The General Data Protection Regulation (GDPR) is part of the EU data protection reform package through which the European Commission aims to strengthen the rights of individuals in the digital age and simplify the rules for businesses in the EU, contributing to the creation of a Digital Single Market.
On this page you’ll find answers to commonly asked questions, relevant documentation, links to useful external resources, and contact details should you need additional information on the GDPR.
COMMON QUESTIONS AND ANSWERS ON THE GDPR
What is the GDPR?
The EU General Data Protection Regulation (GDPR), the "Regulation," will replace the current EU Data Protection Directive 95/46/EC and will be directly applicable in all EU and EEA Member States from 25 May 2018.
The GDPR will significantly change the EU data protection regulatory landscape, setting stricter requirements, reaching more companies, and imposing potentially higher penalties. For example, companies must:
- Implement programmatic measures to ensure and actively demonstrate compliance
- Implement appropriate technical and organisational measures to protect the rights of individuals when designing a processing system and processing data
- Conduct data protection impact assessments of high risk processing activities
- Implement privacy by design and by default
- Implement data breach notification
How has the Bank prepared for the GDPR?
Bank of America Merrill Lynch is committed to the protection of personal data we collect and process, with rigorous policies, controls, and compliance oversight to ensure that data is held and used appropriately.
The Bank has established an enterprise-wide GDPR programme, with key executive sponsorship, that covers its impacted subsidiaries and affiliates. Data processing activities that involve data about individuals in the EU are under review, including applications and databases, policies, processes, and procedures to ensure that employees, partners, and vendors process personal data in compliance with GDPR requirements.
Bank of America Merrill Lynch leverages a network of country compliance officers and a global Privacy Legal and Compliance team to ensure sustainable compliance with the GDPR going forward.
How will I be affected as a client of Bank of America Merrill Lynch?
The GDPR may require updates to certain data privacy provisions of client agreements to reflect the changes it introduces. If changes to the documentation we have in place with you are needed, we will contact you to provide any new privacy terms or notices that are required.
Does Brexit change the position for the GDPR in the UK?
As a result of Brexit, the UK will no longer be part of the European Union and will implement a legal mechanism that will largely follow the GDPR. The UK Data Protection Bill is intended to provide an equivalent legal mechanism that meets GDPR standards and reflects the UK’s commitment to high data protection standards post-Brexit. For more information, refer to the Information Commissioner’s Office website at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/.
I am a client outside the EU; will I be affected?
The GDPR’s territorial scope of application is wider than under the current Directive and may apply to organisations that are not based in the EU but offer goods or services to individuals in the EU and/or monitor the behaviour of individuals in the EU. Bank of America Merrill Lynch is reviewing all of its data processing activities involving individuals in the EU to determine whether the broader territorial scope applies. If applicable, the Bank will take the necessary actions, which may include updating its Terms and Conditions of business, to reflect the changes required by the GDPR.
Can I see your data privacy policies?
You can see our current policies by visiting the portal(s) you use to access our services or contacting your relationship manager. We are working through all our policies and procedures and making updates where necessary to comply with the GDPR.
Can I update my documentation now to incorporate GDPR compliant clauses?
We have been actively reviewing our client documentation in light of GDPR and engaging with clients as required. Please also see the Essential GDPR Documents section below for relevant privacy notices and other information.
ESSENTIAL GDPR DOCUMENTS FOR BANK OF AMERICA MERRILL LYNCH CLIENTS
USEFUL GDPR EXTERNAL RESOURCES
Information Commissioner’s Office:
EU General Data Protection Regulation (full text):
If you have additional queries on GDPR implementation or about the way in which the Bank processes your Personal Data, please contact your Client Relationship Manager.
You may also contact the EU Data Protection Officer using the following contact details: BAML.EUDPO@baml.com.
For enquiries about your Personal Data processed or controlled by Bank of America N.A. Frankfurt branch or Bank of America Merrill Lynch International Limited, Zweigniederlassung Frankfurt am Main, or to exercise rights granted by the Federal Data Protection Act, you can also contact the Data Protection Officer at Neue Mainzer Strasse 52, 60311 Frankfurt am Main, directly by email at email@example.com or by telephone on +49 69 5899 5028.