The General Data Protection Regulation (GDPR) is part of the EU data protection reform package through which the European Commission aims to strengthen the rights of individuals in the digital age and simplify the rules for businesses in the EU, contributing to the creation of a Digital Single Market.
On this page you’ll find answers to commonly asked questions, relevant documentation, links to useful external resources, and contact details should you need additional information on the GDPR.
COMMON QUESTIONS AND ANSWERS ON THE GDPR
What is the GDPR?
The EU General Data Protection Regulation (GDPR), the "Regulation," replaced the EU Data Protection Directive 95/46/EC and is applicable in all EU and EEA Member States as of 25 May 2018.
The GDPR significantly changes the EU data protection regulatory landscape, setting stricter requirements, reaching more companies, and imposing potentially higher penalties. For example, companies must:
- Implement programmatic measures to ensure and actively demonstrate compliance
- Implement appropriate technical and organisational measures to protect the rights of individuals when designing a processing system and processing data
- Conduct data protection impact assessments of high risk processing activities
- Implement privacy by design and by default
- Implement data breach notification
How is Bank of America Merrill Lynch complying with the GDPR?
The Bank is committed to the protection of personal data we collect and process, with rigorous policies, controls, and compliance oversight to ensure that data is held and used appropriately.
The Bank established an enterprise-wide GDPR programme, with key executive sponsorship, that covered its impacted subsidiaries and affiliates. Data processing activities that involve data about individuals in the EU were reviewed, including applications and databases, policies, processes, and procedures to ensure that employees, partners, and vendors process personal data in compliance with GDPR requirements.
Bank of America Merrill Lynch leverages a network of country compliance officers and a global Privacy Legal and Compliance team to ensure sustainable compliance with the GDPR going forward.
Does Brexit change the position for the GDPR in the UK?
As a result of Brexit the UK will no longer be part of the European Union and implemented a legal mechanism that largely follows the GDPR. The UK Data Protection Bill provides the equivalent legal mechanism that meets GDPR standards and reflects the UK’s commitment to high data protection standards post-Brexit. For more information, refer to the Information Commissioner’s Office website at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/.
I am a client outside the EU; am I affected?
The GDPR’s territorial scope of application is wider and may apply to organisations that are not based in the EU but offer goods or services to individuals in the EU and/or monitor the behaviour of individuals in the EU. Bank of America Merrill Lynch reviewed all of its data processing activities involving individuals in the EU to determine if the broader territorial scope applies. The Bank took the necessary actions, which included updating Terms and Conditions of business, to reflect the changes required by the GDPR.
Can I see your data privacy policies?
You can see our current policies by visiting the portal(s) you use to access our services or contacting your relationship manager. Please also see the Essential GDPR Documents section below for relevant privacy notices and other information.
Can I update my documentation now to incorporate GDPR compliant clauses?
We have been actively reviewing our client documentation in light of GDPR and engaging with clients as required. Please also see the Essential GDPR Documents section below for relevant privacy notices and other information.
ESSENTIAL BANK OF AMERICA MERRILL LYNCH GDPR DOCUMENTS
USEFUL GDPR EXTERNAL RESOURCES
Information Commissioner’s Office:
EU General Data Protection Regulation (full text):
If you have additional queries on GDPR or about the way in which the Bank processes your Personal Data please contact your Client Relationship Manager.
You may also contact the EU Data Protection Officer using the following contact details: BAML.EUDPO@baml.com.
For enquiries about your Personal Data processed or controlled by Bank of America N.A. Frankfurt branch or Bank of America Merrill Lynch International Designated Activity Company, Zweigniederlassung Frankfurt am Main or to exercise rights granted by the Federal Data Protection Act, you can also contact the Data Protection Officer at Neue Mainzer Strasse 52, 60311 Frankfurt am Main, directly at firstname.lastname@example.org or by telephone on +49 69 5899 5028.