Global Banking, Global Markets Privacy Notice – Canada

This Privacy Notice explains how Bank of America Corporation branches, affiliates and subsidiaries established in Canada (each a “BAC Canadian Entity” or “we”), collect, use and disclose personal data online and offline in connection with the services we provide to our corporate and institutional clients (“Services”). We refer to the individuals whose Personal Data (as defined below) we process, such as individuals who work for or are otherwise engaged by, or interact with, our clients, their affiliates or other third parties in connection with the Services, as “you” in this Notice. This notice also explains how we collect, use, share and protect personal data from registrants for events that these entities host. See relevant sections on event management and execution.

This Privacy Notice is in addition to other privacy notices related to other services BAC Canadian Entities provide to clients and individuals. Where this Privacy Notice is translated into local language, conflicts between the English version and translated version will be resolved in favor of the English version.

“Personal Data” is information that identifies an individual or relates to an identifiable individual, including:

• Name
• Account details and related contact information
• Postal address
• Telephone or fax number
• Email address and other identifying addresses for electronic communications
• Date of birth
• Details from passports and other government or state issued forms of personal identification (including social security, driver’s license, national insurance and other identifying numbers)
• Photographic or video images
• Telephonic or electronic recordings
• IP Address
• To facilitate event management (virtual or in-person), in addition to the data mentioned above we may also collect:

   

  • Dietary requirements
  • Special assistance needs (hearing, sight or physical impairment)
  • Travel details
  • Spouse/partner name
  • Name and age of child/children (collected through parents or guardians attending events)
  • Speaker biographies

In the course of providing certain Services, we may also receive from you, or third parties, information including:

• Employment related information (salary information, stock options, shareholdings, pension, and CVs);
• Information about regulatory and other investigations or litigation to which you are or have been subject; and
• source of wealth of beneficial owner(s).

We need to collect and process Personal Data in order to provide the requested Services, or because we are legally required to do so. If we do not receive the information that we request, we may not be able to provide the requested Services.

We and our agents, affiliates and service providers collect Personal Data in a variety of ways, including: 
 

• Through the Services: We may collect Personal Data through providing the Services.
• Other than through the Services: We may collect Personal Data about you other than through the Services, such as when you meet us ahead of transactions, request pitches or proposals from us, or participate in a transaction or contractual arrangement, are referred to in a working party list provided by you or third parties, or in information obtained from deal-related data rooms.
• From Other Sources: We may receive Personal Data from other sources, such as public databases, employers, the entity we provide the Services to and from other third parties.
• Event management and execution: You provide Personal Data through the event registration process.

Keeping Personal Data secure is one of our most important responsibilities. We maintain physical, technical, electronic, procedural and organisational safeguards and security measures to protect personal data against accidental, unlawful, or unauthorised destruction, loss, alteration, disclosure, or access, regardless of where it is processed. Appropriate employees are authorised to access personal data for legitimate and specified business purposes. Our employees are bound by a code of ethics and other internal policies that require confidential treatment of personal data and are subject to disciplinary action if they fail to follow such requirements.

Use of Personal Data We and our service providers may use Personal Data for our legitimate business interests and/or to meet our legal and regulatory obligations, including the following:

• to validate authorized signatories when concluding agreements and transactions;
• to contact nominated individuals in connection with existing transactions and contractual agreements;
• to respond to enquiries and fulfill requests from our clients and/or relevant third parties who require information as a necessary part of the provision of the Services, and to administer account(s) and manage our relationships;
• to inform our clients about products or services which we believe may be of interest, including tailored ads, marketing proposals or offers;
• to verify an individual’s identity and/or location (or the identity or location of our client’s representative or agent) in order to allow access to client accounts, or conduct online transactions;
• to protect the security of accounts and Personal Data;
• for information and relationship management purposes, and business purposes, including data analysis, audits, developing and improving products and services, identifying usage trends and determining the effectiveness of promotional campaigns, and enhancing, improving or modifying our Services;
• for risk management, compliance with our legal and regulatory obligations and for fraud detection, prevention and investigation, including “know your customer”, anti-money laundering, conflict and other necessary onboarding and ongoing client checks, due diligence and verification requirements, credit checks, credit risk analysis, compliance with sanctions procedures or rules, and tax reporting;
• to comply with laws and regulations (including any legal or regulatory guidance, codes or opinions), and to comply with other legal process and law enforcement requirements (including any internal policy based on or reflecting legal or regulatory guidance, codes or opinions);
• to provide, and perform our obligations with respect to, the Services or otherwise in connection with fulfilling instructions;
• to send administrative information to clients, such as changes to our terms, conditions and policies; and
• For event management and execution to ensure that all participants have a safe and enjoyable experience, to provide notifications concerning the event, provide analysis to improve our events and develop new events, determine their overall effectiveness, enhance products and services, and to operate and expand our business activities.

Please note that Personal Data we collect in order to meet our legal and regulatory obligations related to the prevention of money laundering and terrorist financing is processed only for those purposes, unless otherwise permitted or agreed.

Personal Data may be disclosed to third parties in connection with the Services we are providing. The recipients of any such information will depend on the Services that are being provided. Subject to any restrictions around confidentiality we have expressly agreed with our client or other transaction parties, such disclosures may include disclosures:
 

• to affiliates and subsidiaries of Bank of America Corporation for the purposes described in this Privacy Notice (“affiliates”);
• to our third party service providers who provide services such as website hosting, data analysis, payment processing, order fulfillment, information technology and related infrastructure provision, customer service, email delivery, auditing and other services such as marketing and event management and execution (event vendors, organizers, volunteers, contractors, and sponsors);
• to third party experts and advisers (including external legal counsel, notaries, auditors and tax advisers);
• to payment, banking and communication infrastructure providers including SWIFT, financial institutions or intermediaries with which we may have dealings including correspondent banks, insurers, insurance brokers, central counterparties (CCPs), clearing houses, clearing and settlement systems, exchanges, trading platforms, regulated markets, credit institutions, financial brokers, other banks, sponsors, issuers, joint syndicate members, sub-underwriters, portfolio reconciliation service providers, margin service providers, middleware platforms, valuation agents, service agents and other service providers assisting on transactions;
• to third party storage providers (including archive service providers, document repositories and deal sites which provide access offering circulars and other marketing materials) and trade data repositories;
• to third party distribution platforms and to operators of private or common carrier communication or transmission facilities, time sharing suppliers and mail or courier services;
• to other deal/transaction participants including issuers, borrowers, potential investors and syndicate members, advisers, other lenders, independent printers producing circulars, prospectuses and marketing and event materials and translation service providers;
• to counterparties, vendors and beneficiaries, and other entities connected with our client (including guarantors affiliates, underlying clients, obligors, investors, funds, accounts and/or other any principals connected); and
• other persons as agreed with our client or as required or expressly permitted by applicable law.

Disclosures of Personal Data which we make to our third party service providers, as described in this section, will be made subject to conditions of confidentiality and security as we may consider appropriate to the specific circumstances of each such disclosure.

We may also use and disclose Personal Data as we believe to be necessary or appropriate: (a) to comply with applicable law including treaties or agreements with or between foreign or domestic governments (including in relation to tax reporting laws), which may include laws outside the country you are located in, to respond to requests from public and government authorities, which may include authorities outside your country, to cooperate with law enforcement, governmental, regulatory, securities exchange or other similar agencies or authorities including tax authorities to which we or our affiliates are subject or submit, in each case of any country worldwide, or for other legal reasons, who may transfer the Personal Data to equivalent agencies or authorities in other countries; (b) to central banks, regulators, trade data repositories, or approved reporting mechanisms which may be outside your country; (c) to courts, litigation counterparties and others, pursuant to subpoena or other court order or process or otherwise as reasonably necessary, including in the context of litigation, arbitration and similar proceedings to enforce our terms and conditions, and as reasonably necessary to prepare for or conduct any litigation, arbitration and/or similar proceedings; and (d) to protect our rights, privacy, safety or property, and/or that of our affiliates, you or others.

In addition, we may use, disclose or transfer Personal Data to a third party (i) in the event of any reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings) and/or (ii) to third parties, as requested by clients or their representatives.
 

Online Information
 

How do we collect personal information online through cookies and similar tracking technologies?
 

We collect information about you through your computer, smartphone, tablet or other mobile device by the use of cookies and similar tracking technologies.
 

The type of information we collect from and about you online will depend on how you interact with us and may include: (not all of these may apply to your environment)

• Unique device identifiers (for example Media Access Control (MAC) and Internet Protocol (IP) addresses).
• Browser type, version, language, and display/screen settings.
• Information about how you use and interact with our sites and mobile apps (for example page visited or links clicked).
• Survey responses and similar information which reveals views and preferences, but which does not reveal a person’s specific identity.
• Responses to advertisements on the sites and mobile apps where we advertise.
• Log information such as your search and voice to text queries in the mobile app.
• Search engine referrals.
• Geolocation information.

How do we use the information collected online?
 

We collect this information through cookies and other tracking technologies for the following reasons: 
 

• Because it is necessary to ensure the site works as intended, such as performing authentication within a secured site. Without this information, some services you have asked for cannot be provided, for example within a secured area requiring authentication and to assist in detecting and preventing fraud, identify theft and other risks to you or Bank of America.
• To remember choices you make (such as your user name, language or region) and provide enhanced, more personal features. These cookies can be used to remember changes you have made to text size, fonts and other parts of web pages that you may have customized. They may also be used to provide services you have asked for such as watching a video or commenting on a blog.
• To improve how a website works and includes collecting information about how visitors use a website, for instance which pages visitors go to most often, or if they get error messages from web pages. This information can also be used to make collective inferences based on choices and browsing behavior for marketing and advertising research.
• To deliver advertisements that may be relevant to you and your interests. These are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaign. These are usually placed by advertising networks with the website operator’s permission. These remember that you have visited a website and this information may be shared with other organizations such as advertisers.
• To provide you with information you request such as the location of an office based on your location.

Uses and Disclosures of Other Information

We may use and disclose Other Information for any purpose, except where we are required to do otherwise under applicable law. In some instances, we may combine Other Information with Personal Data. If we do, we will treat the combined information as Personal Data as long as it is combined.

See our Cookie Policy. For additional details about cookies and tracking technologies including how you can manage cookies.

This Privacy Notice does not address, and we are not responsible for, the privacy information or other practices of any third parties, including any third party operating any website or service to which the Services link. The inclusion of a link on the Services does not imply endorsement of the linked site or service by us or by our affiliates.

We seek to use reasonable organizational, technical and administrative measures to protect Personal Data within our organization. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us in accordance with the “Contacting Us” section below.

Receiving electronic communications from us

If you no longer want to receive marketing-related emails from us on a going-forward basis, you may opt-out by following the instructions in the relevant electronic communication.
 

We will try to comply with your request(s) as soon as reasonably practicable. Please note that if you opt-out of receiving marketing-related emails from us, we may still send you important administrative and Service or transaction-related messages, which you cannot opt out of.

How individuals can access, change or suppress their Personal Data

If you would like to request to review, correct, update, suppress, restrict or delete Personal Data that you have previously provided to us, or if you would like to request to receive an electronic copy of your Personal Data for purposes of transmitting it to another company (to the extent this right to data portability is provided to you by applicable law), you may contact us by emailing: dpn_support@bofa.com. We will respond to your request consistent with applicable law.
 

In your request, please make clear what Personal Data you would like to have changed, whether you would like to have the Personal Data suppressed from our database or otherwise let us know what limitations you would like to put on our use of the Personal Data. For your protection, we may only implement requests with respect to the Personal Data associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. We will try to comply with your request as soon as reasonably practicable.
 

Please note that we may need to retain certain information for recordkeeping purposes and/or to complete any transactions that you began prior to requesting a change or deletion. There may also be residual information that will remain within our databases and other records, which will not be removed.

We will retain Personal Data for as long as needed or permitted in light of the purpose(s) for which it was obtained. The criteria used to determine our retention periods include: (i) the length of time we have an ongoing relationship with our client and provide the Services; (ii) whether there is a legal obligation to which we are subject; and (iii) whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).

The Services are not directed to individuals under the age of eighteen (18), and we do not knowingly collect Personal Data from individuals under 18. Individuals may submit personal Data about their minor children or legal wards in relation to attendance at or participation in an event. Individual parents or guardians must have the legal authority to disclose such Personal Data to us and make decisions related to processing of such Personal Data in connection with the event. This Personal data of minors will only be used for event registration and participation purposes.

Personal Data may be stored and processed in any country where we have facilities or in which we engage service providers, including the United States. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may be entitled to access Personal Data.

Where local data protection law requires it we have put in place adequate measures, such as data transfer agreements. Where permitted by applicable laws, transfers may also be made pursuant to contracts in your interest or at your request.

We do not typically collect sensitive Personal Data in connection with the Services. Examples of such data, as defined by applicable data protection law, may include information related to racial or ethnic origin, political opinions, income, sex life, sexual orientation, religious or other beliefs, health, biometrics or genetic characteristics, criminal background or trade union membership (“Special Data”) Please do not send us any Special Data through the Services or otherwise, unless we specifically request this information from you or make a due diligence enquiry of you where the response necessitates you disclosing Special Data to us. In such a case, please ensure you notify us that you are providing Special Data.
 

We may receive Special Data from third party service providers and others in support of due diligence activities we undertake to satisfy various legal and regulatory requirements to which we are subject.
 

Event management and execution: At the time of registration participants may tell us about disabilities that may require accommodation, or special needs related to religious beliefs, and/or health characteristics, e.g. dietary requirements. This information will be used only to the extent necessary to facilitate any disability or special accommodations. Similarly, certain registration details may include sensitive Personal Data (e.g., dietary restrictions may indicate a particular religious belief). Such data will be used only to facilitate event participation.

When individuals communicate with BAC Canadian Entities , to the extent permitted or required by applicable law, telephone conversations and electronic communications, including emails, text messages and instant messages, may be recorded and/or monitored for evidentiary, compliance, quality assurance and governance purposes.

We may change this Privacy Notice, including the list of BAC Canadian Entities, from time to time. The “Last Updated” legend at the bottom of this Privacy Notice indicates when this Privacy Notice was last revised. Any changes will become effective when we post the revised Privacy Notice. Use of the Services following these changes (or your continued provision of Personal Data to us) signifies acceptance of the revised Privacy Notice.

The Bank of America Canadian Entity who provides the Services in connection with which your Personal Data has been provided is the company responsible for collection, use and disclosure of your Personal Data under this Privacy Notice.

If you do not know which BAC Canadian Entity is responsible for those Services or you have any questions about this Privacy Notice, please contact us at dpo@bofa.com.

To help us to manage your query, please include your full name and the name of the BAC Canadian Entity you understand is processing your personal data and/or any reference number that was made available by a BAC Canadian Entity to you.

Appendix 1 – BAC Canadian Entities 1

1 Note that the list may be updated from time to time without notice.