This Privacy Notice explains how Bank of America Corporation branches, affiliates and subsidiaries established in Canada (each a “BAC Canadian Entity” or “we”), collect, use and disclose personal data online and offline in connection with the services we provide to our corporate and institutional clients as defined in the Processing Activities section below. We refer to the individuals whose personal data (as defined below) we process, such as individuals who work for or are otherwise engaged by, or interact with, our corporate, institutional, and prospective clients, their affiliates or other third parties in connection with the services, as “you” in this notice. This notice also explains how we collect, use, share and protect personal data from registrants for events that these entities host. See relevant sections on event management and execution. This Privacy Notice is in addition to other privacy notices related to other services BAC Canadian Entities provide to clients and individuals. Where this Privacy Notice is translated into local language, conflicts between the English version and translated version will be resolved in favor of the English version.
Global Banking, Global Markets Privacy Notice – Canada
(LAST UPDATED: April 2024)
Introduction
Personal Data We Collect
“Personal Data” is information that identifies an individual or relates to an identifiable individual.
We and our agents, affiliates and service providers collect Personal Data in a variety of ways, including:
- Through the Services: We may collect Personal Data through providing the Services.
- Other than through the Services: We may collect Personal Data about you other than through the Services, such as when you meet us ahead of transactions, request pitches or proposals from us, or participate in a transaction or contractual arrangement, are referred to in a working party list provided by you or third parties, or in information obtained from deal-related data rooms.
- From Other Sources: We may receive Personal Data from other sources, such as public databases, employers, the entity we provide the Services to and from other third parties.
- Event management and execution: You provide Personal Data through the event registration process.
The table below contains a list of the Personal Data we collect. In the table in the section Processing Activities, we have associated the categories of Personal Data we collect with the categories of our processing activities/processing purposes.
Categories of | Description | Personal Data |
Attendance Data | Confirmation of an individual's attendance at in-person or virtual events (including guests of the invited party) | Events attended |
Biographies | Information pertaining to an individual’s work history, professional experience, languages spoken, and/or education | Job history, professional experience (including company names and titles), education (schools, degrees), languages spoken, photograph |
Business Contact Data | A client’s or client employee’s corporate contact information | Name, company, business address, business phone number, business email address |
Place of Birth | Name of city and/or country of birth | Name of city and/or country of birth |
Contact Details - Minors | Information pertaining to the contact information for a minor in relation to an event hosted by us | Name, relationship to attendee, dietary restrictions (if applicable) |
Criminal Records | An individual's criminal records and/or convictions | Arrest records, arraignment details, behavior, criminal convictions |
Date of Birth | An individual’s date of birth | Date of birth |
Dietary Data | Information regarding a person's dietary requirements | Dietary requirements (Note: religion may be inferred from a person’s dietary requirements) |
Disability Data | Information regarding a person’s disabilities required to accommodate special needs | Disability data |
Gender | Information regarding a person's gender | Gender |
Voice | Recordings of voice | Voice on phone calls |
Miscellaneous Data | Personal Data, as relevant to satisfy ad hoc regulatory, judicial, or law enforcement requests or obligations or as affirmatively provided by you in furtherance of the Services | Personal data, as defined by regulatory body, judiciary, or law enforcement or as otherwise affirmatively provided by you to us. |
National Identifier | Information containing a person's country-specific National Identifier | Examples: European SSN, United Kingdom National Insurance Number, Ireland PPS numbers |
Online Authentication Information | Information required to access an individual's personal account, online or through mobile applications | User ID, PIN/Password, IP address, challenge questions, device ID, mobile phone number |
Online Identifier | A means of identifying an individual by associating informational traces an individual leaves when operating online | Cookies, pixel tags, web beacons, locally stored objects, unique device identifiers (for example Media Access Control (MAC) and Internet Protocol (IP) addresses, smart device information, mobile phone network information |
Personal Contact Data | An individual’s personal contact information | Name, alias, home address, home/personal phone number, personal email address |
Proof of Address | Information found on utility bills and/or financial statements | Utility bills, financial statements |
Signature | Any symbol, character, sound or mark made by an individual with the intent to authenticate or authorize a transaction, agreement, or written or electronic document | eSignature, DocuSign, web signature, copy of written signature, ink signature |
Unique Personal Identifier (Driver's License, Tax Identification Number) | Information containing a person's unique identifier for a driver's license or Individual Tax Identification Number | Driver's license number, ID issue date, ID expiration, Individual Tax Identification Number (“TIN”) |
Visa, Passport, Nationality and Citizenship Data | Information containing a person's visa, passport, nationality and/or citizenship data | Visa, passport copy, nationality, citizenship |
Keeping Personal Data secure is one of our most important responsibilities. We maintain physical, technical, electronic, procedural and organisational safeguards and security measures to protect personal data against accidental, unlawful, or unauthorised destruction, loss, alteration, disclosure, or access, regardless of where it is processed. Appropriate employees are authorised to access personal data for legitimate and specified business purposes. Our employees are bound by a code of ethics and other internal policies that require confidential treatment of personal data and are subject to disciplinary action if they fail to follow such requirements.
Sensitive Information
We do not typically collect special categories of Personal Data as defined in either the Personal Information Protection and Electronic Documents Act (PIPEDA) or the Protection of Personal Information in the Private Sector (PPIPS) or in any other Canadian regulations (“Special Data”) in connection with the Services. Special Data is information if, due to its nature, including medical, biometric or otherwise intimate information, or the context of its use or communication, entails a high level of reasonable expectation of privacy.
Please do not send us any Special Data through the Services or otherwise, unless we specifically request this information from you or make a due diligence enquiry of you where the response necessitates you disclosing Special Data to us. In such a case, please ensure you notify us that you are providing Special Data.
We may receive Special Data from third party service providers and others in support of due diligence activities we undertake to satisfy various legal and regulatory requirements to which we are subject, such as negative news runs and enhanced due diligence reports performed related to anti-money laundering or know-your-customer requirements (“AML/KYC”).
Event management and execution: At the time of registration, participants may tell us about disabilities that may require accommodation, or special needs related to religious beliefs, and/or health characteristics, e.g., dietary requirements. This information will be used only to the extent necessary to facilitate any disability or special accommodations. Similarly, certain registration details may include Special Data (e.g., dietary restrictions may indicate a particular religious belief). Such Special Data will be used only to facilitate event participation.
Processing Activities
We need to collect and process Personal Data in order to provide the requested services, or because we are legally required to do so. If we do not receive the information that we request, we may not be able to provide the requested services. The below table contains an indicative summary of our activities which require the processing of your Personal Data. Unless otherwise stated, we collect Personal Data directly from the individual.
Purpose | Reasons for Processing | Categories of Personal Data |
Anti-Money Laundering/ Know-your-Customer Requirements | · To comply with applicable AML/KYC laws and regulations, including identifying beneficial owners, conducting background checks, monitoring, and performing other checks to meet anti-terrorism financing legal requirements. As required by applicable laws, this may involve processing your political affiliations, criminal convictions or allegations of offenses. | Business Contact Data, Personal Contact Data, Date of Birth, Place of Birth, National Identifier, Visa, Passport, Nationality and Citizenship Data, Unique Personal Identifier (Driver's License, TIN), Signature, Proof of Address |
Account Opening | · To obtain all enterprise and regulatory requirements for your onboarding, expansion of services and account maintenance. · To obtain the necessary information to open accounts as required to enable your trading or other activities.
| Personal Contact Data, Business Contact Data |
Regulatory and Compliance Obligations | · To comply with applicable laws and regulations (including any legal or regulatory guidance, codes or opinions). · To comply with sanctions procedures and other legal process and law enforcement requirements including any internal policies which are based on, or reflecting, legal or regulatory guidance, codes or opinions. · To comply with non-financial regulatory reporting requirements established by regulators, tax authorities and government bodies across jurisdictions. See Disclosure of Personal Data for additional information. | Personal Data as relevant for each specific regulatory and compliance obligation. |
Delivery of Global Banking and Global Markets Products and Services | · To contact nominated individuals in connection with existing transactions and contractual agreements. · To validate authorized signatories when executing agreements. · To compile working group lists for communication purposes. · To respond to your enquiries and fulfil requests and contractual obligations and to administer account(s). · To circulate transaction documents to you, such as trade confirmations or relevant agreements, or in amending trade terms. · To arrange virtual or in-person roadshows or meetings with institutional investors in capital raising efforts. · To authenticate your identity prior to granting access to certain websites, systems or accounts. · To assist in detecting and preventing fraud, identity theft and other risks to you or us. | Business Contact Data, Online Authentication Information, Personal Contact Data, Online Identifier
|
Delivery of our Global Transactions Services | · If you are a Global Transaction Services client or a majority-owned affiliate of such that receives or has access to one or more forms of deposit-taking services, account services, treasury services, payment services, trade finance services and/or, supply chain finance services and/or referral arrangements, we further process Personal Data: o To administer those products or services in connection with fulfilling your instructions (e.g., Personal Data obtained through our relationship with you, the way you operate your accounts and/or services, such as the payments made to and from your accounts, services you ask us to provide to you, etc.). o To perform our regulatory obligations, such as compliance with the Funds Transfer Regulation and the Payment Services Directive. | Personal Data of individuals related to or associated with you, our client (e.g., a beneficiary, counterparty, payee, employee, contractor, supplier etc.) such as their Personal Contact Data, Business Contact Data, Date of Birth, Place of Birth , National Identifiers, Gender, Nationality, Visa, Passport, Nationality and Citizenship Data, Online Identifier, Online Authentication Information |
Client Communications and Relationship Management | · To directly communicate with you to help improve the products and services we provide, or in relation to a product or service in which you have expressed an interest, such as sharing of our case studies, capabilities materials, deal proposals, offers, market trends, insights, strategies and trade ideas. · To handle your complaints.
| Business Contact Data |
Events Management and Execution | · To register and confirm attendance at virtual or in-person events and conferences. · To notify your organization about events for awareness, as part of our services to you. · To facilitate event management, virtual or in-person. · To facilitate special accommodations, including disabilities, dietary requirements or other special needs | Business Contact Data, Signature, |
Legal and
| · To fulfil our legal and compliance-related obligations. · To enforce our terms and conditions. · To protect our operations. · To protect our rights, privacy, or our property. · To allow us to pursue available legal remedies, defend claims and limit the damages that we may sustain. | Personal Data as relevant for each specific legal action, regulatory investigation, and/or other legal processes in question
|
Cookies and Similar Technologies
We may collect personal information through the use of cookies and similar technologies. See our Cookie Policy for additional details about cookies and tracking technologies including how you can manage cookies.
Disclosure of Personal Data
Personal Data may be disclosed to subsidiaries, affiliates and third parties in connection with the Services we are providing. The recipients of any such information will depend on the Services that are being provided. Subject to any restrictions around confidentiality we have expressly agreed with you or other transaction parties, such disclosures may include disclosures made to categories of third parties listed in the table below:
Categories of third parties | Personal Data | Purpose of processing your Personal Data | Destination Countries |
Communication and Collaboration Software and Software Services providers who enable individuals and teams to work together over geographic distances by providing tools that aid communication, collaboration and the process of problem solving (includes appliances, maintenance and support services.) | Business Contact Data | To service your accounts and share transaction documents with you | Globally where we have presence |
External law firms | Personal Data as relevant in each specific situation
| To provide legal support in preparing transactional documents with you, in support of the services we provide to you, or in defending claims involving you
| Globally where we have presence
|
Regulators | Personal Data as relevant in each specific situation
| To comply with regulatory requirements that obligate us to share your Personal Data | In jurisdictions where entities in Appendix 1 are subject to regulatory oversight and non-financial regulatory reporting requirements |
Tax Service Providers who assist us on tax rules and regulations, including legal analysis, technical calculations, form preparation, planning and controversy management associated with meeting our local and international tax obligations. | Business Contact Data, Personal Contact Data, National Identifier, Date of Birth, Place of Birth, Visa, Passport, Nationality and Citizenship data | To comply with the Foreign Account Tax Compliance Act (“FATCA”) & Client Relationship Summary (“CRS”) related tax reporting requirements that obligate us to share your Personal Data | Globally where we have presence
|
Account Management Software Service Providers who help us with the management of financial accounts and processes with tools and controls that support our organizational, operational, and legislative requirements (includes maintenance and support services.)
| Business Contact Data | To help process invoices and statements to you on services we provided or transactions we conducted with you | Globally where we have presence
|
Digital Commerce and Payment Services providers who enable you to conduct transactions online and via mobile devices | Business Contact Data, Online Authentication Information, Online Identifier | If you are a client of Global Transaction Services, to authenticate you when you log into online portals, to access your account, to review and conduct your transactions | Belgium, Hong Kong, Netherlands, Switzerland, United States |
Banks with which we have made arrangements to enable us to provide the Services to you | Your information relating to you or your accounts with us or your relationship with us as is necessary to enable us to provide you with the services | To allow our partner banks to process payments to or from individuals related to your account with us in places where we do not have a presence, or we are unable to provide the relevant services | Denmark, Finland, Latvia, Norway, Sweden |
Corporate Business Application vendors who provide software and software services to support our Global Banking and Global Markets businesses, including technology for Sales and Trading functions within Global Equities, Fixed Income Currency and Commodities, Global Research and technology for Credit, Cash Management, FX, Equipment Finance and Merchant Services within Global Banking | Business Contact Data | To send you service or transactional emails or communications, as applicable and appropriate. | United States, United Kingdom |
Digital Process Automation Software Services Providers who automate and digitize our transaction documentation workflow | Signature, Business Contact Data | To enable you to review and sign contracts with us electronically | United States |
Business Contact Data | To facilitate transactions with you | Globally where we have presence | |
Other deal and transaction participants | Business Contact Data | To share your Personal Data as part of transactions | Globally where we have presence |
Tax Authorities | Business Contact Data, Personal Contact Data, National Identifier, Date of Birth, Place of Birth, Visa, Passport, Nationality and Citizenship data | To share your Personal Data in order for us comply with FATCA, CRS and other tax-related reporting requirements | Belgium, France, Germany, Greece, Hong Kong, Ireland, Italy, Netherlands, Qatar, Spain, Switzerland, United Arab Emirates, United Kingdom, United States |
Third parties in connection with a sale or business transaction | Dependent on the specific sale or business transaction | We have a legitimate interest in disclosing or transferring your Personal Data to a third party in the event of any reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings). You will be notified of any such business transaction and of possible changes to the processing of your Personal Data in accordance with applicable law. | Dependent on the sale or business transaction |
Hotels, Restaurants, Virtual event platforms, Transportation Companies, and Corporate Security | Business Contact Data, Personal Contact Data Dietary and Disability Data | To assist with our events management and execution | Globally where we have presence
|
Digital Tracking Providers: Companies that provide digital tracking services (like cookies, tags, etc) and whose scripts we use to add to our webpages. | IP Address | To improve technical and design features of our websites and platforms | USA, UK, EU, India |
Third Party Services
This Privacy Notice does not address, and we are not responsible for, the privacy information or other practices of any third parties, including any third party operating any website or service to which the Services link. The inclusion of a link does not imply endorsement of the linked site or service by us or by our affiliates.
Security
We seek to use reasonable organizational, technical and administrative measures to protect Personal Data within our organization. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us in accordance with the “Contacting Us” section below.
Choices and Access
Receiving electronic communications from us
If you no longer wish to receive marketing-related emails from us in the future, you may opt-out by following the instructions in the relevant electronic communication or contacting your relationship manager.
We will try to comply with your request(s) as soon as reasonably practicable. Please note that if you opt-out of receiving marketing-related emails from us, we may still send you important administrative and Service or transaction-related messages, which you cannot opt out of.
Rights of Individuals afforded to you under Canada laws
If you would like to request to access, correct, update, suppress, restrict or delete Personal Data, object to or opt out of the processing of Personal Data, withdraw your consent (which will not affect the lawfulness of processing prior to the withdrawal) or if you would like to request to receive an electronic copy of your Personal Data for purposes of transmitting it to another company (to the extent the right to data portability is provided to you by applicable law), you may contact us by emailing: individualrightsrequests@bofa.com. We will respond to your request consistent with applicable law.
In your request, please make clear what Personal Data you would like to have changed, whether you would like to have the Personal Data suppressed from our database or otherwise let us know what limitations you would like to put on our use of the Personal Data. For your protection, we may only implement requests with respect to the Personal Data associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. We will try to comply with your request as soon as reasonably practicable.
Please note that we may need to retain certain information for recordkeeping purposes and/or to complete any transactions that you began prior to requesting a change or deletion. There may also be residual information that will remain within our databases and other records, which will not be removed.
Retention Period
We will retain Personal Data for as long as needed or permitted in light of the purpose(s) for which it was obtained. The criteria used to determine our retention periods include: (i) the length of time we have an ongoing relationship with our client and provide the Services; (ii) whether there is a legal obligation to which we are subject; and (iii) whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).
The appropriate retention period is determined on a case-by-case basis and will depend upon the length of time we need to keep your Personal Data for the purpose(s) for which it was collected. For instance, we may need to retain your Personal Data to provide our client(s) with services, to comply with a legal obligation to which we are subject or in situations where retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).
For example:
- We are required to retain certain Personal Data to deliver services to our clients at least until the termination of the relationship, and sometimes for a period of time thereafter;
- We preserve your Personal Data where it is reasonably necessary for reasons related to a legal claim or complaint, where we are subject to a regulatory investigation or where we may need to defend ourselves in legal proceedings or respond to a regulator or to respond to a valid legal request, such as a preservation order, subpoena or search warrant;
- We keep information collected using Cookies in accordance with the Cookie Policy;
- We are required to retain certain Personal Data in order to meet our legal and regulatory obligations related to the prevention of money laundering and terrorist financing, and this information is retained in accordance with applicable money laundering laws
Once we no longer need to retain your personal data, we will permanently delete or destroy, archive so that it is beyond use, or anonymize the relevant data.
Use of Services by Minors
The Services are not directed to individuals under the age of eighteen (18), and we do not knowingly collect Personal Data from individuals under 18.
Individuals may submit Personal Data about their minor children or legal wards in relation to attendance at or participation in an event. Individual parents or guardians must have the legal authority to disclose such Personal Data to us and make decisions related to processing of such Personal Data in connection with the event. This Personal Data of minors will only be used for event registration and participation purposes.
Jurisdiction and Cross-Border Transfer
Personal Data may be stored and processed in any country where we have facilities or in which we engage service providers, including the United States. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may be entitled to access Personal Data.
Where local data protection law requires it, we have put in place adequate measures, such as data transfer agreements. Where permitted by applicable laws, transfers may also be made pursuant to contracts in your interest or at your request.
RECORDING OF COMMUNICATIONS
When individuals communicate with BAC Canadian Entities , to the extent permitted or required by applicable law, telephone conversations and electronic communications, including emails, text messages and instant messages, may be recorded and/or monitored for evidentiary, compliance, quality assurance and governance purposes.
Updates to This Privacy Notice
We may change this Privacy Notice from time to time. The “LAST UPDATED” legend at the top of this Privacy Notice indicates when this Privacy Notice was last revised. Any changes will become effective when we post the revised Privacy Notice. Use of the Services following these changes (or your continued provision of Personal Data to us) signifies acceptance of the revised Privacy Notice.
Contacting Us
The BofA Canada Entity who provides the Services in connection with which your Personal Data has been provided is the company responsible for collection, use and disclosure of your Personal Data under this Privacy Notice.
If you do not know which BofA Canada Entity is responsible for those Services or you have any questions or complaints about this Privacy Notice or any complaints, please contact your Client Relationship Manager.
If you have additional questions or complaints about the way in which the Company processes your Personal Data more broadly you may contact the local Data Protection Officer at dpo@bofa.com.
To help us to manage your query, please include your full name and the name of the BofA Canada Entity you understand is processing your Personal Data and/or any reference number that was made available by a BofA Canada Entity to you.
Appendix 1 – BAC Canadian Entities 1
Bank of America, National Association, Canada Branch | Brookfield Place, 181 Bay Street, Suite 400, Toronto, ON, M5J2V8 Attention: Canada Privacy Compliance |
Merrill Lynch Canada Inc. | Brookfield Place, 181 Bay Street, Suite 400, Toronto, ON, M5J2V8 Attention: Canada Privacy Compliance |
Merrill Lynch Commodities Canada ULC | 1969 Upper Water Street, Suite 1300, Halifax, NS, B3J2V1 |
BAL Global Finance Canada Corporation | Brookfield Place, 181 Bay Street, Suite 400, Toronto, ON, M5J2V8 Attention: Canada Privacy Compliance |
1 Note that the list may be updated from time to time without notice.