EX-99.34 OPIN COUNSL 31 logermany.htm logermany
 
 
 
 
 
 
UBS AG London Branch
5 Broadgate
London
EC2M 2QS

Allen & Overy LLP
Bockenheimer Landstraße 2
60306 Frankfurt am Main
Germany

Our ref 0036335-0000808

22 October 2021

Dear Sir or Madam
 
UBS SEC registration as a non-resident security-based swap dealer
 
1. BACKGROUND

1.1 We understand that UBS AG, a bank authorised in Switzerland, is seeking to register with the United States (US) Securities and Exchange Commission (SEC) as a non-resident security-based swap (SBS) dealer (SBSD).

1.2 To register as an SBSD with the SEC, a non-resident SBSD[1] such as UBS AG must attach an opinion of counsel to Form SBSE, SBSE-A or SBSE-BD affirming that the SBSD can, as a matter of law:

(a) provide the SEC with prompt access to the relevant books and records as defined in paragraphs to (Covered Books and Records); and

(b) submit to on-site inspection and examination of its Covered Books and Records by the SEC (On-Site Inspection).

1.3 Associated persons of UBS AG located in Germany who effect SBS transactions on behalf of UBS AG will be employed by UBS Europe SE (UBS ESE), which is incorporated in Germany and authorised to provide services in Germany (among other jurisdictions). Accordingly, UBS ESE will maintain certain Covered Books and Records in Germany on behalf of UBS AG.

1.4 You have asked us to issue an opinion affirming that (a) UBS AG will be able to provide the SEC with prompt access to its Covered Books and Records that are maintained by UBS ESE in Germany and (b) UBS ESE can submit to On-Site Inspection by the SEC of UBS AG’s Covered Books and Records it maintains on behalf of UBS AG, in each case in accordance with paragraph.[2]
 
 
 
[1] In the case of a corporation, an SBSD will be “non-resident” if it is incorporated in or has its principal place of business in any place not in the United States (see 17 Code of Federal Regulations (CFR) § 240.15Fb2-4(a)(2)). As UBS AG is incorporated in Switzerland, UBS AG fulfils this definition of a “non-resident” SBSD.

[2] In accordance with Assumption in , this opinion does not cover the direct provision of Covered Books and Records by UBS ESE to the SEC as this information will instead be provided to UBS AG London Branch and sent by UBS AG London Branch to the SEC.
 
Allen & Overy LLP is a limited liability partnership registered in England and Wales with registered number OC306763. It is authorised and regulated by the Solicitors Regulation Authority of England and Wales. The term partner is used to refer to a member of Allen & Overy LLP or an employee or consultant with equivalent standing and qualifications. A list of the members of Allen & Overy LLP and of the non-members who are designated as partners is open to inspection at its registered office, One Bishops Square, London E1 6AD.

Allen & Overy LLP or an affiliated undertaking has an office in each of: Abu Dhabi, Amsterdam, Antwerp, Bangkok, Beijing, Belfast, Bratislava, Brussels, Budapest, Casablanca, Dubai, Düsseldorf, Frankfurt, Hamburg, Hanoi, Ho Chi Minh City, Hong Kong, Istanbul, Jakarta (associated office), Johannesburg, London, Los Angeles, Luxembourg, Madrid, Milan, Moscow, Munich, New York, Paris, Perth, Prague, Rome, São Paulo, Seoul, Shanghai, Silicon Valley, Singapore, Sydney, Tokyo, Warsaw, Washington, D.C. and Yangon.
 
 
 
 
 
 
 
 
Düsseldorf
Dreischeibenhaus 1, 40211 Düsseldorf
Tel +49 (0)211 2806 7000, Fax +49 (0)211 2806 7800
Ellen Birkemeyer, Dr. Hans Diekmann, Dr. Christian Eichner, Dr. Jens Matthes, Dr. Stephan Neuhaus, Dr. Jan Schröder
Counsel: Kyrill Chilevych, Dr. Michael Fink, Anne Fischer, Dr. Achim Schmid

Frankfurt
Haus am OpernTurm, Bockenheimer Landstraße 2, 60306 Frankfurt am Main
Tel +49 (0)69 2648 5000, Fax +49 (0)69 2648 5800
Dr. Alexander Behrens, Dr. Wolf R. Bussian, John Coburn, Dr. Michael H. Ehret, Dr. Stefan Henkelmann, Dr. Franz Bernhard Herding, Dr. Matthias Horn, Dr. Michiel Huizinga, Dr. Hartmut Krause, Dr. Hans-Peter Löw, Anna Masser, Dr. Olaf Meisen, Wolfgang Melzer, Thomas Neubaum, Dr. Udo H. Olgemöller, Marc O. Plepelits, Dr. Sven Prüfer, Dr. Knut Sauer, Martin Scharnke, Dr. Jochen Scheel, Thomas Ubber, Dr. Heike Weber, Dr. Michael Weiß, Jan Erik Windthorst, Dr. Marc Zimmerling
Senior Counsel: Peter H. Hoegen
Counsel: Boris Alexander Blunck, Dr. Jan-Hendrik Bode, Lennart Dahmen, Matthias Fischer, Dr. Mark Hallett, Woldemar Häring, Dr. Roman A. Kasten, Christian Klöpfer, Stefan Kuhm, Dr. Tim Nikolas Müller, Jens Nollmann, Dr. David T. Schmid, Dr. Esther Schmidt-Naumann, Dr. Sebastian Schulz, Tim Spranger, Dr. Katharina Stüber, Dr. Andre P. H. Wandt, Peter Wehner, Alexander Wüpper
Of Counsel: Stephan Funck, Frank Herring

Hamburg
Hanseatic Trade Center, Kehrwieder 12, 20457 Hamburg
Tel +49 (0)40 82221 20, Fax +49 (0)40 82221 2200
Dr. Börries Ahrens, Dr. Nicolaus Ascherfeld, Markulf Behrendt, Dr. Ellen Braun, Dr. Christian Hilmes, Dr. Nils Koffka, Max Landshut, Dr. Helge Schäfer, Dr. Hans Schoneweg
Counsel: Marie-Luise von Buchwaldt, Dr. René Galle, Dr. Rüdiger Klüber, Dr. Jonas Wittgens

München
Maximilianstraße 35, 80539 München
Tel +49 (0)89 71043 3000, Fax +49 (0)89 71043 3800
Dr. Gottfried E. Breuninger, Dr. Jan Ebersohl, Dr. Joachim Feldges, Dr. Astrid Krüger, Dr. Magnus Müller, Dr. Hendrik Röhricht, Dr. Walter Uebelhoer, Dr. Alexander Veith
Counsel: Dr. Ilja Baudisch, Dr. Alice Broichmann, Christina Habermayr, Dr. Dirk Schade, Dr. Bettina Scharff, Dr. Jens Wagner, Eda Zhuleku
 
 
 
 
 
 
 
 
 
0036335-0000808 UKO1: 2005527215.20
 
 
 
 
 
1.5 This opinion is structured as follows:

(a) Section :
(b) Section : ;
(c) Section :
(d) Section :
(e) : Opinion; and
(f) : Assumptions.

1.6 For the purposes of this opinion, the legal or natural person imparting the information subject to the duty of confidentiality will be the Rights Holder and the person receiving that information, in this case UBS ESE, will be the Recipient.
 
2. SUMMARY OF OPINION

Subject to the assumptions and qualifications below, it is our opinion that:

2.1 UBS ESE can, as a matter of applicable German law, submit to On-Site Inspection by the SEC. There is no restriction or general blocking statute on UBS ESE submitting to On-Site Inspection by the SEC. The remainder of this opinion focuses on UBS ESE’s ability to disclose information contained in Covered Books and Records to the SEC in the course of On-Site Inspection in Germany and the ability to provide UBS AG London Branch with prompt access to Covered Books and Records.

2.2 UBS ESE can, as a matter of applicable German law, provide the SEC with prompt access to Covered Books and Records held by UBS ESE in Germany either by disclosure of Covered Books and Records to UBS AG London Branch for the purpose of providing information to the SEC or to the SEC in the course of On-Site Inspections in Germany.[3]
 
Data Protection[4]

2.3 Disclosures of personal data (particularly special categories of data or criminal data) relating to UBS ESE’s clients and staff are subject to certain restrictions under the Data Protection Laws, particularly where this involves a cross-border transfer to a country or territory the European Commission has not found to have an ‘adequate’ data protection regime.[5] However, there are certain legal bases for making disclosures, and derogations from the prohibition on international transfers, that would be available to UBS ESE were it to be required by the SEC to make available personal data either by disclosure of Covered Books and Records to UBS AG London Branch for the purpose of providing information to the SEC or to the SEC in the course of On-Site Inspections in Germany. We note that these legal restrictions and derogations that UBS ESE would rely on when making disclosures to the SEC are the same legal requirements as referred to and reflected in the “Memorandum of Understanding concerning consultation, cooperation and the exchange of information related to the supervision and oversight of certain cross-border over-the-counter derivatives entities in connection with the use of substituted compliance by such entities” entered into between the SEC and the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin) (the BaFin MoU).[6] A similar Memorandum of Understanding was entered into by the SEC and the European Central Bank (ECB)[7] (the ECB MoU).[8]

[3] Where a restriction on the ability to grant access to, transfer or otherwise disclose personal data or to disclose confidential information applies, consent from the Rights Holder, validly given in accordance with the relevant standard for consent under each applicable legal obligation, would allow for such information to be lawfully transferred to the SEC or disclosed to the SEC during On-Site Inspection. Please note that valid consent is assumed in Assumption

[4] Please refer to section of for definitions of Data Protection Laws, EU GDPR and the BDSG.

[5] According to Article 44 of the EU GDPR, any transfer of personal data to third countries or international organizations must, in addition to complying with Chapter V of the EU GDPR, also meet the conditions of the other provisions of the EU GDPR.
 
2.4 We anticipate that the legitimate interests legal basis for processing would provide an applicable grounds under the EU GDPR to enable disclosure of Covered Books and Records to UBS AG London Branch for the purpose of providing information to the SEC and to permit On-Site Inspection.

Banking Secrecy Principle

2.5 The German banking secrecy principle (the German Banking Secrecy Principle) applies in respect of all business and private information on the client obtained by a bank on the basis or within the context of its client business pursuant to a contractual relationship with the client. In Germany, the banking secrecy principle is primarily a matter of contract law. Against this background, the German Banking Secrecy Principle does not differentiate between (i) customer data; and (ii) data of natural persons or legal entities, provided that the data are obtained on the basis or within the context of a customer business pursuant to a contractual relationship with a client governed by German law.

2.6 UBS ESE may share information contained in the Covered Books and Records or obtained by the SEC through On-Site Inspections either (i) where they are not in the scope of application of the German Banking Secrecy Principle or (ii) where the sharing is legally justified as it is either required by law or the relevant clients have consented to the disclosure. A client’s consent can be expressed implicitly.

2.7 German laws and orders of German authorities clearly justify a sharing of information covered by the German Banking Secrecy Principle. There is, however, no case law or administrative practice or clear legal literature as regards the “conflict” between foreign statutes and foreign orders on the one hand and the German Banking Secrecy Principle on the other hand. Hence, the legal situation is unclear. That said, in our view there are good reasons to believe that data sharing can be justified in relation to the German Banking Secrecy Principle by either (i) implied consent or (ii) a combination of the US statutes / the SEC orders in combination with the BaFin MoU / ECB MoU.

Principle of territoriality

2.8 According to the general territorial principle of international law, a state that wishes to take action outside its sovereign borders is, as a general rule, referred to private law, because the territorial principle of international law limits the validity of its sovereign acts to its national territory. In this respect, the SEC is in principle not authorized to take sovereign action, including On-Site Inspection of and obtaining access to Covered Books and Records, in Germany. However, such a permission can be found in the BaFin MoU between BaFin and SEC and also in the ECB MoU between ECB and SEC.[9] While the BaFin MoU and the ECB MoU are non-binding, in our view it should allow those actions to be taken without a breach of the general principle of territoriality.

Privacy and Human Rights

2.9 Protection for the general fundamental right to “respect for private and family life, home and correspondence” is enshrined in Article 8 of the European Convention on Human Rights (ECHR). This right is directly applicable in Germany. Actions in respect of Article 8 ECHR require a separate cause of action, such as an action arising from a wrongful act or other legal obligation, such as under the Data Protection Laws. However, we note that the ECHR only confers rights on private law subjects vis-à-vis the state and not among themselves. Consequently, the ECHR is not directly applicable to UBS ESE.

[6] Available at https://www.sec.gov/files/15122020-substituted-compliance-mou-germany-final-signatures.pdf.

[7] As UBS ESE qualifies as a “significant institution” within the meaning of Art. 6(4) of the Regulation (EU) No. 1024/2013 (the Single Supervisory Mechanism Regulation), it is, as regards prudential supervision, also subject to direct supervision by the ECB.

[8] The Memorandum of Understanding between the United States Securities and Exchange Commission and the European Central Bank concerning consultation, cooperation and the exchange of information related to the supervision and oversight of certain cross-border over-the-counter derivatives entities in connection with the use of substituted compliance by such entities dated 16 August 2021 (available at https://www.bankingsupervision.europa.eu/legalframework/mous/html/ssm.mou_2021_sec~220403db9b.en.pdf).

[9] Article II paragraph 25 et seq. of the ECB MoU and Article II paragraph 26 et seq. of the BaFin MoU.

2.10 Article 8 ECHR is, as it were, the legal foundation on which the GDPR has been based. The GDPR is detailing the fundamental right laid down in Article 8 ECHR. Thus, Article 8 ECHR and the GDPR are intertwined with each other. As long as the provision of information to the SEC by UBS ESE falls entirely within the scope of and is in compliance with the Data Protection Laws, we consider the general fundamental right set out in Article 8 ECHR will be protected.

This summary opinion is not a substitute for the full expression of our views set out in
 
3. SCOPE, ASSUMPTIONS AND QUALIFICATIONS

3.1 This opinion relates solely to access provided to the SEC by UBS AG, through its London Branch, of Covered Books and Records held on its behalf by UBS ESE in Germany and On-Site Inspection of UBS ESE by the SEC in Germany. This opinion applies equally to remote access from the United States to Covered Books and Records held in the Federal Republic of Germany. This opinion excludes books and records held in the US.

3.2 This opinion has been prepared in accordance with UBS AG’s specific instructions as to the scope of the opinion. For this purpose you have issued us with guidance from a third party US law firm which we have used to inform the scope of our opinion.

3.3 This opinion covers data relating to:

(a) SBS transactions concluded between UBS AG (through its associated persons employed by UBS ESE) and US Person counterparties, insofar as this data is held on behalf of UBS AG by UBS ESE (e.g. voice recordings and client communications) (these transactions will be concluded by staff of UBS ESE acting in the name and for the account of UBS AG London Branch and so some data relating to such transactions will be held by UBS AG London Branch in the United Kingdom (UK) – access to Covered Books and Records and On-Site Inspections by the SEC of data that is held in the UK is not within scope of this opinion); and

(b) the activities of the staff of UBS ESE pertaining to UBS AG’s SBS transactions that are also arranged, negotiated, or executed by personnel of UBS AG located in a US branch or office or by personnel of an agent of UBS AG located in a US branch or office (irrespective of whether UBS AG’s counterparty is a US Person or a non-US Person).

This opinion only covers transactions entered into by UBS AG where UBS ESE is acting on behalf of UBS AG. This opinion does not cover data relating to SBS transactions concluded between UBS ESE and its own counterparties (even though UBS ESE may be relying on the counting exemption set out in 17 CFR § 240.3a71-3(d) for such transactions, we are instructed that this data is not relevant for the purposes of 17 CFR § 240.15Fb2-4(c) and so this data is not within scope of this opinion.
 
 
 
 
 
 
3.4 This opinion only covers access to and the On-site Inspection of Covered Books and Records. Covered Books and Records include only those books and records which:

(a) relate to the US business[10] of the non-resident SBSD.[11] These are the records that relate to an SBS that is either:

(i) entered into, or offered to be entered into, by or on behalf of the non-resident SBSD, with a “U.S. Person” as defined in 17 CFR § 240.3a71-3(a)(4)[12] (US Person) (other than an SBS conducted through a foreign branch of such US Person[13]); or

(ii) arranged, negotiated, or executed by personnel of the non-resident SBSD located in a branch in the United States (US branch) or office or by personnel of an agent of the non-resident SBSD located in a US branch or office;[14] or

(b) constitute financial records necessary for the SEC to assess the non-resident SBSD’s compliance with the SEC’s margin and capital requirements, if applicable.[15]
 
3.5 Further to Assumption , this opinion is limited to those types of records that are relevant to prudentially regulated SBSDs, which excludes financial records as noted in paragraph . For this opinion, the term “Covered Books and Records” extends to these record types alone.

3.6 The issues addressed in this opinion apply equally across the different document types which constitute the Covered Books and Records based upon the information actually contained in each of the relevant Covered Books and Records. We have not examined any such documents or records.

3.7 In giving this opinion, we have made the further assumptions set out in .

3.8 No opinion is expressed on matters of fact.

3.9 As a practical matter, it may be particularly difficult to establish that consent is freely given where information relates to UBS ESE staff because consent is very difficult to rely on in an employment context, due to the inherent imbalance of power between an employer and its staff (for example, staff may believe there could be negative consequences should they refuse to give consent). Further, consent will only be valid if UBS ESE offers its staff a genuine choice over how the data is used and will only continue to be an appropriate legal basis if UBS ESE also offers its staff the opportunity to withdraw consent at any time. Where consent is relied upon in this opinion, it is on the basis that this practical matter has been overcome. Where consent is not available as a legal basis for disclosure (including where valid consent cannot be obtained), UBS ESE may be able to rely on an alternative basis for disclosure (e.g. the legitimate interest basis or another exception for international transfer of personal data).
 
 
[10] As defined in 17 CFR § 240.3a71-3(a)(8).

[11] Cross-Border Application of Certain [SBS] Requirements, 85 Fed. Reg. 6270, 6296 (Feb. 4, 2020) (the SEC Guidance).

[12] A “U.S. person” means any person that is “(i) a natural person resident in the U.S.; (ii) a partnership, corporation, trust, investment vehicle, or other legal person organized, incorporated, or established under the laws of the United States or having its principal place of business in the United States; (iii) an account (whether discretionary or non-discretionary) of a U.S. person; or (iv) an estate of a decedent who was a resident of the United States at the time of death.” 17 CFR § 240.3a71-3(a)(4).

[13] A “foreign branch” means “any branch of a U.S. bank if: (i) the branch is located outside of the United States; (ii) the branch operates for valid business reasons; and (iii) the branch is engaged in the business of banking and is subject to substantive banking regulation in the jurisdiction where located.” (17 CFR § 240.3a71-3(a)(2)). An “SBS conducted through a foreign branch” means an SBS that is “arranged, negotiated, and executed by a U.S. person through a foreign branch of such U.S. person if: (A) the foreign branch is the counterparty to such security-based swap transaction; and (B) the security-based swap transaction is arranged, negotiated, and executed on behalf of the foreign branch solely by persons located outside the United States.” (17 CFR § 240.3a71-3(a)(3)(i)).

[14] 17 CFR § 240.3a71-3(a)(8)(i)(B).

[15] The requirement set out in this paragraph does not apply to UBS AG because it is not subject to the SEC’s margin and capital requirements as it is assumed that UBS AG has a prudential regulator – please see Assumptions set out in
 
4. REVISIONS TO APPLICABLE LAW

4.1 We note that the SEC rules[16] require a non-resident SBSD to re-certify within 90 days after any changes in the legal or regulatory framework that would:

(a) impact the ability of the SBSD to provide prompt access to its Covered Books and Records;

(b) impact the manner in which it would provide prompt access to its Covered Books and Records; or

(c) impact the ability of the SEC to conduct On-Site Inspections.

4.2 Upon a change in law or regulatory framework of the sort outlined in paragraph above, the SBSD is required to submit a revised opinion describing how, as a matter of law, the SBSD will continue to meet its obligations.

4.3 This opinion relates solely to the laws of the Federal Republic of Germany and European Union (EU) law that is directly applicable in Germany (i.e. regulations pursuant to Art. 288(2) of the Treaty on the Functioning of the European Union), in each case, in force as at the date of this opinion. We have no obligation to notify any addressee of any change in any applicable law or its application after the date of this opinion.

5. RELIANCE AND CONFIDENTIALITY

5.1 This opinion is given for the sole benefit of the addressee. It may not be relied upon by anyone else without our prior written consent.

5.2 This opinion is not to be disclosed to any person outside of UBS AG’s group or used, circulated, quoted or otherwise referred to for any other purpose. However, we agree that a copy of this opinion letter may be disclosed:

(a) where disclosure is required or requested by any governmental, banking, taxation or other regulatory authority or similar body having jurisdiction over UBS AG (including to the SEC as part of UBS AG’s SBSD registration application) or by the rules of any relevant stock exchange or pursuant to any applicable law or regulation; and

(b) to UBS AG’s affiliates, and any of their officers, directors, employees, auditors, insurers, reinsurers, insurance brokers and professional advisors (in their capacity as such).

5.3 Any such disclosure must be made on the basis that it is for information purposes only, no recipient may rely on this advice, no client-lawyer relationship between us and the recipient arises following, or as a result of, any such disclosure. We assume no duty or liability to any recipient, and any recipient under paragraph will be subject to the same restrictions on disclosure as set out above.

5.4 We assume no obligation to advise you or any other person or to make any investigations as to any legal developments or factual matters arising subsequent to the date hereof that might affect the opinions expressed herein.
 
 
[16] 17 CFR § 240.15Fb2-4(c)(2).

Yours faithfully,
 
Allen & Overy LLP
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
ANNEX 1

OPINION

1. DATA PROTECTION

1.1 The General Data Protection Regulation 2016/679 (EU GDPR), and the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) (together, the Data Protection Laws) will apply to UBS ESE’s disclosure of Covered Books and Records to UBS AG London Branch for the purpose of providing information to the SEC and to the SEC in the course of On-Site Inspections, to the extent that these comprise or contain personal data. Personal data is data relating to an identified or identifiable living individual, so may extend to information on UBS ESE staff as well as clients.

1.2 Under the Data Protection Laws, specific additional restrictions apply for personal data relating to criminal convictions and offences.[17] These laws also impose heightened restrictions on the processing of ‘special category personal data’ – this is personal data that reveals racial or ethnic background, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data when used for ID purposes, health information, data concerning sex life or sexual orientation[18]. As special category personal data are less likely to be relevant in the context of UBS ESE’s disclosures to the SEC, the laws applicable to this data have not been considered in detail in this opinion.

1.3 Key restrictions in the Data Protection Laws relating to UBS ESE’s ability to disclose personal data to the SEC are set out below.

Legal basis for the disclosure

1.4 UBS ESE requires a legal basis under Article 6 of the EU GDPR to disclose personal data to the SEC in the course of On-Site Inspections and to provide UBS AG London Branch with access to its Covered Books and Records for the purpose of providing information to the SEC. Personal data cannot be disclosed if doing so would breach another legal requirement (e.g. banking secrecy – please see section ). Whilst there are a number of Article 6 legal bases on which UBS ESE may seek to rely, none on its own is so comprehensive as to cover all disclosures of personal data to the SEC, so UBS ESE will need to consider the most appropriate legal basis to apply to any given situation on a case-by-case basis.

1.5 The Article 6 legal bases most applicable to UBS ESE, together with their respective limitations, are as follows:

(a) Consent (Article 6(1)(a) EU GDPR): In order for consent to be valid under the Data Protection Laws, it must satisfy the high standard of being a freely-given, specific, informed and unambiguous indication of wishes.[19]

(b) Legitimate interests (Article 6(1)(f) EU GDPR): This is one of the most flexible legal bases for processing that can apply to a multitude of business purposes, including with respect to ensuring compliance with regulatory obligations. To rely on the legitimate interests ground, UBS ESE must:

(i) identify its, or a third party’s legitimate interest (this can include commercial interests, individual interests or broader societal benefits) in complying with the SEC’s disclosure request;

(ii) show that the disclosure of documents to the SEC is necessary for achieving these interests; and

(iii) balance these interests against the competing interests, rights and freedoms of the individuals concerned, and satisfy itself that those interests do not outweigh its own.

If individuals would not reasonably expect the disclosure, or if the disclosure would cause unjustified harm to the individuals, the interests of those individuals would likely override the interests of UBS ESE or the third party.

[17] Article 10 of the EU GDPR.

[18] Article 9(1) of the EU GDPR.

[19] Please also refer to limitations on the applicability of consent discussed in paragraph of section : We note that German data protection authorities are in practice particularly strict in relation to accepting employee consent as freely given and that under Section 26(2) of the BDSG, the employee’s level of dependence in the employment relationship and the circumstances under which consent was given must be taken into account in assessing whether such consent was freely given. That said, it may prove almost impossible in practice to obtain valid employee consent from UBS ESE’s staff for the purpose of disclosing their personal data to a non-EU based authority. Consent might therefore not generally be considered as a valid legal basis for disclosure of UBS ESE’s staff data and UBS ESE should rely on an alternative basis for disclosure (e.g. the legitimate interests). Please note that valid consent is assumed in Assumption

An individual has the right to object to the disclosure of their personal
 
data to the SEC under
this basis
 
for processing,
 
and UBS
 
ESE would
 
need to
 
demonstrate ‘compelling’ legitimate
grounds to process the data that override the rights, freedoms and interests
 
of that individual.
The balancing of legitimate interests against the competing interests, rights and freedoms of the individuals concerned should be made on a case-by-case basis and should consider all available facts. In particular, Recital 47 of the GDPR states that, when balancing their interests against those of the individuals concerned, controllers should take into account “the reasonable expectations of data subjects based on their relationship with the controller”. With this in mind, UBS ESE may argue that its interests are not outweighed by those of its clients or its employees on the basis that:
(i) clients are aware, due to statements contained in their terms of business with UBS AG, the US nexus when they engage in SBS transactions and, their understanding as sophisticated investors, that regulatory oversight will be exercised by the SEC, which may entail certain information regarding their transactions, including in some cases their personal data, to be disclosed to the SEC; and
(ii) the employees whose personal data may be disclosed to the SEC understand their role will involve SEC oversight due to their being classified as ‘associated persons’ for the purposes of SBS transactions and understand that, as a result, certain of their personal data may be disclosed to the SEC. More specifically, each associated person is required to complete an ‘SBS associated person questionnaire’, which provides advance notice that their activities may involve the disclosure of their personal data to the SEC and potentially require them to undertake interviews with the SEC. Each employee that is an associated person is also required to agree or acknowledge their understanding that their data may be provided to the SEC in connection with the SEC’s oversight of SBS transactions.
 
In addition, while focused on the relationship between the SEC and BaFin, the existence of the BaFin MoU arguably reflects an acceptance in Germany that the SEC has a duty to regulate SBS markets and may need to access information maintained by financial institutions located in Germany for this purpose. This argument is further supported by the ECB MoU, which similarly reflects an understanding of the SEC’s duties and an acceptance regarding the need for information, including personal data, to be provided to the SEC.[20]

[20] For the avoidance of doubt, we note however that neither the BaFin MoU nor the ECB MoU stipulates any exemptions from the compliance with applicable data protection rules under the GDPR, including from the international transfer rules.

Also relevant to this balancing of interests are that the SEC will:
 
(i) restrict its information requests for, and use of, any information to only the information that it requires for the legitimate and specific purpose of fulfilling its regulatory mandate and responsibilities and to prevent and/or enforce against potential illegal behaviour, with the type and amount of personal data requested being targeted based on risk and related to specific clients and accounts, and employees;[21] and
(ii) information, data and documents received by the SEC are maintained in a secure manner and only disclosed pursuant to strict US confidentiality laws.[22]
 
(c) Disclosure is necessary for compliance with a legal obligation to which UBS ESE is subject (Article 6(1)(c) EU GDPR): There must be a German or EU law nexus in order for UBS ESE to be able to rely on this legal basis. Article 6(3) of the EU GDPR requires that the legal obligation must be laid down by EU law or EU Member State law, to which the controller is subject, although this does not have to be an explicit statutory obligation, as long as the application of the law is foreseeable to UBS ESE as the person subject to it.[23]
In the context of this legal basis for processing, an SEC request in the absence of a German or EU legal requirement (e.g. a lawful request from BaFin in the exercise of its powers) would not justify the disclosure as being necessary for compliance with such an obligation. We further note that neither the BaFin MoU nor the ECB MoU create any legally binding obligations.[24]
 
(d) Disclosure is necessary for the performance of a task carried out in the public interest (Article 6(1)(e) EU GDPR): According to German data protection authorities’ and legal literature’s interpretation of this legal basis, only entities who are officially entrusted with performing public tasks or are vested with public authority are able to rely on this legal basis.[25] As a result it is not possible for UBS ESE to rely on this legal basis for the disclosure of personal data contained in the Covered Books and Records from a German data protection law perspective.
 
(e) Disclosure is necessary for the establishment, exercise or defence of legal claims unless the data subject has an overriding interest in not having the data processed (Section 24(1) no.2 BDSG): The effects of the disclosure on the data subject must be assessed on a case-by-case basis, taking into account in particular if the disclosure of personal data is truly necessary or if there are less intrusive ways to fulfil UBS ESE’s interest in the establishment, exercise or defence of legal claims.
 
Based upon the above, the legitimate interests basis for processing is likely to be the most appropriate Article 6 EU GDPR grounds on which UBS ESE could rely in relation to its disclosure of Covered Books and Records to the SEC and to permit On-Site Inspection.
1.6 It is considered very unlikely that personal data included in Covered Books and Records or disclosed to the SEC during On-Site Inspections will include special categories of personal data. Further, UBS ESE might not hold all information described in 17 C.F.R. §§.18a-5(b)(8)(i)(A) through (H) or 240.18a-5(a)(10)(i)(A) through (H), as the case may be an associated person who is not a US Person.[26] However, to the extent that this does occur, and such information is held by UBS ESE, in addition to an Article 6 EU GDPR legal basis, UBS ESE will need to establish an additional condition for processing under Article 9 of the EU GDPR if it discloses special categories of personal data to the SEC, such as where it is necessary for the establishment, exercise or defence of legal claims. Other than valid consent,[27] the Article 9 EU GDPR conditions that are most likely to apply to disclosure of special categories of personal data contained in the Covered Books and Records are:
(a) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity (Article 9(2)(f) EU GDPR and Section 24(1) no. 2 BDSG); and
(b) processing is necessary for reasons of substantial interest, on the basis of domestic or Member State law (Article 9(2)(g) EU GDPR).

[21] Please refer to Assumptions and in , as well as Article II paragraphs 44, 54 of the BaFin MoU and Article II paragraph 49 of the ECB MoU.
[22] Please refer to Assumption in , as well as paragraph 60 of the BaFin MoU and paragraph 56 of the ECB MoU.
[23] Recital 41 EU GDPR.
[24] Article II paragraph 28 of the BaFin MoU / Article II paragraph 27 of the ECB MoU.
[25] See DSK short paper no. 4 (Kurzpapier Nr. 4 Datenübermittlung in Drittländer), available at https://www.datenschutzkonferenz-online.de/media/kp/dsk_kpnr_4.pdf
[26] As we understand is as defined in 17 C.F.R. §240.3a71-3(a)(4)(i)(A).
1.7 Although Sections 22 and 26(3) BDSG provide for additional legal bases for the processing of special categories of personal data, none of these additional bases is likely to be available for disclosing special categories of personal data to the SEC by UBS ESE, as these legal bases refer to the processing for purposes of preventive medicine or where the processing is required under employment or social laws.
 
1.8 Similarly, UBS ESE’s processing of personal data relating to criminal convictions and offences or related security measures is highly restricted, and can only be disclosed based on Article 6(1) EU GDPR under the control of official authority or when the processing is authorised by EU or EU Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.[28] It is recognised by the legislative memorandum[29] to the BDSG that Section 26 BDSG is such EU Member State law that allows processing of criminal data without the control of official authority. That is, to the extent that the disclosure of criminal data is necessary for the performance of the employment relationship, Section 26 BDSG could allow on a case-by-case assessment the disclosure of UBS ESE staff’s criminal data.[30]
 
Data protection principles
1.9 In addition to establishing a legal basis for the disclosure, UBS ESE would need to ensure that its disclosures are compliant with the remaining requirements under the Data Protection Laws, including the data protection principles set out in Article 5 of the EU GDPR. For example, UBS ESE must:
(a) be transparent with those whose personal data is to be disclosed to the SEC, who must be provided with fair processing information (usually in the form of a privacy notice or statement);
(b) with respect to the data itself, ensure that it only provides personal data that is adequate, relevant and limited to what is necessary in relation to the purposes of its regulatory activities;
(c) be careful to avoid participating in ‘data dumps’ and should consider withholding documents, anonymising personal data (or pseudonymising data where full anonymisation is not possible) and redacting personal data from documents as appropriate;
(d) ensure that the data is accurate and, where necessary, kept up to date;
(e) keep the personal data in a form that enables identification of individuals for no longer than is necessary for the purposes for which the personal data is processed; and
(f) ensure that the confidentiality and integrity of personal data is maintained, and as such, implement appropriate security measures (e.g. encryption) to protect the personal data.

[27] Article 9(2)(a) EU GDPR please also refer to limitations on the applicability of consent discussed in paragraph of section : Please note that valid consent is assumed in Assumption
[28] Article 10 sent. 1 EU GDPR.
[29] BT-Drs. 18/11325, p. 97.
[30] We note, however, that in our experience German data protection authorities tend to apply the necessity test rather strictly in the employment context in practice.
 
1.10 Whilst it is possible that the SEC has taken these principles into account in its request for access to the Covered Books and Records, responsibility remains with UBS ESE to ensure that any disclosure of personal data in the Covered Books and Records complies with all requirements under the Data Protection Laws and to verify this and implement its own compliance measures.
 
International transfers
1.11 The general principle in the EU GDPR is that UBS ESE may not transfer personal data to a jurisdiction outside the European Economic Area, unless it can satisfy a condition for the transfer as set out in Chapter V of the EU GDPR.
 
1.12 Article 45 of the EU GDPR allows for UBS ESE to transfer personal data to a recipient outside the EEA where the transfer is based on an adequacy decision of the European Commission. For the purposes of providing Covered Books and Records to UBS AG London Branch, the adequacy decision of the European Commission currently in effect in respect of the UK[31] allows transfers of personal data from the EEA, including Germany, to the UK to be made freely. Any transfer from UBS ESE to UBS AG London Branch would therefore be permitted without limitation (provided that the disclosure otherwise complied with the EU GDPR).
 
1.13 It should be noted that under Article 44 sent. 1, Recital 101 of the EU GDPR any onward transfer of UBS ESE’s Covered Books and Records by UBS AG London Branch to the SEC is still subject to the transfer requirements of the EU GDPR. In this regard it is helpful that the European Commission’s adequacy decision for the UK addresses onward transfers from the UK and notes that the regime on international transfers under the UK GDPR and UK DPA 2018 is in substance identical to the transfer regime under the EU GDPR.[32] The primary options available to UBS AG London Branch pursuant to this EU GDPR restriction applicable to data originating from UBS ESE when disclosing the UBS ESE’s Covered Books and Records to the SEC in the US are as follows:
(a) Derogations (Article 49 EU GDPR): Where a transfer mechanism adopted by the European Commission in respect of the US is not available (as is currently the case), derogations for specific situations from the transfer prohibition are potentially available under EU GDPR for facilitating UBS AG London Branch’s transfer of personal data contained in UBS ESE’s Covered Books and Records to the SEC. These derogations include:
(i) Consent: relying on consent to enable an international transfer requires that UBS ESE has (A) explicitly stated to the Rights Holder that the data protection level at the recipient is not comparable to the data protection level in Germany, noting that the controller will not be able to ensure that an adequate data protection level is achieved by using a transfer mechanism available under the EU GDPR, with the result that their personal data will not be subject to data protection that is equivalent to that established under the EU GDPR, and (B) included in the consent form a description of the data protection laws and practices in the recipient country (i.e. in this case, the US), so that the data subject is in a position to make an informed decision[33];[34] and
(ii) legitimate interests: a data transfer on the basis of legitimate interests may only take place if (A) the transfer is not repetitive, (B) concerns only a limited number of data subjects, (C) is necessary for the purposes of compelling legitimate interests pursued by UBS ESE, (D) UBS ESE’s legitimate interests are not overridden by the interests or rights and freedoms of the Rights Holder, (E) UBS ESE has assessed all the circumstances surrounding the data transfer and (F) UBS ESE has, on the basis of that assessment, provided suitable safeguards with regard to the protection of personal data. UBS ESE must inform the Data Protection Authority of the State of Hesse (being UBS ESE’s supervisory authority for data protection) of the transfer. UBS ESE must, in addition to providing the information referred to in Articles 13 and 14 EU GDPR, inform the data subject of the transfer and of the compelling legitimate interests pursued.
Each of the consent and legitimate interest derogations needs to be applied on a case-by-case basis.[35] We note that the derogation that the transfer is strictly necessary for important reasons of public interest will likely not be applicable from a German data protection perspective.

[31] Commission Implementing Decision of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom. Please note that in the future the adequacy decision may be withdrawn, not prolonged or restricted and that the current adequacy decision is limited to four years.
[32] Paragraph 2.5.7, recitals (74) and (75) of the Commission Implementing Decision of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom.
[33] [Local guidance – source to be added]
[34] Please note that valid consent is assumed in Assumption
 
(b) BaFin route: In certain situations, for example where UBS ESE considers the transfer of data to UBS AG London Branch for the purpose of providing information to the SEC to be high risk, it may be possible to arrange for the disclosure to be made to BaFin, which could then transfer the data to the SEC in the US.[36] This route would avoid UBS ESE and UBS AG being responsible for ensuring the international onward transfer was fully compliant with Article 44 sent. 1, Recital 101 of the EU GDPR.
1.14 Access to Covered Books and Records granted to the SEC in the course of On-Site Inspections would not entail UBS ESE effecting an international transfer and so restrictions in Chapter V of the EU GDPR would not apply to that situation.
 
2. BANKING SECRECY PRINCIPLE (BANKGEHEIMNIS)
General considerations
2.1 Note that the banking secrecy principle is only relevant for UBS ESE where the contractual relationships with the customers are governed by German law.
2.2 According to the German banking secrecy principle (the German Banking Secrecy Principle), a credit institution, such as UBS ESE, is obliged to treat any client-related information as being confidential and to disclose this information only on a need to know basis by applying strict safeguarding measures. In Germany, the banking secrecy principle is primarily a matter of contract law. It is not codified in the German civil code (Bürgerliches Gesetzbuch) or other laws. However, according to the jurisprudence of the German Federal High Court (Bundesgerichtshof), the German Banking Secrecy Principle constitutes an ancillary obligation of the banking contract between the bank and its customer and forms therefore part of each contractual banking relationship between a German bank and its customers governed by German law. In recognition of that fact, the duty to observe the German Banking Secrecy Principle has been incorporated in No. 2(1) of the standard General Terms and Conditions for Banks (Allgemeine Geschäftsbedingungen AGB-Banken).
 
2.3 Against this background, the German Banking Secrecy Principle does not differentiate between (i) customer data; and (ii) data of natural persons or legal entities, provided that the data are obtained by UBS ESE on the basis or within the context of its customer business/contractual relationship.
2.4 Though, on the one hand, it is undisputed that each bank can generally modify the AGB-Banken for their own purposes, it is on the other hand unclear to what extent the German Banking Secrecy Principle can be waived by such modification. It can be expected that there is a customary law foundation (Gewohnheitsrecht) to the German Banking Secrecy Principle, according to which such principle is such an essential part of the relationship between a bank and its client that it cannot be carved out. For clarification purposes, we would therefore like to highlight that a mere deletion of No. 2(1) AGB-Banken would not result in the German Banking Secrecy Principle being inapplicable.

[35] Article 49(1) EU GDPR at sentence 1 paragraph (a) and sentence 2, respectively.
[36] See Article 48 EU GDPR.

Scope of protection under the German Banking Secrecy Principle
2.5 The German Banking Secrecy Principle applies in respect of all business and private information on the client obtained by a bank on the basis or within the context of its client business/contractual relationship, i.e. not only personal data. Furthermore, the German Banking Secrecy Principle applies to all outward as well as inward processes of the bank. Hence, even inside the bank only those individuals which have a legitimate interest may have access to the data subject to the German Banking Secrecy Principle (“need to know” principle).
2.6 Anonymised data (i.e. data that has been amended in such a way that it is technically impossible to trace it back to specific persons or is only possible with disproportionate effort) or redacted data are not included in the scope of the German Banking Secrecy Principle and can be transferred to third parties without further restrictions related to the bank secrecy.
2.7 Consequently, where Covered Books and Records do not contain any relevant forms of business and private information on the client obtained by UBS ESE on the basis or within the context of its client business/contractual relationship (e.g. transaction data such as volumes and prices) the German Banking Secrecy Principle will not apply, and hence UBS ESE can share the information without customer consent.
Sharing of information – general limitations on sharing of information within the scope of the German Banking Secrecy Principle
2.8 As a general remark, it should be noted that there is neither case law nor legal literature discussing in detail the limits of the German Banking Secrecy Principle if it comes to sharing information with US authorities such as the SEC. This is probably mainly due to the fact that traditionally data protection rules were stricter than the banking secrecy limits and that there are few instances where data sharing results in damages to the customer which would justify a legal proceeding. Therefore, it seems very difficult to precisely determine to what extent data may be shared with SEC for the purpose of the registration as an SBSD in the US.
2.9 According to No. 2(1) of the AGB-Banken which incorporates the general principles developed on the German Banking Secrecy Principle UBS ESE may share information falling within the scope of the German Banking Secrecy Principle only if:
(a) required by law,
(b) the client has consented to the disclosure, or
(c) the bank is authorised to provide a bank notification requested by another bank (Bankauskunft) (cf. No. 2(1) sent. 1 AGB-Banken).[37]
 
Sharing of information if “required by law” – assessment
2.10 Although information contained in the Covered Books and Records or obtained through On-Site Inspections is covered by the German Banking Secrecy Principle, it may be shared if there is a legal obligation/requirement to do so, i.e. where a law to which the bank is subject requires that the information shall be disclosed (Legal Requirement). Such Legal Requirements are included, inter alia, in German tax, criminal law, AML and regulatory law provisions (c.f. Kümpel/Mülbert/Früh/Seyfried, Bank- und Kapitalmarktrecht, No. 2 AGB-Banken: Bankgeheimnis und Bankauskunft, Recital 3_254).

[37] As the third option mentioned in the AGB-Banken, disclosing data on the basis of a bank notification, is not relevant in the case at hand, it is not further discussed in this opinion.

2.11 As far as it is based on Legal Requirements, a data-sharing request does not contradict the German Banking Secrecy Principle. However, the question is whether these considerations can also be applied in the case at hand where the information request is not per se based on German law, but on foreign law:
Sec 44(1) of the German Banking Act as Legal Requirement
2.12 Pursuant to Sec. 44(1) of the German Banking Act (Kreditwesengesetz KWG), BaFin and the ECB have the power to request from institutions information about all business activities, documentation and, if necessary, copies, and also to perform on-site inspections. Consequently, the disclosure of information based on this provision does not contradict the German Banking Secrecy Principle.
 
2.13 However, this specific power is only available to BaFin and the ECB to oblige UBS ESE to disclose client-related information vis-à-vis BaFin and the ECB themselves. It is not clear whether this power applies equally to investigations conducted by the ECB to support foreign regulators such as SEC because BaFin and the ECB are subject to professional secrecy requirements when sharing information. In any event, Sec. 44(1) KWG would only allow measures undertaken by BaFin and the ECB to support SEC, but by no means measures undertaken by SEC directly. As this opinion is focussed on the latter, Sec. 44(1) KWG will not constitute a sufficient legal basis in the case at hand.
17 CFR 240.18a-6(g) as Legal Requirement
2.14 Pursuant to 17 CFR 240.18a-6(g) a non-resident security-based swap dealer and non-resident major security-based swap participant applying for registration must provide the SEC access to Books and Records and must allow for On-Site Inspections. This might justify the sharing of information with UBS AG London Branch for the purpose of providing information to the SEC or with the SEC in the course of On-Site Inspections in Germany.
2.15 In general, only legal requirements to which UBS ESE is directly subjected may justify the disclosure and sharing of client-related information with UBS AG London Branch for the purpose of providing information to the SEC or with the SEC in the course of On-Site Inspections in Germany. UBS ESE is primarily authorised and supervised in Germany and therefore subject to local rules. We are not aware of any legal literature or case law dealing with the question of whether foreign statute may justify the disclosure of information subjected to the German Banking Secrecy Principle. Therefore, it is uncertain, whether such a US rule may justify the disclosure of client-related information.
 
Order of a court / administrative order as Legal Requirement
2.16 Legal literature considers an order of a foreign court to be sufficient to override the legal duties of the German Banking Secrecy Principle. This should also apply to the disclosure of information in the event of a request for information from a foreign authority, provided that this is enforceable in Germany or where for example, the foreign authority has prosecutorial powers (c.f. Wech, das Bankgeheimnis, p. 458; Canaris, Bankvertragsrecht, Recital 62).
 
2.17 In the case of the SEC, SEC measures are generally not enforceable in Germany and the SEC does not have prosecutorial powers in Germany. Therefore, as in the case of US law, it is unclear whether an SEC order can justify sharing of data. However, in any event, to rely on this exception, UBS ESE would need to balance its interests in complying with the SEC’s disclosure request against the German Banking Secrecy Principle and UBS ESE must satisfy itself that the customer interests do not outweigh its own; this needs to be assessed in practice on a case-by-case basis (c.f. Canaris, Bankvertragsrecht, Recital 62).
BaFin MoU as Legal Requirement[38]
2.18 Pursuant to Article IV paragraph 44 of the BaFin MoU, the SEC is able to directly request Books and Records when necessary to fulfil its regulatory mandate or to conduct On-Site Inspections. However, in this regard we note the following: (i) The BaFin MoU is a public law arrangement. It is unclear whether it can have an effect on the German Banking Secrecy Principle which is, as set out above, rooted in civil law. (ii) More importantly, pursuant to Article II paragraph 28 of the BaFin MoU, the BaFin MoU “does not create any legally binding obligations, confer any rights or supersede domestic laws, nor should it be construed as an agreement to limit the protection and safeguards provided by the laws applicable to the authorities and does not confer upon any person the right or ability, directly or indirectly, to obtain, suppress, or exclude any information or to challenge the exchange of information under this MoU”. Consequently, the BaFin MoU lacks the authority of statute.
 
2.19 Nevertheless, whilst the position is not free from doubt, in our view one could well argue that the combination of the BaFin MoU, the US laws and the SEC orders justify the sharing of data from a banking secrecy perspective.
2.20 Sharing of information in case of “consent” – assessment
2.21 In case there is no Legal Requirement on the basis of which client-related information sharing can be justified, sharing of client data protected by the German Banking Secrecy Principle may only be based on customer consent.
2.22 Customer consent exists in the form of implied or explicit consent: There are recognised circumstances in which the sharing and disclosure of client-related data is in the interest of the relevant client. In such cases, the German Banking Secrecy Principle shall not prevent the disclosure or sharing of client-related data as the sharing of customer data is justified by implied consent (konkludente Einwilligung). Otherwise, explicit consent would be required.
Explicit consent
2.23 Generally speaking, explicit consent can always justify information sharing. Such explicit consent must be provided on a case-by-case basis for the duration of the contractual relationship. This means, that a consent in form of a more general consent, i.e. consent allowing the transfer of information to the US in any circumstance may not be sufficient. Please note that we have assumed at Assumption of that UBS ESE has validly obtained such explicit consent.
Implied consent (disclosure of information in the clients’ interest)
2.24 In an economy of scale with regard to the provision of services by UBS ESE and the receipt of services by the customers, the sharing of information is a key requirement for the efficient running of a banking business. The German Banking Secrecy Principle shall not compromise this (c.f. WM 2000, p. 503). Therefore, it is recognised that the sharing of information can be justified by implied consent where such sharing of information is, from a broader perspective, in the interest of the customers. This requires, however, a balancing of interests.
38 The ECB MoU contains similar rules.
 
 
2.25 As a consequence of the registration of UBS AG as a SBSD in the US, we understand that the customer benefits by having access to a wider range of products. While not being a typical case of sharing of information for an economy of scale, we nevertheless believe that one can well argue that such benefits can form the basis of an implied consent.
 
2.26 However, as mentioned, to rely on this exception, UBS ESE must balance its interests in complying with the SEC’s disclosure request against the principle of the German Banking Secrecy Principle and UBS ESE must satisfy itself that those interests do not outweigh its own. While this would need to be assessed on a case-by-case basis, it seems that, as a matter of principle, for those clients who personally make use of the opportunities resulting from the access to SBS transactions, such benefits may outweigh the data sharing.
 
Potential sanctions in case of a breach of the German Banking Secrecy Principle – Overview
2.27 A breach of banking secrecy has civil law consequences for UBS ESE. It entitles the customer to terminate the contract with UBS ESE without notice (c.f. No. 18(2) AGB-Banken) as well as to claims for damages, injunctive relief and claims for restitution or deletion of the data.
2.28 Note that a successful claim for breach of banking secrecy must demonstrate that there has been an unauthorised use of confidential information to the detriment of the Rights Holder, i.e. the customer.
3. PRINCIPLE OF TERRITORIALITY
3.1 According to the general territorial principle of international law, a state that wishes to take action outside its sovereign borders is, as a general rule, referred to private law, because the territorial principle of international law limits the validity of its sovereign acts to its national territory. In this respect, the SEC is in principle not authorized to take sovereign action, including On-Site Inspection and obtaining access to Covered Books and Records, in Germany. However, such a permission can be found in an MoU between BaFin and the SEC. While this MoU is non-binding, in our view it should allow those actions to be taken without a breach of the general territorial principle.
***
 
 
 
 
 
 
 
 
 
 
 
 
ANNEX 2
 
ASSUMPTIONS
This opinion relies on the following assumptions:
1. UBS AG has a “prudential regulator” as defined by Section 3 of the US Securities Exchange Act of 1934 (the Securities Exchange Act). As such, the Covered Books and Records considered in this opinion are limited to what a prudentially regulated SBSD must be able to share with the SEC.
 
2. Additionally, in accordance with SEC Guidance at 85 FR 6297, books and records pertaining to SBS transactions entered into prior to the date that UBS AG submits an application for registration are not Covered Books and Records.
 
3. Where transfers of personal data are made to the SEC in the absence of an adequacy determination, such disclosure will be made in compliance with Articles 44 et seq. of the EU GDPR and limited to what is necessary for the purpose of the transfer (i.e. compliance with the principle of data minimisation, e.g. by applying less intrusive processing activities such as redaction).
4. UBS ESE or, as the case may be, UBS AG has obtained any necessary prior consent of the persons (e.g., counterparties, employees) whose information is or will be included in Covered Books and Records in order to provide the SEC with access to its Covered Books and Records or to allow On-Site Inspections, to the extent, as considered in this opinion, such consent would constitute valid consent and such consent has not been withdrawn. Insofar as Covered Books and Records relate to employees of UBS ESE, such employees are “associated persons” of UBS AG for purposes of 17 CFR § 240.18a-5(b)(8) who have agreed to sharing of their personal/employment information with the SEC in the event of a request for information from the SEC.
 
5. Any data held by UBS ESE that is subject to a disclosure request from the SEC, either by way of access or On-Site Inspection, will be held by UBS ESE in Germany. Whilst UBS ESE will be subject to direct On-Site Inspection by the SEC in Germany, UBS ESE will provide access to its Covered Books and Records (beyond On-Site Inspections) to UBS AG London Branch, rather than providing this access directly to the SEC.
 
6. The SEC will restrict its information requests for, and use of, any information pursuant to its access to Covered Books and Records and On-Site Inspections to only the information that it requires for the legitimate and specific purpose of fulfilling its regulatory mandate and responsibilities by evaluating compliance with legal obligations designed to ensure the proper legal administration of SEC-regulated firms (which includes regulating, administering, supervising, enforcing and securing compliance with the securities or derivatives laws in its jurisdiction) and to prevent and/or enforce against potential illegal behaviour.
 
7. Similarly, UBS ESE will ensure that its disclosures are compliant with the data protection principles set out in Article 5 of the EU GDPR.39 We understand that UBS’ general experience in responding to information requests from the SEC (or other US and non-US regulators) leads it to maintain a belief, which it considers to be reasonable, that UBS ESE can and (subject to any changes in applicable law and regulation and/or the approach of relevant regulators, including the competent German data protection authorities) will continue to be able to comply with these data protection principles in the course of making disclosures of the sort required when providing access to Covered Books and Records and submitting to On-Site Inspection.40
 
8. It is the SEC’s practice to limit the type and amount of personal data it requests during examinations to targeted requests based on risk and related to specific clients and accounts, and employees. The requested information may include some limited criminal records data and ‘special category data’ under the EU GDPR (as described in paragraph of to this opinion). We understand that this aligns with UBS’ general experience in responding to information requests from the SEC, leading it to maintain a belief, which it considers to be reasonable, that this assumption is, and will remain, accurate (subject to any changes in applicable law and regulation and/or the approach of relevant regulators, including the competent German data protection authorities).41

39 These principles are set out in at paragraph
40 See the SEC Guidance at 85 FR 6298.
 
9. Information, data and documents received by the SEC are maintained in a secure manner and, under strict US laws of confidentiality, information about individuals cannot be onward shared save for certain uses publicly disclosed by the SEC, including in an enforcement proceeding, pursuant to a valid and non-exempt US Freedom of Information Act (FOIA) request,42 pursuant to a lawful request of the US Congress or a properly issued subpoena, or to other regulators who have demonstrated a need for the information and provide assurances of confidentiality.
10. UBS ESE has policies in place directing its staff not to use UBS ESE’s communication services (e.g. business e-mail accounts, telephones, chat services, etc.) for private purposes, and directing its staff not to use private communication services for business purposes.
11. All terms of business entered into with clients conducting SBS transactions contain clear statements such that clients are aware that regulatory oversight will be exercised by regulatory authorities and that information regarding their transactions, including their personal data, can be disclosed to regulatory authorities (for example, clause 10, and in particular clause 10(b) of the terms of business for professional clients and eligible counterparties (March 2019)43).
12. UBS AG does not include the information described in 17 C.F.R. §§.18a-5(b)(8)(i)(A) through (H) or 240.18a-5(a)(10)(i)(A) through (H), as the case may be, in questionnaires or applications for employment executed by an associated person who is not a US Person (as defined in 17 C.F.R. §240.3a71-3(a)(4)(i)(A)), unless UBS AG is required to obtain such information under applicable law in the jurisdiction in which the associated person is employed or located or obtains such information in conducting a background check that is customary for UBS AG in that jurisdiction and the creation or maintenance of records reflecting that information would not result in a violation of applicable law in the jurisdiction in which the associated person is employed or located.
***
41 See the SEC Guidance at 85 FR 6298.
 
42 We do not give any views in the opinion to matters of US law, though we understand that information can be made public pursuant to requests under the US FOIA, and that certain information is exempt from such requests, including (among others): (1) a trade secret or privileged or confidential commercial or financial information obtained from a person; (2) a personnel, medical, or similar file the release of which would constitute a clearly unwarranted invasion of personal privacy; (3) information compiled for law enforcement purposes, the release of which (a) could reasonably be expected to interfere with law enforcement proceedings; (b) would deprive a person of a right to a fair trial or an impartial adjudication; (c) could reasonably be expected to constitute an unwarranted invasion of personal privacy; (d) could reasonably be expected to disclose the identity of a confidential source; (e) would disclose techniques, procedures, or guidelines for investigations or prosecutions; or (f) could reasonably be expected to endanger an individual's life or physical safety; (4) contained in or related to examination, operating, or condition reports about financial institutions that the SEC regulates or supervises.
43 Available at: https://www.ubs.com/global/en/investment-bank/regulatory/_jcr_content/mainpar/toplevelgrid/col1/linklist_1815406319/link.1894740908.file/PS9jb250ZW50L2RhbS9JbnZlc3RtZW50QmFuay9kb2N1bWVudHMvaWJ0ZXJtcy90ZXJtcy1vZi1idXNpbmVzcy5wZGY=/terms-of-business.pdf.
 