Protecting participants’ personal information

Keeping personal and financial information protected and secure through responsible information collection and use practices is a commitment we all share. And in today’s fast-evolving privacy and information security landscape, it is an essential priority.

We have comprehensive global information security and privacy programs led by the Bank’s Chief Information Security Officer and Chief Privacy Officer with significant rigor and resources. Our privacy policies are based on regulatory requirements; federal, state, and local laws; industry standards and best practices; and are subject to ongoing regulatory oversight and examination.

What is the European Union (EU) General Data Protection Regulation (GDPR)?

The EU GDPR is a comprehensive privacy regulation that went into effect on May 25, 2018. It applies across all business types and sectors established in the EU and organizations established outside the EU that offer goods or services to EU individuals and/or monitor the behavior of EU individuals. It replaces the EU Data Protection Directive, building on the Directive’s requirements and expanding individual rights and companies’ compliance obligations related to the collection, use, storage, transfer, and destruction of personal data in the EU and beyond.

GDPR, Bank of America, and Merrill Lynch’s Retirement and Benefit Plan Services

Bank of America established an enterprise-wide GDPR program, with key executive sponsorship, that covered its impacted subsidiaries and affiliates. Data processing activities that involve data about individuals in the EU were reviewed, including applications and databases, policies, processes, and procedures to ensure that employees, partners, and vendors process personal data in compliance with GDPR requirements. We assessed our processing activities that involve personal data of individuals in the EU to determine GDPR applicability. The evaluation and assessment resulted in the determination that Merrill Lynch’s Retirement and Benefit Plan Services (RBPS) does not trigger application of the GDPR based on the business: not being established in the EU, not offering goods or services to individuals in the EU, and not monitoring behavior of individuals in the EU.

RBPS is a U.S. provider of institutional retirement and benefit plan services, including defined contribution, equity, nonqualified deferred compensation, defined benefit, and health benefit solutions.
The standard process is the U.S. plan sponsor collects their employees’ personal information, including those employees in the EU, and sends it to RBPS, in order for RBPS to provide the recordkeeping services.
RBPS provides the recordkeeping services to the U.S. plan sponsor. This includes, at the direction of the plan sponsor, making available the Merrill Lynch Benefits OnLine® website to plan sponsor’s employees for the limited purpose of viewing their plan information and making elections or other transactions relating to such information. You can access information about how Merrill Lynch safeguards privacy and security on our websites here.
Any communications with individual plan participants are limited to servicing of the plan or a separate brokerage account, as applicable, under a separate relationship with an individual.
In connection with providing products and services, and at the request of the employer, we make available websites, mobile device applications, and written brochures (collectively, “Sites”) in order to provide participants with information regarding their plan. Under no circumstances should the Sites, or any information included in these Sites, be used as or considered to be an offer to sell or a solicitation to buy any securities or services from Merrill Lynch or any other person or entity.

Supporting our clients

We remain committed to the protection of data with rigorous policies, controls, and compliance oversight to ensure that data is held and used appropriately. Some of the ways we accomplish this are by contractually committing to protection that includes:

Adhering to the privacy regulations under Title V of the Gramm-Leach-Bliley Act.
Setting standards and describing controls for securing the information that we maintain.
Agreeing to pass through substantially similar obligations to our subcontractors to protect the information.
Committing to provide reasonable and timely assistance to help our clients meet their obligations under the GDPR.
Responding to information security assessment requests.

Supporting participant requests

While the GDPR does not apply to the Retirement and Benefits Plan business, we will support any participant’s requests for, or questions about, what personal information we have on file. In those scenarios, your Client Service Manager will notify the plan sponsor of the participant request. Please note that participant requests must be initiated by the individual directly through the Contact Center.

Our ongoing commitment

We are steadfast in our commitment to putting our clients’ interests first, helping people live their best financial lives while protecting their privacy and financial information and complying with all applicable laws and regulations. If you have any questions, please contact your Bank of America Merrill Lynch representative.