a.    The activities of auditors and investment bankers may involve processing personal data without the consent or knowledge of the individual.  This is permitted by the Notice, Choice, and Access Principles under the circumstances described below.  

b.    Public stock corporations and closely held companies, including Privacy Shield organizations, are regularly subject to audits.  Such audits, particularly those looking into potential wrongdoing, may be jeopardized if disclosed prematurely.  Similarly, a Privacy Shield organization involved in a potential merger or takeover will need to perform, or be the subject of, a “due diligence” review.  This will often entail the collection and processing of personal data, such as information on senior executives and other key personnel.  Premature disclosure could impede the transaction or even violate applicable securities regulation.  Investment bankers and attorneys engaged in due diligence, or auditors conducting an audit, may process information without knowledge of the individual only to the extent and for the period necessary to meet statutory or public interest requirements and in other circumstances in which the application of these Principles would prejudice the legitimate interests of the organization.  These legitimate interests include the monitoring of organizations’ compliance with their legal obligations and legitimate accounting activities, and the need for confidentiality connected with possible acquisitions, mergers, joint ventures, or other similar transactions carried out by investment bankers or auditors.