In the course of providing services to clients, PwC and its subsidiaries may use the services of the following cloud service providers. Please note that the list of cloud service providers may be extended at any time if required:
PwC GmbH WPG places particularly high demands on data and information security and the protection of the confidentiality of all information obtained in the course of our professional activities.
As one of the companies listed in §§ 27 ff. Wirtschaftsprüferordnung (WPO) (German Act on the Code of Professional Practice for German Public Auditors), we must maintain secrecy about all knowledge acquired in the course of our professional activities in accordance with § 43 Para. 1 WPO. This applies both to the auditors employed by us and to all other employees of the auditing company. The details of this general standard are set out in the Professional Charter for Professional Accountants in Public Practice. According to § 9 of this professional statute, which is issued by the Chamber of Public Accountants on a statutory basis and is binding for all public accountants, public accountants may not, in particular, disclose without authorization facts and circumstances which are entrusted to or known to them in the course of their professional activities. This applies not only to external third parties but also to PwC colleagues who are not directly involved in the respective assignment. In addition, § 10 of the Professional Charter prohibits the exploitation of professional secrets acquired in this way.
The statutory duty of confidentiality extends to all employees of our company. Each employee is separately bound to secrecy in their employment contract in accordance with § 50 WPO, and this obligation continues after they leave the services of our company.
Violation of the statutory duty of confidentiality is a punishable offence under Section 203 of the German Criminal Code. Violations of professional secrecy are also sanctioned by the Wirtschaftsprüferordnung (German Act on the Code of Professional Practice for German Public Auditors) and in serious cases may even result in exclusion from the profession of public auditor (§§ 67 ff. WPO).
In addition to the professional law, which is more specific in many respects, our company naturally also ensures compliance with the provisions of the General Data Protection Regulation (GDPR) and the new German Federal Data Protection Act (BDSG neu). In particular, all data is protected with the necessary technical and organizational security measures in accordance with Art. 32 GDPR. In addition, each employee we hire is bound by a separate obligation in their employment contract to maintain data secrecy, which continues even after leaving the services of our company.
For this reason, the topics of data security and data protection are particularly important to us and we train our employees regularly.
PwC GmbH WPG is a member of the global PwC network, which consists of the individual legally independent PwC companies.
In addition to the legal requirements of German professional law and data protection law, which PwC GmbH WPG, as a legally independent company, has to guarantee on its own responsibility, the network-wide standards for information and data security also apply to PwC GmbH WPG. These PwC network standards for information and data security are internal guidelines that define a uniform, high level of information and data security throughout the network beyond the legal obligations of the respective PwC companies.
Our global information security policy for the PwC network is based on the recommendations of ISO/IEC 27002. All companies in the PwC network have undertaken to comply with the requirements of the information security policy. Compliance is regularly reviewed by the Information Security Compliance Team of the global PwC Risk & Quality Organization.
The Information Security Compliance Team's data security procedures and methods have been independently reviewed by the British Standards Institution (BSI) to ensure compatibility and compliance with ISO/IEC 27001. Annual audits are carried out by the BSI.
Furthermore, we have had the entire IT division of the German PwC companies, including all the services it offers, certified in accordance with ISO/IEC 27001. This certification is confirmed within the scope of annual audits by the certifier DQS.
PwC GmbH WPG uses Google services for internal communication, for communication with clients, and as a platform for internal collaboration. The cloud services used by PwC GmbH WPG essentially include the Google G Suite applications for e-mail traffic, scheduling and video conferencing, as well as applications for collaboration between PwC employees (word processing, spreadsheets and presentations for joint editing) and for shared file storage.
The use of Google services does not affect the storage and archiving of client files and other mandate-related documents, records and information of the PwC GmbH WPG. Such documents are not transferred to Google cloud services, but remain stored unchanged on the systems and servers of PwC's own data centres in Germany.
The use of Google cloud services as part of client work is limited to contact data (name and e-mail address) and e-mail communication with clients.
The use of Google services by PwC GmbH WPG ensures a high level of data protection in accordance with the legal requirements of the GDPR.
Art. 44 GDPR requires that an adequate level of data protection be safeguarded for the processing and storage of data in data centres outside the EU. Since not every country has a level of data protection comparable with German and EU law, Art. 44 GDPR stipulates that an adequate level of data protection must be guaranteed when data is transferred to such countries.
For the use of the Google cloud services by PwC GmbH WPG, an adequate level of data protection within the meaning of Art. 44 GDPR is guaranteed by utilizing the EU standard contractual clauses (EU Model Clauses) developed by the EU Commission, which have been agreed upon pursuant to Art. 46 (2) (c) in conjunction with Art. 46 (5) sentence 2 GDPR.
The EU standard contractual clauses are a recognised means of contractually ensuring an adequate level of data protection for data transfers outside Europe. These contain the requirements of European data protection law in the form of contractual clauses and may not be changed by the contracting parties without prior approval by the EU Commission.
The EU Model Clauses used by Google can be found under the following link: https://cloud.google.com/terms/eu-model-contract-clause.
For the EU standard contractual clauses used by Google for the Google Cloud Platform and for the application programs of Google G Suite, there is a so-called Common Opinion of the Art. 29 Working Party (the association of European data protection supervisory authorities), which confirms conformity with the requirements of EU data protection law.
In addition, technical and organisational measures to ensure data security have been contractually agreed which comply with the requirements of Art. 32 GDPR. Compliance with the technical and organisational measures is proven by recognised certificates and is subject to regular monitoring by PwC GmbH WPG.
In addition, the special professional confidentiality obligations to which PwC GmbH WPG as an auditing company is subject in addition to data protection law are also reflected in the contracts with Google. In particular, rights to issue instructions were agreed and strict confidentiality obligations were imposed.
Data in transit and data at rest are encrypted on Google systems in Google data centers. These are globally organized and are characterized by high security standards and the use of modern encryption technology (e.g. HTTPS/TLS/PFS).
Among other things, all data and information is broken down into small parts, additionally encrypted and stored distributed over the data center infrastructure. Access to plain data or even the use of data by Google or its system administrators in the respective data centers is explicitly excluded by contract.
This and further information on IT security can be found at https://cloud.google.com/security/
Google currently maintains data centers in the Netherlands, Finland, Belgium, Ireland, Taiwan, Singapore and the USA. The directory of all data centers is published and updated on Google's homepage at https://www.google.com/about/datacenters/inside/locations/index.html.
The Google infrastructure, services and operations are regularly audited by external independent certification bodies, and the high IT security standards are audited and confirmed by internationally recognized certificates. Google publishes the ISO certificates and the SOC 3 audit report on its website (https://cloud.google.com/security/compliance) and updates these at regular intervals. The most important certifications available to Google with regard to data security and data protection include ISO 27001, ISO 27017 and ISO 27018.
All communication and data traffic within the PwC Google domain is encrypted with TLS (in transit) and AES-256 (at rest). Forward Secrecy is also supported. This ensures that a broken key can never be used to decrypt future communication or data. External data traffic (mail, calendar entries and attachments) with TLS-enabled recipient systems can also be encrypted automatically, in consultation with your IT department.
Google supports compliance with legal retention requirements systemically and provides tools and processes to ensure that data and e-mails are held in accordance with legal requirements. At the end of the retention period, both e-mails and data are irretrievably deleted immediately, and no later than 30 days after the end of the retention period.
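The TLS encryption of external mail traffic described above can be verified from the receiving side. The following is an added example, not part of the original page and not PwC's or Google's code: a small Python check that an IT department could run against its own mail server to confirm that STARTTLS is offered and that the client side only accepts TLS 1.2 or later with an ephemeral key exchange (the hostname `mail.example.com` is a placeholder). Forward secrecy, in this sense, means that a later compromise of a server's long-term private key does not expose sessions that were recorded earlier.

```python
"""Added example (not PwC's or Google's code): verify that an SMTP connection
upgrades to TLS with a forward-secret key exchange."""
from __future__ import annotations

import smtplib
import ssl


def is_forward_secret(cipher_name: str) -> bool:
    """True for suites with an ephemeral key exchange: every TLS 1.3 suite
    (OpenSSL names start with "TLS_") and TLS 1.2 suites using (EC)DHE."""
    return cipher_name.startswith(("TLS_", "ECDHE-", "DHE-"))


def hardened_client_context() -> ssl.SSLContext:
    """Client context with certificate verification on, TLS 1.2 as the
    minimum version, and only (EC)DHE AEAD suites enabled for TLS 1.2.
    TLS 1.3 suites are unaffected by set_ciphers and are always forward secret."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


def non_forward_secret_ciphers(ctx: ssl.SSLContext) -> list[str]:
    """Names of enabled suites in ctx that lack forward secrecy.
    For the hardened context this list is expected to be empty."""
    return [c["name"] for c in ctx.get_ciphers() if not is_forward_secret(c["name"])]


def probe_smtp_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to a mail server, upgrade with STARTTLS using the hardened
    context and report the negotiated protocol and cipher suite.
    This performs a network connection and is not exercised offline."""
    ctx = hardened_client_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            # Server does not offer STARTTLS: mail to it would go in the clear.
            return {"host": host, "starttls": False}
        smtp.starttls(context=ctx)  # raises ssl.SSLError if no acceptable suite
        smtp.ehlo()
        name, version, bits = smtp.sock.cipher()
        return {
            "host": host,
            "starttls": True,
            "version": version,
            "cipher": name,
            "bits": bits,
            "forward_secret": is_forward_secret(name),
        }


if __name__ == "__main__":
    import sys

    # Placeholder hostname; pass your own mail server's MX host as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"
    print(probe_smtp_starttls(target))
```

A result with `"starttls": False`, or an `ssl.SSLError` raised during the upgrade, means the recipient system cannot be reached with a forward-secret TLS 1.2+ connection and mail to it would have to be encrypted by other means.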