Data protection information in accordance with Art. 13, 14 General Data Protection Regulation (GDPR) for PwC's payroll services
PricewaterhouseCoopers GmbH Wirtschaftsprüfungsgesellschaft ("PwC") provides payroll services to its clients and customers. These services include, among other things, the execution of payroll accounting, the preparation of monthly reports for wage tax and social security and the preparation of corresponding payroll statements concerning employees of our clients and customers. In doing so, PwC processes personal data of these employees.
This data protection information is directed towards the employees of PWC's clients and customers who receive a salary statement. This privacy policy describes how PwC processes your personal data in connection with the provision of payroll services.
"Personal data" in this document means personal data as defined in Art. 4 No. 1 GDPR. This is any information relating to a natural person and with which this person can be directly or indirectly be identified.
The following privacy policy should explain to you in a comprehensible, transparent and clear manner how your data is processed by us. Nevertheless, should you have any questions about the content of this policy or other queries regarding data protection at PwC, you are welcome to contact our data protection officer Dr. Tobias Gräber at DE_Datenschutz@pwc.com or via the other contact details provided below.
Controller
The Controller within the meaning of Art 4 No. 7 GDPR which is responsible for the processing of your personal data is:
PricewaterhouseCoopers GmbH Wirtschaftsprüfungsgesellschaft
Friedrich-Ebert-Anlage 35-37
60327 Frankfurt am Main
Email: webkontakt_anfragen@de.pwc.com
Phone: +49 69 9585-0
Fax: +49 69 9585-1000
Data protection officer
PwC has appointed a data protection officer pursuant to Art. 37 GDPR. You can contact the PwC data protection officer, Dr Tobias Gräber, using the following contact details:
Email: DE_Datenschutz@pwc.com
Post address:
PricewaterhouseCoopers GmbH WPG
Dr. Tobias Gräber, Datenschutzbeauftragter
Friedrich-Ebert-Anlage 35-37
60327 Frankfurt am Main
Phone number: +49 69 9585-0
Purpose of data processing and legal basis for the processing
Data processing for the purpose of preparing your payroll
PwC processes your personal data for the purpose of providing payroll services to your employer, especially for the preparation for your salary statement. The personal data required for this purpose (including your name, address, date of birth, tax class and tax identification number, amount of remuneration and information on your bank account and other details required for payroll purposes) are transferred to PWC by your employer and processed by PwC for the purpose of preparing your payroll.
The personal data processed may also include special categories of personal data. Special categories of personal data include information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, as well as data concerning health, sex life or sexual orientation of a natural person. In the context of preparing payroll accounts, religious affiliation (payment of church tax) and health information (e.g. sick pay in case of illness) may be affected in particular.
In this case, your personal data will be processed on the basis of Art 6 para. 1 lit. f) GDPR, as there is a legitimate interest for the processing. On the basis of a contract with its client, PwC is obliged to provide the commissioned service of preparing the payroll for its employees. In order to provide this service, it is necessary to process the personal data of the employees concerned. This constitutes a legitimate interest of PwC in processing these data.
The processing of special categories of personal data is carried out on the legal basis of Art. 9 para. 2 lit. g) GDPR in conjunction with § 11 para. 2 of the Steuerberatungsgesetz (StBerG, the German Tax Consultancy Act)
PwC uses IT systems in which your personal data are stored and managed for the preparation of payroll accounts.
No automated decision making or profiling takes place.
Data processing for the purpose of record keeping, documentation and archiving
PwC is required by law to keep proper records and to document its mandates and engagements comprehensively. These files and documentation must also be kept and stored after completion of an engagement or mandate for retention periods specified by law. In addition, PwC is subject to further statutory documentation and retention obligations, which are based, among other things, on tax regulations, accounting or commercial and corporate law requirements for companies.
Files to be documented, work results as well as associated mandate-related correspondence also contain personal data, so that these are also part of record keeping and archiving. The record keeping, documentation and archiving of client documents at PwC takes place in PwC's IT systems and in some cases additionally in the form of paper files.
Legal basis for this processing is Art. 6 para. 1 lit. c) GDPR. By managing, documenting and archiving files, PwC fulfils legal obligations arising from laws such as professional, tax, commercial and corporate laws.
Categories of recipients of data and transfers to third countries
As part of the service of preparing payrolls and salary statements, data is transferred to third parties. This may include the transfer of personal data to European and non-European countries and the storage of data outside the EU.
In detail, data is transferred to the following categories of recipients:
Your employer
The personal data processed in the course of payroll preparation, the results of the processing, and the prepared payroll statements are transmitted to your employer.
Data transfer to authorities, courts or other entities
Depending on the nature of the specific engagement, the provision of services by PwC may also require the transfer of information, work results and documents to authorities, courts or other public or private bodies in order to process the engagement. If the commissioned service has a foreign reference, this may also include foreign entities.
In particular, when providing payroll services, we transfer personal data to relevant tax authorities, social security institutions and health insurance companies.
In addition, PwC will transfer personal data to authorities, courts or other entities if PwC is required by law or by order of authorities or courts to disclose personal data to authorities, courts or other entities.
Contract-based cooperation with other PwC network firms
PricewaterhouseCoopers GmbH WPG is a member of the global PwC network, which consists of several individual legally separate and independent PwC firms. To the extent necessary for the provision of the commissioned service, cooperation takes place with other companies from the global PwC network. This may be the case if the engagement has an international relevance or requires the expertise of a colleague from another (foreign) PwC network firm for other reasons. This may be the case if you are staying abroad or have been seconded to a foreign country and therefore PwC has been engaged to fulfil both national and international billing and declaration obligations. In these cases, we regularly involve those members of the PwC network in the country where you are or were staying.
Insofar as this transfer is made to a network company outside the European Economic Area, an adequate level of data protection is guaranteed by using standard contractual clauses of the EU Commission in terms of Art. 46 para. 2 lit. c) GDPR. The PwC network companies have concluded an internal data protection agreement which stipulates compliance with the EU standard contractual clauses of the EU Commission for the transfer of personal data from EU/EEA countries to other companies.
The EU standard contractual clauses can be found at https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:DE:PDF
Data transfer to PwC network internal service providers
As part of its activities, PwC uses other German or foreign PwC network companies as internal IT service providers for the operation, maintenance and servicing of the IT systems and applications used by the PwC network companies.
This primarily relates to PwC IT Services Ltd. based in the UK.
In addition, PwC uses internal network Service Delivery Centers (SDC), which support other PwC companies in administrative organisation and processing of client assignments and mandates. This includes, for example, the preparation and checking of invoices, layout and design, editing, translation services and other engagement-related services. SDCs are located in Germany, Poland and Argentina, among others.
Insofar as this transfer is made to a network company outside the European Economic Area, an adequate level of data protection is guaranteed by the use of standard contractual clauses of the EU Commission in terms of Art. 46 (2) lit. c) GDPR. The PwC network companies have concluded an internal data protection agreement which stipulates compliance with the EU standard contractual clauses of the EU Commission for the transfer of personal data from EU/EEA countries to other companies.
The EU standard contractual clauses can be found at https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:DE:PDF
Data transfer to external IT service providers
PwC also uses external IT service providers.
- General IT service providers: PwC uses external service providers for general IT services or IT systems that are used in the context of every mandate. This includes, for example, operating the system for internal and external (e-mail) communication.
- Specialist IT service providers and IT systems used for specific engagements: In addition, PwC sometimes uses external service providers for specific applications for tax advisors, auditors and/or lawyers.
Insofar as the IT service providers are foreign cloud service providers, the data is stored in the service provider's data centers inside and outside the EU. The adequate level of data protection required by EU data protection law is contractually guaranteed by agreeing to the EU standard contractual clauses (EU Model Clauses). More information on the cloud service providers used by PwC can be found at the following link: www.pwc.de/externe-dienstleister.
In individual cases, if an adequate level of data protection comparable to that within the EU in accordance with the GDPR cannot be guaranteed, a transfer is only permitted with your explicit consent.
Data subjects' rights/your rights under data protection law
You have the following rights against PwC under the applicable data protection legislation with regard to the personal data concerning you.
Right of access: You may request information from PwC at any time as to whether PwC has stored your personal data and which personal data it has stored. The provision of information by PwC is free of charge for you.
The right of access does not exist or is subject to limitations if and to the extent that confidential information, such as information that is subject to professional secrecy, is disclosed.
Right of rectification: If your personal data stored by PwC is incorrect or incomplete, you have the right to demand at any time that PwC rectify this.
Right to erasure: You have the right to demand that PwC erase your personal data if and to the extent that the data is no longer needed for the purposes for which it was collected or, if the data is processed on the basis of your consent and you have withdrawn your consent.
In such cases, PwC must cease processing your personal data and remove it from its IT systems and databases.
There is no right to erasure, if
- the data may not be deleted due to a statutory obligation or must be processed due to a statutory obligation;
- the processing of data is necessary for the establishment, exercise or defence of legal claims.
Right to restriction of processing: You have the right to request that PwC restricts the processing of your personal data.
Right to data portability: You have the right to receive from PwC the data you provided in a structured, commonly used, and machine-readable format as well as the right to have this data transmitted to another controller. This right exists only if
- you have provided us with the data on the basis of consent or an agreement entered with you;
- the processing is carried out automated means
Right to object to processing: If the processing of your data by PwC is based on Art. 6 para. 1 lit. f) GDPR, you may object at any time to processing by PwC.
Processing on the basis of Art. 6 para. 1 lit. f) GDPR takes place, for example, if your employer is a client of PwC and has provided us with your data as a contact person in your company.
You can exercise all the rights of data subjects described above against PwC by sending your specific request to the following contact details:
By Email: DE_Datenschutz@pwc.com
By mail:
PricewaterhouseCoopers GmbH WPG
Dr. Tobias Gräber, Datenschutzbeauftragter
Friedrich-Ebert-Anlage 35-37
60327 Frankfurt am Main
Right to lodge a complaint with a data protection supervisory authority
In accordance with Art. 77 GDPR, you have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data infringes data protection law.
Duration of data storage
PwC will store and process your personal data for as long as it is necessary in order to fulfil the processing purposes as described in this privacy policy. If your personal data is subject to statutory retention obligations or is part of documents that are subject to statutory retention obligations, PwC will store this data for the duration of the statutory retention period.
The retention periods which PwC is subject to vary in length and usually cover a period of six to ten years. The following periods are among the main statutory retention obligations which PwC must adhere to:
| Type of document | Retention period |
|---|---|
| client files of auditors | 10 years from the end of the calendar year in which the engagement ends |
| client files of attorneys | 6 years from the end of the calendar year in which the engagement ends |
| Booking vouchers | 10 years |
| Commercial or business letters received and copies of commercial or business letters sent | 6 years |
| Other documents relevant for taxation | 6 years |
If the affected data are subject to different retention periods, the longest retention period is decisive in each case. In individual cases, the legally required retention period may be extended if, for example, the information is required for the assertion, exercise or defence of legal claims even after the retention period has expired.
