Privacy Policy PricewaterhouseCoopers GmbH Wirtschaftsprüfungsgesellschaft

Data protection information in accordance with Articles 13 and 14 of the EU General Data Protection Regulation (GDPR) relating to services by PwC

This privacy notice is directed to our clients and customers, our contact persons and contact persons for clients and customers, our service providers and contact persons for our service providers as well as PwC's other business contacts.

You have a business relationship with PwC because either you or your employer is a client or prospective client of PricewaterhouseCoopers GmbH Wirtschaftsprüfungsgesellschaft ("PwC"), or because you have had business contact with PwC or PwC employees, for example, at events, pitch presentations, or in other ways, and we have received your contact details from you in this context.

This privacy notice describes how PwC processes your personal data in the context of providing tax advisory, management consulting, audit services or other engagements. Furthermore, we inform you about how PwC processes the personal contact data of clients, contact persons, and other business contacts for the establishment, maintenance, and continuation of business relationships.

In this document, the term "personal data" means personal data as defined in Article 4 (1) GDPR. It means any information relating to a (natural) person by means of which that person can be directly or indirectly identified.

The following privacy notice aims to provide you with an understandable, transparent and concise explanation of how we intend to process your data. However, should you require further explanations relating to data protection at PwC, please do not hesitate to contact our data protection officer at DE_Datenschutz@pwc.com or via the alternative channels specified below.

1. Controller

The controller within the meaning of Article 4 (7) EU General Data Protection Regulation (GDPR) which is responsible for the processing of your personal data is:

PricewaterhouseCoopers GmbH Wirtschaftsprüfungsgesellschaft
Friedrich-Ebert-Anlage 35-37
60327 Frankfurt am Main

Email: DE_Kontakt@pwc.com
Phone: +49 69 9585-0
Fax: +49 69 9585-1000

2. Data protection officer

PwC has appointed a data protection officer pursuant to Article 37 GDPR. You can contact PwC's data protection officer, Dr. Tobias Gräber, at the following contact details:

Email: DE_Datenschutz@pwc.com
Phone: +49 69 9585-0

Postal address:

PricewaterhouseCoopers GmbH WPG
Dr. Tobias Gräber, Datenschutzbeauftragter
Friedrich-Ebert-Anlage 35-37
60327 Frankfurt am Main

3. Purposes and legal basis for processing

PwC uses IT systems for the purposes of data processing listed below, in which your personal data is managed, stored, and further processed.

Automated decision-making or profiling does not take place.

PwC processes your personal data for the following purposes:

• 3.1 Data processing for the purpose of initiating and performing contracts

PwC processes your personal data to carry out of pre-contractual measures (such as preparing offers, performing internal pre-contractual compliance checks or setting up contracts) as well as to provide the contractually agreed services, including the project administration and billing. The legal basis for processing is Article 6 (1) (b) GDPR, and for certain engagements (particularly audits of the annual financial statements) also Article 6 (1) (c) GDPR. 

In this context, your contact details such as name, address, telephone number, and e-mail address are processed.

PwC uses IT systems to process inquiries and engagements in which your personal data is stored and managed.

The duration of storage of personal data is determined by the data processing for the purpose of record-keeping, documentation, and archiving described below.

If you yourself have not personally mandated PwC, we most likely received your contact data from your employer, our customer, who has named you as the contact person within in the company. In this case, the processing of your personal data is carried out based on Article 6 (1) (f) GDPR, as a legitimate interest in the processing exists. PwC is obliged by contract with its client to provide the commissioned service. In order to provide those services, the information of clients and client’s contact persons must be processed. This constitutes a legitimate interest of PwC in processing this data. The same applies in the case of preparing offers.

In the context of certain engagements (particularly audits of the annual financial statements), processing is also carried out on the basis of Article 6 (1) (c) GDPR as PwC is sometimes required by law to process data for the annual audit.

If you yourself are a client of PwC, further personal data about you will be processed as part of the engagement processing, insofar as this is necessary for the provision of the agreed service. This may include, in particular, bank and payment data, as well as other information about your personal, professional, and financial circumstances, insofar as these are relevant for the fulfillment of the engagement by PwC and you provide us with this information in accordance with the contract concluded with PwC.

In this case, the legal basis for the processing of your data by PwC is Article 6 (1) (b) GDPR because the processing is necessary for the fulfillment of the contract concluded between you and PwC. 

Please note that according to PwC’s General Engagement Terms, the client is obliged to provide PwC with all documents and information necessary for the execution of the engagement. If and to the extent that the necessary information is not provided, the processing of your engagement and the fulfillment of the agreed service by PwC is not possible or only possible to a limited extent.

• 3.2 Data Processing for the Purpose of Collaboration with Clients via Digital Applications

PwC offers you the opportunity to collaborate directly with PwC employees in tools and documents via digital collaboration tools and their sharing functions, e.g., to work on a document with several users at the same time. If your company is enabled to use this functionality, a PwC employee can authorize you for such collaboration and invite you as a visitor by e-mail. After completing a confirmation and authentication process, you will be authorized for access and collaboration in one or more documents. Depending on the document settings, you can then comment directly in the document and make suggestions for changes.

In this context, the following personal data is processed:

• Your first and last name and your professional e-mail address
• Your individual PIN numbers or other identifiers for authentication and authorization
• The comments and notes you add during collaboration
• The data in the document history, showing which user made changes to the document at what time

The legal basis for processing is Art. 6 (1) (f) GDPR. PwC has a legitimate interest in improving collaboration with its clients and customers in the digital space by offering sharing settings in collaboration tools. As a professionally regulated company, PwC is also subject to extensive documentation and due diligence obligations. When several authors collaborate on a document, we must be able to permanently trace the creation of a document and the decisions underlying the creation process. All documents archived by us to fulfill legal retention obligations therefore always contain a change history that transparently shows the time and content of changes.

As a rule, entries by authors who were authorized as visitors to the document are no longer listed by name after the authorization expires. If, in individual cases, a formerly authorized visitor is still named in the change history, this information is also archived beyond the fulfillment of legal retention and archiving obligations in order to safeguard our legitimate interests as described. The legal basis is therefore Art. 6 (1) (f) GDPR.

The personal data processed in the context of collaboration in a document are subject to the same retention and documentation obligations as the documents themselves. This means that, for example, the personal data in the document history, if still contained in the document after the authorization expires, as well as the content of the comments, are subject to a retention obligation of up to ten years.

3.3 Data processing for the purpose of procurement and use of services

If you or your employer are a service provider to PwC, we process your personal data (in particular your contact details such as name, address, and telephone and e-mail contact) for the initiation, conclusion, and execution of services that PwC obtains from you or your employer. The processing of your contact details is based on Art. 6 (1) (b) GDPR for the fulfillment of a contract concluded with you personally, or on the basis of a legitimate interest within the meaning of Art. 6 (1) (f) GDPR if your employer provides services for us.

3.4 Data processing for purposes of record-keeping, documentation and archiving

PwC is legally obliged to proper record-keeping and extensive documentation of its mandates and engagements. These records and documentation must also be retained and stored for statutory retention periods after completion of an engagement or mandate. In addition, PwC is subject to further statutory documentation and retention obligations, which are based, among other things, on tax, accounting, or commercial and corporate law requirements for companies. 

The documents, work results, and related client correspondence to be documented also contain personal data, so these are also part of the record-keeping and archiving.

Record-keeping, documentation, and archiving of mandate documents at PwC are carried out in PwC’s IT systems, and in some cases also in the form of paper files. This processing is based on Art. 6 (1) (c) GDPR; PwC fulfills legal obligations from professional law, tax law, and commercial and corporate law with record-keeping, documentation, and archiving.

3.5 Data processing for marketing and advertising purposes

PwC also uses your contact data, (particularly name, address, e-mail address) to obtain customer feedback or to send you information about other PwC offers or events.

This processing is based on a legitimate interest of PwC within the meaning of Art. 6 (1) (f) GDPR, unless other applicable laws require consent. PwC has a legitimate economic interest in informing customers and clients about additional offers and events in order to cultivate and maintain long-term customer relationships.

3.6 Data processing for the purpose of managing business contacts

If PwC has received your contact details in the context of a business event or other business meeting (e.g., by exchanging business cards) or in the context of an engagement, we also use your contact details (in particular name, address, e-mail address) to maintain our business contacts. For this purpose, we transfer your contact details to the CRM system (Customer Relationship Management System) we use.

Such processing is carried out based on a legitimate interest of PwC within the meaning of Article 6 (1) (f) GDPR. PwC has a legitimate economic interest in cultivating business contacts beyond the initial contact and using them to build a customer relationship and to stay in touch with the data subjects.

3.7 Data Processing in the Context of the Use of IT Systems

PwC uses, develops, and continuously optimizes its internal systems and processes, including the use of AI ("artificial intelligence")-based software solutions. In the context of the use of the aforementioned processes and systems, especially in the optimization and improvement of AI solutions, personal data may also be used. The improved solutions serve to increase the efficiency of internal processes, in particular to automate and accelerate workflows within our company. 

This processing is based on a legitimate interest of PwC within the meaning of Art. 6 (1) (f) GDPR. PwC has an economic interest in optimizing internal processes through the use and further development of AI technologies, in order to continuously improve service quality and efficiency for customers and clients.

4. Categories of recipients of and transfers to third countries

In the context of providing the services you have commissioned, data is transferred to third parties; this may also include the transfer of personal data to European and non-European countries and the storage of data outside the EU.

Specifically, data is transmitted to the following categories of recipients:

4.1 Data transfer to public authorities, courts or other bodies

Depending on the type of engagement, the provision of the service by PwC may require the transfer of information, work results, and documents to authorities, courts, or other public or private bodies in order to process the engagement. If the commissioned service involves a foreign jurisdiction, these may also include bodies located outside Germany. 

PwC will also transfer personal data to public authorities, courts or other bodies in those cases where it is required by law or by administrative or court order to turn personal data over to public authorities, courts or other bodies.

4.2 Engagement-related cooperation with other member firms of the PwC network

PricewaterhouseCoopers GmbH WPG is a member of the global PwC network, which consists of individual legally independent and separate PwC firms.

If necessary for the provision of the commissioned service, collaboration with other firms from the global PwC network takes place. This may be the case if the engagement has an international dimension or for other reasons requires the expertise of a colleague from another (foreign) PwC network firm.

Insofar as the transfer is made to a member firm of the PwC network established outside the European Economic Area, an adequate level of data protection is ensured by the use of EU Commission’s standard contractual clauses pursuant to Article 46 (2) (c) GDPR. The member firms of the PwC network have entered into an internal data protection agreement which provides compliance with the EU standard contractual clauses laid down by the EU Commission when transferring personal data from EU/EEA member states to other member firms.

4.3 Data transfer to PwC network-internal service providers

In the context of its work, PwC also uses other German or foreign-established member firms of the PwC network as network-internal IT service providers to provide services for the operation, service and maintenance of the IT systems and applications used by the member firms of the PwC network.

PwC also uses network-internal Service Delivery Centers (SDCs), which support other member firms of the PwC network in the administrative organization and settlement of customer orders and engagements. These include, for example, the creation and review of invoices, layout and design, editing, translation services, and other engagement-related services. SDCs are located in Germany, Poland and Argentina, among other places.

Insofar as the transfer is made to a member firm of the PwC network established outside the European Economic Area, an adequate level of data protection is ensured by using standard contractual clauses laid down by the EU Commission within the meaning of Article 46 (2) (c) GDPR. The PwC network firms have concluded an internal data protection agreement that provides for compliance with the EU standard contractual clauses for the transfer of personal data from EU/EEA countries to other firms.

4.4 Data transfer to external IT service providers

PwC also uses external IT service providers.

General IT service providers: PwC uses external IT service providers who provide general IT services or IT systems utilized by the whole business and for each engagement. This includes, for example, operating systems for internal and external (e-mail) communication.

Specialized and engagement-related IT service providers: In addition, PwC sometimes uses external providers who offer specialized applications for tax advisors, auditors, and/or lawyers in the context of engagement related processing. 

If the IT service providers are foreign cloud service providers, the data is stored in the service provider's data centers within and outside the EU. The level of data protection required under EU data protection law is contractually ensured by agreeing to the EU standard contractual clauses (EU Model Clauses). 

If it is not possible to ensure an adequate level of data protection comparable to that within the EU under the GDPR in individual cases, a transfer is only permitted with your express consent.

5. Rights of data subjects/your rights under data protection law

Under the applicable data protection law you have the following rights with respect to your personal data.

Right of access:

You can request information from PwC at any time as to whether and which personal data about you is stored at PwC. PwC is required to provide this information to you free of charge.

The right of access does not exist or only to a limited extent if and to the extent that the information would disclose confidential information, e.g., information subject to professional secrecy.

Right to rectification:

If your personal data stored at PwC is incorrect or incomplete, you have the right to request the correction of this data from PwC at any time.

Right to erasure:

You have the right to demand that PwC erase your personal data if and to the extent that the data is no longer needed for the purposes for which it was collected or if the data is processed on the basis of your consent and you have opted to revoke your consent. In such cases, PwC must cease processing your personal data and remove that data from its IT systems and databases.

The right to erasure does not apply if

• the data may not be deleted due to a statutory obligation or must be processed due to a statutory obligation;
• the processing of data is necessary for the establishment, exercise or defense of legal claims.

Right to restriction of processing:

You have the right to request that PwC restrict the processing of your personal data.

Right to data portability:

You have the right to receive from PwC the data provided by you in a structured, commonly used, machine-readable format as well as the right to have these data transmitted to a different controller. 

This right exists only if

• you have provided us with the data on the basis of consent or a contract concluded with you;
• and the processing is carried out by automated means.

Right to object to processing:

If your data is processed by PwC on the basis of Article 6 (1) (f) GDPR, you have the right to object at any time to processing by PwC.

Processing on the basis of Article 6 (1) (f) GDPR applies, for example, if your employer is a client of PwC and has provided us with your data as a contact person in your organization, or if PwC uses your contact data to send you information about PwC offers and events.

You may assert any and all of the rights of data subjects described above against PwC by addressing your specific requests via the following contact details: 

By email: DE_Datenschutz@pwc.com

By post:

PricewaterhouseCoopers GmbH WPG
Dr. Tobias Gräber, Datenschutzbeauftragter
Friedrich-Ebert-Anlage 35-37
60327 Frankfurt am Main

6. Right to lodge a complaint with a data protection supervisory authority

Pursuant to Article 77 GDPR, you have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data infringes data protection law.

7. Duration of data storage 

PwC will store and process your personal data for as long as is necessary to fulfill the purposes of processing described in this privacy notice. If your personal data is subject to statutory retention obligations or is part of documents which are subject to statutory retention obligations, PwC will store such data for the duration of the stipulated statutory retention period. 

The retention periods to which PwC is subject to vary and usually cover a period of 6 to 10 years. The main statutory retention periods to which PwC is subject include, among others, the following periods:

Insofar as the relevant data is subject to different retention periods, the longest retention period is decisive. In individual cases, the statutory retention period may also be extended if, for example, the information is required for the establishment, exercise or defense of legal claims, even after the retention period has expired.

8. Information concerning rules of the profession

This privacy notice only informs about the processing of personal data. It has no bearing on duties of confidentiality and non-disclosure under rules of the profession to which PwC and its employees may be subject as tax advisors, auditors and lawyers. These professional obligations apply in full to all data and information that we receive from you in the context of the contractual relationship with you, regardless of whether this information is personal or not.

9. Additional data protection information regarding the processing of special categories of personal data

If you yourself have commissioned PwC to provide a service, PwC will process, in addition to your personal contact details, further personal data about your personal, economic, and/or professional circumstances that you provide to us for the fulfillment of the engagement.

Depending on the nature of the specific engagement, special categories of personal data within the meaning of Article 9 GDPR may be involved in addition to the above-mentioned personal data. This data is particularly protected by data protection law, and the processing of such data is only permitted under special conditions. 

The following notice provides additional information relating to the processing of special categories of personal data by PwC.

9.1 Special categories of personal data

Special categories of personal data are personal data revealing information about the following attributes:

• racial or ethnic origin;
• political opinions (such as receipts from donations to political parties or foundations or receipts for membership fees to such institutions);
• religious or philosophical beliefs (e.g., information about membership in a religious community such as a church tax feature or evidence of donations to religious or philosophical organizations);
• trade union membership (such as receipts for membership fees or donations to trade unions);
• genetic data;
• biometric data for the purpose of uniquely identifying a natural person (such as fingerprints or biometric photos);
• data concerning health (such as information about payments from disability or health insurance; information about a severe disability; or medical bills/private health insurance statements);
• data concerning a natural person's sex life or sexual orientation (this could for example be information about marital status, such as information about a same-sex registered life partnership same-sex marriage/partnership).

These are particularly sensitive pieces of information that are subject to a higher level of protection than other personal data. In order to process personal data of this type, we require your consent.

The Processing is therefore based on your consent within the meaning of Article 6 (1) (a) in conjunction with Article 7 GDPR:

By signing the contract and providing such sensitive personal data to PwC, you express your consent to the data processing by PwC for the purpose of carrying the specific engagement and thus grant your consent under data protection law.

Consent to data processing is voluntary and may be withdrawn by you at any time with effect for the future. 

If you wish to withdraw your consent to the processing of special categories of personal data by PwC, you can do so by sending your withdrawal to the following contact details:

Email: DE_Datenschutz@pwc.com

By post:

PricewaterhouseCoopers GmbH WPG
Dr. Tobias Gräber, Datenschutzbeauftragter
Friedrich-Ebert-Anlage 35-37
60327 Frankfurt am Main

Please be advised that if you withdraw your consent, PwC will not be able to process your engagement and perform the agreed services at all or may only be able to do so to a limited extent.