Categories of recipients of data and transfers to third countries
In the context of providing the services you have commissioned, data is transferred to third parties; this may also include the transfer of personal data to European and non-European countries and the storage of data outside the EU.
Specifically, data is transmitted to the following categories of recipients:
- Data transfer to public authorities, courts or other bodies
Depending on the nature of the specific engagement, the provision of services by PwC may also make it necessary for PwC to transfer information, work products and documents to public authorities, courts or other public or private bodies in order to process the engagement. If the commissioned service involves a foreign jurisdiction, these may also include bodies located outside Germany.
PwC will also transfer personal data to public authorities, courts or other bodies in those cases where it is required by law or by administrative or court order to turn personal data over to public authorities, courts or other bodies.
- Engagement-related cooperation with other member firms of the PwC network
PricewaterhouseCoopers GmbH WPG is part of the global PwC network of member firms, each of which is a separate and independent legal entity.
If the provision of the commissioned services so requires, it works together with other member firms of the global PwC network. This may be the case if the engagement involves a foreign jurisdiction or if for some other reason the expertise of a colleague from another (foreign) member firm of the PwC network is required.
Insofar as the transfer is made to a member firm of the PwC network established outside the European Economic Area, an adequate level of data protection is ensured by using standard contractual clauses laid down by the EU Commission within the meaning of Article 46 (2) (c) GDPR. The member firms of the PwC network have entered into an internal data protection agreement which provides for compliance with the EU standard contractual clauses laid down by the EU Commission when transferring personal data from EU/EEA member states to other member firms.
The EU standard contractual clauses may be accessed at https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:EN:PDF.
- Data transfer to PwC network-internal service providers
In the context of its work, PwC also uses other German or foreign-established member firms of the PwC network as network-internal IT service providers to provide services for the operation, service and maintenance of the IT systems and applications used by the member firms of the PwC network.
For the most part, this involves PwC IT Services Ltd. established in the UK.
PwC also uses network-internal Service Delivery Centers (SDCs), which provide support services to the other member firms of the PwC network in the area of organization and settlement of customer orders and engagements. These support services include, for example, billing, layout and design, proofreading, translation and other services related to the engagement. SDCs are located in Germany, Poland and Argentina, among other places.
Insofar as the transfer is made to a member firm of the PwC network established outside the European Economic Area, an adequate level of data protection is ensured by using standard contractual clauses laid down by the EU Commission within the meaning of Article 46 (2) (c) GDPR. The member firms of the PwC network have entered into an internal data protection agreement which provides for compliance with the EU standard contractual clauses laid down by the EU Commission when transferring personal data from EU/EEA member states to other member firms.
- Data transfer to external IT service providers
PwC also uses external IT service providers.
- General IT service providers: PwC uses external IT service providers who provide general IT services or IT systems utilized by the whole business and for each engagement. This includes, for example, operating systems for internal and external (e-mail) communication.
- Subject-specific and engagement-specific IT service providers: In addition, PwC in some cases uses external service providers who offer special applications for tax advisors, auditors and/or lawyers.
If the IT service providers are foreign cloud service providers, the data is stored in the service provider's data centers within and outside the EU. An adequate level of data protection as required by EU data protection law is ensured by contractually agreeing the EU standard contractual clauses (EU model clauses). For more information on the cloud service providers PwC uses, see www.pwc.de/externe-dienstleister.
If it is not possible to ensure an adequate level of data protection comparable to that within the EU under the GDPR in a given case, we would only be able to transfer data subject to your prior express consent.
Rights of data subjects/your rights under data protection law
Under the applicable data protection law you have the following rights with respect to your personal data.
Right of access: You may request information from PwC at any time as to whether PwC has stored your personal data and which personal data it has stored. PwC is required to provide this information to you free of charge.
The right of access does not exist or is subject to limitations if and to the extent that confidential information, such as information that is subject to professional secrecy, would be disclosed.
Right to rectification: If your personal data which is stored by PwC is inaccurate or incomplete, you have the right to demand at any time that PwC rectify this.
Right to erasure: You have the right to demand that PwC erase your personal data if and to the extent that the data is no longer needed for the purposes for which it was collected or if the data is processed on the basis of your consent and you have opted to revoke your consent. In such cases, PwC must cease processing your personal data and remove that data from its IT systems and databases.
The right to erasure does not apply if
- the data may not be deleted due to a statutory obligation or must be processed due to a statutory obligation;
- the processing of data is necessary for the establishment, exercise or defense of legal claims.
Right to restriction of processing: You have the right to demand that PwC restrict the processing of your personal data.
Right to data portability: You have the right to receive from PwC the data provided by you in a structured, commonly used, machine-readable format as well as the right to have these data transmitted to a different controller. This right exists only if
- you have made this data available to us on the basis of consent or an agreement entered into with you;
- the processing is carried out by automated means.
Right to object to processing: If your data is processed by PwC on the basis of Article 6 (1) (f) GDPR, you have the right to object at any time to processing by PwC.
Processing on the basis of Article 6 (1) (f) GDPR applies, for example, if your employer is a client of PwC and has provided us with your data as a contact person in your organization, or if PwC uses your contact data to send you information about PwC offers and events.
You may assert any and all of the rights of data subjects described above against PwC by addressing your specific requests via the following channels:
By e-mail: DE_Datenschutz@pwc.com
By post:
PricewaterhouseCoopers GmbH WPG
Dr. Tobias Gräber, Datenschutzbeauftragter
Friedrich-Ebert-Anlage 35-37
60327 Frankfurt am Main
Right to lodge a complaint with a data protection supervisory authority
Pursuant to Article 77 GDPR, you have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data infringes data protection law.
Withdrawal of consent to data processing
Consent to data processing is voluntary and may be withdrawn by you at any time with effect for the future.
If you wish to withdraw your consent to the processing of special categories of personal data by PwC, simply send your withdrawal of consent by e-mail or by post to:
E-mail: DE_Datenschutz@pwc.com
By post:
PricewaterhouseCoopers GmbH WPG
Dr. Tobias Gräber, Datenschutzbeauftragter
Friedrich-Ebert-Anlage 35-37
60327 Frankfurt am Main
Please be advised that if you withdraw your consent, PwC will not be able to process your engagement and perform the agreed services at all, or may only be able to do so to a limited extent.