PwC IT Services US - Data Privacy Framework Policy (“DPF Policy”)

Background

What is the PwC network?

PwC is the brand under which the member firms of PricewaterhouseCoopers International Limited (PwCIL) operate and provide professional services. Together these firms form the PwC network. The PwC network consists of firms which are separate legal entities which work together to provide quality service offerings for clients throughout the world. Further information about the PwC network’s structure is available here. (Note that these firms are collectively referred to as the ‘PwC network’ for the purposes of this Policy and individual firms are referred to as a ‘PwC member firm’.)

Overview of PricewaterhouseCoopers IT Services (US) LLC 

The PricewaterhouseCoopers IT Services group of entities aims to provide shared technology services to PwC firms in a secure, compliant, efficient and transparent manner. PricewaterhouseCoopers IT Services Limited (“PwC IT Services”) is a UK incorporated company with its registered office in London. PwC IT Services is a separate legal entity owned and sponsored by several PwC firms on behalf of the PwC network, with subsidiaries or legal branches in the countries where it has operations. Those subsidiaries include PricewaterhouseCoopers IT Services (US) LLC (“PwC IT Services US”, “we”, “us” or “our”), a company with its principal place of business located at 4040 W Boy Scout Boulevard, Tampa FL, 33607.

What does PwC IT Services US do?

In common with all entities in the PwC IT Services group, PwC IT Services US operates shared technology services for the benefit of the PwC network. Those services include hosting services (both on-premise and provisioning of cloud hosting platforms), information security services and application support services. PwC IT Services US does not provide those services directly to PwC clients but only to other members of the PwC network.

PwC IT Services US is a separate legal entity to PricewaterhouseCoopers LLP, the PwC firm (together with its affiliates) based in the United States that provides services to clients. PricewaterhouseCoopers LLP maintains its own separate certification under the Data Privacy Framework, details of which can be found here. Further information regarding PricewaterhouseCoopers LLP, including its privacy policy and Data Privacy Framework policy, can be found via its website.

DPF Policy

1. Introduction

1.1 Overview

As set forth in PwC's Global Code of Conduct: "We respect the confidentiality and privacy of our clients, our people and others with whom we do business." As a provider of shared IT services to the PwC network, we support the network in this aim through our operation of those services.

PwC IT Services US complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. PwC IT Services US has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. PwC IT Services US has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (“Swiss-U.S. DPF Principles”) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this DPF Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles (collectively referred to in this DPF Policy as the “DPF Principles”), the DPF Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

1.2 Categories of Information

This DPF Policy applies to personal information within the scope of PwC IT Services US’s DPF certification, which covers the following categories of information:

  • Personal information regarding current, former and prospective partners, principals, employees and contractors of members of the PwC network (including PwC IT Services, its subsidiaries and branches, including PwC IT Services US) (together referred to as “PwC Personnel”) for the purposes of operating and managing the PwC network, performing human resource administration and maintaining contact with individuals.
  • Personal information regarding current, former and prospective PwC network clients and their personnel or others for the purposes of delivering PwC network services, maintaining ongoing relationships and performing business development activities.
  • Personal information regarding third parties (e.g., vendors, service providers, etc.) and their personnel for the purposes of managing and administering the PwC network’s business relationships with such third parties.

For the purposes of this DPF Policy, “personal information” means information that is about, or pertains to a specific individual and can be linked either directly or indirectly to that individual. In addition, certain personal information covered by PwC IT Services US’s DPF certification may be subject to more specific privacy policies of PwC member firms, which are also consistent with the requirements of the DPF Principles, and in the case of any conflict between these policies and the DPF Principles, the DPF Principles will control.

For example:

  • Certain PwC member firm websites maintain their own privacy policies that apply to personal information collected via those sites. These policies may be accessed through those websites. Such information may be processed by PwC IT Services US in order to provide services to the relevant PwC member firm.
  • Personal information obtained from or relating to clients or former clients of PwC member firms is further subject to the terms of any specific privacy notice provided to the client, any contractual arrangements with the client and applicable laws and professional standards.
  • Personal information obtained from or relating to PwC Personnel is subject to the terms of any applicable personnel privacy statement or policy, any contractual arrangements with those PwC Personnel and applicable laws and professional standards.

2. Individual Notice and Choice

We collect and process personal information from certain individuals and for the purposes described in this DPF Policy. Personal information covered by this DPF Policy is collected and processed only as permitted by the DPF Principles.

Notice to individuals regarding the personal information collected from them and how that information is used may be provided through this DPF Policy, other PwC network website notices, or other direct forms of communication with appropriate parties, such as contracts or agreements. Where necessary and appropriate, consent for personal information to be collected, used, and/or transferred may also be obtained through these same means of communication (including opt-in consent where appropriate). If personal data covered by this DPF Policy is to be used for a new purpose that is materially different from that for which it was originally collected or subsequently authorized, or is to be disclosed to a non-agent third party in a manner not specified in this DPF Policy, PwC IT Services US will provide you with an opportunity to choose whether to have your personal data used or disclosed. Requests to opt out of such uses or disclosures of personal data should be sent to us as specified in the “how to contact us” section below.

Certain personal data, such as information about medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, is considered “sensitive information.” PwC IT Services US will not use sensitive personal information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individuals unless PwC IT Services US has received affirmative and explicit consent (opt-in).

The majority of data processing carried out by PwC IT Services US is at the direction of other PwC member firms and often any such notice and/or consent is controlled and handled by the PwC member firm(s) with PwC IT Services US acting as a data processor.

3. Disclosures & Accountability for Onward Transfers

Consistent with the DPF Principles, PwC IT Services US may transfer personal information to third parties, including transfers from one country to another. We will only disclose an individual’s personal information to third parties under one or more of the following conditions:

  • The disclosure is to:
    • a third-party providing services to the PwC network in connection with the operation of the PwC network’s business; and/or
    • a PwC member firm in connection with PwC IT Services US’s provision of services to the PwC network 

as consistent with the purpose for which the personal information was collected. The PwC network maintains written contracts with these third parties and as between all PwC member firms. Those contracts include requirements to provide at least the same level of privacy protection and security as required by the DPF Principles. To the extent provided by the DPF Principles, PwC IT Services US remains responsible and liable under the DPF Principles if a third-party (including a PwC member firm) that it engages to process personal information on its behalf as its agent does so in a manner inconsistent with the DPF Principles, unless PwC IT Services US proves that it is not responsible for the matter giving rise to the damage.

Other than as set out above, PwC IT Services US will disclose personal information only:

  • With the individual’s permission to make the disclosure.
  • Where required to the extent necessary to meet a legal obligation to which PwC IT Services US is subject, including a lawful request by public authorities and national security or law enforcement obligations and applicable law, rule, order, or regulation.
  • Where reasonably necessary for compliance or regulatory purposes, or for the establishment of legal claims.

You may choose to opt out of our use or disclosure of your personal information as described in this DPF Policy. To opt out, please use the Internal Complaints Mechanism, as described below.

4. Access

Individuals whose personal information is covered by this DPF Policy have the right to access the personal information that PwC IT Services US maintains about them as specified in the DPF Principles. Individuals may contact us to correct, amend or delete such personal information if it is inaccurate or has been processed in violation of the DPF Principles (except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the individual’s privacy, or where the rights of persons other than the individual would be violated). Individuals may also have the right to restrict or object to the processing or disclosure of personal data, subject to applicable law.

Requests for access, correction, amendment, deletion, restriction or objection to the processing of data should be sent to the PwC IT Services US Data Protection Officer via email (please refer to the Internal Complaints Mechanism below for further details regarding how to contact us to exercise individuals’ data processing rights).

Alternatively, individuals may contact the PwC member firm with which they have a relationship. Where a request is made in this way, PwC IT Services US will act on the request once notified by that member firm and will cooperate with that member firm to fulfill the request.

5. Security

PwC IT Services US takes appropriate measures to protect personal information in its possession to ensure a level of security appropriate to the risk of loss, misuse, unauthorized access, disclosure, alteration, and destruction. These measures take into account the nature of personal information and the risks involved in its processing, as well as best practices in the industry for security and data protection.

6. Data Integrity and Purpose Limitation

PwC IT Services US collects and processes personal information only to the extent that it is compatible with the purposes for which it was collected or subsequently authorized by the data subject. PwC IT Services US does not retain personal information after it no longer serves the purposes for which it was collected or subsequently authorized. PwC IT Services US takes reasonable steps to ensure that personal information is accurate, complete, current, and reliable for its intended use.

Note that the majority of data processing carried out by PwC IT Services US is at the direction of other PwC member firms. Therefore, the collection and purposes of that data processing are controlled and handled by the PwC member firm(s) with PwC IT Services US acting as a data processor.

7. Enforcement

7.1 Internal Complaints Mechanism

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, PwC IT Services US commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF should first contact PwC IT Services US at: 

Nancy Dickie - Data Protection Officer, PwC IT Services US
Email
Mail: PricewaterhouseCoopers IT Services (US) LLC
4040 W Boy Scout Blvd
Tampa FL, 33607
U.S.A.

Alternatively, you can contact us via PricewaterhouseCoopers IT Services B.V., PwC IT Services’ subsidiary in the Netherlands:

Email
Mail: PricewaterhouseCoopers IT Services B.V.
Thomas R. Malthusstraat 5
1066 JR
PO Box 90351
1006 BJ
Amsterdam
The Netherlands

PwC IT Services US has a policy of responding to individuals within forty-five (45) days of an inquiry or complaint.

Individuals may also contact us via the means outlined above regarding their data rights (i.e. access, correction, deletion, restriction or objection to the processing of data) and we will respond within forty-five (45) days of any such request.

7.2 Independent Recourse Mechanism

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, PwC IT Services US commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to the International Centre for Dispute Resolution/American Arbitration Association ("ICDR-AAA"), an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://go.adr.org/dpf_irm.html for more information or to file a complaint. The services of the ICDR-AAA are provided at no cost to you.

7.3 Binding Arbitration

You may have the option to select binding arbitration for the resolution of your complaint regarding DPF compliance under certain circumstances, where your complaint is not resolved by any of the other DPF mechanisms. For further information, please refer to DPF ANNEX I (introduction) - Binding Arbitration.

7.4 Federal Trade Commission

PricewaterhouseCoopers IT Services (US) LLC is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

8. Modifications

PwC IT Services US may update this DPF Policy at any time by publishing an updated version here. We will not update this DPF Policy in contravention of the DPF Principles so long as we remain certified under the DPF program.

Last updated: 11 November 2024