Pursuant to article 26 of the European Regulation 2016/679 of the EU Parliament and of the Council dated April 27, 2016, concerning the protection of natural persons with regard to the processing of personal data (hereinafter, the “GDPR”), PRICEWATERHOUSECOOPERS SERVICES S.R.L.
(“PwC Services”), has executed a joint control agreement with Servizi Aziendali PricewaterhouseCoopers Srl (“SAPwC”), having its seat in Milan, Piazza Tre Torri, n. 2 in person of its pro tempore legal representative, a company supplying administrative, accounting and organizational services in favour of the Italian entities belonging to PwC Network1 to which PwC Services and SAPwC are members (hereinafter, the “Joint Controllers”). Therefore, all personal data provided by the Company to PwC Services shall automatically be in the joint control of SAPwC.
Based on the above, the Joint Controllers provide the following privacy notice, pursuant to Articles 13 and 14 GDPR (hereinafter, the “Notice”) concerning the processing of personal data collected in connection to the performance of one or more professional engagements by the company (or other entity) you represent (“Client”), for the purposes of the legislation in force concerning the prevention of money laundering and terrorist financing, i.e. Legislative Decree No. 231/2007 and Legislative Decree No. 109 of 2007, with subsequent amendments and supplements, and the related implementing regulations issued by the supervisory authorities (“the Money Laundering Prevention Regulations”).
In accordance with the principle of minimization provided by the article 5, paragraph 1, letter c), GDPR, the Client therefore undertakes to refrain from sending personal data of any type to PwC Services, unless they are strictly necessary for the fulfillment of the obligations under the Anti-Money Laundering Regulations.
The processing may also involve the data of individuals, identified within the Client company, to be addressed by PwC for support in carrying out identification requirements for AML purposes (hereinafter "Contact persons").
The Client represents and warrants to process in a legitimate way and in compliance with GDPR all personal data that will be communicated to PwC Services for the above mentioned purposes.
PRICEWATERHOUSECOOPERS SERVICES S.R.L.
Piazza Tre Torri, n. 2 - 20145 Milano Tax code / VAT no.: 05508970968 Ph. (02) 43516901
SERVIZI AZIENDALI PRICEWATERHOUSECOOPERS S.R.L.
Piazza Tre Torri, n. 2 - 20145 Milano
Posta elettronica certificata (PEC): sapwc@pec.it
Tax code / VAT no.: 12449670152 Ph. (02) 77851
(“DPO”) Piazza Tre Torri, n. 2 - 20145 Milano
Certified email Address (PEC): dpo-services@pec-pwc.it
Ph. (02) 91605650
Fax (02) 91606561
The data provided by you (hereinafter referred to as “the Data”) will be processed by the Owners to
(i) Fulfill the obligations under the Money Laundering Prevention Regulations, as above identified,
(ii) Perform any order of judiciary Authority, any other entity or of organization exercising controlling powers on the Joint controllers
(iii) Perform those rules, concerning the procedures of PwC Network concerning the fulfilments of the Money
laundering Prevention Regulation
(iv) Exercising the rights of the Joint Controllers, in particular, to judicial defensive rights.
(v) Request operative support from individuals identified as Contact persons concerning the fulfillment of the identification requirements of the Money Laundering Prevention Regulations.
For the purposes of the Money Laundering Prevention Regulations, the collection of your personal data is necessary, with particular reference to consent PwC Services the performance of the required “customer due diligence procedures”, which is the necessary precondition for the acceptance and performance of the engagement. A
refusal to communicate the Data and/or the opposition to their processing renders impossible the fulfilment of the
obligations provided for by the Money Laundering Prevention Regulations and, consequently, entails the obligation to abstain from rendering the professional service to the Client.
The data processing of Contact persons is optional and based on PwC's legitimate interest in relying on an effective and functional operative process for the proper fulfillment of the Money Laundering Prevention Regulations’s obligations, requiring the involvement and support also of persons other than those who will be identified.
Any opposition to the processing could make it more difficult to carry out the identification of the Client required by the Money Laundering Prevention Regulations.
Pursuant to Article 4, n. 1, GDPR, “personal data” means any information related to a directly or indirectly identified or identifiable natural person, by reference to an identifier such as a name, and identification number, location
data, on-line identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, which is processed by the Joint Controllers and collected through the Company or from private and/or public data bases or registers (hereinafter, the “Data”). For the purposes of the fulfillment of the Money Laundering Prevention Regulations, PwC Services requires to collect personal data, such as those provided for by article 1, paragraph 2, item (n) (“Identification Data”), Legislative Decree n° 231/2007 in force.
In certain cases, it could become necessary the processing of special categories of personal Data such as, by way of example and not in an exhaustive way, those related to criminal convictions and offences or connected to security measures, as provided for by Article 10, GDPR.
Contact Persons’s Data processed consists of: first and last name, business phone number, business e-mail, and professional title.
Data may be rendered accessible to:
Joint Controllers’ employees and consultants, in their role of persons authorized to process Data (hereinafter, the “Authorized Persons”),
Any third party subject performing outsourced activities, on behalf of the Joint Controllers, in their capacity of data processors, such as, by way of example, the suppliers of IT systems necessary to the registration and storage
of Data, in order to consent the solution of the technical problems or other similar activities related to the necessity to guarantee the correct performance of the systems,
Any judicial or controlling Authority, public entities (whether national or foreign ones), pursuant to the Money Laundering Prevention Regulations,
Other PwC Italian and international Network legal entities (of which Joint Controllers are members) in the cases expressly set out in the regulation.
The updated list of Data processors and Authorized Persons is kept at the Joint Controllers’ seat.
Since the Joint Controllers operate within a network composed of independent legal entities with seat in different countries worldwide, Data may be transferred to and kept also outside the European Union, including those countries not guaranteeing an adequate data protection level. However, such transfers shall occur, in any case, in compliance with Articles 45 and 46, GDPR.
Data are processed and stored on “cloud” and on servers located within the European Union, belonging to or in the availability of the Joint Controllers and/or thirdparty processors, as duly appointed. Any transfer abroad of data to non-EU countries takes place in compliance with the regulations in force, as well as in compliance with the provisions adopted by the European Court of Justice and by national and foreign Authorities regarding the protection of personal data. Personal Data will not be subject to dissemination.
Data will be kept throughout the time-barring legal terms provided for by the Money Laundering Prevention Regulations, increased by twelve months, to possibly ascertain, exercise and protect the rights of the Joint Controllers, aimed at evidencing the due performance of the obligations provided for by the said rules.
Contact person’s Data will be kept for the duration of the engagements performed on behalf of the Client, including the preliminary stages leading to the finalization of the agreements. Collected information related to the Contact persons will be removed from PwC's systems within 6 months from the finalization of the engagements or the failure of them.
In compliance with the provisions under Chapter III, Article I, GDPR, data subjects may exercise the rights therein indicated and in particular:
Right of Access - Obtain confirmation whether Data are processed or not and, in such a case, obtain information related, in particular, to: the purposes of such processing, the categories of the processed Data, the storage period, the recipients to whom such Data can be transferred (Article 15, GDPR);
Right of rectification - Obtain, without undue delay, the rectification of inaccurate Data and to have incomplete
Data completed (Article 16, GDPR),
Right of Erasure - Right of Erasure - Obtain, without undue delay, the erasure of Data, in the cases provided
for by the GDPR Article 17, GDPR),
Right to Restriction - Obtain from the Joint Controllers the limitation to processing, in the cases provided
for by the GDPR (Article 18, GDPR),
Right to Data Portability - Receive Data as communicated to the Joint Controllers in a structured, commonly used and machine- readable format and obtain the transmission of such Data to another controller without any hindrance, in the cases provided for by the GDPR (Article 20, GDPR),
Right to object - Object to the processing of Data, unless the Joint Controllers have compelling legitimate
grounds for the continuation of the processing (Article 21, GDPR),
Right to Lodge a Complaint with the Supervisory Authority - Lodge a complaint to Autorità Garante per la protezione dei dati personali (Info available on the website: www.garanteprivacy.it).
Data subject may request to exercise such rights by sending a notice to the Data Protection Officer by the certified email address above specified.
The processing of data by the joint controllers is carried out by means of the operations indicated in article 4,
no.2, GDPR, performed with o without the aid of IT system and more precisely: collection, registration, organization,
structuring, updating, conservation, adaptation or modification, extraction and analysis, consultation, use,
communication by transmission, comparison, interconnection, limitation, cancellation or destruction of Data.
In particular, the processing of the Data provided will take place through the collection and insertion of the same in paper forms and archives, as well as through the inclusion in a computer register established pursuant
to the Anti-Money Laundering Regulations (“IT Registry”).
The Joint Controllers undertake hereby to keep confidential the Data and the information received
for the performance of the Services and to adopt any suitable measure in order to guarantee an adequate protection
of the same, granting the necessary confidentiality on their content.
The above mentioned confidentiality obligations shall keep their effect further to the date in which the performance of the professional services requested by the Client will be finalized.
Pursuant to Article 32, GDPR, taking into account nature, object, contest and purposes of the Data processing, the Joint Controllers represent having adopted adequate technical and organizational measures, also related
to the particular categories of Data pursuant to Article 10, GDPR, to safeguard the security level proportionate
to the level of risk, including by way of example and not in an exhaustive way: (i) pseudonymization and encryption
of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing
systems and services; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and valuating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Joint Controllers shall be responsible for the protection of their own information system.