PwC SpA | Privacy notice concerning the processing carried out for the purposes provided for by the current legislation on anti-money laundering and counter-terrorism

Privacy notice given pursuant to articles 13 and 14 of the European Regulation 2016/679 of the EU Parliament and of the Council dated April 27, 2016, concerning the protection of natural persons with regard to the processing of personal data (hereinafter, the “GDPR”).

Pursuant to article 26 of the European Regulation 2016/679 of the EU Parliament and of the Council dated April 27, 2016, concerning the protection of natural persons with regard to the processing of personal data (hereinafter, the “GDPR”), PricewaterhouseCoopers SpA (“PwC”) has executed a joint control agreement with Servizi Aziendali PricewaterhouseCoopers Srl (“SAPwC”), having its seat in Milan, Piazza Tre Torri n. 2, in the person of its pro tempore legal representative, a company supplying administrative, accounting and organizational services in favour of the Italian entities belonging to the PwC Network, of which PwC and SAPwC are members (hereinafter, the “Joint Controllers”). Therefore, all personal data provided by the Company to PwC shall automatically be in the joint control of SAPwC.

Based on the above, the Joint Controllers provide the following information, pursuant to articles 13 and 14 GDPR (hereinafter, the “Notice”) concerning the processing of personal data collected in connection to the performance of one or more professional engagements by the company (or other entity) you represent (“Client”), for the purposes of the legislation in force concerning the prevention of money laundering and terrorist financing, i.e. Legislative Decree No. 231/2007 and Legislative Decree No. 109 of 2007, with subsequent amendments and supplements, and the related implementing regulations issued by the supervisory authorities (“the Money Laundering Prevention Regulations”).
The processing may also involve the data of individuals, identified within the Client company, to be addressed by PwC for support in carrying out identification requirements for AML purposes (hereinafter "Contact persons"). 

The Client represents and warrants that it processes in a legitimate way all personal data that will be communicated to PwC for the above-mentioned purposes.

a) Identity and Contact details of the Joint Controllers

PRICEWATERHOUSECOOPERS S.P.A.
Piazza Tre Torri, n.2 - 20145 Milano
Certified e-mail Address (PEC): spa@pec-pwc.it
tax code / VAT no. 12979880155
Tel. (02) 77851

SERVIZI AZIENDALI PRICEWATERHOUSECOOPERS S.R.L.
Piazza Tre Torri, n. 2 - 20145 Milano
Certified e-mail Address (PEC): sap@pec-pwc.it
tax code / VAT no. 12449670152  
Tel. (02) 77851

b) Contact details of the Data Protection Officer:

Office of the Data Protection Officer (“DPO”)
Piazza Tre Torri, n. 2 – 20145 Milano
Certified e-mail Address (PEC): dpo-assurance@pec-pwc.it
Tel. (02) 7785670
Fax. (02) 7785671

c) Purposes of the processing for which the personal data are intended and related legal basis

Your personal data will be processed by the Joint Controllers to:

(i) Fulfill the obligations under the Money Laundering Prevention Regulations, as identified above;
(ii) Comply with any order of a judicial Authority, or of any other entity or organization exercising controlling powers over the Joint Controllers;
(iii) Comply with the rules governing the procedures of the PwC Network concerning the fulfillment of the Money Laundering Prevention Regulations;
(iv) Exercise the rights of the Joint Controllers, with particular reference to their rights of judicial defence;
(v) Request operative support from individuals identified as Contact persons concerning the fulfillment of the identification requirements of the Money Laundering Prevention Regulations.

For the purposes of the Money Laundering Prevention Regulations, the collection of your personal data is necessary, in particular to allow PwC to perform the required “customer due diligence procedures”, which is the necessary precondition for the acceptance and performance of the engagement. A refusal to communicate the Data and/or the opposition to their processing renders impossible the fulfillment of the obligations provided for by the Money Laundering Prevention Regulations and, consequently, entails the obligation to abstain from rendering the professional service to the Client.
The data processing of Contact persons is optional and based on PwC's legitimate interest in relying on an effective and functional operative process for the proper fulfillment of the obligations under the Money Laundering Prevention Regulations, requiring the involvement and support also of persons other than those who will be identified. Any opposition to the processing could make it more difficult to carry out the identification of the Client required by the Money Laundering Prevention Regulations.

d) Processed Categories of Personal Data

Pursuant to article 4, n. 1, GDPR, “personal data” means any information related to a directly or indirectly identified or identifiable natural person, by reference to an identifier such as a name, an identification number, location data, an on-line identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, which is processed by the Joint Controllers and collected through the Company or from private and/or public data bases or registers (hereinafter, the “Data”).

For the purposes of the fulfillment of the Money Laundering Prevention Regulations, PwC needs to collect personal data, such as those provided for by article 1, paragraph 2, item (n) (“Identification Data”), Legislative Decree n° 231/2007.

In certain cases, the processing of special categories of personal Data could become necessary, such as, by way of example and not in an exhaustive way, those related to criminal convictions and offences or connected to security measures, as provided for by article 10, GDPR.
The Contact persons’ Data processed consist of: first and last name, business phone number, business e-mail, and professional title.

e) Categories of personal Data recipients

Data may be rendered accessible to:

(i) Joint Controllers’ employees and consultants, in their role of persons authorised to process Data (hereinafter, the “Authorised Persons”),
(ii) Any third party performing outsourced activities on behalf of the Joint Controllers, in its capacity as data processor, such as, by way of example, the suppliers of IT systems necessary for the registration and storage of Data, in order to allow the resolution of technical problems or other similar activities related to the need to guarantee the correct performance of the systems;
(iii) Any judicial or controlling Authority, public entities (whether national or foreign ones), pursuant to the Money Laundering Prevention Regulations;
(iv) Other PwC Italian and international Network legal entities (of which Joint Controllers are members) in the cases expressly set out in the regulation.

The updated list of Data processors and Authorized Persons is kept at the Joint Controllers’ seat.

f) Transfer of personal data to third countries

Since the Joint Controllers operate within a network composed of independent legal entities with seat in different countries worldwide, Data may be transferred to and kept also outside the European Union, including those countries not guaranteeing an adequate data protection level. However, such transfers shall occur, in any case, in compliance with articles 45 and 46, GDPR.

Data are processed and stored on “cloud” and on servers located within the European Union, belonging to or in the availability of the Joint Controllers and/or third-party processors, as duly appointed. Any transfer abroad of data to non-EU countries takes place in compliance with the regulations in force, as well as in compliance with the provisions adopted by the European Court of Justice and by national and foreign Authorities regarding the protection of personal data. 

Personal Data will not be subject to dissemination.

g) Personal data storage period

Data will be kept throughout the time-barring legal terms provided for by the Money Laundering Prevention Regulations, increased by twelve months, to possibly ascertain, exercise and protect the rights of the Joint Controllers, aimed at evidencing the due performance of the obligations provided for by the said rules.
Contact person’s Data will be kept for the duration of the engagements performed on behalf of the Client, including the preliminary stages leading to the finalization of the agreements. Collected information related to the Contact persons will be removed from PwC's systems within 6 months from the finalization of the engagements or the failure of them.

h) Exercisable Rights

In compliance with the provisions under Chapter III, Section I, GDPR, data subjects may exercise the rights therein indicated and in particular:

Right of Access – Obtain confirmation whether Data are processed or not and, in such a case, obtain information related, in particular, to: the purposes of such processing, the categories of the processed Data, the storage period, the recipients to whom such Data can be transferred (Article 15, GDPR);
Right of Rectification – Obtain, without undue delay, the rectification of inaccurate Data and to have incomplete Data completed (Article 16, GDPR);
Right of Erasure – Obtain, without undue delay, the erasure of Data, in the cases provided for by the GDPR (Article 17, GDPR);
Right to Restriction – Obtain from the Joint Controllers the limitation to processing, in the cases provided for by the GDPR (Article 18, GDPR);
Right to Data Portability – Receive Data as communicated to the Joint Controllers in a structured, commonly used and machine-readable format and obtain the transmission of such Data to another controller without any hindrance, in the cases provided for by the GDPR (Article 20, GDPR);
Right to object – Object to the processing of Data, unless the Joint Controllers have compelling legitimate grounds for the continuation of the processing (Article 21, GDPR);
Right to Lodge a Complaint with the Supervisory Authority – Lodge a complaint to Autorità Garante per la protezione dei dati personali. Contact details at www.garanteprivacy.it.

Data subjects may request to exercise such rights by sending a notice to the Data Protection Officer at the certified email address specified above.

The Joint Controllers undertake hereby to keep confidential the Data and the information received for the performance of the Services and to adopt any suitable measure in order to guarantee an adequate protection of the same, granting the necessary confidentiality on their content.

The confidentiality obligations above shall continue to be effective after the performance of the Services.

The above-mentioned confidentiality obligations shall remain in effect after the date on which the performance of the professional services requested by the Client is finalized.

Pursuant to article 32, GDPR, taking into account the nature, object, context and purposes of the Data processing, the Joint Controllers represent that they have adopted adequate technical and organizational measures, also related to the particular categories of Data pursuant to article 10, GDPR, to safeguard a security level proportionate to the level of risk, including by way of example and not in an exhaustive way:
(i) pseudonymisation and encryption of personal data;
(ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Joint Controllers shall be responsible for the protection of their own information system.