PwC SpA | Information on circularisation processes

Privacy notice pursuant to articles 13 and 14, GDPR regarding the external confirmation procedures required for the execution of audit engagements


Pursuant to Article 26 of the European Regulation 2016/679 of the European Parliament and of the Council dated April 27, 2016, concerning the protection of natural persons with regard to the processing of personal data (hereinafter “GDPR”), PricewaterhouseCoopers SpA audit firm (hereinafter “PwC”) has executed a joint control agreement with Servizi Aziendali PricewaterhouseCoopers S.r.l. (hereinafter “SAPwC”), having its seat in Milan, Piazza Tre Torri, n. 2, a company supplying administrative, accounting and organizational services in favor of the Italian entities belonging to the PwC Network, of which PwC and SAPwC (hereinafter the “Joint Controllers”) are members. Therefore, all personal data provided by PwC’s client companies shall automatically be in the joint control of SAPwC. Based on the above, the Joint Controllers provide the following information, pursuant to Articles 13 and 14 GDPR (hereinafter, the “Notice”), concerning the processing of personal data collected in connection with the performance of audit engagements assigned by client companies.


a) Identity and Contact details of the Joint Controllers

PRICEWATERHOUSECOOPERS S.p.A.
Piazza Tre Torri, n. 2 - 20145 Milano
Tax code/VAT: 12979880155
Tel. (02) 77851

SERVIZI AZIENDALI PRICEWATERHOUSECOOPERS S.r.l.
Piazza Tre Torri, n. 2 - 20145 Milano
Tax code/VAT: 12449670152
Tel. (02) 77851

b) Contact details of the Data Protection Officer:

Office of the Data Protection Officer (“DPO”)
Piazza Tre Torri, n. 2 - 20145 Milano
Certified email address: dpo-assurance@pec-pwc.it
Tel. (02) 7785670 Fax. (02) 7785671

c) Purposes of the processing for which the personal data are collected and basis for lawful processing

The personal data will be processed for the following purposes:

(i) fulfill pre-contractual and contractual obligations concerning the Audit Engagements, as regulated by European laws, Italian laws, as well as applicable auditing standards;

(ii) fulfill obligations provided for by national or European laws and regulations (for example, anti-money laundering or anti-terrorism law) or, as applicable, by a law of a third country;

(iii) comply with an order of any judicial authority, as well as of any other entity to whose authority the Joint Controllers are subject;

(iv) performance of any activity related to PwC Network procedures for processes and organizational, administrative and operative aspects related to the assignment and the performance of professional engagements (which, in some cases, could be carried out involving other Italian or foreign legal entities belonging to the PwC Network) and the relationships with the clients (for example, independence and potential conflict of interests controls, risk management procedures and quality control procedures);

(v) exercise the rights of the Joint Controllers, with particular reference to judicial defensive rights.

The processing of personal data carried out for the purposes indicated above is necessary to implement the regulatory provisions in force and to carry out the audit engagements assigned by PwC's clients, in application of the obligations established by national and European Union law and by contractual obligations, as well as, more generally, in pursuit of the legitimate interest of PwC's clients, and also of third parties with whom PwC's client companies maintain commercial relations, in the correct execution of the audit activities and the consequent expression of an opinion on the financial statements.

For the purposes indicated above, the collection of the personal data is necessary and does not require the Data Subjects’ consent.

d) Processed categories of personal data:

Pursuant to Article 4, Paragraph 1, GDPR, “personal data” (hereinafter, the “Data”) means any information relating to a directly or indirectly identified or identifiable natural person, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, which is processed by the Joint Controllers and collected through the client companies or from private and/or public databases or registers.

For the performance of the audit engagements, considering the nature of the audit activities, in certain cases it may become necessary to process special categories of personal Data such as, by way of example and not in an exhaustive way, those provided for by Article 9, GDPR (such as Data concerning health), or Data relating to criminal convictions and offences or connected to security measures, as defined by Article 10, GDPR.


e) Categories of personal Data recipients

In the performance of the audit engagements, Data may be made accessible to:

(i) corporate bodies and other corporate positions within the client companies assigned the engagement, on the basis of the adopted governance model;

(ii) external entities (including private ones), Italian or foreign, performing supervisory activities over the client companies, their group and/or the Joint Controllers (such as, by way of example, Consob, Banca d’Italia, Ivass), public authorities, as well as civil, criminal and administrative judicial authorities;

(iii) Joint Controllers’ employees and consultants, in their role of persons authorised to process Data (hereinafter, the “Authorised Persons”);

(iv) other Italian or foreign legal entities belonging to the PwC Network, of which Joint Controllers are members, also for the purpose described in section c;

(v) external companies, firms and professionals entrusted by the Joint Controllers, who perform activities instrumental to the audit engagements or to any other engaged services to be performed;

(vi) other auditors, in the cases set forth by the law and by applicable auditing standards, or upon specific request of the client companies;

(vii) any other third party entity acting as Joint Controllers’ outsourcers, also for Data storage purposes, in their capacity of Data processors;

(viii) professionals engaged by the client companies for the performance of other services, or by third parties for the performance of engagements in which the client companies may have an interest (for example, “due diligence” engagements involving the client company).

The updated list of Data processors and Authorised Persons is kept at the Joint Controllers’ seat.

f) Storage and transfer of personal data to third countries

Since the Joint Controllers operate within a network composed of independent legal entities with seat in different countries worldwide, Data may be transferred to and kept also outside the European Union, including those countries not guaranteeing an adequate data protection level. However, such transfers shall occur, in any case, in compliance with Articles 45 and 46, GDPR.

Data are processed and stored on “cloud” and on servers located within and outside the European Union, belonging to or in the availability of the Joint Controllers and/or third party processors, as duly appointed. Any transfer abroad of data to non-EU countries takes place in compliance with the regulations in force, as well as in compliance with the provisions adopted by the European Court of Justice and by national and foreign Authorities regarding the protection of personal data. 

Personal Data will not be subject to dissemination.

g) Personal data storage period

Personal Data are kept throughout the whole duration of the professional engagement established with the client company assigning the engagement. As of the date of termination, for whatever reason or cause, Data will be stored for the period provided by the applicable auditing standards concerning the retention of audit documentation and, in any case, for as long as the applicable statutory terms apply, increased by twelve months.

Nevertheless, Data will be kept for as long as necessary to comply with specific legal requirements (by way of example, anti-money laundering requirements), as well as to ascertain, exercise and protect the rights of the Joint Controllers, including for the purpose of evidencing the due performance of the professional audit engagement.

h) Exercisable Rights

In compliance with the provisions under Chapter III, Section I, GDPR, you may exercise the rights therein indicated and in particular:

Right of Access – Obtain confirmation whether your data are processed or not and, in such a case, obtain information related, in particular, to: the purposes of such processing, the categories of the processed personal data, the storage period, the recipients to whom such data can be transferred (Article 15, GDPR),

Right of Rectification – Obtain, without undue delay, the rectification of inaccurate personal data and to have incomplete personal data completed (Article 16, GDPR),

Right of Erasure – Obtain, without undue delay, the erasure of your personal data, in the cases provided for by the GDPR (Article 17, GDPR),

Right to Restriction – Obtain from the Joint Controllers the limitation to processing, in the cases provided for by the GDPR (Article 18, GDPR),

Right to Data Portability – Receive your personal data as communicated to the Joint Controllers in a structured, commonly used and machine-readable format and obtain the transmission of such data to another controller without any hindrance, in the cases provided for by the GDPR (Article 20, GDPR),

Right to object – Object to the processing of your personal data, unless the Joint Controllers have compelling legitimate grounds for the continuation of the processing (Article 21, GDPR),

Right to Lodge a Complaint with the Supervisory Authority – Lodge a complaint with the Autorità Garante per la protezione dei dati personali (information available on the website: www.garanteprivacy.it).

Data Subjects may exercise such rights by sending a notice to the Data Protection Officer at the certified email address specified above.

i) Processing operations

Personal Data are processed by the Joint Controllers through the operations indicated in Article 4, n. 2), GDPR – whether or not performed by automated means – such as: collection, recording, organization, structuring, update, storage, adaptation or alteration, retrieval and analysis, consultation, use, disclosure by transmission, alignment or combination, restriction, erasure or destruction.

The Joint Controllers undertake hereby to keep confidential the Data and the information received for the performance of the Services and to adopt any suitable measure in order to guarantee an adequate protection of the same, granting the necessary confidentiality on their content.

The confidentiality obligations above shall remain in force after the completion of the audit engagements assigned by PwC’s clients.

Pursuant to Article 32, GDPR, taking into account the nature, scope, context and purposes of the Data processing, the Joint Controllers represent that they have adopted adequate technical and organizational measures, including with regard to the special categories of Data pursuant to Articles 9 and 10, GDPR, to ensure a level of security appropriate to the level of risk, including by way of example and not in an exhaustive way: (i) pseudonymisation and encryption of Data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability of and access to the Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.