Privacy Statement

Controller and contact information

This privacy statement applies to the following personal data controllers (“PwC” or “we”):

  1. PricewaterhouseCoopers SIA, registration number: 40003142793;

  2. ZAB PricewaterhouseCoopers Legal SIA, registration number: 40203342251.

In certain personal data processing processes (for example, personnel management, accounting, etc.), the above-mentioned controllers can act as joint controllers:

  • PricewaterhouseCoopers SIA together with ZAB PricewaterhouseCoopers Legal SIA.

If you have any questions about this privacy statement or how and why we process personal data, please contact us via post, phone or email:

  1. PricewaterhouseCoopers SIA, Marijas Street 2A, LV-1050, Riga, e-mail: lv_pwc.riga@pwc.com, phone: + 371 6709 4400;

  2. ZAB PricewaterhouseCoopers Legal SIA, Marijas Street 2A, LV-1050, Riga, e-mail: lv_pwc.riga@pwc.com, phone: + 371 6709 4400.

Please note that before we respond to your request, we may ask you to provide additional data to identify you.

 

Introduction

We are strongly committed to protecting personal data. This privacy statement describes why and how we collect and use personal data and provides information about your rights as a data subject.

We process the personal data for the purposes described in this privacy statement or for the purposes indicated at the time the personal data was obtained.

Personal data is any information relating to an identified or identifiable natural person. PwC processes personal data for various purposes, and the method of obtaining personal data, the legal basis for processing, use, as well as its further transfer and retention period may differ depending on the relevant purpose.

It is our policy to be transparent about why and how we process personal data.

Security

We take the security of the personal data that we process very seriously. We follow internationally recognized safety standards; an independent party has certified our information security management system for confidential client data as compliant with ISO/IEC 27001: 2013. We have implemented a data protection, privacy and security policy, procedure and training system, and we regularly review the measures to ensure that they are adequate and secure.

Purposes and legal basis for the  processing

We have described each of the purposes and legal bases for the processing in more detail in the relevant sections specified in this privacy statement.

When we process personal data for our legitimate interests, we make sure to consider and balance any potential impact on a data subject (both positive and negative), and the data subject’s rights under data protection laws. Our legitimate business interests do not automatically override interests of the data subjects - we will not process personal data for activities where our interests are overridden by the impact on the data subject  (unless we have the consent or are otherwise required or permitted to by law).

 

Data retention

Personal data collected will be retained by us for as long as it is necessary for the specific purpose and taking into account the legal basis of the processing. For example:

  1. business contacts of our customers - legal entities - as long as there is an ongoing cooperation between us and the customer, as long as the business contact works for the customer or as long as there are any other legitimate interests of ours;

  2. data of our customer - individuals - as long as there is an ongoing cooperation between us and the customer or as long as there are any other legitimate interests of ours;

  3. data of recruitment candidates - six months after the submission of the application or while the candidate's consent is valid, if it has been obtained.

Specific storage periods have been described above in specific sections of this privacy statement (see above). 

Transfer of personal data

We will only share personal data with others when we are legally permitted to do so. When we share data with others, we put contractual arrangements and security mechanisms in place to protect the data and to comply with our data protection, confidentiality and security standards.

We are part of a global network of firms and as other professional service providers, we use third parties located in other countries to help us run our business.  As a result, personal data may be transferred outside the countries where we and our customers are located. Personal data may be transferred to countries outside the European Economic Area ("EEA") and to countries that do not have laws that provide specific protection for personal data. In such cases, we have taken steps to ensure all personal data is provided with adequate protection and that all transfers of personal data outside the EEA are done lawfully, such as: 

  1.  in accordance with Article 45 (1) of General Data Protection Regulation - if the decision of the European Commission on the adequacy of the level of protection (adequacy decision) is valid; or
  2. in accordance with subsection c) of Article 46 (2) of General Data Protection Regulation - if standard contractual clauses for data transfers between EU and non-EU countries have been concluded.

Please note that we store your personal data on servers located in the EU/EEA. Transfer of personal data outside the EU/EEA may take place only in exceptional cases and if sufficient guarantees and protection measures have been followed.

In cases where we cooperate with third party service providers, we carefully check them to be sure they can provide the same personal data protection level as PwC companies.

If we cooperate with other PwC firms, each PwC firm in any country has implemented the same personal data protection level and security measures as PwC firms in the European Union. In addition, PwC companies have signed a global agreement that meets the requirements of applicable laws to ensure sufficient personal data protection level.

Personal data may be transferred to:

  • other PwC member firms (for details of our member firm locations, please click here):

    • where necessary for administrative purposes (e.g, to maintain applications used by PwC, to ensure risk management, etc.), or

    • to provide professional services to our customers (e.g. when providing services involving advice from PwC member firms in different territories);

  • for other purposes and legitimate interests (e.g., our business contacts are visible to and used by PwC users from other PwC member firms to learn more about a business contact, customer or opportunity they have an interest in (please see the Business contacts section of this privacy statement for more information about our processing of this type of data);

  •  

    Our business partners or service provider:

    • to help provide, run and manage our internal IT systems (for example, providers of information technology, cloud based software as a service providers, identity management, website hosting and management, data analysis, data back-up, security and storage services. The servers powering and facilitating that cloud infrastructure are located in secure data centers in EEA);

    • to otherwise assist us in providing services or information;

     

  • Our auditors and other professional advisers, e.g. legal assistance providers representing us in a dispute, professional risk or indemnity insurer, etc.;

  • law enforcement or other public and regulatory agencies or to other third parties as required by, and in accordance with, applicable law or regulation;

  • occasionally, we may receive requests from third parties with authority to obtain disclosure of personal data, such as to check that we are complying with applicable law and regulation, to investigate an alleged crime, to establish, exercise or defend legal rights. We will only fulfill requests for personal data where we are permitted to do so in accordance with applicable law or regulation.

Your rights and how to exercise them

Individuals have certain rights over their personal data and our as data controller responsibility is fulfilling these rights. Please read information about the rights that individuals have and how to exercise them below.

Access to personal data

You have a right of access to personal data held by us as a data controller. This right may be exercised by reaching out to us, by using our contact information.

Amendment of personal data

To update or amend your personal data submitted to us, you may reach out to us by using our contact information. We will update your personal data as soon as possible.

If your personal data is processed in our information systems to which you have direct access, you may either correct your personal data yourself or ask us to update your personal data.

Sometimes we may ask you to provide additional information in order to fulfill our obligation to process only current and correct personal data.

Withdrawal of consent

Where we process personal data based on your consent (e.g. to receive our news), you have a right to withdraw consent at any time. To withdraw your consent to our processing of your personal data please reach out to us by using our contact information, or to stop receiving an email from a PwC marketing list, please click on the unsubscribe link in the relevant email received from us.

Right to restrict or object to our processing of personal data

You have the right to restrict or object to the processing of your personal data at any time, on reasonable grounds relating to your particular situation, unless the processing is required by law. For example, you have the right to restrict your personal data that you consider to be inaccurate, for the time that we, as the data controller, can verify the accuracy of your personal data; you also have the right to restrict the processing of your personal data if you believe that we, as the data controller, are processing them illegally. You can read more about your right to restrict or object in Article 18 of General Data Protection Regulation.

In such case, we will no longer process or restrict the processing of the personal data, unless we can demonstrate compelling legitimate grounds for the processing or for the establishment, exercise or defense of legal claims.

The right to erasure of personal data

In certain cases, you have the right to request that we delete your personal data, for example, if the purpose for which this personal data was obtained no longer exists, if you have withdrawn your consent and there is no other legal basis for processing your personal data, as well as in other cases that are more detailed described in Article 17 of General Data Protection Regulation.

Please note that we will not always be able to delete your personal data, for example, we will not be able to delete your personal data if it is necessary to fulfill our obligations (e.g. the obligation to keep the personal data of employees for a certain period after the termination of the employment relationship), however we will delete your personal data, unless there is no legal obligation for us to process your personal data.

Other data subject rights

In addition to the rights described above, you may also have other rights regarding your personal data, such as, the right to data portability or the right to object to automated individual decision-making or profiling (please see the General Data Protection Regulation).

If you wish to exercise your rights, please contact us by using the contact information provided.

Complaints

We hope that you won’t ever need to, but if you do want to complain about our processing of personal data, please contact our data protection specialist (please see contact information above). We will look into and respond to any complaints we receive.

You also have the right to lodge a complaint with the State Data Protection Inspectorate, address: Elijas Street 17, Riga, LV-1050, Latvia, e-mail: pasts@dvi.gov.lv.

Changes to this privacy statement

We recognise that transparency is an ongoing responsibility so we will keep this privacy statement under regular review. This privacy statement was last updated on 8 September 2022.

 

Follow us