PwC's Data Privacy Framework Policy

Download PDF

Overview

As set forth in PwC's Global Code of Conduct: "We respect the confidentiality and privacy of our clients, our people and others with whom we do business."

PwC US Group LLP and its United States subsidiaries and affiliates using the PwC or PricewaterhouseCoopers brand name (“PwC”) comply with the EU-U.S. Data Privacy Framework (EU-U.S.DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce (collectively, the “DPF”). PwC has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S.DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. PwC has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this DPF policy or another applicable privacy policy and the DPF Principles, the DPF Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit Data privacy framework website.

This DPF Policy applies to personal information within the scope of PwC’s DPF certification, which covers the following categories of information:

  • Personal information regarding current, former and prospective partners, principals and employees for the purposes of operating and managing PwC, performing human resource administration and maintaining contact with individuals.
  • Personal information regarding current, former and prospective clients and their personnel, customers, or other data subjects for the purposes of delivering PwC services, maintaining ongoing relationships and performing business development activities.
  • Personal information regarding our suppliers, service providers, and other third parties, and their personnel for the purposes of managing and administering PwC’s business relationships with such third parties.
  • Personal information collected from members of the general public in order to answer inquiries or provide information requested.

Certain personal information covered by PwC’s DPF certifications may also be subject to more specific privacy policies of PwC. For example:

  • Certain PwC websites maintain their own privacy policies that apply to personal information collected via those sites. These policies may be accessed through those websites.
  • Personal information obtained from or relating to clients or former clients is further subject to the terms of any specific privacy notice provided to the client, any contractual arrangements with the client and applicable laws and professional standards.

Personal information covered by this DPF Policy is collected and processed only as permitted by the DPF Principles. Notice to individuals regarding the personal information collected from them and how that information is used may be provided through this DPF Policy, other PwC privacy notices, or other direct forms of communication with appropriate parties, such as contracts or agreements. Where necessary and appropriate, consent for personal information to be collected, used, and/or transferred may also be obtained through these same means (including opt-in consent for sensitive personal information).

PwC collects and processes personal information only to the extent that it is compatible with the purposes for which it was collected or subsequently authorized by the data subject. PwC does not retain personal information after it no longer serves the purposes for which it was collected or subsequently authorized. PwC takes reasonable steps to ensure that personal information is accurate, complete, current, and reliable for its intended use.

Accountability for Onward Transfers

Consistent with the DPF Principles, PwC may transfer personal information to third parties, including transfers from one country to another. We will only disclose an individual’s personal information to third parties under one or more of the following conditions:

  • The disclosure is to a third party providing services to PwC, or to the individual, in connection with the operation of our business, and as consistent with the purpose for which the personal information was collected. We maintain written contracts with these third parties and require that these third parties provide at least the same level of privacy protection and security as required by the DPF Principles. To the extent provided by the DPF Principles, PwC remains responsible and liable under the DPF Principles if a third party that it engages to process personal information on its behalf does so in a manner inconsistent with the DPF Principles, unless PwC proves that it is not responsible for the matter giving rise to the damage;
  • With the individual’s permission to make the disclosure;
  • Where required to the extent necessary to meet a legal obligation to which PwC is subject, including a lawful request by public authorities and national security or law enforcement obligations and applicable law, rule, order, or regulation; 
  • Where reasonably necessary for compliance or regulatory purposes, or for the establishment of legal claims.

Individual rights

Individuals whose personal information is covered by this DPF Policy have the right to access the personal information that PwC maintains about them as specified in the DPF Principles. Individuals may contact us to correct, amend or delete such personal information if it is inaccurate or has been processed in violation of the DPF Principles (except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the individual’s privacy, or where the rights of persons other than the individual would be violated). Individuals may also have the right to limit the use and disclosure of their personal information (opt out) under certain circumstances, such as marketing. Requests to access, correct, amend, delete, or limit the use and disclosure of personal information (opt out) may be submitted using our request form.

Security

PwC takes appropriate measures to protect personal information in its possession to ensure a level of security appropriate to the risk of loss, misuse, unauthorized access, disclosure, alteration, and destruction. These measures take into account the nature of the personal information and the risks involved in its processing, as well as best practices in the industry for security and data protection.

Enforcement

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF Principles, PwC commits to resolve complaints about our collection or use of your personal information. Individuals with inquiries or complaints regarding our DPF Policy should first contact PwC's US Privacy Office. PwC has a policy of responding to individuals within forty-five (45) days of an inquiry or complaint.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, PwC commits to refer unresolved complaints concerning our handling of personal information received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to the International Centre for Dispute Resolution/American Arbitration Association (“ICDR/AAA”), an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://go.adr.org/dpf_irm.html for more information or to file a complaint. The services of ICDR/AAA are provided at no cost to you.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, PwC commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship.

You may have the option to select binding arbitration under the applicable Data Privacy Framework Panel for the resolution of your complaint under certain circumstances. PwC is also subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.

Modifications

PwC may update this DPF Policy at any time by publishing an updated version here, however we will not update this DPF Policy in contravention of the DPF Principles.

Last updated: September, 2024

Follow us