PwC is the brand under which the member firms of PricewaterhouseCoopers International Limited (PwCIL) operate and provide professional services. Together these firms form the PwC network. The PwC network consists of firms which are separate legal entities which work together to provide quality service offerings for clients throughout the world. Further information about the PwC network’s structure is available here (Note that these firms are collectively referred to as the ‘PwC network’ for the purposes of this Policy and individual firms are referred to as a ‘PwC member firm’)
The PricewaterhouseCoopers IT Services group of entities aims to provide shared technology services to PwC firms in a secure, compliant, efficient and transparent manner. PricewaterhouseCoopers IT Services Limited (“PwC IT Services”) is a UK incorporated company with its registered office in London. PwC IT Services is a separate legal entity owned and sponsored by several PwC firms on behalf of the PwC network, with subsidiaries or legal branches in the countries where it has operations. Those subsidiaries include PricewaterhouseCoopers IT Services (US) LLC (“PwC IT Services US”, “we”, “us” or “our”), a company with its principal place of business located at 4040 W Boy Scout Boulevard, Tampa FL, 33607.
Commonly with all entities in the PwC IT Services group, PwC IT Services US operates shared technology services for the benefit of the PwC network. Those services include hosting services (both on-premise and provisioning of cloud hosting platforms), information security services and application support services. PwC IT Services US does not provide those services directly to PwC clients but only to other members of the PwC network.
PwC IT Services US is a separate legal entity to PricewaterhouseCoopers LLP, the PwC firm (together with its affiliates) based in the United States that provides services to clients. PricewaterhouseCoopers LLP maintains its own separate certification under the Data Privacy Framework, details of which can be found here. Further information regarding PricewaterhouseCoopers LLP, including its privacy policy and Data Privacy Framework policy, can be found via its website.
1.1 Overview
As set forth in PwC's Global Code of Conduct: "We respect the confidentiality and privacy of our clients, our people and others with whom we do business." As a provider of shared IT services to the PwC network, we support the network in this aim through our operation of those services.
PwC IT Services US complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF and the Swiss-US Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. PwC IT Services US has certified to the U.S. Department of Commerce that it adheres to the EU-U.S Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. PwC IT Services US has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (“Swiss-U.S. DPF Principles”) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this DPF Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles (collectively referred to in this DPF Policy as the “DPF Principles”), the DPF Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
1.2 Categories of Information
This DPF Policy applies to personal information within the scope of PwC IT Services US’s DPF certification, which covers the following categories of information:
For the purposes of this DPF Policy, “personal information” means information that is about, or pertains to a specific individual and can be linked either directly or indirectly to that individual. In addition, certain personal information covered by PwC IT Services US’s DPF certification may be subject to more specific privacy policies of PwC member firms, which are also consistent with the requirements of the DPF Principles, and in the case of any conflict between these policies and the DPF Principles, the DPF Principles will control.
For example:
Certain PwC member firm websites maintain their own privacy policies that apply to personal information collected via those sites. These policies may be accessed through those websites. Such information may be processed by PwC IT Services US in order to provide services to the relevant PwC member firm.
Personal information obtained from or relating to clients or former clients of PwC member firms is further subject to the terms of any specific privacy notice provided to the client, any contractual arrangements with the client and applicable laws and professional standards.
Personal information obtained from or relating to PwC Personnel is subject to the terms of any applicable personnel privacy statement or policy, any contractual arrangements with those PwC Personnel and applicable laws and professional standards.
We collect and process personal information from certain individuals and for the purposes described in this DPF Policy. Personal information covered by this DPF Policy is collected and processed only as permitted by the DPF Principles.
Notice to individuals regarding the personal information collected from them and how that information is used may be provided through this DPF Policy, other PwC network website notices, or other direct forms of communication with appropriate parties, such as contracts or agreements. Where necessary and appropriate, consent for personal information to be collected, used, and/or transferred may also be obtained through these same means of communication (including opt-in consent where appropriate). The majority of data processing carried out by PwC IT Services US is at the direction of other PwC member firms and often any such notice and/or consent is controlled and handled by the PwC member firm(s) with PwC IT Services US acting as a data processor.
Consistent with the DPF Principles, PwC IT Services US may transfer personal information to third parties, including transfers from one country to another. We will only disclose an individual’s personal information to third parties under one or more of the following conditions:
The disclosure is to:
as consistent with the purpose for which the personal information was collected. The PwC network maintains written contracts with these third parties and as between all PwC member firms. Those contracts include requirements to provide at least the same level of privacy protection and security as required by the DPF Principles. To the extent provided by the DPF Principles, PwC IT Services US remains responsible and liable under the DPF Principles if a third-party (including a PwC member firm) that it engages to process personal information on its behalf as its agent does so in a manner inconsistent with the DPF Principles, unless PwC IT Services US proves that it is not responsible for the matter giving rise to the damage.
Other than as set out above, PwC IT Services US will disclose personal information only:
With the individual’s permission to make the disclosure;
Where required to the extent necessary to meet a legal obligation to which PwC IT Services US is subject, including a lawful request by public authorities and national security or law enforcement obligations and applicable law, rule, order, or regulation.
Where reasonably necessary for compliance or regulatory purposes, or for the establishment of legal claims.
Individuals whose personal information is covered by this DPF Policy have the right to access the personal information that PwC IT Services US maintains about them as specified in the DPF Principles. Individuals may contact us to correct, amend or delete such personal information if it is inaccurate or has been processed in violation of the DPF Principles (except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the individual’s privacy, or where the rights of persons other than the individual would be violated). Individuals may also have the right to restrict or object to the processing or disclosure of personal data, subject to applicable law.
Requests for access, correction, amendment, deletion, restriction or objection to the processing of data should be sent to the PwC IT Services US Data Protection Officer via email (please refer to the Internal Complaints Mechanism below for further details regarding how to contact us to exercise individuals’ data processing rights).
Alternatively, individuals may contact the PwC member firm with which they have a relationship. Where a request is made in this way, PwC IT Services US will action the request once notified by that member firm and will cooperate with that member firm to fulfill the request.
PwC IT Services US takes appropriate measures to protect personal information in its possession to ensure a level of security appropriate to the risk of loss, misuse, unauthorized access, disclosure, alteration, and destruction. These measures take into account the nature of the personal information and the risks involved in its processing, as well as best practices in the industry for security and data protection.
PwC IT Services US collects and processes personal information only to the extent that it is compatible with the purposes for which it was collected or subsequently authorized by the data subject. PwC IT Services US does not retain personal information after it no longer serves the purposes for which it was collected or subsequently authorized. PwC IT Services US takes reasonable steps to ensure that personal information is accurate, complete, current, and reliable for its intended use.
Note that the majority of data processing carried out by PwC IT Services US is at the direction of other PwC member firms. Therefore the collection and purposes of that data processing is controlled and handled by the PwC member firm(s) with PwC IT Services US acting as a data processor.
7.1 Internal Complaints Mechanism
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, PwC IT Services US commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF should first contact PwC IT Services US at:
Nancy Dickie - Data Protection Officer, PwC IT Services US
Email: gbl_itsco_dpo@pwc.com
Mail: PricewaterhouseCoopers IT Services (US) LLC
4040 W Boy Scout Blvd
Tampa FL, 33607
U.S.A.
Alternatively, you can contact us via PricewaterhouseCoopers IT Services B.V., PwC IT Services’ subsidiary in the Netherlands:
Email: gbl_itsco_dpo@pwc.com
Mail: PricewaterhouseCoopers IT Services B.V.
Thomas R. Malthusstraat 5
1066 JR
PO Box 90351
1006 BJ
Amsterdam
The Netherlands
PwC IT Services US has a policy of responding to individuals within forty-five (45) days of an inquiry or complaint.
Individuals may also contact us via the means outlined above regarding their data rights (i.e. access, correction, deletion, restriction or objection to the processing of data) and we will respond within forty-five (45) days of any such request.
7.2 Independent Recourse Mechanism
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, PwC IT Services US commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to the International Centre for Dispute Resolution/American Arbitration Association ("ICDR-AAA"), an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://go.adr.org/dpf_irm.html for more information or to file a complaint. The services of the ICDR-AAA are provided at no cost to you.
7.3 Binding Arbitration
You may have the option to select binding arbitration for the resolution of your complaint regarding DPF compliance under certain circumstances, where your complaint is not resolved by any of the other DPF mechanisms. For further information, please refer to DPF ANNEX I (introduction) - Binding Arbitration
7.4 Federal Trade Commission
The Federal Trade Commission has jurisdiction over PwC IT Services US’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).
PwC IT Services US may update this DPF Policy at any time by publishing an updated version here. We will not update this DPF Policy in contravention of the DPF Principles so long as we remain certified under the DPF program.
Last updated: 20 October 2023