Privacy Statement

View this page in: Hungarian

General information on our data processing activities

PricewaterhouseCoopers Hungary Ltd. (registered office: Bajcsy-Zsilinszky út 78., 1055 Budapest, Hungary, entered in the company register by the Budapest Metropolitan Court as court of registry under Cg. 01-09-961102),

PricewaterhouseCoopers Auditing Ltd. (registered office: Bajcsy-Zsilinszky út 78., 1055 Budapest, Hungary, entered in the company register by the Budapest-Metropolitan Court as court of registry under Cg. 01-09-063022), and

PricewaterhouseCoopers Data Analytics Services Ltd. (registered office: Bajcsy-Zsilinszky út 78., 1055 Budapest, Hungary, entered in the company register by the Budapest-Metropolitan Court as court of registry under Cg. 01-09-947848)

(hereinafter “PwC”, “we”, “us” or “our”) have prepared and updated this privacy statement to comply with the obligation to provide information on our data processing.

Introductory provisions

For the purposes of this privacy statement, personal data is any information relating to an identified or identifiable individual (“data subject”).

PwC is strongly committed to protecting and lawfully processing personal data. This privacy statement, in accordance with the provisions of the GDPR[1] and relevant Hungarian sectoral legislation, in particular Act CXII of 2011 on the Right of Informational Self-Determination and the Freedom of Information, describes for what purpose, on what legal grounds, and how we process personal data, and provides information about the rights of individuals in connection with such processing, and any other circumstances relevant to the data processing.

We may use the personal data obtained by us for specific purposes described in this privacy statement or as stated at the point of collection. In accordance with the principle of purpose limitation, we process data only for specified, explicit and legitimate purposes. We may use the personal data provided to us solely for the purposes stated at the point of collection, or as obvious from the context of the collection and as reasonably expected by the data subject.

Given its activity, PwC processes personal data for numerous purposes, and the means of collection, the lawful basis of processing, and the retention periods for each purpose may differ.

We have extremely strict organisational and IT measures in place to keep the data we process secure. We adhere to internationally recognised security standards, and our information security management system relating to client data is independently certified as complying with the requirements of ISO/IEC 27001:2013. We have a framework of policies, procedures and training in place covering data protection, confidentiality, and data security, and we ensure that our staff continuously improve their privacy awareness through regular data protection training.

We consult other member firms in the PwC network in order to improve the efficiency of our internal privacy and data security procedures, and to bring them into line with the applicable regulations.

We regularly review our internal processes, data processing practices and related documentation.

We also have a Data Protection Officer who monitors the lawfulness of data processing, and serves as a point of contact for data subjects, and for the Hungarian National Authority for Data Protection and Freedom of Information (“NAIH”).

Data Protection Officer:

Name: dr. András Csenterics

Email: hu_dataprotection@pwc.com

Phone: +36 1 461 9100

When collecting and using personal data, our policy is to be transparent about why and how we process personal data. In order to make clear distinction between the data processing activities, this privacy statement contains the related information per processing purpose and activity type.

To find out more about our specific processing activities, please go to the relevant sections of this statement.

[1] Regulation (EU) 2016/678 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

PwC's Academy

Collection of personal data

During or in relation to the provision of the training services of PwC’s Academy, we may process the personal data of personal clients or individuals associated with our corporate clients (e.g. contact persons, employees).

In accordance with the principle of purpose limitation, we ask our clients to share personal data only where it is strictly needed for the purposes of registering for and attending our training courses.

Depending on the type of service, we will process in particular the following personal data.

Participation in training organised within the scope of the Adult Education Act

Pursuant to Section 21 (1) of Act LXXVII of 2013 on Adult Education (“Adult Education Act”), we are required to process the following information in respect of data subjects participating in training that is organised by PwC’s Academy within the scope of the Adult Education Act or Government Decree No. 315/2013 (VIII. 13.) on the Rules of Complex Professional Examination (e.g. “OKJ” training, state-funded training, or any additional type of training for which the training institution has obtained an adult education licence):

  • name, birth name, mother’s name, place of birth, date of birth, sex, nationality, address of place of residence and place of stay, telephone number;
  • for non-Hungarian citizens, legal basis for stay in Hungary, and description and number of residence document;
  • training-related data that concern the participants’ level of education and professional qualifications, language skills, admission into the training programme, evaluation and rating of studies, description of the qualification or other competence acquired through completion of the training, and the venue, date, and result of the examination;
  • the participants’ social security number;
  • other personal data prescribed by the Adult Education Act.

In view of the mandatory nature of the data processing set out in the above section of the Adult Education Act, the legal basis for our data processing in this respect is to comply with a legal obligation to which we are subject.

Training provided as a service

Pursuant to the provisions of Act CLV of 2016 on Official Statistics and Government Decree No. 388/2017 (XII. 13.) on Mandatory Reporting under the National Statistical Reporting Program (“OSAP”), if a data subject participates in training provided by the trainer as a free-market service, to conclude the relevant contract the trainer is required to process data that is indispensable for complying with mandatory statistical reporting requirements, completing Schedule No. 11 to Government Decree No. 93/2002 (V. 5.) on the Registration of Accounting Professionals, and liaising with the data subject, as follows:

  • name, address of place of residence and place of stay, telephone/mobile phone number, and/or email address;
  • labour market status;
  • highest level of education completed;
  • birth name, place of birth, date of birth, and mother’s name for persons without a registration number and required to participate in CPD training.

Corporate clients that provide personal data to us for the purposes of the above training (e.g. personal data of employees participating in the training) qualify as independent data controllers with regard to their own data processing (i.e. before they provide personal data to us), for which PwC cannot be held liable. PwC is solely responsible for its own data processing, from the date on which the personal data are provided to PwC.

Use of personal data

We use personal data for the following purposes:

  • delivering training courses and exams;
  • issuing certificates of completion of the services provided;
  • registration in the training management system;
  • administering, managing and developing our business and services;
  • communication;
  • providing information about trainings, industry updates and insights, invitations to professional events, and promotional materials, if the data subject has consented to receiving such information;
  • organising professional events;

Legal grounds

The legal grounds for our data processing are:

  • when providing training courses (including keeping contact as required), in the case of natural person clients the performance of our agreement concluded with them as data subjects, in the case of non-natural person clients, our legitimate interest related to performing our agreement concluded with them;
  • in respect of the mandatory reporting requirements described above, to comply with a legal obligation to which we are subject;
  • related to administering, managing and developing our business and services, our legitimate interest;
  • in the case of providing information on us and our range of services, including offers, industry updates and insights, and other marketing materials, the data subject’s informed, explicit and voluntary consent.

Additional data processing 1 - Security, quality and risk management activities

In addition to the above, due to the nature of our activities, we also process data in connection with the following:

  • We have security measures in place to protect the personal data we process, which involve detecting, investigating and resolving security threats, and mitigating the consequences of unavoidable threats. Personal data may be processed as part of the security monitoring that we undertake (for example, automated scans to identify harmful emails).
  • We monitor the services provided to clients for quality and risk management purposes, which may involve processing personal data stored in the relevant client file or in digitally stored client materials. We also carry out searches using publicly available sources (such as internet searches, sanctions lists and public registers), which may constitute data processing.

This processing is necessary for us to comply with our legal obligations, including data protection and confidentiality, to identify heightened risk individuals and organisations, and check that there are no issues that would prevent us from providing services to a particular client.

Legal grounds

  • This processing is necessary for us to comply with legal obligations, for example, when conducting customer due diligence checks to comply with anti-money laundering regulations.
  • Where we do not have a legal obligation, we have a legitimate interest in processing personal data as necessary to ensure our prudent and economically sustainable operation.

Additional data processing 2 - Complying with any requirement of law, regulation or a professional body of which we are a member, and defending our legal rights

In addition to the above, due to the nature of our activities, we also process personal data in connection with the following:

  • As with any provider of professional services, we are subject to legal and professional obligations. We need to keep records to demonstrate that our services are provided in compliance with our legal and professional obligations, and those records may contain personal data.
  • We are required to disclose data to authorities monitoring the use of state and EU funds, and representatives of such authorities may inspect documentation containing personal data during an audit.
  • As with any legal entity, it is in our vital interest to have the necessary information available in the case of a legal dispute to uphold our legitimate interests and defend our position. This requires the processing of personal data.

This processing of personal data is necessary for us to demonstrate our compliance with professional standards, and to protect and enforce our interests in the event of a legal dispute, including being able to substantiate our legal claims.

Legal grounds

  • This processing is necessary for us to comply with a legal obligation to which we are subject.
  • In the absence of specific legal requirements, for compliance-related data processing, the legal grounds for our processing is our legitimate interest to ensure compliance and the highest level of prudent business operation.
  • In the event of a legal dispute, the grounds for processing is that we have a legitimate interest in enforcing our claims and defending our position.

Data retention

We retain the personal data processed by us for as long as strictly necessary for the purpose for which it was collected.

As part of that process:

  • If a mandatory retention period is prescribed by law for a given activity, personal data will be retained until the expiry of the statutory retention period. We note in this respect that training providers are obliged to retain personal data for five years, in accordance with the Adult Education Act.

In the absence of other specific legal, regulatory or contractual requirements, our retention period for personal data follows the statutory limitation period prescribed by law. Data that must be kept until the expiry of the limitation period under tax law is retained for a maximum of seven years, and data that is necessary for fulfilling accounting obligations is retained for a maximum of eight years. If neither of the above categories is applicable, the retention period will follow the general limitation period under civil law (five years).

View more

Business contacts

Collection of personal data

PwC processes business contact details of existing and potential PwC clients and/or individuals associated with them for the purposes, based on the legal grounds and using the methods set out below.

Business contact details are collected and stored in the Salesforce customer relationship management system (“PwC CRM”). The collection of personal data about contacts and the addition of that personal data to the PwC CRM is in some cases done manually (e.g. by a PwC employee receiving a business card with contact details from a client) or such data are automatically uploaded from newsletter, event or training registration forms completed by the data subject, from email correspondence, or from calendaring systems used by PwC.

The data collected include

  • the data subject’s name,
  • the employer’s name,
  • the data subject’s title,
  • telephone number,
  • email address, and
  • other business contact details.

Use of personal data

Personal data listed in this section may be used for the following purposes:

  • providing professional services;
  • making offers for specific professional services;
  • administering, managing and developing our businesses and services;
  • performing analytics, including producing metrics, such as on relationship maps, sales intelligence and progress against business goals;

Legal grounds

  • If we are under a contract to provide professional services, in the case of our natural person clients the legal grounds of the data processing is fulfilling our contract concluded with the subject, while in the case of non-natural clients, the legal grounds is our legitimate interests related to meeting our contractual obligations.
  • The legal grounds for processing in the PwC CRM system (including making offers, administering, managing and developing our business, and performing analytics) is that the processing is necessary for the purposes of the legitimate interests pursued by us in providing our services, like most multinational company groups, through a single interface, ensuring efficient information flow between member firms, and in accordance with clients’ needs for cross-border services. To ensure that processing is done lawfully, prior to commencing such processing PwC undertook a balancing test to assess whether its legitimate interest described above overrides the impact of such processing on the fundamental rights and freedoms of the data subjects. The balancing test involved an assessment of all essential elements of processing, including the safeguards and security measures applied. As a result of the balancing test, PwC has established that the rights of the data subjects do not override its identified legitimate interests, and therefore processing on the grounds of such legitimate interests may be performed lawfully (subject to the application of appropriate security and legal safeguards).

Data transfers

As a result of the operational specificities of the PwC CRM, the information in the PwC CRM may also be accessed by employees of PwC member firms other than the PwC member firm that collected the personal data. This may necessitate cross-border data transfers, including the transfer of personal data outside the European Union.

We apply additional safeguards as required by the GDPR when transferring personal data to a third country. There are contractual arrangements in place for such purposes between the members of the PwC network that are in line with the European Commission approved standard contractual clauses on the transfer of personal data, ensuring appropriate protection of personal data in all cases where a PwC member firm receiving such data is located in a country outside the EU.

Data retention

We retain the personal data processed by us for as long as strictly necessary for the purpose for which it was collected.

As part of that process:

  • Personal data will be retained in the PwC CRM for as long as the business relationship between PwC and the client exists or as long as such data must be retained for any of the above purposes (e.g. for as long as we have, or need to keep a record of, a relationship with a business contact).
  • If a mandatory retention period is prescribed by law for a given activity, personal data will be retained until the expiry of the statutory retention period.

In the absence of other specific legal, regulatory or contractual requirements, our retention period for personal data follows the statutory limitation period prescribed by law. Data that must be kept until the expiry of the limitation period under tax law is retained for a maximum of seven years, and data that is necessary for fulfilling accounting obligations is retained for a maximum of eight years. If neither of the above categories is applicable, the retention period will follow the general limitation period under civil law (five years).

View more

Individuals associated with our corporate clients

Collection of personal data

In the interest of providing our professional services we may collect personal data of individuals associated with our corporate clients (e.g. employees or representatives of such clients).

In accordance with the principle of purpose limitation, we ask data subjects who may come into contact with us only to share personal data with us where it is relevant and strictly necessary for the purposes of communicating with them or managing our relationship with the client.

Depending on the type of service, we may collect in particular the following personal data:

  • name,
  • position,
  • email address,
  • phone number.

We note that corporate clients that provide personal data to us for the purposes of providing our professional services (e.g. personal data of contact persons) qualify as independent data controllers with regard to their own data processing (i.e. before they provide personal data to us), for which PwC cannot be held liable. PwC is solely responsible for its own data processing, from the date on which the personal data are provided to PwC.

Use of personal data

Personal data listed in this section may be used for the following purposes:

  • providing professional services;
  • administering, managing and developing our business and services;
  • managing our relationship with clients.

Legal grounds

The processing takes place based on the following legal grounds:

  • regarding the data processing in connection with our contractual obligations to corporate clients, our legitimate interest related to fulfilling said obligations;
  • regarding the legal obligations applicable to us set forth in the law, performing said obligations;
  • regarding administering, managing and developing our business and services, our legitimate interest related thereto.

Additional data processing 1 - Security, quality and risk management activities

In addition to the above, due to the nature of our activities, we also process data in connection with the following:

  • We have security measures in place to protect the personal data we process, which involve detecting, investigating and resolving security threats, and mitigating the consequences of unavoidable threats. Personal data may be processed as part of the security monitoring that we undertake (for example, automated scans to identify harmful emails).
  • We monitor the services provided to clients for quality and risk management purposes, which may involve processing personal data stored in the relevant client file or in digitally stored client materials. We also carry out searches using publicly available sources (such as internet searches, sanctions lists and public registers), which may constitute data processing.

This processing is necessary for us to comply with our legal obligations, including data protection and confidentiality, to identify heightened risk individuals and organisations, and check that there are no issues that would prevent us from providing services to a particular client.

Legal grounds

  • This processing is necessary for us to comply with legal obligations; for example, when conducting customer due diligence checks to comply with anti-money laundering regulations.
  • Where we do not have a legal obligation, we have a legitimate interest in processing personal data as necessary to ensure our prudent and economically sustainable operation.

Additional data processing 2 - Complying with any requirement of law, regulation or a professional body of which we are a member, and defending our legal rights

In addition to the above, due to the nature of our activities, we also process data in connection with the following:

  • as with any provider of professional services, we are subject to legal, regulatory and professional obligations. We need to keep records to demonstrate that our services are provided in compliance with our legal and professional obligations, and those records may contain personal data.
  • Representatives of authorities may inspect documentation containing personal data during an administrative audit.
  • As with any legal entity, it is in our vital interest to have the necessary information available in the case of a legal dispute to uphold our legitimate interests and defend our position. This requires the processing of personal data. Processing by us for such purposes may include the recording of phone call conversations (including in particular conference calls) with our clients to facilitate subsequent retrieval of such conversations and properly document the matter concerned.

This processing of personal data is necessary for us to demonstrate our compliance with professional standards, and to protect and enforce our interests in the event of a legal dispute, including being able to substantiate our legal claims.

Legal grounds

  • This processing is necessary for us to comply with a legal obligation to which we are subject.
  • In the absence of specific legal requirements, for compliance-related data processing, the legal grounds for our processing is our legitimate interest to ensure compliance and the highest level of prudent business operation.
  • In the event of a legal dispute, the grounds for processing is that we have a legitimate interest in enforcing our claims and defending our position.

Data retention

We retain the personal data processed by us for as long as strictly necessary for the purpose for which it was collected.

As part of that process:

  • If a mandatory retention period is prescribed by law for a given activity, personal data will be retained until the expiry of the statutory retention period.

In the absence of other specific legal, regulatory or contractual requirements, our retention period for personal data follows the statutory limitation period prescribed by law. Data that must be kept until the expiry of the limitation period under tax law is retained for a maximum of seven years, and data that is necessary for fulfilling accounting obligations is retained for a maximum of eight years. If neither of the above categories is applicable, the retention period will follow the general limitation period under civil law (five years).

View more

Personal clients

Collection of personal data

During the provision or in relation to the provision of our professional services to personal clients we process personal data of such clients.

In accordance with the principle of purpose limitation, we ask data subjects who may come into contact with us only to share personal data with us where it is relevant and strictly needed for the purposes of communicating or managing our relationship with them.

Where we need to process such personal data to provide our services, we ask our clients to provide the necessary information regarding its use to other data subjects concerned (such as e.g. family members in the case of preparing personal income tax returns).

Given the diversity of the services we provide to personal clients (click here for information on our services), we process many categories of personal data, including in particular the following, as appropriate for the services we are providing:

  • contact details;
  • business activities;
  • family information, where relevant to the provision of our services;
  • income, taxation and other financial-related details;
  • investments and other financial interests;
  • health-related information.

Use of personal data

We use personal data for the following purposes:

  • providing professional services,
  • administering, managing and developing our businesses and services,
  • managing our relationship with clients,
  • organising professional events,
  • providing information, industry updates and insights, invitations to professional events, and promotional materials, if the data subject has consented to receiving such information.

Legal grounds

This processing is necessary for us

  • to meet our contractual obligations to personal clients,
  • to comply with the legal obligations to which we are subject,
  • when administering, managing and developing our business and services, our legitimate interest related thereto,
  • when providing information on us and our range of services, including offers, industry updates and insights, and other marketing materials, the data subject’s informed, explicit and voluntary consent.

Additional data processing 1 - Security, quality and risk management activities

In addition to the above, due to the nature of our activities, we also process data in connection with the following:

  • We have security measures in place to protect the personal data we process, which involve detecting, investigating and resolving security threats, and mitigating the consequences of unavoidable threats. Personal data may be processed as part of the security monitoring that we undertake (for example, automated scans to identify harmful emails).
  • We monitor the services provided to clients for quality and risk management purposes, which may involve processing personal data stored in the relevant client file or in digitally stored client materials. We also carry out searches using publicly available sources (such as internet searches, sanctions lists and public registers), which may constitute data processing.

This processing is necessary for us to comply with our legal obligations, including data protection and confidentiality, to identify heightened risk individuals and organisations, and check that there are no issues that would prevent us from working with a particular client.

Legal grounds

  • This processing is necessary for us to comply with a legal obligation; for example, when conducting customer due diligence checks to comply with anti-money laundering regulations.
  • Where we do not have a legal obligation, we have a legitimate interest in processing personal data as necessary to ensure our prudent and economically sustainable operation.

Additional data processing 2 - Complying with any requirement of law, regulation or a professional body of which we are a member, and defending our legal rights

In addition to the above, due to the nature of our activities, we also process data in connection with the following:

  • as with any provider of professional services, we are subject to legal, regulatory and professional obligations. We need to keep records to demonstrate that our services are provided in compliance with our legal and professional obligations, and those records may contain personal data.
  • Representatives of authorities may inspect documentation containing personal data during an administrative audit.
  • As with any legal entity, it is in our vital interest to have the necessary information available in the case of a legal dispute to uphold our legitimate interests and defend our position. This requires the processing of personal data. Processing by us for such purposes may include the recording of phone call conversations (including in particular conference calls) with our clients to facilitate subsequent retrieval of such conversations and properly document the matter concerned.

This processing of personal data is necessary for us to demonstrate our compliance with professional standards, and to protect and enforce our interests in the event of a legal dispute, including being able to substantiate our legal claims.

Legal grounds

  • This processing is necessary for us to comply with a legal obligation to which we are subject.
  • In the absence of specific legal requirements, for compliance-related data processing, the legal grounds for our processing is our legitimate interest to ensure compliance and the highest level of business operation.
  • In the event of a legal dispute, the grounds for processing is that we have a legitimate interest in enforcing our claims and defending our position.

Data retention

We retain the personal data processed by us for as long as strictly necessary for the purpose for which it was collected.

As part of that process:

  • If a mandatory retention period is prescribed by law for a given activity, personal data will be retained until the expiry of the statutory retention period.
  • In the absence of other specific legal, regulatory or contractual requirements, our retention period for personal data follows the statutory limitation period prescribed by law. Data that must be kept until the expiry of the limitation period under tax law is retained for a maximum of seven years, and data that is necessary for fulfilling accounting obligations is retained for a maximum of eight years. If neither of the above categories is applicable, the retention period will follow the general limitation period under civil law (five years).

View more

Individuals who use our applications

In some cases, we may provide external users access to various applications and systems managed by us.

Such applications will contain their own privacy statements explaining why and how personal data is collected and processed by those applications. We encourage users of our applications to refer to the privacy statements available in those applications.

View more

Individuals whose personal data we obtain in connection with providing services

Collection of personal data

For certain services or activities, we may process information and documents (e.g. as part of an audit of an organisation) that may contain the personal data of individuals not directly associated with our corporate clients. We may obtain personal data from our clients or from a third party acting on the instructions of the relevant client.

We note that corporate clients who provide personal data to us for the purposes of providing our services qualify as independent data controllers with regard to their own data processing (i.e. before they provide personal data to us), for which we cannot be held liable. PwC is solely responsible for its own data processing, from the date on which the personal data are provided to PwC.

For the above purposes, we process many categories of personal data, including:

  • contact details;
  • business activities of individuals;
  • information about representatives and employees;
  • payroll and other financial details relating to individuals;
  • investments and other financial interests relating to individuals.

Use of personal data

We use personal data for the following purposes:

  • Providing professional services;
  • Administering, managing and developing our businesses and services;
  • Managing our relationship with clients.

Legal grounds

The legal grounds for our processing comprise

  • for personal data obtained by us in connection with fulfilling our contractual obligations to a corporate client, our legitimate interests in fulfilling such obligations,
  • for personal data obtained by us in connection with fulfilling our contractual obligations to a personal client as a data subject, to fulfil such obligations,
  • regarding our data processing related to complying with legal obligations, to comply with a specific legal obligation set forth in law, to which we are subject,
  • regarding administering, managing and developing our business and services, our legitimate interest related thereto.

Additional data processing 1 - Security, quality and risk management activities

In addition to the above, due to the nature of our activities, we also process data in connection with the following:

  • We have security measures in place to protect the personal data we process, which involve detecting, investigating and resolving security threats, and mitigating the consequences of unavoidable threats. Personal data may be processed as part of the security monitoring that we undertake (for example, automated scans to identify harmful emails).
  • We monitor the services provided to clients for quality and risk management purposes, which may involve processing personal data stored in the relevant client file or in digitally stored client materials. We also carry out searches using publicly available sources (such as internet searches, sanctions lists and public registers), which may constitute data processing.

This processing is necessary for us to comply with our legal obligations, including data protection and confidentiality, to identify heightened risk individuals and organisations, and check that there are no issues that would prevent us from providing services to a particular client.

Legal grounds

  • This processing is necessary for us to comply with a legal obligation; for example, when conducting customer due diligence checks to comply with anti-money laundering regulations.
  • Where we do not have a legal obligation, we have a legitimate interest in processing personal data as necessary to ensure our prudent and economically sustainable operation.

Additional data processing 2 - Complying with any requirement of law, regulation or a professional body of which we are a member, and defending our legal rights

In addition to the above, due to the nature of our activities, we also process data in connection with the following:

  • as with any provider of professional services, we are subject to legal, regulatory and professional obligations. We need to keep records to demonstrate that our services are provided in compliance with our legal and professional obligations, and those records may contain personal data.
  • Representatives of authorities may inspect documentation containing personal data during an administrative audit.
  • As with any legal entity, it is in our vital interest to have the necessary information available in the case of a legal dispute to uphold our legitimate interests and defend our position. This requires the processing of personal data. Processing by us for such purposes may include the recording of phone call conversations (including in particular conference calls) with our clients to facilitate subsequent retrieval of such conversations and properly document the matter concerned.

This processing of personal data is necessary for us to demonstrate our compliance with professional standards, and to protect and enforce our interests in the event of a legal dispute, including being able to substantiate our legal claims.

Legal grounds

  • This processing is necessary for us to comply with a legal obligation to which we are subject.
  • In the absence of specific legal requirements, for compliance-related data processing, the legal grounds for our processing is our legitimate interest to ensure compliance and the highest level of business operation.
  • In the event of a legal dispute, the grounds for processing is that we have a legitimate interest in enforcing our claims and defending our position.

Data retention

We retain the personal data processed by us for as long as strictly necessary for the purpose for which it was collected. As part of that process:

  • If a mandatory retention period is prescribed by law for a given activity, personal data will be retained until the expiry of the statutory retention period.

In the absence of other specific legal, regulatory or contractual requirements, our retention period for personal data follows the statutory limitation period prescribed by law. Data that must be kept until the expiry of the limitation period under tax law is retained for a maximum of seven years, and data that is necessary for fulfilling accounting obligations is retained for a maximum of eight years. If neither of the above categories is applicable, the retention period will follow the general limitation period under civil law (five years).

View more

Others who get in touch with us

Collection of personal data

We collect personal data when an individual gets in touch with us with a question, complaint, comment or feedback.

These data are as follows:

  • name,
  • contact details,
  • contents of the communication (which may also include information qualifying as personal data).

In these cases, the individual is in control of the personal data shared with us. We ask you to share personal data with us only where in your view it is strictly needed for the purposes of responding to the question or comment, or investigating the complaint concerned.

Use of personal data

We use personal data for the following purposes:

  • answering questions;
  • handling complaints;
  • establishing contact and liaising in connection with the above.

Legal grounds

The legal grounds for such processing by us is that the processing is necessary for the purposes of the legitimate interests pursued by us in providing, as soon as reasonably possible, an informative response to individuals who get in touch with us but are not in a direct contractual relationship with us.

Data retention

We retain the personal data processed by us for as long as strictly necessary for the purpose for which it was collected.

As part of that process:

  • We process personal data in relation to questions or complaints received by us until successful completion of the communications established on the basis of such questions or complaints, that is until the complaint is finally resolved or the question is successfully answered.

If in our view the communications conducted in response to a complaint or question contain information that may subsequently be required in pursuing a legal claim, the retention period will follow the general limitation period under civil law (five years).

View more

Recruitment applicants

When applying online for a position at PwC via the PwC careers website, applicants should refer to the information made available when applying for a job for details about why and how we process their personal data, and about the rights of individuals in connection with such processing.

For more details about our recruitment processes, please visit our career page.

View more

Alumni Programme

PwC Hungary has created an Alumni Programme for former employees who now pursue their careers at other organisations and companies. Applicants to the Alumni Programme become members of our Alumni Club, and will receive the latest information on PwC’s initiatives, networking activities and events. The purpose of providing this information is to maintain relationships with former colleagues.

When registering for the PwC Alumni Programme, applicants must accept the following terms and conditions for data protection before their registration is finalised.

Collection of personal data

In order to register for the Alumni Programme you have to provide us with the following data:

  • name,
  • email address,
  • alumni details (line of service, industry),
  • current business details (position, company name, industry, office email address),
  • portrait photo.

Use of personal data

Personal data provided in connection with the Alumni Programme will be used for the following purposes:

  • sending information about Alumni events,
  • publishing news about our firm and former employees in the Alumni newsletter;
  • providing information about our latest initiatives.

Legal grounds

As applications for the Alumni Programme are submitted on a voluntary basis, the legal grounds for data processing is the applicant’s fully informed, voluntary and explicit consent.

Changes in personal details, termination of membership

If you wish to update the personal information you have given us, please let us know through the Alumni registration page at www.pwc.com/hu/alumni or email us at alumni.hungary@hu.pwc.com

If we are informed about changes in any personal data provided to us, we will make the necessary changes based on the updated information sent to us by the person concerned.

If you would like to check whether your data are up-to-date, please notify us at the above addresses, and we will give you access to your data.

You may ask for your Alumni Club membership to be discontinued by sending an email to alumni.hungary@hu.pwc.com You can request deletion of all personal data we manage about you by sending an email to alumni.hungary@hu.pwc.com which will also result in termination of your Alumni Club membership.

Data retention

We will retain the data you have provided for the period of your Alumni Club membership.

View more

Suppliers (including subcontractors and individuals associated with our suppliers and subcontractors)

Collection of personal data

We collect and process personal data about our suppliers (including subcontractors, and individuals associated with our suppliers and subcontractors) in order to manage the relationship, contract, to receive services from our suppliers and, where relevant, to provide professional services to our clients through the use of subcontractors.

Data processed by us for such purposes include in particular the following:

  • name,
  • title or position at the subcontractor or supplier,
  • email address,
  • phone number,
  • other contact details.

Use of personal data

We use personal data for the following purposes:

  • Receiving services from our subcontractors and suppliers

We process personal data in relation to our suppliers and their staff as necessary to receive the services. For example, where a supplier is providing us with facilities management or other outsourced services, we will process personal data about those individuals who are our appointed contact persons or involved in the provision of the services.

  • Providing professional services to clients

Where a supplier is helping us to deliver professional services to our clients, we process personal data about the individuals involved in providing the services in order to manage our relationship with the supplier and to provide such services to our clients.

If a supplier acts as PwC’s processor, we make sure that it carries out its activities in accordance with a substantially appropriate processing agreement that complies with GDPR requirements, ensuring that such processing is done lawfully.

  • Administering, managing and developing our businesses and services.

Legal grounds

The legal grounds of our data processing our:

  • performing the contracts concluded with our individual (natural person) subcontractors and suppliers;
  • our legitimate interests in performing the contracts concluded with our corporate (non-natural person) subcontractors and suppliers.

Additional data processing 1 - Security, quality and risk management activities

In addition to the above, due to the nature of our activities, we also process data in connection with the following:

  • We have security measures in place to protect the personal data we process, which involve detecting, investigating and resolving security threats, and mitigating the consequences of unavoidable threats. Personal data may be processed as part of the security monitoring that we undertake (for example, automated scans to identify harmful emails).
  • We monitor our suppliers and subcontractors for quality and risk management purposes, which may involve processing personal data. We also carry out searches using publicly available sources (such as internet searches, sanctions lists and public registers), which may constitute data processing.

This processing is necessary for us to comply with our legal obligations, including data protection and confidentiality, to identify heightened risk individuals and organisations, and check that there are no issues that would prevent us from working with a particular supplier or subcontractor.

Legal grounds

  • This processing is necessary for the purposes of complying with a legal obligation to which we are subject; for example with respect to conducting know-your-customer checks.
  • Where we do not have a legal obligation, we have a legitimate interest in processing personal data as necessary to ensure our prudent and economically sustainable operation.

Additional data processing 2 - Complying with any requirement of law, regulation or a professional body of which we are a member, and defending our legal rights

In addition to the above, due to the nature of our activities, we also process data in connection with the following:

  • as with any provider of professional services, we are subject to legal, regulatory and professional obligations. We need to keep records to demonstrate that our services are provided in compliance with our legal and professional obligations, and those records may contain personal data.
  • Representatives of authorities may inspect documentation containing personal data during an administrative audit.
  • As with any legal entity, it is in our vital interest to have the necessary information available in the case of a legal dispute to uphold our legitimate interests and defend our position. This requires the processing of personal data. Processing by us for such purposes may include the recording of phone call conversations (including in particular conference calls) with our suppliers and subcontractors to facilitate subsequent retrieval of such conversations and properly document the matter concerned.

This processing of personal data is necessary for us to demonstrate our compliance with professional standards, and to protect and enforce our interests in the event of a legal dispute, including being able to substantiate our legal claims.

Legal grounds

  • This processing is necessary for us to comply with a legal obligation to which we are subject.
  • In the absence of specific legal requirements, for compliance-related data processing, the legal grounds for our processing is our legitimate interest to ensure compliance and the highest level of business operation.
  • In the event of a legal dispute, the grounds for processing is that we have a legitimate interest in enforcing our claims and defending our position.

Data retention

We retain the personal data processed by us for as long as strictly necessary for the purpose for which it was collected.

As part of that process:

  • If a mandatory retention period is prescribed by law for a given activity, personal data will be retained until the expiry of the statutory retention period.

In the absence of other specific legal, regulatory or contractual requirements, our retention period for personal data follows the statutory limitation period prescribed by law. Data that must be kept until the expiry of the limitation period under tax law is retained for a maximum of seven years, and data that is necessary for fulfilling accounting obligations is retained for a maximum of eight years. If neither of the above categories is applicable, the retention period will follow the general limitation period under civil law (five years).

View more

Visitors to our offices

We have security measures in place at our office building, including CCTV and building access controls operated by the facility manager of the building. We neither have access to, nor control or process personal data of visitors.

For more information, please contact the facility managing entity, that processes such data.

View more

Visitors to PwC events (excluding PwC’s Academy events)

Collection of personal data

To ensure the successful organisation of our events, we process, in particular, the following personal data:

  • name,
  • function, title,
  • email address,
  • phone number,
  • other contact details,
  • portrait photo or video.

Use of personal data

Personal data may be used for the following purposes:

  • organising the event (registration, preparing presentation materials, etc.);
  • developing our business and services;
  • identifying clients, performing analytics such as on market trends, relationships maps or sales opportunities;
  • providing information about us, our range of services, and events organised by us, e.g. in the form of newsletters, subject to the data subject’s consent.

Legal grounds

The legal grounds for our processing comprise

  • the data subject’s explicit, voluntary and informed consent in connection with applying for and participating at events;
  • the legitimate interests pursued by us in developing our business and preparing analyses;
  • the data subject’s explicit, voluntary and informed consent in connection with providing information about us, our range of services, and events organised by us.

Data retention

Personal data that are strictly needed for organising an event will be retained until the event is successfully completed.

Where a participant has consented to continue to receive from us further information about our company, services and events, the data will be processed until such consent is withdrawn.

View more

Visitors to our website

Collection of personal data

Visitors to our websites are not required to provide any personal data or information on the public areas of our websites or to register to gain access to areas of these websites. Certain areas of our websites, e.g. pages that contain confidential information, are only accessible with a user name and password that can be obtained through registration. In these cases, data are processed for the purpose of providing access to specific content, and on the legal grounds of the data subject’s explicit, freely given and informed consent.

Visitors to these areas of our website may choose to provide contact information (such as name, position, office held, email address and telephone number) in order to contact us for further information, order publications, register for events and conferences or participate in our “join our mailing list” initiatives. For the purposes and legal grounds for such processing, please see the relevant sections of this privacy statement.

Should you later wish to unsubscribe from our mailing list or cancel any registration on our website, we will provide instructions on the appropriate web page, in our communication to you, or you may email us at hu_dataprotection@pwc.com

Use of personal data

Data obtained through our website are processed for the following purposes:

  • registering for access to specific website content;
  • ordering publications or subscribing to news and updates;
  • enquiring for further information, asking questions, making complaints;
  • registering for events and conferences;
  • participating in “join our mailing list” initiatives,
  • submitting curriculum vitae for a job application;
  • administration and management of our website

Legal grounds

The legal grounds for our processing comprise

  • the data subject’s explicit, freely given and informed consent in connection with registering to access specific website content, subscribing to newsletters, signing up for events, ordering publications and other materials for professionals,
  • the legitimate interests pursued by us in processing data to administer our website,
  • the legal grounds for data processing in connection with submitting curriculum vitae and applying for jobs are detailed in our specific job application privacy notice.

Data retention

Personal data collected via our websites will be retained by us for as long as strictly necessary for the purpose it was collected (e.g. as long as we have a relationship with the relevant individual) or as long as required by law.

As part of that process:

  • Contact information about visitors (such as personal data provided through registration for access to areas on the site) will be kept as long as the information is required to completely service the contact request or until the user requests that we delete that information. Mailing list emails and data are kept only for the period necessary to facilitate the visitor’s requests.
  • Should you choose to unsubscribe from mailing lists or any registrations, we will provide instructions on the appropriate web page or in communications to you, or you may contact us by email to hu_dataprotection@pwc.com
  • If in our view the personal data we hold for the purposes of a specific processing may subsequently be required in pursuing a legal claim, the retention period will follow the general limitation period under civil law (five years).
  • For information on the retention of CVs, please see our relevant specific job application privacy notice.

Data collection for marketing purposes, profiling, remarketing

Our websites do not collect or compile personal data for the dissemination or sale to third parties for consumer marketing purposes or host mailings on behalf of third parties. We do not conduct any profiling. If there is an instance where personal information may be shared with a party that is not a PwC member firm, visitors will be asked for their consent beforehand.

PwC uses third party vendor remarketing tracking cookies, including the Google Adwords tracking cookie.

Google, whose services we use will place cookies in web browsers that visitors use for accessing our website in order to serve ads based on past visits to our website. This allows us to make special offers and continue to market our services to those who have shown interest in them.

You can opt out of Google’s use of cookies by visiting Google’s Ads Settings. Alternatively, you can opt out of a third-party vendor’s use of cookies by visiting the Network Advertising Initiative opt-out page.

Using DoubleClick’s remarketing pixels – PwC may use DoubleClick’s remarketing pixels. You can opt out of DoubleClick’s use of cookies by visiting the DoubleClick opt-out page or the Network Advertising Initiative opt-out page.

Links to other websites

There are places at our website that may link to other websites that do not operate under our or pwc.com’s privacy practices. When you link to other websites, PwC’s privacy practices no longer apply. We have no control over any third-party website, and the operator of that website will be regarded as the controller.

We encourage visitors to review each site’s privacy statement before disclosing any personally identifiable information.

Website analytics

Although it does not involve the processing of data, we note that we use Google Analytics and Adobe Analytics systems for collecting visitors’ data related to the website.

Such data is not related to individuals and cannot be identified individually.

In order to allow users to dispose of the collected data, both systems offer the possibility to unsubscribe from data collection:

Cookies

For more information on cookies, please click here for our cookie policy.

View more

Newsletter registrants

We ask individuals registering for our newsletters to give their consent, in accordance with the provisions of Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities, to receiving electronic communication from entities within the PwC network. You have the right to withdraw your consent at any time. Every email we send you will include a one-click unsubscribe link so you can leave the mailing list at any time.

Use of personal data

Your personal data may be used for the following purposes:

  • providing you with the newsletter you have subscribed for;
  • providing information to you about us, our range of services and events;
  • business development, managing our relationship with clients

Legal grounds

  • Our legal grounds for data processing related to newsletters and other informative materials is the data subject’s explicit, freely given and informed consent;
  • regarding developing our business and managing our relationship with clients, the legal grounds for data processing is our legitimate interest related thereto.

Data retention

We retain your personal data as part of the data processing discussed in this section for as long as strictly necessary for the purpose for which it was collected, or until you withdraw your consent.

We note that consent is voluntary, and refusal to give consent will not put you at a disadvantage. However, as certain personal data are strictly necessary for accessing some services and information, refusing to provide the required data may result in that service or information not being available to you.

View more

Transferring data, making available personal data held

We will only share personal data with third parties when we are legally permitted to do so. When we share personal data with others, we put contractual arrangements and security mechanisms in place as appropriate to protect the data and to comply with both the legal requirements and our internal data protection, confidentiality and security standards, as well as the relevant professional standards.

We are part of PwC’s global network of firms and in common with other professional service providers, we use third parties located in other countries to help us run our business. As a result, personal data may be transferred and become available outside the countries where we and our clients are located.

Cross-border transfers may include transfers to countries outside the European Union (“EU”) and to countries that do not have laws that provide the level of protection for personal data expected by the EU. We have taken steps to ensure all personal data are provided with adequate protection as required by the EU also in cases in which personal data is transferred outside the EU. Where we transfer personal data outside of the EU to a country not determined by the European Commission as providing an adequate level of protection for personal data, the transfers will be under an agreement which covers the EU requirements for the transfer of personal data outside the EU, such as the European Commission approved standard contractual clauses.

In certain cases, the recipient to whom the personal data are transferred will act as data controller, as it will determine the purpose of processing independently. This may be the case when our services provided to clients involve the services of other PwC member firms, where these member firms determine their own policies for providing their services.

In other cases, the recipient may act as PwC’s data processor, as it will not determine the purpose and method of processing by itself, but rather follows PwC’s documented instructions. For example, an IT services company may provide us services by processing data based on our instructions (e.g. data storage), or we may transfer data to an external event organiser for the sole purpose of facilitating the technical organisation of an event. If the recipient acts as PwC’s data processor, we make sure that it carries out its activities in accordance with a substantially appropriate processing agreement that complies with GDPR requirements, ensuring that such processing is done lawfully.

Personal data held by us may be transferred to:

  • Other PwC member firms;

For details of our member firm locations, please click here. We may share personal data with other PwC member firms where necessary for administrative purposes and to provide professional services to our clients (e.g. when providing services involving advice from PwC member firms in different territories). Our business contacts are visible to and may be used by PwC member firms to learn more about a client (please see the Business contacts section of this privacy statement for more information about our processing of this type of data).

  • Third-party organisations that provide applications, IT or other services to us.

For example, providers of information technology, cloud-based software infrastructure providers, identity management, website hosting and management, data analysis, data backup, security and storage services.

  • Third-party organisations that otherwise assist us in providing goods, services or information (e.g. subcontractors contributing to the provision of professional advice, event organisers);
  • Auditors, insurers and professional advisers;
  • Correspondent law firms, member firms of the PwC Legal network in particular;
  • Courts, law enforcement or other government and professional agencies or other third parties as required by, and in accordance with, applicable law or regulation.

We will only fulfil requests for transferring personal data where we are permitted to do so in accordance with applicable laws.

Changes to this privacy statement

We recognise that transparency and ensuring lawful processing is an ongoing responsibility so we will review this privacy statement annually.

We reserve the right to modify or amend this privacy statement at any time.

We will communicate any significant changes to this privacy statement by means of specific notification.

Data controllers and contact information

For the purposes of data processing covered by this privacy statement, the data controller is:

PricewaterhouseCoopers Hungary Ltd. (registered office: Bajcsy-Zsilinszky út 78., 1055 Budapest, Hungary, entered in the company register by the Budapest Metropolitan Court as court of registry under Cg. 01-09-063022)

PricewaterhouseCoopers Auditing Ltd. (registered office: Bajcsy-Zsilinszky út 78., 1055 Budapest, Hungary, entered in the company register by the Budapest Metropolitan Court as court of registry under Cg. 01-09-961102)

PricewaterhouseCoopers Data Analytics Services Ltd. (registered office: Bajcsy-Zsilinszky út 78., 1055 Budapest, Hungary, entered in the company register by the Budapest Metropolitan Court Court as court of registry under Cg. 01-09-947848)

Given the organisational structure of the PwC group in Hungary and the distribution of administrative and operative functions between the individual companies, PricewaterhouseCoopers Hungary Ltd., PricewaterhouseCoopers Auditing Ltd., and PricewaterhouseCoopers Data Analytics Services Ltd. may, in certain cases, act as joint data controllers. In such cases, data controllers will clearly agree among themselves on their obligations and responsibilities.

If you have any questions about this privacy statement or how and why we process personal data, or you wish to exercise your rights detailed below, please contact us via our website or:

E-mail: hu_dataprotection@pwc.com

Phone: +36 1 461 9100

Data Protection Officer: dr. András Csenterics

What rights do you have as a data subject in relation to data processed by PwC?

You may request access to and rectification or erasure of your personal data or, in certain cases, restriction of processing, and may object to the processing of personal data. You have the right to data portability, the right to file a complaint with the supervisory authority, and the right to judicial remedy, or in the case of automated individual decision-making, you have the right not to be subject to the decision, and the right to obtain human intervention.

Where the processing is based on the data subject’s consent, you have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

Right of access

You have the right to obtain information at any time about whether PwC processes personal data about you, the means and purposes for which the data are processed, the recipients to whom the personal data have been disclosed, the source from which PwC has obtained the personal data, the period for which the personal data are processed, and information on automated decision-making and profiling, and in the case of transfer to third countries and international organisations, information on related additional safeguards. When exercising your right of access, you also have the right to receive a copy of your personal data; in the case of a request filed electronically, unless otherwise noted, PwC will provide the requested information electronically (in PDF format).

If your right of access adversely affects the rights or freedoms of others, including trade secrets or intellectual property, PwC is entitled to refuse to act on your request to the necessary and proportionate extent. If you request the above information in additional copies, PwC will charge you a reasonable fee that is proportionate to the administrative costs incurred in preparing any additional copies, which is HUF 20 per page.

Right to rectification

You have the right to request PwC to amend or rectify your personal data where it is inaccurate. If there is any doubt regarding the data to be amended, PwC may request you to verify the data by any appropriate means (primarily by means of an official document). If PwC has disclosed the personal data concerned to other persons (recipients such as processors), PwC will communicate any rectification of personal data to each recipient to whom the data have been disclosed, unless this proves impossible or involves disproportionate effort. PwC will inform you about these recipients if you request it.

Right to erasure (“right to be forgotten”)

If you request PwC to erase any or all of your personal data, PwC will erase the personal data concerned without undue delay if:

  • PwC no longer needs the personal data for the purposes for which they were collected or otherwise processed;
  • you withdraw your consent on which the processing is based, and there is no other legal ground for the processing;
  • the data processing was carried out on grounds of the legitimate interests of PwC or a third party, but you objected to the processing, and there are no overriding legitimate grounds for the processing (unless the personal data are processed for direct marketing purposes, where this condition need not be met);
  • PwC has unlawfully processed the personal data or the personal data have to be erased for compliance with a legal obligation.

If PwC has disclosed the personal data concerned to other persons (recipients such as processors), PwC will communicate any erasure of personal data to each recipient to whom the data have been disclosed, unless this proves impossible or involves disproportionate effort. PwC will inform you about these recipients if you request it.

PwC’s obligation to erase the personal data will not apply to the extent that processing is necessary for the establishment, exercise or defence of legal claims.

Right to restriction of processing

You may request restriction of processing of your personal data in the following cases:

  • you contest the accuracy of the personal data, for a period enabling PwC to verify the accuracy of the personal data;
  • the processing is unlawful but you oppose the erasure of the personal data and request the restriction of their use instead;
  • PwC no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims; or
  • you have objected to the processing, pending verification of whether PwC’s legitimate grounds override your rights.

Where processing has been restricted, PwC will, with the exception of storage, only process such personal data with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.

PwC will inform you before the restriction of processing is lifted. If PwC has disclosed the personal data concerned to other persons (recipients such as processors), PwC will communicate any restriction of processing to each recipient to whom the data have been disclosed, unless this proves impossible or involves disproportionate effort. PwC will inform you about these recipients if you request it.

Right to object

If the data processing is carried out on grounds of the legitimate interests of PwC or a third party, you have the right to object to the processing. PwC may refuse to comply with the objection if PwC demonstrates

  • compelling legitimate grounds for the processing which override your interests, rights and freedoms, or
  • for the establishment, exercise or defence of legal claims.

Right to lodge a complaint, and judicial remedy

You have the right to lodge a complaint with a data protection supervisory authority in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that PwC’s processing of your personal data infringes the existing data protection laws, in particular the provisions of the GDPR. In Hungary, you may turn to the Hungarian National Authority for Data Protection and Freedom of Information (“NAIH”).

You may contact NAIH at:

Website: http://naih.hu/

Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.

Mailing address: 1530 Budapest, Pf.: 5.

Phone: +36-1-391-1400

Fax: +36-1-391-1410

E-mail: ugyfelszolgalat@naih.hu

Without prejudice to your right to lodge a complaint, you have the right to judicial remedy. You have the right to judicial remedy also against a legally binding decision of a supervisory authority concerning you. You also have the right to judicial remedy where the supervisory authority does not handle a complaint or does not inform you within three months on the progress or outcome of the complaint you have lodged.

If you wish to exercise any of the above rights (except for lodging a complaint with NAIH or seeking judicial remedy), please email us at hu_dataprotection@pwc.com.

Complaints relating to our use of personal data may be sent by email, with details of your complaint, to data.protection.hu@hu.pwc.com. We will look into and respond within one month to any complaints we receive.

This privacy statement was adopted on 22 May 2018, and revised on 17 May 2019.

Follow us