PwC's Academy
In relation to the provision of the training services of PwC’s Academy, we may process the personal data of private individual clients or individuals associated with our corporate clients (e.g., individuals registered for training by a corporate client).
Depending on the type of service, we will process the following personal data.
Training organised within the scope of the Adult Education Act
Pursuant to Section 21 (1) of Act LXXVII of 2013 on Adult Education (“Adult Education Act”), we are required to process the following information in respect of data subjects participating in training that is organised by PwC’s Academy within the scope of the Adult Education Act, the Act LXXX of 2019 on Vocational Training or Governmental Decree No. 12/2020 (II. 7.) on the Implementation of the Act on Vocational Training (e.g. “OKJ” training, state-funded training, or any additional type of training for which PwC has obtained an adult education licence):
- surname and first name, birth surname and first name, mother’s surname and first name, place and date of birth;
- sex;
- nationality, for non-Hungarian citizens, legal basis for stay in Hungary, and type and number of residence document;
- address, mailing address, email address, telephone number;
- training-related data that concern the participants’ education, qualifications and foreign language skills, entering and completing the training or leaving the training without completion, assessment and qualification during training, training-related payment obligations and the training loan utilised;
- social security number;
- tax identification number.
Training provided as a service
Pursuant to the provisions of Act CLV of 2016 on Official Statistics and Governmental Decree No. 388/2017 (XII. 13.) on Mandatory Reporting under the National Statistical Reporting Program, and also, in the case of the compulsory professional training for accountants, pursuant to the provisions of Governmental Decree No. 93/2002 (V. 5.) on the Registration of Accounting Professionals, if a data subject participates in training provided by PwC as a free-market service, PwC is required to process the following personal data about the participant:
- surname and first name;
- address of place of residence and place of stay;
- telephone/mobile phone number, or email address;
- labour market status;
- highest level of education completed;
- in the case of the compulsory professional training of accounting service providers, the registration number of the person required to complete the training, in the case of those not having such a number, birth surname and first name, place and time of birth and mother’s birth surname and first name.
Use of personal data
We use the personal data for the following purposes:
- organization of training courses and exams;
- issuing certificates of completion of the services provided;
- registration in the training management system;
- keeping contact in relation to training.
Legal grounds
The legal grounds for our data processing are as follows:
- in respect of the mandatory reporting requirements described above, to comply with a legal obligation to which we are subject;
- in respect of personal data outside the scope of mandatory data processing, in the case of private individual clients, the performance of our training agreement concluded with them as data subjects, and in the case of corporate clients, our legitimate interest related to performing our agreement concluded with them.
Additional data processing 1 - Security, quality and risk management activities
In addition to the above, due to the nature of our activities, we also process data in connection with the following:
- We have security measures in place to protect the personal data we process, which involve detecting, investigating and resolving security threats, and mitigating the consequences of unavoidable threats. Personal data may be processed as part of the security monitoring that we undertake (for example, automated scans to identify harmful emails).
- We monitor the services provided to clients for quality and risk management purposes, which may involve processing personal data stored in relation to the training or in digitally stored client materials. We also carry out searches using publicly available sources (such as internet searches, sanctions lists and public registers), which may constitute data processing.
This processing is necessary for us to comply with our legal obligations, including data protection, to identify heightened risk individuals and organisations, and check that there are no issues that would prevent us from providing services to a particular client.
Legal grounds
- This processing is necessary for us to comply with legal obligations, for example, when conducting customer due diligence checks to comply with anti-money laundering regulations.
- Where we do not have a legal obligation, we have a legitimate interest in processing personal data as necessary to ensure our prudent and economically sustainable operation.
Additional data processing 2 - Complying with any requirement of law, regulation or a professional body of which we are a member, and defending our legal rights
In addition to the above, due to the nature of our activities, we also process personal data in connection with the following:
- As with any provider of professional services, we are subject to legal and professional obligations. We need to keep records to demonstrate that our services are provided in compliance with our legal and professional obligations, and those records may contain personal data.
- We are required to disclose data to authorities monitoring the use of state and EU funds, and representatives of such authorities may inspect documentation containing personal data during an audit.
- As with any legal entity, it is in our vital interest to have the necessary information available in the case of a legal dispute to uphold our legitimate interests and defend our position. This requires the processing of personal data.
This processing of personal data is necessary for us to demonstrate our compliance with professional standards, and to protect and enforce our interests in the event of a legal dispute, including being able to substantiate our legal claims.
Legal grounds
- This processing is necessary for us to comply with a legal obligation to which we are subject.
- In the absence of specific legal requirements, for compliance-related data processing, the legal grounds for our processing is our legitimate interest to ensure compliance and the highest level of prudent business operation.
- In the event of a legal dispute, the grounds for processing is that we have a legitimate interest in enforcing our claims and defending our position.
Data retention
We retain the personal data processed by us for as long as strictly necessary for the purpose for which it was collected.
As part of that process:
- If a mandatory retention period is prescribed by law for a given activity, personal data will be retained until the expiry of the statutory retention period. We note in this respect that in the case of training within the scope of the Adult Education Act, training providers are required to retain such data until the last day of the 8th year following the entry into the adult education agreement, in accordance with Section 21 (5) of the Adult Education Act.
- In the absence of other specific legal, regulatory or contractual requirements, our retention period for personal data follows the statutory limitation period prescribed by law. Data that must be kept until the expiry of the limitation period under tax law is retained for a maximum of seven years, and data that is necessary for fulfilling accounting obligations is retained for a maximum of eight years. If neither of the above categories is applicable, the retention period will follow the general limitation period under civil law (five years).
Business contacts
Collection of personal data
PwC processes business contact details of existing and potential PwC clients and/or individuals associated with them for the purposes, based on the legal grounds and using the methods set out below.
Business contact details are collected and stored in the Salesforce customer relationship management system (“PwC CRM”). The collection of personal data about contacts and the addition of that personal data to the PwC CRM is in some cases done manually (e.g. by a PwC employee receiving a business card with contact details from a client) or such data are automatically uploaded from newsletter, event or training registration forms completed by the data subject, from email correspondence, or from calendaring systems used by PwC.
The data collected include:
- the data subject’s name,
- the employer’s name,
- the data subject’s title,
- telephone number,
- email address, and
- other business contact details.
Use of personal data
Personal data listed in this section may be used for the following purposes:
- providing professional services;
- making offers for specific professional services;
- administering, managing and developing our businesses and services;
- performing analytics, including producing metrics, such as on relationship maps, sales intelligence and progress against business goals.
Legal grounds
- If we are under a contract to provide professional services, in the case of our natural person clients the legal grounds of the data processing is fulfilling our contract concluded with the subject, while in the case of non-natural clients, the legal grounds is our legitimate interests related to meeting our contractual obligations.
- The legal grounds for processing in the PwC CRM system (including making offers, administering, managing and developing our business, and performing analytics) is that the processing is necessary for the purposes of the legitimate interests pursued by us in providing our services, like most multinational company groups, through a single interface, ensuring efficient information flow between member firms, and in accordance with clients’ needs for cross-border services. To ensure that processing is done lawfully, prior to commencing such processing PwC undertook a balancing test to assess whether its legitimate interest described above overrides the impact of such processing on the fundamental rights and freedoms of the data subjects. The balancing test involved an assessment of all essential elements of processing, including the safeguards and security measures applied. As a result of the balancing test, PwC has established that the rights of the data subjects do not override its identified legitimate interests, and therefore processing on the grounds of such legitimate interests may be performed lawfully (subject to the application of appropriate security and legal safeguards).
Data transfers
As a result of the operational specificities of the PwC CRM, the information in the PwC CRM may also be accessed by employees of PwC member firms other than the PwC member firm that collected the personal data. This may necessitate cross-border data transfers, including the transfer of personal data outside the European Union.
We apply additional safeguards as required by the GDPR when transferring personal data to a third country. There are contractual arrangements in place for such purposes between the members of the PwC network that are in line with the European Commission approved standard contractual clauses on the transfer of personal data, ensuring appropriate protection of personal data in all cases where a PwC member firm receiving such data is located in a country outside the EU.
Data retention
We retain the personal data processed by us for as long as strictly necessary for the purpose for which it was collected.
As part of that process:
- Personal data will be retained in the PwC CRM for as long as the business relationship between PwC and the client exists or as long as such data must be retained for any of the above purposes (e.g. for as long as we have, or need to keep a record of, a relationship with a business contact).
- If a mandatory retention period is prescribed by law for a given activity, personal data will be retained until the expiry of the statutory retention period.
- In the absence of other specific legal, regulatory or contractual requirements, our retention period for personal data follows the statutory limitation period prescribed by law. Data that must be kept until the expiry of the limitation period under tax law is retained for a maximum of seven years, and data that is necessary for fulfilling accounting obligations is retained for a maximum of eight years. If neither of the above categories is applicable, the retention period will follow the general limitation period under civil law (five years).
Individuals associated with our corporate clients
Collection of personal data
In the interest of providing our professional services we may collect personal data of individuals associated with our corporate clients (e.g. employees or representatives of such clients).
In accordance with the principle of purpose limitation, we ask data subjects who may come into contact with us only to share personal data with us where it is relevant and strictly necessary for the purposes of communicating with them or managing our relationship with the client.
Depending on the type of service, we may collect in particular the following personal data:
- name,
- position,
- email address,
- phone number.
We note that corporate clients that provide personal data to us for the purposes of providing our professional services (e.g. personal data of contact persons) qualify as independent data controllers with regard to their own data processing (i.e. before they provide personal data to us), for which PwC cannot be held liable. PwC is solely responsible for its own data processing, from the date on which the personal data are provided to PwC.
Use of personal data
Personal data listed in this section may be used for the following purposes:
- providing professional services;
- administering, managing and developing our business and services;
- managing our relationship with clients.
Legal grounds
The processing takes place based on the following legal grounds:
- regarding the data processing in connection with our contractual obligations to corporate clients, our legitimate interest related to fulfilling said obligations;
- regarding the legal obligations applicable to us set forth in the law, performing said obligations;
- regarding administering, managing and developing our business and services, our legitimate interest related thereto.
Additional data processing 1 - Security, quality and risk management activities
In addition to the above, due to the nature of our activities, we also process data in connection with the following:
- We have security measures in place to protect the personal data we process, which involve detecting, investigating and resolving security threats, and mitigating the consequences of unavoidable threats. Personal data may be processed as part of the security monitoring that we undertake (for example, automated scans to identify harmful emails).
- We monitor the services provided to clients for quality and risk management purposes, which may involve processing personal data stored in the relevant client file or in digitally stored client materials. We also carry out searches using publicly available sources (such as internet searches, sanctions lists and public registers), which may constitute data processing.
This processing is necessary for us to comply with our legal obligations, including data protection and confidentiality, to identify heightened risk individuals and organisations, and check that there are no issues that would prevent us from providing services to a particular client.
Legal grounds
- This processing is necessary for us to comply with legal obligations; for example, when conducting customer due diligence checks to comply with anti-money laundering regulations.
- Where we do not have a legal obligation, we have a legitimate interest in processing personal data as necessary to ensure our prudent and economically sustainable operation.
Additional data processing 2 - Complying with any requirement of law, regulation or a professional body of which we are a member, and defending our legal rights
In addition to the above, due to the nature of our activities, we also process data in connection with the following:
- As with any provider of professional services, we are subject to legal, regulatory and professional obligations. We need to keep records to demonstrate that our services are provided in compliance with our legal and professional obligations, and those records may contain personal data.
- Representatives of authorities may inspect documentation containing personal data during an administrative audit.
- As with any legal entity, it is in our vital interest to have the necessary information available in the case of a legal dispute to uphold our legitimate interests and defend our position. This requires the processing of personal data. Processing by us for such purposes may include the recording of phone call conversations (including in particular conference calls) with our clients to facilitate subsequent retrieval of such conversations and properly document the matter concerned.
This processing of personal data is necessary for us to demonstrate our compliance with professional standards, and to protect and enforce our interests in the event of a legal dispute, including being able to substantiate our legal claims.
Legal grounds
- This processing is necessary for us to comply with a legal obligation to which we are subject.
- In the absence of specific legal requirements, for compliance-related data processing, the legal grounds for our processing is our legitimate interest to ensure compliance and the highest level of prudent business operation.
- In the event of a legal dispute, the grounds for processing is that we have a legitimate interest in enforcing our claims and defending our position.
Data retention
We retain the personal data processed by us for as long as strictly necessary for the purpose for which it was collected.
As part of that process:
- If a mandatory retention period is prescribed by law for a given activity, personal data will be retained until the expiry of the statutory retention period.
- In the absence of other specific legal, regulatory or contractual requirements, our retention period for personal data follows the statutory limitation period prescribed by law. Data that must be kept until the expiry of the limitation period under tax law is retained for a maximum of seven years, and data that is necessary for fulfilling accounting obligations is retained for a maximum of eight years. If neither of the above categories is applicable, the retention period will follow the general limitation period under civil law (five years).
Personal clients
Collection of personal data
During the provision or in relation to the provision of our professional services to personal clients we process personal data of such clients.
In accordance with the principle of purpose limitation, we ask data subjects who may come into contact with us only to share personal data with us where it is relevant and strictly needed for the purposes of communicating or managing our relationship with them.
Where we need to process such personal data to provide our services, we ask our clients to provide the necessary information regarding its use to other data subjects concerned (e.g. family members in the case of preparing personal income tax returns).
Given the diversity of the services we provide to personal clients, we process many categories of personal data, including in particular the following, as appropriate for the services we are providing:
- contact details;
- business activities;
- family information, where relevant to the provision of our services;
- income, taxation and other financial-related details;
- investments and other financial interests;
- health-related information.
Use of personal data
We use personal data for the following purposes:
- providing professional services,
- administering, managing and developing our businesses and services,
- managing our relationship with clients,
- organising professional events,
- providing information, industry updates and insights, invitations to professional events, and promotional materials, if the data subject has consented to receiving such information.
Legal grounds
This processing is necessary for us
- to meet our contractual obligations to personal clients,
- to comply with the legal obligations to which we are subject,
- when administering, managing and developing our business and services, our legitimate interest related thereto,
- when providing information on us and our range of services, including offers, industry updates and insights, and other marketing materials, the data subject’s informed, explicit and voluntary consent.
Additional data processing 1 - Security, quality and risk management activities
In addition to the above, due to the nature of our activities, we also process data in connection with the following:
- We have security measures in place to protect the personal data we process, which involve detecting, investigating and resolving security threats, and mitigating the consequences of unavoidable threats. Personal data may be processed as part of the security monitoring that we undertake (for example, automated scans to identify harmful emails).
- We monitor the services provided to clients for quality and risk management purposes, which may involve processing personal data stored in the relevant client file or in digitally stored client materials. We also carry out searches using publicly available sources (such as internet searches, sanctions lists and public registers), which may constitute data processing.
This processing is necessary for us to comply with our legal obligations, including data protection and confidentiality, to identify heightened risk individuals and organisations, and check that there are no issues that would prevent us from working with a particular client.
Legal grounds
- This processing is necessary for us to comply with a legal obligation; for example, when conducting customer due diligence checks to comply with anti-money laundering regulations.
- Where we do not have a legal obligation, we have a legitimate interest in processing personal data as necessary to ensure our prudent and economically sustainable operation.
Additional data processing 2 - Complying with any requirement of law, regulation or a professional body of which we are a member, and defending our legal rights
In addition to the above, due to the nature of our activities, we also process data in connection with the following:
- As with any provider of professional services, we are subject to legal, regulatory and professional obligations. We need to keep records to demonstrate that our services are provided in compliance with our legal and professional obligations, and those records may contain personal data.
- Representatives of authorities may inspect documentation containing personal data during an administrative audit.
- As with any legal entity, it is in our vital interest to have the necessary information available in the case of a legal dispute to uphold our legitimate interests and defend our position. This requires the processing of personal data. Processing by us for such purposes may include the recording of phone call conversations (including in particular conference calls) with our clients to facilitate subsequent retrieval of such conversations and properly document the matter concerned.
This processing of personal data is necessary for us to demonstrate our compliance with professional standards, and to protect and enforce our interests in the event of a legal dispute, including being able to substantiate our legal claims.
Legal grounds
- This processing is necessary for us to comply with a legal obligation to which we are subject.
- In the absence of specific legal requirements, for compliance-related data processing, the legal grounds for our processing is our legitimate interest to ensure compliance and the highest level of business operation.
- In the event of a legal dispute, the grounds for processing is that we have a legitimate interest in enforcing our claims and defending our position.
Data retention
We retain the personal data processed by us for as long as strictly necessary for the purpose for which it was collected.
As part of that process:
- If a mandatory retention period is prescribed by law for a given activity, personal data will be retained until the expiry of the statutory retention period.
- In the absence of other specific legal, regulatory or contractual requirements, our retention period for personal data follows the statutory limitation period prescribed by law. Data that must be kept until the expiry of the limitation period under tax law is retained for a maximum of seven years, and data that is necessary for fulfilling accounting obligations is retained for a maximum of eight years. If neither of the above categories is applicable, the retention period will follow the general limitation period under civil law (five years).
Individuals who use our applications
In some cases, we may provide external users access to various applications and systems managed by us.
Such applications will contain their own privacy statements explaining why and how personal data is collected and processed by those applications. We encourage users of our applications to refer to the privacy statements available in those applications.
Individuals whose personal data we obtain in connection with providing services
Collection of personal data
For certain services or activities, we may process information and documents (e.g. as part of an audit of an organisation) that may contain the personal data of individuals not directly associated with our corporate clients. We may obtain personal data from our clients or from a third party acting on the instructions of the relevant client.
We note that corporate clients who provide personal data to us for the purposes of providing our services qualify as independent data controllers with regard to their own data processing (i.e. before they provide personal data to us), for which we cannot be held liable. PwC is solely responsible for its own data processing, from the date on which the personal data are provided to PwC.
For the above purposes, we process many categories of personal data, including:
- contact details;
- business activities of individuals;
- information about representatives and employees;
- payroll and other financial details relating to individuals;
- investments and other financial interests relating to individuals.
Use of personal data
We use personal data for the following purposes:
- Providing professional services;
- Administering, managing and developing our businesses and services;
- Managing our relationship with clients.
Legal grounds
The legal grounds for our processing comprise:
- for personal data obtained by us in connection with fulfilling our contractual obligations to a corporate client, our legitimate interests in fulfilling such obligations,
- for personal data obtained by us in connection with fulfilling our contractual obligations to a personal client as a data subject, to fulfil such obligations,
- regarding our data processing related to complying with legal obligations, to comply with a specific legal obligation set forth in law, to which we are subject,
- regarding administering, managing and developing our business and services, our legitimate interest related thereto.
Additional data processing 1 - Security, quality and risk management activities
In addition to the above, due to the nature of our activities, we also process data in connection with the following:
- We have security measures in place to protect the personal data we process, which involve detecting, investigating and resolving security threats, and mitigating the consequences of unavoidable threats. Personal data may be processed as part of the security monitoring that we undertake (for example, automated scans to identify harmful emails).
- We monitor the services provided to clients for quality and risk management purposes, which may involve processing personal data stored in the relevant client file or in digitally stored client materials. We also carry out searches using publicly available sources (such as internet searches, sanctions lists and public registers), which may constitute data processing.
This processing is necessary for us to comply with our legal obligations, including data protection and confidentiality, to identify heightened risk individuals and organisations, and check that there are no issues that would prevent us from providing services to a particular client.
Legal grounds
- This processing is necessary for us to comply with a legal obligation; for example, when conducting customer due diligence checks to comply with anti-money laundering regulations.
- Where we do not have a legal obligation, we have a legitimate interest in processing personal data as necessary to ensure our prudent and economically sustainable operation.
Additional data processing 2 - Complying with any requirement of law, regulation or a professional body of which we are a member, and defending our legal rights
In addition to the above, due to the nature of our activities, we also process data in connection with the following:
- As with any provider of professional services, we are subject to legal, regulatory and professional obligations. We need to keep records to demonstrate that our services are provided in compliance with our legal and professional obligations, and those records may contain personal data.
- Representatives of authorities may inspect documentation containing personal data during an administrative audit.
- As with any legal entity, it is in our vital interest to have the necessary information available in the case of a legal dispute to uphold our legitimate interests and defend our position. This requires the processing of personal data. Processing by us for such purposes may include the recording of phone call conversations (including in particular conference calls) with our clients to facilitate subsequent retrieval of such conversations and properly document the matter concerned.
This processing of personal data is necessary for us to demonstrate our compliance with professional standards, and to protect and enforce our interests in the event of a legal dispute, including being able to substantiate our legal claims.
Legal grounds
- This processing is necessary for us to comply with a legal obligation to which we are subject.
- In the absence of specific legal requirements, for compliance-related data processing, the legal grounds for our processing is our legitimate interest to ensure compliance and the highest level of business operation.
- In the event of a legal dispute, the grounds for processing is that we have a legitimate interest in enforcing our claims and defending our position.
Data retention
We retain the personal data processed by us for as long as strictly necessary for the purpose for which it was collected. As part of that process:
- If a mandatory retention period is prescribed by law for a given activity, personal data will be retained until the expiry of the statutory retention period.
- In the absence of other specific legal, regulatory or contractual requirements, our retention period for personal data follows the statutory limitation period prescribed by law. Data that must be kept until the expiry of the limitation period under tax law is retained for a maximum of seven years, and data that is necessary for fulfilling accounting obligations is retained for a maximum of eight years. If neither of the above categories is applicable, the retention period will follow the general limitation period under civil law (five years).
Others who get in touch with us
Collection of personal data
We collect personal data when an individual gets in touch with us with a question, complaint, comment or feedback.
These data are as follows:
- name,
- contact details,
- contents of the communication (which may also include information qualifying as personal data).
In these cases, the individual is in control of the personal data shared with us. We ask you to share personal data with us only where in your view it is strictly needed for the purposes of responding to the question or comment, or investigating the complaint concerned.
Use of personal data
We use personal data for the following purposes:
- answering questions;
- handling complaints;
- establishing contact and liaising in connection with the above.
Legal grounds
The legal grounds for such processing by us is that the processing is necessary for the purposes of the legitimate interests pursued by us in providing, as soon as reasonably possible, an informative response to individuals who get in touch with us but are not in a direct contractual relationship with us.
Data retention
We retain the personal data processed by us for as long as strictly necessary for the purpose for which it was collected.
As part of that process:
- We process personal data in relation to questions or complaints received by us until successful completion of the communications established on the basis of such questions or complaints, that is until the complaint is finally resolved or the question is successfully answered.
If in our view the communications conducted in response to a complaint or question contain information that may subsequently be required in pursuing a legal claim, the retention period will follow the general limitation period under civil law (five years).
Recruitment applicants
When applying online for a position at PwC via the PwC careers website, applicants should refer to the information made available when applying for a job for details about why and how we process their personal data, and about the rights of individuals in connection with such processing.
For more details about our recruitment processes, please visit our career page.
Alumni Programme
PwC Hungary has created an Alumni Programme for former employees who now pursue their careers at other organisations and companies. Applicants to the Alumni Programme become members of our Alumni Club, and will receive the latest information on PwC’s initiatives, networking activities and events. The purpose of providing this information is to maintain relationships with former colleagues.
When registering for the PwC Alumni Programme, applicants must accept the following terms and conditions for data protection before their registration is finalised.
Collection of personal data
In order to register for the Alumni Programme you have to provide us with the following data:
- name,
- email address,
- alumni details (line of service, industry),
- current business details (position, company name, industry, office email address),
- portrait photo.
Use of personal data
Personal data provided in connection with the Alumni Programme will be used for the following purposes:
- sending information about Alumni events,
- publishing news about our firm and former employees in the Alumni newsletter;
- providing information about our latest initiatives.
Legal grounds
As applications for the Alumni Programme are submitted on a voluntary basis, the legal grounds for data processing is the applicant’s fully informed, voluntary and explicit consent.
Changes in personal details, termination of membership
If you wish to update the personal information you have given us, please let us know through the Alumni registration page at www.pwc.com/hu/alumni or email us at alumni.hungary@hu.pwc.com.
If we are informed about changes in any personal data provided to us, we will make the necessary changes based on the updated information sent to us by the person concerned.
If you would like to check whether your data are up-to-date, please notify us at the above addresses, and we will give you access to your data.
You may ask for your Alumni Club membership to be discontinued by sending an email to alumni.hungary@hu.pwc.com. You can request deletion of all personal data we manage about you by sending an email to alumni.hungary@hu.pwc.com, which will also result in termination of your Alumni Club membership.
Data retention
We will retain the data you have provided for the period of your Alumni Club membership.
Suppliers (including subcontractors and individuals associated with our suppliers and subcontractors)
Collection of personal data
We collect and process personal data about our suppliers (including subcontractors, and individuals associated with our suppliers and subcontractors) in order to manage the relationship and contract, to receive services from our suppliers and, where relevant, to provide professional services to our clients through the use of subcontractors.
Data processed by us for such purposes include in particular the following:
- name,
- title or position at the subcontractor or supplier,
- email address,
- phone number,
- other contact details.
Use of personal data
We use personal data for the following purposes:
- Receiving services from our subcontractors and suppliers
We process personal data in relation to our suppliers and their staff as necessary to receive the services. For example, where a supplier is providing us with facilities management or other outsourced services, we will process personal data about those individuals who are our appointed contact persons or involved in the provision of the services.
- Providing professional services to clients
Where a supplier is helping us to deliver professional services to our clients, we process personal data about the individuals involved in providing the services in order to manage our relationship with the supplier and to provide such services to our clients.
If a supplier acts as PwC’s processor, we make sure that it carries out its activities in accordance with a substantially appropriate processing agreement that complies with GDPR requirements, ensuring that such processing is done lawfully.
- Administering, managing and developing our businesses and services.
Legal grounds
The legal grounds of our data processing are:
- performing the contracts concluded with our individual (natural person) subcontractors and suppliers;
- our legitimate interests in performing the contracts concluded with our corporate (non-natural person) subcontractors and suppliers.
Additional data processing 1 - Security, quality and risk management activities
In addition to the above, due to the nature of our activities, we also process data in connection with the following:
- We have security measures in place to protect the personal data we process, which involve detecting, investigating and resolving security threats, and mitigating the consequences of unavoidable threats. Personal data may be processed as part of the security monitoring that we undertake (for example, automated scans to identify harmful emails).
- We monitor our suppliers and subcontractors for quality and risk management purposes, which may involve processing personal data. We also carry out searches using publicly available sources (such as internet searches, sanctions lists and public registers), which may constitute data processing.
This processing is necessary for us to comply with our legal obligations, including data protection and confidentiality, to identify heightened risk individuals and organisations, and check that there are no issues that would prevent us from working with a particular supplier or subcontractor.
Legal grounds
- This processing is necessary for the purposes of complying with a legal obligation to which we are subject; for example with respect to conducting know-your-customer checks.
- Where we do not have a legal obligation, we have a legitimate interest in processing personal data as necessary to ensure our prudent and economically sustainable operation.
Additional data processing 2 - Complying with any requirement of law, regulation or a professional body of which we are a member, and defending our legal rights
In addition to the above, due to the nature of our activities, we also process data in connection with the following:
- As with any provider of professional services, we are subject to legal, regulatory and professional obligations. We need to keep records to demonstrate that our services are provided in compliance with our legal and professional obligations, and those records may contain personal data.
- Representatives of authorities may inspect documentation containing personal data during an administrative audit.
- As with any legal entity, it is in our vital interest to have the necessary information available in the case of a legal dispute to uphold our legitimate interests and defend our position. This requires the processing of personal data. Processing by us for such purposes may include the recording of phone call conversations (including in particular conference calls) with our suppliers and subcontractors to facilitate subsequent retrieval of such conversations and properly document the matter concerned.
This processing of personal data is necessary for us to demonstrate our compliance with professional standards, and to protect and enforce our interests in the event of a legal dispute, including being able to substantiate our legal claims.
Legal grounds
- This processing is necessary for us to comply with a legal obligation to which we are subject.
- In the absence of specific legal requirements, for compliance-related data processing, the legal grounds for our processing is our legitimate interest to ensure compliance and the highest level of business operation.
- In the event of a legal dispute, the grounds for processing is that we have a legitimate interest in enforcing our claims and defending our position.
Data retention
We retain the personal data processed by us for as long as strictly necessary for the purpose for which it was collected.
As part of that process:
- If a mandatory retention period is prescribed by law for a given activity, personal data will be retained until the expiry of the statutory retention period.
In the absence of other specific legal, regulatory or contractual requirements, our retention period for personal data follows the statutory limitation period prescribed by law. Data that must be kept until the expiry of the limitation period under tax law is retained for a maximum of seven years, and data that is necessary for fulfilling accounting obligations is retained for a maximum of eight years. If neither of the above categories is applicable, the retention period will follow the general limitation period under civil law (five years).
Visitors to our offices
We have security measures in place at our office building, including CCTV and building access controls operated by the facility manager of the building. We neither have access to, nor control or process personal data of visitors.
For more information, please contact the facility managing entity that processes such data.
We would also like to inform you that when requesting a parking space in the underground garage of our office building before your visit, it is necessary for PwC to process the license plate number of your vehicle, as this information is needed to reserve a parking space.
Visitors to PwC events (excluding PwC’s Academy events)
Collection of personal data
To ensure the successful organisation of our events, we process, in particular, the following personal data:
- name,
- function, title,
- email address,
- phone number,
- other contact details,
- the license plate number of your vehicle if you have previously requested a parking space in the office building,
- your image in the form of a photo or video recording (if you do not wish your image to be recorded, please take a seat in one of the last two rows at our events),
- personal data related to the measures required due to the COVID-19 pandemic, including a statement on the detection of certain symptoms and contact with potentially infected persons, as well as the result of any measurement of body temperature (the latter data will not be recorded or retained in any form). We will provide you with a separate, detailed privacy statement about the processing related to COVID before your visit (by e-mail or at the reception before entering).
Use of personal data
Personal data may be used for the following purposes:
- organising the event (registration, preparing presentation materials, etc.);
- developing our business and services;
- identifying clients, performing analytics such as on market trends, relationship maps or sales opportunities;
- providing information about us, our range of services, and events organised by us, e.g. in the form of newsletters, subject to the data subject’s consent;
- ensuring the health and safety of our colleagues and visitors during the COVID-19 pandemic.
Legal grounds
The legal grounds for our processing comprise:
- the data subject’s explicit, voluntary and informed consent in connection with applying for and participating in events;
- the legitimate interests pursued by us in developing our business and preparing analyses;
- the data subject’s explicit, voluntary and informed consent in connection with providing information about us, our range of services, and events organised by us.
Data retention
Personal data that are strictly needed for organising an event will be retained until the event is successfully completed.
Where a participant has consented to continue to receive from us further information about our company, services and events, the data will be processed until such consent is withdrawn.
Visitors to our website
Collection of personal data
Visitors are not required to provide any personal data or to register in order to access the public content on our website.
Access to premium content (e.g. studies, white papers, analyses) available on our website requires prior registration.
The registration requires the acceptance of the related general terms and conditions, as well as providing the following personal data:
- username;
- password;
- name;
- email address;
- country and chosen language;
- if the data subject registers on behalf of a company or other organization, the name of the company or other organization and the title of the data subject therein;
- type of relationship with PwC (choosing from the following categories: client, media, other)
Use of personal data
Personal data processed in the context of our website is processed for the following purposes:
- providing access to premium content;
- ordering publications, professional materials or subscribing to newsletters;
- registering for events and conferences;
- maintenance of our website.
Legal grounds
The legal grounds for our processing are as follows:
- in relation to subscribing to newsletters, signing up for events, ordering publications and other professional materials, the data subject’s explicit, voluntary and informed consent.
- in the case of data processing related to registration prior to accessing premium content, the legal basis depends on whether the data subject registers as a private individual or on behalf of a company or other organization. If the data subject registers as a private individual, the legal basis is the performance of contractual obligations as the registration and the acceptance of the related general terms and conditions create a legal relationship between the individual and PwC. If the data subject registers on behalf of a company or other organization, the legal basis for data processing is PwC’s legitimate interest related to fulfilling its obligations derived from the legal relationship between the company or other organization registering by way of its representative and PwC by providing access to the premium content.
- in the case of processing personal data in connection with the marketing functions of our website, the legal basis is our legitimate interest related thereto.
Data retention
Personal data collected via our websites will be retained by us for as long as strictly necessary for the purpose for which it was collected (e.g. as long as we have an active relationship with the relevant individual), or as long as required by law.
As part of that process:
- contact information about visitors (such as personal data provided through registration for access to certain areas of the site) will be retained as long as the information is required to completely service the contact request or until the user requests that we erase the information. Mailing list emails and data are retained only for the period necessary to carry out the visitor’s requests.
- Should you choose to unsubscribe from mailing lists or any active registrations, we will provide instructions on the appropriate web page or in the emails sent to you, or you may contact us by email at hu_dataprotection@pwc.com.
- If, in our view, the personal data we hold for the purposes of a specific data processing may be required in relation to pursuing a legal claim, the retention period will follow the general civil law statutory limitation period (five years).
Data collection for marketing purposes, profiling, remarketing
Our websites do not collect or compile personal data for dissemination or sale to third parties for consumer marketing purposes, nor do they host mailings on behalf of third parties.
However, PwC uses third-party vendor remarketing tracking cookies, including the Google Adwords tracking cookie. These cookies only work if the user explicitly allows them in the cookie settings of the website.
Besides blocking it in the cookie settings, you can opt out of Google’s use of cookies by visiting Google’s Ads Settings. Alternatively, you can opt out of a third-party vendor’s use of cookies by visiting the Network Advertising Initiative opt-out page.
Using DoubleClick’s remarketing pixels – PwC may use DoubleClick’s remarketing pixels. You can opt out of DoubleClick’s use of cookies by visiting the DoubleClick opt-out page or the Network Advertising Initiative opt-out page.
Links to other websites
Some areas of our website may link or redirect to websites that do not operate in line with our privacy practices or those of www.pwc.com. When you click on such links and are redirected accordingly, PwC’s privacy principles and rules no longer apply. We have no control over any third-party websites, and it is the operator of such websites that will be regarded as the controller.
We encourage visitors to review each website’s privacy statement before disclosing any personally identifiable information.
Website analytics
Although it does not involve the processing of personal data, we note that we use Google Analytics and Adobe Analytics systems for collecting visitors’ data related to the website.
Such data is not related to private individuals and does not make their identification possible.
However, in order to allow users to have complete control over the collected data, both systems offer the possibility to unsubscribe from data collection using the following links:
- Google Analytics: https://tools.google.com/dlpage/gaoptout
- Adobe Analytics: http://www.adobe.com/privacy/opt-out.html
Cookies and IP addresses
In some cases, the IP address of the device used to visit our website may be recorded; however, this information does not allow PwC to identify you.
For more detailed information on the processing of IP addresses and cookies used on our website, please visit our cookie policy.
Newsletter registrants
We ask individuals registering for our newsletters to give their consent to receiving electronic communications from entities within the PwC network in accordance with the provisions of Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities. You have the right to withdraw your consent at any time. Every email sent to you will include a one-click unsubscribe link so you can leave the mailing list at any time.
Use of personal data
Your personal data may be used for the following purposes:
- providing you with the newsletter you have subscribed to;
- providing information to you about our company, our range of services and events;
- business development, managing our client relations.
Legal grounds
- Our legal grounds for data processing related to newsletters and other informative materials is the data subject’s explicit, voluntary and informed consent;
- regarding developing our business and client relationship management, the legal grounds for data processing is our legitimate interest related thereto.
Data retention
We retain your personal data as part of the data processing discussed in this section for as long as strictly necessary for the purpose for which the data was collected, or until you withdraw your consent.
We note that consent is voluntary, and refusal to give consent will not put you at a disadvantage. However, as certain personal data are strictly necessary for accessing some services and information, refusing to provide the required data may result in that service or information not being available to you.