PwC SpA | Privacy notice audit engagements

Privacy notice pursuant to articles 13 and 14, GDPR regarding the processing of personal data collected for the execution of audit engagements

Personal Data Processing

Pursuant to Article 26 of the European Regulation 2016/679 of the European Parliament and of the Council dated April 27, 2016, concerning the protection of natural persons with regard to the processing of personal data (hereinafter “GDPR”), PwC has executed a joint control agreement with Servizi Aziendali PricewaterhouseCoopers S.r.l. (hereinafter “SAPwC”), having its seat in Milan, Piazza Tre Torri, n. 2, a company supplying administrative, accounting and organizational services in favor of the Italian entities belonging to the PwC Network, of which PwC and SAPwC (hereinafter the “Joint Controllers”) are members.

Therefore, all personal data provided by the Company to PwC shall automatically be in the joint control of SAPwC.

Based on the above, the Joint Controllers provide to the Company the following information, pursuant to Articles 13 and 14 GDPR (hereinafter, the “Notice”), concerning the processing of personal data collected in connection with the performance of the Services required by the Company.

For the performance of the professional engagement assigned by the Company (hereinafter referred to as “Services”, as well as “Audit Engagement” or “Engagement”), in most cases, PwC shall not need to process personal data pursuant to the GDPR, save for those concerning the legal representatives and contact persons of the Company. In compliance with the principle of data minimization provided for by Article 5, Paragraph 1, Letter c), GDPR, the Company therefore undertakes to refrain from sending to PwC any personal data, except for those strictly necessary for the performance of the Audit Engagement. In such a case, the personal data shall be sent to the Joint Controllers in anonymised or pseudonymised form, as expressly set forth by the GDPR.

Should it be necessary for the performance of the Engagement to process personal data in addition to those of the legal representatives and/or of the contact persons of the Company, and such data cannot be collected in an anonymised or pseudonymised manner, PwC shall evaluate with the Company the most suitable processing measures.

However, the Company represents and warrants that it lawfully processes, in compliance with the GDPR, all personal data that may be communicated to PwC during the performance of the Services and, in particular, hereby represents that an adequate information notice has been provided to the Data Subjects, expressly mentioning the possibility of sending the personal data to third companies engaged for the performance of professional services. The Company also represents that it has obtained any consent possibly required. The Company undertakes, as well, to inform its employees and/or collaborators that the Joint Controllers’ information Notice is available on the website, so that the same Notice is deemed provided by the Joint Controllers to the Data Subjects pursuant to Articles 13 and 14, GDPR.

a) Identity and Contact details of the Joint Controllers

Piazza Tre Torri, n. 2 - 20145 Milano
Tax code/VAT: 12979880155
Tel. (02) 77851

Piazza Tre Torri, n. 2 - 20145 Milano
Tax code/VAT: 12449670152
Tel. (02) 77851

b) Contact details of the Data Protection Officer:

Office of the Data Protection Officer (“DPO”)
Piazza Tre Torri, n. 2 - 20145 Milano
Certified email address:
Tel. (02) 7785670 Fax. (02) 7785671

c) Purposes of the processing for which the personal data are collected and basis for lawful processing

The personal data will be processed for the following purposes:

(i) fulfill pre-contractual and contractual obligations concerning the Audit Engagement, as regulated by European laws, Italian laws, as well as applicable auditing standards;

(ii) fulfill obligations provided for by national or European laws and regulations (for example, anti-money laundering or anti-terrorism law) or, as applicable, by a law of a third country;

(iii) comply with an order of any judicial authority, as well as of any other authority to which the Joint Controllers are subject;

(iv) perform any activity related to PwC Network procedures concerning the organizational, administrative and operative aspects of the assignment and performance of professional engagements (which, in some cases, could be carried out involving other Italian or foreign legal entities belonging to the PwC Network) and of the relationships with clients (for example, independence and potential conflict of interest controls, risk management procedures and quality control procedures);

(v) exercise the rights of the Joint Controllers, with particular reference to judicial defensive rights.

For the purposes indicated above the collection of the personal data is necessary and does not require the Data Subjects’ consent. Failure to provide the data, or any express refusal to allow its processing, may make it impossible for PwC to perform the Engagement and, for SAPwC, to perform its own ancillary activities as described above.
Moreover, personal data may be processed in order to pursue the legitimate interest of the Joint Controllers and/or the other (Italian and foreign) legal entities belonging to the PwC Network in establishing and building profitable and optimal business relationships with their current or potential clients. For this purpose, personal data may be processed to carry out “customer relationship management” activities, consisting mainly in tracing and managing the relationships and interactions that legal entities of the PwC Network, through the professionals belonging to it, develop with the contact persons of current and potential clients, for the purpose of understanding clients’ needs and expectations, improving the services offered, developing new services based on the market’s requirements, as well as growing the business. For those purposes the contact persons’ data will be entered into dedicated databases owned by or available to the Joint Controllers and will be made accessible to the other Italian and foreign entities of the PwC Network based in the countries listed on the following webpage:

Where specific obligations of confidentiality or professional secrecy exist, as well as when there are particular reasons of expediency, the data will be made available solely to professionals of the Italian legal entities of the PwC Network (excluding foreign entities), or solely to the Joint Controllers, or exclusively to the members of the team assigned to a professional engagement. In any case, in respect of the “customer relationship management” activities described above, the Data Subjects may be contacted, if necessary, only through the professionals who operate within the Italian legal entity with which they have established the main relationship.

d) Processed categories of personal data:

Pursuant to Article 4, Paragraph 1, GDPR, “personal data” means any information relating to an identified or identifiable natural person, who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person – which is processed by the Joint Controllers and collected through the Company or from private and/or public databases or registers (hereinafter, the “Data”).

For the performance of the Engagement, and without prejudice to the principle of minimization indicated above, given the nature of the audit activities, in certain cases the processing of special categories of personal Data could become necessary, such as, by way of example and not exhaustively, those provided for by Article 9, GDPR (such as Data concerning health), or Data relating to criminal convictions and offences or related security measures, as defined by Article 10, GDPR.

e) Categories of personal Data recipients

In the performance of the Audit Engagement, Data may be made accessible to:

(i) corporate bodies and other corporate positions within the Company, on the basis of the adopted governance model;

(ii) external entities (even private) Italian or foreign, performing surveillance activities on the Company, its group and/or on the Joint Controllers (such as, by way of example, Consob, Banca d’Italia, Ivass), public authorities, as well as civil, criminal and public judicial authorities;

(iii) Joint Controllers’ employees and consultants, in their role of persons authorised to process Data (hereinafter, the “Authorised Persons”);

(iv) other Italian or foreign legal entities belonging to the PwC Network, of which Joint Controllers are members, also for the purpose described in section c), including the performance of “customer relationship management” activities as above mentioned by entering the data and information into specific databases owned and/or managed by Joint Controllers;

(v) external companies, firms and professionals entrusted by the Joint Controllers, who perform activities instrumental to the Audit Engagement or to any other engaged Services to be performed;

(vi) other auditors, in the cases set forth by the law and by applicable auditing standards, or upon specific request of the Company;

(vii) any other third party entity acting as Joint Controllers’ outsourcers, also for Data storage purposes, in their capacity of Data processors;

(viii) professionals engaged by the Company for the performance of other services, or by third parties for the performance of engagements in which the Company may have an interest (for example, “due diligence” engagements involving the Company).

The updated list of Data processors and Authorised Persons is kept at the Joint Controllers’ seat.

f) Storage and transfer of personal data to third countries

Since the Joint Controllers operate within a network composed of independent legal entities with seat in different countries worldwide, Data may be transferred to and kept also outside the European Union, including those countries not guaranteeing an adequate data protection level. However, such transfers shall occur, in any case, in compliance with Articles 45 and 46, GDPR.

Data are processed and stored on “cloud” and on servers located within and outside the European Union, belonging to or in the availability of the Joint Controllers and/or third party processors, as duly appointed. Any transfer abroad of data to non-EU countries takes place in compliance with the regulations in force, as well as in compliance with the provisions adopted by the European Court of Justice and by national and foreign Authorities regarding the protection of personal data.

Personal Data will not be subject to dissemination, except for the case of “customer relationship management” activities described above.

g) Personal data storage period

Personal Data are kept throughout the whole duration of the professional Engagement. As of the date of termination, for whichever reason or cause, Data will be stored for the duration provided by the applicable auditing standards concerning the storage of audit documentation and, in any case, for as long as the applicable statutory terms apply, increased by twelve months.

Nevertheless, Data will be kept for as long as necessary to comply with specific legal requirements (by way of example, anti-money laundering requirements), as well as to ascertain, exercise and protect the rights of the Joint Controllers, in order to evidence the due performance of the professional engagement Services.
In respect of the “customer relationship management” activities, personal data will be stored for a period of three years.

h) Exercisable Rights

In compliance with the provisions under Chapter III, Section I, GDPR, you may exercise the rights therein indicated and in particular:

Right of Access – Obtain confirmation as to whether your data are processed or not and, in such a case, obtain information relating, in particular, to the purposes of such processing, the categories of personal data processed, the storage period and the recipients to whom such data may be transferred (Article 15, GDPR),

Right of Rectification – Obtain, without undue delay, the rectification of inaccurate personal data and to have incomplete personal data completed (Article 16, GDPR),

Right of Erasure – Obtain, without undue delay, the erasure of your personal data, in the cases provided for by the GDPR (Article 17, GDPR),

Right to Restriction – Obtain from the Joint Controllers the limitation to processing, in the cases provided for by the GDPR (Article 18, GDPR),

Right to Data Portability – Receive your personal data as communicated to the Joint Controllers in a structured, commonly used and machine-readable format and obtain the transmission of such data to another controller without any hindrance, in the cases provided for by the GDPR (Article 20, GDPR),

Right to object – Object to the processing of your personal data, unless the Joint Controllers have compelling legitimate grounds for the continuation of the processing (Article 21, GDPR),

Right to Lodge a Complaint with the Supervisory Authority – Lodge a complaint with the Autorità Garante per la protezione dei dati personali (information available on the website:
Data Subjects may exercise such rights by sending a request to the Data Protection Officer at the certified email address specified above.

i) Processing operations

Personal Data are processed by the Joint Controllers through the operations indicated in Article 4, n. 2), GDPR – whether or not performed by automated means – such as: collection, recording, organization, structuring, update, storage, adaptation or alteration, retrieval and analysis, consultation, use, disclosure by transmission, alignment or combination, restriction, erasure or destruction.

The Joint Controllers hereby undertake to keep confidential the Data and the information received for the performance of the Services and to adopt any suitable measure in order to guarantee adequate protection of the same, ensuring the necessary confidentiality of their content.

The confidentiality obligations above shall remain effective after the performance of the Services.

Pursuant to Article 32, GDPR, taking into account the nature, scope, context and purposes of the Data processing, the Joint Controllers and the Company reciprocally represent that they have adopted adequate technical and organizational measures, also with regard to the particular categories of Data pursuant to Articles 9 and 10, GDPR, to ensure a level of security proportionate to the level of risk, including, by way of example and not exhaustively: (i) pseudonymisation and encryption of Data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability of and access to the Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. The Joint Controllers and the Company shall each be responsible for the protection of their own information systems.