Information on the processing of audit assignments

PRIVACY NOTICE PURSUANT TO ARTICLES 13 AND 14, GDPR

Esteemed supplier,

SERVIZI AZIENDALI PRICEWATERHOUSECOOPERS S.r.l. (hereinafter, “SAPwC” or "Controller"), having its head office in Milan, Piazza Tre Torri n. 2, in the person of its pro tempore legal representative - a company providing administrative, accounting and organisational services to the Italian legal entities belonging to the PwC Network, with which it has executed a joint control agreement pursuant to Section 26, GDPR, the essential content of which is available on demand at the Controller's premises - as well as any additional Italian legal entity belonging to the PwC Network with which You have professional or business relationships (hereinafter referred to as "Joint Controller"), are glad to provide You, pursuant to Sections 13 and 14, GDPR, with all of the following information (hereinafter, the “Information Notice”).

(a) Identity and Contact details of the Controller

SERVIZI AZIENDALI PRICEWATERHOUSECOOPERS S.r.l.
Piazza Tre Torri, 2 – 20145 Milano 
Certified email address (PEC): sap@pec-pwc.it
Tax code / VAT Registration: 12449670152 
Tel. (02) 77851

(b) Contact details of the Data Protection Officer

 Office of the Data Protection Officer (“DPO”)
 Piazza Tre Torri, 2 – 20145 Milano
 Certified email address (PEC): dpo-sap@pec-pwc.it
 Tel. (02) 66734162
 Fax (02) 66734163

 (c) Purposes of the processing for which the personal data are intended and related legal basis

Your personal data will be processed without your consent (section 6, items b, c, f, GDPR), for the following purposes:

  • performance of pre-contractual and contractual obligations deriving from the execution of a supply contract;
  • compliance with legal obligations, as provided for by a law (national or EU), or performance of an order of any authority, as well as of any other entity to which the Controller is subject;
  • carrying out supplier relationship management activities (including the supplier qualification process) and maintaining profitable professional relationships with suppliers (current and potential);
  • exercise of the rights of the Controller and/or Joint Controller, with particular reference to judicial defensive rights.

For the purposes mentioned above, the collection of your personal data is necessary. The lack of such data, or any express refusal of consent to process it, may make it impossible for the Controller to perform the contractual obligations or may result in a possible violation of the competent Authorities' requests.

(d) Processed Categories of Personal Data

Pursuant to art. 4, n. 1, GDPR, the "personal data" that will be processed by the Data Controller for the aforementioned purposes consist of: name and surname, tax code, VAT number, residence, domicile, registered office workplace, e-mail or PEC address, telephone and fax number, and, where appropriate, bank, financial and insurance data ("Data").

You will refrain from sending the Data Controller any Data that is not strictly necessary for the performance of contractual and/or commercial activities. Otherwise, the Data must be transmitted to the Data Controller in anonymised or pseudonymised form, in accordance with the principle of minimization provided for in article 5, paragraph 1, GDPR.

In the event that, in carrying out the contractual relationship, you communicate to the Data Controller (in a non-anonymous or pseudonymised way) Data of other parties (e.g. employees or collaborators of the legal entity represented by you), you declare and guarantee that you process all the aforementioned personal data legitimately and in compliance with the GDPR, and also declare that you have already provided the interested parties with adequate information, stating the possibility of providing personal data to third-party companies, and that you have obtained any necessary consents for the purpose.

To this end, the Information Notice can be consulted by the other Data Subjects on the website https://www.pwc.com/it/informative-privacy.

(e) Categories of Personal Data Recipients

The personal data you submit to us for the purposes mentioned under par. (c) above may be transferred to:

  1. Employees and collaborators of the Controller, in their capacity of persons duly authorised to data processing;
  2. Any third party subject, performing outsourced activities on behalf of the Controller, in their capacity of data processors;
  3. Any judicial or controlling Authority, public entities (whether national or foreign ones);
  4. Any other entities belonging to the national and international PwC Network of which the Controller is a part.

(f) Storage and Transfer of Personal Data to Third Countries 

Personal data are processed and stored “on cloud” and on servers located within and outside EU, belonging to or in the possession of the Controller and/or third party processors, as duly appointed.

Any transfer abroad of data to non-EU countries takes place in compliance with the regulations in force, as well as in compliance with the provisions adopted by the European Court of Justice and by national and foreign Authorities regarding the protection of personal data.

Your personal data will not be subject to dissemination.

(g) Personal Data Storage Period

Personal Data provided for the purposes indicated under par. (c), above are processed and stored for the entire duration of the supply contract, if applicable.

As of the termination of such contractual relationship, for whichever reason or cause, personal data will be stored until the legal time-barring terms have elapsed.

In the event the assignment is not granted, the personal data collected will be stored for a period of 2 years.

(h) Exercisable Rights

In compliance with the provisions under Chapter III, Section I, GDPR, you may exercise the rights therein indicated and in particular:

  • Right of Access – Obtain confirmation whether your data is processed or not and, in such a case, obtain information related, in particular, to: the purposes of such processing, the categories of the processed personal data, the storage period, the recipients to whom such data can be transferred (Section 15, GDPR);
  • Right of Rectification – Obtain, without undue delay, the rectification of inaccurate personal data and to have incomplete personal data completed (Section 16, GDPR);
  • Right of Erasure – Obtain, without undue delay, the erasure of your personal data, in the cases provided for by the GDPR (Section 17, GDPR);
  • Right to Restriction – Obtain from the Joint Controllers the limitation to processing, in the cases provided for by the GDPR (Section 18, GDPR);
  • Right to Data Portability – Receive your personal data as communicated to the Joint Controllers in a structured, commonly used and machine-readable format and obtain the transmission of such data to another controller without any hindrance, in the cases provided for by the GDPR (Section 20, GDPR);
  • Right to object – Object to the processing of your personal data, unless the Joint Controllers have compelling legitimate grounds for the continuation of the processing (Section 21, GDPR);
  • Right to Lodge a Complaint with the Supervisory Authority – Lodge a complaint with the Autorità Garante per la protezione dei dati personali (info available on the website: www.garanteprivacy.it).

You may exercise such rights by means of a request sent by email to the certified email address of the Data Privacy Officer indicated above.

(i) Processing Operations

Your personal data is processed through the operations indicated in section 4, n. 2), GDPR – whether or not performed by automated means – such as: collection, recording, organisation, structuring, update, storage, adaptation or alteration, retrieval and analysis, consultation, use, disclosure by transmission, alignment or combination, restriction, erasure or destruction.

Whatever the means of processing, the security of the data, logical and physical, and overall their confidentiality will be guaranteed by adopting all necessary technical and organisational measures appropriate to guarantee data security.

The Data Controller undertakes, from now on, to keep the data and information received for the purpose of the contract confidential and to adopt appropriate measures to ensure adequate protection of the same, ensuring the necessary confidentiality regarding their content.

The confidentiality obligations mentioned above will also take effect after the date on which the contract ceases to have effect.

In accordance with the provisions of Article 32, GDPR, taking into account the nature, object, context and purpose of the processing, the Controller and the Supplier mutually claim to have implemented appropriate technical and organizational measures, including with reference to the particular categories of Data referred to in articles 9 and 10, GDPR, to guarantee a level of security appropriate to the risk, which include, by way of example and not exhaustively: (i) pseudonymisation and encryption of data; (ii) the ability to ensure on a permanent basis the confidentiality, integrity, availability and resilience of the processing systems and services; (iii) the ability to promptly restore data availability and access in the event of a physical or technical incident; (iv) a procedure for testing, verifying and regularly assessing the effectiveness of technical and organizational measures in order to guarantee the security of the processing. The Controller and the Supplier will each be responsible for the protection of their own IT system.