PricewaterhouseCoopers Business Services s.r.l. | Privacy notice

Privacy notice pursuant to articles 13 and 14, GDPR regarding the processing of personal data collected for the execution of professional engagements

Personal Data Processing

Pursuant to Article 26 of the European Regulation 2016/679 of the European Parliament and of the Council dated April 27, 2016, concerning the protection of natural persons with regard to the processing of personal data (hereinafter “GDPR”), PwC has executed a joint control agreement, with Servizi Aziendali PricewaterhouseCoopers S.r.l. (hereinafter “SAPwC”), having its seat in Milan, Piazza Tre Torri, n. 2, a company supplying administrative, accounting and organizational services in favor of the Italian PwC Firm (Further information on PwC Network and its single entities may be found on www.pwc.com) to which PwC and SAPwC (hereinafter the “Joint Controllers”) are members. The essential content of such agreement is available on demand at the Joint Controllers premises.
Therefore, all personal data provided by the Company to PwC shall automatically be in the joint control of SAPwC.
Based on the above, the Joint Controllers provide to the Company the following information, pursuant to Articles 13 and 14 GDPR (hereinafter, the “Notice”) concerning the processing of personal data collected in connection to the performance of the Services required by the Company.

For the performance of the professional engagement assigned by the Company (hereinafter referred to as “Services”, as well as “Engagement”) PwC shall not require to process personal data pursuant to the GDPR, save for those concerning the contact legal representatives of the Company. In compliance with the principle of data minimization provided for by Article 5, Paragraph 1, Letter c), GDPR, the Company undertakes therefore to refrain to send to PwC personal data of any type, except for those strictly necessary for the performance of the Engagement. In such a case, the personal data shall be sent to the PwC in an anonymous way or by means of pseudonyms, as expressly set forth by the GDPR.
Should it be necessary for the performance of the Engagement to process personal data further to these of the legal representatives and/or of the contact persons of the Company and the same shall not be collectable in an anonymous or pseudonymised manner, PwC shall evaluate with the Company the most suitable processing measures.

However, the Company represents and warrants to legitimately process all personal data that should be communicated to PwC during the performance of the Services in compliance with the GDPR and, in particular, hereby represents that an adequate information notice has been provided to data subjects, expressly mentioning the possibility to send the personal data to third companies engaged for the performance of professional services. The Company also represents that it has obtained any consent possibly required. The Company undertakes, as well, to highlight to its employees and/or collaborators that the Joint Controllers’ Notice is available on the website https://www.pwc.com/it/informative-privacy, in order to allow that the same Notice is sent by the Joint Controllers to the data subjects (as defined according to Article 4, n. 1, GDPR) pursuant to Articles 13 and 14, GDPR.

a) Identity and Contact details of the Joint Controllers

PRICEWATERHOUSECOOPERS BUSINESS SERVICES S.r.l.
Piazza Tre Torri, n. 2 - 20145 Milano
Tax code / VAT no.: 06234620968
Tel. (02) 77851

SERVIZI AZIENDALI PRICEWATERHOUSECOOPERS S.r.l.
Piazza Tre Torri, n. 2 - 20145 Milano
Tax code/VAT no. 12449670152
Tel. (02) 77851

b) Contact details of the Data Protection Officer

Office of the Data Protection Officer (“DPO”)
Piazza Tre Torri, n. 2 - 20145 Milano
Certified email address (PEC): dpo-business-services@pec-pwc.it
Tel. (02) 72509280
Fax (02) 72509281

c) Purposes of the processing for which the personal data are collected and basis for lawful processing

The personal data will be processed for the following purposes:

i. fulfill pre-contractual and contractual obligations deriving from the Services under the Engagement Letter,

ii. fulfill obligations, as provided for by Italian or European laws and regulations (for example, anti money laundering or anti terrorism law) or, as far as applicable, of a third country,

iii. performance of an order of any judicial authority, as well as any other entity to which the Joint Controllers are subject,

iv. performance of any activity related to PwC Network procedures for processes and organizational, administrative and operative aspects related to the assignment and the performance of professional services (which, in some cases, could be carried out involving other Italian or foreign legal entities belonging to the PwC Network) and the relationships with the clients (for example, independence and potential conflict of interests controls, risk management procedures and quality control procedures),

v. exercise the rights of the Joint Controllers, with particular reference to judicial defensive rights.

For the purposes indicated above the collection of the personal data is necessary and the same does not require the data subject consent. Lacking the data or any express refusal to process such data may cause the impossibility for PwC to perform the Engagement and, for SAPwC, to perform its own ancillary activities as above described. Moreover, personal data may be processed in order to pursue the legitimate interest of the Joint Controllers and/or the other (Italian and foreign) legal entities belonging to the PwC Network in establishing and building profitable and optimal business relationships with its current or potential clients. For this purpose, personal data may be processed to carry out “customer relationship management” activities, consisting mainly in tracing and managing the relationships and interactions that legal entities of the PwC Network, through the professionals belonging to it, develop with the contact persons of current and potential clients, for the purpose of understanding clients’ needs and expectations, improving services offered, developing new services based on the market’s requirements, as well as growing the business. For those purposes the contact persons data will be entered into special data bases owned by or available to the Joint Controllers, and will be made accessible to the other Italian and foreign entities of the PwC Network based in the countries listed on the following webpage: https://www.pwc.com/gx/en/about/office-locations.html.
Where specific obligations of confidentiality or professional secrecy exist, as well as when there are particular reasons of expediency, the data will be made available solely to professionals of the Italian legal entities of the PwC Network (excluding foreign entities), or solely to the Joint Controllers, or exclusively to the members of the team assigned to a professional engagement. In any case, in respect of the “customer relationship management” activities described above, the Data subjects may be contacted, if necessary, only through the professionals who operate within the Italian legal entity with which they have established the main relationship.

d) Processed categories of personal data

Pursuant to Article 4, n. 1, GDPR, “personal data” means any information related to a directly or indirectly identified or identifiable natural person, by reference to an identifier such as a name, and identification number, location data, on-line identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, which is processed by the Joint Controllers and collected through the Company or from private and/or public data bases or registers (hereinafter, the “Data”).

For the performance of the Engagement, and without prejudice to the principle of the minimization as above indicated, considered the nature of the Services, in certain cases, it could become necessary the processing of special categories of personal Data such as, by way of example and not in an exhaustive way, those provided for by Article 9, GDPR (such as, Data concerning health), or Data related to criminal convictions and offences or connected to security measures, as defined by Article 10, GDPR.

e) Categories of personal Data recipients

In the performance of the Engagement, Data may be made accessible to:

i. Joint Controllers’ employees and consultants, in their role of persons authorised to process Data (hereinafter, the “Authorised Persons”),

ii. Any third party subject performing outsourced activities, including the Data storage, on behalf of the Joint Controllers, in their capacity of data processors,

iii. Any judicial or controlling Authority, public entities (whether national or foreign ones),

iv. other Italian or foreign legal entities belonging to the PwC Network, of which Joint Controllers are members, also for the purpose described in section c), including the performance of “customer relationship management” activities as above mentioned by entering the data and information into specific databases owned and/or managed by Joint Controllers.

The updated list of Data processors and Authorized Persons is kept at the Joint Controllers’ seat. 

f) Storage and transfer of personal data to third countries

Since the Joint Controllers operate within a network composed of independent legal entities with seat in different countries worldwide, Data may be transferred to and kept also outside the European Union, including those countries not guaranteeing an adequate data protection level. However, such transfers shall occur, in any case, in compliance with Articles 45 and 46, GDPR.

Data are processed and stored on “cloud” and on servers located within and outside the European Union, belonging to or in the availability of the Joint Controllers and/or third party processors, as duly appointed. Any transfer abroad of data to non-EU countries takes place in compliance with the regulations in force, as well as in compliance with the provisions adopted by the European Court of Justice and by national and foreign Authorities regarding the protection of personal data. 

Personal Data will not be subject to dissemination, except for the case of “customer relationship management” activities described above.

g) Personal data storage period

Data will be kept throughout the whole duration of the professional Engagement. As of the date of termination, for whichever reason or cause, Data will be stored as long as time-barring legal terms will be elapsed, increased by twelve months, and well as to possibly ascertain, exercise and protect the rights of the Joint Controllers, aimed at evidencing the due performance of the professional engagement Services. In respect of the “customer relationship management” activities, personal data will be stored for a period of three years.

h) Exercisable Rights

In compliance with the provisions under Chapter III, Section I, GDPR, data subjects may exercise the rights therein indicated and in particular:

Right of Access – Obtain confirmation whether Data are processed or not and, in such a case, obtain information related, in particular, to: the purposes of such processing, the categories of the processed Data, the storage period, the recipients to whom such Data can be transferred (Article 15, GDPR),

Right of Rectification – Obtain, without undue delay, the rectification of inaccurate Data and to have incomplete Data completed (Article 16, GDPR),

Right of Erasure – Obtain, without undue delay, the erasure of Data, in the cases provided for by the GDPR (Article 17, GDPR),

Right to Restriction – Obtain from the Joint Controllers the limitation to processing, in the cases provided for by the GDPR (Article 18, GDPR),

Right to Data Portability – Receive Data as communicated to the Joint Controllers in a structured, commonly used and machine-readable format and obtain the transmission of such Data to another controller without any hindrance, in the cases provided for by the GDPR (Article 20, GDPR),

Right to object – Object to the processing of Data, unless the Joint Controllers have compelling legitimate grounds for the continuation of the processing (Article 21, GDPR),

Right to Lodge a Complaint with the Supervisory Authority – Lodge a complaint to Autorità Garante per la protezione dei dati personali (Info available on the website: www.garanteprivacy.it). Data subject may request to exercise such rights by sending a notice to the Data Protection Officer by the certified email address above specified.

i) Processing operations

Data are processed by the Joint Controllers through the operations indicated in Article 4, n. 2, GDPR – whether or not performed by automated means – such as: collection, recording, organization, structuring, update, storage, adaptation or alteration, retrieval and analysis, consultation, use, disclosure by transmission, alignment or combination, restriction, erasure or destruction.

The Joint Controllers undertake hereby to keep confidential the Data and the information received for the performance of the Services and to adopt any suitable measure in order to guarantee an adequate protection of the same, granting the necessary confidentiality on their content.
Confidentiality obligations above shall continue to be effective further the performance of the Services.

Pursuant to Article 32, GDPR, taking into account nature, object, contest and purposes of the Data processing, the Joint Controllers and the Company reciprocally represent having adopted adequate technical and organizational measures, also related to the particular categories of Data pursuant to articles 9 and 10, GDPR, to safeguard the security level proportionate to the level of risk, including by way of example and not in an exhaustive way: (i) pseudonymisation and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. Joint Controllers and the Company shall be responsible for the protection of their own information system.