SAPwC | Privacy notice

Privacy notice given pursuant to Article 13, GDPR

This Privacy Note is addressed to the data subjects that, in various capacities, have had or have professional, trading or business relationships with one or more of the Italian, or foreign, entities of the PricewaterhouseCoopers international Network1 (the “PwC Network” or the “Network” or “PwC”). Examples: data subjects acting in their own name or as contacts of legal entities qualified as (current or prospective) clients of the PwC Network, who attended a training event or another initiative organised by PwC, PwC Alumni, etc.

SERVIZI AZIENDALI PRICEWATERHOUSECOOPERS S.r.l. (hereinafter “SAPwC” or the “Controller”), with registered office in Milan, Piazza Tre Torri 2, represented by its pro-tempore legal representative, is a company providing administrative, accounting and organisational services to the Italian entities belonging to the PwC Network1.

In this context, SAPwC is the joint controller of the personal data the controller of which is originally each of the above-mentioned Italian entities1, with which it has executed specific and separate joint control agreements pursuant to Article 26 of GDPR2 , the key content of which is available on demand at the premises of SAPwC or of the relevant legal entity of the PwC Network involved as the original controller (hereinafter also the “Joint Controller” and, jointly with SAPwC, the “Joint Controllers”).

In consideration of the above, in parallel with (or in addition to) the privacy notice you have already received from the Joint Controller (which in any case, you can consult at: Privacy Information), SAPwC, in turn, hereby provides the information required by Article 13 of GDPR (the “Privacy Notice”).

 

(a)         Contact details of the Controller

               SERVIZI AZIENDALI PRICEWATERHOUSECOOPERS S.r.l.
               Piazza Tre Torri, n. 2 - 20145 Milano
               Fiscal Code and VAT Registration: 12449670152
               Tel. +39 02 77851

(b)        Contact details of the data protection officer

               Data Protection Officer (“DPO”)
               Piazza Tre Torri, n. 2 - 20145 Milano
               PEC (certified electronic mail): dpo-sap@pec-pwc.it
               Tel. +39 02 66734162
               Fax. +39 02 66734163

 

(c)         Purposes of the processing of personal data and legal grounds

Your personal data shall be processed:

(c.1) without your consent, by the Controller, as well as the Joint Controller, for the following purposes:

(i) Complying with specific pre-contractual or contractual obligations undertaken by us to you and/or to the legal entity for which you work (Article 6, letter b, GDPR);

(ii) Complying with national or EU laws and regulations, or executing orders or instructions given to the Controller and/or the Joint Controller by judicial authorities, oversight authorities or professional bodies (Article 6, letter c, GDPR);

(iii) Exercising the rights of the Controller and/or the Joint Controller, specifically defending themselves in court proceedings (Article 6, letter f, GDPR).

Based on the legitimate interests of the Joint Controllers (and of the other Italian and foreign legal entities of the PwC Network) to establish and maintain beneficial and optimal professional relationships with current and prospective clients (Article 6, letter f, GDPR), your personal data shall be processed by the Controller and/or by the Joint Controller for the following purposes:

(iv) Inviting you to events, meetings, workshops, roundtables, congresses (including professional training), identified as of specific interest to you, organised and managed by the Controller, by the Joint Controller and/or one or more of the other Italian entities of the PwC Network, independently or in cooperation with other entities identified from time to time in the invitations (brochures and/or presentations) that will be previously mailed or delivered to you to allow you to register for the event (hereinafter, respectively, the “Event(s)” and the "Partner(s) in the Event”); executing complementary activities following your registration for the Event, such as, for example, activities related to the organisation and management of the Event itself; if you attend, using your personal images that may have been collected in the course of the Event for possible publication on different (paper, tape and/or digital) supports, or through other means of communication or media, including websites, portals and social networks present on the internet;

(v) Sending you newsletters, publications, studies, survey results, market analyses or analyses of specific industries or businesses, and any other type of professional information material, identified as of specific interest to you, prepared or published by the Controller, by the Joint Controller and/or one or more of the Italian (and, in certain circumstances, foreign) entities of the PwC Network, independently or in cooperation with other entities identified from time to time in the specific document (hereinafter, the “Publications” and “Publication Partner(s)”, respectively);

Moreover, also on the basis of the legitimate interests of the Joint Controllers and of the other Italian and foreign entities of the PwC Network (article 6, letter f, GDPR), your personal data shall be processed without your consent by the Italian and foreign PwC entities for the following purposes:

(vi) Carrying out customer relationship management, consisting mainly in tracing and managing the relationships and interactions that Italian and foreign legal entities of the PwC Network, through the professionals belonging to it, develop with the ‘contacts’ of current and prospective clients, and any other persons/entities with whom/which PwC Network professionals have developed business relationships, for the purpose of understanding their needs and expectations, improving services offered, developing new services based on the market’s requirements, as well as growing the business. For those purposes the personal information of ‘contacts’, including your personal information, will be entered into special data bases owned by or available to the Controllers and will thus be made accessible to the other Italian and foreign entities of the PwC Network based in the countries listed on the following webpage: https://www.pwc.com/gx/en/about/office-locations.html. Where specific obligations of confidentiality or professional secrecy exist, as well as when there are particular reasons of expediency, your personal information will be made available, depending on the circumstances, solely to professionals of the Italian legal entities of the PwC Network (excluding foreign entities), or solely to the Controllers, i.e. solely to the members of the team of the Joint Controller assigned to the specific professional engagement. In any case, it is agreed that you may be contacted, for customer relationship management purposes, only through the professionals who operate within the Italian legal entity (Controller or Joint Controller) with which you have established the main relationship;

(vii) Complying with the policies and procedures adopted by the Controllers and/or by other Italian and foreign legal entities by virtue of their belonging to the PwC Network, also designed suitably to manage shared verification processes preliminary to the acceptance and correct performance of possible assignments and quality control processes as well as specific cooperation relationships between legal entities belonging to the Network.

(c.2) with your consent (Article 6, letter a, GDPR), for the following purposes:

(i) Inviting you to take part in surveys or to complete questionnaires (also relating to customer satisfaction) in the interests or for the benefit of the Controller, the Joint Controller and/or one or more of the other Italian entities of the PwC Network and conducting other activities consisting in the direct promotion of specific professional services by one or more of such entities;

 (ii) Allowing one or more of the foreign entities of the PwC Network to conduct the same activities listed above in item (i) of paragraph (c.2) and in items (iv) and (v) of paragraph (c.1).

(iii) Transferring your personal data to the Partner(s) in the Event and/or the Publications Partner(s), as already defined, who may use them, as independent Data Controllers, for marketing initiatives aimed at: promoting products or services, carrying out market research, performing statistical surveys, any further activities that these subjects will be required, pursuant to the current legislation on the protection of personal data, to communicate by means of a privacy notice.

Consent to the use of the data for the purposes listed in paragraph (c.2) above is optional, therefore you may decide not to give your consent, or to withdraw it at any time, using the following link.

 

(d)        Categories of personal data processed

For the purposes of processing listed in paragraph (c) above, only ‘common’ personal data shall be processed, such as for instance: given name and family name, fiscal code, VAT registration number, residence, domicile, place of work, email or certified email (PEC) address, telephone and telefax number, employer, company role and/or grade, etc.

 

(e)        Categories of recipients of the personal data

For the purposes of processing listed in paragraph (c.1) above, access to the personal data that you provide may be given to:

  1. Employees and freelancers of the Joint Controllers, in their capacity as persons entrusted with processing the data (“Persons authorised to process the personal data”);
  2. Judicial or supervisory authorities, public sector (domestic and foreign) administrations, bodies and organisations, and professional bodies;
  3. Professionals and advisors, also not belonging to the PwC Network, engaged by the Controller and/or by the Joint Controller to carry out activities related to the administrative management of the relevant corporate structure, the management of professional engagements or defence in court proceedings;
  4. Employees and freelancers of other Italian and foreign3 entities of the PwC Network in relation to customer relationship management, or to comply with shared policies and procedures, as mentioned in paragraph (c.1), items (vi) and (vii);
  5. Partner(s) in the Event or Publications Partner(s), as previously defined, as well as to third parties who carry out outsourced activities for the benefit of the Data Controller and/or the Joint Controller, for the execution of activities and services functional to the organization and/or management of the Event or the transmission of the Publications, in their capacity as Data Processors.

For the purposes of processing listed in paragraph (c.2) above, access to the personal data that you provide may be given to:

  1. If you consent to the use of your personal data in connection with paragraph (c.2), item (i), your personal information may be processed, for the purposes listed therein, by employees and freelancers of the Joint Controllers and/or of other Italian entities of the PwC Network, in their capacity as persons entrusted with processing the data (“Persons authorised to process the personal data”);
  2. In case you give consent to the use of your personal data in connection with paragraph (c.2), item (ii), your personal information may be processed, for the purposes listed in paragraph (c.2), item (i), and in paragraph (c.1), items (iv) and (v) of this Privacy Notice, also by foreign3 legal entities of the PwC Network;
  3. Should you give your consent to the use of your personal data in relation to the activities indicated in section (c.2) , point (iii), the data may be processed by the Partner(s) in the Event and/or the Publications Partner(s), for the purposes indicated therein.

 

(f)         Storage and transfer abroad of personal data

Personal data are managed and stored in the cloud and on servers located within and outside the European Union that are owned by and/or available to the Joint Controllers and/or third parties duly appointed as data processors.

Personal data may be transferred abroad to countries outside the EU in compliance with the regulations in force, as well as in accordance to the provisions adopted by the European Court of Justice and by national and foreign Authorities regarding the protection of personal data.

In the absence of consent, your personal data shall not be disseminated except as specified in paragraph (c.1), item (vi).

 

(g)        Period of storage of personal data

The personal data collected for the purposes listed in paragraph (c.1) above shall be processed and stored for the following lengths of time:

(i) In connection with complying with specific pre-contractual or contractual obligations to you by the Controller and/or by the Joint Controller: for a period of 10 years, increased by 12 months;

(ii) In connection with complying with national or EU laws and regulations, or the execution of orders or instructions from judicial or supervisory authorities, or professional bodies, as well as to enable the Controller and/or the Joint Controller to exercise its/their rights, specifically defending itself/themselves in court proceedings: for the statutory time limit established by the specific legislation applicable in the circumstances, increased by 12 months;

(iii) In connection with inviting you to Events, meetings, workshops, roundtables, congresses: for a period of 2 years after the organisation of the Event or other activities;

(iv) In connection with sending you newsletters, publications, studies, survey results, market analyses or analyses of specific industries or businesses, and any other type of professional information material: for no longer than 2 years after the last mailing date;

(v) In connection with customer relationship management: for a period of 6 months after the last interaction (e.g. exchange of e-mails, telephone call or meeting) attesting that an active relationship with the data subject is in place;

(vi) In connection with complying with the policies and procedures adopted by virtue of belonging to the PwC Network: for a period of 3 years after compliance with the requirements set out in those documents.

In connection with data processing for the purpose of the activities described in paragraph (c.2), such as inviting you to take part in surveys or to complete questionnaires as well as conducting other activities consisting in the direct promotion of specific professional services: your personal data shall be stored for no longer than 2 years from the date of your consent.

 

(h)        Rights of the data subject:

In compliance with the provisions of Chapter III, Section I, GDPR, you can exercise the rights indicated therein and in particular:

  • Right of access – The right to obtain confirmation as to whether or not personal data concerning yourself are being processed and, where that is the case, to obtain information, in particular about: the purposes of the processing, the categories of personal data processed and the period of storage, the recipients to whom the personal data may be disclosed (Article 15 of GDPR);
  • Right to rectification – The right to obtain, without undue delay, the rectification of inaccurate personal data concerning yourself and to have incomplete personal data completed (Article 16 of GDPR);
  • Right to erasure – The right to obtain, without undue delay, the erasure of your personal data, in the circumstances envisaged by GDPR (Article 17 of GDPR);
  • Right to restriction of processing – The right to obtain from the Joint Controllers the restriction of processing in the circumstances envisaged by GDPR (Article 18 of GDPR);
  • Right to data portability - The right to receive the personal data concerning yourself which you have provided to the Controller or the Joint Controller in a structured, commonly used and machine-readable format, and to have those data transmitted to another controller without hindrance, in the circumstances envisaged by GDPR (Article 20 of GDPR);
  • Right to object - The right to object to processing of personal data concerning yourself, unless legitimate grounds for the Controller or the Joint Controller continuing the processing exist (Article 21 of GDPR);
  • Right to file a complaint with the Authority - The right to file a complaint with the Italian data protection authority, Garante per la protezione dei dati personali. Information and contact details can be found on the authority’s website www.garanteprivacy.it).

You may exercise the above rights simply by sending an e-mail to the PEC address of the Data Protection Officer reported above, as well as by using the additional IT systems, adopted by the Joint Controllers and indicated in the cover letters related to the Privacy Notice, which will allow you to independently modify or revoke the consents previously expressed and, where possible, to re-evaluate your preferences regarding the data processing carried out by the Joint Controllers (e.g. mail-in and preference centers managed on IT platforms).

 

(i)             Method of processing

Processing of your personal data takes place through the operations listed in Article 4, item (2) of GDPR – whether or not with the help of information systems – specifically: collection, recording, organisation, structuring, updating, storage, adaptation or alteration, retrieval and analysis, consultation, use, disclosure by transmission, comparison, interconnection, restriction, erasure or destruction.

In any case, the logic security and physical safety and, in general, the confidentiality of the personal data processed shall be ensured, through all necessary, appropriate technical and organizational measures.

 

Notes

[1] Further information on the PwC Network and individual legal entities may be found on www.pwc.com.

[2] European Regulation 2016/679 of the EU Parliament and of the Council dated April 27, 2016, concerning the protection of natural persons with regard to the processing of personal data (“GDPR”).

[3] The list of countries where legal entities of the PwC Network are located may be found on https://www.pwc.com/gx/en/about/office-locations.html.

Follow us