PwC's Data Privacy Framework Policy

Download PDF

Overview

As set forth in PwC's Global Code of Conduct: "We respect the confidentiality and privacy of our clients, our people and others with whom we do business."

PricewaterhouseCoopers LLP and its United States subsidiaries and affiliates (“PwC”) comply with the requirements of the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce (collectively, the “DPF”). PwC has certified to the U.S. Department of Commerce that it adheres to the DPF Principles with respect to personal information (as described below) that is transferred from the European Union and its Member States, the European Economic Area, the United Kingdom (and Gibraltar), and/or Switzerland to the United States. If there is any conflict between the terms in this DPF Policy or another applicable privacy policy and the DPF Principles, the DPF Principles shall govern. To learn more about the Data Privacy Framework and to view PwC’s certification, please visit https://www.dataprivacyframework.gov.

This DPF Policy applies to personal information within the scope of PwC’s DPF certification, which covers the following categories of information:

  • Personal information regarding current, former and prospective partners, principals and employees for the purposes of operating and managing PwC, performing human resource administration and maintaining contact with individuals.
  • Personal information regarding current, former and prospective clients and their personnel, customers, or other data subjects for the purposes of delivering PwC services, maintaining ongoing relationships and performing business development activities.
  • Personal information regarding our suppliers, service providers, and other third parties, and their personnel for the purposes of managing and administering PwC’s business relationships with such third parties.
  • Personal information collected from members of the general public in order to answer inquiries or provide information requested.

Certain personal information covered by PwC’s DPF certifications may also be subject to more specific privacy policies of PwC. For example:

  • Certain PwC websites maintain their own privacy policies that apply to personal information collected via those sites. These policies may be accessed through those websites.
  • Personal information obtained from or relating to clients or former clients is further subject to the terms of any specific privacy notice provided to the client, any contractual arrangements with the client and applicable laws and professional standards.

Personal information covered by this DPF Policy is collected and processed only as permitted by the DPF Principles. Notice to individuals regarding the personal information collected from them and how that information is used may be provided through this DPF Policy, other PwC privacy notices, or other direct forms of communication with appropriate parties, such as contracts or agreements. Where necessary and appropriate, consent for personal information to be collected, used, and/or transferred may also be obtained through these same means (including opt-in consent for sensitive personal information).

PwC collects and processes personal information only to the extent that it is compatible with the purposes for which it was collected or subsequently authorized by the data subject. PwC does not retain personal information after it no longer serves the purposes for which it was collected or subsequently authorized. PwC takes reasonable steps to ensure that personal information is accurate, complete, current, and reliable for its intended use.

Accountability for Onward Transfers

Consistent with the DPF Principles, PwC may transfer personal information to third parties, including transfers from one country to another. We will only disclose an individual’s personal information to third parties under one or more of the following conditions:

  • The disclosure is to a third party providing services to PwC, or to the individual, in connection with the operation of our business, and as consistent with the purpose for which the personal information was collected. We maintain written contracts with these third parties and require that these third parties provide at least the same level of privacy protection and security as required by the DPF Principles. To the extent provided by the DPF Principles, PwC remains responsible and liable under the DPF Principles if a third party that it engages to process personal information on its behalf does so in a manner inconsistent with the DPF Principles, unless PwC proves that it is not responsible for the matter giving rise to the damage;
  • With the individual’s permission to make the disclosure;
  • Where required to the extent necessary to meet a legal obligation to which PwC is subject, including a lawful request by public authorities and national security or law enforcement obligations and applicable law, rule, order, or regulation; 
  • Where reasonably necessary for compliance or regulatory purposes, or for the establishment of legal claims.

Individual rights

Individuals whose personal information is covered by this DPF Policy have the right to access the personal information that PwC maintains about them as specified in the DPF Principles. Individuals may contact us to correct, amend or delete such personal information if it is inaccurate or has been processed in violation of the DPF Principles (except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the individual’s privacy, or where the rights of persons other than the individual would be violated). Individuals may also have the right to limit the use and disclosure of their personal information (opt out) under certain circumstances, such as marketing. Requests to access, correct, amend, delete, or limit the use and disclosure of personal information (opt out) may be submitted using our request form.

Security

PwC takes appropriate measures to protect personal information in its possession to ensure a level of security appropriate to the risk of loss, misuse, unauthorized access, disclosure, alteration, and destruction. These measures take into account the nature of the personal information and the risks involved in its processing, as well as best practices in the industry for security and data protection.

Enforcement

In compliance with the DPF Principles, PwC commits to resolve complaints about our collection or use of your personal information. Individuals with inquiries or complaints regarding our DPF Policy should first contact PwC's US Privacy Office. PwC has a policy of responding to individuals within forty-five (45) days of an inquiry or complaint. If an individual has an unresolved complaint or concern that is not addressed satisfactorily, that individual may contact our U.S. based third party dispute resolution provider (free of charge), the International Centre for Dispute Resolution/American Arbitration Association ("ICDR/AAA"). Please contact or visit ICDR/AAA for more information or to file a complaint.

If the dispute involves human resources personal information or information collected in the context of an employment relationship, we will cooperate with the competent EU, UK, or Swiss data protection authorities and comply with the advice of such authorities.

You may have the option to select binding arbitration under the EU-U.S. Data Privacy Framework Panel for the resolution of your complaint under certain circumstances. PwC is also subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. 

Modifications

PwC may update this DPF Policy at any time by publishing an updated version here, however we will not update this DPF Policy in contravention of the DPF Principles.

Last updated: September, 2023

Follow us