Privacy statement

23/03/23

PwC’s processing of personal data in, and in conjunction with, client assignments

This information is directed towards PwC’s clients and describes the reasons behind, and manner in which, we process personal data in our operations.

By ”PwC” is meant the international PwC network and/or the Swedish PwC companies included in that network. Each PwC company in the network is an independent legal entity. For information regarding the companies included in the PwC network, click on this link. For further information regarding the network and its operations refer to www.pwc.com/structure and http://www.pwc.com/gx/en/about/office-locations.html.

By ”personal data” is meant all information which can be linked to a specific individual. When we refer to ”processing” or ”personal data processing” this can refer to both the handling, collection, storage, processing and/or erasing of personal data.

Within PwC, personal data is processed for a variety of reasons. The starting point in our operations is that all data processing is to be transparent and that information is to be able to be provided to the registered individual as to why, when and how such data processing can take place.

PwC in the role of Personal Data Controller

PwC is the Personal Data Controller in the processing of personal data within the framework of the following activities:

  • The provision of statutory and contractual audits and reviews.

  • The execution of administrative measures associated with client assignments.

  • In undertaking direct marketing measures vis-à-vis clients.

Statutory and contractual audits

In performing a statutory or contractual audit, PwC can process personal data in its audit of client information. This can take place through the audit of many different types of information, from salary files to minutes of the Board of Directors’ meetings and other documents regarding the operations of the client and any Group companies of the client. The personal data which is subjected to processing can be of such a nature as referring to the client’s owners and personnel, but can also refer to other individuals, such as the client’s customers and suppliers. The determination of the specific personal data that can be processed is dependent on the focus of the audit and, consequently, on the information which is the subject of the audit.

The following categories of personal data can be processed.

  • contact details such as the individual’s name, address, telephone number and e-mail address

  • data regarding employment, such as employee number, departmental affiliation, position and period of employment

  • data regarding absence due to illness, leave of absence or parental leave

  • trade union affiliation

  • personal identity number/co-ordination number

  • data regarding financial circumstances such as bank account details, data on salaries and other benefits, insurance details and registration number details for company cars

  • data regarding insurance policies and pensions, or

  • other categories of personal data required in complying with the performance of an audit on the basis of generally accepted auditing standards and professional ethics for accountants in Sweden.

The legal basis of this processing is that such processing is necessary in order that PwC, and when applicable an auditor elected to personally serve as auditor, can fulfil their obligations according to the Engagement Letter and applicable laws and regulations, as well as in accordance with generally accepted auditing standards and professional ethics for accountants in Sweden. The personal data will be processed during the period required to perform the audit assignment. After this point in time the auditor’s working papers are saved for eleven (11) years from the date on which the audit was completed.

 

Administrative measures associated with the client assignment

Registration of contact details in PwC’s client register and checks on data regarding the client’s representatives.    

In preparation for, and during, the performance of the assignment, PwC will process names and contact details of the client’s representatives registered in PwC’s client register in order to be able to administer the assignment. Furthermore, PwC will process personal data referring to the client’s representatives in order to perform checks on independence and anti-money laundering measures, as well as regards other risk management measures. The legal basis for processing of personal data in the client register is that PwC is to be able to fulfil its obligations according to the Engagement Letter. The legal grounds for checks on independence and anti-money laundering measures is that these checks are necessary in order that PwC can fulfil its obligations according to the law; the Swedish Auditors Act (2001:883) and the Swedish Money Laundering and Terrorist Prevention Act (2017:630).

The legal grounds for processing of other risk management measures is that PwC, in a consideration of interests, has the legitimate interest to process the data with the aim of minimizing the risks in their operations. The data that can be processed is names, personal identity numbers/dates and places of birth, addresses, telephone numbers and e-mail addresses to workplaces and possible data regarding department-affiliation and work positions. The personal data in the client register will be saved for a period of twelve (12) months after the end of the Engagement Letter. Personal data referring to checks of independence and anti-money laundering measures will, however, be saved during a period of five (5) years after the termination of the Engagement Letter. If it is a question of an audit client, the personal data referring to checks of independence and anti-money laundering measures will be saved in the auditor’s working papers during a period of eleven (11) years from the end of the year in which the audit was completed.

Follow-up of the assignment and statistics

After an assignment has been completed, PwC will process the names and contact data of the client’s representatives in following-up the assignment and in producing overall statistics. The legal grounds for this processing is that PwC, in a consideration of interests, is seen to incur a legitimate interest in processing personal data in order to evaluate the client’s satisfaction with the assignment. This processing will take place within the framework of the contractual relationship for a period of twelve (12) months after the termination of the contractual relationship. After this point in time, the information will be erased. However, produced statistics will be designed in such a manner that the data cannot be linked to the registered individuals. Ensuring that the data is, in this manner, anonymous implies that the data, after such a measure, no longer comprises personal data, and such anonymous information will be stored until further notice.

Supervision and quality controls

As a registered auditing firm, PwC is under the supervision of, and is subject to, regular quality controls. Against this background, PwC is obliged to store its working papers produced in performing its assignments. Within the framework of this supervision, personal data which PwC has previously received and processed within the framework of the assignment can be processed again, but with the aim of controlling the quality of the performed work. The legal grounds for this processing is that this processing is necessary for PwC to comply with its obligations according to the Swedish Auditors Act (2001:883). The data will be stored during eleven (11) years from the end of the year in which the audit was performed. 

Determine, enforce, alternatively, defend PwC’s legal entitlement

PwC will store its working papers not only to comply with the statutory requirements of supervision and quality control, but also to be able to determine, enforce and defend its legal entitlement against legal claims. The legal basis for archiving data is that PwC, in the case of a consideration of interests, has a legitimate interest to store working papers should a claim for damages or a dispute on fees arise, and, consequently, PwC is required to determine, enforce or defend its entitlement. The personal data will be saved during eleven (11) years from the end of the year in which the assignment was completed.

Direct marketing measures

Direct marketing based on consideration of interests

With the aim of undertaking direct marketing activities regarding PwC’s offering of services to both existing and potential clients, PwC can process personal data regarding clients’ representatives. The legal basis for processing data in this context is a consideration of interests, in which PwC has a legitimate interest in providing, during a limited period of time and to a limited degree, information, and in offering various market activities to a select target group. The data which can be processed is names, addresses, telephone numbers and e-mail addresses to workplaces and possible data regarding departmental affiliation and work positions.

Such information and offerings can be provided per telephone, letter, e-mail, SMS and/or similar communication channels used in electronic communication. In the case there is an Engagement Letter between the registered individual’s employer and PwC, the processing will take place on the basis of the contractual relationship stipulated in the Engagement Letter and during a period of twelve (12) months after the contractual relationship has ceased. In the case such a contractual relationship does not exist, the personal data will be processed during a period of three (3) months. The registered individual has the right to, at any point in time, object to this processing.

Direct marketing based on consent

In the case PwC wishes to continue to process personal data attributable to client representatives of potential and previous clients (as regards the latter, this refers to clients where the contractual relationship has been terminated for more than twelve (12) months) and a further three (3) months has passed since that time, there is a requirement of consent on behalf of the registered individual. If the registered individual has provided consent, then, such consent comprises the legal grounds for such processing.

If the registered individual has voluntarily provided their personal data for a certain purpose and, in conjunction with this, has been informed of the processing, the registered individual will be seen to have provided their consent to the processing. The data which can be processed is names, addresses, telephone numbers and e-mail addresses of workplaces and possible data regarding departmental affiliation and work positions. The information and offering of marketing activities can be provided by telephone, letter, e-mail, SMS and/or similar communication channels used in electronic communication. The processing will take place during the period during which the consent has not been withdrawn by the registered individual. 

Execution of marketing activities

If the registered individual has actively applied to participate in a marketing activity (event, lecture, seminar or similar activity), PwC will process their name and contact data with the purpose of being able to send out a notice of the event, list of participants and material, prior to and after the activity. In the case that meals are to be served during the activity, details regarding special food requirements may need to be processed. The legal basis for this processing is that it is necessary in order to perform the activity. In addition, PwC can follow-up, after the activity has taken place and through PwC’s sales and marketing department, the information regarding the individuals participating in the activity.

This follow-up is undertaken by the sales and marketing department being provided with participant lists and, in this manner, the sales and marketing department can undertake direct marketing vis-à-vis those participants. The legal basis for this processing is, that in a consideration of interests, PwC’s legitimate interest in providing direct offers regarding PwC’s services to participants is ensured. The participant list is saved for administration and follow-up during a maximum period of six (6) months. A participant list can also, in certain cases, comprise material/documentation to be used in PwC’s accounting and bookkeeping of possible representation expenses, etc.

Media production and marketing

With the aim of marketing PwC and spreading knowledge regarding its operations, PwC can process personal data in the form of images – both still and moving – and recorded messages. This processing is undertaken on the basis of specific and informed consent provided by the registered individual. This processing will take place during the period during which such consent is in effect, that is, as long as the consent has not been withdrawn by the registered individual. The registered individual has the right to, at any point in time, object to this processing and, thereby, withdraw their consent.

Website interaction

In visiting PwC’s websites, information from browsers can be both collected and stored, usually in the form of cookies, with the aim of optimizing both the function and experience of the website. The information is usually comprised of the website visitor’s preferences and information regarding the unit from which the visit takes place. However, there is no identification of the visitor. Even if there is no identification of the visitor, there is a requirement of specific and informed consent from the website visitor in order that PwC can use the cookies. If the website visitor has provided consent, such consent comprises the legal grounds for the processing. Further information as regards the cookies which PwC processes, and how long the information from the cookies is saved, can be found on the following website: https://www.pwc.se/cookies.

PwC in the role of Personal Data Processor

Non-audit advisory services and consulting assignments

Usually PwC serves as Personal Data Processor in processing personal data within the framework of independent non-audit advisory services (independent in relation to the assistance and advice provided in performing the audit) and within consulting assignments. This implies that all processing of personal data takes place on the basis of the client’s specific instructions. It is the client who is the Personal Data Controller in relation to the registered individuals. The personal data which can be processed is dependent on the nature and focus of the assignment. Consequently, in these assignments a Personal Data Processor agreement is established regulating the categories of data which can be processed, the purpose of the processing and the manner in which it is to take place. 

 

Exceptions from PwC’s role as Personal Data Processor

In processing personal data within the framework of tax advisory services, pension advice and other associated services to private individuals, PwC is the Personal Data Controller. In these assignments, and with the help of special systems solutions, PwC is provided with personal data directly by the individuals concerned. Information regarding PwC’s processing of this data is provided to the individuals in conjunction with the performance of these types of assignments.  

Rights of the data subject

Right to access to personal data being processed (so-called register extracts)

The registered individual has the right to request receipt of a confirmation from PwC that PwC processes personal data pertaining to the individual and, in such a case, they can request access to the personal data in the form of a so-called register extract. 

Right to rectification of data

If the registered individual believes that data referring to them is incorrect or incomplete, they also have the right to request rectification of such incorrect or incomplete data. 

Right to object to processing based on consent

If it is a question of processing of the registered individual’s personal data for direct marketing purposes, the registered individual has the right to, at any point in time, object to this and can request that they be deleted from the register as regards any future distribution. Such request is to be notified to PwC by, for example, clicking on the deletion link in the electronic information which has been sent out to the individual. 

Right to object to processing based on PwC’s legitimate interest

In addition to the above rights, the registered individual also incurs, to the degree allowed by applicable data protection legislation, the right to object to processing based on PwC’s legitimate interests. However, PwC can continue to process the registered individual’s data, in spite of their objection to such processing, if PwC has imperative grounds for such processing which outweigh the interest of data integrity.

Right to request limitation or erasure, alternatively right to object to processing and data portability

Under certain premises the registered individual also has the right to request limitation or erasure of their personal data, or they can incur the right to object to the processing. In addition, the registered individual also has the right to receive a copy of the personal data pertaining to them which they have provided to PwC. This is to be provided in a structured, generally usable and machine readable format (data portability) for transfer to another Personal Data Controller.

 

Security measures

Goal

PwC’s goal is to ensure the protection of personal integrity and undertake all technical and organizational measures required to protect personal data and ensure that the processing takes place according to applicable data protection regulations and internal guidelines, policies and routines for handling personal data. This implies that only those individuals requiring access to the data in order to perform their work duties have access to the data. A more detailed description of PwC’s security measures can be received by sending a request for this information to PwC.

Transfer and sharing of personal data

In order to fulfil the purposes of PwC’s processing of personal data as described above, PwC contracts, as applicable, IT services and systems suppliers who process personal data on behalf of PwC. These services and systems suppliers may only process personal data according to PwC’s specific instructions and may not use the data for their own purposes. They are also obliged by law and contractually to undertake the appropriate technical and organizational security measures required to protect the data. 

In certain cases, PwC can share personal data with recipients other than those stated above, with the purpose of complying with applicable laws and regulations, in response to a request, or in the context of an injunction from an authorized court or authority, as well as when ensuring PwC’s legitimate interest in determining, enforcing and defending itself against legal claims. 

PwC can also transfer personal data to recipients located in countries outside the EU/EEA who do not have the same level of protection as regards personal data as is provided in the EU. In order to ensure that the personal data is covered by appropriate safeguards, PwC has entered into data transfer agreements, including the EU Commission’s standard clauses, with recipients, or has ensured that there are other appropriate protection measures in place. In contacting PwC, a registered individual has the right to request a list of the countries to whom PwC transfers personal data including a statement of the category of recipient and a copy of EU’s standard clauses. 

See below for contact details.

 

Contact details

Please submit a request to exercise a legal right in relation to your personal data, or an enquiry if you have a question or complaint about the handling of your personal data. You can also get in contact via email address se_personuppgiftsombudet@pwc.com.

or postal address:

PwC
Personuppgiftsombudet
113 97 Stockholm

The registered individual also has the right to present complaints to the Swedish Authority for Privacy Protection.
