PwC’s privacy policy

PricewaterhouseCoopers Statsautoriseret Revisionspartnerselskab ("PwC", "we", "us" or "our") is committed to protecting the confidentiality, integrity and availability of information about our clients and other relations. We are strongly committed to protecting personal data and continuously strive to ensure ongoing compliance with data protection law.

This privacy policy provides information about PwC’s processing of personal data when PwC is acting as data controller.  

For certain services, PwC acts as data processor. This applies, for example, to certain assistance services and administration of whistleblower schemes. In cases where PwC acts as a data processor, PwC acts on instructions from the data controller and in accordance with a data processor agreement, therefore this privacy policy does not apply in these cases.

1. Data controller

The legal entity responsible for the processing of personal data undertaken by PwC is:

PricewaterhouseCoopers Statsautoriseret Revisionspartnerselskab
CVR-no. 33 77 12 31
Strandvejen 44
DK-2900 Hellerup
Danmark.

Contact information:
Att.: OGC (Inhouse Legal)
Strandvejen 44, 2900 Hellerup
Phone: +45 3945 3945
Email: dk_databeskyttelse@pwc.com

2. Our processing activities

In the sections below,  you can read more about which categories of personal data we process, for what purposes, and on which legal basis, with reference to the General Data Protection Regulation (GDPR) and/or the Data Protection Act (DPA).

Purpose
The purpose is to manage our engagements with our clients, this includes creating the client and the engagement, , carrying out quality assurance and control, to communicate with the client, its management and employees as well as invoicing.

Furthermore, the purpose is to be able to manage and develop our business and services, operate and maintain our IT systems made available to or used as part of the servicing of the client, and carry out statistical processing.

Data subject
The client, its owners, management, and/or its employees, if any.

Categories of personal data
We process general personal data about all data subjects, including contact information, job title, company name, company address, and information about the data subjects' relation to PwC.

Legal basis
The processing of personal data about the client is necessary in order to perform the agreement with the client or in order to take steps at the request of the client prior to entering into the agreement, see Art. 6(1)(b) of the GDPR.

Furthermore, the processing of personal data about the client, its owners, management and/or its employees, if any, is necessary in order for us to pursue a legitimate interest in managing the client cooperation, managing and developing our business and services, operating and maintaining IT systems made available or used as part of our servicing of the client, and processing data for statistical purposes, see Art. 6(1)(f) of the GDPR.

Source
The client, the client’s owners, the management, and/or the client’s employees, if any.

Duration of processing
We process the personal data for ten years, counting from the end of the calendar year in which the last job/engagement is completed, unless special circumstances require longer periods of processing, e.g. if a case is pending or we are legally required to do so.

Recipients, including third country transfers
We engage with data processors, including IT suppliers, to whom we make personal data available. PwC enters into data processing agreements with all data processors to ensure appropriate security.

PwC discloses personal data to professional advisers, including accountants and public authorities, in the event that PwC is required to do so, see GDPR Art. 6(1)(c). 

In regard to clients with activities outside of Denmark, we may transfer personal data to PwC firms in the PwC Network located within and outside the EU/EEA, GDPR Art. 6(1)(b) and Art. 6(1)(f). All PwC firms in the PwC Network have entered into an Intra Network Transfer Agreement (INTA) based on the EU-Commission's standard contractual clauses. The INTA is updated regularly and latest in 2022. You can at any point contact PwC and request a copy of the standard contractual clauses. 

Purpose
The purpose is to ensure the completion of the statutory client due diligence procedure.

Data subject
The ultimate business owners or the daily management of the client.

Categories of personal data
We process general confidential personal data included in identity documents, such as health insurance card and passport or driving licence, including national identification number. We store copies of such documents. Furthermore, we collect general personal data about politically exposed persons (PEP) and their relations.

Legal basis
PwC is subject to the provisions of the Danish Act on Measures to Prevent Money Laundering and Financing of Terrorism (Hvidvaskloven). We process the personal data in accordance with the client identification procedures of the said Act, see sections 11-21, in particular section 11(1)(i), which must be performed to comply with a legal obligation to which PwC is subject, see Art. 6(1)(c) and Art. 87 of the GDPR, and section 11(2)(1) of the DPA.

Source
The client, the ultimate business owners, or the daily management of the client. Additionally , we collect information from the Central Business Register (virk.dk), Dun & Bradstreet, and public media.

Duration of the processing
We process the personal data for five years, counting from the end of the calendar year in which the engagement with the client terminates or the individual transaction is executed, unless special circumstances require a longer period of processing, e.g. if a case is pending or we are legally required to do so.

Recipients, including third country transfers
PwC may be ordered to disclose personal data to public authorities. Where a suspicion of money laundering or terrorist financing cannot be rebutted, PwC is obligated to report and pass on the information to the Danish State Prosecutor for Serious Economic and International Crime and any other supervisory authority under section 26 of the Danish Act on Measures to Prevent Money Laundering and Financing of Terrorism, see GDPR Art. 6(1)(c) and Art. 9(2)(f). 

To the extent that PwC engages another PwC firm as subcontractor, PwC may disclose anti-money laundering documentation to such a firm located within the EU/EEA in order for such foreign PwC firm to comply with its legal obligations, cf. GDPR Art. 6(1)(c) and Art. 9(2)(f).

Additionally, the disclosing of national identification number is a natural element of the ordinary operation and the disclosure is of decisive importance for unique identification of the data subject, see Art. 78 of the GDPR, cf. Section 11(2)(3) of the DPA.

Moreover, we engage data processors, including IT suppliers, to whom we make personal data available. PwC enters into data processing agreements with all data processors to ensure appropriate security.

Purpose
The purpose is to perform statutory audits and other assurance statements. 

Data subject
The client, its management, employees and client’s customers, vendors, and other relations.

Categories of personal data
We process general personal data, including contact information and financial information about all data subjects. In some cases, we process national identification numbers of the client, its employees, and its management.  

Legal basis

The processing of general personal data about the client is necessary for the performance of the contract with the client, see GDPR Art. 6(1)(b). 

Furthermore, the processing of general personal data and general confidential personal data about all data subjects, including information on criminal offences and suspicion thereof, is necessary to comply with a legal obligation under section 23(1), see section 1(2) of the Danish Act on Approved Auditors and Audit Firms (Revisorloven), and generally accepted auditing principles in accordance with section 16(1) of the said Act in connection with the provision of assurance reports, see Art. 6(1)(c) of the GDPR as well as Art. 10 of the GDPR, cf. Section 8(3) of the DPA.

In addition, the processing of general personal data about all data subjects is necessary in order for PwC to perform quality management and control, see Art 6(1)(f) of the GDPR.

Finally, we process national identification number if required by law or when reporting on behalf of the client where such disclosure is a natural element of the ordinary operation and the disclosure is of decisive importance for unique identification of the data subject, see Art. 78 of the GDPR, cf. Sections 11(2)(1) and 11(2)(3) of the DPA.

Source
The client or its management and employees.

Duration of the processing
We process the information for five to ten years, depending on the storage obligations applicable to PwC in connection with an audit, counting from the end of the calendar year in which the assurance report is made, unless special circumstances require longer periods of processing,  e.g. if a case is pending or we are legally required to do so.

Recipients, including third country transfers
PwC will solely disclose personal data to the client and foreign audit firms, to enable the provision of services by such firms to affiliates of the client, see GDPR Art. 6(1)(c), cf. Danish Act on Approved Auditors and Audit Firms (Revisorloven) § 30.

Note that if we transfer personal data to PwC firms located outside the EU/EEA, we have entered into an Intra Network Transfer Agreement (INTA) based on the EU-Commission's standard contractual clauses. The INTA is updated regularly and latest in 2022. You can at any point contact PwC and request a copy of the standard contractual clauses.

In addition, we engage with data processors, including IT suppliers, to whom we make personal data available. PwC enters into data processing agreements with all data processors to ensure appropriate security.

Purpose
The purpose is to provide consulting and assistance to the client within PwC’s business area, including legal advice, tax advice, consultant- and transaction services, as well as accounting assistance.

Data subject
We process personal data about the client, the owners, management, and employees of the client, as well as the client's clients, vendors, and other business relations.  

Categories of personal data
We process general personal data, including contact information about all data subjects.. 

In regard to advice within employment law, we process general confidential personal data about the client, its management and employees, including information about salary and employment as well as other financial information, national identification number, information about criminal offences or suspicions thereof as well as special categories of personal data, including information about health.

In regard to tax advice, we process general personal data about the client, its management and employees, client’s clients, suppliers and other business relations, as well as the client’s employees children, this includes contact information, financial information, national identification number, as well as special categories of personal data.

In regard to due diligence tasks and advising within transaction services we process general personal data, including financial information about the client, its management and employees, client’s clients, vendors and other business relations. For some due diligence tasks we may additionally process national identification number, information about criminal offences or suspicions thereof as well as special categories of personal data.

In regard to forensic services, we additionally process general confidential personal data about the client’s clients, including information about criminal offences or suspicions thereof.

In regard to digital services we may additionally process general confidential personal data, including national identification number, information about tax, and economic information about the client’s employees and vendors.

In regard to advising on whistleblower schemes, we may additionally process general confidential personal data, including contact information, information about criminal offences or suspicions thereof, as well as special categories of personal data regarding the client, client’s owners, management and employees, as well as client’s clients, suppliers and other business relations, including the person who reported the matter within a whistleblower scheme.

Legal basis
The processing of general personal data about the client is necessary in order to perform the agreement with the client, see Art 6(1)(b) of the GDPR. The processing of general personal data about other data subjects is necessary in order for PwC to perform the services to the client, see Art 6(1)(f) of the GDPR.

In regard to processing personal data about criminal offences or suspicions thereof in relation to advising within employment law, due diligence, transaction services, forensics and advising in relation to whistleblower schemes, PwC is pursuing a legitimate interest of PwC or the client in uncovering actual or potential violations of the law, or other serious offences, see Art. 10 of the GDPR, cf. Section 8(3) of the DPA.

In regard to advising within employment law, tax law, and in relation to due diligence and transaction services as well as advising within whistleblower schemes we process special categories of personal data when necessary for the establishment, exercise or defence of legal claims, see Art. 9(2)(f) of the GDPR. When advising in relation to a whistleblower scheme, the personal data can additionally be published by the data subject, see GDPR Art. 9(2)(e), or the processing can be necessary for reasons of substantial public interest, see Art. 9(2)(g) of the GDPR.

We process national identification number in relation to advising within employment law, tax law, and in relation to due diligence and transaction services as well as digital services, if required by law or when reporting on behalf of the client, and the disclosure is of decisive importance for unique identification of the data subject, see Art. 78 of the GDPR, cf. Sections 11(2)(1) and 11(2)(3) of the DPA.

Source
We receive personal data from the client or the management and/or employees of the client.

For advice in relation to whistleblower schemes, we collect the personal data from the reporting person, who may choose to be anonymous. Additionally, we may collect personal data from other people involved in a reported whistleblower matter..

Duration of the processing
Generally, the personal data is processed for five years, counting from the end of the calendar year in which the client relationship is terminated, unless special circumstances require a longer period of processing, e.g. if a case is pending or we are legally required to do so. 

For engagements concerning tax advice, personal data is processed for ten years, counting from the end of the calendar year in which the client relationship is terminated.

Recipients, including third country transfers
For tasks regarding tax advising, we disclose personal data to public authorities for registration or identification purposes when necessary to provide the service, see GDPR Art. 6(1)(b), Art. 6(1)(f), and GDPR Art. 78, cf. DPA Section 11(2)(1) and (3).

Furthermore, in relation to advising on a reported matters under a whistleblower scheme as well as due diligence and transactional services, we may disclose personal data to counterparties, representatives, including lawyers and other advisers, if this is necessary to provide the service, see GDPR Art. 6(1)(b) and Art. 6(1)(f).

We may, within all services, also disclose personal data to other PwC firms in the PwC Network located within as well as outside the EU/EEA, if it is necessary to provide the service, see GDPR Art. 6(1)(b) and Art. 6(1)(f). An Intra Network Transfer Agreement (INTA) based on the EU Commission's standard contractual clauses has been concluded between all PwC firms in the PwC Network. It is updated continuously and at the latest in 2022. You can at any point contact PwC and request a copy of the standard contractual clauses. 

We engage with data processors, including IT suppliers, to whom we make personal data available. PwC enters into data processing agreements with all data processors to ensure appropriate security.

Purpose
The purpose is to administer registration, arrange events and courses and to keep in touch with the participants before, during and after the events and courses.

Data subject
The participants and the speaker.

Categories of personal data
We process general personal data, including contact information, job titles, company names, and central business registration numbers.

Legal basis
The processing of personal data is based on the participants’ consent, see Art. 6(1)(a) of the GDPR, or if necessary for the performance of a contract to which the data subject is a party, see Art. 6(1)(b) of the GDPR

Furthermore, the processing is necessary in order for PwC to organise, execute, and evaluate courses and events, see Art. 6(1)(f) of the GDPR. 

Source
The participants and the speaker.

Duration of the processing
We process the personal data for five years, counting from the date of the course or event.

Recipients, including third country transfers
We disclose personal data to business partners and/or instructors/speakers, if any, see GDPR Art. 6(1)(b) and Art. 6(1)(f). Additionally, we disclose personal data to the other participants in the course or the event, see GDPR Art. 6(1)(f).

PwC engages with data processors, including IT suppliers, to whom we make personal data available. PwC enters into data processing agreements with all data processors to ensure appropriate security.

Purpose
The purpose is to administrate, organise, evaluate and benchmark the event ‘Årets Ejerleder’ (Owner-Manager of the year).

Data subject
Each Owner-Manager, members of the jury, and the speakers.

Categories of personal data
We process general personal data about the Owner-Manager, including contact information, company name, company address, photos, films, and other general personal data. Moreover, we process general personal data about jury members and presenters, including contact information, job title, company name and company number.

Legal basis
The processing of personal data about the Owner-Manager is based on the consent of the Owner-Manager, see Art. 6(1)(a) of the GDPR.

The processing of personal data about jury members and presenters is necessary in order to perform the agreements with the jury members and presenters, see GDPR Art. 6(1)(b).

Furthermore, the processing of personal data about the Owner-Manager, jury members and presenters is necessary in order to pursue our legitimate interest in administering, organising, carrying out, and subsequently evaluating the event, see Art. 6(1)(f) of the GDPR.

Source
Each Owner-Manager, members of the jury, and the speakers.

Duration of the processing
We process the personal data for up to three years, counting from the date of the event (the final election of Owner-Manager of the year).

Recipients, including third country transfers
We disclose personal data about the Owner-Manager to business partners, members of the jury, and various news media. Additionally, we publish pictures and films in which the Owner-Manager may appear if consent is given.

We engage with data processors, including IT suppliers, to whom we make personal data available. We enter into data processing agreements with all data processors to ensure appropriate security.

Please note that if the individual application links to third-party content, the processing carried out by such third-party is not covered by PwC's privacy policy. We encourage you to review the privacy policy of each such website.

Purpose
The purpose is to be able to run and administer PwC’s applications, this includes the application’s features being available to the users, and that PwC can improve the user experience regarding the content. Moreover, PwC wants to be able to communicate with users.

The purpose of the individual application will appear from the application itself.

Data subject
The user of the application.

Categories of personal data
We process general personal data, such as contact information and company name.

Legal basis
The processing of personal data is necessary in order to perform the agreements with the users about delivery of the applications, see Art. 6(1)(b) of the GDPR.

Moreover, the processing is necessary in order to pursue our legitimate interest of being able to run and administer the application and improve the user experience, see Art. 6(1)(f) of the GDPR.

Source
The user of the application.

Duration of the processing
We process the information as long as the user has an active user profile, unless the individual application says differently. 

Recipients, including third country transfers
We do not disclose personal data, unless the user utilises functions with third party content, but we use data processors, including IT suppliers, to whom we make personal data available. PwC enters into data processing agreements with all data processors to ensure appropriate security.

Purpose
The purpose is to launch marketing initiatives, including target communication to our relations. Additionally, the purpose is to build and manage strong relationships with our existing and potential clients.

Data subject
Our relation with an existing or potential client.

Categories of personal data
We process general personal data, including contact information, job title, and company name. 

Legal basis
The processing is necessary to pursue our legitimate interest, including our interest in branding our firm, as well as our interest in targeting material distributed by PwC, see Art. 6(1)(f) of the GDPR.

Source
The relation, e.g. via auto signature, business card etc. We may also collect information from our employees or via publicly available sources, such as the central business register (cvr.dk) or LinkedIn.

Duration of the processing
We process personal data for five years, counting from our most recent dialogue with the relation.

Recipients, including third country transfers
We engage with data processors, including IT suppliers, to whom we make personal data available. PwC enters into data processing agreements with all data processors to ensure appropriate security.

We disclose personal data to other PwC firms in the PwC Network located within the EU/EEA as well as outside, see GDPR Art. 6(1)(f). All PwC firms in the PwC Network have entered into a Intra Network Transfer Agreement (INTA) based on the EU-Commission's standard contractual clauses. The INTA is updated regularly and latest in 2022. You can at any point contact PwC and request a copy of the standard contractual clauses

Purpose
The purpose is to establish and maintain a relationship with candidates selected by PwC at employer branding events with a view to future recruitment.

Data subject
The candidate.

Categories of personal data
We process general personal data forwarded by candidates, including contact information, data in applications, curriculum vitae, references, exam papers, photos, and other supporting documents.

Legal basis
The processing of personal data is necessary in order to pursue our legitimate interest in processing and assessing the candidate for subsequent recruitment processes, see Art. 6(1)(f) of the GDPR.

Source
The candidate.

Duration of the processing
We process the personal data for up to six months, counting from the date of collection.

Recipients, including third country transfers
We do not disclose the personal data to third parties, but in some cases we engage data processors, including IT suppliers, to whom we make personal data available. PwC enters into data processing agreements with all data processors to ensure appropriate security.

Purpose
We process personal data in order to deliver newsletters. When signing up for PwC's newsletter, personal data is collected for use in profiling and analysis, which will help targeting and organise the content of newsletters, for example, in which order the news should be presented in the newsletter. We carry out profiling by compiling information about the recipient's behaviour on our website and in newsletters, enabling us to ensure that the content is always relevant for the individual recipient.

Data subject
The recipient of PwC's newsletters.

Categories of personal data
We process general personal data, including contact information, company name, company address, job title, information about who opens the newsletter and when (date and time), which links are clicked on and when (date and time), whether it is done from a mobile device, operating system, browser, email client, IP address and location (city).

Legal basis
We process the information based on the  recipient's consent, which was given when signing up for the newsletter, see Art. 6(1)(a) of the GDPR.

Source
The recipient of PwC's newsletters and PwC's supplier.

Duration of processing
We process the information from the time the recipient gives consent and until it is revoked. We process information about the consent for two years, counting from the time of revocation in order to document the consent.

Recipients, including third country transfers
PwC uses an external service for sending newsletters. We thus engage data processors, including IT suppliers, to whom we make personal data available. PwC enters into data processing agreements with all data processors to ensure appropriate security.

Purpose
We process personal data in order to provide a certain service,such as, booking of meetings, requests for PwC to contact the visitor, newsletter signup or participation in online chats. Moreover, PwC collects personal data for the purpose of remembering the visitor's settings, making traffic measurements, tracking the visitor's use of the website, and targeted marketing.

Data subject
The visitor of the website.

Categories of personal data
PwC solely processes general personal data submitted by the data subject, such as, contact information, company name, company address, job title, and other identification data, as well as login information assigned to a visitor in connection with the use of PwC’s services.

PwC also collects information about visitor activity on www.pwc.dk, IP address, cookie preferences, and browser settings. Read more about PwC’s use of Cookies.

Legal basis
We process the personal data on the basis of the visitor's consent, e.g. registration to a given service or delivery hereof, to make traffic measurements, track the visitor's use of the website, and targeted marketing, see Art. 6(1)(a) of the GDPR.

In addition, we pursue a legitimate interest in conducting internal market surveys and make our website usable by activating basic features and remembering the visitor's settings, see Art. 6(1)(f) of the GDPR.

Source
The visitor.

Duration of the processing
We process the information for two years, counting from the date on which the visitor submits his/her personal data. If we process personal data on the basis of consent, we proces information about the consent for two years, counting from the time of withdrawal of the consent.

In regard to information collected through the use of cookies, we refer to PwC's use of Cookies

Recipients, including third country transfers
We disclose IP addresses to third parties, including providers of analytics programming and social media. In connection to this, we may transfer personal data to third countries if PwC can ensure the necessary guarantees for the data subject.

In addition, we engage with data processors, including IT suppliers, to whom we make personal data available. PwC enters into data processing agreements with all data processors to ensure appropriate security.

PwC and the provider of the social media platforms are joint data controllers for the personal data that is collected. In regard  to the provider's further processing, please refer to the privacy policy of the social media providers for more information on how these providers process personal data about visitors.

Purpose
The purpose of processing personal data about visitors to PwC's sites on social media is marketing in general, statistics and analysis in order to improve and target the content on our social media, campaigns, and in connection with competitions.

Data subject
The visitor of PwC social media.

Categories of personal data
We process general personal data about the visitor, including the information that appears in the profile of the visitor who participates in competitions on social media, this includes images and videos. We also process information about visitor interaction on PwC's posts such as likes and comments. 

Legal basis
If the visitor uses one of our forms on social media to, e.g. sign up for our newsletter, download a publication, or be contacted by our experts, the personal data is processed on the basis of the visitor's consent, see Art. 6(1)(a) of the GDPR. Similarly, if the visitor participates in competitions organised by PwC.

PwC's processing of personal data on social media is also based on PwC's legitimate interest in communicating and brandingPwC, as a company on social media, see Art 6(1)(f) of the GDPR.

Source
The visitor and social media providers.

Duration of the processing
We process personal data collected on the basis of the visitor’s consent until the consent is withdrawn. In addition, we process information about the consent for two years, counting from the withdrawal of the consent in order to document the consent.

In regard to processing of personal data based on legitimate interests, the duration of the processing follows the erasure deadlines stated in the privacy policies of the social media providers.

Recipients, including third country transfers
In connection with visits to our sites on social media, personal data is disclosed to the providers of the social media. We refer to the privacy policy of the social media providers for more information on how these providers process personal data about visitors.

Purpose
We process personal data about visitors for security purposes.

Data subject
Visitors at PwC's offices.

Categories of personal data
We process general personal data such as contact information, job title, company name, and vehicle registration number, if you have parked in our parking lot. Additionally, we process images of visitors from our video surveillance.

Legal basis
Our processing of personal data is necessary in order to pursue our legitimate interest in ensuring a high level of security, see Art. 6(1)(f) of the GDPR. PwC’s processing of personal data is carried out in accordance with s. 3(1) of the Danish Act on Television Surveillance (TV-overvågningsloven). Signs in our office show that CCTV is in operation.

Source
Visitors at PwC's offices.

Duration of the processing
We process information about the visitor for one year, counting from the visit. CCTV footage is automatically deleted after 30 days, counting from the recording, unless a situation that requires investigation (such as a theft) has been identified.

Recipients, including third country transfers
We only disclose personal data to the police if there is a situation requiring investigation (e.g. theft), see GDPR Art. 6(1)(c).

We engage data processors, including IT suppliers, to whom we make personal data available. PwC enters into data processing agreements with all data processors to ensure appropriate security.

Purpose
The purpose is to manage contracts, communicate, receive goods and services from our suppliers and business partners, andt to provide professional services to our clients when relevant.

Data subject
The supplier or business partner, including any of their employees.

Categories of personal data
PwC processes general personal data about the supplier and/or the business partner, including contact information as well as any bank account information.

Aditionally, PwC processes general personal data, including contact information and job title of any employees indicated as contact persons of suppliers and business partners.

Legal basis
The processing of personal data about the supplier and/or business partner is necessary in order to perform the agreement with the supplier and the business partner, see Art. 6(1)(b) of the GDPR. 

The processing of personal data relating to employees indicated as contact persons of a supplier and its business partners is necessary to enable us to pursue our legitimate interest in administering and performing the agreement with the business partner, see Art. 6(1)(f) of the GDPR.

Source
The supplier, business partner, or their contacts.

Duration of the processing
We process personal data for five years, counting from termination of the supplier relationship or business partnering, unless special circumstances require a longer period of processing, e.g. if a case is pending or we are legally required to do so.

Recipients, including third country transfers
We engage data processors, including IT suppliers, to whom we make personal data available. PwC enters into data processing agreements with all data processors to ensure appropriate security.

Purpose
The purpose is to be able to recruit, including to process and assess candidates in relation to current or future positions within PwC.

Data subject
The candidate and any references specified by the candidate.

Categories of personal data
We process general personal data forwarded by the candidate or any external recruitment agencies, including contact information, data in applications, curriculum vitae, references, exam papers, photos, and other supporting documents.

If a candidate is invited to an interview, we collect and process personal data in connection with personality and proficiency tests and any references.

We may also ask candidates to present their criminal records, if relevant to the current position.

In exceptional cases, we may process sensitive personal data received from the candidate if relevant to the candidate’s position with PwC.

Legal basis
The processing of general personal data about the candidate is necessary in order to perform the agreement with the candidate or implement measures at the candidate's request prior to the conclusion of the agreement, see Art 6(1)(b) of the GDPR.

Additionally, the processing is necessary in order to pursue our legitimate interest in processing and assessing the candidate, filling the position with an appropriate candidate and storing the personal data for subsequent recruitment processes, see Art. 6(1)(f) of the GDPR.

We process general personal data collected from tests completed by the candidate, as well as references on the basis of the candidate's consent, see Art. 6(1)(a) of the GDPR.

We process personal data derived from criminal records if necessary for the purpose of a legitimate interest in ensuring that the candidate is suited for the position at PwC that is being recruited for, see Art. 10 of the GDPR, cf. Section 8(3) of the DPA. This is applicable in relation to, for example, PwC’s compliance with Section 8 of the Anti-Money Laundering Act section 8.

The processing of  special categories of personal data about the candidate is necessary for the purposes of meeting and respecting our or the candidate’s labour law obligations and specific rights, see Section 12(1) of the DPA, cf Section 2 of the Act On The Use Of Health Information, etc. on the labour market

Additionally, we process general personal data which is manifestly made public by the candidate, see Art. 9(2)(e) and Art. 6(1)(f) of the GDPR. 

Finally, the processing of general personal data about possible references is necessary to follow our legitimate interest in processing and assessing the candidate whilst occupying the open position with a suitable candidate, see GDPR Art. 6(1)(f).

Source
The candidate, external recruitment agencies, and any references.

During the selection process, PwC may search for relevant information published on the Internet, for example LinkedIn, Facebook, and similar social media.

Duration of the processing
If the candidate is not offered a position, we process the information for six months, counting from the date of collection, unless the candidate has consented to us storing it for a longer period of time, for example, in connection with the recruitment for other or future positions, or if special circumstances warrant a longer period of processing, e.g. if a case is pending or we are legally required to do so. 

Recipients, including third country transfers
We do not disclose the personal data to third parties, but in some cases we may make them available to data processors, such as test providers, recruitment agencies, etc., which provide services to us in connection with a recruitment process. In that case, PwC enters into data processing agreements with all data processors to ensure appropriate security.

3. Security of processing

Information security is a business risk given top priority at PwC. We take the security of all the data we hold very seriously and we adhere to internationally recognised security standards. We have security measures in place to ensure data protection of client information, personal data, and other confidential information. We regularly perform internal follow-up in relation to the appropriateness of and compliance with policies and procedures.

4. The data subjects rights

As a data subject, you have certain rights, which PwC as data controller shall fulfil if the conditions are met.

Right to access
You are generally entitled to be informed as to whether or not PwC is processing personal data about you and if so, you are entitled to be informed what types of personal data we process and to which purpose we process them. Additionally, you are entitled to receive a copy of such data.

Right to rectification
You are entitled to have any incorrect or incomplete personal data rectified. 

Right to erasure
You may be entitled to have your personal data that PwC is processing deleted.

Right to restriction of processing
You may be entitled to have the processing of your personal data restricted so that the data can only be stored by PwC. 

Right to data portability
In certain cases, you are entitled to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format and to transmit those data to another controller.

Right to object to PwC’s processing
In certain cases, you are entitled to object to our processing of your personal data.

5. Withdrawal of consent

In cases where our processing of your personal data is based on your consent, you are entitled to withdraw such consent at any time.  In order to withdraw your consent to our processing of your personal data, we ask that you contact us.

If you have signed up for a newsletter from PwC and you no longer wish to receive emails containing information and marketing materials from PwC, you can easily unsubscribe from the newsletter by clicking “unsubscribe from newsletter” in the email received from PwC.

However, the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

6. Balancing of interests

When processing general personal data based on legitimate interest in GDPR Art. 6(1)(f), the data subject has the right to object at any given time, see GDPR Art. 21(4).

7. Changes to this privacy policy

We recognise that transparency is an ongoing responsibility, hence we will keep this privacy policy under regular review. This privacy policy was last updated on 7 December 2023.

8. Contact information and complaints

If you want to exercise your rights as described above, or if you have any questions about our processing of your personal data or this privacy policy, please contact us at:

PwC
Att.: OGC (Inhouse Legal)
Strandvejen 44, DK-2900 Hellerup
Phone: +45 39 45 39 45
Email: dk_databeskyttelse@pwc.com

If you want to complain about our processing of personal data, please send an email with the details of your complaint to dk_databeskyttelse@pwc.com. We will consider the complaint and get back to you.

You also have the right to lodge a complaint with the Danish Data Protection Agency in relation to your rights and to PwC’s processing of your personal data. For further information about how to complain to the Danish Data Protection Agency, please refer to the Danish Data Protection Agency’s website www.datatilsynet.dk.

9. Rules

The rules applicable to PwC’s processing of your personal data are set out in the following:

The General Data Protection Regulation
The Act on Processing of Personal Data

Følg PwC