PwC’s privacy policy

Purpose
The purpose is to manage our engagements with our clients, this includes creating the client and the engagement, , carrying out quality assurance and control, to communicate with the client, its management and employees as well as invoicing.

Furthermore, the purpose is to be able to manage and develop our business and services, operate and maintain our IT systems made available to or used as part of the servicing of the client, and carry out statistical processing.

Data subject
The client, its owners, management, and/or its employees.

Categories of personal data
We process general personal data, including contact information, job title, company name, company address, and information about the relation to PwC.

Legal basis
The processing of personal data is necessary in order to perform the agreement with the client or implement measures at the client's request prior to the conclusion of the agreement, see Art 6(1)(b) of the GDPR.

Furthermore, the processing is necessary in order to pursue our legitimate interest in managing the client cooperation, managing and developing our business and services, operating and maintaining IT systems made available or used as part of our servicing of the client, and processing data for statistical purposes, see Art. 6(1)(f) of the GDPR.

Source
The client, the client’s owner(s), if any, the management, and/or the client’s employees.

Duration of processing
We process the personal data for ten years, counting from the end of the calendar year in which the last job/engagement was completed, unless special circumstances require shorter or longer periods of storage.

Recipients, including third country transfers
We engage with data processors, including IT suppliers, to whom we make personal data available. PwC enters into data processing agreements with all data processors to ensure appropriate security.

PwC discloses personal data to professional advisers, including accountants and public authorities, in the event that PwC is required to do so. 

We may also transfer personal data to PwC firms in the PwC Network located outside the EU/EEA. All PwC firms in the PwC Network have entered into an Intra Network Transfer Agreement (INTA) based on the EU-Commission's Standard Contractual Clauses. The INTA is updated regularly and latest in 2022.

Purpose
The purpose is to ensure the completion of the statutory client due diligence procedure.

Data subject
The ultimate business owners or the daily management of the client.

Categories of personal data
We process personal data included in identity documents, such as health insurance card and passport or driving licence. We store copies of such documents. Furthermore, we collect personal data about politically exposed persons (PEP) and their relations.

Legal basis
PwC is subject to the provisions of the Danish Act on Measures to Prevent Money Laundering and Financing of Terrorism (Hvidvaskloven). We process the personal data in accordance with the client identification procedures of the said Act, see sections 11-21, in particular section 11(1)(i), which must be performed to comply with a legal obligation to which PwC is subject, see Art. 6(1)(c) and Art. 87 of the GDPR, and section 11(2)(1) of the DPA.

Disclosure by PwC is based on the principle of legitimate interest laid down by Art. 6(1)(f) of the GDPR, according to which disclosure is necessary to ensure that subcontractors assisting PwC in providing services comply with national anti-money laundering legislation.

In addition, the disclosure is a natural element of the ordinary operation of the type of enterprises in question and the disclosure is of decisive importance for unique identification of the data subject, see Art. 87 of the GDPR and section 11(2)(3) of the DPA.

Source
The client, the ultimate business owners, or the daily management of the client. Additionally , we collect information from the Central Business Register (virk.dk), Dun & Bradstreet, and public media.

Duration of the processing
We process the personal data for five years, counting from the end of the calendar year in which the engagement with the client terminates or the individual transaction is executed, unless special circumstances require a longer period of storage.

Recipients, including third country transfers
PwC may be ordered to disclose personal data to public authorities. Where a suspicion of money laundering or terrorist financing cannot be rebutted, PwC is obligated to report and pass on the information to the Danish State Prosecutor for Serious Economic and International Crime and any other supervisory authority under section 26 of the Danish Act on Measures to Prevent Money Laundering and Financing of Terrorism.

To the extent that PwC engages another PwC firm as subcontractor, PwC may disclose anti-money laundering documentation to such a firm located within the EU/EEA in order for such foreign PwC firm to comply with its legal obligations.

In addition, we engage data processors, including IT suppliers, to whom we make personal data available. PwC enters into data processing agreements with all data processors to ensure appropriate security.

Purpose
The purpose is to perform statutory audits and other assurance statements. 

Data subject
The client, its management, employees and client’s customers, vendors, and other relations.

Categories of personal data
We process non-sensitive personal data, including contact information and financial information. In some cases, we process civil registration numbers of the client and its employees. 

In addition, PwC may process data on criminal convictions and offences, including information on pending or potential legal proceedings against the client.

Legal basis
The processing is necessary to comply with a legal obligation under section 23(1), see section 1(2) of the Danish Act on Approved Auditors and Audit Firms (Revisorloven), and generally accepted auditing principles in accordance with section 16(1) of the said Act in connection with the provision of assurance reports, see Art. 6(1)(c) of the GDPR as well as Art. 10 of the GDPR, cf. Section 8(3) of the DPA.

Furthermore, the processing is necessary in order to perform the agreement with the client, see Art 6(1)(b) of the GDPR.

In addition, the processing is necessary in order for PwC to perform the services to the client and for quality management and control, see Art 6(1)(f) of the GDPR.

Furthermore, we process national identification number where this follows from the law or for reporting on behalf of the client where such disclosure is a natural element of the ordinary operation of enterprises etc. of the type in question and the disclosure is of decisive importance for unique identification of the data subject, see Art. 78 of the GDPR, cf. Sections 11(2)(1) and 11(2)(3) of the DPA.

Source
The client or its employees.

Duration of the processing
We process the information for five to ten years, depending on the storage obligations applicable to PwC in connection with an audit, counting from the end of the calendar year in which the assurance report is made, unless special circumstances require shorter or longer periods of processing.

Recipients, including third country transfers
PwC will solely disclose personal data to the client and foreign audit firms, to enable the provision of services by such firms to affiliates of the client.

In addition, we engage with data processors, including IT suppliers, to whom we make personal data available. PwC enters into data processing agreements with all data processors to ensure appropriate security.

Purpose
The purpose is to provide consulting and assistance to the client within PwC’s business area, including legal advice, tax advice, consultant- and transaction services, as well as accounting assistance.

Data subject
We process personal data about the client as well as the management and employees of the client. 

For certain services, including due diligence and forensic, advising relating to whistleblower schemes, and for digital services, we process personal data about the client, the management, and employees of the client as well as the client’s clients, vendors, and other relations.

Finally, in connection with tax advice, we may process personal data about the client, the management and employees of the client as well as the client’s clients, vendors and other business relations, and children of the client’s employees.

Categories of personal data
We process general personal data, including contact information. 

In regard to advice within employment law, we process general personal data, including contact information, information about salary and employment as well as other financial information, national identification number, information about criminal offences or suspicions thereof as well as special categories of personal data, including information about health.

In regard to tax advice, we process general personal data, including contact information, financial information, national identification number, as well as special categories of personal data.

In regard to due diligence and forensic service, we may process general personal data, including contact information, national identification number, information about criminal offences or suspicions thereof, as well as special categories of personal data.

In regard to advising on whistleblower schemes, we process general personal data, including contact information, information about criminal offences or suspicions thereof, as well as special categories of personal data.

Legal basis
The processing of general personal data is necessary in order to perform the agreement with the client, see Art 6(1)(b) of the GDPR. The processing is also necessary in order for PwC to perform the services to the client, see Art 6(1)(f) of the GDPR.

Inregard to processing personal data about criminal offences or suspicions thereof, PwC is pursuing a legitimate interest of PwC or the client in uncovering violations of the law, potential violations, or other serious offences, see Art. 10 of the GDPR, cf. Section 8(3) of the DPA.

Cases where we process special categories of personal data are as follows: if the personal data is manifestly made public by the data subject, see Art. 9(2)(e) of the GDPR, the processing is necessary for the establishment, exercise or defence of legal claims, see Art. 9(2)(f) of the GDPR or the processing is necessary for reasons of substantial public interest, see Art. 9(2)(g) of the GDPR.

In addition, we process national identification number when required by the law or where such disclosure is a natural element of the ordinary operation of enterprises etc. of the type in question, and the disclosure is of decisive importance for unique identification of the data subject, see Art. 78 of the GDPR, cf. Sections 11(2)(1) and 11(2)(3) of the DPA.

Source
We may collect the personal data from the client or the management and/or employees of the client. 

For advice relating to whistleblower schemes, we collect the personal data from the reporting person, who may be anonymous. Additionally, we may collect personal data from other people involved in a reported matter.

Duration of the processing
Generally, the personal data is processed for 5 years, counting from the end of the calendar year in which the client relationship is terminated. 

For engagements concerning tax advice, personal data is processed for 10 years, counting from the end of the calendar year in which the client relationship is terminated. 

In relation to information collected in connection with a reported matter under a whistleblower scheme and advice hereof, the personal data is processed until the reported matter is completed, after which the personal data is deleted.

Recipients, including third country transfers
We disclose personal data to public authorities for registration or identification purposes when necessary to provide the service.

Furthermore, we may disclose the personal data to counterparties, representatives, including lawyers and other advisers, if this is necessary to provide the service.

We may also disclose personal data to other PwC firms in the PwC Network located within as well as outside the EU/EEA, if it is necessary to provide the service. An Intra Network Transfer Agreement (INTA) based on the EU Commission's Standard Contractual Clauses has been concluded between all PwC firms in the PwC Network. It is updated continuously and at the latest in 2022.  

We engage with data processors, including IT suppliers, to whom we make personal data available. PwC enters into data processing agreements with all data processors to ensure appropriate security.

Purpose
The purpose is to administer registration, arrange events and courses and to keep in touch with the participants before, during and after the events and courses.

Data subject
The participants and the speaker.

Categories of personal data
We process general personal data, including contact information, job titles, company names, and central business registration numbers.

Legal basis
The processing of personal data is based on the participants’ consent, see Art. 6(1)(a) of the GDPR. Furthermore, the processing is necessary for the performance of a contract to which the data subject is party, see Art. 6(1)(b) of the GDPR.

Furthermore, the processing is necessary in order for PwC to organise, execute, and evaluate courses and events, see Art. 6(1)(f) of the GDPR. 

Source
The participants and the speaker.

Duration of the processing
We process the personal data for 5 years, counting from the date of the course or event.

Recipients, including third country transfers
We disclose personal data to business partners and/or instructors/speakers, if any. Additionally, we disclose personal data to the other participants in the course or the event.

PwC engages with data processors, including IT suppliers, to whom we make personal data available. PwC enters into data processing agreements with all data processors to ensure appropriate security.

Purpose
The purpose is to administrate, organise, evaluate and benchmark the event ‘Årets Ejerleder’ (Owner-Manager of the year).

Data subject
Each Owner-Manager, members of the jury, and the speakers.

Categories of personal data
We process general personal data, including contact information, company name, company address, photos, and films, if any. Other general personal data provided by the Owner-Manager to PwC.

Legal basis
The processing of personal data is based on the consent of the Owner-Manager, see Art. 6(1)(a) of the GDPR.

Furthermore, the processing is necessary in order to pursue our legitimate interest in administering, organising, carrying out, and subsequently evaluating the event, see Art. 6(1)(f) of the GDPR.

Source
Each Owner-Manager, members of the jury, and the speakers.

Duration of the processing
We process the personal data for up to three years, counting from the date of the event (the final election of Owner-Manager of the year).

Recipients, including third country transfers
We disclose personal data to business partners, members of the jury, and various news media.  Additionally, we publish pictures and films in which the Owner-Manager may appear if consent is given.

We engage with data processors, including IT suppliers, to whom we make personal data available. We enter into data processing agreements with all data processors to ensure appropriate security.

Please note that if the individual application links to third-party content, the processing carried out by such third-party is not covered by PwC's privacy policy. We encourage you to review the privacy policy of each such website.

Purpose
The purpose is to be able to run and administer PwC’s applications, this includes the application’s features beingavailable to the users, and that PwC can improve the user experience regarding the content. Moreover, PwC wants to be able to communicate with users.

The purpose of the individual application will appear from the application itself.

Data subject
The user of the application.

Categories of personal data
We process general personal data, such as contact information and company name.

Legal basis
The processing of personal data is necessary in order to perform the agreements with the users about delivery of the applications, see Art. 6(1)(b) of the GDPR.

Moreover, the processing is necessary in order to pursue our legitimate interest of being able to run and administer the application and improve the user experience, see Article 6(1)(f) of the GDPR.

Source
The user of the application.

Duration of the processing
We process the information for as long as the user has an active user profile. 

Recipients, including third country transfers
We do not disclose personal data, but we use data processors, including IT suppliers, to whom we make personal data available. PwC enters into data processing agreements with all data processors to ensure appropriate security.

Purpose
The purpose is to launch marketing initiatives, including target communication to our relations. Additionally, the purpose is to build and manage strong relationships with our existing and potential clients.

Data subject
The relation.

Categories of personal data
We process general personal data, including contact information, job title, and company name. 

Legal basis
The processing is necessary to pursue our legitimate interest, including our interest in branding our firm, as well as our interest in targeting material distributed by PwC, see Art. 6(1)(f) of the GDPR.

Source
The relation, e.g. via the auto signature, business card etc. We may also collect information from our employees or via publicly available sources, such as the central business register (cvr.dk) or LinkedIn.

Duration of the processing
We process personal data for five years, counting from our most recent dialogue with the relation.

Recipients, including third country transfers
We engage with data processors, including IT suppliers, to whom we make personal data available. PwC enters into data processing agreements with all data processors to ensure appropriate security.

We disclose personal data to other PwC firms located within the EU/EEA as well as outside. All PwC firms in the PwC Network have entered into a Intra Network Transfer Agreement (INTA) based on the EU-Commission's Standard Contractual Clauses. The INTA is updated regularly and latest in 2022.

Purpose
The purpose is to establish and maintain a relationship with candidates selected by PwC at employer branding events with a view to future recruitment.

Data subject
The candidate.

Categories of personal data
We process general personal data forwarded by candidates, including contact information, data in applications, curriculum vitae, references, exam papers, photos, and other supporting documents.

Legal basis
The processing of personal data is necessary in order to pursue our legitimate interest in processing and assessing the candidate for subsequent recruitment processes, see Art. 6(1)(f) of the GDPR.

Source
The candidate.

Duration of the processing
We process the personal data for up to six months, counting from the date of collection.

Recipients, including third country transfers
We do not disclose the personal data to third parties, but in some cases we engage data processors, including IT suppliers, to whom we make personal data available. PwC enters into data processing agreements with all data processors to ensure appropriate security.

Purpose
We process personal data in order to deliver newsletters. When signing up for PwC's newsletter, personal data is collected for use in profiling and analysis, which will help targeting and organise the content of newsletters, for example, in which order the news should be presented in the newsletter. We carry out profiling by compiling information about the recipient's behaviour on our website and in newsletters, enabling us to ensure that the content is always relevant for the individual recipient.

Data subject
The recipient of PwC's newsletters.

Categories of personal data
We process general personal data, including contact information, company name, company address, job title, information about who opens the newsletter and when (date and time), which links are clicked on and when (date and time), whether it is done from a mobile device, operating system, browser, email client, IP address and location (city).

Legal basis
We process the information based on the  recipient's consent, which was given when signing up for the newsletter, see Art. 6(1)(a) of the GDPR.

Source
The recipient of PwC's newsletters and PwC's supplier.

Duration of processing
We process the information from the time the recipient gives consent and until it is revoked. We process information about the consent for 2 years, counted from revocation.

Recipients, including third country transfers
PwC uses an external service for sending newsletters. We thus engage data processors, including IT suppliers, to whom we make personal data available. PwC enters into data processing agreements with all data processors to ensure appropriate security.

Purpose
We process personal data in order to provide a certain service,such as, booking of meetings, requests for PwC to contact the visitor, newsletter signup or participation in online chats. Moreover, PwC collects personal data for the purpose of remembering the visitor's settings, making traffic measurements, tracking the visitor's use of the website, and targeted marketing.

Data subject
The visitor of the website.

Categories of personal data
PwC solely processes general personal data submitted by the data subject, such as, contact information, company name, company address, job title, and other identification data, as well as login information assigned to a visitor in connection with the use of PwC’s services.

PwC also collects information about visitor activity on www.pwc.dk, IP address, cookie preferences, and browser settings. Read more about PwC’s use of Cookies.

Legal basis
We process the personal data on the basis of the visitor's consent, e.g. registration to a given service or delivery hereof, , to make traffic measurements, track the visitor's use of the website, and targeted marketing, see Art. 6(1)(a) of the GDPR.

In addition, we pursue a legitimate interest in conducting internal market surveys and make our website usable by activating basic features and remembering the visitor's settings, see Art. 6(1)(f) of the GDPR.

Source
The visitor.

Duration of the processing
We process the information for two years, counting from the date on which the visitor submitted his/her personal data. If we process personal data on the basis of consent, we delete information about the consent after 2 years, counting from the withdrawal of the consent.

In regard to information collected through the use of cookies, we refer to PwC's use of Cookies. 

Recipients, including third country transfers
We disclose IP addresses to third parties, including providers of analytics programming and social media. In connection to this, we may transfer personal data to third countries if PwC can ensure the necessary guarantees for the data subject.

In addition, we engage with data processors, including IT suppliers, to whom we make personal data available. PwC enters into data processing agreements with all data processors to ensure appropriate security.

PwC and the provider of the social media platforms are joint data controllers for the personal data that is collected. In regard  to the provider's further processing, please refer to the privacy policy of the social media providers for more information on how these providers process personal data about visitors.

Purpose
The purpose of processing personal data about visitors to PwC's sites on social media is marketing in general, statistics and analysis in order to improve and target the content on our social media, campaigns, and in connection with competitions.

Data subject
The visitor.

Categories of personal data
We process general personal data, including the information that appears in the profile of the visitor who participates in competitions on social media, this includes images and videos. We also process information about visitor interaction on PwC's posts such as likes and comments. 

Legal basis
If the visitor uses one of our forms on social media to, e.g. sign up for our newsletter, download a publication, or be contacted by our experts, the personal data is processed on the basis of the visitor's consent, see Art. 6(1)(a) of the GDPR. Similarly, if the visitor participates in competitions organised by PwC.

PwC's processing of personal data on social media is also based on PwC's legitimate interest in communicating and brandingPwC, as a company on social media, see Art 6(1)(f) of the GDPR.

Source
The visitor and social media providers. .

Duration of the processing
We process personal data collected on the basis of the visitor’s consent until the consent is withdrawn. In addition, we process information about the consent for 2 years, counting from the withdrawal of the consent.

In regard to processing of personal data based on legitimate interests, the duration of the processing follows the erasure deadlines stated in the privacy policies of the social media providers.

Recipients, including third country transfers
In connection with visits to our sites on social media, personal data is disclosed to the providers of the social media. We refer to the privacy policy of the social media providers for more information on how these providers process personal data about visitors.

Purpose
We process personal data about visitors for security purposes.

Data subject
The visitor.

Categories of personal data
We process general personal data such as contact information, job title, company name, and registration number of any vehicle if you have parked in our car park. Additionally, we process images of visitors from our video surveillance.

Legal basis
Our processing of personal data is necessary in order to pursue our legitimate interest in ensuring a high level of security, see Art. 6(1)(f) of the GDPR. PwC’s processing of personal data is carried out in accordance with s. 3(1) of the Danish Act on Television Surveillance (TV-overvågningsloven). Signs in our office show that CCTV is in operation.

Source
The visitor.

Duration of the processing
We process information about the visitor for one year, counting from the visit. CCTV footage is automatically deleted after 30 days, counting from the recording, unless an issue that requires investigation (such as a theft) has been identified.

Recipients, including third country transfers
We only disclose personal data to the police where there is a security incident requiring investigation (e.g. theft).

We engage data processors, including IT suppliers, to whom we make personal data available. PwC enters into data processing agreements with all data processors to ensure appropriate security.

Purpose
The purpose is to carry out contract management, communicate, receive goods and services from our suppliers and business partners, andt to provide professional services to our clients when relevant.

Data subject
The supplier or business partner, including any contacts employed with them.

Categories of personal data
PwC processes general personal data, including contact information as well as any bank account information on suppliers and business partners. In addition, PwC processes contact information and job title of any contacts employed by suppliers and business partners.

Legal basis
The processing of personal data is necessary in order to perform the agreement with the supplier and the business partner, see Art. 6(1)(b) of the GDPR. 

The processing of personal data relating to the contacts of a supplier and its business partners is necessary to enable us to pursue our legitimate interest in administering and performing the agreement with the business partner, see Art. 6(1)(f) of the GDPR.

Source
The supplier, business partner, or their contacts.

Duration of the processing
We process personal data for five years, counting from termination of the supplier relationship or business partnering, unless special circumstances require shorter or longer periods of storage.

Recipients, including third country transfers
We engage data processors, including IT suppliers, to whom we make personal data available. PwC enters into data processing agreements with all data processors to ensure appropriate security.

Purpose
The purpose is to be able to recruit, including to process and assess candidates in relation to current or future positions within PwC.

Data subject
The candidate and any references specified by the candidate.

Categories of personal data
We process general personal data forwarded by the candidate or any external recruitment agencies, including contact information, data in applications, curriculum vitae, references, exam papers, photos, and other supporting documents.

If a candidate is invited to an interview, we collect and process personal data in connection with personality and proficiency tests and any references.

We may also ask candidates to present their criminal records, if relevant to the current position.

In exceptional cases, we may process sensitive personal data received from the candidate if relevant to the candidate’s position with PwC.

Legal basis
The processing of personal data is necessary in order to perform the agreement with the candidate or implement measures at the candidate's request prior to the conclusion of the agreement, see Art 6(1)(b) of the GDPR.

The processing of personal data is necessary in order to pursue our legitimate interest in processing and assessing the candidate, filling the position with an appropriate candidate and storing the personal data for subsequent recruitment processes, see Art. 6(1)(f) of the GDPR.

We process information from tests, collection of references and criminal records on the basis of the candidate's consent, see Art. 6(1)(a) of the GDPR.

We process personal data on criminal records if it is necessary for the purpose of a legitimate interest in ensuring that the candidate is suited for the position at PwC that is being recruited for, see Art. 10 of the GDPR, cf. Section 8(3) of the DPA. This is applicable in relation to, for example, PwC’s compliance with Section 8 of the Anti-Money Laundering Act section 8.

The processing of  special categories of personal data is necessary for the purposes of meeting and respecting our or the candidate’s labour law obligations and specific rights, see Section 12(1) of the DPA, cf Section 2 of the Act On The Use Of Health Information, etc. on the labour market

We process personal data which are manifestly made public by the candidate, See Art. 9(2)(e) and Art. 6(1)(f) of the GDPR. 

Source
The candidate, external recruitment agencies, and any references.

During the selection process, PwC may search for relevant information published on the Internet, for example LinkedIn, Facebook, and similar social media.

Duration of the processing
If the candidate is not offered a position, we process the information for six months, counting from the date of collection, unless the candidate has consented to us storing it for a longer period of time, for example, in connection with the recruitment for other or future positions, or if special circumstances warrant a longer period of storage.

Recipients, including third country transfers
We do not disclose the personal data to third parties, but in some cases we may make them available to data processors, such as test providers, recruitment agencies, etc., which provide services to us in connection with a recruitment process. In that case, PwC enters into data processing agreements with all data processors to ensure appropriate security.