Access and Building Management

7. Access and Building Management

7.1. Access Control

We use an electronic access control system at our locations. Your data is processed for the purposes of ensuring the physical security of individuals and company assets, administering and managing access authorisations to our offices and particularly sensitive areas, and preventing, detecting, and investigating unauthorised access and other security-relevant incidents.

In these cases, we process personal data of clients, visitors, and other external persons when such individuals receive an access card in the course of visiting our offices.

Legal basis: Compliance with a legal obligation pursuant to Article 6(1)(c) GDPR in conjunction with Article 32 GDPR and Section 13.3.2 of the Annex to Commission Implementing Regulation (EU) 2024/2690 laying down implementing rules for Directive (EU) 2022/2555 (NIS-2 Directive).

An additional legal basis is Article 6(1)(f) GDPR. PwC’s legitimate interests consist in ensuring the physical security of individuals and company assets, granting access authorisations, and being able to trace access and detect unauthorised access in the event of incidents.

Categories of data: First name, last name, card number, location, company affiliation, and in the event of security incidents, the date and time of access.

Retention period: Data are stored for the duration of the card being issued. Thereafter, they are deleted. Log data are retained for up to 30 days.

Categories of recipients: Cloud service providers, service providers, PwC network firms.

Transfers to third countries: Some of our service providers are established in third countries. For some of these countries, an adequacy decision by the European Commission exists. Where no adequacy decision exists, an adequate level of data protection has been ensured through the conclusion of Standard Contractual Clauses and, where applicable, additional safeguards.

7.2. Video Surveillance

Marked areas at our locations are subject to video surveillance. Your data is processed for the purposes of ensuring the physical security of individuals and company assets, protecting particularly sensitive areas, and detecting and investigating unauthorised access and other security-relevant incidents.

Legal basis: Article 6(1)(f) GDPR. PwC’s legitimate interests are to ensure the security of individuals, offices, and premises, and to be able to investigate incidents and unauthorised access by individuals.

Categories of data: Image data of individuals within the cameras’ field of capture, including the date and time of recording and the camera location.

Retention period: Recordings are generally retained for 72 hours. Longer retention occurs only on a case-by-case basis where necessary to investigate a specific incident.

Categories of recipients: Cloud service providers, service providers, PwC network firms.

Transfers to third countries: Some of our service providers are established in third countries. For some of these countries, an adequacy decision by the European Commission exists. Where no adequacy decision exists, an adequate level of data protection has been ensured through the conclusion of Standard Contractual Clauses and, where applicable, additional safeguards.