Skip to content Skip to footer
Search

Loading Results

Business relationship

3. Business relationship

While your specific contractual relationship is with a particular PwC firm, the firm cooperates with the other PwC firms in certain areas as a joint manager in the provision of its services. If you have any questions regarding this joint responsibility, please send them to at_datenschutz@pwc.com.

To learn more about the processing, please click on the relevant purpose.

  • Provision of services to corporate clients (learn more)
  • Provision of services to private customers (learn more)
  • Customer Relations Management (learn more)
  • Prevention of money laundering and measures against terrorist financing (learn more)

3.1 Provision of services to corporate clients

In the course of our business relationship with corporate clients, it is essential that we process personal data of contact persons, managing directors, employees or, if applicable, customers or other third parties. The respective scope of data processing depends on the specific services to be provided, which is defined in the Engagement Letter. In our work for you, we also make use of innovative cloud solutions, which enable video conferences, data rooms or joint work on a document. We only process personal data here if this is necessary for the fulfilment of our contractual obligations or if there is an overriding interest on our part in the processing. This is particularly the case when we process personal data of your employees and/or suppliers, customers for the purpose of providing you with services (eg in connection with pension provisions calculations).

If you do not provide us with this data or not to the extent required, we may not be able to provide the services you request. Please note that this would not be considered a contractual non-fulfilment on our part. If we receive personal data from you, we assume that you are entitled to transfer them to us.

Legal basis: Performance of contract according to Art 6 para 1 lit b and legitimate interest according to Art 6 para 1 lit f GDPR

Categories of data: The data varies according to the service provided, but generally includes at least the following categories of data: first name, last name, e-mail, telephone number, academic title, company affiliation and function, employee salary data, employee social insurance data, contract data with third parties. 

Storage period: Until the end of service provision. After completion of the service provision, we are subject to different professional and tax retention regulations. 

Recipients: Cloud service provider, IT service provider, PwC network companies

Transfer to third countries: Some of our service providers are located in non-EEA countries.  For some countries, there is an adequacy decision of the European Commission in place. In other cases, an adequate level of data protection has been achieved by concluding standard contractual clauses and, where applicable, additional guarantees. This mainly concerns cloud service providers in the USA.

3.2 Provision of services to private customers

In the course of our business relationship with you it is essential that we process your personal data. The respective scope of data processing depends on the specific services to be provided, which is defined in the Engagement Letter. In our work for you, we also make use of innovative cloud solutions which, among other things, enable video conferences, data rooms or joint work on a document. We only process personal data here if this is necessary for the fulfilment of our contractual obligations or if there is an overriding interest on our part in the processing. This is particularly the case if we process personal data of your family members, possible employees and/or suppliers, customers in order to provide you with a service (eg to determine shareholding relationships, tax information, etc). 

If you do not provide us with this data or not to the extent required, we may not be able to provide the services you requested. Please note that this would not be regarded as a contractual non-fulfilment on our part. If we receive personal data from you which are not your own, we assume that you are entitled to transfer them to us.

Legal basis: Performance of contract according to Art 6 para 1 lit b and legitimate interest according to lit f GDPR

Data: The data varies according to the service provided, but usually includes at least the following categories of data: contact details, business activity, family members, income and other tax-related information, investments and other financial information.

Duration of storage: Until the end of the service provision. After completion of the service provision, we are subject to different professional and tax retention regulations. 

Recipients: Cloud service provider, IT service provider, PwC network companies

Transfer to third countries: Some of our service providers are located in non-EEA countries.  For some countries, there is an adequacy decision of the European Commission in place. In other cases, an adequate level of data protection has been achieved by concluding standard contractual clauses and, where applicable, additional guarantees. This mainly concerns cloud service providers in the USA .

3.3 Customer Relations Management

PwC processes personal data about contacts (existing and potential clients and/or people associated with them) using a customer relationship management tool and a marketing tool. The collection of personal data from contacts and the completion of this personal data in these systems is carried out by our staff. As a matter of principle, your personal data will not be disclosed to third parties. Companies in the PwC network are excluded from this. You can revoke the consent you have given us at any time with effect for the future. To do so, please send an appropriate request to at_datenschutz@pwc.com.

The systems are provided by SAP and hosted in SAP’s European data centers.

Legal basis: Consent in accordance with Art 6 para 1 lit a GDPR and § 107 TKG

Data: First name, last name, e-mail, telephone number, academic title, company affiliation and function.

Storage period: Until you withdraw your consent.

Recipient: Cloud service provider, PwC network companies, IT service providers

Transfer to third countries: Some of our service providers are located in non-EEA countries.  For some countries, there is an adequacy decision of the European Commission in place. In other cases, an adequate level of data protection has been achieved by concluding standard contractual clauses and, where applicable, additional guarantees. This mainly concerns cloud service providers in the USA.

3.4 Prevention of money laundering and measures against terrorist financing

PwC is legally obliged to process personal data of its clients and, in the case of corporate clients, of the beneficial owners and other corporate representatives on the basis of national laws arising from EU money laundering and anti-terrorist financing regulations. After carrying out these checks with a compliance tool, the underlying documents must be retained for at least 5 years in accordance with professional regulations.

In order not to prevent effective measures from being taken, it may be that at certain points in time the rights of data subjects (in particular the right to information, correction, deletion or data transferability) cannot be implemented. This is always the case if the response to requests from data subjects results in the measures being thwarted or jeopardised.

Legal basis: Compliance with a legal obligation in accordance with Art 6 para 1 lit c GDPR (§§ 87 WTBG, Austrian Public Accountants and Auditors Act)

Data: key data, tax information, company investments, account information

Storage period: at least 5 years after completion of the checks

Recipients: Cloud service providers, PwC network companies, IT service providers

Transfer to third countries: Some of our service providers are located in non-EEA countries.  For some countries, there is an adequacy decision of the European Commission in place. In other cases, an adequate level of data protection has been achieved by concluding standard contractual clauses and, where applicable, additional guarantees. This mainly concerns cloud service providers in the USA.