Privacy Statement for assignments
This statement was last updated on May 11th 2022.
Proper processing of business information and personal information is very important to PwC. Our internal routines for processing personal data are designed to comply with relevant legislation. The Norwegian PwC companies are part of the PwC network, which is a global network of legally independent companies. Through the PwC network, we are also bound by the network's internal standards for the processing of business information and personal data. We only allow the processing of personal data where we have a legitimate purpose and a legal basis for this.
Transfers of personal data between companies in the PwC network are regulated by an Intra Network Transfer Agreement. Such an agreement has been in force since 2007, and PwC continuously updates the agreement in accordance with current legislation, no later than 2021, when updated EU Standard Contractual Clauses were adopted.
All employees in PwC sign an annual declaration for IT-discipline, where it is stated that breaches of the rules may have consequences for the employment relationship. Furthermore, we also conduct regular training on information security and privacy for our employees.
At PwC, we have extensive experience with the processing of personal data for clients who have very strict requirements for internal control regarding the processing of business information and personal data.
Collection of personal data
We collect personal information in connection with
execution of our assignments, including auditing services, accounting, legal assignments and various consulting and advisory assignments
customer control and reporting of suspicion under the Money Laundering Act
customer contact and marketing.
Data controller and data processor
We are data controllers in accordance with the GDPR when processing personal data in connection with auditing services, when the law firm provides legal services, when preparing annual accounts and tax returns for our own auditing clients and certification services. We are normally data controllers when processing personal data in connection with due diligence assignments, investigation assignments and internal audit assignments. As the data controller, we are responsible for complying with the requirements of the privacy rules that apply to our processing of your personal data, including that your rights are safeguarded.
In some cases, however, we act as a data processor for our customers. This means that we process your personal data on behalf of our client (data controller). This applies to most consulting and advisory assignments etc. where it is our client (data controller) who decides what information we are to process. In these cases, we will enter into a Data Processor Agreement with our client (the data controller). In such cases, we process your personal data in accordance with the Data Processor Agreement.
Your rights
You can exercise your rights by contacting our Data Protection Officer. See contact information at the bottom of this statement. You will receive an answer without undue delay, and no later than within 30 days.
Below we provide information on how we safeguard the rights that are most relevant to our business.
Access to information
Anyone who requests it has the right to know what kind of processing of personal data we carry out, as well as basic information about the processing. Such information is provided in this privacy statement. However, we may reject manifestly unfounded or exaggerated requests, cf. Article 12 (5) of the GDPR.
When you request access, we will consider whether we can provide access without prejudice to our statutory duty of confidentiality, and, if permitted, inform you about personal data that has been processed. We are, among other things, subject to a statutory duty of confidentiality based on the Auditors Act, and for legal assignments, lawyers' duty of confidentiality will also limit the opportunities to gain access to information we process about you that also applies to others. Access to internal documents may also be denied as far as is necessary to ensure sound internal decision-making processes, cf. the Norwegian Personal Data Act § 16 first paragraph letter e.
Erasure and rectification
You have the right to have information about yourself erased if it is no longer necessary for following up the assignment properly and which we do not have a statutory obligation to keep. However, we may have a legitimate interest in retaining information beyond this if it is necessary to defend us against claims for damages or accusations, cf. GDPR, Article 6, paragraph 1, letter f.
If we process personal information about you that is incorrect or incomplete, you may, within the limits set out in the privacy rules and other legislation, demand that your personal information be rectified.
Complain
Contact our Data Protection Officer if you believe we do not comply with the privacy policy.
You can also complain about our processing of personal data to the Norwegian Data Protection Authority (Datatilsynet).
Information security, confidentiality and storage
We have routines to ensure the confidentiality and integrity of our customers' data. The security mechanisms include role and access control and requirements for built-in privacy in our IT systems. When material containing sensitive personal information is transferred electronically to or from us, the information must always be secured by means of encryption. Sensitive personal data means so-called special categories of personal data, social security numbers and information about criminal offenses and similar offenses.
We are subject to a duty of confidentiality under the Auditors Act regarding everything we are acquainted with in our business, both in connection with statutory assignments and other assignments. Section 211 of the Penal Code further imposes on lawyers a duty of confidentiality for information entrusted to them in connection with the position or assignment. Chapter 12 of the Advocate Regulations (code of conduct for Norwegian lawyers) also imposes a duty of confidentiality on lawyers in connection to information the lawyer becomes familiar with in his work as a lawyer, even if they are not covered by a statutory duty of confidentiality.
There are some exceptions to the duty of confidentiality, see below on the statutory transfer of personal data.
Pursuant to the Auditors Act and regulations to the Auditors Act, we must keep our documentation in an orderly and reassuring manner secured against destruction, loss and change, for at least five years. According to the Money Laundering Act, we are obliged to store information and documents that have been used for customer control or investigation of suspicious transactions under the Money Laundering Act for five years after the customer relationship or transaction has ended. PwC also needs to keep the data for a period of time in order to be able to meet any claims for damages or other charges. Based on the limitation period, the ordinary storage period is therefore set at 11 years. That is, 10 years after completing the assignment, as well as one year to complete the deletion.
Transfer of personal data
Retention
Retention of customer data, including personal data, takes place mainly within the EU / EEA. However, data can be transferred to third countries by giving non-EU personnel access to personal data. This will primarily happen when there is a need for support that can not be solved by our internal IT department, where access to personal information is necessary to solve the problem. Such transfers are protected by EU Standard Contractual Clauses, cf. Article 46.2.c. of the GDPR.
For customers who are part of an international business, it may be necessary to transfer personal data to another country. If the transfer does not take place to an EEA country or a country approved by the EU Commission, the transfer takes place based on standard privacy provisions adopted by the EU Commission or binding corporate rules for a group or group of companies.
Statutory transfer of personal data
PwC is in some cases required by law to transfer information to other authorities. Such transfers may contain personal information. As examples of such statutory transfers, it is pointed out that:
Finanstilsynet has access to our documentation in connection with their supervisions
auditors or accountants who perform quality control with us have access to our documentation
we are required to report suspicious transactions to Økokrim, see section 6.4
the police can be given access to documentation if required by law
we may be required to transfer information to the tax authorities that may contain personal information, if an audit of a customer is carried out
we may be obliged to provide information that may contain personal information to the debt tribunal, bankruptcy estate or trustee in connection with debt negotiation or bankruptcy
we have a general duty to testify if we are called as a witness in a trial. This applies if it does not apply to matters covered by lawyers' duty of confidentiality.
Auditors, lawyers, accountants and the authorities mentioned here are subject to a statutory duty of confidentiality.
Our use of data processors
We use service providers to operate our information systems and store data for us. It includes the processing of personal data as described in point 5 above. We have data processor agreements with all service providers that process personal data on our behalf.
Collection and use of personal information
PwC's processing of customer contact information
PwC processes customer contact information for all our customers. This is information about our customers' names, addresses, telephone numbers, email addresses and positions with the customer. PwC is the data controller for the processing of this information. The information is registered within our client register. The information is usually received from the customer himself, but can also come from external sources, such as publicly available information. The information is used to perform risk and independence checks, for managing the assignment and for marketing and improving our services.
PwC's processing of market contact information
PwC processes contact information for market contacts. This is information regarding name, email address, employer, and phone number. PwC is the data controller for the processing of this information. The information is registered in our market system. The information is normally received from the market contact itself, through registration for events and subscription to newsletters. The information is used to advertise our newsletters and events, but also to adapt our marketing to become more relevant. The legal basis for this processing is PwC's legitimate interest in marketing our services, and in making our marketing more relevant to the recipient.
See also our own privacy statement related to the processing of personal data that takes place via our websites.
PwC's processing of assignment information
PwC processes personal data in connection with the performance of our assignments, for example in cases where part of the assignment involves the processing of personal data. It will depend on the assignment what kind of personal information this is. Normally, this personal information will be received from our customer, but it can also come from external sources, such as public portals, if we have permission to use this. This assignment documentation mainly contains company-related information. However, it will also contain certain personal information to the extent this is necessary for the assignment. This can e.g. be:
Name and job title, etc. on persons from whom we have obtained information in connection with the assignment.
Information about salaries and working conditions for employees of the company we are auditing.
Assessments of the competence and integrity of persons responsible for the accounts or other matters that we are to confirm.
It may also include special categories of personal information or other sensitive information if necessary for the completion of the assignment. For example, we may have to process information about individuals' offenses, including criminal offenses, if the audit should reveal such offenses.
Duties under the Money Laundering Act
The Norwegian Money Laundering Act states that we are required to perform customer control of all our customers. In this connection, we will confirm the identity of the person acting on behalf of the customer and the ultimate beneficial owner who ultimately control the company / customer. We will record information about these people, including copies of identification documents used to confirm identity.
By the Norwegian Money Laundering Act, we are also required to report suspicions of money laundering and terrorist financing to Økokrim. Reports to Økokrim about suspicious transactions must include everything we are aware of about the relationship that has led to suspicion, including information related to persons involved. Such messages are exempt from access for those involved.
Data controllers
PwC in Norway consists of the three companies PricewaterhouseCoopers AS, Advokatfirmaet PricewaterhouseCoopers AS or PwC Tax Services AS. Which company that is the data controller for processing of personal data will depend on the nature of the assignment.
Contact us
If you have any questions or complaints regarding this privacy statement or the way your personal information is processed, or want to exercise any of your rights listed above, please contact us:
- By email to no_personvern@pwc.com
- Via contact form, or
- send by mail:
PricewaterhouseCoopers AS
Att: Office of General Counsel (OGC)
P.O. Box 748 Sentrum, 0106 Oslo
