Privacy Statement

This Privacy Statement (this “Statement”) was last updated on 1 October 2020.
  

Introduction

PwC is strongly committed to protecting personal information. This Statement explains what information we gather about you, what we use that information for, and who we give that information to. It also sets out your rights in relation to your information and who you can contact for more information or queries.

“PwC”, “we”, “us” and “our” refer to PwC Member Firms¹ operating in Chinese Mainland, Hong Kong SAR and Macau SAR. 

Please click the links below for a list of all PwC Member Firms operating in the following locations:

• Chinese Mainland
• Hong Kong SAR
• Macau SAR

Click on the links in our index below to take you to the more detailed sections of this Statement.

1. Scope
2. Collection of personal information
3. Use of personal information
4. Marketing
5. Third party links
6. Security of personal information
7. Cookies
8. Transfer of personal information
9. Retention of personal information
10. Access to data & Rights in relation to your information
11. Children
12. Contact us
13. Modifications
14. Appendix 1 - Applicable only to Individuals based in the European Economic Area

1.  Scope

The privacy of your personal information is important to us. This Statement describes how PwC handles personal information collected through our websites, social media platforms, applications, products and/or services provided by PwC Member Firms operating in Chinese Mainland, Hong Kong SAR and Macau SAR (referred to as “PwC Services”).

Some PwC Services provided by PwC Member Firms may have Privacy Statements that differ from this one and/or contain additional information as required under local laws. Please refer to the relevant Privacy Statements in order to understand how they process your personal information.  

Many of our PwC Services require some personal data to be collected. If you choose not to provide us with the personal data necessary to enable us to provide such product/service, you may not be able to use that product/service.

In this Statement, your information is sometimes called “personal data” or “personal identifiable information” or “personal information”. We also sometimes collectively refer to handling, collecting, protecting or storing your personal information as “processing” such personal information.

This Statement applies to any personal data provided to us, and any personal data created in connection with our PwC Services.

For personal data collected in Chinese Mainland: If you are providing personal data of other individuals, please make sure that

(i) the personal data is from a legitimate and lawful source;

(ii) the other individuals are aware of the purpose(s) for collecting his/her personal data and all other relevant arrangement described in this Statement relating to the processing and use of personal data, and that he/she has consented to such disclosure and data processing.

We may contact you to inquire and confirm with you in relation to (i) and (ii) above.  If you receive such an enquiry from us, please kindly assist and provide us with prompt response.  We may have to discontinue the PwC Services if we are unable to obtain the verification needed.

By using our PwC Services and providing personal information to us, you acknowledge that you have read this Statement, and subject to your explicit consent which we may separately seek from you as may be required by applicable law, you consent to the terms of this Statement (including international transfers as set out in this Statement to countries outside where you are located).

If you do not agree with the terms in this Statement and have concerns about the categories of personal data, we require from you, please do not provide any personal information to us without contacting us.

If you are an individual based in the European Economic Area (“EEA”) and the European Union General Data Protection Regulation (“GDPR”) is applicable to PwC in providing the PwC Services in question, we may rely on legal basis other than consent to process your personal information as set out in Appendix 1.

2.  Collection of personal information

When you use our PwC Services, we may collect information about you including through cookies and analytics tools. We may collect personally identifiable information about you either directly from you, or by combining information we collect and maintain through other means (such as client relationship management systems or identification and access management systems, including IP addresses) or as we may receive from publicly available sources such as social media or other third-party sites.

2.1 Categories of Personal Data

The personal information we collect may include:

• name, current job title, name of employer, email address, contact numbers, or your location (country / city) when you:
  
  (a) subscribe to receive communications from us, create a user profile, or send an inquiry through our websites; or
  
  (b) register for our webinars / webcast / events. At the time of your registration, you might also be asked for your postal address and whether or not you would like to be informed of upcoming webinars / webcasts via the contact information you provided and/or through your postal address. We use registration information for internal research and analysis purposes to help us understand who is viewing our webcasts, and become better equipped to serve your needs;
• your social network ID, such as WeChat ID and LinkedIn profile URL, when you register as an alumni.  Any personal information that an alumnus submits to us will only be used to maintain contact with that alumnus, and will not be disclosed to any third party without your express permission;
• name and email address, when you access our applications (such as when you respond to a survey or access specific content);
• name, correspondence address, email address, national identification details, for purpose of performing our pre-engagement acceptance checks (which may include conflicts, anti-money laundering or other regulatory-related checks) and these are necessary for us to fulfil such checks;  and in the course of providing our products and/or services to you/your organisation/your employer when it is necessary for business purposes.
• information which you have made publicly available on your social networking account, such as your name and your interests in our products and services, when you interact with us on our pages at social networking sites. The social networking sites may provide statistics and insights to us which help us understand the types of actions that people take on our pages. Where applicable, we and the social media site(s) have entered into an arrangement which determines our respective responsibilities;
• content that you provide, including but not limited to postings on any blogs, forums, wikis and other social media applications and services that we may provide;
• certain personal identification information (e.g. your national ID number) may be requested for security purposes before you are granted access to our premises;
• any other additional information you choose to provide to us (e.g. your working history), for instance, when you use any “Contact Us” feature of our PwC Services, as part of the registration process, register a user account, and/or create and update your user profile.

We may also collect personal data indirectly, such as using cookies. For more information on our use of cookies, please refer to Cookies section.

It is our policy that you are only required to supply us with the minimum scope of personal information that is necessary for us to complete your request and/or to provide you our PwC Services (“Necessary Personal Information”). You may voluntarily provide us with additional personal information we ask for, which will help us to improve PwC Services and to better serve your needs. Failure to provide us with such additional personal information will not negatively affect your use of PwC Services.  

2.2 Sensitive personal information

We do not usually seek personal sensitive information (e.g., data relating to personal ID, personal asset, race or ethnic origin, religious beliefs, criminal record, physical or mental health, or sexual orientation) from visitors to our websites. As indicated in 2.1 above, we may however collect certain categories of personal data, which may be regarded as sensitive personal data under relevant laws in Chinese Mainland for purposes of conducting pre-engagement checks and for security purposes (granting access to our premises).

We will not collect and process your sensitive personal data unless we have obtained your explicit consent as may be required under applicable law.

3.  Use of personal information

For Necessary Personal Information we collect, we will use it to complete your specific request and/or to provide you the PwC Services, which may further include:

• to provide, administer, manage and develop different functions of our products/services, such as conducting pre-engagement acceptance checks prior to providing those products/services;
• to communicate with you, such as responding to your enquiry and/or request; confirming and authenticating your identity in order to prevent unauthorised access to restricted areas of the site, content, or other services; determining the organisation that you work for or with which you are otherwise associated and staying in touch with our business contacts;
• to manage our business, such as operating and maintaining our operations and quality of our services; conducting quality and risk management reviews; operating and maintaining our IT systems; maintaining the security of data and our services; sorting and analysing user data, conducting surveys, or for benchmarking and data analysis; maintaining our client relationship management systems; understanding how people use the features and functions of our PwC Services in order to improve user experience and providing you with information about us and our range of products/services as explained in more detail in section 4 below; and
• to comply with any requirement of laws, regulation, or any government authority or agency, regulator, or a professional body of which we are a member; or to conduct any action to meet our obligations or those of any PwC Member Firms.

For personal information that is not Necessary Personal Information we collect, we will use it to improve the PwC Services, to develop different functions of our products/services and to better serve your needs.

We will only use the personal information collected for the above purposes where we have a lawful basis for such processing, including obtaining any prior consent as may be required under applicable law.

4.  Marketing

We may send you communications including publications from time to time, technical updates, upcoming events/seminars/webcasts, or surveys, PwC's latest insights and activities in major business and industry areas which may be of interest to you, and products or services that you request from us.

Where we are legally required to obtain your consent to provide you with marketing materials, we will only send marketing materials if you have given consent for us to do so. 

If you would like to subscribe to our e-newsletter, update your contact details or customise the information you receive from us, please complete the form at https://www.pwchk.com/en/subscribe-to-e-newsletter.html.

You may opt out of receiving marketing materials from us at any time at https://www.pwchk.com/en/unsubscribe.html.  

5.  Third party links

Our PwC Services may link to third-party sites not controlled by PwC and which do not operate under PwC’s privacy practices. PwC assumes no responsibility for the information practices of these third-party sites that a user is able to access through ours. When you link to third-party sites, PwC's privacy practices no longer apply. We encourage visitors to review each third-party site’s privacy policy before disclosing any personally identifiable information.

6.  Security of personal information

We have implemented generally accepted standards of technology and operational security in order to protect personally identifiable information from loss, misuse, alteration or destruction. Only authorised persons are provided access to personal information collected via the PwC Services; such individuals have agreed to maintain the confidentiality of this information.

Although we use appropriate security measures once we have received your personal data, the transmission of data over the internet (including by e-mail) is never completely secure. We endeavour to protect personal data, but we cannot guarantee the security of data transmitted to or by us.

Where a personal information security incident arises, we shall respond to the incident, assess the likely impact of the incident, and take necessary actions to bring the incident under control. Where necessary, we will report to the appropriate authority, notify you of the incident and provide relevant information, as may be required under applicable laws and regulations.

7.  Cookies

Cookies may be placed on your computer or device whenever you visit us online for PwC Services. Cookies are small text placed on our device that assist us in providing a more customised experience. If you are concerned about cookies, most browsers permit individuals to decline cookies. In most cases, you can refuse a cookie, however some functionality may be impaired. You can always delete cookies if you wish via your browser’s setting.

Please see our Cookie Policy.

8.  Transfers of personal information

Your personal data may be transferred to, processed by and stored with, the following classes of transferees/categories of recipients for the purposes as described in this Statement:

8.1 Network Member Firms

As PwC is a global network with Member Firms around the world, your personal information may be transferred to other PwC Member Firms (and their respective subsidiaries and affiliates). Other PwC Member Firms may process your personal information on behalf of the Data Controller² for the same purposes as set out herein. In addition, each PwC Member Firm whom you share your information may determine jointly with other PwC Member Firms the means of processing of your personal information. 

8.2 Third party service providers

Your information may also be transferred to third party service providers that are not members of the PwC network to process on a PwC Member Firm’s behalf. We may transfer or disclose the personal data we collect to third party contractors or subcontractors of PwC Member Firms (and their respective subsidiaries and affiliates), as well as other third parties, which may include providers of IT services, identity management, website hosting and management, data analysis, data back-up and archiving, security and storage services (including cloud service providers), event management, and other services with respect to the operation of our business. We use such third parties to support us in providing our PwC Services.

When we transfer your personal data to third parties, we do so for the purposes stated under this Statement, for the administration and maintenance of websites and associated systems, and/or other internal or administrative purposes.

It is our policy to use only third party service providers that are bound to maintain appropriate levels of security and confidentiality and process personal information only as instructed by us pursuant to the contract between us. Subject to the foregoing, third party service providers may also use their respective subsidiaries and affiliates, and their own third party subcontractors that have access to personal data (sub-processors) to meet purposes of disclosure and/or transfer.

8.3 Other disclosures

We may also disclose personal information to third parties under the following circumstances:

• when explicitly requested by you including delivering publications or reference materials as requested by you;
• when required to facilitate conferences or events hosted by a third party or co-hosted with a third party which you have registered for; personal information may be collected via event registration forms and the type of information collected will vary.  We may share such information with third parties for purposes connected to the event;
• when PwC is involved in a merger, acquisition, or sale of all or a portion of its assets; and/or
• as otherwise set out in this Statement.

We may also disclose your personal information to law enforcement, regulatory and other government agencies and authorities, professional bodies and other third parties, as required by and/or in accordance with applicable law or regulation. This may include disclosures outside the country or region where you are located.

8.4 International transfers

As PwC is a global network with Member Firms and third party service providers located around the world, your personal information may be transferred to and stored outside the country or region where you are located. PwC Member Firms, our service providers and sub-processors they engage may use servers and other resources in various countries and territories to process your information. Such jurisdictions may have different data protection laws. It is our policy to use only third party service providers that are bound to maintain appropriate levels of security and confidentiality and process personal information only as instructed by PwC. This may include confidentiality agreements with parties that we commission to handle personal information, requiring them to process personal information in accordance with our requirements, this Statement and any other relevant confidentiality and security measures.

We will take steps to ensure that your personal information is adequately protected within the territory of the People's Republic of China. For example, we may ask for your consent to the transfer of personal information across borders, or to implement security measures such as data de-identification prior to cross-border data transfer.

Since we provide PwC Services through resources and servers around the world, your personal information may be transferred to foreign jurisdictions outside Chinese Mainland unless restricted under applicable laws and regulations or specifically agreed by agreement.  

Where we collect personal information from within the EEA, in circumstances where the GDPR is applicable to PwC in providing the PwC Services in question, please refer to Appendix 1.

8.5 Transfer of business

This Statement discusses information practices of PwC in the ordinary course of its business. PwC reserves the right to transfer all data in its possession to a successor-in-interest to its business or assets.

We will require such successor-in-interest to continue to be bound by this Statement, otherwise they will be required to seek your consent.

9.  Retention of personal information

It is our policy to retain personal data only for as long as  is necessary for the fulfilment of the purposes for which the data are to be used, or as required by law, regulation or professional standards and in order to establish, exercise or defend our legal rights.

We keep contact information (such as mailing list information) until a user unsubscribes or requests that we delete that information. If you choose to unsubscribe from a mailing list, we may keep certain limited information about you so that we may honour your request.

10.  Access to data & Rights in relation to your information

You may have certain rights under applicable laws in relation to the personal information we hold about you, including:

• Right to enquire and request for copy of certain categories of personal information, including basic information, identification information, health information (if applicable) and education information;
• Right to update/correct your personal information which is inaccurate;
• Right to request deletion of your personal information;
• Right to request cancellation of your account; and
• Right to withdraw consent to processing your personal information (to the extent such processing is based on consent and consent is the only permissible basis for processing).  Should your consent withdrawal be effective, we will no longer process the corresponding personal information. However, your decision to withdraw your consent will not affect the processing of personal information previously based on your authorization.

If you would like to exercise any of these rights, please contact our Privacy Team. We will treat your requests in accordance with applicable legal requirements.

We may charge a fee for your request to access your information, if permitted by applicable law.

If you are an individual based in the EEA and GDPR is applicable to PwC in providing the PwC Services in question, you may be entitled to additional rights (see Appendix 1).

11.  Children

We are committed to protecting children’s privacy. The PwC Services are not intentionally designed for or directed at children, and we do not knowingly collect or store personal information about children. In the case of collecting personal information of a child in Chinese Mainland under the age of 14 (i.e. a minor), we will only use or publicly disclose such information if we have obtained explicit consent of the minor's parent or guardian. We will protect the confidentiality and security of children's personal information in accordance with relevant applicable laws and regulations.

12.  Contact us

If you wish to submit a request to exercise your rights, under applicable privacy law, or have questions about how your information is handled at any time, or to make complaints, please send your request to our Privacy Team.

When requested, and provided that it is practical and commercially feasible to comply with the request, we will reply to your request within 30 days or such time as prescribed under applicable law.

Should you not be satisfied with the way PwC has resolved your concern, you have the right to complain to the data protection authority in your territory.

13.  Changes to this Statement

We may need to update this Statement from time to time to comply with applicable law and regulations or other legitimate purposes. We may also separately advise you about the change. Subject to obtaining your explicit consent as may be required by applicable law, the new modified privacy statement will apply from that revision date. Therefore, we encourage you to review this Statement periodically to be informed about how we are protecting your information.

Appendix 1: Applicable only to Individuals based in the EEA

Appendix 1 of this Statement applies if you are an individual based in the EEA regardless of nationality or your employer or authorised representative is providing your personal data to us from a country in the EEA, and the GDPR is applicable to PwC in providing the PwC Services in question.

Legal grounds for processing personal information

We process personal data for the purposes set out in this Statement, as described above. For the purposes of complying with the GDPR, we do not need to collect your consent in order to process your personal data (except in limited circumstances where we process your special categories of personal data, where we may sometimes require your consent, in which case we will obtain your consent). Instead, we rely on one or more of the following processing conditions:

These are the principal legal grounds that justify our processing of your information:

We justify our use of personal data in the manner set out in clause 3 of this Statement above as follows:

(a) To provide you with our products/services:

Use justification: contract performance, legitimate interests (to enable us to provide our products/services).

(b) For communication with you:

Use justification: legitimate interests (to enable us to effectively communicate with you).

(c) For managing our business:

Use justification: legitimate interests including:

• to enable us to provide ongoing information about our products and services;
• to monitor satisfaction and views of our clients, customers and business partners etc. and help us grow our business;
• to ensure the smooth operation of our internal management and IT infrastructure processes;

Use justification: legal and regulatory obligations and legal claims (to enable us to cooperate with law enforcement and regulatory authorities).

(d) Others: For compliance with laws and other legal obligations and policies

Use justification: legal and regulatory obligations, legitimate interests (to enable us to achieve a consistent approach to compliance across our business).

International Transfers of Personal Data

Our business may require us to transfer your personal data to countries outside the EEA, including countries that may not provide the same level of data protection as your home country. Where we collect personal data from within the EEA, transfer outside the EEA will be only:

• to a recipient located in a country which provides an adequate level of protection for your personal information; and/or
• under an agreement which covers the EU requirements.

Please contact us at the contact details in this Statement if you would like to see a copy of the specific safeguards to export of your personal information.

Your Rights

Subject to limitations in applicable law, you are entitled to object to or request the restriction of processing of your personal data, and to request access to, rectification, erasure and portability of your own personal data.

Where the use of your personal data is based on consent, you can withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

You may also have the right to object to any processing based on the legitimate interests ground if our reasons for undertaking that processing outweigh any prejudice to your data protection rights.

Whilst a complaint is being investigated, you have the right to restrict how we use your information.

Your exercise of these rights is subject to certain exemptions to safeguard public interest (e.g. the prevention or detection of crime) and our interests (e.g. the maintenance of legal privilege). If you exercise any of these rights, we will check your entitlement and respond in most cases within a month.

If you are not satisfied with our use of your personal data or our response to any exercise of these rights, you have the right to lodge a complaint with a relevant supervisory authority.