This Privacy Statement (this “Statement”) was last updated on 1 October 2020.
PwC is strongly committed to protecting personal information. This Statement explains what information we gather about you, what we use that information for, and who we give that information to. It also sets out your rights in relation to your information and who you can contact for more information or queries.
“PwC”, “we”, “us” and “our” refer to PwC Member Firms[1] operating in Chinese Mainland, Hong Kong SAR and Macau SAR.
The privacy of your personal information is important to us. This Statement describes how PwC handles personal information collected through our websites, social media platforms, applications, products and/or services provided by PwC Member Firms operating in Chinese Mainland, Hong Kong SAR and Macau SAR (referred to as “PwC Services”).
Some PwC Services provided by PwC Member Firms may have Privacy Statements that differ from this one and/or contain additional information as required under local laws. Please refer to the relevant Privacy Statements in order to understand how they process your personal information.
Many of our PwC Services require some personal data to be collected. If you choose not to provide us with the personal data necessary to enable us to provide such product/service, you may not be able to use that product/service.
In this Statement, your information is sometimes called “personal data” or “personal identifiable information” or “personal information”. We also sometimes collectively refer to handling, collecting, protecting or storing your personal information as “processing” such personal information.
This Statement applies to any personal data provided to us, and any personal data created in connection with our PwC Services.
For personal data collected in Chinese Mainland: If you are providing personal data of other individuals, please make sure that
(i) the personal data is from a legitimate and lawful source;
(ii) the other individuals are aware of the purpose(s) for collecting his/her personal data and all other relevant arrangements described in this Statement relating to the processing and use of personal data, and that he/she has consented to such disclosure and data processing.
We may contact you to inquire and confirm with you in relation to (i) and (ii) above. If you receive such an enquiry from us, please kindly assist and provide us with a prompt response. We may have to discontinue the PwC Services if we are unable to obtain the verification needed.
By using our PwC Services and providing personal information to us, you acknowledge that you have read this Statement, and subject to your explicit consent which we may separately seek from you as may be required by applicable law, you consent to the terms of this Statement (including international transfers as set out in this Statement to countries outside where you are located).
If you do not agree with the terms in this Statement and have concerns about the categories of personal data we require from you, please do not provide any personal information to us without contacting us.
If you are an individual based in the European Economic Area (“EEA”) and the European Union General Data Protection Regulation (“GDPR”) is applicable to PwC in providing the PwC Services in question, we may rely on a legal basis other than consent to process your personal information as set out in Appendix 1.
When you use our PwC Services, we may collect information about you including through cookies and analytics tools. We may collect personally identifiable information about you either directly from you, or by combining information we collect and maintain through other means (such as client relationship management systems or identification and access management systems, including IP addresses) or as we may receive from publicly available sources such as social media or other third-party sites.
2.1 Categories of Personal Data
The personal information we collect may include:
We may also collect personal data indirectly, such as by using cookies. For more information on our use of cookies, please refer to the Cookies section.
It is our policy that you are only required to supply us with the minimum scope of personal information that is necessary for us to complete your request and/or to provide you our PwC Services (“Necessary Personal Information”). You may voluntarily provide us with additional personal information we ask for, which will help us to improve PwC Services and to better serve your needs. Failure to provide us with such additional personal information will not negatively affect your use of PwC Services.
2.2 Sensitive personal information
We do not usually seek personal sensitive information (e.g., data relating to personal ID, personal asset, race or ethnic origin, religious beliefs, criminal record, physical or mental health, or sexual orientation) from visitors to our websites. As indicated in 2.1 above, we may however collect certain categories of personal data, which may be regarded as sensitive personal data under relevant laws in Chinese Mainland for purposes of conducting pre-engagement checks and for security purposes (granting access to our premises).
We will not collect and process your sensitive personal data unless we have obtained your explicit consent as may be required under applicable law.
For Necessary Personal Information we collect, we will use it to complete your specific request and/or to provide you the PwC Services, which may further include:
For personal information that is not Necessary Personal Information we collect, we will use it to improve the PwC Services, to develop different functions of our products/services and to better serve your needs.
We will only use the personal information collected for the above purposes where we have a lawful basis for such processing, including obtaining any prior consent as may be required under applicable law.
We may send you communications including publications from time to time, technical updates, upcoming events/seminars/webcasts, or surveys, PwC's latest insights and activities in major business and industry areas which may be of interest to you, and products or services that you request from us.
Where we are legally required to obtain your consent to provide you with marketing materials, we will only send marketing materials if you have given consent for us to do so.
If you would like to subscribe to our e-newsletter, update your contact details or customise the information you receive from us, please complete the form at https://www.pwccn.com/en/subscribe-to-e-newsletter.html.
You may opt out of receiving marketing materials from us at any time at https://www.pwccn.com/en/unsubscribe.html.
Our PwC Services may link to third-party sites not controlled by PwC and which do not operate under PwC’s privacy practices. PwC assumes no responsibility for the information practices of these third-party sites that a user is able to access through ours. When you link to third-party sites, PwC's privacy practices no longer apply. We encourage visitors to review each third-party site’s privacy policy before disclosing any personally identifiable information.
We have implemented generally accepted standards of technology and operational security in order to protect personally identifiable information from loss, misuse, alteration or destruction. Only authorised persons are provided access to personal information collected via the PwC Services; such individuals have agreed to maintain the confidentiality of this information.
Although we use appropriate security measures once we have received your personal data, the transmission of data over the internet (including by e-mail) is never completely secure. We endeavour to protect personal data, but we cannot guarantee the security of data transmitted to or by us.
Where a personal information security incident arises, we shall respond to the incident, assess the likely impact of the incident, and take necessary actions to bring the incident under control. Where necessary, we will report to the appropriate authority, notify you of the incident and provide relevant information, as may be required under applicable laws and regulations.
Your personal data may be transferred to, processed by and stored with, the following classes of transferees/categories of recipients for the purposes as described in this Statement:
8.1 Network Member Firms
As PwC is a global network with Member Firms around the world, your personal information may be transferred to other PwC Member Firms (and their respective subsidiaries and affiliates). Other PwC Member Firms may process your personal information on behalf of the Data Controller[2] for the same purposes as set out herein. In addition, each PwC Member Firm with whom you share your information may determine jointly with other PwC Member Firms the means of processing of your personal information.
8.2 Third party service providers
Your information may also be transferred to third party service providers that are not members of the PwC network to process on a PwC Member Firm’s behalf. We may transfer or disclose the personal data we collect to third party contractors or subcontractors of PwC Member Firms (and their respective subsidiaries and affiliates), as well as other third parties, which may include providers of IT services, identity management, website hosting and management, data analysis, data back-up and archiving, security and storage services (including cloud service providers), event management, and other services with respect to the operation of our business. We use such third parties to support us in providing our PwC Services.
When we transfer your personal data to third parties, we do so for the purposes stated under this Statement, for the administration and maintenance of websites and associated systems, and/or other internal or administrative purposes.
It is our policy to use only third party service providers that are bound to maintain appropriate levels of security and confidentiality and process personal information only as instructed by us pursuant to the contract between us. Subject to the foregoing, third party service providers may also use their respective subsidiaries and affiliates, and their own third party subcontractors that have access to personal data (sub-processors) to meet purposes of disclosure and/or transfer.
8.3 Other disclosures
We may also disclose personal information to third parties under the following circumstances:
We may also disclose your personal information to law enforcement, regulatory and other government agencies and authorities, professional bodies and other third parties, as required by and/or in accordance with applicable law or regulation. This may include disclosures outside the country or region where you are located.
8.4 International transfers
As PwC is a global network with Member Firms and third party service providers located around the world, your personal information may be transferred to and stored outside the country or region where you are located. PwC Member Firms, our service providers and sub-processors they engage may use servers and other resources in various countries and territories to process your information. Such jurisdictions may have different data protection laws. It is our policy to use only third party service providers that are bound to maintain appropriate levels of security and confidentiality and process personal information only as instructed by PwC. This may include confidentiality agreements with parties that we commission to handle personal information, requiring them to process personal information in accordance with our requirements, this Statement and any other relevant confidentiality and security measures.
We will take steps to ensure that your personal information is adequately protected within the territory of the People's Republic of China. For example, we may ask for your consent to the transfer of personal information across borders, or to implement security measures such as data de-identification prior to cross-border data transfer.
Since we provide PwC Services through resources and servers around the world, your personal information may be transferred to foreign jurisdictions outside Chinese Mainland unless restricted under applicable laws and regulations or specifically agreed by agreement.
Where we collect personal information from within the EEA, in circumstances where the GDPR is applicable to PwC in providing the PwC Services in question, please refer to Appendix 1.
8.5 Transfer of business
This Statement discusses information practices of PwC in the ordinary course of its business. PwC reserves the right to transfer all data in its possession to a successor-in-interest to its business or assets.
We will require such successor-in-interest to continue to be bound by this Statement, otherwise they will be required to seek your consent.
It is our policy to retain personal data only for as long as is necessary for the fulfilment of the purposes for which the data are to be used, or as required by law, regulation or professional standards and in order to establish, exercise or defend our legal rights.
We keep contact information (such as mailing list information) until a user unsubscribes or requests that we delete that information. If you choose to unsubscribe from a mailing list, we may keep certain limited information about you so that we may honour your request.
You may have certain rights under applicable laws in relation to the personal information we hold about you, including:
If you would like to exercise any of these rights, please contact our Privacy Team. We will treat your requests in accordance with applicable legal requirements.
We may charge a fee for your request to access your information, if permitted by applicable law.
If you are an individual based in the EEA and GDPR is applicable to PwC in providing the PwC Services in question, you may be entitled to additional rights (see Appendix 1).
We are committed to protecting children’s privacy. The PwC Services are not intentionally designed for or directed at children, and we do not knowingly collect or store personal information about children. In the case of collecting personal information of a child in Chinese Mainland under the age of 14 (i.e. a minor), we will only use or publicly disclose such information if we have obtained explicit consent of the minor's parent or guardian. We will protect the confidentiality and security of children's personal information in accordance with relevant applicable laws and regulations.
If you wish to submit a request to exercise your rights, under applicable privacy law, or have questions about how your information is handled at any time, or to make complaints, please send your request to our Privacy Team.
When requested, and provided that it is practical and commercially feasible to comply with the request, we will reply to your request within 30 days or such time as prescribed under applicable law.
Should you not be satisfied with the way PwC has resolved your concern, you have the right to complain to the data protection authority in your territory.
We may need to update this Statement from time to time to comply with applicable law and regulations or other legitimate purposes. We may also separately advise you about the change. Subject to obtaining your explicit consent as may be required by applicable law, the new modified privacy statement will apply from that revision date. Therefore, we encourage you to review this Statement periodically to be informed about how we are protecting your information.
Appendix 1 of this Statement applies if you are an individual based in the EEA regardless of nationality or your employer or authorised representative is providing your personal data to us from a country in the EEA, and the GDPR is applicable to PwC in providing the PwC Services in question.
We process personal data for the purposes set out in this Statement, as described above. For the purposes of complying with the GDPR, we do not need to collect your consent in order to process your personal data (except in limited circumstances where we process your special categories of personal data, where we may sometimes require your consent, in which case we will obtain your consent). Instead, we rely on one or more of the following processing conditions:
These are the principal legal grounds that justify our processing of your information:
Contract performance: where your information is necessary to enter into or perform our contract with you.
Legal and regulatory obligation: where we need to use your information to comply with our legal and regulatory obligations.
Legitimate interests: where we use your information to achieve a legitimate interest and our reasons for using it outweigh any prejudice to your data protection rights.
Legal claims: where your information is necessary for us to defend, prosecute or make a claim against you, us or a third party.
Employment legal obligations and rights: where our legal duties as employers necessitate the processing.
Consent: where you have consented to our use of your information.
We justify our use of personal data in the manner set out in clause 3 of this Statement above as follows:
(a) To provide you with our products/services:
Use justification: contract performance, legitimate interests (to enable us to provide our products/services).
(b) For communication with you:
Use justification: legitimate interests (to enable us to effectively communicate with you).
(c) For managing our business:
Use justification: legitimate interests including:
Use justification: legal and regulatory obligations and legal claims (to enable us to cooperate with law enforcement and regulatory authorities).
(d) Others: For compliance with laws and other legal obligations and policies
Use justification: legal and regulatory obligations, legitimate interests (to enable us to achieve a consistent approach to compliance across our business).
Our business may require us to transfer your personal data to countries outside the EEA, including countries that may not provide the same level of data protection as your home country. Where we collect personal data from within the EEA, transfer outside the EEA will be only:
Please contact us at the contact details in this Statement if you would like to see a copy of the specific safeguards applied to the export of your personal information.
Subject to limitations in applicable law, you are entitled to object to or request the restriction of processing of your personal data, and to request access to, rectification, erasure and portability of your own personal data.
Where the use of your personal data is based on consent, you can withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
You may also have the right to object to any processing based on the legitimate interests ground if our reasons for undertaking that processing outweigh any prejudice to your data protection rights.
Whilst a complaint is being investigated, you have the right to restrict how we use your information.
Your exercise of these rights is subject to certain exemptions to safeguard public interest (e.g. the prevention or detection of crime) and our interests (e.g. the maintenance of legal privilege). If you exercise any of these rights, we will check your entitlement and respond in most cases within a month.
If you are not satisfied with our use of your personal data or our response to any exercise of these rights, you have the right to lodge a complaint with a relevant supervisory authority.
1. "Member Firm" means an entity or partnership within the worldwide network of PricewaterhouseCoopers firms and entities, each of which is a separate and independent legal entity. For further details, please see pwc.com/structure.
For a list of countries and regions where PwC firms are located, please see http://www.pwc.com/gx/en/about/office-locations.html.
2. "Data Controllers" of personal information are one or more of the PwC Member Firms that, either alone or jointly or in common, determine the purposes and means of the processing of personal data.
Generally, the Data Controller for the personal data is the PwC Member Firm(s) operating in Chinese Mainland, Hong Kong SAR and Macau SAR providing the relevant PwC Services unless specified otherwise (e.g. by way of contracts).