Appendix 1: Applicable only to Individuals based in the EEA

This section of the privacy statement applies if you are an individual based in the EEA, regardless of nationality, or if your employer or authorised representative is providing your personal data to us from a country in the EEA, and the GDPR is applicable to PwC in the processing activities in question.

Legal grounds for processing personal information

We process personal data for the purposes set out in this privacy statement. For the purposes of complying with the GDPR, we do not need to collect your consent in order to process your personal data (except in limited circumstances where we process your special categories of personal data, where we may sometimes require your consent, in which case we will obtain your consent). Instead, we rely on one or more of the following processing conditions:

These are the principal legal grounds that justify our processing of your information:

  • Contract performance: where your information is necessary to enter into or perform our contract with you.
  • Legal and regulatory obligation: where we need to use your information to comply with our legal and regulatory obligations or those of a professional body of which we are a member (for example, for some of our services, we have a legal obligation to provide the service in a certain way).
  • Legitimate interests:
    • our legitimate interests in the effective delivery of information and services to you and in the effective and lawful operation of our businesses, and the legitimate interests of our clients in receiving professional services from us as part of running their organisation (provided these do not interfere with your rights);
    • our legitimate interests in developing and improving our businesses, services and offerings and in developing new PwC technologies and offerings (provided these do not interfere with your rights).
  • Legal claims: where your information is necessary for us to defend, prosecute or make a claim against you, us or a third party.
  • Employment legal obligations and rights: where our legal duties as employers necessitate the processing.
  • Consent: where you have consented to our use of your information.


We justify our use of personal data for the purposes described in this privacy statement as follows:

(a) To provide you with our products/services:

Use justification: contract performance, legitimate interests (to enable us to provide our products/services).

(b) For communication with you:

Use justification: legitimate interests (to enable us to effectively communicate with you).

(c) For managing our business:

Use justification: legitimate interests including:

  • to enable us to provide ongoing information about our products and services;
  • to monitor satisfaction and views of our clients, customers and business partners etc. and help us grow our business;
  • to ensure the smooth operation of our internal management and IT infrastructure processes.

Use justification: legal and regulatory obligations and legal claims (to enable us to cooperate with law enforcement and regulatory authorities).

(d) Others: For compliance with laws and other legal obligations and policies:

Use justification: legal and regulatory obligations, legitimate interests (to enable us to achieve a consistent approach to compliance across our business).

International Transfers of Personal Data

Our business may require us to transfer your personal data to countries outside the EEA, including countries that may not provide the same level of data protection as your home country. Where we collect personal data from within the EEA, transfers outside the EEA will be made only:

  • to a recipient located in a country which provides an adequate level of protection for your personal information; and/or
  • under an agreement which covers the EU requirements.

Please contact us using the contact details in the privacy statement if you would like to see a copy of the specific safeguards applied to the export of your personal information.

Your Rights

Subject to limitations in applicable law, you are entitled to object to or request the restriction of processing of your personal data, and to request access to, rectification, erasure and portability of your own personal data.

Where the use of your personal data is based on consent, you can withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

You may also have the right to object to any processing based on the legitimate interests ground if our reasons for undertaking that processing outweigh any prejudice to your data protection rights.

Whilst a complaint is being investigated, you have the right to restrict how we use your information.

Your exercise of these rights is subject to certain exemptions to safeguard public interest (e.g. the prevention or detection of crime) and our interests (e.g. the maintenance of legal privilege). If you exercise any of these rights, we will check your entitlement and respond in most cases within a month.

If you are not satisfied with our use of your personal data or our response to any exercise of these rights, you have the right to lodge a complaint with a relevant supervisory authority.