Version of 29 April 2022
This Personal Data Processing and Protection Policy (the “Policy”) is adopted and in effect in the following legal entities: Private Limited Liability Company PricewaterhouseCoopers Russia B.V., Joint-Stock Company “Technologies of Trust – Audit”
, Limited Liability Company “Technologies of Trust – Consulting”, Limited Liability Company “Technologies of Trust – Audit Services”
, Limited Liability Company “Technologies of Trust – Legal Services”, Limited Liability Company “Technologies of Trust – Property”, Limited Liability Company “TeDo”, Private Institution of Continuing Professional Education “Corporate Training Centre “Technologies of Trust - Expert”, Limited Liability Company “Technologies of Trust – Professional Services”
, Limited Liability Company “Digital Formula of Trust”
which are all located at 10 Butyrsky Val, Moscow, Russia, 125047 (hereinafter each individually referred to as the “Company” and collectively as the “Company” or “we”).1. General
We may collect and use the personal data you provide to us when:
- you access our websites and mobile applications (the “websites”) from any device or when communicating with us in any form in compliance with this Policy. By using our websites and providing your personal data to us, you give your consent to have your personal data processed in compliance with this Policy;
- you get in touch with us with a question, complaint, comment or feedback (such as name, contact details and contents of the communication). In these cases, the individual is in control of the personal data shared with us and we will only use the data for the purpose of responding to the communication and handling the matter as appropriate. The personal data referred above may include full name, employer name, contact title, phone, email and other business contact details;
- you apply online for a job at one of our Companies via our careers website;
- you visit our offices. We need to obtain and process your personal data in order to comply with security measures and build access control;
- we provide services to our clients. Our policy is to collect only the personal data necessary for specified purposes and we ask our clients only to share personal data where it is strictly needed for those purposes. Where we need to process personal data to provide our services, we ask our clients to get appropriate person’s authorization and provide the necessary information to the data subjects concerned regarding its use;
- we manage the relationship, contract and receive services from our suppliers and subcontractors.
We process personal data about contacts (existing and potential Company clients and/or individuals associated with them) using a customer relationship management system (the “Company CRM”).
The collection of personal data about contacts and the addition of that personal data to the Company CRM is initiated by a Company user and will include name, employer name, contact title, phone, email and other business contact details. In addition, the Company CRM helps Company users to manage relations with contacts or third parties by observing data concerning interactions between the Company users and contacts or third parties in the Company email (sender name, recipient name, date and time) and calendar (organiser name, participant name, date and time of event). Personal data relating to business contacts may be visible to and used by the Company users to learn more about an account, client or opportunity they have an interest in.2. Key terms and definitions
“Personal data” means any information that is related directly or indirectly to a specific or identifiable individual.
“Personal data processing” is performing any actions (operation) or sets of actions (operations), with or without means of automation, with respect to your personal data including the following: collect, record, systemise, gather, store, update, alter, extract, use, transfer (provide, access), depersonalise, block, delete, destroy with and without the use of personal data automated processing systems.3. The principles of processing personal data
4. The types of data we collect
- We process personal data lawfully and fairly.
- Processing involves only the personal data which meet the intended purposes of the processing thereof.
- The contents and scope of processed personal data correspond to the declared purposes of processing. Processed personal data is not excessive in respect of the declared purposes of processing thereof.
- The term of processing of personal data is limited within the scope of specified, preset and lawful purposes.
- We take all necessary measures for providing security of processing personal data.
- We respect lawful rights of personal data subjects and ensure their protection in the processing of personal data.
We may collect the following types of data:
5. Purposes of personal data processing
- the personal data you provide to us when filling out information fields at our websites, including filling out the contact form, subscribing to news mailouts, registering for our events;
- the personal data and other information contained in the messages you send to us;
- the personal data you provide at our job and internship offerings website;
- the personal data you provide to us when you visit our offices;
- the personal data that we need to obtain and process in order to render services and provide or receive professional advice and deliverables.
We may process your personal data for purposes it has been provided for only, including the following:
- registering you at our websites to grant access to selected sections;
- providing you with information about the Company, our services and events;
- answering your requests and enquiring for additional information;
- organising your participation in our events and surveys;
- sending you our news casts;
- distributing requested reference materials;
- submitting curriculum vitae;
- discharging legal, regulatory and professional obligations imposed on the Company in compliance with the Russian law or by a professional body of which we are a member. We need to keep certain records to demonstrate that our services are provided in compliance with those obligations and those records may contain personal data;
- conducting client acceptance procedures;
- providing or receiving professional services;
- developing our businesses and services;
- making personal data available to the Company employees for performing services and for offering new services;
- identifying clients with similar needs;
- performing analytics such as on market trends, relationships maps or sales opportunities; in addition, the Company CRM uses an algorithm to evaluate the strength of interactions between a Company user and a contact. This ranking is primarily based on interaction frequency, duration, recency and response time;
- administering managing and developing our businesses and services, including:
➔ managing our relationship with clients;
➔ developing our businesses and services (such as identifying client needs and improvements in service delivery);
➔ maintaining and using IT systems;
➔ hosting or facilitating the hosting of events; and
➔ administering and managing our website and systems and applications;
- security, quality and risk management activities, including:
➔ detecting, investigating and resolving security threats;
➔ monitoring the quality of our services and managing risks in relation to our clients as part of our client engagement and acceptance procedures;
➔ monitoring the quality of our services and managing risks in relation to our suppliers and subcontractors as part of our contracting procedures.
- other purposes upon your consent.
We process technical data to:
- ensure our websites’ operability and security
- improve our websites’ quality.
We do not place your data in publicly available sources. We do not make any decisions that would have adverse legal implications for or otherwise violate your rights and rightful interests based on personal data automated processing only.6. Your rights
Protecting your personal data rights and liberties is pivotal to the way we do business.
To ensure that your rights and liberties are protected, upon your request, we will:
7. How you can contact us
- confirm whether we process your personal data and will allow you to look through it within the period established by Russian law in effect;
- inform you on the source and contents of your personal data that we process;
- inform you on the legal basis, purposes, terms and means of processing your personal data;
- introduce the necessary changes to your personal data if you confirm it is incomplete, inaccurate or outdated within the period established by Russian law in effect, and notify you on the changes made;
- notify you on the cross-border transfer of your personal data made or planned;
- notify you on the name and location of the organisations, which have access to your personal data and to which your personal data may be disclosed upon your consent;
- inform you about the company name or full name of entities/individuals charged with processing your personal data;
- notify you on the exercise of your rights during our processing of your personal data;
- exclude you from our news mailout list;
- stop processing your personal data within the period established by the law in effect, provided there are no other legal basis for personal data processing stipulated by the Russian law;
- stop processing your personal data if unlawful processing on our side is confirmed and notify you on remedial action taken;
- destroy your personal data if unlawful receipt or unintended use thereof is confirmed within the period established by the law in effect, and notify you on remedial action taken;
- answer any questions related to your personal data we process.
You can send us a request or complaint related to your personal data processing by email email@example.com
or by post under the subject “Request on Personal Data” including information on the purposes for which your data was provided to us and context of our processing activities to the email address firstname.lastname@example.org
or postal address: 10 Butyrsky Val, Moscow, Russia, 125047. We may ask you to provide additional information regarding your request which is necessary for provision of response to you.8. Consent withdrawal
You can send us a personal data consent withdrawal under subject “Personal Data Processing Consent Withdrawal” including information on the purposes for which your data was provided to us and context of our processing activities to the email address email@example.com
or postal address: 10 Butyrsky Val, Moscow, Russia, 125047.
9. When and how we share personal data and locations of processing
We will only share personal data with others when we are legally permitted to do so. When we share data with others, we put contractual arrangements and security mechanisms in place to protect the data and to comply with our data protection, confidentiality and security standards.
In common with other professional service providers, we use third parties located in other countries to help us run our business. As a result, personal data may be transferred outside the countries where we and our clients are located. Your personal data security during cross-border transfers is very important to us. We take all necessary measures to guarantee confidentiality and security of your personal data.
Cross-border transfers of personal data to countries that do not ensure adequate protection of personal data are permissible only with your written consent or to execute a contract to which you are a Party, and in other cases provided by the Russian law on personal data. We have taken steps to ensure all personal data is provided with adequate protection and that all transfers of personal data are done lawfully.
Personal data held by us may be transferred to:
10. Personal data security
- Third party organisations that provide applications/functionality, data processing or IT services to us.
- We use third parties to support us in providing our services and to help provide, run and manage our internal IT systems. For example, providers of information technology, cloud-based software as a service providers, identity management, website hosting and management, data analysis, data back-up, security and storage services. The servers powering and facilitating that cloud infrastructure are located in secure data centres around the world, and personal data may be stored in any one of them.
- Third party organisations that otherwise assist us in providing services, products or information.
- Auditors and other professional advisers.
- Law enforcement or other government and regulatory agencies or to other third parties as required by, and in accordance with, applicable law or regulations.
- Occasionally, we may receive requests from third parties with authority to obtain disclosure of personal data, such as to check that we are complying with applicable law and regulation, to investigate an alleged crime, to establish, exercise or defend legal rights. We will only fulfil requests for personal data where we are permitted to do so in accordance with applicable law or regulation.
To ensure the security of your personal data during processing, we take all necessary and sufficient legal, organisational and technical measures to protect personal data from unauthorised or accidental access, destruction, alteration, blocking, copying, disclosure or distribution, as well as against all other unlawful actions with respect to personal data.
For ensuring the adequate protection of your personal data, we assess the potential damage that could be inflicted on you if your personal data were compromised, and identify relevant threats to your personal data security during processing in personal data information systems.
The Company has adopted internal regulations on personal data security. The Company's employees who have access to personal data are familiar with this Policy and other internal regulations on personal data processing.11. Cessation of personal data processing
We stop processing your personal data in the following cases:
- conditions of cessation of personal data processing arise or the agreed term expires;
- data processing purposes are achieved or it is no longer necessary to achieve such purposes;
- upon your request if the personal data processed have been obtained unlawfully or are not necessary for the stated purpose of processing;
- if the processing is identified as unlawful and it is impossible to ensure its lawfulness;
- when your data processing consent expires or you withdraw your consent provided there are no other legal bases for personal data processing stipulated by the Russian law;
- the Company is liquidated.
for details.13. Links to third-party websites
Our websites may contain links to third-party websites and services beyond our control. We do not bear any liability for the security and confidentiality of any information collected by third-party websites or services.14. Policy changes
We may update the Policy if necessary. We advise you to check for the latest version of this Policy from time to time. By continuing to use our websites after the Policy is updated, you agree with the latest changes introduced.
If you have any questions about this policy, please contact our personal data team by sending your message by email firstname.lastname@example.org
or by post under the subject “Request on Personal Data” to the email address email@example.com
or postal address: 10 Butyrsky Val, Moscow, Russia, 125047.