3. Business relationship

While your specific contractual relationship is with a particular PwC firm, the firm cooperates with the other PwC firms in certain areas as a joint manager in the provision of its services. If you have any questions regarding this joint responsibility, please send them to at_datenschutz@pwc.com.

The processing is described below for each of the following purposes:

  • Inquiries for consultation purposes
  • Provision of services to corporate clients
  • Provision of services to private customers
  • Customer Relations Management
  • Prevention of money laundering and measures against terrorist financing
  • Engagement documentation

3.1 Inquiries for consultation purposes

On our website, we offer you the opportunity to leave your contact details on specific topics in order to be contacted directly by our experts. We process the data provided here on the basis of pre-contractual measures requested by you.

Legal basis: fulfillment of pre-contractual measures based on your request in accordance with Art 6(1)(b) GDPR.

Categories of data: Name, e-mail, company, interests, other information provided by you

Storage period: Until completion of the pre-contractual measures or a resulting assignment 

3.2 Provision of services to corporate clients

In the course of our business relationship with corporate clients, it is essential that we process personal data of contact persons, managing directors, employees or, if applicable, customers or other third parties. The respective scope of data processing depends on the specific services to be provided, which is defined in the Engagement Letter.

In our work for you, we also use innovative cloud solutions, which in particular enable video conferences, data rooms or collaborative work on a document. In some cases, video and audio conferences can also be recorded or streamed if this is necessary to promote collaboration or knowledge sharing. In the course of our work for you, we may also use selected and non-public generative AI tools such as Copilot for Microsoft 365.

In order to increase efficiency and optimise the provision of services, it may be possible for specialised PwC service centres to be involved in the provision of services. In this context, the necessary operational data will be transmitted to the service centres. Your data is also processed for administrative purposes in order to facilitate the handling of business transactions and internal processes.

In these cases, we only process personal data if this is necessary to fulfil our contractual obligations or if we have an overriding interest in the processing. This is particularly the case if we process personal data of your employees, suppliers and/or customers for the provision of services to you (e.g. in connection with calculations for pension provisions).

If you do not provide us with this data or not to the extent required, we may not be able to provide the services you request. Please note that this would not be considered a contractual non-fulfilment on our part. If we receive personal data from you, we assume that you are entitled to transmit them to us.

Legal basis: Performance of contract according to Art 6(1)(b) and legitimate interest according to Art 6(1)(f) GDPR

Categories of data: The data varies depending on the service provided, but generally includes at least the following categories of data: First name, surname, email, telephone number, academic title, company affiliation and function, salary data, social security data, tax-related data, contractual data with third parties, other operational data.

Storage period: Until the end of service provision. After completion of the service provision, we are subject to different professional and tax retention regulations.

Recipients: Cloud service providers, IT service providers, PwC network companies.

Transfer to third countries: Some of our service providers are located in non-EEA countries. For some countries, there is an adequacy decision of the European Commission in place. In other cases, an adequate level of data protection has been achieved by concluding standard contractual clauses and, where applicable, additional guarantees.

3.3 Provision of services to private customers

In the course of our business relationship with you it is essential that we process your personal data. The respective scope of data processing depends on the specific services to be provided, which is defined in the Engagement Letter.

In our work for you, we make use of innovative cloud solutions that enable video conferencing, data rooms or joint work on a document, among other things. In some cases, video and audio conferences can also be recorded or streamed if this is necessary to promote collaboration or knowledge sharing. In the course of our work for you, PwC AT may also use selected and non-public generative AI tools such as Copilot for Microsoft 365.

In order to increase efficiency and optimise the provision of services, it may be possible for specialised PwC service centres to be involved in the provision of services. In this context, the necessary operational data will be transmitted to the service centres. Your data is also processed for administrative purposes in order to facilitate the handling of business transactions and internal processes.

We only process personal data here if this is necessary to fulfil our contractual obligations or if we have an overriding interest in the processing. This is particularly the case if we process personal data of your family members, any employees, suppliers and/or customers for the provision of services to you (e.g. in connection with the determination of shareholding relationships, tax information, etc.).

If you do not provide us with this data or not to the extent required, we may not be able to provide the services you requested. Please note that this would not be regarded as a contractual non-fulfilment on our part. If we receive personal data from you which are not your own, we assume that you are entitled to transfer them to us.

Legal basis: Performance of contract according to Art 6(1)(b) and legitimate interests as per Art 6(1)(f) GDPR

Categories of data: The data varies according to the service provided, but usually includes at least the following categories of data: contact details, business activity, family members, income and other tax-related information, social security data, investments and other financial information.

Storage period: Until the end of the service provision. After completion of the service provision, we are subject to different professional and tax retention regulations.

Recipients: Cloud service provider, IT service provider, PwC network firms.

Transfer to third countries: Some of our service providers are located in non-EEA countries. For some countries, there is an adequacy decision of the European Commission in place. In other cases, an adequate level of data protection has been achieved by concluding standard contractual clauses and, where applicable, additional guarantees.

3.4 Customer Relations Management

PwC processes personal data about contacts (existing and potential clients and/or people associated with them) using a customer relationship management tool and a marketing tool. The collection of personal data from contacts and the completion of this personal data in these systems is carried out by our staff. As a matter of principle, your personal data will not be disclosed to third parties. Firms in the PwC network are excluded from this. You can revoke the consent you have given us at any time with effect for the future. To do so, please send an appropriate request to at_datenschutz@pwc.com.

The systems are provided by Salesforce and hosted in Salesforce’s European data centers.

Legal basis: Consent in accordance with Art 6(1)(a) GDPR and Section 174 TKG 2021

Categories of data: First name, last name, e-mail, telephone number, academic title, company affiliation and function.

Storage period: Until you withdraw your consent.

Recipients: Cloud service provider, PwC network firms, IT service providers, external service providers

Transfer to third countries: Some of our service providers are located in non-EEA countries. For some countries, there is an adequacy decision of the European Commission in place. In other cases, an adequate level of data protection has been achieved by concluding standard contractual clauses and, where applicable, additional guarantees.

3.5 Prevention of money laundering and measures against terrorist financing

PwC is legally obliged to process personal data of its clients and, in the case of corporate clients, of the beneficial owners and other corporate representatives on the basis of national laws arising from EU money laundering and anti-terrorist financing regulations. After carrying out these checks with a compliance tool, the underlying documents must be retained for at least 5 years in accordance with professional regulations.

So that effective measures are not hindered, the rights of data subjects (in particular the right to information, correction, deletion or data transferability) may not be exercisable at certain points in time. This is always the case if responding to requests from data subjects would result in the measures being thwarted or jeopardised.

Legal basis: Compliance with a legal obligation in accordance with Art 6(1)(c) GDPR (Section 87 WTBG, Austrian Public Accountants and Auditors Act)

Categories of data: core data, tax information, company investments, account information

Storage period: at least 5 years after completion of the checks

Recipients: Cloud service providers, PwC network firms, IT service providers

Transfer to third countries: Some of our service providers are located in non-EEA countries. For some countries, there is an adequacy decision of the European Commission in place. In other cases, an adequate level of data protection has been achieved by concluding standard contractual clauses and, where applicable, additional guarantees.

3.6 Engagement documentation

PwC in Austria is required by law to maintain proper records and comprehensive documentation of its engagements. These records and documentation must also be retained and stored after the completion of an engagement or mandate for the retention periods specified by law.

In addition, PwC in Austria is subject to further statutory documentation and retention obligations based on, but not limited to, tax law, accounting provisions or commercial and corporate law requirements for companies. The data, work results and associated mandate-related correspondence subject to the documentation obligations may also contain data of clients; these are therefore also part of record management and archiving. Record management, documentation and archiving of mandate documents at PwC take place in PwC’s IT systems; in some cases, paper files are additionally stored.

Legal basis: fulfilment of a legal obligation pursuant to Art 6(1)(c) GDPR (including professional law, tax, commercial and company law)

Categories of data: The data varies depending on the service provided, but generally includes the following categories of data: First name, surname, email, telephone number, academic title, company affiliation and function, social security data, contractual data with third parties, operational data, master data, tax information, company shareholdings, account information

Storage period: depending on the underlying statutory retention periods

Recipients: Cloud service providers, PwC network companies, IT service providers

Transfer to third countries: Some of our service providers are based in third countries. The European Commission has issued an adequacy decision for some of these countries. If such a decision does not exist, an adequate level of data protection has been achieved by concluding standard contractual clauses and, if necessary, additional guarantees.