As of October 6th, 2015, the US-EU Safe Harbor framework has been declared invalid by the European Court of Justice. Nonetheless, EY continues to adhere to the Safe Harbor principles set out in this document. EY has also established a Binding Corporate Rules (BCR) Program to comply with European data protection law, specifically regarding transfers of personal data between the Member Firms.
Ernst & Young LLP and its affiliated U.S. entities ("the firm," "we," "us," or "our") adhere to the Safe Harbor Frameworks concerning the transfer of personal data from the European Union (EU) and Switzerland to the United States. Accordingly, we follow the U.S.-EU and U.S.-Swiss Safe Harbor Privacy Principles published by the U.S. Department of Commerce ("Principles") with respect to all such data. This statement outlines our general policy and practices for implementing the Principles, including the types of personal data the firm gathers, how we use it, and the choices affected individuals have regarding our use of, and their ability to correct, the personal data relating to them. If there is any conflict between this statement and the Principles, the Principles will govern. To learn more about the Safe Harbor program, and to view EY’s certification, please visit http://www.export.gov/safeharbor.
This policy applies to all personal data we handle, including on-line (except as noted below), off-line, and manually processed data. For purposes of this statement, "personal data" means information that:
- is transferred from the EU or Switzerland to the United States
- is about, or pertains to, a specific individual
- can be linked to that individual
In this policy, the firm and its international affiliates are referred to together as "EY."
Principles Protecting Individuals' Privacy
Notice and Choice
We notify individuals about the personal data we collect from them, how we use it and how to contact us with privacy concerns. We provide such notice through this statement, our engagement letters or other similar documents, and direct communication with individuals from whom we collect personal data. We collect and process personal data about EY personnel for the purpose of human resources administration and recruitment. We collect and process personal data about our clients and their personnel for the purpose of rendering professional services to our clients.
We collect personal data from individuals only as permitted by the Principles. Consent for personal data to be collected, used, and/or disclosed in certain ways (including opt-in consent for sensitive data) may be required in order for an individual to obtain or use our services. Such consent is provided through our engagement letters, employment agreements, and other similar documents.
EY does not use personal information for purposes it considers to be incompatible with the purpose for which the information was originally collected or authorized by the individual.
Disclosures and Transfers
We do not disclose an individual's personal data to third parties, except when one or more of the following conditions is true:
- We have the individual's permission to make the disclosure
- The disclosure is required by law, legal process or mandatory professional standards
- The disclosure is reasonably related to the sale or other disposition of all or part of our business
- The information in question is publicly available
- The disclosure is reasonably necessary for the establishment of legal claims
- The disclosure is to another EY entity or to persons or entities providing services on our or the individual's behalf (each a "transferee"), consistent with the purpose for which the information was obtained, if the transferee, with respect to the information in question:
  - is subject to law providing an adequate level of privacy protection; or
  - has agreed to provide an adequate level of privacy protection.
Permitted transfers of personal data, either to third parties or within EY, include the transfer of data from one jurisdiction to another, including transfers to and from the United States. Because privacy laws vary from one jurisdiction to another, personal data may be transferred to a jurisdiction where the laws provide less or different protection than the jurisdiction in which the data originated. In such cases, we will take appropriate measures to protect personal data in accordance with the Principles.
Data Security, Integrity, and Access
We employ various physical, electronic, and managerial measures, including education and training of our personnel, designed to provide personal information with reasonable protection from loss, misuse or unauthorized access, disclosure, alteration or destruction. Personal data collected or displayed through a website is protected in transit by standard encryption processes. However, we cannot guarantee the security of information on or transmitted via the Internet.
We process personal data only in ways compatible with the purpose for which it was collected or authorized by the individual. To the extent necessary for such purposes, we take reasonable steps so that personal data is accurate, complete, current, and otherwise reliable with regard to its intended use.
If an individual becomes aware that information we maintain about that individual is inaccurate, or if an individual would like to update or review his or her information, the individual may contact us using the contact information below. The individual will need to provide sufficient identifying information, such as name, address, and birth date. As a security precaution, we may request additional identifying information, possibly including a national identifier (e.g., a Social Security number). In addition, we may limit or deny access to personal information where providing such access would be unreasonably burdensome or expensive in the circumstances, or as otherwise permitted by the Safe Harbor Principles. In some circumstances, we may charge a reasonable fee, where warranted, for access to personal information.
Accountability and Enforcement
We have established a program to monitor our adherence to the Principles and to address questions and concerns regarding our adherence. This program will include a statement, at least once a year, signed by an authorized representative of EY, verifying that this statement is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented, and accessible. We encourage interested persons to raise any concerns with us using the contact information below.
Individuals may file a complaint with our Office of Ethics and Compliance in connection with EY's processing of their personal data under the Safe Harbor Principles. With respect to any dispute relating to this policy that cannot be resolved through our internal processes:
- If the dispute involves data collected in the context of an employment relationship, we will cooperate with competent EU or Swiss data protection authorities and comply with the advice of such authorities. In the event that we or such authorities determine that we did not comply with this policy, we will take appropriate steps to address any adverse effects and to promote future compliance.
- If the dispute involves other types of data, individuals may pursue the matter by filing a claim with the International Centre for Dispute Resolution®, the international division of the American Arbitration Association® (ICDR/AAA).
Personnel who violate our privacy policies will be subject to disciplinary process.
We may amend this policy from time to time by posting a revised policy on this website, or a similar website that replaces this site. If we amend the policy, the new policy will apply to personal data previously collected only insofar as the rights of the individual affected are not reduced. So long as we adhere to the Safe Harbor Principles, we will not amend our policy in a manner inconsistent with the Principles.
Information Subject to Other Policies
We are committed to following the Principles for all personal data within the scope of the Safe Harbor Agreement. However, certain information is subject to policies of the firm that may differ in some respects from the general policies set forth in this statement.
Certain EY websites have their own privacy policies that apply to those sites. These policies may be accessed through the websites in question.
Information relating to present or former EY personnel is subject to our policies concerning personnel data privacy, which are available to current EY personnel on EY's intranet site and to former EY personnel upon request.
Information obtained from or relating to clients or former clients is further subject to the terms of any privacy notice to the client, any engagement letter or other similar letters or agreements with the client, and applicable laws and professional standards.
For further information, please contact us.
Americas Office of Ethics and Compliance
Ernst & Young LLP
5 Times Square
New York, New York 10036