This privacy notice explains how EY collects and uses personal data, and describes the rights you have with respect to your personal data.
In this notice, “EY,” “our”, “we” or “us” refers to the global organization of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity, or refers to one or more of those member firms. The controllers of your personal data are one or more of the EY entities listed here (see the list of EY member firms and affiliates).
EY processes personal data for a variety of purposes. We collect this personal data directly from you, for example, if you engage us to prepare your tax return, if you visit ey.com (our website), if you submit your contact details to receive marketing communications from us or submit a job application via the EY careers website. Alternatively, we process your personal data in the context of providing professional services to your employer or service provider, for example, conducting an audit of your bank or payroll for the company you work for. Finally, we obtain your personal data via publicly available sources. This privacy notice is intended to cover all of the above-mentioned scenarios.
Click on the links in our index to take you to the more detailed information regarding various purposes for which we process personal data:
- Visiting our website "Entrepreneur Of The YearTM"
- Client support and providing our services, such as consulting and auditing services
- Contact maintainance and customer relationship management (CRM)
- Participants of EY meetings, conferences, events and learning sessions
- Providing tools, IT solutions and applications
- Marketing and social media
- Responsing to your requests
- Applicant management
- Alumni network
- Supply management
- Compliance with legal requirements, such as EY/Ethics
- Visitor management
If you have any questions regarding the processing of your personal data or wish to contact the data protection officer of an EY member firm, please contact the EY data protection team who will direct your query to the appropriate person or team within the organization.
The data protection officer for the Austrian data controllers can be reached at the following contact details:
Data Protection Officer
Ernst & Young ServicegmbH & Co OG Steuerberatungsgesellschaft
Wagramer Straße 19, IZD-Tower
In this privacy notice, “personal data” means any information relating to an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier. Personal data also refers to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of an individual.
The following categories of data are particularly sensitive:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Membership of a trade union
- Genetic data
- Biometric data
- Physical or mental health or condition
- Sex life or sexual orientation
- Personal data relating to criminal convictions and offenses
You have the following rights in relation to your personal data:
- You have the right to be informed about your personal data stored by EY.
- You can request that your personal data be corrected, for example if it is incomplete or incorrect.
- You have the right to opt out of receiving marketing communications at any time.
- If EY procesess your personal data on the basis of an overriding legitimate interest, you have the right to object at any time for reasons arising from your individual freedom and fundamental rights which outweigh our interest in the processing.
- You can request that the processing of your personal data be restricted or stopped or that your personal data be deleted (in certain circumstances and in accordance with applicable law).
- You have the right (in certain circumstances and in accordance with applicable law) to receive a copy of the personal data which you have provided to EY in a structured, commonly used and machine-readable format (known as “data portability”).
- Where you have provided personal data voluntarily, or otherwise consented to its use, you have the right to withdraw your consent.
- You have the right to complain to a data protection authority (see section “Complaints”).
If you have a query or wish to exercise your rights, please contact the EY data protection team.
If you are concerned about an alleged breach of privacy law or any other regulation by EY, you can contact the EY data protection officer. Our data protection officer will investigate your complaint and give you information about how it will be handled.
You also have the right to complain to the Austrian data protection authority, Barichgasse 40 - 42, 1030 Vienna, or refer the matter to a court of competent jurisdiction or as specified in any applicable engagement agreement with EY.
Personal data that we collect about you when you visit our website falls into several categories.
Information that you provide directly
We collect personal data that you provide through our website, for example, when completing online forms to contact us, subscribing to a newsletter, using one of our online benchmark tools, subscribing to receive marketing communications from us, participating in surveys or registering for events or webcasts that we are organizing. The information we collect about you include the following:
- Company or organization
- Contact information, including primary email, email address and telephone numbers
- Demographic information, such as country, postcode, preferences and interests
- Other information relevant to client surveys or similar research
- Information pertinent to fulfilling our services to you
- Any other personal data that you voluntarily choose to provide to us
If you register on our website, for example for our newletters, webcasts or events, your personal data will be stored in our CRM system and used to answer your enquiry or to carry out the event or webcast.
Information that we collect automatically
Our website also uses various social media plugins.
Purposes for which we process your personal data as a visitor to our website are:
- To provide and ensure the security and stability of our website
- To manage our website, including to confirm and authenticate your identity, and prevent unauthorized access to restricted areas of our website
- To personalize and enrich your browsing experience by displaying content that is more likely to be relevant and of interest to you
- To analyze the data of visitors to our website
- To determine the company, organization, institution or agency that you work for or with which you are otherwise associated
- To develop our business and services
- To conduct benchmarking and data analysis (for example, regarding usage of our website and demographic analyses of visitors of our website)
- To understand how visitors use the features and functions of our website
- To conduct quality and risk management reviews
- Any other purpose for which you provided information to EY
Legal grounds for processing personal data of visitors of our website are:
- Our legitimate interest in the effective delivery of information and services to you, and the effective and lawful operation of our businesses
- Our legitimate interest in developing and improving our website, and your user experience
EY accepts nominations for the EY Entrepreneur Of The Year™ program via our website. Personal data, including financial data, is required of the nominee and he or she must sign the nomination form. Nomination forms are provided to the program sponsors, and independent national and regional panels of judges in order to select award recipients.
The EY Entrepreneur Of The Year™ global system contains a separate privacy notice. We encourage individuals participating in our Entrepreneur Of The Year™ program to refer to the privacy notice available on that system.
When you engage us to provide you with professional services, we collect and use personal data when we have a valid business reason to do so in connection with those services. For an overview of our services, click here .
In the context of providing professional services to clients, EY also processes personal data of individuals who are not directly our clients (for example, employees, customers or suppliers of our clients). See the section “Individuals whose personal data we obtain in connection with providing services to our clients ” for additional information.
The majority of the personal data we collect and use to provide our services is supplied voluntarily by (or collected by us from sources at the request of) our clients. Because of this, if you are a client of EY, then it will generally be obvious to you what personal data we collect and use. This information can include:
- Basic information, such as your name, the company you work for, your position and your relationship to a person
- Contact information, such as your postal address, email address and telephone numbers
- Financial information, such as payment-related information
- Any other personal data relating to you or other third parties which you provide to us for the purpose of receiving our services
We use this information:
- To provide services to you
- To administer our relationship and maintain contractual relations
- For accounting and tax purposes
- For marketing and business development
- To comply with our legal and regulatory obligations
- To establish, exercise or defend legal rights
- For historical and statistical purposes
Given the diversity of the services we provide, we process many categories of personal data. Please see below examples of personal data categories for our four main service lines:
In providing assurance services, EY will process information that contains personal data, such as payroll files, board records and other documents attributable to the audit client's and any group companies' activities. Examples of categories of personal data that are processed are:
- Contact details, such as name, address, telephone numbers and email address
- Details of employment, such as employment number, employment department, role and employment time
- Leave of absence or parental leave
- Trade union membership
- Personal identity number
- Information on financial conditions, such as bank account information, salary details and other benefits, insurance data and the license plate number of a company car
- Information on insurances and occupational pensions
- Other categories of personal data needed for conducting the audit in accordance with good auditor’s and auditing standards
Examples of personal data categories processed by EY tax client engagement teams are:
- Personal details for the individual client and their family members, including names, addresses and demographic, contact information, dates of birth, and tax identifiers, including social security numbers and email addresses
- Personal details for the individual client’s delegates, including names, contact information and email addresses
- Tax return files: liability, dates produced and sent, and comments on tax returns
- Tax equalization data: liability, dates produced, settlement amounts and taxes paid
- Organizers used for collecting the individual taxpayer’s (and if required, their family members’) country-specific personal income tax information, education, employment, medical, legal history and other data that is required in rendering services
- Compensation data from employers; sourcing of income based on assignment and travel calendar data
- Current, past or future travel information for the individual, including locations visited and workday activities that occurred in each location
- Documents, such as tax returns, assignment letters, immigration documents, audit requests from taxing authorities, and official and personal documents (birth certificates, marriage licenses, education documentations and degrees, and passport copies)
- Financial reporting oversight role (FROR) questionnaires, indicating employment status, employer and job description
- Company-specific information: HR contact persons of company clients and department designation
- Sending data: Information on current working and living conditions, including country and place of posting, employer's department for financing wage/salary and posting costs
- Immigration data: work permit questionnaires, status of work permit, copy of application form, copy of work permit, copy of visa, copy of passport and other immigration documents
In providing advisory services, EY processes a wide variety of information, including potentially all types of personal data. The scope depends on the service and the sector in which the EY member firm’s client is active. For example, providing cybersecurity services for a bank involves the processing of different types of personal data than helping a client in the pharmaceutical sector build a better way of tracking health outcome data.
Examples of personal data categories received or processed by Advisory client engagement teams are:
- Contact details, such as name, address, telephone numbers and email address
- HR and supplier records of clients, which include personal details of employees or suppliers of the client, such as name, contact details, date of birth, race, government identification numbers, employment contracts and service contracts
- Financial data, such as wage and salary information, pension and retirement benefits information, and bank account numbers
- Health information about individuals receiving specific drugs or treatments
- Personal data of employees affected by outsourcing
- Customer data, including race or gender during a customer experience engagement
Several personal data is processed by the Client Engagement teams EY Transaction Advisory Services client engagement teams. These include information about buyers and actual or potential target companies, which primarily includes personal information about management and key employees, such as:
- Salara data
- Employment contracts
- Information on pension and other retirement provisions
- Entries in accident books
- Client lists
- Consumer contracts
- Company register
In addition, we also process identification and background information as part of our client acceptance, finance, administration and marketing processes, including audit independence, anti-money laundering, conflicts, reputational and financial checks, and to fulfill any other legal or regulatory requirements to which we are subject.
The checks could include the following:
- Identity verification: proof of name and address
- Ultimate beneficial ownership of corporate and other legal entities
- Conflicts checks: to avoid a conflict of interest with any other client
- Anti-money laundering, proceeds of crime and terrorist financing checks
- Politically exposed persons (PEP) checks: those with prominent roles in government, judiciary, courts, central banks, embassies, armed forces and state-owned enterprises, including their family members and close associates
- Adverse media checks
- Government sanctions list checks
- Independence checks
These checks are made for legal, regulatory or business reasons and need to be repeated during the course of our engagement. As part of these checks, we are required to process special category data (for example, to verify if you are a politically exposed person or to collect information about criminal convictions where this is required for anti-money laundering laws). It is important you provide us with all necessary information and documents as this affects our ability to provide services to you.
Legal grounds for processing personal data of our clients are:
- Performance of a contract
- Compliance with a legal or regulatory obligation
- Our legitimate interest in providing you with seamless, consistent, high-quality services and securing prompt payment of any fees, costs and debts in respect of our services
- Our legitimate interest in understanding any conflict of interest or challenge with regard to independence legislation
- Our legitimate interest in safeguarding EY against inadvertently dealing with the proceeds of criminal activities or assisting in any other unlawful or fraudulent activities (for example, terrorism)
As part of the professional services EY provides to clients, EY processes personal data of individuals with whom we do not have a direct (contractual or other) relationship. For example, if we perform a statutory audit, our engagement team will be required to audit our client’s books, which could include payroll data for employees of the client, supplier data, financial administration, data regarding claimants and legal proceedings. To take another example: if we undertake a due diligence review of an acquisition of a target on behalf of a client, EY obtains personal data concerning the target’s employees, management and customers.
We seek confirmation from our clients that they have the authority to provide personal data to us in connection with the performance of the services and that any personal data they provide to us has been processed in accordance with applicable law.
Given the diversity of services we provide, we process many categories of personal data such as:
- Personal details (such as name, age, data of birth, gender, marital status and country)
- Contact details (such as phone numbers, email address and postal address)
- Financial details (such as salary, payroll, income, investments, benefits and tax status)
- Employment details (such as role, rank, experience, performance data and employment numbers)
For certain services, we also process special category data. For example, in certain countries performing tax return services involves the processing of details of payments made by our client, his or her spouse and dependents with respect to a trade union membership, to a political party, for medical treatments or to a religious charity. Such data is collected intentionally and will be used only where necessary in connection with the provision of the service for which the data was collected, such as determining the correct taxation of our client’s income and for claiming the correct tax deduction with respect to such payments.
Legal grounds for processing personal data of individuals whose personal data we obtain in connection with providing services to our clients are:
- Compliance with a legal or regulatory obligation
- Our legitimate interest in making sure our clients are provided with seamless, consistent and high-quality services worldwide
- Improvement of processes and communication within the scope of operational audits
Once a company undergoes an insolvency, one or more EY insolvency practitioners (i.e., administrators and liquidators) could be appointed to manage the company’s affairs, business and property. Similarly, when a debtor is subject to insolvency or a restructuring regime, one or more EY insolvency practitioners could be appointed to manage the debtor’s affairs, business and property.
In this section the terms listed below have the following meanings:
- Office holder refers to the EY insolvency practitioners.
- Company refers to the insolvent entity for which the office holders have been appointed.
- Debtor refers to the individual who is subject to an insolvency or restructuring regime.
- “You” refers to the data subjects concerned by the insolvency procedure of the company or debtor.
In providing insolvency services, EY processes your personal data for the legitimate interests of assisting the office holders in the performance of their legal and regulatory obligations with regard to the insolvency procedures. For clarity purposes, the company or debtor remains data controller of your personal data processed for purposes that are not related to the legal and regulatory obligations of the office holders.
Most of the personal data we process is obtained from you directly, but we also indirectly obtain personal data about you.
The office holders and EY process your personal data for the following (non- exhaustive) purposes:
- Communicating with the company or debtor’s creditors and individual creditors: specific information essential in order to carry out statutory duties (this information is to be used to assess, for example, an entitlement to any dividend should one be payable)
- Provision of references or reports to government departments, regulatory authorities and appropriate bodies in connection with the holding of public office or responding to requests
- Provision of statutory returns
- Case administration purposes, including the realization of assets, agreement of claims and payment of distributions
- Processing for personal purposes of employees in accordance with the law and the company’s own policies
- Administration of payroll, raising invoices, credit control and other data relating to the company’s finances
- The reasonable and lawful provision of information to interested parties
- The prevention and detection of crime or fraud
- Establishing, exercising or defending legal rights, taking legal advice, taking or defending legal proceedings
- Complying with legal obligations to which the company or debtor is subject
- Quality and risk management purposes
The types of personal data processed for the above purposes include (but are not limited to) name, address, identifying information, payroll information, as well as any information with your dealings with the company or debtor that are necessary for the performance of the office holders’ statutory obligations during the insolvency procedure.
You have certain rights in relation to your personal data. If you have a query or wish to exercise your rights, please make a written request to the party responsible for your personal data (the company, debtor or the office holder) using the contact details provided in communications about the insolvency.
We process personal data about contacts (former, existing and potential clients and individuals employed by, or associated with, such clients and other business contacts, such as alumni, consultants, regulators and journalists) in our CRM systems. These CRM systems support the marketing operations of EY. Contacts in our CRM systems will be sent EY Thought Leadership materials, newsletters, marketing materials, learning opportunities, surveys and invitations to events.
In our CRM systems, we process the following categories of personal data:
- Name, job title, address, email address, phone and fax numbers
- Name of employer or organization the individual is associated with
- Marketing preferences
- Invitation responses and event attendance confirmations
We do not intentionally collect sensitive category data, unless you provide us with such data (for example, special dietary requirements which reveal your religious affiliation or any food allergies), if you attend one of our events.
Legal grounds for processing personal data of business contacts are:
- Explicit consent of the business contact
- Our legitimate interest in managing the relationship with our business contacts and providing information about EY, our services and events we organize
We process personal data about participants in EY meetings, conferences, events and learning sessions (events). We use various applications to manage event registration processes, which applications will contain their own privacy notices explaining why and how personal data is collected and processed by these applications. We encourage participants to refer to the privacy notices available on those applications.
For a general overview of how we process your personal data in connection with our events, please refer to our event data protection declaration.
We provide external users access to various applications managed by us (such as the EY Client Portal). In instances where such applications process personal data that goes beyond basic contact information used for application authentication purposes, such applications will contain their own privacy notices explaining why and how personal data is collected and processed by those applications. We encourage individuals using our applications to refer to the privacy notices available on those applications.
EY uses various social media platforms, for example, for recruitment or marketing purposes. We use social media to provide you with easy access to relevant information regarding job opportunities at EY and events we organize, and to promote our services and brand.
While EY will be responsible for the content it publishes using social media platforms, EY will not be responsible for managing the social media platforms (such as creating user statistics or placing cookies). When using these social media platforms, you are obliged to adhere to the legal and privacy terms imposed by the social media platform providers. Such providers collect personal data about you, including statistical and analytical data regarding your use of the social media platforms, such as an overview of pages you have accessed, “likes,” recent visits, posts you publish or find interesting.
If you require access to such data or want to invoke one of your other rights (such as the right to object to the processing of your data), you should contact the social media platform provider. Some social media providers provide EY with aggregate data relevant for our pages, such as the amount of “likes” triggered by our content or the amount of posts, visitors to ourweb sites, photos that are downloaded or links that are clicked.
On our website, we implement so-called social media plugins. When you visit a page that displays one or more of such buttons, your browser will establish a direct connection to the relevant social network server and load the button from there. At the same time, the social media provider will know that the respective page on our website has been visited. We have no influence on the data that the social media providers collect on the basis of the buttons. If you wish to prevent this, please log out of your social media accounts before visiting our website. Social media providers set cookies as well, unless you have disabled the acceptance and storage of cookies in your browser settings.
Our website includes plugins for the social network, Facebook. The Facebook plugins can be recognized by the Facebook logo or by the like button on our websites. For an overview of Facebook plugins, click here.
Our website contains functions of the Instagram service.
If you are logged into your Instagram account, you can click the Instagram button to link the content of our pages with your Instagram profile. This means that Instagram can associate visits to our pages with your user account. If you are not yet logged into your Instagram account, clicking an Instagram button will show you the Instagram login page for you to enter your login credentials. We expressly point out that we receive no information on the content of the transmitted data or its use by Instagram.
Our website uses plugins from YouTube, which is operated by Google.
If you visit one of our pages featuring a YouTube plugin, it is a connection to the YouTube servers. Here, the YouTube server is informed about which pages you have visited.
If you’re logged in to your YouTube account, YouTube allows you to associate your browsing behavior directly with your personal profile. You can prevent this by logging out of your YouTube account. If you are not yet logged in, clicking a YouTube button will show you the YouTube login page for you to enter your login credentials.
LinkedIn Lead Gen Forms
EY uses LinkedIn Lead Gen Forms for EY sponsored content, and sponsored LinkedIn InMails for recruitment and marketing campaigns. Once LinkedIn members click on EY advertisement, they will see a form that is pre-filled with information from their LinkedIn profile, such as their name, contact information, company name, seniority, job title and location. As soon as a LinkedIn member submits a lead form, they will be connected to EY.
Our site uses the Google Maps map service via an application programming interface (API).
To use Google Maps, it is necessary to save your IP address. This information is generally translated to a Google server in the United States and stored there. We have no influence on this data transfer.
Legal grounds for processing personal data of visitors to our social media pages, and the use of social media plugins and tools are:
- Our legitimate interest in promoting EY services and brand
- Our legitimate interest in attracting, identifying and sourcing talent
- Our legitimate interest to improve your website experience and to optimize our services
EY uses a variety of tools to maintain the security of our IT infrastructure, including our email facilities. Examples of such tools are:
- Systems that scan incoming emails to EY recipients for suspicious attachments and URLs, in order to prevent malware attacks
- Tools that provide end-point threat detection to detect malicious attacks
- Tools that block certain content or websites
If you correspond via email with an EY recipient, your emails will be scanned by the tools EY operates to maintain the security of its IT infrastructure, which could result in content being read by authorized EY persons other than the intended recipient.
Legal grounds for processing personal data of individuals who correspond with EY via email:
- Our legitimate interest in protecting our IT infrastructure against unauthorized access or data leakage
- Our legitimate interest in analyzing email traffic
If you apply for a job at EY, your data will be processed to check and process your application. Please note that depending on the country in which you apply, different information is required. In general, the data, information that we receive about CVs, certificates and other documents. Further data is collected if you provide it directly to us or if a legal requirement exists.
Your personal data will only be processed by the responsible specialist departments for the purpose of carrying out the application procedure. For further information, please refer to our data protection declaration for the application procedure
Depending on the country in which you apply, EY collects personal data about candidates (“you”) from the following sources:
- Directly from you – for example, information that you have provided when applying for a position directly through the EY careers website (for additional information about the processing of your personal data via our global recruitment management system, please read the data privacy statement available in this system)
- From recruitment agencies – for example, when a recruitment agency with your details contacts us to suggest you as a potential candidate
- Through publicly available sources online – for example, where you have a professional profile posted online (e.g., on your current employer's website or on a professional networking site, such as LinkedIn)
- By reference – for example, through a reference from a former employee or employer, or from a referee you have identified
- Results of background screening checks
Legal grounds for processing personal data of our job applicants are:
- Our legitimate interest to hire and onboard candidates by making an offer to successful candidates
- Compliance with a legal or regulatory obligation (when carrying out background checks to warrant a candidate is eligible to work)
EY hopes to maintain a lifelong, mutually beneficial relationship with EY alumni (former member firm partners and employees). If we invite you to our alumni community, your name, contact details, role, last EY office, rank, service line and country will be used to create a record for you in one of our alumni databases.
We process personal data about our suppliers (including subcontractors, and individuals associated with our suppliers and contractors) in order to manage our contract and to receive services from our suppliers.
The personal data we process is generally limited to contact information (name, name of employer, phone, email and other contact details) and financial information (payment-related information).
In addition, we also use data about our suppliers to check whether we have a conflict of interest or audit independence restriction to appointing a supplier.
Legal grounds for processing personal data of our suppliers are:
- Performance of a contract
- Compliance with a legal or regulatory obligation
- Our legitimate interest in managing payments, fees and charges, and to collect and recover money owed to EY
EY/Ethics provides EY people, clients and others outside of EY with a means to confidentially, and either anonymously or on a disclosed basis, report an activity that involves unethical or illegal behavior that is in violation of professional standards or otherwise inconsistent with our EY Global Code of Conduct. Reports can be made either online or via a telephone hotline.
EY/Ethics contains its own privacy notice and consent form which describes the practices EY follows in relation to EY/Ethics. We encourage individuals using EY/Ethics to refer to this EY/Ethics notice and consent form.
When you visit an EY office, we process your personal data in order to provide you with certain facilities (such as access to our buildings and conference rooms or Wi-Fi), to control access to our buildings, and to protect our offices, personnel, goods and confidential information.
The personal data we collect is generally limited to your name, contact information, location, and the time you enter and leave our office.
Visitor records and access badges
We require visitors to our offices to sign in at reception and we keep that record of visitors for a short period of time. Visitors to our offices are provided with a temporary access badge to access our offices. Our visitor records will be used to verify that access badges are returned, to look into a security incident and for emergency purposes (for example, if an office needs to be evacuated).
We monitor and log the traffic on our Wi-Fi networks to ensure the security of our network and to prevent and prosecure violations by users.
EY member firms operate in more than 150 countries across the globe. Certain aspects of the EY infrastructure are centralized, including information technology services provided to member firms. In addition, where engagements with EY clients span more than one jurisdiction, certain information will need to be accessed by all those within the EY organization who are working on the matter. Therefore, your personal data will be transferred to and stored outside the country in which you are located. This includes countries outside the European Economic Area (EEA) and countries with laws that have not necessarily been determined to provide an adequate level of protection for the processing of personal data under the laws of the EU or other jurisdictions.
We take appropriate security and legal precautions to safeguard the safety and integrity of personal data that is transferred within the EY organization. EY has implemented binding corporate rules (BCRs) that allow for global transfers within the EY organization of personal data originating in the EEA in accordance with applicable European privacy laws. The BCRs require all EY entities worldwide to use the same standards of protection for personal data.
You can access our BCRs here.
Ernst & Young LLP, US, and its affiliated US entities, adheres to the EU-US and Swiss-US Privacy Shield Frameworks published by the US Department of Commerce. To learn more, see Ernst & Young LLP’s Privacy Shield Data Privacy Statement.
Your personal data will also be processed by EY support providers that support our internal ancillary processes. For more information, click the section “Support providers”.
We transfer or disclose the personal data we collect to external support providers (and their subsidiaries and affiliates) who are engaged by us to support our internal ancillary processes. For example, we engage support providers to provide IT functions such as identity management, hosting, data analyses, data storage, security and cloud storage services and as well as the archiving and safe disposal of our files and documents in paper form.
It is our policy to only use third-party support providers that are bound to maintain appropriate levels of data protection, security and confidentiality, and that comply with any applicable legal requirements for transferring personal data outside the jurisdiction in which it was originally collected. For data collected in the EEA or which relates to data subjects in the EEA, EY requires an appropriate transfer mechanism as necessary to comply with applicable law.
Use of Service Providers
Information on the use of service providers
When performing client engagements, EY may call on the services of other members of the global network of Ernst & Young firms (“EY member firms” – a list of locations of EY member firms can be found at www.ey.com) as well as external service providers and IT service providers including external data storage (cloud services).
Where necessary, EY ensures all service providers used in rendering our services undertake to maintain professional secrecy and comply with data protection requirements. If EY uses service providers outside of the European Union, EY will ensure an adequate level of data protection.
We draw your attention to the fact that the following list of service providers and IT service providers may change.
To ensure our client engagements are performed efficiently, EY engages the following service providers:
- GDS Shared Service Center
The GDS Shared Service Centers are distinct and separate service entities and members of the global network of Ernst & Young firms. The GDS Shared Service Centers render client-specific assurance, tax, advisory and TAS services as well as general technical and administrative support. The GDS Shared Service Centers are located in:
- IT Service providers
In the course of providing our advisory services, EY uses the following IT service providers:
- EY Global Services Limited
EY Global Services Limited operates EY’s global data center infrastructure with locations in Germany, the US and Singapore.
EY engages BMD as an IT service and software provider for rendering our tax advisory services. BMD, with its registered office in Steyr, Austria, uses only German data centers to store data.
CapGemini is a global consulting and IT services firm with its registered office in Paris, France, and data centers across Europe which EY uses in connection with technology services.
- Cognizant Technology Solutions
Cognizant Technology Solutions Corporation is a US IT services provider with its registered office in Teaneck, USA. Data are stored in data centers in the US.
- Hexaware Technologies
Hexaware Technologies Limited is a service provider specializing in IT and business process outsourcing with its registered office in Navi Mumbai, India, and global data centers.
Microland is an Indian IT company with its registered office in Bangalore, India, focusing on Digital Networks, Digital Computing, Digital Application, Digital Workplace and Cyber Security with global data centers.
- Tata Consultancy Services (TCS)
TCS is a global provider of IT services, advisory services and business solutions with its registered office in Mumbai, India, and global data centers.
- EY Global Services Limited
- Cloud service providers
In the course of providing our advisory services, EY uses the following service providers (among others) for IT infrastructure and cloud computing services:
- Telekom Deutschland GmbH (Open Telekom Cloud/Sealed Cloud)
The Open Telekom Cloud offers computing functions (virtual server types with different computing powers), storage functions (virtual volume storage and object storage) and network functions (virtual network Services). EY uses Sealed Cloud for fully encrypted data and file transfers. Both cloud systems are provided in German data centers of the Deutsche Telekom AG Group.
- T-Systems International GmbH (Microsoft Azure Deutschland)
T-Systems International is an independent German subsidiary of Deutsche Telekom AG. The Trusted Telekom Cloud data custodian model provides more extensive control over client data with no automatic access for Microsoft. T-Systems provides the Data Trustee Cloud internationally in German data centers.
- Microsoft (Azure Cloud, Office365 Cloud)
EY uses Microsoft, with its registered office in Remond, USA, and global data centers as a provider of comprehensive cloud computing services. Ireland and the Netherlands are used as primary data centers for data storage.
- Amazon Web Services (AWS)
EY uses AWS with its registered office in Seattle, USA, and global data centers as a provider of cloud computing services. Data centers in Europe are used as primary data centers for data storage.
- International Business Machines Corporation (IBM)
IBM with its registered office in Armonk, USA, is an IT consulting and software engineering company with global data centers and is used by EY as a software and cloud computing provider.
Rackspace is a web hosting company with its registered office in San Antonio, USA, and global data centers and is used by EY for IT infrastructure.
- Telekom Deutschland GmbH (Open Telekom Cloud/Sealed Cloud)
- Software-as-a-service providers
To provide and optimize advisory services, EY uses the following software providers, among others:
LexisNexis is a commercial host specializing in IT and technology solutions with its registered office in Dayton, USA, and is used by EY as a provider of databases with legal information.
Oracle is a manufacturer of software and hardware with its registered office in Redwood City, USA. EY uses Oracle as a software provider.
SAP is a software provider with its registered office in Walldorf, Germany. EY uses SAP as a software provider.
- Service Now
Service Now with its registered office in Santa Clara, USA, is a global cloud computing company that EY uses as a global IT service provider for IT infrastructure maintenance.
Tableau Software with its registered office in Seattle, USA, is a manufacturer of a visualization software that can be used to visualize data and for reporting.
- Thomson Reuters
Thomson Reuters with its registered office in Toronto, Canada, is used by EY as a provider of information databases in the areas of assurance, tax advisory services and legal.
- Wolters Kluwer
Wolters Kluwer is an information provider with its registered office in Alphen aan den Rijn, Netherlands, and is used by EY as a provider of specialist information and software.
- GDS Shared Service Center
EY discloses your personal data:
- Where this is appropriate for the purposes described in the section “Purposes for which we process personal data,” including within the EY organization itself
- If required, by applicable law
- In connection with a reorganization or combination of our organization with another organization
- If we believe that such disclosure is appropriate to enforce or apply terms of engagement, and other agreements or otherwise protect and defend EY rights, property or safety
- In order to comply with a judicial proceeding, court order or other legal obligation, or a regulatory or government inquiry or
- With your consent
We would like to draw particular attention to the fact that in certain jurisdictions, EY has a legal obligation to report suspicious transactions and other activity to relevant regulatory authorities under anti-money laundering, terrorist financing, insider dealing or related legislation. EY also reports suspected criminal activity to the police and other law enforcement bodies. We are not always permitted by the law to inform you about this in advance of the disclosure, or at all.
Third-party recipients of personal data include:
- Professional advisors, such as law firms, tax advisors or auditors
- Audit regulators
- Tax and customs authorities and consumption tax authority
- Regulatory and other professional bodies
- Stock exchange and listing authorities
- Public registries of company directors and shareholdings
- Providers of identity verification services
- The courts, police and law enforcement agencies
- Government departments and agencies
- Service providers
EY protects the confidentiality and security of information you collect in the course of your business. Access to such information is limited, and policies and procedures are in place that are designed to safeguard the information from loss, misuse and improper disclosure.
Additional information regarding our approach to data protection and information security is available in our Protecting your data brochure.
We maintain the accuracy and completeness of the personal data we hold. It is important that you inform us of any updates to your contact details or other personal data so that we have the most up-to-date information about you. Please contact the person you usually deal with at EY. You can also contact our data protection team.
We store personal data only as long as it is necessary for the purposes described in the section "Purposes for which we process personal data". Please note that the retention periods vary from country to country and are determined in accordance with local legal and professional retention requirements.
In order to meet our professional and legal requirements, to establish, exercise or defend our legal rights, and for archiving and historical purposes we need to retain information for significant periods of time.
The duration of the legally stipulated retention periods can, for example, result from the following laws: WTBG, BAO, UGB, UStG, GewO. The retention periods vary in length and in justified individual cases (e.g. preservation of evidence) the retention period can also be longer (for example, in the case of limitation periods of up to 30 years; the regular limitation period is seven years). If the data concerned are subject to different retention periods, the longest retention period in each case is decisive.
We will occasionally update this privacy notice to reflect changes in our practices and services. When we post changes to this privacy notice, we will revise the “last updated” date at the top of this privacy notice. If we make any material changes in the way we collect, use, and share personal data, we will notify you by prominently posting notice of the changes on the website. We recommend that you check this page from time to time to inform yourself of any changes in this privacy notice.
Our Site is not intended for use by minors under the age of sixteen (16) years. EY does not knowingly collect, disclose, or sell the personal data of minors under 16 years of age. If you are under 16 years old, please do not provide any personal data even if prompted to do so. If you believe that you have inadvertently provided personal data, please ask your parent(s) or legal guardian(s) to notify us and we will delete your personal data.
The following EY policies provide additional information on EY’s privacy practices:
- For transfers of personal data between EY Network entities, see the EY Binding Corporate Rules Program.
- For California residents, see the ey.com California Privacy Statement.
- For information about how Ernst & Young LLP and its affiliated US entities adhere to the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework, see the Ernst & Young LLP Privacy Shield Privacy Statement.