1. Introduction
This Consent Acknowledgement is intended to describe the practices EY follows in relation to Qualtrics CoreXM (“Tool”) with respect to the privacy of all individuals whose personal data is processed and stored in the Tool. This Consent Acknowledgement should be read together with the ey.com Privacy Statement, and in case of any conflict with the ey.com Privacy Statement, the terms of this Consent Acknowledgement will prevail. Please read this Consent Acknowledgement carefully.
2. Who manages the Tool?
“EY” refers to one or more of the member firms of Ernst & Young Global Limited (“EYG”), each of which is a separate legal entity and can determine the purposes and means for data processing in its own right (i.e. act as a data controller or in a similar capacity) . The entity that is acting as data controller (or similar capacity) by providing this Tool on which your personal data will be processed and stored is EY Global Services Limited. EY Global Services Limited licenses the Tool from Qualtrics, 400 West Qualtrics Drive, Provo, United States UT 84606.
The personal data in the Tool is shared by EY Global Services Limited with one or more member firms of EYG (see “Who can access your personal data” section 6 below).
The Tool is hosted on the servers in Frankfurt by Qualtrics.
3. Why do we need your personal data?
The Tool provides an enterprise-wide survey tool to serve a variety of needs for data collection throughout the EY organization, allowing EY employees, contractors, and any individual with an EY email address to create and send surveys to internal and external responders to gather data required for business purposes.
Your personal data processed in the Tool is used as follows: survey authors will process information received in response to feedback requests into relevant presentations for clients or for internal purposes. Data will be aggregated and anonymized when processed for these presentations.
EY relies on the following basis to legitimize the processing of your personal data in the Tool: processing of your personal data is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. The specific legitimate interest(s) are conducting client engagements, and learning and events registration and management.
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you based on the above legitimate interest(s).
4. What type of personal data is processed in the Tool?
The Tool processes these personal data categories:
- For EY survey authors, the Tool will process the author’s full name and EY email address
- For internal EY survey respondents, the Tool will process the respondent’s full name, EY email address, rank, Global personnel Number (GPN), and office location
- For external respondents such as clients, potential clients, suppliers or other stakeholders, the Tool will process the respondent’s email address in a restricted survey
- For any respondent, data entered as responses in the Tool will also be processed
This data is sourced from: EY partners, employees or contractors, clients and any other survey recipients.
5. Sensitive personal data
Sensitive personal data reveals your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning sex life or sexual orientation.
EY does not intentionally collect any sensitive personal data from you via the Tool. The Tool’s intention is not to process such information.
6. Who can access your personal data?
Your personal data is accessed in the Tool by the following persons/teams:
- EY personnel have access to the data in the surveys they have created or have been granted access to.
- Five Brand Admins located in the US and India have full access to the tool for the purposes of: implementing and maintaining the application with standard configurations; defining templates and metadata; and configuring the question bank and logic for branching that is usable by all. These Admins will arrange for EY personnel to have access to the tool and register users for access and control permissions/rights.
- Survey authors who are located globally have read, write, edit and delete access (depending on the data type) for the purposes of: creating surveys; extending invitations to responders; managing and controlling access to surveys; corresponding results; and creating reports based on results.
- Survey responders (internal EY users and EY clients who are invited to respond anonymously to surveys) who are located globally have read, write and edit access to their own responses to the survey for the purposes of submitting their own survey responses.
- Vendor personnel located in USA, Ireland, Poland and Australia will have limited read, write, edit and delete access when providing support to the system such as reviewing and correcting any issues.
The access rights detailed above involves transferring personal data in various jurisdictions (including jurisdictions outside the European Union) in which EY operates (EY office locations are listed at www.ey.com/ourlocations). An overview of EY network entities providing services to external clients is accessible here (See Section 1 (About EY) - “View a list of EY member firms and affiliates”). EY will process your personal data in the Tool in accordance with applicable law and professional regulations in your jurisdiction. Transfers of personal data within the EY network are governed by EY’s Binding Corporate Rules.
We transfer or disclose the personal data we collect to third-party service providers (and their subsidiaries and affiliates) who are engaged by us to support our internal ancillary processes. For example, we engage service providers to provide, run and support our IT infrastructure (such as identity management, hosting, data analysis, back-up, security and cloud storage services) and for the storage and secure disposal of our hard copy files. It is our policy to only use third-party service providers that are bound to maintain appropriate levels of data protection, security and confidentiality, and that comply with any applicable legal requirements for transferring personal data outside the jurisdiction in which it was originally collected.
To the extent that personal data has been rendered anonymous in such a way that you or your device are no longer reasonably identifiable, such information will be treated as non-personal data and the terms of this Consent Acknowledgement will not apply.
For data collected in the European Economic Area (EEA) or which relates to individuals in the EEA, EY requires an appropriate transfer mechanism as necessary to comply with applicable law. The transfer of personal data from the Tool to the system vendor and client personnel is governed by an agreement between EY and the service provide or client that includes standard data protection clauses adopted by the European Commission
7. Data retention
Our policy is to retain personal data only for as long as it is needed for the purposes described in the section “Why do we need your personal data”. Retention periods vary in different jurisdictions and are set in accordance with local regulatory and professional retention requirements.
In order to meet our professional and legal requirements, to establish, exercise or defend our legal rights and for archiving and historical purposes, we need to retain information for significant periods of time.
The policies and/or procedures for the retention of personal data in the Tool are defined by: the EY Records Retention Global Policy, the relevant Country Retention Schedule and, for log data, the EY IT Logging Policy.
After the end of the data retention period, your personal data will be deleted.
8. Security
EY protects the confidentiality and security of information it obtains in the course of its business. Access to such information is limited, and policies and procedures are in place that are designed to safeguard the information from loss, misuse and improper disclosure. Additional information regarding our approach to data protection and information security is available in our Protecting your data brochure.
9. Controlling your personal data
EY will not transfer your personal data to third parties (other than any external parties referred to in section 6 above) unless we have your permission or are required by law to do so.
You are legally entitled to request details of EY’s personal data about you.
To confirm whether your personal data is processed in the Tool or to access your personal data in the Tool or (where applicable) to withdraw your consent, contact your usual EY representative or email your request to global.data.protection@ey.com.
10. Object, rectification, erasure, restriction of processing or data portability
You can confirm your personal data is accurate and current. You can object to the processing of your personal data or request rectification, erasure, restriction of processing or a readily portable copy of your personal data by contacting your usual EY representative or by sending an e-mail to global.data.protection@ey.com.
11. Complaints
If you are concerned about an alleged breach of privacy law or any other regulation, contact EY’s Global Privacy Leader, Office of the General Counsel, 6 More London Place, London, SE1 2DA, United Kingdom or via email at global.data.protection@ey.com or via your usual EY representative. An EY Privacy Leader will investigate your complaint and provide information about how it will be handled and resolved.
If you are not satisfied with how EY resolved your complaint, you have the right to complain to your country’s data protection authority. You can also refer the matter to a court of competent jurisdiction.
Certain EY member firms in countries outside the European Union (EU) have appointed a representative in the EU to act on their behalf if, and when, they undertake data processing activities to which the EU General Data Protection Regulation (GDPR) applies. Further information and the contact details of these representatives are available here.
12. Contact us
If you have additional questions or concerns, contact your usual EY representative or email global.data.protection@ey.com.
