Privacy statement

December 2023

Introduction

This Privacy statement explains how EY collects and uses personal data and describes the rights you have with respect to your personal data.

In this Privacy statement, “EY,” “our”, “we” or “us” refers to the global organization of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity, or refers to one or more of those member firms. The EY firms and affiliates are listed here.

The data controller collecting and processing the personal data provided by a visitor to Our Sites (see list of our Sites at the end of this Privacy statement) is the EY member firm to which Our Site relate or a member firm providing professional services to you or otherwise process your personal data as described in more detail below (see the list of EY member firms and affiliates.

In this Privacy statement, personal data means any information which relates to an individual and which identifies that individual, either directly or indirectly, such as your name or your contact information. You can find more information under section “What data is covered?” below. 

Certain EY member firms in countries outside the European Union (EU) have appointed a representative in the EU for the purpose of compliance with the EU General Data Protection Regulation (GDPR). Further information and the contact details of these representatives are available here.

If you have any questions or want to use your Data Subject rights under the EU General Data Protection Regulation (GDPR) regarding the processing of your personal data, you can contact the data protection officer for the Nordics through this link: contact us.

More contact details are set out at the end of this Privacy statement.

EY processes personal data for a variety of purposes. EY is in most cases deemed to be the Controller of the personal data unless otherwise stated. We collect personal data directly from you, for example, if you engage us to prepare your tax return, if you visit Our Site, if you submit your contact details to receive marketing communications from us or submit a job application via the EY careers website. Alternatively, we process your personal data in the context of providing professional services to your employer or service provider, for example, conducting an audit of your bank or provide payroll services for the company you work for. Finally, we may obtain your personal data via publicly available sources, such as LinkedIn. This privacy statement is intended to cover all of the above-mentioned scenarios.

In our index below you will find more detailed information regarding various purposes for which we process personal data. Click on the tile ”Purposes for which we process your personal data”, where you will find more information relating to the areas listed below.

  • Visitors to Our Site
  • Entrepreneur Of The YearTM
  • Clients
  • Individuals whose personal data we obtain in connection with providing services to our clients
  • Insolvency services
  • Contacts in our customer relationship management (CRM) systems
  • Marketing
  • Participants of EY meetings, conferences, events and seminars and webinars
  • Individuals who use our applications
  • Individuals who visit our social media sites, social media plugins and tools
  • Individuals who correspond with EY via email
  • Individuals who correspond with EY via voicemail services
  • Job applicants
  • Alumni
  • Suppliers
  • EY/Ethics
  • Visitors to EY offices

If you have any questions regarding the processing of your personal data or wish to contact the data protection officer of an EY member firm, please contact the data protection team in the Nordics who will direct your query to the appropriate person or team within the organization.

  • What data is covered?

    In this privacy statement, “personal data” means any information relating to an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier. Personal data also refers to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of an individual. 

    Personal data may also include special categories of personal data (sensitive personal data) from which we can determine or infer an individual's

    • Racial or ethnic origin
    • Political opinions
    • Religious or philosophical beliefs
    • Membership of a trade union
    • Genetic data
    • Biometric data
    • Physical or mental health or condition
    • Sex life or sexual orientation

    In addition, personal data relating to criminal convictions and offenses may be processed, but only where legally permissible under applicable laws.

  • Your rights in relation to personal data

    You have the following rights in relation to your personal data:

    • To access your personal data held by EY
    • To have your personal data corrected, for example, if it is incomplete or incorrect
    • To restrict or object to the processing of personal data or request erasing personal data (in certain circumstances and subject to applicable law)
    • To receive a copy of the personal data which you have provided to EY, in a structured, commonly used and machine-readable format (known as “data portability”) (in certain circumstances and subject to applicable law)
    • Where you have provided personal data voluntarily, or otherwise consented to its use, the right to withdraw your consent
    • The right to complain to a data protection authority (see section “Complaints ”)

    If you have a query or wish to exercise your rights under GDPR, please contact the person you usually are in touch with at EY or contact the EY data protection team. Please, note that the above-mentioned rights are not absolute, as they may be restricted by legal requirements and/or EY’s legitimate interests. 

  • Complaints

    If you are concerned about a possible breach of privacy law or any other regulation by EY, you can contact the data protection team. An EY privacy leader will investigate your complaint and give you information about how it will be handled.

    You also have the right to complain to the data protection authority in your country or refer the matter to a court of competent jurisdiction.

  • Purposes for which we process personal data

    • Visitors to Our Site

      Personal data that we collect about you when you visit Our Site falls into several categories.

      Registration is not required for you to use Our Site. If you are an unregistered visitor, we do not collect any personal data about you, except to the limited extent, as described below (Information that we collect automatically). 

      Information that you provide voluntarily

      We collect personal data that you provide voluntarily through Our Site, for example, when completing online forms to contact us, subscribing to a newsletter, using one of our online benchmark tools, subscribing to receive marketing communications from us, participating in surveys or registering for events that we are organizing. The information we collect about you may include the following:

      • Name
      • Job title, job level or job function, role
      • Company or organization
      • Company data
      • Contact information, including primary email address, email address and telephone numbers
      • Demographic information, such as industry, country, postcode, preferences and interests
      • Other information relevant to client surveys or similar research
      • Information pertinent to fulfilling our services to you
      • Any other personal data that you voluntarily choose to provide to us

      We do not intentionally collect sensitive personal data about you, unless you provide us with such data. While there may be free text boxes on Our Site where you are able to enter any information, we do not intend to process sensitive personal data.  You are not required to provide, and should not disclose, sensitive personal data in the free text boxes. If you choose to provide any sensitive personal data in this manner, you acknowledge your consent to the collection and processing of such personal data.

      If you register on Our Site, your personal data will be stored in our CRM (client relationship management) system. Data of registrants is deleted after an individual has not actively engaged with EY for 18 months, or sooner if required by law.

      If you have opted out of receiving EY publications, your basic contact details will remain on our opt-out list.

      Information that we collect automatically

      When you visit Our Site, we collect certain personal data automatically from your device. Specifically, the data we collect automatically include information, such as your IP address, device type, unique device identification number, browser type, operating system, broad geographic location (e.g., country or city-level location) and other technical information. We also collect information about how your device has interacted with Our Site, including the pages accessed, current URL, time you visited the site and links clicked. Collecting this information enables us to better understand the visitors who come to Our Site, where they come from and what content on Our Site is of interest to them. We use this information for our internal analytics purposes, and to improve the quality and relevance of Our Site to our visitors. Information will be collected using cookies and similar tracking technology, as explained further in the EY Cookie Policy. Note that if the “Do Not Track” or “Global Privacy Control” setting in your browser is enabled, Marketing/Targeting cookies will be disabled by default.

      Our Site uses Adobe Analytics (“Adobe”) to provide reporting, visualisations and analysis of data. Adobe processes the following types of personal data: your IP address (to populate geo segmentation reports and to identify internal EY and external users accessing Our Site) and user IDs, email addresses, names and passwords to the extent provided directly by visitors of the site. Your personal data will be processed by Adobe for the following purposes: (i) to capture web metrics about the journey of users within Our Site (e.g. pages viewed and links clicked); (ii) to analyze and understand overall site traffic information; (iii) to allow us to make informed decisions about Our Site; and (iv) to authenticate users and permit them to access Our Site. EY Global Services Limited is the data controller for the purposes of this processing and licenses Adobe from Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Saggart, Dublin 24, Ireland, who hosts it in London, United Kingdom. Click here to learn more about Adobe’s privacy practices and to make choices regarding Adobe’s tracking activities.

      Our Site also uses various social media plugins.

      Purposes for which we process your personal data as a visitor to our site are:

      • To administer and manage Our Site, including to confirm and authenticate your identity, and prevent unauthorized access to restricted areas of Our Site
      • To personalize and enrich your browsing experience by displaying content (including targeted advertising) that is more likely to be relevant and of interest to you
      • To analyze the data of visitors to Our Site and site traffic information
      • To analyze the data of visitors to Our Site and site traffic information
      • To determine the company, organization, institution or agency that you work for or with which you are otherwise associated
      • To develop our business and services
      • To provide you with marketing communications, EY Thought Leadership materials and online benchmarking tools
      • To conduct benchmarking and data analysis (for example, regarding usage of Our Site and demographic analyses of visitors of Our Site)
      • To understand how visitors use the features and functions of Our Site
      • To monitor and enforce compliance with applicable terms of use
      • To conduct quality and risk management reviews
      • To enable the better management of EY events, including World Entrepreneur of the Year
      • To enable teams managing events to coordinate their email campaigns and event notifications more effectively
      • To allow for event and webinar sign-up
      • To allow for content download and lead capturing
      • To allow services and information to be delivered effectively to you
      • Any other purpose for which you provided information to EY

      Legal grounds for processing personal data of visitors of our site are:

      • Our legitimate interest in the effective delivery of information and services to the visitor, and the effective and lawful operation of our businesses
      • Our legitimate interest in developing and improving Our Site, and the visitor’s user experience, or
      • Explicit consent of the visitor 
    • Entrepreneur Of The Year

      EY accepts nominations for the EY Entrepreneur Of The Year™ program via Our Site. Personal data, including financial data, is required of the nominee and he or she must sign the nomination form. Nomination forms are provided to the program sponsors, and independent national and regional panels of judges in order to select award recipients.

      Further, some of the information on the nomination form may be used for research, educational, or any other purpose, but we will not divulge the personal identity of the nominee or the identity of the nominee's company to any person other than the sponsors, the judges, and their respective affiliates.

      The EY Entrepreneur Of The Year™ global system contains a separate Privacy Notice. We encourage individuals participating in the EY Entrepreneur Of The Year™ program to refer to the Privacy Notice available on that system, click here.

    • Clients

      When you engage us to provide you with professional services, we collect and use personal data when we have a valid business reason to do so in connection with those services. For an overview of our services, click here.

      In the context of providing professional services to clients, EY also processes personal data of individuals who are not directly our clients (for example, employees, customers or suppliers of our clients). See the section “Individuals whose personal data we obtain in connection with providing services to our clients” for additional information.

      The majority of the personal data we collect and use to provide our services is supplied voluntarily by (or collected by us from third-party sources at the request of) our clients. Because of this, if you are a client of EY, then it will generally be known to you what personal data we collect and use. This information can include:    

      • Basic information, such as your name, the company you work for, your position and your relationship to a person
      • Contact information, such as your email address and telephone numbers
      • Financial information, such as payment-related information
      • Any other personal data relating to you or other third parties which the client/ you provide to us for the purpose of receiving our services

      We use this information for the following purposes, subject to applicable law:

      • To provide services to our clients
      • To administer our relationship and maintain contractual relations
      • For accounting and tax purposes
      • For marketing and business development (only contact information)
      • To comply with our legal and regulatory obligations
      • To establish, exercise or defend legal rights
      • For historical and statistical purposes

      Given the diversity of the services we provide, we process many categories of personal data. Please see below (non-exhaustive) examples of personal data categories for our four main service lines:

      • Assurance

        In providing assurance services, EY will process information that contains personal data, such as payroll files, board records and other documents attributable to the audit client's and any group companies' activities. Examples of categories of personal data that are processed are:

        • Contact details, such as name, address, telephone numbers and email address
        • Details of employment, such as employment number, employment department, role and employment time
        • Health and absence data, e.g., medical certificate and information on sick leave, leave of absence or parental leave
        • Trade union membership
        • Personal identity number
        • Information on financial conditions, such as bank account information, salary details and other benefits, insurance data and the license plate number of a company car
        • Information on insurances and occupational pensions

        Or

        • Other categories of personal data needed for conducting the audit in accordance with good auditor’s and auditing standards
      • Tax

        Examples of personal data categories processed by EY tax client engagement teams are:

        • Personal details for the individual client/client’s employees and their family members, including names, addresses and demographic, contact information, dates of birth, and tax identifiers, including social security numbers and email addresses
        • Personal details for the individual client’s/client’s employees, delegates, including names, contact information and email addresses
        • Tax return files: liability, dates produced and sent, and comments on tax returns
        • Tax equalization data: liability, dates produced, settlement amounts and taxes paid
        • Organizers used for collecting the individual taxpayer’s (and if required, their family members’) country-specific personal income tax information, education, employment, medical, legal history and other data that is required in rendering services
        • Workpapers used to edit client information received from organizers or other means; compensation data from employers; sourcing of income based on assignment and travel calendar data
        • Current, past or future travel information for the individual, including locations visited and workday activities that occurred in each location
        • Documents, such as tax returns, assignment letters, immigration documents, audit requests from taxing authorities, and official and personal documents (birth certificates, marriage licenses, education documentations and degrees, and passport copies)
        • Financial reporting oversight role (FROR) questionnaires, indicating employment status, employer, and job description
        • Company-specific information: corporate client personnel contacts and division names
        • Assignment data: details regarding current working and living arrangements, including country and city of assignment, employer division funding salary and assignment costs
        • Immigration data: work permit questionnaires, status of work permit, copy of application form, copy of work permit, copy of visa, copy of passport and other immigration documents
        • Payroll data: HR-data required for payroll.
      • Consulting

        In providing consulting services, EY processes a wide variety of information, including potentially all types of personal data. The scope depends on the service and the sector in which the EY member firm’s client is active. For example, providing cybersecurity services for a bank involves the processing of different types of personal data than helping a client in the pharmaceutical sector build a better way of tracking health outcome data.

        Examples of personal data categories received or processed by Consulting client engagement teams are:

        • Contact details, such as name, address, telephone numbers and email address
        • HR and supplier records of clients, which include personal details of employees or suppliers of the client, such as name, contact details, date of birth, race, government identification numbers, employment contracts and service contracts
        • Financial data, such as wage and salary information, pension and retirement benefits information, and bank account numbers
        • Health information about individuals receiving specific drugs or treatments
        • Personal data of employees potentially impacted by supply chain changes or outsourcing
        • Customer data, including race or gender during a customer experience engagement
      • Strategy and Transactions

        Several personal data categories are processed by EY Strategy and Transactions client engagement teams. These include information about buyers and actual or potential targets, which mainly constitute personal details of directors and key personnel, such as:

        • Payroll details
        • Employment contracts
        • Pension and retirement benefits information
        • Entries in accident books
        • Insurance claims
        • Customer lists
        • Consumer contracts
        • Company registers

      In addition, we also process identification and background information as part of our client acceptance, finance, administration and marketing processes, including audit independence, anti-money laundering, conflict-checking, reputational and financial checks, and to fulfill any other legal or regulatory requirements to which we are subject.

      These checks could include the following:

      • Identity verification: proof of name and address
      • Ultimate beneficial ownership of corporate and other legal entities
      • Conflicts checks: to avoid a conflict of interest with any other client
      • Anti-money laundering, proceeds of crime and terrorist financing checks
      • Politically exposed persons (PEP) checks: those with prominent roles in government, judiciary, courts, central banks, embassies, armed forces and state-owned enterprises, including their family members and close associates
      • Adverse media checks
      • Government sanctions list checks
      • Independence checks

      These checks are made for legal, regulatory or business reasons and need to be repeated during the course of our engagement. As part of these checks, we are required to process sensitive personal data (for example, to verify if you are a politically exposed person or to collect information about criminal convictions where this is required according to applicable local anti-money laundering legislation). It is important you provide us with all necessary information and documents as this affects our ability to provide services to you.

      Legal grounds for processing personal data of our clients are:

      • Performance of a contract
      • Compliance with a legal or regulatory obligation
      • Our legitimate interest in providing you with seamless, consistent, high-quality services and securing prompt payment of any fees, costs and debts in respect of our services
      • Our legitimate interest in understanding any conflict of interest or challenge with regard to independence legislation
      • Our legitimate interest in safeguarding EY against inadvertently dealing with the proceeds of criminal activities or assisting in any other unlawful or fraudulent activities (for example, terrorism)
    • Individuals whose personal data we obtain in connection with providing services to our clients

      As part of the professional services EY provides to clients, EY processes personal data of individuals with whom we do not have a direct (contractual or other) relationship. For example, if we perform a statutory audit, our engagement team will be required to audit our client’s books, which could include payroll data for employees of the client, supplier data, financial administration, data regarding claimants and legal proceedings. To take another example: if we undertake a due diligence review of an acquisition of a target on behalf of a client, EY may process personal data concerning the target’s employees, management and customers.

      We seek confirmation from our clients that they have the authority to provide personal data to us in connection with the performance of the services and that any personal data they provide to us has been processed in accordance with applicable law.

      Given the diversity of services we provide, we process many categories of personal data such as:

      • Personal details (such as name, age, data of birth, gender, marital status and country)
      • Contact details (such as phone numbers, email address and postal address)
      • Financial details (such as salary, payroll, income, investments, benefits and tax status)
      • Employment details (such as role, rank, experience, performance data and employment numbers)

      For certain services, we may also process sensitive personal data. For example, in certain countries performing tax return services involves the processing of details of payments made by our client, his or her spouse and dependents with respect to a trade union membership, to a political party, for medical treatments or to a religious charity. Such data is collected intentionally and will be used only where necessary in connection with the provision of the service for which the data was collected, such as determining the correct taxation of our client’s income and for claiming the correct tax deduction with respect to such payments.

      Legal grounds for processing personal data of individuals whose personal data we obtain in connection with providing services to our clients are:

      • Compliance with a legal or regulatory obligation
      • Our legitimate interest in making sure our clients are provided with seamless, consistent and high-quality services worldwide
    • Insolvency Services (only in countries where such services may be provided)

      Once a company undergoes an insolvency, one or more EY insolvency practitioners (i.e., administrators and liquidators) could be appointed to manage the company’s affairs, business and property, provided that such services may be provided in the relevant country. Similarly, when a debtor is subject to insolvency or a restructuring regime, one or more EY insolvency practitioners could be appointed to manage the debtor’s affairs, business and property, only in countries where such services may be provided.

      In this section:

      • Office holder refers to the EY insolvency practitioners.
      • Company refers to the insolvent entity for which the office holders have been appointed.
      • Debtor refers to the individual who is subject to an insolvency or restructuring regime.
      • “You” refers to the data subjects concerned by the insolvency procedure of the company or debtor.

      In providing insolvency services, EY processes your personal data for the legitimate interests of assisting the office holders in the performance of their legal and regulatory obligations with regard to the insolvency procedures. For clarity purposes, the company or debtor remains data controller of your personal data processed for purposes that are not related to the legal and regulatory obligations of the office holders.

      Most of the personal data we process is obtained from you directly, but we also indirectly obtain personal data about you.

      The office holders and EY process your personal data for the following (non- exhaustive) purposes:

      • Communicating with the company or debtor’s creditors and individual creditors: specific information essential in order to carry out statutory duties (this information is to be used to assess, for example, an entitlement to any dividend should one be payable)
      • Provision of references or reports to government departments, regulatory authorities and appropriate bodies in connection with the holding of public office or responding to requests
      • Provision of statutory returns
      • Case administration purposes, including the realization of assets, agreement of claims and payment of distributions
      • Processing for personal purposes of employees in accordance with the law and the company’s own policies
      • Administration of payroll, raising invoices, credit control and other data relating to the company’s finances
      • The reasonable and lawful provision of information to interested parties
      • The prevention and detection of crime or fraud
      • Establishing, exercising or defending legal rights, taking legal advice, taking or defending legal proceedings
      • Complying with legal obligations to which the company or debtor is subject
      • Quality and risk management purposes

      The types of personal data processed for the above purposes include (but are not limited to) name, address, identifying information, payroll information, as well as any information with your dealings with the company or debtor that are necessary for the performance of the office holders’ statutory obligations during the insolvency procedure.

      You have certain rights in relation to your personal data. If you have a query or wish to exercise your rights, please make a written request to the party responsible for your personal data (the company, debtor or the office holder) using the contact details provided in communications about the insolvency.

    • Contacts in our customer relationship management (CRM) systems

      We process personal data about our business contacts such as former, existing and potential clients and individuals employed by, or associated with, clients and other business contacts, such as alumni, consultants, regulators and journalists in our CRM systems.

      In our CRM systems, we process the following categories of personal data:

      • Name, job title, work address, email address, phone and fax numbers
      • Name of employer or organization the individual is associated with

      Data of business contacts who have not been actively engaged with EY in the past 18 months will be deleted from our CRM systems. 

      Legal grounds for processing personal data of business contacts are:

      • Legitimate interest in managing the relationship with our business contacts as described above
    • Marketing

      EY may process personal data relating to our business contacts for purposes of marketing EY’s services and brand. Such contacts may be sent EY Thought Leadership materials, newsletters, other marketing materials, invites to events, seminars, webinars, surveys etc.

      The following categories of personal data and user activities may be processed for marketing purposes:

      • Name, job title, email address, phone and fax numbers, and place of work
      • Name of employer or organization the individual is associated with
      • User preferences (such as areas of topics selected for newsletters etc.)
      • Opening emails, bounces and opt-outs (unsubscriptions), registration for events, seminars or webinars, attendance or no show at events, seminars or webinars.

      Legal grounds for processing personal data for marketing purposes are:

      • Your prior consent where this is legally required (e.g. Denmark and Norway), but also when you have provided your consent in other cases.
      • In all other cases, we will apply EY’s legitimate interest to provide information about EY and its services to our business contacts in their professional capacity (B2B) and to send invitations to events etc. which we believe are in their professional interest.

      All recipients of marketing via electronic communication is offered the possibility to opt out (unsubscribe) from receiving further marketing from EY. If a recipient has opted out from receiving future EY marketing, we will cease processing the personal data for marketing purposes, however the basic contact details of an individual who has opted out will remain on our opt-out list.

    • EY meetings, conferences, events, seminars and webinars

      We process personal data about participants in EY meetings, conferences, events, seminars, webinars and similar activities (jointly referred to as "events"). We use various applications to manage event registration processes, which applications will contain their own privacy notices explaining why and how personal data is collected and processed by these applications. We encourage participants to refer to the Privacy Notices available on those applications.

      As part of our event management processes, we may process the following personal data (but only to the extent applicable and required for the specific event):

      • Name, age or date of birth
      • Client personnel information (office and business information)
      • Credit or debit card number
      • Customer information (office and business information)
      • Email address
      • Gender
      • Home or other physical address
      • Names of employers
      • Occupation (job title)
      • Passport number
      • Personal web URL (if you have a personal website that you would like to share)
      • Telephone or fax numbers
      • Event-related data such as: food preferences or other special requirements, registration status, participant status/type, media interview attendance, previous event experience, arrival time/departure time, hotel check-in/check-out time, flight information (airline, arrival and departure dates)

      We do not intentionally collect sensitive personal data, unless you provide us with such data (for example, special dietary requirements which reveal your religious affiliation or any food allergies or other data relating to your health necessary to provide support to you at an event, for example, if a wheelchair will be required). We may have collected this information when you signed up for the event or seminar, however such information will be deleted after the event or seminar.

      Participants of EY events hosted at external venues are required to bring a photo ID for identification purposes to safeguard our people, assets and information, and to prevent unauthorized people gaining access to off-site EY events.

      EY may take photographs and make audio or video recordings (jointly “Recordings”)  in public areas of the EY events, hence personal data of participants to our events may be processed in such Recordings. Recordings may be edited, copied, exhibited, distributed to the participants and/or published in digital as well as in printed media for marketing purposes, however subject to the below stated.

      Legal grounds for processing personal data in relation to EY events:

      • Legal grounds for processing the personal data referred to above in connection with the administration of EY events is based on consent in accordance with Art. 6 (1) (a) GDPR, which is provided in connection with the registration for the event. The personal data is processed to enable EY to organize, administrate and follow up on events, and to prevent unauthorized people from gaining access to EY events (e.g. by using badges) as well as to protect assets and information that may be available at such events.
      • The legal grounds for processing information about specific dietary requirements or allergies provided by a participant in connection with registration for an event is also consent. This information is processed by us to pre-order food and beverages for the event. Such data is deleted after the event.

      Legal grounds for processing personal data in form of Recordings of participants to EY events:

      • The legal grounds for processing pictures, video recordings etc. of participants to EY events which have been taken in general situations (not close-ups) is that EY has a legitimate interest in accordance with Art. 6 (1) (f) GDPR to process the personal data to inform about and market EY’s business, which overrides the participants’ interests and rights and freedoms, provided that the picture, video recordings etc. is taken in a general situation with no intention to picture any specific individual.
      • The legal grounds for processing Recordings of a specific participant to an EY event (a close-up) for example when interviewing a participant to an event, is consent in accordance with Art. 6 (1) (a) GDPR, i.e. the participant has given his/her consent to the processing of Recordings in which the participant occurs for the stated purpose. In such case, EY will obtain and document the consent provided by the participant
    • Individuals who use our applications

      We provide external users access to various applications managed by us (such as the EY Client Portal and My EY platform).  In instances where such applications process personal data that goes beyond basic contact information used for application authentication purposes, such applications will contain their own privacy notices explaining why and how personal data is collected and processed by those applications. We encourage individuals using our applications to refer to the privacy notices available on those applications.

    • Individuals who visit our social media sites, social media plugins and tools

      • Social media sites

        EY uses various social media platforms, for example, for recruitment or marketing purposes. We use social media to provide you with easy access to relevant information regarding job opportunities at EY and events we organize, and to promote our services and brand.

        While EY will be responsible for the content it publishes using social media platforms, EY will not be responsible for managing the social media platforms (such as creating user statistics or placing cookies). When using these social media platforms, you are obliged to adhere to the legal and privacy terms imposed by the social media platform providers. Such providers collect personal data about you, including statistical and analytical data regarding your use of the social media platforms, such as an overview of pages you have accessed, “likes,” recent visits, posts you publish or find interesting. If you require access to such data or want to invoke one of your other rights (such as the right to object to the processing of your data), you should contact the social media platform provider. Some social media providers provide EY with aggregate data relevant for our pages, such as the number of “likes” triggered by our content or the amount of posts, visitors to Our Site, photos that are downloaded or links that are clicked. 

      • Social media plugins (such as like and share buttons)

        On Our Site, we implement so-called social media plugins. When you visit a page that displays one or more of such buttons, your browser will establish a direct connection to the relevant social network server and load the button from there. At the same time, the social media provider will know that the respective page on Our Site has been visited. We have no influence on the data that the social media providers collect on the basis of the buttons. If you wish to prevent this, please log out of your social media accounts before visiting our website. Social media providers set cookies as well, unless you have disabled the acceptance and storage of cookies in your browser settings.

         

        Facebook plugins

        Our Site includes plugins for the social network, Facebook. The Facebook plugins can be recognized by the Facebook logo or by the like button on Our Site. For an overview of Facebook plugins, click here.

        When you visit Our Site, a direct connection between your browser and the Facebook server is established via the plugin. This enables Facebook to receive information that you have visited Our Site from your IP address. If you click on the Facebook “like button” while you are logged into your Facebook account, you can link the content of Our Site to your Facebook profile. This allows Facebook to associate visits to Our Site with your user account. If you are not yet logged into your Facebook account, clicking a Facebook button will show you the Facebook login page for you to enter your login credentials. Please note that we have no knowledge of the content of the data transmitted to Facebook or of how Facebook uses these data. For more information, please see Facebook's privacy policy.

        Twitter plugin

        Functions of the Twitter service have been integrated into Our Site. When you use Twitter and the “retweet” function, the websites you visit are connected to your Twitter account and made known to other users. If you are not yet logged into your Twitter account, clicking a Twitter button will show you the Twitter login page for you to enter your login credentials. In doing so, data will also be transferred to Twitter. We would like to point out that we have no knowledge of the content of the data transmitted or how it will be used by Twitter. For more information, see Twitter's privacy policy.

        Instagram plugin

        Our Site contains functions of the Instagram service.

        If you are logged into your Instagram account, you can click the Instagram button to link the content of our pages with your Instagram profile. This means that Instagram can associate visits to our pages with your user account. If you are not yet logged into your Instagram account, clicking an Instagram button will show you the Instagram login page for you to enter your login credentials. We expressly point out that we receive no information on the content of the transmitted data or its use by Instagram.

        For more information, see Instagram's privacy policy.

        YouTube plugins

        Our Site uses plugins from YouTube, which is operated by Google. 

        If you visit one of our pages featuring a YouTube plugin, it is a connection to the YouTube servers. Here, the YouTube server is informed about which pages you have visited.

        If you’re logged in to your YouTube account, YouTube allows you to associate your browsing behavior directly with your personal profile. You can prevent this by logging out of your YouTube account. If you are not yet logged in, clicking a YouTube button will show you the YouTube login page for you to enter your login credentials.

        For more information, see Google's privacy policy.

      • Social media tools

        LinkedIn Lead Gen Forms

        EY uses LinkedIn Lead Gen Forms for EY sponsored content, and sponsored LinkedIn InMails for recruitment and marketing campaigns. Once LinkedIn members click on EY advertisement, they will see a form that is pre-filled with information from their LinkedIn profile, such as their name, contact information, company name, seniority, job title and location. As soon as a LinkedIn member submits a lead form, they will be connected to EY.

        Please click here for LinkedIn Privacy Policy.

        Google Maps

        Our Site uses the Google Maps map service via an application programming interface (API). 

        To use Google Maps, it is necessary to save your IP address. This information is generally translated to a Google server in the United States and stored there. We have no influence on this data transfer.

        For more information, see Google's privacy policy.

        Legal grounds for processing personal data of visitors to our social media pages, and the use of social media plugins and tools are:

        • Our legitimate interest in promoting EY services and brand
        • Our legitimate interest in attracting, identifying and sourcing talent
        • Our legitimate interest to improve your website experience and to optimize our services
    • Individuals who correspond with EY via email

      When you communicate with EY via email, EY will process your personal data, such as your name, email address, place of work and other contact information provided by you in the email as well as information and data in the email that can be linked to identifiable individuals. EY will also process the email address of other individuals being a recipient of the email or on cc or bcc to the email.

      The personal data may be processed for different purposes, for example for provision of professional services (for further information about the processing and the legal grounds click on Individuals whose personal data we obtain in connection with providing services to our clients), to administrate our supplier contracts (for further information about the processing and legal grounds click on Suppliers), or in connection with recruitment (for further information about the processing and legal grounds click on Job Applicants).

      Further, EY uses a variety of tools to maintain the security of our IT infrastructure, including our email facilities. Examples of such tools are:

      • Systems that scan incoming emails to EY recipients for suspicious attachments and URLs, in order to prevent malware attacks
      • Tools that provide end-point threat detection to detect malicious attacks
      • Tools that block certain content or websites

      Legal grounds for processing personal data of individuals who correspond with EY via email:

      • Our legitimate interest in protecting our IT infrastructure against unauthorized access or data leakage
      • Our legitimate interest in analyzing email traffic
    • Individuals who correspond with EY via voicemail services (only in the countries where these services have been enabled)

      EY’s phone service is hosted internally at EY. When you call EY personnel, only your phone number will be stored on EY servers and will be delivered to the recipient of your call on their handset and via an email. No other personally identifiable information is collected but technical logs and reports may be stored for trouble shooting purposes.

      EY’s voicemail service is provided by Microsoft. When you call EY personnel and leave a voicemail, this voicemail and any personal data contained within it will be stored on global Microsoft Azure servers and will be delivered to the recipient of your call as an MP3 voice clip in an email. Microsoft will not keep call logs in relation to your calls to EY personnel.

      Legal grounds for processing personal data of individuals who correspond with EY via phone and voicemail services:

      Our legitimate interest in maintaining communication networks.

    • Job applicants

      We collect information from and about candidates in connection with available employment opportunities at EY. The information that we collect, the manner in which it is used, and the timing in which it is gathered varies depending on the country in which you apply.  As general matter, the personal data we collect regarding our job applicants includes names, age, gender, email address, telephone number, resumes or CVs, academic records, work history, employment information and references (if provided).

      We use your personal data to match your skills, experience and education with specific roles offered by EY.  This information is passed to the relevant hiring managers and persons involved in the recruitment process to decide whether to invite you for an interview.  EY will collect further information if you are invited to the interview (or equivalent) stage and onward. Such information includes interview notes, references, assessment results, feedback and offer details.

      In connection with our recruitment activities including applications and onboarding, we may also collect sensitive personal data from candidates, however only where we have a legal obligation to do so. This information is collected if it is relevant to the future working environment at EY or the future provision of employment benefits, or with the individual's explicit consent. Once onboarded, this information may need to be used to provide a suitable working environment. We may also conduct, however only if permitted by applicable law, criminal background checks for certain candidates to assess their eligibility to work at EY or for EY clients. 

      Our recruitment tools and websites contain their own Privacy Notices explaining why and how personal data is collected and processed by those applications. We encourage individuals using our recruitment tools and websites to refer to the privacy notices available on those tools and websites.

      Depending on the country in which you apply, EY collects personal data about candidates (“you”) from the following sources:

      • Directly from you – for example, information that you have provided when applying for a position directly through the EY careers website (for additional information about the processing of your personal data via our global recruitment management system, please read the data privacy statement available in this system)
      • From recruitment agencies – for example, when a recruitment agency with your details contacts us to suggest you as a potential candidate;
      • Through publicly available sources online – for example, where you have a professional profile posted online (e.g., on your current employer's website or on a professional networking site, such as LinkedIn)
      • By reference – for example, through a reference from a former employee or employer, or from a referee you have identified
      • Results of background checks

       

      Legal grounds for processing personal data of our job applicants are:

      • Explicit consent of the candidate
      • Our legitimate interest in attracting, identifying and sourcing talent
      • Our legitimate interest to process and manage applications for roles at EY, including the screening and selecting of candidates
      • Our legitimate interest to hire and onboard candidates by making an offer to successful candidates, and carrying out pre-employment background checks
      • Our legitimate interest to manage our career websites (including conducting statistical analyses)
      • Compliance with a legal or regulatory obligation (when carrying out background checks to warrant a candidate is eligible to work)
    • Alumni

      EY hopes to maintain a lifelong, mutually beneficial relationship with EY alumni (former member firm partners, employees and contractors). If we invite you to our alumni community, your name, contact details, role, last EY office, rank, service line and country will be used to create a record for you in one of our alumni databases, unless you have indicated that you are not interested in participating in the EY alumni program. You have the opportunity to create a more detailed profile and to decide how much additional information you wish to share with EY and the wider alumni community.

      Our alumni databases contain their own privacy notices explaining why and how personal data is collected and processed by those applications. We encourage individuals using our alumni databases to refer to the privacy notices available on those applications.

      The legal grounds for processing personal data of our alumni are:

      • Explicit consent of the alumnus
      • Our legitimate interest in maintaining a strong relationship with our alumni, sending publications about EY and our services, inviting alumni to events, and helping alumni keeping in touch with other alumni
    • Suppliers

      We process personal data about our suppliers (including subcontractors, and individuals associated with our suppliers and their subcontractors) in order to manage our relationship and contract, and to receive services from our suppliers.

      The personal data we process is generally limited to contact information (name, name of employer, phone, email and other contact details) and if relevant financial information (payment-related information).

      In addition, we also use data about our suppliers to check whether we have a conflict of interest or audit independence restriction to appointing a supplier. Before we take on a new supplier, we also carry out audit independence and other background checks required by law or regulation, for example, adverse media, bribery and corruption, and financial checks.

      Legal grounds for processing personal data of our suppliers may be:

      • Performance of a contract
      • Compliance with a legal or regulatory obligation
      • Our legitimate interest in managing payments, fees and charges, and to collect and recover money owed to EY
      • Our legitimate interest in understanding any conflict of interest or challenge with regard to independence legislation
      • Our legitimate interest in safeguarding against EY inadvertently dealing with the proceeds of criminal activities or assist in any other unlawful or fraudulent activities (for example, terrorism)
    • EY/Ethics

      EY/Ethics provides EY people, clients and others outside of EY with a means to confidentially, and either anonymously or on a disclosed basis, report an activity that involves unethical or illegal behavior that is in violation of professional standards or otherwise inconsistent with our EY Global Code of Conduct. Reports can be made either online or via a telephone hotline.

      EY/Ethics contains its own privacy notice and consent form which describes the practices EY follows in relation to EY/Ethics. We encourage individuals using EY/Ethics to refer to the EY/Ethics privacy notice and consent form.

    • Visitors to EY offices

      When you visit an EY office, we process your personal data in order to provide you with certain facilities (such as access to our buildings and conference rooms or Wi-Fi), to control access to our buildings, and to protect our offices, personnel, goods and confidential information (for example, by using CCTV).

      The personal data we collect is generally limited to your name, contact information, location, and the time you enter and leave our office.

      Visitor records and access badges

      We require visitors to our offices to sign in at reception and we keep that record of visitors for a short period of time. Visitors to our offices are provided with a temporary access badge to access our offices. Our visitor records will be used to verify that access badges are returned, to look into a security incident and for emergency purposes (for example, if an office needs to be evacuated).

      Wi-Fi

      We monitor and log traffic on our Wi-Fi networks. This allows us to see limited information about a user’s network behavior but will also include being able to see at least the source and destination addresses the user is connecting from and to.

      CCTV

      EY may use CCTV monitoring when permitted by applicable law. CCTV images are securely stored and only accessible on a need-to-know basis (for example, to look into an incident). As a general rule we are allowed to disclose CCTV images to law enforcement bodies upon their request. CCTV recordings are typically deleted or automatically overwritten after a short period of time unless an issue is identified that requires further investigation. For more specific information, see the CCTV privacy notices below.

      Privacy notice for CCTV at EY's office in Copenhagen

      Privacy notice for CCTV at EY's office in Stockholm

      Legal grounds for processing personal data of visitors to EY offices are:

      Our legitimate interest in protecting our offices, personnel, goods and confidential information

      Our legitimate interest in preventing and detecting crime, and establishing, exercising and defending legal claims

  • Transfers of personal data

    EY member firms operate in more than 150 countries across the globe. Certain aspects of the EY infrastructure are centralized, including information technology services provided to member firms. In addition, where engagements with EY clients span more than one jurisdiction, certain information will need to be accessed by all those within the EY organization who are working on the matter. Therefore, your personal data will be transferred to and stored outside the country in which you are located. This may include countries outside the European Economic Area (EEA) and countries with laws that have not necessarily been determined to provide an adequate level of protection for the processing of personal data under the laws of the EU or other jurisdictions.

    We take appropriate security and legal precautions to safeguard the safety and integrity of personal data that is transferred within the EY organization. EY has implemented binding corporate rules (BCRs) that allow for global transfers within the EY organization of personal data originating in the EEA in accordance with applicable European privacy laws. The BCRs require all EY entities worldwide to use the same standards of protection for personal data.

    You can access our BCRs here.

    Your personal data will also be processed by EY service providers that support our internal ancillary processes. For more information, click the section “Service providers”.

  • Support providers

    We transfer or disclose the personal data we collect to external support providers (and their subsidiaries and affiliates) who are engaged by us to support our internal ancillary processes. For example, we engage support providers to provide (a) general office support including printing, document production and management, archiving, and translation services; (b) accounting, finance and billing support; (c) IT functions including system management and security, data storage, analytics, business applications, voicemail and replication of systems for business continuity/disaster recovery purposes; and (d) conflict checking, risk management and quality reviews.

    It is our policy to only use third-party support providers that are bound to maintain appropriate levels of data protection, security and confidentiality, and that comply with any applicable legal requirements for transferring personal data outside the jurisdiction in which it was originally collected. For data collected in the EEA or which relates to data subjects in the EEA, EY requires an appropriate transfer mechanism as necessary to comply with applicable law.

  • Other disclosures

    EY discloses your personal data:

    • Where this is appropriate for the purposes described in the section “Purposes for which we process personal data,” including within the EY organization itself
    • If required, by applicable law
    • In connection with a reorganization or combination of our organization with another organization
    • If we believe that such disclosure is appropriate to enforce or apply terms of engagement, and other agreements or otherwise protect and defend EY rights, property or safety
    • In order to comply with a judicial proceeding, court order or other legal obligation, or a regulatory or government inquiry

      Or

    • With your consent

    We would like to draw particular attention to the fact that in certain jurisdictions, EY has a legal obligation to report suspicious transactions and other activity to relevant regulatory authorities under anti-money laundering, terrorist financing, insider dealing or related legislation. EY may also report suspected criminal activity to the police and other law enforcement bodies. We are not always permitted by the law to inform you about this in advance of the disclosure, or at all.

    • Third-party recipients of personal data include:
    • Professional advisors, such as law firms, tax advisors or auditors
    • Insurers
    • Audit regulators
    • Tax and customs, and excise authorities
    • Regulatory and other professional bodies
    • Stock exchange and listing authorities
    • Public registries of company directors and shareholdings
    • Providers of identity verification services
    • Credit reference agencies
    • The courts, police and law enforcement agencies
    • Government departments and agencies
    • Support providers 
  • Security

    EY protects the confidentiality and security of information it obtains in the course of its business. Access to such information is limited, and policies and procedures are in place that are designed to safeguard the information from loss, misuse and improper disclosure. Additional information regarding our approach to data protection and information security is available in our Protecting your data brochure (pdf).

  • Keeping your personal data up-to-date

    We maintain the accuracy and completeness of the personal data we hold. It is important that you inform us of any updates to your contact details or other personal data so that we have the most up-to-date information about you. Please contact the person you usually deal with at EY. You can also contact the data protection team.

  • Retention

    Our policy is to retain personal data only for as long as it is needed for the purposes described in the section “Purposes for which we process personal data.” Note that retention periods vary in different jurisdictions and are set in accordance with local regulatory and professional retention requirements.

    In order to meet our professional and legal requirements, to establish, exercise or defend our legal rights, and for archiving and historical purposes we need to retain information for significant periods of time.

  • Minors

    Our Site is not intended for use by minors under the age of sixteen (16) years.  EY does not knowingly collect, disclose, or otherwise process personal data of minors under 16 years of age. If you are under 16 years old, please do not provide any personal data even if prompted to do so. If you believe that you have inadvertently provided personal data, please ask your parent(s) or legal guardian(s) to notify us and we will delete your personal data.

  • Related policies

    The following EY policies provide additional information on EY’s privacy practices:

  • Changes to this privacy notice

    We will occasionally update this privacy notice to reflect changes in our practices and services. When we post changes to this privacy notice, we will revise the “last updated” date at the top of this privacy notice. If we make any material changes in the way we collect, use, and share personal data, we will notify you by prominently posting notice of the changes on the website. We recommend that you check this page from time to time to inform yourself of any changes in this privacy notice.

  • Contact us

    If you have questions or you do not feel that your concerns have been addressed in this Privacy statement, please contact us (see contact details below).

EY in Denmark:

EY Godkendt Revisionspartnerselskab (Business ID: 30700228), Dirch Passers Allé 36, 2000 Frederiksberg, Denmark

or through this link: contact us

Privacy notice for CCTV at EY's office in Copenhagen


EY in Finland:

Ernst & Young Oy (Business ID: 2204039-6), EY Advisory Oy (Business ID: 3283705-9), Korkeavuorenkatu 32-34, 00130 Helsinki, Finland

or through this link: contact us


EY in Norway:

Ernst & Young AS (Business ID: 976 389 387), Ernst & Young Advokatfirma AS (Business ID: 984 328 796), Ernst & Young Value Added Tax Services AS (Business ID 946823 465), Stortorvet 7, P.O. Box 1156 Sentrum, 0155 Oslo, Norway, and EY Skye Consulting AS (Business ID: 995655144), Ormerudveien 2c, 1410 Kolbotn, Norway,

or through this link: contact us


EY in Sweden:

Ernst & Young AB (Business ID: 556053-5873), Hamngatan 26, P.O. Box 7850, 111 47 Stockholm, Sweden, EY Law AB (Business ID: 559048-8226), Hamngatan 26, P.O. Box 3455, 103 69 Stockholm, Sweden

or through this link: contact us

Information on Ernst & Young AB’s processing of personal data within audit engagements  

Privacy notice for CCTV at EY's office in Stockholm

 

List of Our Site

Global

https://www.ey.com/en_gl

Denmark    

https://www.ey.com/da_dk  

https://www.ey.com/en_dk  

Finland        

https://www.ey.com/fi_fi  

https://www.ey.com/en_fi  

Norway       

https://www.ey.com/no_no  

https://www.ey.com/en_no  

Sweden       

https://www.ey.com/sv_se   

https://www.ey.com/en_se