Last updated: 20 August 2020 (rewritten text)
This Privacy Notice is intended to describe the practices which EY follows in relation to EY Finance Navigator (hereafter also: “Tool”) with respect to the privacy of all individuals whose personal data is processed and stored in the Tool.
2. Who manages the Tool?
“EY” refers to one or more of the member firms of Ernst & Young Global Limited (“EYG”), each of which is a separate legal entity, and each of which can act as a data controller in its own right. The entity that is acting as data controller by providing this Tool on which your personal data will be processed and stored is EY Advisory Netherlands LLP.
The personal data which you provide in the Tool may be shared by EY Advisory Netherlands LLP with one or more member firms of EYG located throughout the world and other third parties (see “Who can access your information” section below).
The Tool is hosted on Microsoft Azure servers that are located in Amsterdam.
3. Why do we need your information?
The purpose of the Tool is to assist you – as an entrepreneur – to build financial models that can help you better assess the financial impact of your business decisions. EY Finance Navigator will help you create a complete financial model presented in financial statement format and dashboards. EY Finance Navigator will help you understand financial terms and provide automatically generated checks and tips to improve the completeness of the information.
If you would like to sign up to the use of EY Finance Navigator functionalities (building financial models dashboard, forecast etc.), we will be processing additional data, such as your name, contact and address details, date of birth, country, password, company details and your IP address. In this case, your personal data will be processed and stored in the EY One Pay Services tool. The Tool is an integrated payment and tax calculation portal for transactions between EY and EY clients and encompasses three applications: Zuora Subscription Management Platform (“Zuora”), Adyen Credit Card Transaction Processing Service (“Adyen”), and the Vertex Indirect Tax O Series (“Vertex”). We will share your personal data with Zuora, Vertex and Adyen.
For additional information see paragraph 5 below.
In addition, we could use your data (in anonymized form) for benchmarking purposes and for creating industry outlook reports. This will help you and other clients of EY Finance Navigator to strengthen the assumptions and assess and compare various aspects of your business to peers. The benchmarking information is displayed in an anonymized way so there is no direct comparison between companies. Industry outlook reports may be shared publicly, but data is shared in an anonymized way.
EY relies on the following basis to legitimize the processing of your personal data in the Tool: Processing is necessary for the performance of your contract with EY allowing you to properly use EY Finance Navigator. In some cases, we also have a legal obligation to collect personal data from you.
In order to provide the payment providers with your personal data we legitimize the processing of your personal data on the lawful basis ‘legitimate interests’. Processing of your personal data is necessary for the purposes of the legitimate interests pursued by the EY or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms of which require protection of personal data. The specific legitimate interest is EY’s internal finance administration, payment process and risk management.
The provision of your personal data to EY is mandatory in order to use EY Finance Navigator. Please be aware that if you do not provide us with all personal data requested, we may not be able to carry out the purposes for processing which are set out above.
4. What type of personal data is processed in the Tool?
The Tool processes the following categories of personal data: first name, last name, date of birth, address, postal code, city, country, IP address, e-mail, location (country and/or state) and password, credit card data (credit card number, expired date, CVC code, card holder name, transaction amount, transaction date, transaction time), transaction ID, information about a purchased item (purchase price and Stock-keeping Unit of purchased item).
If you have already established a company, in addition to your personal details as mentioned above, the following company information may be processed within EY Finance Navigator: company name, address, postal code, city, country of registration, VAT number, the year company was founded, (sub-)sector, currency used, website, Chamber of Commerce number, company description.
This data is sourced from your input within EY Finance Navigator.
5. Payment process
If you subscribe to EY Finance Navigator functionalities you are required to pay a verification fee (for “Know Your Client” purposes) and an access fee. We will provide Zuora, Adyen and Vertex with the data relevant for the payment process. Zuora streamlines the payment management processes and provides a workflow that automates the entire Quote/Invoice to Revenue Process and integrates into Adyen and Vertex. Adyen allows EY to accept credit card payments from EY clients globally, and acts as a payment gateway and payment service provider. It also provides risk management and local acquiring (that is, an acquiring bank service). Vertex calculates taxes on services rendered by various EY applications to EY clients globally.
6. Sensitive Personal Data
We will not be processing sensitive personal data in the Tool. Your bank account and/or credit card information may be processed by our payment providers.
7. Who can access your information?
Your personal data may be accessed in the Tool by the following EY persons/teams:
- EY Finance Navigator team based in The Netherlands will have read-only access;
- EY’s IT department will have access to the Tool for IT support purposes.
In addition, the following parties may have access to your personal data:
- The Tool is hosted by Microsoft on an Azure platform in Amsterdam;
- Zuora, Inc.
- Third party service providers (and their subsidiaries and affiliates) that EY engages to support its internal ancillary processes;
- Any competent law enforcement body, regulatory, government agency, court or other third party if necessary.
The access rights detailed above may involve the transfer of personal data in various jurisdictions (including jurisdictions outside the European Union) in which EY operates (EY office locations are listed at www.ey.com). For data collected in the European Economic Area (EEA) or which relates to individuals in the EEA, EY requires an appropriate transfer mechanism as necessary to comply with applicable law. EY will process your personal data in the Tool in accordance with applicable law and professional regulations. Transfers of personal data within the EY network are governed by EY’s Binding Corporate Rules (www.ey.com/bcr).
8. Data retention
The policies and/or procedures for the retention of data in the Tool are as follows: Your personal data will be deleted within 12 months after your access to EY Finance Navigator has expired and has not been renewed. Please make sure to export and save your data before ending your account with EY Finance Navigator.
The data retained at Zuora will be anonymized when the (business) user is not active for more than one year. Please note that this retention period is not applicable for individual users. When registering as an individual, the name and address of the data subject will remain on the invoice. Consequently, the personal data of these individuals is subject to the legal (fiscal) retention period of 7 years.
Adyen will retain authentication/login data as long as EY has a relationship with Adyen. Upon termination of the relationship, authentication/login data is kept for 5 years. Furthermore, Adyen retains transaction data and credit card data in accordance with local law regarding the retention of financial information.
Vertex will retain the common personal data for 7 years. Log data will be retained for 1 year in accordance with the Logging Policy, where applicable by law. After the end of the data retention period specified in the policies and/or procedures set out above, your data will be deleted.
EY is committed to making sure that your personal data is kept secure. In order to prevent unauthorized access or disclosure, EY has put in place appropriate technical and organizational measures to safeguard and secure your personal data. All EY personnel and any third parties which EY engages to process your personal data are obliged to respect the confidentiality of your data.
10. Controlling your personal data
EY will not sell, distribute or lease your personal data to third parties (other than those parties referred to in section 7 above) unless we have your permission or are required by law to do so.
You are legally entitled to request details of the personal data which EY holds about you. If you would like to obtain confirmation as to whether or not your personal data is processed in the Tool or if you would like to access your personal data in the Tool, please contact us via email@example.com.
11. Rectification, erasure or restriction of processing
EY provides you with the ability to make sure your personal data is accurate and up to date. You can request access, object, data portability, rectification, erasure or restriction of processing of your personal data by sending an e-mail to firstname.lastname@example.org. We will use reasonable efforts to contact you regarding your request.
If you are concerned about an alleged breach of privacy law or any other regulation by EY, you can contact EY’s Privacy Officer via email at email@example.com. An EY Privacy Officer will be made available to investigate your complaint and give you information about how it will be handled.
If you are not satisfied with the way in which EY has resolved your complaint, you have the right to complain to the data protection authority in your country. You may also refer the matter to a court of competent jurisdiction.
13. Contact us
If you have questions or you do not feel that your concerns have been addressed in this Privacy Notice, please contact your usual EY representative, or you can reach us via firstname.lastname@example.org.