General Privacy Statement EY Nederland

Version December 2023

This Privacy Statement informs you about the way in which EY processes your personal data and about your privacy rights. Below you will find a summary of the most important points from our Privacy Statement. For more information, click on the headings under the summary. You can also click here to download a PDF of the full Privacy Statement.

Summary of the General Privacy Statement EY Nederland

This Privacy Statement will inform you about the processing of your personal data for which the entities of the EY network of Ernst & Young Global Limited (jointly referred to as "EY", "We", "Us" or "Our") situated in the Netherlands are responsible. You can find a list of the entities via this link.

We process your personal data for:

  • EY Internal processes
    • to control our EY offices with accessories (facilities);
    • for hiring new employees;
    • for various EY activities we want to organise, such as meetings, conferences, events and training sessions; and
    • for performing client acceptance processes such as conflict checks and anti-money laundering and financing of terrorism measures;
  • EY Marketing activities
    • providing, maintaining and improving our websites, our apps and for our social media activities;
    • informing about and promoting provision of EY services;
    • informing about, organising and inviting to various EY activities.
  • Provision of  our professional services in general and specifically within our service lines: (i) Assurance, (ii) Tax, (iii) Consulting, (iv) and Strategy and Strategy and Transactions (SaT);
  • Managing of our business relations: with our clients, the service providers engaged by EY and other commercial contact persons;
  • Maintaining contact with and organising events for former employees (EY alumni), and related processing activities.

You as data subject have various privacy rights with regard to our processing of your personal data. You have the right to:

  1. Withdraw your consent when we process personal data based on your consent (right to withdraw your consent);
  2. Access your personal data (right of access);
  3. Request rectification of your personal data when it is incorrect, incomplete or not relevant (right to rectification);
  4. Request erasure of your personal data when we are not allowed to process your personal data anymore (right to be forgotten);
  5. Receive by yourself or by a party indicated by you certain personal data about you (right to data portability);
  6. Object to the processing of your personal data (right to object);
  7. Keep your personal data at your request even if we are no longer allowed to process it or when this is open for discussion (right to restriction of processing);
  8. In certain circumstances, not to be subject to a decision solely based on automated processing, without human interference (right regarding automated decision making);
  9. Submit a complaint with an authorised supervisory authority when you find out that there is a privacy infringement (right to complain).

Click here for more information about your privacy rights. Find our contact details here.

  • 1. How does this Privacy Statement relate to other documents?

    1.1 Other Privacy Statements of EY

    This Privacy Statement provides a general description of how EY processes personal data it is responsible for, and which rights you have in this respect. This Privacy Statement forms an additional / detailed explanation of the general Privacy Statement of EY on a global level (click here), and prevails over it.

    Certain EY activities are subject to more specific Privacy Statements in addition to this Privacy Statement. For example, when the processing may have a higher impact on your privacy, for example camera surveillance (www.ey.nl/camera surveillance), in relation to recruitment or regarding direct marketing and events (see this link). In that case you will be separately informed about this processing activity. The specific Privacy Statements in principle apply in addition to this general Privacy Statement and prevail over this general Privacy Statement. 

    1.2 Privacy Statements of other parties

    This Privacy Statement is not applicable to provision of services of third parties for which these third parties are responsible themselves. For example, websites of third parties that are linked to our websites via hyperlinks, or our clients who also process personal data that we need for the provision of our services for their own purposes. For information about how these third parties process your personal data, we refer you to the privacy statements and/or other information provided by these parties.

  • 2. Which personal data is used and for what purposes?

    • 2.1 General

      EY can process personal data in various ways. You can click on one or more of the topics below for more information about:

      • The category of persons who we are processing personal data about, per topic;
      • The purpose of the processing;
      • What personal data we process in this respect; and
      • On what legal grounds this processing is based.
      2.1.1 Legitimate interest

      Sometimes we indicate that we process your personal data based on the legal ground "legitimate interest". This means that a balance of interests is performed between the interests that are served by the processing on the one hand and your privacy interests on the other hand, and that the interests of the processing prevail. The related legitimate interests are included below per topic. If you want more information about this, you can contact us directly.

      2.1.2 Minors and other persons with a legal representative

      In principle, we do not focus on provision of our services to and processing of personal data of persons younger than 16 years. We also do not focus on persons who are placed under a legal relationship, such as guardianship or persons who are supervised or administered by someone else. If, in exceptional cases, we do focus on such persons, EY will take into account the vulnerable position of these persons. The manner in which persons are informed about the processing will also be aligned with this group of persons and where necessary, consent of the legal representative will be obtained by EY.

    • 2.2 EY’s internal processes

      • 2.2.1 Visit to EY offices (facilities)
        • The persons involved. We process personal data about visitors of the EY offices
        • The purpose of the processing. When you visit an EY office, we will (when applicable) process your personal data for the following purposes:
          • Offering and optimising certain facilities (among others access to meeting areas or WiFi);
          • Access registration, access control and access management;
          • Network management and network security (when using WiFi);
          • Verification that access badges are returned;
          • Investigating safety incidents;
          • Contacting you in case of emergencies;
          • Security and protection of our buildings, property, employees and data (with regard to camera surveillance) - we refer to https://www.ey.com/en_nl/privacy-statement-camera-surveillance;
          • Investigation, analysis and statistics;
          • Internal control and business operations;
          • Handling any requests, complaints and disputes;
          • Determining, exercising and defending our rights;
          • Complying with legal obligations and professional regulations, and requests of authorised government institutions.
        • Personal data that is processed. When you visit a EY office, we may process the following personal data:
          • Name, gender and title;
          • Contact details (for example address, telephone number, e-mail address, website, work and/or private);
          • Business details (organisation, function);
          • Data about presence (location, time of arrival and departure);
          • IP address, websites visited and other information when using WiFi;
          • Information about a visit (type of appointment, EY contact person, any other parties invited);
          • The number of the access pass used to gain access to the EY building and certain areas inside.

        In certain areas we also have movement- and sound sensors, measurement of CO2 quality, sound, temperature, humidity and light.

        Sensitive information:
        In principle, we do not process any sensitive data about visitors of our offices. This could be different when you provide us with sensitive data that we need to meet one of your requests. For example, communicating that a parking space for disabled persons is required.

        • Legal grounds for processing. We base the use of your personal data when you visit an EY office on one of the following legal grounds:
          • Legitimate interests: Our legitimate interest to: protect and secure our offices, staff members, goods and confidential information, and the purposes mentioned above.
          • Consent: Your (explicit) consent for the processing of certain additional information, such as sensitive information provided by you and required for the facilitation of a visit.

         

      • 2.2.2 EY activities (such as: meetings and events)
        • The people involved. We process personal data about (registered) participants of EY activities, such as: meetings, conferences, events and learning sessions.
        • The purpose of the processing. We process personal data about participants to EY activities for the following purposes:
          • The information and communication about the events;
          • The organisation and facilitation of the events;
          • Making video or sound recordings for communication and marketing purposes;
          • Marketing and business development;
          • Investigation, analysis and statistics;
          • Internal control and business operations;
          • Handling any requests, complaints and disputes;
          • Determining, exercising and defending our rights;
          • Complying with legal obligations and professional regulations, and requests of authorised government institutions.
        • Personal data that is processed. In the context of event management, we may process the following personal data:
          • Name, gender, title and age / date of birth;
          • Contact details (for example address, telephone number, e-mail address, website, work and/or private);
          • Business details (organisation, function, names of business relations);
          • Financial details (card number, IBAN, bank account number, amount);
          • Communication details about an event;
          • Details about presence at an event (type of event, location, date, other invitees);
          • Any video or sound recordings of the event.

        Sensitive information:
        It is not our intention to process sensitive personal data in the framework of event management. Participants at EY events at external locations are however obliged to bring an identity card with a photo to prevent unauthorised persons from gaining access to these events, and we can use video and sound recordings of events for communication- and marketing purposes, which could lead to accidental disclosure of sensitive personal data. Further, it is possible that you communicate sensitive data to us, for example when you communicate special dietary needs that could be indicative of your religious convictions or food allergies.

        • Legal grounds for processing. We base the use of your personal data in the context of event management on one of the following legal grounds:
          • Consent: Your (explicit) consent, for example when you indicate that you want to be kept up to date about future events or when you communicate special dietary needs.
          • Legitimate interests: Our legitimate interest for the organisation of events and the additional processing of personal data, including the information and communication about it and the other processing purposes mentioned above; and our legitimate interest to prevent unauthorised persons from gaining access to the events, for the protection and security of the persons, goods and data.

         

      • 2.2.3 Client acceptance processes
        In the context of our client acceptance processes, we process personal data for, for example, conflict checks (to prevent a conflict of interest), anti money laundering and financing of terrorism measures, reporting in the public media, sanction lists and independent controls.
        • The persons involved. We process personal data about directors, the key personnel of the organisations concerned, in addition associates and family members of Politically Exposed Persons (PEPs) (e.g. a close associate is someone with a close business relationship with a PEP) and the ultimate beneficial owners of an organisation (‘Ultimate Beneficial Owners’).
        • The purpose of the processing. In the context of our client acceptance processes, we process personal data for the following purposes:
          • To comply with supervisory requirements and legal obligations to which we are subject, including in the field of preventing and combating laundering and financing of terrorism;
          • To prevent conflict of interests;
          • Risk control and quality assessment;
          • Internal financial-administrative purposes, IT purposes and other supporting services with an administrative nature.
        • Personal data that is processed. In the context of our client acceptance processes, we may process the following personal data:
          • Name, gender, title and age / date of birth;
          • Contact details (for example address, telephone number, e-mail address, website, work and/or private);
          • Copy of an identity document (passport, identity card or drivers licence, without national identification number);
          • Business details (organisation, function, names of business relations);
          • Financial details (card number, IBAN, bank account number, amount);
          • Communication data;
          • Log data.

        Sensitive information:
        In the context of our client acceptance processes, we may also process sensitive personal data: For example, data about someone's political preferences with regard to an investigation whether someone was a prominent political figure or processing of criminal data in the framework of compliance with regulations to prevent money laundering and financing of terrorism.

        • Legal grounds for processing. We base the use of your personal data in the context of internal processes on one of the following legal grounds:
          • Legitimate interests: Our legitimate interest in the processing of personal data from our internal processes is extensive and coincides with the aforementioned processing purposes.
          • Legal obligation: Sometimes we do not process personal data on our own initiative, but to comply with a legal obligation we have. This is for example the case when we process personal data to comply with legal obligations to prevent and combat  money laundering and financing of terrorism.

         

    • 2.3 EY Marketing activities

      • 2.3.1 Website, apps and social media
        We process personal data for providing, maintaining and improving our websites, our apps and for our social media activities. The following domains fall under "our websites":
        • The persons involved. We process personal data about persons who visit our websites ("website visitors"), use our apps ("app users") and who use social media buttons on our websites or link with us via social media ("social media users"). 
        • The purpose of the processing. In the context of our websites, apps and social media, we process personal data about website visitors, app users and social media users for the following purposes:
          • Communication, recruitment and selection and marketing;
          • Analysis of website visitors (e.g. benchmarking and to determine to what kind of organisation in what way you are connected);
          • Personalisation of the website content;
          • Support of social media tools and plug-ins;
          • Control and application of applicable user conditions;
          • Maintenance, administration and security of our websites and apps;
          • Marketing and business development;
          • Investigation, analysis and statistics;
          • Internal control and business operations;
          • Handling any requests, complaints and disputes;
          • Determining, exercising and defending our rights;
          • Complying with legal obligations and professional regulations, and requests of authorised government institutions.
        • Personal data that is processed. In the context of our website, apps and social media, we could furthermore process the following personal data about you, provided by you, depending on, for example, which web pages you visited and the settings of your device and browser:
          • Name, gender, title and function title;
          • Company or organisation;
          • Contact details (for example address, telephone number, e-mail address, website, work and/or private);
          • Login credentials;
          • Social medium name;
          • Personal preferences and interests.

            Automatically collected information:
          • IP address;
          • Type of device and unique identification number of the device (MAC address);
          • Browser type;
          • Global geographic location (for example location on national or city level);
          • Other technical information, such as regarding to interaction between your device and our website, the web pages that were visited, the links clicked and log data;
          • For automatically collected information cookies and similar tracking technology as explained in the EY Cookie policy is used.

        Sensitive information:
        IIn the context of our website, apps and social media, we do not, in principle, process sensitive information. If we in certain cases do process sensitive information you will be separately informed about this processing and where necessary, we will request explicit consent.

        • Legal grounds for processing. We base the use of your personal data in the context of our website, apps and social media on one of the following legal grounds:
          • Consent. Sometimes we base the processing of personal data on the (explicit) consent of the relevant person. This is for example applicable when you subscribe to a newsletter via our website.
          • Legitimate interest. Our legitimate interest by offering and using our website, apps and social media; and other processing purposes listed above.
          • Legal obligation. Sometimes we do not process personal data on our own initiative, but to comply with a legal obligation we have. This is for example when we keep personal data for longer period of time to be able to comply with a legal retention obligation.
        • Explanation. EY uses different social media platforms, for example in the context or recruitment and selection and for marketing purposes. EY is also responsible for, among other things, the content of the websites, however, not for the management of the social media platforms. For more information about how your personal data will be used by such social media platforms, we refer to the information already available on the websites of the suppliers of these platforms. Below we have included links to the privacy policy of various suppliers of social media platforms, which we could use:

        On our websites we use the so-called social media plug-ins (such as "Like" and "Share" buttons). When you visit a page with one or more of these buttons, your browser will directly connect to the relevant social network server and load the button from there. At the same time, the social media supplier knows that the relevant page on our website was visited. We have no influence on the data collected by the social media suppliers based on the buttons. If you want to prevent collection of data based on the buttons, log out on your social media accounts before visiting our websites and switch off the storage of cookies in your browser settings.

      • 2.3.2 Information about provision of EY services and invitations to various EY activities

        We process personal data to inform you about and promote the provision of EY services and to inform you about and invite you for various EY activities (e.g. with the use of newsletters) and the organisation of these activities.

        • The persons involved. We process personal data about prospects and clients for the provision of EY services and (potential) participants of the EY activities.
        • The purpose of the processing. We process personal data about prospects and clients with regard to the provision of EY services and (potential) participants of the EY activities for the following purposes:
          • Informing about and promoting provision of EY services ;
          • Informing and communicating about EY activities;
          • Investigation, analysis and statistics;
          • Handling any requests, complaints and disputes;
          • Determining, exercising and defending our rights;
          • Complying with legal obligations and professional regulations, and requests of authorised government institutions.
        • Personal data that is processed. In this context, we may process the following personal data:
          • Name, gender, title and age / date of birth;
          • Contact details (for example address, telephone number, e-mail address, website, work and/or private);
          • Business details (organisation, function, names of business relations);
          • Details about presence at an event (type of event, location, date, other requirements);
          • Special dietary needs.
        • Legal grounds for processing. We base the use of your personal data in this context on one of the following legal grounds:
          • Legitimate interests: Our legitimate interest in the processing of personal data with regard to provided information about provision of EY services, invitation to various EY activities and the other processing purposes mentioned above (for example in case EY had contact with you for the first time, but there is no relationship yet between you and EY or there is no granted consent yet from your side).
          • Consent: Your (explicit) consent, for example when you indicate that you want to be kept up to date about  the provision of EY services or EY activities for example via our newsletter or when you communicate special dietary needs.

        More detailed information on the processing of personal data in the context of direct marketing and events can be found here.

    • 2.4 Service provision by EY

      • 2.4.1. Service provision general / business relations
        The way in which we process personal data with regard to our service provision depends mostly on the type of service it concerns. See this link for a summary of the services provided by EY.
         Below we will state the way personal data is generally processed with the provision of our service to clients. This is further explained in broad terms for the four main categories (“Service Lines”) within our service provision – Assurance, Tax, Advisory and Strategy and Transactions.
        • The persons involved. In the context of our service provision to clients we generally process personal data about the:
          • Prospect: (contact persons of) a potential client of EY;
          • Client: (contact persons of) a client of EY;
          • Former client: (contact persons of) a former client of EY;
          • Customer-of-the-client: customers of a client of EY;
          • Persons involved with the service provision: other persons involved with the execution of our service provision to the client;
          • Persons connected to the client: other persons of whom the client of EY processes the personal data, which we also require for our service provision to the client.
        • The purpose of the processing. In the context of our service provision we generally process personal data for the following purposes:
          • Approaching, contacting and creating quotations for prospects;
          • Maintaining contact with (former) clients;
          • Providing services to (former) clients;
          • Analysis and evaluation of the frequency and quality of interactions between EY and (contact persons of) (former) clients and prospects;
          • Administrative purposes, including financial;
          • Marketing and business development;
          • Investigation, analysis and statistics;
          • Handling any requests, complaints and disputes;
          • Determining, exercising or defending our rights;
          • Complying with legal obligations and professional regulations, and requests of authorised government institutions.
        • Personal data that is processed. In the context of our service provision to clients we generally process the following personal data:
          • Name, gender, title and age / date of birth;
          • Marital status and family composition;
          • Contact details (for example address, telephone number, e-mail address, website, work and/or private);
          • Business details (organisation, function, names of business relations);
          • Financial details (card number, IBAN, bank account number, amounts);
          • Administration number;
          • Communication datas.
            In the context of our service provision, it’s also possible that we process other personal information about the directors and key personnel of the relevant organisations, for example with regard to: the verification of someone's identity (name and address) and the natural persons that are the ultimate beneficiary of the legal entities ("Ultimate Beneficial Owners").

        Sensitive information:
        In the context of our service provision to clients we do not, in principle, intentionally process sensitive information, other than financial details insofar as this is necessary for the execution of our service. This could differ, depending on the specific service provision, for example with the provision of services to hospitals.

        • Legal grounds for processing. We base the use of your personal data for our service provision on one of the following legal grounds:
          • Execution of the agreement. Insofar as the processing of personal data is required for the execution of an agreement that the relevant person is a party to, we base the processing on these grounds. This is for example applicable to the processing of personal data of an individual who directly signed a contract with us.
          • Legitimate interests. Our legitimate interest in the execution of our service provision and striving for the above-mentioned purposes. This is explained below, in more detail, per category of service provision.
          • Consent. On an incidental basis, the processing of personal data is based on the (explicit) consent of the relevant person. If this is the case, you will be separately informed about this.
          • Legal obligation. Sometimes we do not process personal data on our own initiative, but to comply with a legal obligation to which we are subject. This is for instance when we keep personal data for a longer period of time to comply with a legal retention obligation. We could also be legally obliged to report suspicious transactions to certain government institutions based on regulations to prevent money laundering, financing terrorism, insider trading or related regulations.

         

      • 2.4.2. Service provision ➟ Assurance
        Our Assurance service provision is focussed on helping our clients to supply reliable and clear information to investors and other stakeholders. The support we offer our clients with the compilation, composition and assessment of the annual financial statements is an example of this. Within this Service Line we also offer advice about impact measurements (natural and social capital), risks in supply chains, compliance matters related to health and safety, stakeholder dialogues and value creation models. We assist our clients with feedback, address important issues and provide audit committees with clear perspectives.
        • The persons involved. In the context of our Assurance service provision to clients we generally process personal data about the:
          • Prospect: (contact persons of) a potential client of EY;
          • Client: (contact persons of) a client of EY;
          • Former client: (contact persons of) a former client of EY;
          • Customer-of-the-client: customers of a client of EY;
          • Persons involved with the service provision: other persons involved with the execution of our service provision to the client;
          • Persons connected to the client: other persons of whom the client of EY processes the personal data, whose personal data we subsequently process for the provision of our service to the client. Examples of these include the client's employees, consumers and suppliers, the client's shareholders and the customer of the customer of the client.
        • The purpose of the processing. In the context of our Assurance service provision we generally process personal data for the following purposes:
          • Approaching, contacting and creating quotations for prospects;
          • Maintaining contact with (former) clients;
          • Providing services to (former) clients, including checking the financial statements and performing an audit;
          • Administrative purposes, including financial;
          • Marketing and business development;
          • Investigation, analysis and statistics;
          • Handling any requests, complaints and disputes;
          • Determining, exercising or defending our rights;
          • Complying with legal obligations and professional regulations, and requests of authorised government institutions.
        • Personal data that is processed. When providing Assurance services, EY processes information that contains personal data, such as salary administration data, reports of the board of directors and other documents related to the audit activities of the client or associated entities. Examples of categories of personal data that are being processed are:
          • Name, gender and title;
          • Contact details (for example address, telephone number, e-mail address, website, work and/or private);
          • Business details (organisation, function, names of business relations);
          • Administration number;
          • License plate of commercial vehicles;
          • Communication data;
          • Data about health and absenteeism, for example medical certificates and information about sick leave, leave or parental leave;
          • Financial details (information about financial requirements, such as bank account details, salary details and other benefits, insurance details and the license plate of a commercial vehicle;
          • Information about insurance and company pension.

        Sensitive information:
        In the context of our Assurance service provision we do not, in principle, intentionally process sensitive information, other than the aforementioned financial details and national identification numbers insofar as this is based on legal grounds. This could differ based on the type of project it concerns, for example with the provision of services to hospitals.

        • Legal grounds for processing. We base the use of your personal data for our Assurance service provision on one of the following legal grounds:
          • Execution of the agreement. Insofar as the processing of personal data is required for the execution of an Assurance agreement that the relevant person is a party to, we base the processing on these grounds. This is for example applicable to the processing of personal data of an individual who directly signed a contract with us.
          • Legitimate interests. Our legitimate interest in the execution of our service provision and striving for the above-mentioned purposes. In case of the Assurance service provision the interest of the client to inform its shareholders and other parties is also a relevant factor.
          • Consent.  On an incidental basis, the processing of personal data is based on the (explicit) consent of the relevant person. If this is the case, you will be separately informed about this.
          • Legal obligation. Sometimes we do not process personal data on our own initiative, but to comply with a legal obligation to which we are subject. This is for instance when we keep personal data for a longer period of time to comply with a legal retention obligation.

         

      • 2.4.3. Service provision ➟ Tax service provision
        Our Tax service provision - the fiscal advice- and reporting practice - helps clients to control their tax position and to comply with obligations related to legislation, regulations and reporting. We give advice, for instance, about the fiscal structure that fits best with the profile of clients and supply services related to compliance and fiscal planning. Together with clients, we evaluate, assess and improve tax processes, internal and external controls, risk management and the automation of these processes. In this context, we also help our clients with the selection and implementation of technological upgrades.
        • The persons involved. In the context of our Tax service provision to clients we generally process personal data about the:
          • Prospect: (contact persons of) a potential client of EY;
          • Client: (contact persons of) a client of EY;
          • Former client: (contact persons of) a former client of EY;
          • Customer-of-the-client: customers of a client of EY;
          • Persons involved with the service provision: other persons involved with the execution of our service provision to the client;
          • Persons connected to the client: other persons of whom the client of EY processes the personal data, whose personal data we subsequently process for the provision of our service to the client.
        • The purpose of the processing. In the context of our Tax service provision we generally process personal data for the following purposes::
          • Approaching, contacting and creating quotations for prospects;
          • Maintaining contact with (former) clients;
          • Providing services to (former) clients;
          • Administrative purposes, including financial;
          • Marketing and business development;
          • Investigation, analysis and statistics;
          • Handling any requests, complaints and disputes;
          • Determining, exercising or defending our rights;
          • Complying with legal obligations and professional regulations, and requests of authorised government institutions.
        • Personal data that is processed. In the context of our Tax service provision to clients we generally process the following personal data:
          • Name, gender and title and age / date of birth;
          • Contact details (for example address, telephone number, e-mail address, website, work and/or private);
          • Nationality and place of birth;
          • Marital status and family composition;
          • Business details (organisation, function, names of business relations);
          • Financial data (card number, IBAN / bank account number, amount, transactional data; but also salary and other income data, expenses, possessions, debts, rights and obligations, value of the residence, etc.);
          • Administration number;
          • Communication data;
          • Tax details, including national identification numbers and tax return files: claims, data completed and sent, and comments about tax returns;
          • Data regarding tax settlement: claims, data entered, settlement amounts and taxes paid;
          • Archives that are used for the collection of the country-specific information about the income tax of the tax payer (and when necessary the family members), which includes information about education, work, incidentally medical data, legal history and other information required for providing Tax services;
          • Work documents that are used to process client information from archives or other resources; salary data of employers, income source based on assignments and travel data;
          • Current, previous or future travel information about the individual, including the visited locations and the work day activities that took place at each of the locations;
          • Official and personal documents (birth certificates, marriage certificates, training documents and diplomas and passport copies, where possible without national identification number);
          • Financial reporting oversight role (FROR) questionnaires;
          • Investigation data for questionnaires about financial reporting, stating work status, employer and job description;
          • Assignment details: details about the current working and living conditions, including country and city of work assignment, department responsible for the salary and project costs;
          • Immigration details: questionnaires about work permits, status of the work permit, copy of the application form, copy of the work permit, copy of the visa, copy of the passport and other immigration documents.

        Sensitive information:
        In the context of our Tax service, we do not, in principle, intentionally process sensitive information, other than (i) the aforementioned financial data also with regard to the voluntarily disclosure scheme of the tax authority, (ii) national identification numbers in case of tax return activities for natural persons and other reporting obligations that EY has insofar as this is based on legal grounds, and (iii) incidentally also medical information when healthcare costs are included into the tax return activities of natural persons. Depending on the type of project it concerns, other types of sensitive information could also be processed on an incidental basis. In that case it shall be safeguarded that this processing also takes place in accordance with the privacy rules.

        • Legal grounds for processing. We base the use of your personal data for our Tax service provision on one of the following legal grounds:
          • Execution of the agreement. Insofar as the processing of personal data is required for the execution of an agreement that the relevant person is a party to, we base the processing on these grounds. This is for example applicable to the processing of personal data of those who directly signed our contract with the client.
          • Legitimate interests. Our legitimate interest in the execution of our Tax service provision and striving for the above-mentioned purposes. In case of the Tax service provision the interest of the client to control their tax position and to comply with obligations related to legislation and regulations and reporting is also a relevant factor.
          • Consent. On an incidental basis, the processing of personal data is based on the (explicit) consent of the relevant person. If this is the case, you will be separately informed about this.
          • Legal obligation. Sometimes we do not process personal data on our own initiative, but to comply with a legal obligation to which we are subject. 

         

      • 2.4.4. Service provision ➟ Consulting
        Our Consulting services - advice services - are mainly focussed at large, complex strategic changes, growth, optimisation and protection in various business sectors and the public sector. The aim is result improvement. Examples of topics are; setting up an adequate supply chain, better client management or IT transformation.
        • The persons involved. In the context of our Consulting service provision to clients we generally process personal data about the:
          • Prospect: (contact persons of) a potential client of EY;
          • Client: (contact persons of) a client of EY;
          • Former client: (contact persons of) a former client of EY;
          • Customer-of-the-client: customers of a client of EY;
          • Persons involved with the service provision: other persons who are involved with the execution of our service provision to the client;
          • Persons connected to the client: other persons of whom the client of EY processes the personal data, whose personal data we subsequently process for the provision of our service to the client.
        • The purpose of the processing. In the context of our Consulting service provision we generally process personal data for the following purposes:
          • Approaching, contacting and creating quotations for prospects;
          • Maintaining contact with (former) clients;
          • Providing services to (former) clients;
          • Administrative purposes, including financial;
          • Marketing and business development;
          • Investigation, analysis and statistics;
          • Handling any requests, complaints and disputes;
          • Determining, exercising or defending our rights;
          • Complying with legal obligations and professional regulations, and requests of authorised government institutions.
        • Personal data that is processed. When providing Advisory services, EY processes a wide variety of personal data. The type of personal data depends on the specific service and the sector where the client of EY is active. When, for instance, providing cyber security services to a bank, other types of personal data are being processed than when a client in the pharmaceutical sector is assisted in building a better way to keep research data with regard to the health of people up to date. Examples of categories of personal data that EY processes for Consulting service provision are:
          • Name, gender and title and age / date of birth;
          • Contact details (for example address, telephone number, e-mail address, website, work and/or private);
          • Marital status and family composition;
          • Business details (organisation, function, names of business relations);
          • Administration number;
          • Communication data;
          • HR and supplier details of EY clients, including personal data of employees or suppliers of the client, such as the name, contact details, date of birth, national identification numbers, employment contracts and service agreements;
          • Financial details, such as information about wages and salaries, information about pensions, benefits and insurance, but for example also information regarding bank account numbers, transactions and credits in relation to the analysis of payment transactions for a bank;
          • Client details, including with regard to gender, for investigation on the client experience.

        Sensitive information:
        In the context of our Consulting service provision we do not, in principle, intentionally process sensitive information, other than the aforementioned financial details and national identification numbers insofar as this is based on legal grounds. This could differ depending on the type of project; for example, medical data processed on an aggregated level during the audit of a health insurer. In that case it shall be safeguarded that this processing also takes place in accordance with the privacy rules.

        • Legal grounds for processing. We base the use of personal data for our Advisory service provision on one of the following legal grounds:
          • Execution of the agreement. Insofar as the processing of personal data is required for the execution of an agreement that the relevant person is a party to, we base the processing on these grounds. This is for example applicable to the processing of personal data of those who directly signed our contract with the client.
          • Legitimate interests. Our legitimate interest in the execution of our Consulting service provision and striving for the above-mentioned purposes. With the Consulting service provision, the client's interests to optimise or change their services/business operations is also a relevant factor.
          • Consent. Incidentally, we base the processing of personal data on the (explicit) consent of the relevant person. If this is the case, you will be separately informed about this.
          • Legal obligation. Sometimes we do not process personal data on our own initiative, but to comply with a legal obligation to which we are subject. This is for instance when we keep personal data for a longer period of time to comply with a legal retention obligation.

         

      • 2.4.5. Service provision ➟ Strategy and Transactions (SaT)
        With our Strategy and Transactions (SaT) we generally help companies to create social and economic value with properly considered decisions about the strategic management of capital and transactions. The focus is on the way in which clients invest, increase, optimise and secure their capital in a fast-changing world in such a manner that the trust of investors and other stakeholders is maintained or increased.
        • The persons involved. In the context of our SaT service provision to clients we generally process personal data about the:
          • Prospect: (contact persons of) a potential client of EY;
          • Client: (contact persons of) a client of EY;
          • Former client: (contact persons of) a former client of EY;
          • Customer-of-the-client: customers of a client of EY;
          • Persons involved with the service provision: other persons who are involved with the execution of our service provision to the client;
          • Persons connected to the client: other persons of whom the client of EY processes the personal data, whose personal data we subsequently process for the provision of our service to the client.
        • The purpose of the processing. In the context of our SaT service provision we generally process personal data for the following purposes:
          • Approaching, contacting and creating quotations for prospects;
          • Maintaining contact with (former) clients;
          • Providing services to (former) clients;
          • Administrative purposes, including financial;
          • Marketing and business development;
          • Investigation, analysis and statistics;
          • Handling any requests, complaints and disputes;
          • Determining, exercising and defending our rights;
          • Complying with legal obligations and professional regulations, and requests of authorised government institutions.
        • Personal data that is processed. In the context of our SaT service provision we mainly process information about buyers, sellers and actual or potential targets (party or business that the client could possibly invest or divest in and related service provision). For example, personal data in relation to general salary administration, employment contracts, pension schemes, insurance claims, client lists, consumer contracts and company registers. Examples of categories of personal data that EY processes in connection with the SaT service provision are:
          • Name, gender and title and age / date of birth;
          • Contact details (for example address, telephone number, e-mail address, website, work and/or private);
          • Marital status and family composition;
          • Business details (organisation, function, names of business relations);
          • HR statistics (leave days etc);
          • Financial details (card number, IBAN/bank account number, amount, salary data);
          • Administration number;
          • Communication data.

        Sensitive information:
        In the context of our SaT service provision to clients we do not, in principle, intentionally process sensitive information, other than financial details such as salary data and policy data with regard to pensions, insofar as this is necessary for the execution of our services. However, this could differ depending on the type of project it concerns; for example, projects in the health care sector. Special categories of personal data could also be processed within EY Parthenon in relation to primary research. In such cases it shall be safeguarded that this processing also takes place in accordance with the privacy rules.

        • Legal grounds for processing. We base the use of personal data for our SaT service provision on one of the following legal grounds:
          • Execution of the agreement. Insofar as the processing of personal data is required for the execution of an agreement that the relevant person is a party to, we base the processing on these grounds. This is for example applicable to the processing of personal data of an individual who directly signed a contract with us.
          • Legitimate interests. Our legitimate interest in the execution of our service provision and striving for the above-mentioned purposes. With the SaT service provision, the client's interests in the strategic control of capital and transactions is also a relevant factor.
          • Consent. Incidentally, we base the processing of personal data on the (explicit) consent of the relevant person. If this is the case, you will be separately informed about this.
          • Legal obligation. Sometimes we do not process personal data on our own initiative, but to comply with a legal obligation to which we are subject. This is for instance when we keep personal data for a longer period of time to comply with a legal retention obligation.  

         

    • 2.5 Business relations

      • 2.5.1. Service providers engaged by EY
        In order to supply our services and to keep our organisation operational, we deploy the services of various types of service providers. For example, IT service providers in relation to our websites and software tools (EY uses Microsoft as a supplier to a large extent) and a facility service provider in in relation to  the organisation of facilities within our office buildings.
        • The persons involved. When engaging service providers, we process information about the following categories of persons:
          • Candidate service provider: (contact persons of) a service provider that EY will possibly engage;
          • Service provider: (contact persons of) a service provider engaged by EY;
          • Former service provider: (contact persons of) a service provider engaged by EY in the past;
          • Persons involved with the execution of the services: other persons who may be involved with the service provision offered by a service provider, for example sub contractors;
          • Persons who are the subject of a service provision: other persons whose personal data EY processes as described in this Privacy Statement, in which the service provider is involved.
        • The purpose of the processing. When engaging service providers, we process personal data for the following purposes:
          • Approaching potential service providers;
          • Maintaining contact with (potential / former) service providers;
          • Receiving services from (potential / former) service providers;
          • Administrative purposes, including financial;
          • Marketing and business development;
          • Investigation, analysis and statistics;
          • Internal control and business operations;
          • Handling any requests, complaints and disputes;
          • Determining, exercising or defending our rights;
          • Complying with legal obligations and professional regulations, and requests of authorised government institutions.
        • Personal data that is processed. When engaging service providers, we process personal data such as:
          • Name, gender, title and age / date of birth;
          • Nationality and place of birth;
          • Contact details (e.g. address, telephone number, e-mail address, website, work and/or private);
          • Business details (organisation, function, names of business relations);
          • Financial details (card number, IBAN, bank account number, amounts);
          • Administration number;
          • Communication data.

        Sensitive information:
        We do not intentionally collect sensitive personal data about you.

        • Legal grounds for processing. We base the use of your personal data when engaging service providers on one of the following legal grounds:
          • Execution of the agreement. Insofar as the processing of personal data is required for the execution of an agreement that the relevant person is a party to, we base the processing on these grounds. This is for example applicable to the processing of personal data of an individual who directly signed the service agreement with us.
          • Legitimate interests. Our legitimate interest of receiving a service and in striving for the abovementioned purposes.
          • Consent. Incidentally, we base the processing of personal data on the (explicit) consent of the relevant person. This is for example applicable to service providers who indicated that they want to receive one of our newsletters.
          • Legal obligation. Sometimes we do not process personal data on our own initiative, but to comply with a legal obligation to which we are subject. This is for instance when we keep personal data for a longer period of time to comply with a legal retention obligation. 

         

      • 2.5.2. Other commercial contact persons
        Besides the personal data that we process in relation to providing and receiving services, we also process the personal data of other commercial contact persons ("Other commercial contact"). An example of this are visitors to an event that we organised and parties who we collaborate with or had contact with, without them having provided any services to us or vice versa.
        • The persons involved. In relation to "other commercial contact", we process information about the following categories of persons:
          • (Contact persons of) parties who we collaborate with or who we are in contact with without us providing them any services or them providing any services to us;
          • (Contact persons of) parties with whom we have any other commercial contact.
        • The purpose of the processing. In the context of "other commercial contact", we process personal data for the following purposes:
          • Approaching and maintaining contact (relationship management);
          • Marketing and business development;
          • Investigation, analysis and statistics;
          • Internal control and business operations;
          • Handling any requests, complaints and disputes;
          • Determining, exercising or defending our rights;
          • Complying with legal obligations and professional regulations, and requests of authorised government institutions.
        • Personal data that is processed. In relation to "other commercial contact", we process personal data such as:
          • Name, gender, title and age / date of birth;
          • Nationality;
          • Contact details (e.g. address, telephone number, e-mail address, website; both work and/or private);
          • Business details (organisation, function, names of business relations);
          • Marketing preferences;
          • Communication data.

        Sensitive information:
        We do not intentionally collect sensitive personal data about you.

        • Legal grounds for processing. We base the use of your personal data in relation to "other commercial contact" on one of the following legal grounds:
          • Legitimate interests. Our legitimate interest in making and maintaining contact with our commercial contact persons, and in striving for the aforementioned purposes.
          • Consent. Incidentally, we base the processing of personal data on the (explicit) consent of the relevant person. This is for example applicable when keeping a record of a person's preferences with regard to our mailings, such as our newsletters.
          • Legal obligation. Sometimes we do not process personal data on our own initiative, but to comply with a legal obligation to which we are subject. This is for instance when we keep personal data for a longer period of time to comply with a legal retention obligation. 

        More detailed information on the processing of personal data in the context of direct marketing and events can be found here.

    • 2.6 Job applicant

      When individuals apply for a job within EY, we process their personal data in the following ways.

      • The persons involved. From job applicants we process personal data for our recruitment activities.
      • The purpose of the processing. We process personal data of job applicants for the following purposes:
        • Organizing recruitment events;
        • Processing, evaluating and managing job applications;
        • Maintaining contact with job applicants;
        • Scheduling and conducting (online) interviews;
        • Making a job offer;
        • Conducting a pre-employment screening.
      • Personal data that is processed. We process personal data of job applicants such as:
        • Name, contact details;
        • CV (resume), work experience, skills and education;
        • Information obtained from job interviews and assessments;
        • Login credentials (username and password) for the application system;
        • Data provided by the applicant on a voluntary basis. 

      Sensitive information:
      During the application process it may be necessary to process sensitive personal data, such as salary data and results of a pre-employment screening.

      • Legal grounds for processing. We base the use of personal data in relation to recruitment and selection on one of the following legal grounds:
        • Legitimate interests. Our legitimate interest to attract new talent, to process and manage applications for jobs at EY, including screening and selecting candidates and hiring successful candidates by making an offer and conducting a pre-employment screening.
        • Legal obligation. Sometimes we do not process personal data on our own initiative, but to comply with a legal obligation to which we are subject. This is for instance when we keep personal data for a longer period of time to comply with a legal retention obligation.

      • Retention period
        • If the job applicant is hired, the relevant personal data will be included in the personnel administration.
        • If the job applicant is not hired, we will retain the personal data for a maximum of 4 weeks after completing the application procedure, unless the applicant has given consent to maintain the personal data for a maximum of 1 year;
        • If the job applicant chooses to be included in the talent pool and creates a profile in Yello or SuccesFactors, the personal data will be kept for a maximum period of 1 year, which starts after a period of inactivity.
           

    • 2.7 Alumni

      In case a person has performed work for us (whether or not based on an employment contract), we process their data in the following way.

      • The persons involved. In the context of the processing of personal data of "alumni", we process personal data about the following categories of persons, hereinafter jointly referred to as "alumni":
        • Former EY employees:
          • Former partners at EY;
          • Former employees at EY;
          • Former employees who perform their activities for EY as independent contractors (ZZP’ers);
          • Former employees who work for EY via an outsourcing or placement office;
          • Former interns, working students and volunteers.
        • Data about (former) family members of former EY employees.
      • The purpose of the processing. We process personal data of alumni for the following purposes:
        • Determining, settling and paying financial liabilities;
        • Maintaining contact on an individual level;
        • Maintaining contact on a general level, for example through newsletters for alumni;
        • Organising events and other activities for alumni;
        • Marketing and business development;
        • Investigation, analysis and statistics;
        • Internal control and business operations;
        • Handling any requests, complaints and disputes;
        • Determining, exercising or defending our rights;
        • Complying with legal obligations and professional regulations, and requests of authorised government institutions.
      • Personal data that is processed. We process personal data of alumni such as:
        • Name, gender, title and age / date of birth;
        • Nationality;
        • Contact details (e.g. address, telephone number, e-mail address, website, work and/or private);
        • Business details (organisation, function, names of business relations);
        • Data required with regard to pension and/or other benefits that an alumni is entitled to;
        • Data about general communication (for example newsletters) that alumni wish to receive;
        • Information about events and other activities that alumni wish to participate in;
        • Communication data in case contact is maintained with an alumni.

      Sensitive information:
      We limit the processing of sensitive personal data about alumni as much as possible and only to the extent that we can base this on an applicable legal exception.

      • Legal grounds for processing. We base the use of personal data in relation to alumni on one of the following legal grounds:
        • Legitimate interests. Our legitimate interest with the processing of personal data about alumni as specified in the above mentioned purposes.
        • Legal obligation. Sometimes we do not process personal data on our own initiative, but to comply with a legal obligation to which we are subject. This is for instance when we keep personal data for a longer period of time to comply with a legal retention obligation.
        • Consent. Incidentally, we process personal data about alumni based on their consent. For instance, when alumni register for certain events or communications, the processing of their personal data is based on consent. 

       

  • 3. How do we obtain your personal data?

    • 3.1 Manner of obtainment

      We obtain your personal data in various ways:

      • Provided by you. Some personal data we receive straight from you. Examples include information in your messages to us and information you enter in a web contact form or online portal.
      • Obtained internally. It is possible that we obtain your personal data from other EY systems. An example for clients is the data which is included into our CRM system.
      • Obtained from third parties. We could also obtain personal data about you from other persons or external parties. Examples include your colleagues or other parties who are involved with our mutual relationship, public registers of company directors and participating interests, credit information companies and public media coverage.
      • Automatically obtained. Some personal data we obtain automatically, for example by using cookies and similar techniques. For more information about cookies and similar techniques, go to the EY Cookie policy.
      • Derived. Certain personal data we do not receive directly, but can be derived from the information already in our possession. For example, information about your preferences and interests.

       

    • 3.2 Compulsory provision of personal data

      In principle you are under no obligation to provide any information about yourself to us. However, refusal to supply certain information could have a negative influence on, for example, our service provision to you or the functionality of the services that you use from us. We may, for instance, require your signature to conclude an agreement and certain parts of our websites may function less in case cookies are blocked.

      If the provision of certain personal data is a legal or contractual obligation or an essential requirement for concluding an agreement with us, we will separately provide additional information about this for as far as this is not clear in advance. In this case we will  also inform you about the possible consequences if this information is not provided.

  • 4. Who do we share your personal data with?

    • 4.1 Conditions for sharing your personal data

      Third parties are not allowed to use personal data concerning you, which we share with them, for their own direct marketing purposes. Moreover, we only share your personal data with third parties if:

      • This is necessary for the provision of a service or the involvement of the third party. Sub-contractors will, for example, in principle only get access to the personal data that they require for their part of the service provision.
      • The persons within the third party that have access to the personal data are under an obligation to treat the personal data confidentially. Where necessary this is also contractually agreed on.
      • The third party is obliged to comply with the applicable regulations for the protection of personal data, for instance because we have concluded an agreement with this party or because our General Conditions apply. This includes that the party is obliged to ensure appropriate technical and organisational security measures, and that any transfer of personal data to countries outside the European Economic Area is adequately legitimized. 

       

    • 4.2 Parties with whom we share your personal data

      We could share your personal data on a need-to-know basis with the parties mentioned below. In this context, "need-to-know" means that a party only gets access to personal data if and insofar as this is required for the professional services provided by this party.

      • Authorised persons, employed by the relevant EY entity, who are involved with the processing activity concerned. Such as, the members of the team you are in contact with.
      • Authorised persons, employed by affiliated entities within the EY-network, who are involved with the processing activity concerned. Such as, helpdesk workers.
      • Authorised persons, employed by service providers / sub-contractors engaged by EY, who are involved with the processing activity concerned. Such as, service providers for identity checks.
      • Authorised persons, employed by a party who is also involved with the processing of your personal data. Such as, insurers and professional advisors, such as lawyers, tax advisors or accountants.
      • Authorised government institutions. Such as, courts, police, law enforcement agencies, tax-, customs- and excise duty offices, and audit regulators.

       

  • 5. How do we secure your personal data?

    • 5.1 Security measures

      Protecting your privacy and personal data is very important to us. Therefore, EY has implemented appropriate technical and organisational measures to protect and secure personal data, in order to prevent violations of the confidentiality, integrity and availability of data. All EY employees and other persons engaged by EY for the processing of personal data are obliged to respect the confidentiality of personal data.

    • 5.2 Policy

      EY has internal policies and procedures that describe how we safeguard an appropriate level of technical and organisational security. In addition, a data breach procedure is applicable within EY, in which is explained how to deal with (potential) data breaches. We will, for example, inform the competent supervisory authority and involved data subjects when this is required based on the applicable law.

      More information about how we protect your personal data can be found in the brochure "Protecting your data" (English), see this link.

  • 6. To which countries will we transfer your personal data?

    • 6.1 Transfer

      Parties involved with the processing of your personal data may be situated in a different country. These could be external parties or other entities within the EY network. In case these parties are situated outside the European Economic Area (EEA), the transfer is legitimized in the manner described below.

      See this link for an overview of the EEA countries.

    • 6.2 Transfers outside the EEA, but within the EY network

      We have taken various appropriate technical and organisational measures to ensure the security and integrity of data transferred within the EY network. As such EY has, above all, implemented Binding Corporate Rules; "BCRs" based on which the global transfer of personal data from the EEA within the EY network is legitimized, in accordance with the European Privacy law. Based on the BCRs, the same requirements are applicable with regard to data protection for all entities within the EY network. You can consult the BCRs via this link.

    • 6.3 Transfers outside the EEA and outside the EY network

      The transfer of your personal data to a third party outside the EEA can in the first place be legitimized based on an adequacy decision of the European Committee, in which it is decided that the (part within the) third country in question ensures an adequate level of data protection. See this link for a summary of the applicable adequacy decisions.

      If your personal data is transferred to a country outside the EEA for which there is no adequacy decision, we agree on the applicability of a framework agreement (Standard Contractual Clauses) with the relevant party. This is a standard contract to safeguard the protection of your personal data, which is approved by the European Committee, in which the parties fill out the appendices. See this link for the various framework agreements.

      You can contact us if you want additional information about the way in which we legitimize the transfer of your personal data to countries outside the EEA. Our contact details are stated at the bottom of this Privacy Statement.

  • 7. How do we determine how long we retain your personal data?

    • 7.1 General rule

      In general we do not keep your personal data for longer than what is necessary in relation to the purposes for which we process the personal data. There could however be exceptions applicable to the general retention periods.

    • 7.2 Exception: other retention period

      If you exercise certain privacy rights it is possible that EY will remove your personal data earlier than what is usual based on the retention policy, or retain it for a longer period of time. For more information about this, please refer to the header "What are your privacy rights?"

    • 7.3 Exception: longer retention period

      In certain situations we process your personal data for a longer period of time than what is necessary for the purpose of the processing. This is for instance the case when we have to process your personal data for a longer period of time:

      • Retention obligation. To comply with a minimum retention period or other legal obligation to which we are subject based on EU law or the law of a EU member state;
      • Procedure. Your personal data is necessary in relation to a legal procedure; or
      • Freedom of expression. When further processing of your personal data is necessary in order to exercise the right to freedom of expression and information.

       

    • 7.4 EY retention policy

      In order to safeguard that your personal data is removed within a reasonable term, EY has a retention policy.

  • 8. What are your privacy rights?

    Based on the General Data Protection Regulation ("GDPR"; (EU) 2016/679) you have various privacy rights. To what extent you can exercise these rights could depend on the circumstances of the processing, such as the manner in which EY processes the personal data and the legal basis for the processing. If a specific Privacy Statement is applicable, this could be specified there in more detail. In other cases we will inform you about this separately, for instance when you contact us about this or in response to a request to exercise a privacy right.

    Below we included a summary of your privacy rights under GDPR. For more information about this go to this webpage of the Autoriteit Persoonsgegevens, the supervisory authority in the Netherlands (information only available in Dutch).

    • 8.1 A description of your privacy rights

      • 8.1.1 Right to withdraw the consent

        In case EY asked your (explicit) consent and received it for a certain processing activity of your personal data, you can withdraw the consent at any moment in time. The withdrawal of your consent does not influence the legitimacy of the processing before you withdrew your consent. The result of the withdrawal of your consent is that EY will no longer process this personal data for the purpose that you consented to. It can however be possible that EY still processes the personal data for another purpose, such as for the execution of an agreement with you or in order to comply with a minimum retention period. In that case you will be informed about this.

      • 8.1.2 Right of access

        You have the right to obtain insight into the way in which we process your personal data. In the first place, you are entitled to a copy of the personal data, although in principle not to a copy of the documents where this personal data is included. In the second place you are entitled to further information about the way in which we process your personal data. For example, the purposes for which we process your personal data, where we got it from, and with whom we share it.

      • 8.1.3 Right to rectification

        The right to rectification means that, under conditions, you have the right that EY changes or supplements your personal data. You have this right in case we process personal data about you that:

        • is factually incorrect;
        • is incomplete or not related to the purpose it was collected for; or
        • is in any other way used in a manner that is in conflict with an applicable law.

        The right of rectification is not intended for the correction of professional opinions, findings or conclusions that you do not agree with. EY could in that case however consider adding your opinion about this to the personal data. 

      • 8.1.4 Right to erasure

        Under conditions you have the right to obtain the erasure of the personal data we process about you. You could have this right in the following cases:

        • Consent withdrawn. We processed the personal data based on your (explicit) consent, but you withdrew this consent.
        • Successful appeal. You successfully objected to the processing of this personal data by EY (see the right to object below).
        • Data no longer required. EY no longer needs your personal data for the purposes for which EY processed it.
        • Unlawful processing. EY processed your personal data unlawful, for example because EY doesn’t have (or no longer has) a valid ground to do this.
        • Compulsory erasure. EY must erase the personal data in order to comply with a legal obligation.
        • Apps and websites in case of children. The person whose data is concerned is younger than 16 years of age and the personal data was collected through an app or website ("service of the information company").

         

      • 8.1.5 Right to restriction of processing

        The right to restriction of processing means that EY will continue to store personal data at your request, but may in principle not do anything further with it. In short, you have this right when EY does not have (or no longer has) any legal grounds for the processing of your personal data or if this is open for discussion. This right is specifically applicable in the following situations:

        • Unlawful processing. EY may not (or no longer) process certain personal data, but you do not want EY to erase the data. For example, because you still want to request the data in a later stage.
        • Personal data no longer required. EY no longer needs your personal data for the purposes EY processed this, but you still require the personal data for a legal claim. For example in case of a dispute.
        • Pending an ojection. You objected against the processing of your personal data by EY (see the right to object below). Pending the verification of your objection we shall no longer process this personal data at your request.
        • Contesting the accuracy of personal data. You contest the accuracy of certain personal data that we processes about you (for example via your right to rectification; see above).  During the period in which we assess your contest we shall no longer process this personal data at your request.

         

      • 8.1.6 Right to data portability

        The right to receive data is also referred to as the right to data portability. This right means that in certain circumstances, EY must provide your personal data in a format that is useful to you ("a structured, commonly used and machine readable format"). You can indicate whether you want to personally receive this personal data or whether you prefer that EY directly transmits this personal data to another party appointed by you for this purpose. 

      • 8.1.7 Right to object

        You have the right to object to the  processing of your personal data by EY. Under conditions, EY has to apply to this objection. In this case, EY shall no longer process this personal data for the purpose that you objected against. It can however be possible that EY still processes the personal data for another purpose, such as for the execution of an agreement with you or in order to comply with a minimum retention period. If this is the case, you will be informed about this.

        Where we process your personal information for direct marketing purposes, we will always comply to an objection application. For instance, when unsubscribing to newsletters or other direct marketing communication. 

      • 8.1.8 Right with regard to automated individual decision-making

        Under conditions, data subjects shall have the right not be subject to a decision based solely on automated processing, without human interference. This may include profiling.  The data subjects have this right if an automated decision has legal effects concerning them or similarly significantly affects them. The ban is applicable, regardless whether the data subject actively exercises this right. 

      • 8.1.9 Right to complain

        You always have the right to submit a complaint with an authorised supervisory authority if you feel there has been a privacy infringement. This specifically concerns the supervisory authorities with regard to privacy in the country within the European Economic Area:

        • where you normally live;
        • where you work; or
        • where the alleged privacy infringement occurred.

        The contact details of these supervisory authorities can be found on this web page.

        The right to complain is applicable without prejudice to other options for administrative appeal or a legal remedy. With this, the supervising authority where the complaint is submitted must inform you about the progress and the result of your complaint, and about a possible legal remedy.

    • 8.2 Using your privacy rights

      You can use your privacy rights by contacting us via the contact details below. We request that you state the following information with this:

      • Your full first and last name.
      • A description of your request. Do you want us to erase personal data about you, or do you want us to keep storing the data, but also give you a copy? When describing your request you may refer to the privacy rights we described above, but this is not required. If you do not mention which privacy right you are using, we will fill this in for you.
      • A description of your request. Does it, for example, concern the use of your financial data for various purposes? Or does it concern the use of all your personal data, but only with regards to marketing purposes? The clearer the description of your request, the better we are be able to handle this request.

       

    • 8.3 After you have submitted a request

      After you have submitted a request to us in which you indicate that you want to exercise a privacy right, you will first receive a confirmation of receipt from us. Subsequently, it could be possible that we ask you for additional information, for example to verify your identity. Another possibility is that we immediately respond to your request substantively. In this case we will indicate whether we will meet your request, and if not, why not.

      We handle all privacy requests without delay and generally always within one month after receipt. However, it could be possible that we need more time, for example given the complexity and the number of requests we receive. In that case we will inform you that we need up to a maximum of two months of additional time. We will inform you about this as soon as possible and at least within a month after receipt of your request and will then substantively respond within at least three months after receipt of your request.

  • 9. Who is responsible for the processing of your personal data?

    • 9.1 Responsible EY entity

      This Privacy Statement informs about the processing of your personal data for which the entities of the EY network of Ernst & Young Global Limited (jointly referred to as "EY", "We", "Us" or "Our") situated in the Netherlands are responsible. You can find a list of the entities it concerns via this link. Which entity is (jointly/mainly) responsible for the processing of your personal data depends on the situation. Multiple EY entities are often involved, for example because one EY entity may use systems / services that were developed by another EY entity.

      The following is generally applicable:

      Category processing

      Subjects

      (Main) EY entity responsible

      EY Internal processes

      Visitors of EY offices

      EY entity related to the guest's visit

      Participants of EY activities (meetings, conferences events and training sessions, etc.)

      EY entity that organises an EY activity

      Persons whose personal data are processed in relation to our internal processes

      EY entity responsible for the processing of personal data linked to the processing for internal processes

      EY Marketing activities

      Website visitors

      EY entity who is the domain holder of the website and who controls the website

      App users

      EY entity that has developed and controls the app

      Social media users

      EY entity that controls the social media account or the website / app where the social media button is integrated

      EY Marketing activities

      Prospects, clients or (potential) participants in EY activities

      EY entity that offers or organises an EY activity

      EY service provision

      Prospects and (former) clients

      EY entity with whom a contract is/was (possibly) concluded

      Customer of the client

      EY entity with whom the client concluded an agreement

      Persons involved with the execution of the service provision

      EY entity with whom the client concluded an agreement

      Persons related to the client

      EY entity with whom the client concluded an agreement

      Other business relations

      (Candidate/former) service provider

      EY entity with whom the service provider concluded a contract or will maybe conclude a contract

      Persons involved with the execution of the service provision

      EY entity with whom the service provider concluded a contract

      Persons who are the subject of the execution of the service provision

      EY entity with whom the service provider concluded a contract

      Persons who subscribed to newsletters or other communication

      EY entity in whose name the communication is sent

      (Contact persons at) parties with whom we collaborate or with whom we are in contact without us providing them any services or them providing any services to us

      EY entity who has contact with the relevant party

      (Contact persons at) parties with whom we have other commercial contact

      EY entity who has contact with the relevant party

      Alumni

      Former EY employees and (former) family members of former EY employees

      EY entity who maintains/organised the contact with the alumni

      When submitting questions or requests, you do not need to first find out which EY entity is responsible for the processing your personal data. If you submit your request via the contact form below, we will ensure that it is sent to the correct contact person.

    • 9.2 EY as processor

      Sometimes we also process personal data in the context of our service provision on behalf of a client. In that case this client is responsible for the processing of your personal data, not us. We will however, remain responsible for the processing of your personal data in the context of our internal processes.

  • 10. How can you contact us?

    If you have questions or remarks about our processing of your personal data, you can contact our Data Protection Officer (DPO) via email at privacy.nl@nl.ey.com or by telephone via 088-4078895. The DPO is our "internal supervisor" in the field of data protection. See this web page of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) for further explanation about the role and function of the DPO (information only available in Dutch). 

  • 11. Changes

    We may change this Privacy Statement from time to time. The latest version can always be consulted via this page. Important changes will always be communicated.