Ernst & Young LLP Data Privacy Framework statement

EY (as defined below) complies with the EU-U.S. Data Privacy Framework (EU‑U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. EY has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. EY has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program and to view our certification, please visit dataprivacyframework.gov/.

Please see the EY Privacy statement for more information on how EY conducts cross-border transfers of personal data and the measures we take to safeguard personal data in accordance with applicable legal requirements.

Ernst & Young LLP and its affiliated US entities adhere to the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF published by the U.S. Department of Commerce (Principles, EU-U.S. DPF Program). Ernst & Young LLP is subject to the authority of the Federal Trade Commission.

As they are used in this statement, the terms “EY,” “the firm,” “we,” “us” and “our” shall mean, collectively, the following US-based EY entities:

  • Ernst & Young LLP
  • Ernst & Young US LLP
  • Ernst & Young Capital Advisors, LLC
  • Ernst & Young Infrastructure Advisors, LLC
  • Ernst & Young Investment Advisers LLP
  • Ernst & Young Product Sales LLC
  • Ernst & Young Puerto Rico LLC
  • EY Government Services LLC
  • EY Turnaround Management Services LLC
  • Pangea3 US LLC

This statement outlines our general policy and practices for implementing the EU‑U.S. DPF Program (refers collectively to the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF), including the types of personal data that the firm gathers; how we use it; and the choices that affected individuals have regarding our use of, and their ability to correct, the personal data relating to them. If there is any conflict between this statement and the Principles, the Principles will govern. To learn more about the EU-U.S. DPF Program and to view the firm’s certification, please visit dataprivacyframework.gov/s/participant-search.

This statement applies to personal data that we handle. For purposes of this statement, “personal data” means information that:

  • Is transferred from the European Economic Area (EEA), Switzerland and/or the United Kingdom to the United States, in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF
  • Is about, or pertains to, a specific individual
  • Can be linked, either directly or indirectly, to that individual

Principles protecting individuals’ privacy notice and choice

  • We notify individuals about the personal data that we collect from them, how we use it and how to contact us with privacy concerns.
  • We provide such notice through this statement, our engagement letters or other similar documents, and direct communication with individuals from whom we collect personal data.
  • We collect and process personal data about EY personnel for the purpose of human resources administration and recruitment following the EU-U.S. DPF Program.
  • We collect and process personal data about our prospective and current clients, clients’ customers and/or clients’ personnel for the purpose of rendering professional services to our clients.
  • We collect personal data from individuals only as permitted by the EU‑U.S. DPF Program.
  • Consent for personal data to be collected, used and/or disclosed in certain ways (including opt-in consent for sensitive data) may be required in order for an individual to obtain or use our services. Such consent is provided through our engagement letters, employment agreements and other similar documents.

Disclosures and transfers

We do not disclose an individual’s personal data to third parties, except when one or more of the following conditions is true:

  • We have the individual’s permission to make the disclosure.
  • The disclosure is required by lawful request by public authorities, including to meet national security or law enforcement requirements.
  • The disclosure is required by law or mandatory professional standards.
  • The disclosure is reasonably related to the sale or other disposition of all or part of our business.
  • The information in question is publicly available.
  • The disclosure is reasonably necessary for the establishment of legal claims.
  • The disclosure is to another EY entity or to persons or entities providing services on our or the individual’s behalf (each a transferee), consistent with the purpose for which the information was obtained, if the transferee, with respect to the information in question:
    • Is subject to law providing an adequate level of privacy protection
    • Has agreed to provide an adequate level of privacy protection

We may transfer personal data from one jurisdiction to another. Privacy laws vary by jurisdiction, and some may provide less or different legal protection from others. However, EY will protect personal data in accordance with the EU-U.S. DPF Program regardless of the jurisdiction in which the data resides.

EY is responsible for the third-party acts within its control that result in the processing of personal data inconsistent with the EU-U.S. DPF Program.

Data, security, integrity and access

We employ various physical, electronic and managerial measures, including education and training of our personnel, that are designed to reasonably protect personal data from loss, misuse or unauthorized access, disclosure, alteration or destruction. Personal data collected or displayed through a website is protected in transit by standard encryption processes. However, we cannot guarantee the security of information on, or transmitted via, the internet.

We process personal data for only the limited and specific purpose for which it was originally collected or authorized by the individual. To the extent necessary for such purposes, we take reasonable steps so that personal data is accurate, complete, current and otherwise reliable with regard to its intended use.

An individual has the right to access personal data that EY holds about that person as specified by the EU-U.S. DPF Program. An individual may contact us by completing this form to either:

  • Correct, amend or delete information where it is inaccurate or has been processed in violation of the Principles

Or

  • Restrict or object to the processing or disclosure of personal data (in certain circumstances and subject to applicable law)

The individual will need to provide sufficient identifying information, such as name, address, and birth date. We may request additional identifying information as a security precaution, such as a national identifier (e.g., a Social Security number). In addition, we may limit or deny access to personal data where providing such access would be unreasonably burdensome or expensive in the circumstances or where the rights of persons other than the individual would be violated. In some circumstances, we may charge a reasonable fee for access to personal data.

Accountability and enforcement

We have established a program to monitor our adherence to the EU-U.S. DPF Program and to address questions and concerns regarding our adherence. This program will include a statement, at least once a year, signed by an authorized representative of EY, verifying that this statement is accurate, comprehensive for the information that is intended to be covered, prominently displayed, completely implemented and accessible. We encourage interested persons to raise any concerns with us using the contact information below.

Individuals may file a complaint with our US Privacy Office in connection with the firm’s processing of their personal data under the EU-U.S. DPF Program. With respect to any dispute relating to this statement that cannot be resolved through our internal processes:

  • In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, EY commits to cooperate and comply respectively with the advice of the panel established by EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship.
  • In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, EY commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU‑U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss‑U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit JAMS EU‑U.S. Data Privacy Framework for more information or to file a complaint. The services of JAMS are provided at no cost to you.
  • Personnel who violate our privacy policies will be subject to disciplinary process.
  • An individual may, under certain conditions, invoke binding arbitration. Please see the EU-U.S. DPF website for more information on conditions giving rise to binding arbitration.

Amendment

We may amend this statement from time to time by posting a revised statement on this website or a similar website that replaces this website. If we amend the statement, the new statement will apply to personal data previously collected only insofar as the rights of the individual affected are not reduced. So long as we adhere to the EU-U.S. DPF Program, we will not amend our statement in a manner inconsistent with the EU-U.S. DPF Program.

Information subject to other policies

We are committed to following the Principles for all personal data within the scope of the EU-U.S. DPF Program. However, certain information is subject to policies of the firm that may differ in some respects from the general policies set forth in this statement.

Certain EY websites have their own privacy policies that apply to those sites. These policies may be accessed through the websites in question.

Information relating to present or former EY personnel is subject to our policies concerning personnel data privacy, which are available to current EY personnel on the EY intranet site and to former EY personnel upon request.

Information obtained from, or relating to, clients or former clients is further subject to the terms of any privacy notice to the client, any engagement letter or other similar letters or agreements with the client, and applicable laws and professional standards.

Contact information

For further information or to file a complaint, please contact us:

US Privacy Office
Ernst & Young LLP
One Manhattan West
395 9th Avenue
New York, NY 10001