Terms of Business and Privacy statement

Privacy Statement PwC Norway

Proper treatment of business related information and personal data is most important to PwC. Our internal routines for processing of personal data have been established to enable compliance with relevant legislation. The Norwegian PwC firms are part of the PwC network, a global network of legally independent companies. Through the PwC network we are also committed to the internal standards of the network for processing of business information and personal data. We only permit processing of personal data in cases where there is a legitimate purpose and a legal basis for the processing.

In PwC we have long experience in processing personal data for clients who make stringent demands to internal control related to business information and personal data.

PwC’s processing of personal data related to our clients

PwC processes two types of personal data related to our clients.

Firstly, PwC processes contact information for all our clients. This is information related to name, address, telephone number, e-mail address and position with the client. PwC is acting as controller for this information. We record the information in our client register. Usually the information is provided by the client, but may also be provided by external sources. The information is used to perform risk and independent controls, for managing the engagement and for marketing and improvement of our services.

Secondly, PwC processes personal data in connection with the accomplishment of our engagements, e.g. in cases where part of the engagement involves processing of personal data. What kind of personal data that is processed depends on the engagement. Normally these personal data will be received from our client, but may also be provided by external sources, such as public portals, if we have permission to use these sources. PwC can act as both controller and processor for this information, this has to be decided based on an assessment of the individual engagement. For audit and legal engagements PwC will normally act as a controller. PwC will normally act as processor for advisory and accounting engagements.

The purpose of processing personal data in connection with the accomplishment of our engagements will normally be that PwC shall be able to conduct the assignment in accordance with the agreement entered into with the client, or in accordance with legal requirements.

If PwC makes use of sub-suppliers for an engagement, to whom personal data is transferred, this will appear in the engagement letter. In addition to any sub-suppliers for engagements, PwC also uses suppliers of IT services and IT infrastructure, as supporting service to all our work. PwC enters into data processing agreements with all suppliers and sub-contractors who deliver services where personal data are processed.

PwC’s work with information security

The handling of information security is a prioritized task for PwC, and we work continuously to protect information about our clients, collaborators and employees. Therefore we practice very strict routines related to information security. The PwC management of each country has the superior responsibility for the information security. This responsibility is, among other things, ensured by approving governing documents and supporting guidelines. The documents and guidelines are based on superior requirements in accordance with international and generally accepted standards, among others ISO/IEC 27002:2007. PwC has prepared an “Information Security Policy - ISP” that all PwC-firms have to act in accordance with.

Our Norwegian IT-department relies on the PwC international framework (which in turn is rooted in international standards) for information security, and the department is periodically reviewed by international expert teams in the PwC network. All PCs in PwC are set up according to demands defined by our global IT-management. Among others this involves that all PCs have a strong encryption protection and mechanisms have been implemented that makes the use of non standardized auxiliary equipment impossible. Encryption protection on approved auxiliary equipment has also been implemented. Wireless networks are subject to particularly high protection.

All employees annually sign a data discipline declaration, and violation of the rules may have consequences for the employment. Further on, we carry out regular training of our employees  in information security.