1. Introduction
This Privacy Notice is intended to describe the practices EY follows in relation to the TP Benchmark (“Tool”) with respect to the privacy of all individuals whose personal data is processed and stored in the Tool.
2. Who manages the Tool?
“EY” refers to one or more of the member firms of Ernst & Young Global Limited (“EYG”), each of which is a separate legal entity and can act as a data controller in its own right. The entity that is acting as data controller by providing this Tool on which your personal data will be processed and stored is EYGM Limited an EY global entity.
The personal data you provide in the Tool is shared by EYGM Limited with one or more member firms of EYG (see “Who can access your information” section below).
The Tool is hosted on servers in the EY IT infrastructure and is hosted externally by the vendor or its third party hosting provider. The intent is to host the system in one or more Microsoft Azure data centres. The exact locations have not yet been determined, but will likely span an Americas (US) site, a Europe site and an Asia Pacific site.
3. Why do we need your information?
The Tool enables EY employees to filter databases when conducting a transfer pricing analysis. A transfer pricing analysis is used to compare similar prices for similar industries from publicly available databases. After the filtering, EY employees prepare benchmark studies.
Your personal data processed in the Tool is used as follows:
- EY employees insert their personal data to grant them access to the system and they are then able to use certain capabilities available in the Tool (e.g. notifications, review, approval workflow, etc.).
EY relies on the following basis to legitimize the processing of your personal data in the Tool:
- Processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. The specific legitimate interests are to conduct client engagements and comply with regulatory and legal obligations.
The provision of your personal data to EY is optional. However, if you do not provide all or part of your personal data, we may be unable to carry out the purposes for processing.
4. What type of personal data is processed in the Tool?
The Tool processes these personal data categories:
- EY employee's login credentials (Active Directory);
- EY employee's email address;
- EY employee's first name;
- EY employee's last name;
- EY employee's job title
- EY employee's rank
- EY employee's location data IP address and ID based on region
This data is sourced from a feed from other EY systems (GHRDB and GHRS). The Tool will use the EY Active Directory (EYAD) to get login details of EY employees.
5. Sensitive Personal Data
Sensitive personal data reveals your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning sex life or sexual orientation.
EY does not intentionally collect any sensitive personal data from you via the Tool. The Tool’s intention is not to process such information. Accordingly, you should not enter any unnecessary personal information or any sensitive personal data (including government identifiers such as tax file numbers or social security numbers/national identification numbers), client confidential information (except client entity names), audit secrets, state secrets, trade secrets, or anything that would violate professional secrecy or confidentiality rules or that would be considered abusive/irrelevant in the Tool.
6. Who can access your information?
Your personal data is accessed in the Tool by the following persons/teams:
Only EY personnel will have access to the Tool, specifically:
- EY International Tax Services (ITS) professionals;
- Tool development / support staff
They will have access to read the data sourced from 3rd party vendor databases and view the aforementioned personal data of EY employees (name, email address, job title, rank, location).
Access rights are determined on a hierarchical basis as shown in the following table:
| User Role | Description | Located |
|---|---|---|
| Study Analyst | Initiate project set up, perform search/review comparable data, add filters, update filters, select database, update database, export data, import data, create reports, leverage existing search. | Globally |
| Study Admin | Access to the entire system, add/remove users to/from studies (does not have to be assigned to study), Lock/unlock a study. | Globally |
| Viewer | View access only | Globally |
| System Admin | Unrestricted access to the tool and all the studies. (system logs, security, etc.) | Globally |
The access rights detailed above involves transferring personal data in various jurisdictions (including jurisdictions outside the European Union) in which EY operates (EY office locations are listed at www.ey.com/ourlocations ). EY will process your personal data in the Tool in accordance with applicable law and professional regulations in your jurisdiction. Transfers of personal data within the EY network are governed by EY's Binding Corporate Rules (www.ey.com/bcr).
7. Data retention
The policies and/or procedures for the retention of personal data in the Tool are:
- personal data will be retained and disposed is in accordance with EY Records Retention Global Policy;
- personal data will only be retained in line with EY's business need;
- personal data is deleted by an automatic process; and
- personal data will be retained in a separate archive system before it is permanently deleted.
Your personal data will be retained in compliance with privacy laws and regulations.
After the end of the data retention period, your personal data will be deleted.
8. Security
EY is committed to making sure your personal data is secure. To prevent unauthorized access or disclosure, EY has technical and organizational measures to safeguard and secure your personal data. All EY personnel and third parties EY engages to process your personal data are obliged to respect your data's confidentiality.
9. Controlling your personal data
EY will not transfer your personal data to third parties (other than any external parties referred to in section 6 above) unless we have your permission or are required by law to do so.
You are legally entitled to request details of EY's personal data about you.
To confirm whether your personal data is processed in the Tool or to access your personal data in the Tool, contact your usual EY representative or email your request to global.data.protection@ey.com.
10. Rectification, erasure, restriction of processing or data portability
You can confirm your personal data is accurate and current. You can request rectification, erasure, restriction of processing or a readily portable copy of your personal data by contacting your usual EY representative or by sending an e-mail to global.data.protection@ey.com
11. Complaints
If you are concerned about an alleged breach of privacy law or any other regulation, contact EY's Global Privacy Officer, Office of the General Counsel, 6 More London Place, London, SE1 2DA, United Kingdom or via email at global.data.protection@ey.com or via your usual EY representative. An EY Privacy Officer will investigate your complaint and provide information about how it will be handled and resolved.
If you are not satisfied with how EY resolved your complaint, you have the right to complain to your country's data protection authority. You can also refer the matter to a court of competent jurisdiction.
12. Contact us
If you have additional questions or concerns, contact your usual EY representative or email global.data.protection@ey.com.