Privacy statement

When you engage us to provide you with professional services, we collect and use personal data when we have a valid business reason to do so in connection with those services. For an overview of our services, click here .

In the context of providing professional services to clients, EY also processes personal data of individuals who are not directly our clients (for example, employees, customers or suppliers of our clients). See the section “Individuals whose personal data we obtain in connection with providing services to our clients ” for additional information.

The majority of the personal data we collect and use to provide our services is supplied voluntarily by (or collected by us from third-party sources at the request of) our clients. Because of this, if you are a client of EY, then it will generally be obvious to you what personal data we collect and use. This information can include:

• Basic information, such as your name, the company you work for, your position and your relationship to a person
• Contact information, such as your postal address, email address and telephone numbers
• Financial information, such as payment-related information
• Any other personal data relating to you or other third parties which you provide to us for the purpose of receiving our services

We use this information:
 

• To provide services to you
• To administer our relationship and maintain contractual relations
• For accounting and tax purposes 
• For marketing and business development
• To comply with our legal and regulatory obligations
• To establish, exercise or defend legal rights
• For historical and statistical purposes

Given the diversity of the services we provide, we process many categories of personal data. Please see below (non-exhaustive) examples of personal data categories for our four main service lines:

In addition, we also process identification and background information as part of our client acceptance, finance, administration and marketing processes, including audit independence, anti-money laundering, conflicts, reputational and financial checks, and to fulfill any other legal or regulatory requirements to which we are subject.

The checks could include the following:

• Identity verification: proof of name and address
• Ultimate beneficial ownership of corporate and other legal entities
• Conflicts checks: to avoid a conflict of interest with any other client
• Anti-money laundering, proceeds of crime and terrorist financing checks
• Politically exposed persons (PEP) checks: those with prominent roles in government, judiciary, courts, central banks, embassies, armed forces and state-owned enterprises, including their family members and close associates
• Adverse media checks
• Government sanctions list checks
• Independence checks

These checks are made for legal, regulatory or business reasons and need to be repeated during the course of our engagement. As part of these checks, we are required to process special category data (for example, to verify if you are a politically exposed person or to collect information about criminal convictions where this is required for anti-money laundering laws). It is important you provide us with all necessary information and documents as this affects our ability to provide services to you.

Legal grounds for processing personal data of our clients are:

Performance of a contract

• Compliance with a legal or regulatory obligation
• Our legitimate interest in providing you with seamless, consistent, high-quality services and securing prompt payment of any fees, costs and debts in respect of our services
• Our legitimate interest in understanding any conflict of interest or challenge with regard to independence legislation
• Our legitimate interest in safeguarding EY against inadvertently dealing with the proceeds of criminal activities or assisting in any other unlawful or fraudulent activities (for example, terrorism)

As part of the professional services EY provides to clients, EY processes personal data of individuals with whom we do not have a direct (contractual or other) relationship. For example, if we perform a statutory audit, our engagement team will be required to audit our client’s books, which could include payroll data for employees of the client, supplier data, financial administration, data regarding claimants and legal proceedings. To take another example: if we undertake a due diligence review of an acquisition of a target on behalf of a client, EY obtains personal data concerning the target’s employees, management and customers.

We seek confirmation from our clients that they have the authority to provide personal data to us in connection with the performance of the services and that any personal data they provide to us has been processed in accordance with applicable law.

Given the diversity of services we provide, we process many categories of personal data such as:

• Personal details (such as name, age, data of birth, gender, marital status and country)
  
• Contact details (such as phone numbers, email address and postal address)
• Financial details (such as salary, payroll, income, investments, benefits and tax status)
• Employment details (such as role, rank, experience, performance data and employment numbers)

For certain services, we also process special category data. For example, in certain countries performing tax return services involves the processing of details of payments made by our client, his or her spouse and dependents with respect to a trade union membership, to a political party, for medical treatments or to a religious charity. Such data is collected intentionally and will be used only where necessary in connection with the provision of the service for which the data was collected, such as determining the correct taxation of our client’s income and for claiming the correct tax deduction with respect to such payments.

Legal grounds for processing personal data of individuals whose personal data we obtain in connection with providing services to our clients are:

• Compliance with a legal or regulatory obligation
  
• Our legitimate interest in making sure our clients are provided with seamless, consistent and high-quality services worldwide

Once a company undergoes an insolvency, one or more EY insolvency practitioners (i.e., administrators and liquidators) could be appointed to manage the company’s affairs, business and property. Similarly, when a debtor is subject to insolvency or a restructuring regime, one or more EY insolvency practitioners could be appointed to manage the debtor’s affairs, business and property.

In this section:

• Office holder refers to the EY insolvency practitioners.
  
• Company refers to the insolvent entity for which the office holders have been appointed.
• Debtor refers to the individual who is subject to an insolvency or restructuring regime.
• “You” refers to the data subjects concerned by the insolvency procedure of the company or debtor.

In providing insolvency services, EY processes your personal data for the legitimate interests of assisting the office holders in the performance of their legal and regulatory obligations with regard to the insolvency procedures. For clarity purposes, the company or debtor remains data controller of your personal data processed for purposes that are not related to the legal and regulatory obligations of the office holders.

Most of the personal data we process is obtained from you directly, but we also indirectly obtain personal data about you.

The office holders and EY process your personal data for the following (non- exhaustive) purposes:

• Communicating with the company or debtor’s creditors and individual creditors: specific information essential in order to carry out statutory duties (this information is to be used to assess, for example, an entitlement to any dividend should one be payable)
  
• Provision of references or reports to government departments, regulatory authorities and appropriate bodies in connection with the holding of public office or responding to requests
• Provision of statutory returns
• Case administration purposes, including the realization of assets, agreement of claims and payment of distributions
• Processing for personal purposes of employees in accordance with the law and the company’s own policies
• Administration of payroll, raising invoices, credit control and other data relating to the company’s finances
• The reasonable and lawful provision of information to interested parties
• The prevention and detection of crime or fraud
• Establishing, exercising or defending legal rights, taking legal advice, taking or defending legal proceedings
• Complying with legal obligations to which the company or debtor is subject
• Quality and risk management purposes

The types of personal data processed for the above purposes include (but are not limited to) name, address, identifying information, payroll information, as well as any information with your dealings with the company or debtor that are necessary for the performance of the office holders’ statutory obligations during the insolvency procedure.

You have certain rights in relation to your personal data. If you have a query or wish to exercise your rights, please make a written request to the party responsible for your personal data (the company, debtor or the office holder) using the contact details provided in communications about the insolvency.

We process personal data about contacts (former, existing and potential clients and individuals employed by, or associated with, such clients and other business contacts, such as alumni, consultants, regulators and journalists) in our CRM systems. These CRM systems support the marketing operations of EY. Contacts in our CRM systems will be sent EY Thought Leadership materials, newsletters, marketing materials, learning opportunities, surveys and invitations to events.

In our CRM systems, we process the following categories of personal data:

• Name, job title, address, email address, phone and fax numbers
• Name of employer or organization the individual is associated with
• Marketing and user preferences including whether the individual has opted in to marketing communications
• Invitation responses, reading activity and event attendance confirmations via the use of cookies and similar technologies to tailor our communications

We do not intentionally collect sensitive category data, unless you provide us with such data (for example, special dietary requirements which reveal your religious affiliation or any food allergies), if you attend one of our events.

Data of business contacts in our marketing databases who have not been actively engaged with EY will be periodically deleted in accordance with applicable regulatory requirements. If you have opted out of receiving future EY publications, your basic contact details may remain on our opt-out list.

Legal grounds for processing personal data of business contacts are:

• Explicit consent of the business contact
• Our legitimate interest in managing the relationship with our business contacts and providing information about EY, our services and events we organize

We process personal data about participants in EY meetings, conferences, events and learning sessions (events). We use various applications to manage event registration processes, which applications will contain their own privacy notices explaining why and how personal data is collected and processed by these applications. We encourage participants to refer to the privacy notices available on those applications.

As part of our event management processes, we process the following personal data (but only to the extent required for a specific event):

• Name, age or date of birth
• Client personnel information (home, office and business information)
• Credit or debit card number
• Customer information (home, office and business information)
• Email address
• Gender
• Home or other physical address
• Names of employers (EY or company)
• Occupation (job title)
• Passport number
• Personal web URL (if you have a personal website that you would like to share)
• Telephone or fax numbers
• Event-related data such as: Dietary restrictions or special requirements, registration status, participant status/type, media interview attendance, previous event experience, arrival time/departure time, hotel check-in/check-out time, flight information (airline, arrival and departure dates)

We do not intentionally collect sensitive category data, unless you provide us with such data (for example, special dietary requirements which reveal your religious affiliation or any food allergies or other data relating to your health necessary to provide support to participants, if needed, for example, if a wheelchair will be required).

Attendees of EY events hosted at external venues are required to bring a photo ID for identification purposes to safeguard our people, assets and information, and to prevent unauthorized people gaining access to off-site EY events.

EY is allowed to take photographs and make audio or video recordings in public areas of the EY events. We use such media in our marketing materials. Images and voices of attendees will be recorded. Recordings will be edited, copied, exhibited, published or distributed.

Legal grounds for processing personal data of participants are:

• Explicit consent of the participant
• Our legitimate interest in organizing events and managing the registration process for such events.
• Our legitimate interest in protecting our people, assets and information, and to prevent unauthorized people gaining access to off-site EY events.
• Our legitimate interest in providing information about EY, our services and events we organize

We provide external users access to various applications managed by us (such as the EY Client Portal and the My EY platform). In instances where such applications process personal data that goes beyond basic contact information used for application authentication purposes, such applications will contain their own privacy notices explaining why and how personal data is collected and processed by those applications. We encourage individuals using our applications to refer to the privacy notices available on those applications.

EY uses a variety of tools to maintain the security of our IT infrastructure, including our email facilities. Examples of such tools are:

• Systems that scan incoming emails to EY recipients for suspicious attachments and URLs, in order to prevent malware attacks
• Tools that provide end-point threat detection to detect malicious attacks
• Tools that block certain content or websites

If you correspond via email with an EY recipient, your emails will be scanned by the tools EY operates to maintain the security of its IT infrastructure, which could result in content being read by authorized EY persons other than the intended recipient.

Legal grounds for processing personal data of individuals who correspond with EY via email:

• Our legitimate interest in protecting our IT infrastructure against unauthorized access or data leakage
• Our legitimate interest in analyzing email traffic

EY’s phone service is hosted internally at EY. When you call EY personnel, only your phone number will be stored on EY servers and will be delivered to the recipient of your call on their handset and via an email. No other personally identifiable information is collected but technical logs and reports may be stored for trouble shooting purposes.

EY’s voicemail service is provided by Microsoft. When you call EY personnel and leave a voicemail, this voicemail and any personal data contained within it will be stored on global Microsoft Azure servers and will be delivered to the recipient of your call as an MP3 voice clip in an email. Microsoft will not keep call logs in relation to your calls to EY personnel.

Legal grounds for processing personal data of individuals who correspond with EY via phone and voicemail services:

• Our legitimate interest in maintaining communication networks

We collect information from and about candidates in connection with available employment opportunities at EY. The information that we collect, the manner in which it is used, and the timing in which it is gathered varies depending on the country in which you apply. As general matter, the data we collect regarding our job applicants includes resumes or CVs, identification documents, academic records, work history, employment information and references.

We use your personal data to match your skills, experience and education with specific roles offered by EY. This information is passed to the relevant hiring managers and persons involved in the recruitment process to decide whether to invite you for an interview. EY will collect further information if you are invited to the interview (or equivalent) stage and onward. Such information includes interview notes, assessment results, feedback and offer details.

In connection with our recruitment activities including applications and onboarding, we also collect special category data from candidates where we have an employment law obligation to do so. This information is relevant to their future working environment at EY or the future provision of employment benefits, or with the individual's explicit consent, where collecting such information is permitted by law. For example, where allowed under applicable law, we will collect information about an individual’s disabilities in order to analyze the diversity of our workforce. Once onboarded, an individual’s provision of information regarding disabilities will also be used to provide a suitable working environment. We will also need to conduct criminal background checks for certain candidates to assess their eligibility to work at EY or for EY clients. In certain countries, we will also ask candidates to provide diversity information about their race and ethnicity, and sexual orientation for diversity monitoring purposes, although the provision of this information will be entirely voluntary. However, where a candidate does not voluntarily provide such information, we could be required by law to make our own assessment of such criteria.

Our recruitment tools and websites contain their own privacy notices explaining why and how personal data is collected and processed by those applications. We encourage individuals using our recruitment tools and websites to refer to the privacy notices available on those tools and websites.

Depending on the country in which you apply, EY collects personal data about candidates (“you”) from the following sources:

• Directly from you – for example, information that you have provided when applying for a position directly through the EY careers website (for additional information about the processing of your personal data via our global recruitment management system, please read the data privacy statement available in this system)
• From recruitment agencies – for example, when a recruitment agency with your details contacts us to suggest you as a potential candidate;
• Through publicly available sources online – for example, where you have a professional profile posted online (e.g., on your current employer's website or on a professional networking site, such as LinkedIn)
• By reference – for example, through a reference from a former employee or employer, or from a referee you have identified
• Results of background screening checks

Legal grounds for processing personal data of our job applicants are:

• Explicit consent of the candidate
• Our legitimate interest in attracting, identifying and sourcing talent
• Our legitimate interest to process and manage applications for roles at EY, including the screening and selecting of candidates
• Our legitimate interest to hire and onboard candidates by making an offer to successful candidates, and carrying out pre-employment screening checks
• Our legitimate interest to manage our career websites (including conducting statistical analyses)
• Compliance with a legal or regulatory obligation (when carrying out background checks to warrant a candidate is eligible to work)

EY hopes to maintain a lifelong, mutually beneficial relationship with EY alumni (former member firm partners, employees and contractors). If we invite you to our alumni community, your name, contact details, role, last EY office, rank, service line and country will be used to create a record for you in one of our alumni databases, unless you have indicated that you are not interested in participating in the EY alumni program. You have the opportunity to create a more detailed profile and to decide how much additional information you wish to share with EY and the wider alumni community.

Our alumni databases contain their own privacy notices explaining why and how personal data is collected and processed by those applications. We encourage individuals using our alumni databases to refer to the privacy notices available on those applications.

The legal grounds for processing personal data of our alumni are:

• Explicit consent of the alumnus
• Our legitimate interest in maintaining a strong relationship with our alumni, sending publications about EY and our services, inviting alumni to events, and helping alumni keeping in touch with other alumni

We process personal data about our suppliers (including subcontractors, and individuals associated with our suppliers and contractors) in order to manage our relationship and contract, and to receive services from our suppliers.

The personal data we process is generally limited to contact information (name, name of employer, phone, email and other contact details) and financial information (payment-related information).

In addition, we also use data about our suppliers to check whether we have a conflict of interest or audit independence restriction to appointing a supplier. Before we take on a new supplier, we also carry out audit independence and other background checks required by law or regulation, for example, adverse media, bribery and corruption, and other financial crime checks.

Legal grounds for processing personal data of our suppliers are:

• Performance of a contract
• Compliance with a legal or regulatory obligation
• Our legitimate interest in managing payments, fees and charges, and to collect and recover money owed to EY
• Our legitimate interest in understanding any conflict of interest or challenge with regard to independence legislation
• Our legitimate interest in safeguarding against EY inadvertently dealing with the proceeds of criminal activities or assist in any other unlawful or fraudulent activities (for example, terrorism)

EY/Ethics provides EY people, clients and others outside of EY with a means to confidentially, and either anonymously or on a disclosed basis, report an activity that involves unethical or illegal behavior that is in violation of professional standards or otherwise inconsistent with our EY Global Code of Conduct. Reports can be made either online or via a telephone hotline.

EY/Ethics contains its own privacy notice and consent form which describes the practices EY follows in relation to EY/Ethics. We encourage individuals using EY/Ethics to refer to this EY/Ethics notice and consent form.

When you visit an EY office, we process your personal data in order to provide you with certain facilities (such as access to our buildings and conference rooms or Wi-Fi), to control access to our buildings, and to protect our offices, personnel, goods and confidential information (for example, by using CCTV).

The personal data we collect is generally limited to your name, contact information, location, and the time you enter and leave our office.

Visitor records and access badges

We require visitors to our offices to sign in at reception and we keep that record of visitors for a short period of time. Visitors to our offices are provided with a temporary access badge to access our offices. Our visitor records will be used to verify that access badges are returned, to look into a security incident and for emergency purposes (for example, if an office needs to be evacuated).

Wi-Fi

We monitor and log traffic on our Wi-Fi networks. This allows us to see limited information about a user’s network behavior, but will also include being able to see at least the source and destination addresses the user is connecting from and to.

CCTV

EY uses CCTV monitoring where permitted by law. CCTV images are securely stored and only accessible on a need-to-know basis (for example, to look into an incident). We are allowed to disclose CCTV images to law enforcement bodies. We will also share CCTV images with our insurers for purposes of processing an insurance claim as a result of an incident. CCTV recordings are typically deleted or automatically overwritten after a short period of time unless an issue is identified that requires further investigation.

Legal grounds for processing personal data of visitors to EY offices are:

• Our legitimate interest in protecting our offices, personnel, goods and confidential information
• Our legitimate interest in preventing and detecting crime, and establishing, exercising and defending legal claims