1. Introduction
Ernst & Young Business Services GmbH (“EY”) was engaged by our Client (“EY Client”) to provide Tax Advisory Services. As part of these services, EY grants EY Client access to the Tax Management Suite (“Tool”). In the context of the provision of Tax Advisory Services with the Tool, EY is acting as data processor for the EY Client, which is acting as Data Controller.
This Privacy Notice is intended to describe the practices which EY follows in relation to the Tax Management Suite (“Tool”) with respect to the privacy of all individuals whose personal data is processed and stored in the Tool. This Privacy Notice should be read together with the ey.com Privacy Statement, and in case of any conflict with the ey.com Privacy Statement, the terms of this Privacy Notice will prevail. Please read this Privacy Notice carefully.
2. Who manages the Tool?
“EY” refers to one or more of the member firms of Ernst & Young Global Limited (“EYG”), each of which is a separate legal entity. The personal data which you provide in the Tool may be shared by EY with one or more member firms of EYG located throughout the world (see “Who can access your information” section below) in accordance with the corresponding Engagement Letter with the EY Client.
The Tool is hosted in a Microsoft Azure Environment administered by the All For One Group SE on behalf of EY in Germany.
3. Why do we need your information?
The purpose of the Tool is to ensure the correct and timely fulfilment of tax obligations in several ways:
- Identification, evaluation and mitigation of tax risks
- Implementation, execution and documentation of tax processes
- Support of tax audits
- Documentation and reporting of tax relevant information, data, tasks and processes
EY relies on the following basis to legitimize the processing of your personal data in the Tool:
Processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
The specific legitimate interests are the provision of services for EY Client with the Tool.
4. What type of personal data is processed in the Tool and for what purpose?
The Tool processes the following categories of personal data:
Mandatory:
- User ID
- Surname
- First name
- Password
This data is necessary for authentication and authorisation of the user, i. e.
- to log into the tool and
- to apply role-based access restrictions.
The user’s ID and/or name will also be used by the tool to document specific (technical or functional) actions and events, e. g.
- successful or failed login attempts
- creating, changing or deleting records
- starting or finishing a task and/or process
Collecting, processing and storing of this data is necessary for the tool to function properly; it will not be used to monitor individuals or groups of people in regard to their work, performance or results.
Optional (functional):
- Email address
- Telephone number
This data may be used to receive notifications from the system (like Emails or text messages).
Optional (informational):
Contact details, e. g.
- Name of contact person at customs office
- Name of contact person at tax office
- Name of GDPdU/GoBD delegate
- Name of data protection officer
This data may be used for information only.
5. Sensitive Personal Data
Sensitive personal data is data revealing your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning sex life or sexual orientation.
EY does not intentionally collect any sensitive personal data from you via the Tool, and it is not the intention of the Tool to collect, process or store such data.
6. Cookies
Cookies are used within the scope of providing the tool. These are small files that are stored on your end device with the help of your Internet browser in order to offer you a large range of functions and to make the use of the tool more comfortable.
There are two main types of cookies: "first party cookies", which provide information directly to us, and "third party cookies", which provide the information on our behalf from third parties.
The cookies used in the tool are limited to the following technically required cookies:
| Name of the cookie | Purpose of the cookie | Type of the cookie |
| --- | --- | --- |
| .cubus.auth | This is an authentication token that includes the user name in encrypted form. | First Party Cookie |
| .cubus.csrf | Cookie using a random token in a security mechanism | First Party Cookie |
| .cubus.session | This is a random token that is linked to user data stored on the server | First Party Cookie |
| _UIculture | This is the language preference selected by the user | First Party Cookie |
The use of technically required cookies is necessary to guarantee the correct and safe use of the tool and its functionalities and to make them available in full.
Data processing via technically required cookies is based on our legitimate interest in accordance with Art. 6 Para. 1 lit. f GDPR. Our legitimate interest results from the described purposes of use of the respective technically required cookie, the securing of the technical operation of the tool with certain basic functionalities and the conduct of client engagements.
These technically required cookies are set automatically when you use the tool or a specific function, unless you have blocked the setting of cookies by changing settings in your end device and/or Internet browser. Please note that the functionality and scope of the tool may be limited if you do not accept technically required cookies.
7. Who can access your information?
Your personal data may be accessed in the Tool by users who have the appropriate permissions. Please refer to the manual for further details. In general, the following kinds of roles are set in the application:
- Administrator: has read and write access to all the data in the system; manages and grants permissions for regular users.
- (regular) User: has read and write access to specific objects and entities in the system (e.g. modules, clients, reports).
- Reader: has read-only access to specific objects and entities in the system (e. g. modules, clients, reports); does not have the permission to create, edit or delete any records.
The access rights detailed above involve transferring personal data in various jurisdictions (including jurisdictions outside the European Union) in which EY operates (EY office locations are listed at https://www.ey.com/en_gl/locations). An overview of EY network entities providing services to external clients is accessible here (See Section 1 (About EY) - “View a list of EY member firms and affiliates”). EY will process your personal data in the Tool in accordance with applicable law and professional regulations in your jurisdiction. Transfers of personal data within the EY network are governed by EY’s Binding Corporate Rules.
We transfer or disclose the personal data we collect to third-party service providers (and their subsidiaries and affiliates) who are engaged by us to support our internal ancillary processes. For example, we engage service providers to provide, run and support our IT infrastructure (such as identity management, hosting, data analysis, back-up, security and cloud storage services) and for the storage and secure disposal of our hard copy files. It is our policy to only use third-party service providers that are bound to maintain appropriate levels of data protection, security and confidentiality, and that comply with any applicable legal requirements for transferring personal data outside the jurisdiction in which it was originally collected.
8. Data retention
A user account and all attendant personal data can be manually deleted by an Administrator of the system. However, this does not apply to records held for documentation purposes and functional reasons (e. g. timestamp and name are stored when a task is done; the name will stay visible in the system even if the user account is deleted).
After the end of the retention periods your data will be deleted.
9. Security
EY protects the confidentiality and security of information it obtains in the course of its business. Access to such information is limited, and policies and procedures are in place that are designed to safeguard the information from loss, misuse and improper disclosure. Additional information regarding our approach to data protection and information security is available in our Protecting your data brochure.
10. Controlling your personal data
EY will not sell, distribute or lease your personal data to third parties (other than those parties referred to in section 7 above) unless we have your permission or are required by law to do so.
You are legally entitled to request details of the personal data which EY holds about you.
If you would like to obtain confirmation as to whether or not your personal data is processed in the Tool or if you would like to access your personal data in the Tool, please contact your usual EY Client representative or e-mail your request to datenschutz@de.ey.com. If you contact EY, we will forward your request to the Controller to ensure that your request is taken care of in a timely manner.
11. Rectification, erasure or restriction of processing
EY provides you with the ability to make sure your personal data is accurate and up to date. You can request rectification, erasure or restriction of processing of your personal data by contacting your usual EY Client representative or by sending an e-mail to datenschutz@de.ey.com. If you contact EY, we will forward your request to the Controller to ensure that your request is taken care of in a timely manner.
12. Complaints
If you are concerned about an alleged breach of privacy law or any other regulation by EY, you can contact our Data Privacy Officer, Office of the General Counsel, Flughafenstraße 61, 70629 Stuttgart, Germany or via email at datenschutz@de.ey.com. Our Data Privacy Officer will investigate your complaint and give you information about how it will be handled and resolved.
If you are not satisfied with the way in which EY has resolved your complaint, you have the right to complain to the data protection authority in your country. You may also refer the matter to a court of competent jurisdiction.
13. Contact us
If you have questions or you do not feel that your concerns have been addressed in this Privacy Notice, please contact your usual EY Client representative, or send an e-mail to datenschutz@de.ey.com.