Data Use Principles

A secondary use of Data in accordance with the Policy can only be performed with the client’s consent. This consent is usually collected through the engagement letter entered into with the client or through the data collection tool or project’s documentation.

The client can  withdraw its consent after providing them with respect to future secondary uses of the data (excluding past or on-going reuse performed in accordance with PwC data use policy).

Please address withdrawn requests to :  lu-data-use-consent@pwc.lu

PwC Luxembourg does not authorise the secondary use of Data in violation of the law (especially GDPR), the policy or the contracts entered into with the concerned client. In addition, some Data that PwC Luxembourg assesses as highly sensitive are excluded from secondary use.

As a general rule, PwC Luxembourg does not sell or provide Data to third parties. PwC Luxembourg Risk Management Team may grant exceptions to this general rule subject to specific safeguards.

Cases of secondary use of Data currently authorised within our firm are limited to:

• Performance of a new service for the same client;
• Benchmarking or statistics;
• Development, testing and maintenance of our systems or services.

Data secondary use cases are subject to an assessment and are monitored by the PwC Luxembourg Data Governance Unit and subject to the final approval of PwC Luxembourg Risk Management Team.

The purpose of the secondary use case and its legitimacy are assessed during the governance process.

In case of authorised secondary use, confidentiality of Data is protected. Only teams that are rendering a service to a client or work on a project may access the raw Data of said client. In other cases of authorised secondary use of Data, Data are de-identified and/or aggregated.

The Policy defines a Data Owner, who is accountable for the use of the Data. He/she is accountable for safeguarding the confidentiality, integrity, availability, reliability, traceability and ultimately the disposal of Data.