Privacy Policy (as of 07/2023)

The following Privacy Notice is intended to explain to you in a comprehensible, transparent and clear manner how your personal data is processed by us. Personal data means all data that directly or indirectly allows conclusions to be drawn about you ("data"). If you nevertheless have questions or other queries regarding data protection at oehner & partner rechtsanwaelte gmbh (PwC Legal), please feel free to contact at_datenschutz@pwc.com.

This information refers to the data that you make available to us, for example by filling out forms on our website (e.g., newsletter or document downloads), data that we collect during your visit to our website by means of cookies, and data that we process within the framework of our service provision.

Information on the processing of your data as part of your application can be found here.

You will find more details on the use of cookies in our Cookie Notice.

Data Controller

Controller of your data in accordance with Article 4(7) General Data Protection Regulation ("GDPR") is the following PwC network firm in Austria (hereinafter also referred to as "us", "we")

oehner & partner rechtsanwaelte gmbh (PwC Legal)
Donau-City-Straße 7, 1220 Wien
at_datenschutz@pwc.com
+43 1 384 0550

We process your data for the following purposes

1. Website

1.1 Cookies

Cookies are files that collect certain information from your terminal device. In order to make it easier for you to access our website and to enable evaluations of visits to our website, we store cookies on your terminal device. Our cookies enable us to record the IP address of your terminal device and, in connection with this, your visits to our website. However, this is only done if you have given us your prior consent in the cookie banner.

Legal basis: Consent as per Art 6(1)(a) GDPR and Section 165(3) TKG 2021

Categories of data: This depends on the cookie.

Storage duration: This depends on the cookie.

In our Cookie Notice you will find further details on the individual cookies, such as provider, function and lifetime. You will also find tips on how to decide whether to use cookies.

2. Business relationship

While your specific contractual relationship is concluded with PwC Legal, PwC Legal cooperates with the other PwC firms in Austria in certain areas as joint controllers (e.g., in the context of IT services or marketing). If you have any questions regarding this joint controllership, please direct them to at_datenschutz@pwc.com.

2.1 Contacting us for consultation purposes

On our website, we offer you the opportunity to leave your contact details on specific topics in order to be contacted directly by our experts. We process the data provided here on the basis of pre-contractual measures requested by you.

Legal basis: fulfilment of pre-contractual measures based on your request in accordance with Art 6(1)(b) GDPR.

Categories of data: First name, last name, e-mail, company, information provided by you

Storage period: Until completion of the pre-contractual measures or a resulting assignment 

2.2 Provision of services to corporate clients

In the course of our business relationship with our corporate clients, it is essential that we process the personal data of contact persons, managing directors, employees or, if applicable, customers or other third parties. The respective scope of data processing depends on the specific services to be provided, which is defined in the Engagement Letter. In our work for you, we also make use of innovative cloud solutions, which enable video conferences, data rooms or joint work on a document. Video and audio conferences may occasionally be recorded or streamed if necessary to foster collaboration or knowledge sharing. We only process personal data here if this is necessary for the fulfilment of our contractual obligations or if there is an overriding interest on our part in the processing. This is particularly the case when we process personal data of your employees and/or suppliers, customers for the purpose of providing you with services (e.g., in connection with legal proceedings).
If you do not provide us with this data or not to the extent required, we may not be able to provide the services you request. Please note that this would not be considered a contractual non-fulfilment on our part. If we receive personal data from you, we assume that you are entitled to transmit them to us.

Legal basis: Performance of contract according to Art 6(1)(b) and legitimate interest according to Art 6(1)(f) GDPR

Categories of data: The data varies according to the service provided, but generally includes at least the following categories of data: first name, last name, e-mail, telephone number, academic title, company affiliation and function, employee salary data, employee social insurance data, contract data with third parties.

Storage period: Until the end of service provision. After completion of the service provision, we are subject to different professional and tax retention regulations.

Recipients: Cloud service provider, IT service provider, PwC network companies

Transfer to third countries: Some of our service providers are located in non-EEA countries.  For some countries, there is an adequacy decision of the European Commission in place. In other cases, an adequate level of data protection has been achieved by concluding standard contractual clauses and, where applicable, additional guarantees. 

2.3 Provision of services to private customers

In the course of our business relationship with you it is essential that we process your personal data. The respective scope of data processing depends on the specific services to be provided, which is defined in the Engagement Letter. In our work for you, we also make use of innovative cloud solutions which, among other things, enable video conferences, data rooms or joint work on a document. Video and audio conferences may occasionally be recorded or streamed if necessary to foster collaboration or knowledge sharing. We only process personal data here if this is necessary for the fulfilment of our contractual obligations or if there is an overriding interest on our part in the processing. This is particularly the case if we process personal data of your family members, possible employees and/or suppliers, customers in order to provide you with a service (e.g., to determine shareholding relationships, legal relationships, etc).

If you do not provide us with this data or not to the extent required, we may not be able to provide the services you requested. Please note that this would not be regarded as a contractual non-fulfilment on our part. If we receive personal data from you which are not your own, we assume that you are entitled to transfer them to us.

Legal basis: Performance of contract according to Art 6(1)(b) and legitimate interest according to Art 6(1)(f) GDPR

Categories of data: The data varies according to the service provided, but usually includes at least the following categories of data: contact details, business activity, family members, income and other tax-related information, investments and other financial information.

Duration of storage: Until the end of the service provision. After completion of the service provision, we are subject to different professional and tax retention regulations.

Recipients: Cloud service provider, IT service provider, PwC network companies

Transfer to third countries: Some of our service providers are located in non-EEA countries. For some countries, there is an adequacy decision of the European Commission in place. In other cases, an adequate level of data protection has been achieved by concluding standard contractual clauses and, where applicable, additional guarantees.

2.4 Customer Relations Management

PwC Legal processes personal data about contacts (existing and potential clients and/or people associated with them) using a customer relationship management tool and a marketing tool. The collection of personal data from contacts and the completion of this personal data in these systems is carried out by our staff. As a matter of principle, your personal data will not be disclosed to third parties. Companies in the PwC network are excluded from this. You can revoke the consent you have given us at any time with effect for the future. To do so, please send an appropriate request to at_datenschutz@pwc.com.

The systems are provided by Salesforce and hosted in Salesforce's European data centres.

Legal basis: Consent in accordance with Art 6(1)(a) GDPR and Section 174 TKG 2021

Categories of data: First name, last name, e-mail, telephone number, academic title, company affiliation and function.

Storage period: Until you withdraw your consent.

Recipient: Cloud service provider, PwC network companies, IT service providers

Transfer to third countries: Some of our service providers are located in non-EEA countries.  For some countries, there is an adequacy decision of the European Commission in place. In other cases, an adequate level of data protection has been achieved by concluding standard contractual clauses and, where applicable, additional guarantees. 

2.5 Prevention of money laundering and measures against terrorist financing

PwC Legal is legally obliged to process personal data of its clients and, in the case of corporate clients, of the beneficial owners and other corporate representatives on the basis of national laws arising from EU money laundering and anti-terrorist financing regulations. After carrying out these checks with a compliance tool, the underlying documents must be retained for at least 5 years in accordance with professional regulations.

In order not to prevent effective measures from being taken, it may be that at certain points in time the rights of data subjects (in particular the right to information, correction, deletion or data transferability) cannot be implemented. This is always the case if the response to requests from data subjects results in the measures being thwarted or jeopardised.

Legal basis: Compliance with a legal obligation in accordance with Art 6(1)(c) GDPR (Section 8(a) Austrian Attorney’s Code)

Categories of data: key data, tax information, company investments, account information

Storage period: at least 5 years after completion of the checks

Recipients: Cloud service providers, PwC network companies, IT service providers

Transfer to third countries: Some of our service providers are located in non-EEA countries.  For some countries, there is an adequacy decision of the European Commission in place. In other cases, an adequate level of data protection has been achieved by concluding standard contractual clauses and, where applicable, additional guarantees.  

3. Events

3.1 Holding events

PwC Legal offers events such as lectures, seminars on various specialist areas and networking events. Your personal data is required for organising the event (sending invitations and links for online events).

Legal basis: fulfillment of pre-contractual obligations, or fulfillment of contract (Art 6(1)(b) GDPR).

Categories of data: Name, address, e-mail address, if applicable employer/company and function.

Storage period: For the implementation of the event (including follow-up reporting or sending of presentation documents).

Recipient categories: If applicable, event organisers and video conference operators (e.g. WebEx, Google, Microsoft).

Transfer to third countries: Some of our service providers are located in third countries. For some of these countries, the European Commission has issued an adequacy decision. If such a decision does not exist, an adequate level of data protection has been achieved through the conclusion of standard contractual clauses and, where applicable, additional guarantees. 

3.2 Photos and videos

It may also be the case that photos or videos are taken in the course of events, which may also constitute personal data, as persons are recognisable on them.

Legal basis: Our legitimate interest in public relations and presentation of our activities to the public as per Art 6(1)(f) GDPR.

Categories of data: Photos, videos

Storage period: 5 years

Recipient categories: Social media platforms (e.g. LinkedIn, Meta)

Transfer to third countries: Some of our service providers are located in third countries. For some of these countries, the European Commission has issued an adequacy decision. If such a decision does not exist, an adequate level of data protection has been achieved through the conclusion of standard contractual clauses and, where applicable, additional guarantees.

4. Marketing

4.1 Newsletter

You can subscribe to one or more of our newsletters on our website. We process the data you enter in the registration form to send you the newsletter. After entering your data, you will receive an email in which you confirm your consent to receive the newsletter. Only after we have received this confirmation will we send you the desired newsletter. We may insert small pixel tags (small image files) into our newsletters to determine whether they are opened and/or whether the hyperlinks in our newsletters are clicked. We may also collect the browser, location and device you use to access our email communications. This information allows us to better understand whether we are meeting the needs of our newsletter recipients and how we can improve our communications.

You can revoke this consent at any time by unsubscribing in the respective newsletter or by sending an e-mail to at_datenschutz@pwc.com.

Legal basis: Consent as per Art 6(1)(a) GDPR and Section 174 TKG 2021 (Austrian Telecommunications Act 2021)

Categories of data: First name, last name, e-mail, telephone number, academic title, company affiliation and function.

Storage period: Until you withdraw your consent or the newsletter service is discontinued.

Recipient: Cloud-Service Provider, IT-Service Provider, PwC network companies

4.2 Raffles

Occasionally, we hold raffles on our website or on various social media platforms. To carry out these raffles, notify the winners and provide the prize, it is necessary that we process certain basic data from you.

Legal basis: Performance of contract according to Art 6(1)(b) GDPR

Categories of data: The data depends on the specifics of the raffle, but generally it includes at least the following categories of data: first name, last name, e-mail address, address

Storage period: The data will be deleted after notification of the winners and provision of the prize.

Recipients: delivery service providers, IT service provider, PwC network companies

Your rights as a data subject

You have the following rights vis-à-vis PwC Legal in respect of personal data concerning you. In order to exercise these rights against us, please send us a letter containing a specific request.

Right to information: You can request information from us at any time about whether and which personal data we store about you. The provision of information by us is free of charge for you.

The right to information does not exist or exists only to a limited extent if and to the extent that the information would reveal information requiring secrecy, e.g. information subject to professional secrecy.

Right to rectification: If your personal data processed by PwC Legal is incorrect or incomplete, you have the right to demand that we correct it at any time. Until they are corrected, you may also request that processing be restricted.

Right to erasure: You have the right to demand that we delete your personal data if and to the extent that the data are no longer needed for the purposes for which they were collected or, if processing is based on your consent, you have revoked your consent. In this case we must stop processing your personal data and remove it from our IT systems and databases.

A right to erasure does not exist insofar as the data may not be deleted due to a legal obligation, must be processed due to a legal obligation, or the data processing is necessary for the assertion, exercise or defence of legal claims.

Right to limit processing: You have the right to request that we limit the processing of your personal data.

Right to data transferability: You have the right to obtain from us your personal data in a common and machine-readable format and the right to have such data transferred directly to another controller.

This right exists only if

  1. you have provided us with the data on the basis of a consent or on the basis of a contract concluded with you;
  2. the processing is carried out by means of automated procedures.

Right to object to processing: If the processing of your data by PwC Legal is based on Art. 6(1)(f) GDPR (our legitimate interest), you can object to the processing at any time.

Right to withdraw consent: You have the right to withdraw your consent for the processing of your personal data at any time. However, this does not affect the lawfulness of processing based on consent before its withdrawal.

Right to lodge a complaint with a supervisory authority

According to Art 77 GDPR, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates data protection law.  The supervisory authority in Austria is

Austrian Data Protection Authority (Datenschutzbehörde)
Barichgasse 40-42
1030 Vienna
dsb@dsb.gv.at  

Data security

Even if trade and business secrets are not directly covered by the term personal data, we nevertheless give such information the same protection and we expect the same from our service providers.

As a legally obliged professional secrecy holder, the security of your data is of particular concern to us. It goes without saying that all data traffic within the PwC network is encrypted. We also have encryption options for external data traffic, provided that you, as the recipient of our communications, have the technical requirements for decryption.

Please note that electronic communication using standard mail programs (such as MS Exchange) does not offer absolute protection against unauthorized access by third parties and that non-European servers may also be switched on for this form of communication.

It is also a matter of course for us to ensure that our PwC network's own data centres meet all ISO/IEC 27001 security standards. Our understanding of security also extends to the service providers we use, whom we have obliged to comply with similar or equivalent security measures.

If data is stored on servers outside Europe within the framework of the cloud services we use, we ensure that this data is stored exclusively in fragmented and encrypted form using the highest encryption technologies. The storage of client files and client documents always remains in PwC's internal data centres.

If you have any questions about our data security measures specifically relating to your business case, please contact at_datenschutz@pwc.com.
