Privacy Statement EY/Ethics
Version August 2024
This Privacy Statement informs you about the way in which EY processes your personal data in the context of EY/Ethics for which the following entities of the EY network of Ernst & Young Global Limited (jointly referred to as "EY", "We", "Us" or "Our") situated in the Netherlands are responsible, and how the implementation of applicable data protection legislation such as the General Data Protection Regulation ((EU) 2016/679; the GDPR) is ensured. More general information can be found in the General Privacy Statement of EY Nederland (available via this link).
EY/Ethics is a confidential online reporting system operated on behalf of EY by NAVEX Global, Inc. and provided by EY to allow people to ask questions or to report suspected violations of law, professional standards, and/or the EY Global Code of Conduct.
1. Which personal data is processed for what purposes?
In the context of EY/Ethics we process your personal data for the following purposes:
- to enable you to ask questions;
- to report suspected violations of law, professional standards, and/or the EY Global Code of Conduct; and/or
- where relevant, for the establishment, exercise or defense of legal claims.
When submitting a question we may process the following personal data:
- name
- email address
- relationship to EY
- password for the question
When you make a report we may process the following personal data:
- name
- email address
- relationship to EY
- password for the report
- identification details, function, contact details, behavior, and other personal data of the person(s) involved in the suspected violation
- identification details, function, contact details, and other personal data of individuals who have knowledge of the suspected violation
Please note that it is also possible to submit your question or report anonymously. If you would like to receive an email when EY posts follow-up responses to you, you may provide a personal email address. Your email address won't be included with your report to EY, but will be held by NAVEX, subject to NAVEX's Terms and Conditions. Providing an email address isn't required to make a report, but enables NAVEX to notify you by email of updates or follow-ups to your report.
For more information on how EY/Ethics works, please consult the FAQs here.
We obtain your personal data in various ways:
- Provided by you. Some personal data we receive directly from you. An example of this is the information that you provide us with when submitting a question or report.
- Obtained from third parties. We may obtain personal data about you from other persons or external parties. Examples include information provided by other reporters, managers, and other authorized persons involved in investigations.
Sensitive personal data
It is not required to submit sensitive personal data (such as race or ethnic origin, sexual orientation or religious or other beliefs), including criminal offence data, in connection with EY/Ethics. We strongly encourage individuals not to include any sensitive personal data in their report unless necessary to support the report. However, we might receive sensitive personal data because this is included in a report. We only use personal data as necessary to investigate a report and we will promptly delete any sensitive personal data that is not necessary to investigate a suspected violation.
2. What is the legal ground for the processing?
The processing of your personal data is necessary for:
- purposes of the legitimate interests pursued by EY and the reporter, but also of third parties, such as clients. The specific legitimate interest(s) pursued is to enable individuals to raise concerns and/or ask questions to us in a confidential manner, or where relevant, for the establishment, exercise or defense of legal claims; and
- compliance with our legal obligation under EU Directive 2019/1937 on the protection of persons who report breaches of Union law and the Dutch Whistleblowers Protection Act (Wet bescherming klokkenluiders).
To the extent we process sensitive personal data in connection with EY/Ethics, we do so because this is:
- for reasons of substantial public interest;
- for the establishment, exercise or defense of legal claims; or
- insofar as it concerns criminal offence data, to protect EY’s interests.
3. Recipients of your personal data
If and insofar required to conduct and conclude the investigation into the reported suspected violation, and if we are entitled to do so under applicable laws and regulations, we can provide access to or transfer your personal data to other parties.
Personal data may be accessed by or transferred to:
- The Local Member Firm – if you have selected restricted access to your report to the local member firm only, your personal data is only accessible to authorized person(s) within the Local Member Firm (e.g. EY Nederland B.V.);
- EY/Ethics team – if you have selected to direct your report to the EY/Ethics team for action, both the EY/Ethics team as well as the Local Member Firm have access to your personal data;
- Other third parties that are involved with the processing of personal data in the context of EY/Ethics, such as NAVEX Global, Inc., which operates the confidential online reporting system on behalf of EY, but also law firms or law enforcement and other public authorities.
In order to provide the services, EY may be required to transfer personal data to other countries, within or outside the European Economic Area (EEA). In case these parties are situated outside the European Economic Area (EEA), EY has conducted Transfer Impact Assessments and has legitimized the transfer in a manner described below.
3.1. Transfers outside the EEA, but within the EY network
We have taken various appropriate technical and organizational measures to ensure the security and integrity of data that is transferred outside the EEA, but within the EY network. In this regard, EY has implemented Binding Corporate Rules ("BCRs"), based on which the global transfer of personal data out of the EEA within the EY network is legitimized, in accordance with the GDPR and specifically article 47 of the GDPR. Based on the BCRs, the same requirements regarding data protection are applicable for all entities within the EY network. You can consult the BCRs via this link.
3.2. Transfers outside the EEA and outside the EY network
The transfer of your personal data to a third party outside the EEA can in the first place be legitimized based on an adequacy decision of the European Commission, in which it is decided that the (part within the) third country in question ensures an adequate level of data protection. See this link for a summary of the applicable adequacy decisions.
The information you provide will be stored on EY’s behalf on servers hosted by NAVEX Global, Inc. in the United States. NAVEX participates in and has certified its compliance with the EU-U.S. Data Privacy Framework (see the Navex Global Privacy Statement for additional information: http://www.navexglobal.com/en-us/privacy-statement). Additionally, EY and NAVEX Global, Inc. have concluded an agreement that includes standard data protection clauses adopted by the European Commission.
You can contact us if you wish to receive additional information about the way in which we legitimize the transfer of your personal data to countries outside the EEA.
4. Retention period
In general, we do not retain your personal data for longer than necessary in relation to the purposes for which we process the personal data. If you have submitted a question or a report via the EY/Ethics Hotline and in case no further legal grounds for longer retention prevail, your personal data will be retained for a maximum of 2 years after the EY/Ethics report has been closed.
In certain situations, we process your personal data for a longer period of time than what is necessary for the purpose of the processing. This is for instance the case when we have to process your personal data (i) to comply with a minimum retention period or other legal obligation to which we are subject based on EU law or the law of an EU member state, or (ii) when your personal data is necessary in relation to a legal procedure.
5. Rights of individuals
In the context of EY/Ethics, the privacy rights as mentioned in the following paragraphs are relevant.
For more information about your privacy rights and how to exercise them, please refer to our General Privacy Statement which is available via this link.
5.1. Right of access
You have the right to obtain insight into the way in which we process your personal data. In the first place, you are entitled to an overview of your personal data. In the second place, you are entitled to further information about the way in which we process your personal data. For example, the purposes for which we process your personal data, how we obtained it, and with whom we share it.
5.2. Right to rectification
The right to rectification means that, under conditions, you have the right that EY changes or supplements your personal data. You have this right in case we process personal data about you that:
- is factually incorrect;
- is incomplete or not related to the purpose it was collected for; or
- is in any other way used in a manner that conflicts with an applicable law.
The right of rectification is not intended for the correction of professional opinions, findings or conclusions that you do not agree with.
5.3. Right to erasure
Under certain conditions you have the right to obtain the erasure of the personal data we process about you. You could have this right in the following cases:
- Data no longer required. EY no longer needs your personal data for the purposes for which EY processed it.
- Unlawful processing. EY processed your personal data unlawfully, for example because EY doesn’t have (or no longer has) a valid ground to do this.
- Compulsory erasure. EY must erase the personal data in order to comply with a legal obligation.
5.4. Right to restriction of processing
The right to restriction of processing means that EY will continue to store personal data at your request, but may in principle not do anything further with it. In short, you have this right when EY does not have (or no longer has) any legal grounds for the processing of your personal data or when this is disputed. This right is specifically applicable in the following situations:
- Unlawful processing. EY may not (or no longer) process certain personal data, but you do not want EY to erase the data. For example, because you still want to request access to this data in a later stage.
- Personal data no longer required. EY no longer needs your personal data for the purposes EY processed this, but you still require the personal data for a legal claim. For example, in case of an employment law dispute.
- Pending an objection. You objected to the processing of your personal data by EY (see the right to object below). Pending the verification of your objection we may no longer process this personal data at your request.
- Contesting the accuracy of personal data. You contest the accuracy of certain personal data that we process about you (for example through your right to rectification; see above). While we assess your claim we may no longer process this personal data at your request.
5.5. Right to object
You have the right to object to the processing of your personal data by EY. Under conditions, EY has to comply with this objection. In this case, EY shall no longer process this personal data for the purpose that you objected to. It can however be possible that EY still processes the personal data for another purpose, such as for the execution of an agreement with you or in order to comply with a minimum retention period. If this is the case, you will be informed about this.
6. Contact and complaints
If you have any questions, remarks or complaints about our processing of your personal data, you can contact our Data Protection Officer (DPO) via email at privacy.nl@nl.ey.com, by telephone via 088-4078895 or by sending a letter to EY Nederland B.V., attn. Data Protection Office (Boompjes 258, 3011 XZ Rotterdam).
You also have the right to lodge a complaint with the supervisory authority in your country of residence, place of work or the country in which the alleged privacy infringement occurred within the EU. In the Netherlands, the Autoriteit Persoonsgegevens (“AP”) is the supervisory authority. For more information on how to lodge a complaint, please refer to the website of the AP.
7. Changes
We may change this Privacy Statement from time to time. The latest version can always be consulted via this page. Material changes will be communicated.