EY My Day App privacy notice
12 November 2019
Introduction
This Privacy Notice is intended to describe the practices EY follows in relation to the EY My Day application (“Tool”) with respect to the privacy of all individuals whose personal data is processed and stored in the Tool.
-
Who manages the Tool?
“EY” refers to one or more of the member firms of Ernst & Young Global Limited (“EYG”), each of which is a separate legal entity and can act as a data controller in its own right. The entity that is acting as data controller by providing this Tool on which your personal data will be processed and stored is the local EY member firm that employs you or that is your host.
The Tool communicates with a system that manages services into other EY and vendor business systems. This integration system is hosted in Amazon Web Services Private Cloud in Ireland.
-
Why do we need your personal data?
The purpose of the tool is to transform your EY Workplace experience by providing easy access to a number of building and facility related services.
Your personal data processed in the Tool is used as follows:
- Get access to the office by simply presenting your phone
- Find workspaces and colleagues
- Reserve meeting spaces and check in/out automatically
- Indoor Positioning to enable 2D navigation and location-based services
- Pre-order food and beverages at restaurant
- Raise tickets for assistance/maintenance for issues within the building
EY relies on the following basis to legitimise the processing of your personal data in the Tool:
- You have given consent to the processing of your personal data for the purposes described in this Privacy Notice.
- Processing is necessary for the purposes of the legitimate interests pursued by EY, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. The legitimate interest pursued is the interest of EY to efficiently manage the facilities of EY offices in an innovative way and therefore also for providing transformational workplace services to employees and guests via a simple to use application.
Use of the Tool and the provision of your personal data to EY is optional. However, if you do not provide all or part of your personal data, we may be unable to carry out the purposes for processing.
-
What type of personal data is processed in the Tool?
Default:
- First Name
- Last Name
- EY Email Address
- Department
- Current Location (geo-position and floor) – this is an “opt in” option
Recent choices – to increase usability of the Tool. This includes:
- Catering Menu Choices
- Meeting Rooms
App Usage Statistics – general usage statistics to enable future improvements
-
Sensitive personal data
Sensitive personal data reveals your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning sex life or sexual orientation.
EY does not intentionally collect any sensitive personal data from you via the Tool. The Tool’s intention is not to process such information.
The Tool contains a chatbot functionality. Please do not enter any sensitive personal data into the chatbot.
-
Who can access your personal data?
Your personal data is accessed in the Tool by the following persons/teams:
For the purpose of supporting the Tool and its back-end systems, support personnel with administrative or elevated rights from Spica Technologies (UK based) and ISS will have access to your personal data.
Since most of the functionality in the Tool is to provide assisted availability to existing EY and ISS systems, data collected or provided in the Tool will flow to such systems and can be seen by the administrators and elevated users of these system as given below:
- Meeting Rooms booked through the Tool will be available to users with the appropriate rights to the EY’s room booking system called Enterprise Reservation System (ERS);
- Meal ordering through the Tool will be available in the ISS Symphony catering system, so the ISS catering staff can prepare those meals;
- Facility service requests raised via the Tool will be available in ISS TRIRIGA CAFM system and can be seen by ISS facility service staff providing service in EY offices so that they can respond to those tickets.
The access rights detailed above involves transferring personal data in various jurisdictions (including jurisdictions outside the European Union) in which EY operates (EY office locations are listed at www.ey.com/ourlocations). An overview of EY network entities providing services to external clients is accessible here (See Section 1 (About EY) - “View a list of EY member firms and affiliates”). EY will process your personal data in the Tool in accordance with applicable law and professional regulations in your jurisdiction. Transfers of personal data within the EY network are governed by EY’s Binding Corporate Rules.
We transfer or disclose the personal data we collect to third-party service providers (and their subsidiaries and affiliates) who are engaged by us to support our internal ancillary processes. For example, we engage service providers to provide, run and support our IT infrastructure (such as identity management, hosting, data analysis, back-up, security and cloud storage services) and for the storage and secure disposal of our hard copy files. It is our policy to only use third-party service providers that are bound to maintain appropriate levels of data protection, security and confidentiality, and that comply with any applicable legal requirements for transferring personal data outside the jurisdiction in which it was originally collected.
-
Data retention
Our policy is to retain personal data only for as long as it is needed for the purposes described in the section “Why do we need your personal data”. Retention periods vary in different jurisdictions and are set in accordance with local regulatory and professional retention requirements.
In order to meet our professional and legal requirements, to establish, exercise or defend our legal rights and for archiving and historical purposes, we need to retain information for significant periods of time.
If you are an employee of EY, your personal data will be deleted once you leave EY.
-
Security
EY protects the confidentiality and security of information it obtains in the course of its business. Access to such information is limited, and policies and procedures are in place that are designed to safeguard the information from loss, misuse and improper disclosure. Additional information regarding our approach to data protection and information security is available in our Protecting your data brochure.
-
Controlling your personal data
EY will not transfer your personal data to third parties (other than any external parties referred to in section 6 above) unless we have your permission or are required by law to do so.
You are legally entitled to request details of EY’s personal data about you.
To confirm whether your personal data is processed in the Tool or to access your personal data in the Tool or (where applicable) to withdraw your consent, contact your usual EY representative or email your request to data protection team.
-
Rectification, erasure, restriction of processing or data portability
You can confirm your personal data is accurate and current. You can request rectification, erasure, restriction of processing or a readily portable copy of your personal data by contacting your usual EY representative or by sending an e-mail to data protection team.
-
Complaints
If you are concerned about an alleged breach of privacy law or any other regulation, contact EY’s Global Privacy Leader, Office of the General Counsel, 6 More London Place, London, SE1 2DA, United Kingdom or via email at data protection team or via your usual EY representative. An EY Privacy Leader will investigate your complaint and provide information about how it will be handled and resolved.
If you are not satisfied with how EY resolved your complaint, you have the right to complain to your country’s data protection authority. You can also refer the matter to a court of competent jurisdiction.
Certain EY member firms in countries outside the European Union (EU) have appointed a representative in the EU to act on their behalf if, and when, they undertake data processing activities to which the EU General Data Protection Regulation (GDPR) applies. Further information and the contact details of these representatives are available here.
-
Contact us
If you have additional questions or concerns, contact your usual EY representative or email data protection team.