EY Singapore Personal Data Protection Notice
December 2023
Introduction
This Data Protection Notice “Notice” sets out the basis upon which Ernst & Young LLP, Ernst & Young Solutions LLP, Ernst & Young Holdings Pte. Ltd., The Parthenon Group, Singapore Pte Ltd, EY Corporate Services Pte Ltd, Ernst & Young Advisory Pte Ltd, EY Corporate Advisors Pte Ltd, Ernst & Young Corporate Finance Pte Ltd and Atlas Asia Law Corporation (referred to as “EY”, “we”, “us”, or “our”) may collect, use, disclose or otherwise process personal data you have in accordance with the Personal Data Protection Act 2012 (“PDPA”). This Notice applies to personal data in our possession or under our control, including personal data in the possession of organisations which we have engaged to collect, use, disclose or process personal data on our behalf and for our purposes.
The purposes listed in the clauses may continue to apply even in situations where your relationship with us (for example, pursuant to your employment contract should you be hired) has been terminated or altered in any way for a reasonable period, thereafter, including where applicable, a period to enable us to enforce our rights under a contract with you.
-
Application of this notice
This Notice applies to all EY personnel, our prospective and current clients, clients’ customers and/or clients’ personnel for the purpose of rendering professional services to our clients.
-
Personal data
As used in this Notice, “personal data” means data, whether true or not, about an individual who can be identified:
- From that data
- From that data and other information to which we have or are likely to have access.
Other terms used in this Notice shall have the meanings given to them in the PDPA (where the context so permits).
-
Collection, use and disclosure of personal data
EY processes personal data for a variety of purposes. We collect this personal data directly from you, for example, if you engage us to prepare your tax return, if you visit ey.com “our Site”, if you submit your contact details to receive marketing communications from us, if you submit event-related data to attend EY events or submit a job application via the EY careers website. Alternatively, we process your personal data in the context of providing professional services to your employer or service provider, for example, conducting an audit of your bank or payroll for the company you work for. Finally, we obtain your personal data via publicly available sources, such as LinkedIn. This Notice is intended to cover all the above-mentioned scenarios.
Your personal data will be collected, used or disclosed to third parties by us for the purposes below if you fall within any of the following categories of data subjects:
-
Visitors to ey.com
Effective delivery of information and services to you, and the effective and lawful operation of our businesses
Developing and improving our site and your user experience
-
Entrepreneur Of The Year program participants
Nominations require personal and financial data shared with program sponsors and judges. Refer to the program's privacy notice for more details
-
Clients
We use this information:
- To provide services to you
- To manage our relationship and contracts
- For accounting and tax purposes
- For marketing and business development, with your consent
- To comply with our legal and regulatory requirements
- To establish, exercise or defend legal rights
- For historical and statistical purposes
-
Individuals whose personal data we obtain in connection with providing services to our clients
Individuals whose personal data we obtain in connection with providing services to our clients
- Personal, contact, financial and special category data as needed for services
- Ensuring consistent and quality services for clients
-
Insolvency services
To assist in insolvency procedures, including communication with creditors, statutory returns and legal obligations.
-
Contacts in our customer relationship management and marketing (CRM) systems
For marketing and communication purposes To manage relationships with business contacts and provide information about EY, our services and events
-
Participants in EY meetings, conferences, events and learning sessions
To manage event registration, including names, contact info, dietary restrictions and more
To provide information about EY, our services and events we organize
-
Individuals who use our applications
In instances where processed personal data goes beyond basic contact information used for application authentication purposes, such applications will contain their own privacy notices. Users should consult the application's privacy notice for details
-
Individuals who use our social media sites, plugins and tools:
-
Social media sites
EY uses social media to:
- Provide you with easy access to relevant information regarding job opportunities at EY and events we organize and to promote our services and brand.
- Assess aggregate data relevant for our pages, such as statistical and analytical data triggered by our content. Users should consult the platform's privacy notice for details.
-
Social media plugins (e.g., like and share buttons)
Our site includes plugins for Facebook and YouTube, and the functions of Twitter and Instagram services. Users should consult the platforms’ privacy notices for details.
-
Social media tools:
EY uses LinkedIn Lead Gen Forms for EY sponsored content and sponsored LinkedIn InMails for recruitment and marketing campaigns. Users should consult the platform's privacy notices for details.
Our site uses the Google Maps map service via an application programming interface (API). Users should consult the platform's privacy notices for details.
Promoting EY services and brand, in attracting, identifying and sourcing talent, and to improve your website experience and to optimise our services.
-
-
Individuals who correspond via email
Legal ground for processing personal data of individuals who correspond with EY via email:
- To maintain the security of our IT infrastructure.
- Analysing email traffic.
-
Individuals who correspond via phone and voicemail
Maintaining communication networks.
-
Job applicants
EY collect personal data from the following sources:
- To process and manage applications for roles at EY, including the screening and selecting of candidates.
- To hire and onboard candidates by making an offer to successful candidates and carrying out pre-employment screening checks.
- To manage our career websites, including conducting statistical analyses.
- Compliance with a legal or regulatory obligation when carrying out background checks to warrant a candidate is eligible to work.
-
Alumni
Maintaining a strong relationship with our alumni, sending publications about EY and our services, inviting alumni to events and helping alumni keeping in touch with other alumni
-
Suppliers
Legal grounds for processing personal data of our supplier are:
- In order to manage our relationship and contract, and to receive services from our suppliers.
- To understand any conflict of interest or challenge with regard to independence legislation.
- To safeguard against EY inadvertently dealing with the proceeds of criminal activities or assist in any other unlawful or fraudulent activities (for example, terrorism).
-
EY/Ethics
EY/Ethics offers a confidential platform to report unethical or illegal behaviour violating our Code of Conduct. Please review the EY/Ethics privacy notice and consent form for details.
-
Visitors to EY offices
To provide you with certain facilities, to control access to our buildings, and to protect our offices, personnel, goods and confidential information.
-
-
Reliance on legitimate interests exception
In compliance with the PDPA, we may collect, use or disclose your personal data without your consent for the legitimate interests of EY or another person. Before relying on the legitimate interests exception under the PDPA, EY will assess the likely adverse effects on you and determine whether its legitimate interests outweigh any adverse effect.
In line with the legitimate interests exception, we will collect, use or disclose your personal data for the following purposes:
- Fraud detection and prevention.
- Detection and prevention of misuse of services.
- Network analysis to prevent fraud and financial crime and perform credit analysis.
- Collection and use of personal data on company-issued devices to prevent data loss.
The purposes listed in the above clause may continue to apply even in situations where your relationship with us (for example, pursuant to a contract) has been terminated or altered in any way, for a reasonable period thereafter.
-
Withdrawing your consent
The consent that you provide for the collection, use and disclosure of your personal data will remain valid until such time it is being withdrawn by you in writing. To the extent that you have consented to the collection, use or disclosure of your personal data for any of the purposes listed above, you may withdraw consent and request us to stop collecting, using or disclosing your personal data by submitting your request in writing or via email to our Data Protection Officer at the contact details provided below.
Upon receipt of your written request to withdraw your consent, we may require reasonable time (depending on the complexity of the request and its impact on our relationship with you) for your request to be processed and for us to notify you of the consequences of us acceding to the same, including any legal consequences which may affect your rights and liabilities to us. In general, we shall seek to process and effect your request within ten (10) business days of receiving it.
Whilst we respect your decision to withdraw your consent, please note that depending on the nature and extent of your request, we may not be in a position to provide you the service or process your initial request for which you shared your personal data. We shall, in such circumstances, notify you before completing the processing of your request (as outlined above). Should you decide to cancel your withdrawal of consent, please inform us in writing in the manner described in the section titled “Data Protection Officer”.
Please note that withdrawing consent does not affect our right to continue to collect, use and disclose personal data where such collection, use and disclose without consent is permitted or required under applicable laws.
-
Access to and correction of personal data
If you wish to make:
- An access request for access to a copy of the personal data which we hold about you or information about the ways in which we use or disclose your personal data
- A correction request to correct or update any of your personal data which we hold, you may submit your request in writing or via email to our Data Protection Officer at the contact details provided below.
Please note that a reasonable fee may be charged for an access request. If so, we will inform you of the fee before processing your request.
We will respond to your request as soon as reasonably possible. In general, our response will be within thirty (30) days. Should we not be able to respond to your access request within thirty (30) days after receiving your access request, we will inform you in writing within thirty (30) days of the time by which we will be able to respond to your request. If we are unable to provide you with any personal data or to make a correction requested by you, we shall generally inform you of the reasons why we are unable to do so (except where we are not required to do so under the PDPA).
-
Protection of personal data
- EY protects the confidentiality and security of information it obtains in the course of its business. Access to such information is limited and policies and procedures are in place that are designed to safeguard the information from loss, misuse and improper disclosure. Additional information regarding our approach to data protection and information security is available in our Protecting your data (pdf).
- To safeguard your personal data from unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks, we have introduced appropriate administrative, physical and technical measures such as minimized collection of personal data, authentication and access controls (such as good password practices, need-to-basis for data disclosure, etc.), encryption of data, data anonymisation, up-to-date antivirus protection, regular patching of operating system and other software, securely erase storage media in devices before disposal, web security measures against risks, and security review and testing performed regularly.
-
Accuracy of personal data
We generally rely on personal data provided by you (or your authorised representative). In order to ensure that your personal data is current, complete and accurate, please update us if there are changes to your personal data by informing our Data Protection Officer in writing or via email at the contact details provided below.
-
Retention of personal data
We may retain your personal data for as long as it is necessary to fulfil the purposes for which they were collected, or as required by EY’s internal policies and processes or permitted by applicable laws.
We will cease to retain your personal data or remove the means by which the data can be associated with you, as soon as it is reasonable to assume that such retention no longer serves the purposes for which the personal data were collected and are no longer necessary for legal or business purposes.
-
Minors
Our Site is not intended for use by minors under the age of sixteen (16) years. EY does not knowingly collect, disclose, or sell the personal data of minors under 16 years of age through our Site. If you are under 16 years old, please do not provide any personal data even if prompted to do so. If you believe that you have inadvertently provided personal data, please ask your parents or legal guardians to notify us and we will delete your personal data.
-
Transfer of personal data outside of Singapore
EY member firms operate in more than 150 countries across the globe. Certain aspects of the EY infrastructure are centralized, including information technology services provided to member firms. In addition, where engagements with EY clients span more than one jurisdiction, certain information will need to be accessed by all those within the EY organization who are working on the matter. Therefore, your personal data will be transferred to and stored outside the country in which you are located, including countries with differing privacy laws.
We will take steps to ensure that your personal data continues to receive a standard of protection that is at least comparable to that provided under the PDPA.
-
Data Protection Officer
You may contact our Data Protection Officer if you have any enquiries or feedback on our personal data protection policies and procedures, or if you wish to make any request in the following manner:
Contact No.
: 65357777
Email Address
: dpo@sg.ey.com
Address
: Level 18 One Raffles Quay Singapore 048583
-
Effect of notice and changes to notice
This Notice applies in conjunction with any other policies, notices, contractual clauses and consent clauses that apply in relation to the collection, use and disclosure of your personal data by us.
We may revise this Notice from time to time without any prior notice. You may determine if any such revision has taken place by referring to the date on which this Notice was last updated.
Effective date
: 11/12/2023
Last updated
: 11/12/2023