External Service Providers
In the course of providing services to clients, PwC and its subsidiaries may use the services of the following cloud service providers. Please note that, if required, the list of cloud service providers may be extended at any time:
Cloud Service Provider | Place of data storage
Microsoft Corporation, Redmond, USA | Netherlands and Ireland
Google LLC, Mountain View, California, USA | Netherlands, Finland, Ireland and Belgium
Legal Obligations Regarding Confidentiality and Data and Information Security
PwC Legal AG places particularly high demands on data and information security and on the protection of the confidentiality of all information obtained in the course of our professional activities. As one of the companies listed in accordance with §§ 59c et seq. Bundesrechtsanwaltsordnung (BRAO) (Federal Lawyers’ Act), we must maintain secrecy with regard to all knowledge acquired in the course of our professional activities in accordance with § 43a Para. 2 BRAO. This applies both to the lawyers employed by us and to all other employees of the law firm. This general standard is specified in more detail in the Professional Code of Conduct for Lawyers. According to § 2 of this professional statute, issued by the Rechtsanwaltskammer (Bar Association) on a statutory basis and binding for all lawyers, lawyers may not, without authorisation, disclose facts and circumstances that are entrusted to them or become known to them in the course of their professional activity. This applies not only to external third parties but also internally within PwC, i.e. to colleagues who are not directly involved in the respective assignment. The statutory duty of confidentiality extends to all employees of our company. Each employee is separately bound to secrecy under their employment contract, and this obligation continues after they leave the services of our company.
Violation of the statutory duty of confidentiality is a punishable offence under Section 203 of the German Criminal Code. In addition to professional law, which is more specific in many respects, our company naturally also ensures compliance with the provisions of the General Data Protection Regulation (GDPR) and the new German Federal Data Protection Act (BDSG neu). In particular, all data is protected by the necessary technical and organisational security measures in accordance with Art. 32 GDPR. In addition, each employee hired by us is bound by a separate clause in their employment contract to maintain data secrecy, even after leaving the services of our company.
For this reason, the topics of data security and data protection are particularly important to us and we train our employees regularly.
PwC Network Standards for Information and Data Security
PwC Legal AG is a member of the global PwC network, which consists of the individual legally independent PwC companies.
In addition to the legal requirements of German professional law and data protection law, which PwC Legal AG, as a legally independent company, has to guarantee on its own responsibility, the network-wide standards for information and data security also apply to PwC Legal AG. These PwC network standards for information and data security are internal guidelines that define a uniform, high level of information and data security throughout the network beyond the legal obligations of the respective PwC companies.
Our global information security policy for the PwC network is based on the recommendations of ISO/IEC 27002. All companies in the PwC network have undertaken to comply with the requirements of the information security policy. This is regularly reviewed by the Information Security Compliance Team of the global PwC Risk & Quality Organization.
The Information Security Compliance Team’s data security procedures and methods have been independently reviewed by the British Standards Institution (BSI) to ensure compatibility and compliance with ISO/IEC 27001. Annual audits are carried out by the BSI.
Furthermore, the entire IT division of the German PwC companies – including all the services it offers – has been certified in accordance with ISO/IEC 27001. This certification is confirmed within the scope of annual audits by the certifier DQS.
Information on the Use of Google Services by PwC Legal AG
Scope of use of Google services by PwC Legal AG
PwC Legal AG uses Google services for internal communication and communication with clients, as well as a platform for internal collaboration. The cloud services used by PwC Legal AG essentially comprise the Google G Suite applications for e-mail traffic, scheduling and video conferencing, as well as applications for collaboration between PwC employees (word processing, spreadsheets and presentations for joint editing) and for shared file storage.
The use of Google services does not affect the storage and archiving of client files and other mandate-related documents, records and information of the PwC Legal AG. Such documents are not transferred to Google cloud services, but remain stored unchanged on the systems and servers of PwC’s own data centres in Germany.
The use of Google cloud services as part of client work is limited to contact data (name and e-mail address) and e-mail communication with clients.
Guarantee of the Legally Required Level of Data Protection in Accordance with the GDPR
The use of Google services by PwC Legal AG ensures a high level of data protection in accordance with the legal requirements of the GDPR.
Art. 44 GDPR requires safeguarding an adequate level of data protection for the processing and storage of data in computer centres outside EU states. Since not every country has a data protection level that is comparable with German and EU law, Art. 44 GDPR stipulates that an adequate level of data protection must be guaranteed when data is transferred to such countries. For the use of the Google cloud services by PwC Legal AG, an adequate level of data protection within the meaning of Art. 44 GDPR is guaranteed by utilizing the EU standard contractual clauses (EU Model Clauses) developed by the EU Commission, which have been agreed upon pursuant to Art. 46 (2) (c) in conjunction with Art. 46 (5) sentence 2 GDPR. The EU standard contractual clauses are a recognised means of contractually ensuring an adequate level of data protection for data transfers outside Europe. These contain the requirements of European data protection law in the form of contractual clauses and may not be changed by the contracting parties without prior approval by the EU Commission. The EU Model Clauses used by Google can be found under the following link: https://cloud.google.com/terms/eu-model-contract-clause.
For the EU standard contractual clauses used by Google for the Google Cloud Platform and for the application programs of Google G Suite, there is a so-called joint opinion of the Art. 29 Working Party (the association of European data protection supervisory authorities), which confirms conformity with the requirements of EU data protection law.
In addition, technical and organisational measures to ensure data security have been contractually agreed which comply with the requirements of Art. 32 GDPR. Compliance with the technical and organisational measures is proven by recognised certificates and is subject to regular monitoring by PwC Legal AG. In addition, the special professional confidentiality obligations to which PwC Legal AG as an auditing company is subject in addition to data protection law are also reflected in the contracts with Google. In particular, rights to issue instructions were agreed and strict confidentiality obligations were imposed.
High IT Security Standards
Data in transit and data at rest are encrypted on Google systems in Google data centres. These are globally organised and are characterised by high security standards and the use of modern encryption technology (e.g. HTTPS/TLS/PFS).
Among other things, all data and information is split into small chunks, additionally encrypted and stored in a distributed manner across the data centre infrastructure. Access to plaintext data, or any use of the data by Google or its system administrators in the respective data centres, is explicitly excluded by contract.
This and further information on IT security can be found at https://cloud.google.com/security/.
Google currently maintains data centres in the Netherlands, Finland, Belgium, Ireland, Taiwan, Singapore and the USA. The directory of all data centres is published and updated on Google’s homepage at https://www.google.com/about/datacenters/inside/locations/index.html. Google’s infrastructure, services and operations are regularly audited by external independent certification bodies, and its high IT security standards are audited and confirmed by internationally recognised certificates. Google publishes the ISO certificates and the SOC 3 audit report on its website (https://cloud.google.com/security/compliance) and updates these at regular intervals. The most important certifications held by Google with regard to data security and data protection include ISO 27001, ISO 27017 and ISO 27018.
Encryption of Data
All communication and data traffic within the PwC Google domain is encrypted with TLS (in transit) and AES-256 (at rest). Forward secrecy is also supported. This ensures that a compromised key can never be used to decrypt future communication or data. External data traffic (mail, calendar entries and attachments) with TLS-enabled recipient systems can also be encrypted automatically, in consultation with your IT department.
Deletion of Data
Google systemically supports compliance with legal retention requirements and provides tools and processes to ensure that data and e-mails are retained in accordance with legal requirements. At the end of the retention period, both e-mails and data are irretrievably deleted immediately – and no later than 30 days after the end of the retention period.