Deloitte Central Europe Privacy Statement

(information on your personal data processing) applicable to our client, vendor, contractor and sub-contractor relationships

Updated 26 April 2021

Definitions

“Deloitte” refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities (collectively, the “Deloitte organization”). DTTL (also referred to as “Deloitte Global”) and each of its member firms and related entities are legally separate and independent entities, which cannot obligate or bind each other in respect of third parties. DTTL and each DTTL member firm and related entity is liable only for its own acts and omissions, and not those of each other. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more. “Deloitte Central Europe” (“Deloitte CE”) is a regional organization of entities organized under the umbrella of Deloitte Central Europe Holdings Limited, the member firm in Central Europe of Deloitte Touche Tohmatsu Limited. Services are provided by the subsidiaries of, and firms associated with Deloitte Central Europe Holdings Limited, which are separate and independent legal entities.

“Controller” (“we”, “us” or “our”) means a controller or data controller determining the purposes of personal data processing (as further defined in the Data Protection Legislation).

“Processor” means a data processor or processor processing the personal data on behalf of the controller (as further defined in the Data Protection Legislation).

“Data Protection Legislation” means the following legislation to the extent applicable from time to time: (a) national laws implementing the Directive on Privacy and Electronic Communications (2002/58/EC); (b) the GDPR; and (c) any other similar national privacy law.

“GDPR” means the General Data Protection Regulation (EU) (2016/679).

“Personal Data” means any personal data (information relating to an identified or identifiable natural person / data subject) processed in connection with or as part of the services provided to our clients or in relation to the contractual relationships with our vendors, contractors or sub-contractors or as necessary for activities that are part of our standard business operations.

“Processing” means any operation or set of operations on personal data (manual or automated) such as collection, recording, structuring, storage, use, disclosure, restriction, erasure or destruction (as further defined in the Data Protection Legislation).

“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed (as further defined in the Data Protection Legislation).

Summary

This Privacy Statement is applicable to processing of your personal data (“data”) by us and explains:

· what personal data we process about you;
· why (for what purposes) we process your personal data (including the legal grounds for your data processing);
· how and in what locations we process your personal data (where we transfer your personal data and with whom we share your data);
· what are your rights.

This Privacy Statement applies from the date specified at the top of this page. We may modify or amend this Privacy Statement from time to time; therefore, we encourage you to review this statement periodically.

What personal data we process

We process the personal data that you provide to us, that we obtain from your employer or contractual partner, advisor or third party, that you explicitly made publicly available or is publicly available otherwise (e.g. online media).

This personal data may include:

· your name, surname and gender;
· your occupation (job position) and general contact details (work or home address, personal or work e-mail address and telephone number);
· history and details of your business contacts with Deloitte;
· your bank account number (in case that our client/contractor/vendor and sub-contractor is a natural person);
· IP address;
· your personal data provided in connection with the execution of your rights in accordance with this Privacy Statement;
· CCTV images and other information we collect when you access our premises (the specific and customized information on this personal data processing is available in the respective Deloitte CE premise if applicable – the CCTV images may be also processed by the building owner or the authorized third party).

For the purposes specified here-below we do not collect or process any ‘sensitive’ or ‘special categories’ of personal data as defined in the Data Protection Legislation. The additional types and categories of your personal data that are processed directly for the purposes of provision of our services are described in the Deloitte CE entities providing services as data controllers and Deloitte CE entities providing services as data processors privacy statements.

Purposes of your data processing (the “Purposes”)

· compliance with the applicable legal, regulatory or professional requirements (anti money laundering);
· addressing requests and communications from competent authorities;
· general contract administration, financial accounting (invoicing) and statistics;
· internal compliance and risk analysis (including investigating or preventing security incidents);
· protecting our rights and legitimate interests;
· general client, vendor, contractor or sub-contractor relationship purposes (including the feedback and complaints, as well as assessment and development of business opportunities);
· utilization of internal or hosted (cloud) information technology systems, services and applications (for communication, data sharing and archiving purposes).

Please note that this Privacy Statement does not include the information on processing of personal data for the purposes of marketing, direct mailing and recruitment. The processing of personal data for such purposes is described in the specific privacy statements that may be also part of your consent with such personal data processing (where relevant). We do not process your personal data for direct mailing and marketing purposes without your explicit consent. However, we may ask you for such consent in the course of personal data processing for the Purposes.

Legal basis for your data processing:

We process your personal data only when the processing is necessary in the following cases:

· to administer the contract we have with you personally or to take steps to enter into the contract with you;
· for compliance with a legal obligation we are subject to;
· for the purposes of our legitimate interest which might be:

- to execute and fulfil contracts with our vendors, contractors or sub-contractors,
- to protect our business interests (including to conduct our risk and quality assessments),
- to ensure that the complaints or requests delivered to us are properly addressed.

Retention of your personal data

Your personal data shall be retained by us for a period of 10 years following the provision of services to our clients or the expiration of our contractual relationships with our vendors, contractors or sub-contractors or as required by the applicable laws or relevant regulations or for Deloitte legitimate interest.

Personal data controller

In the context of this Privacy Statement the data controller is the Deloitte CE entity that is party to the client, vendor, contractor or sub-contractor contract.

Sharing and transferring your personal data

Your personal data may be disclosed/transferred to and processed by the following recipients for the Purposes:

Deloitte group of entities listed here. If applicable, your personal data will be processed only to the extent allowed for the Purposes and in accordance with the Data Protection Legislation. Each of the recipient(s) shall be responsible for ensuring the appropriate protection of your data, providing information on your data processing and obtaining additional consents if required. In case your data is transferred across country borders (including the territories outside of the European Union), then such transfers will take place only in the case that the obligations as stipulated by the Data Protection Legislation for such transfers are fulfilled.

Processors

Our approved administrative and IT service suppliers:

Adastra s.r.o., Karolinská 654/2, 186 00 Prague 8, Czech Republic
con4PAS, s.r.o., Novodvorská 1010/14, 142 01 Prague 4 – Lhotka, Czech Republic
Deloitte Advisory & Management Consulting Private Limited Company, Dózsa Gy út 84.C., 1068 Budapest, Hungary
Deloitte CE Business Service Sp. z o.o., Al. Jana Pawla II 22, 00-133 Warsaw, Poland
Deloitte Central Europe Service Centre s.r.o., Italská 2581/67, 120 00, Prague 2 - Vinohrady, Czech Republic
Digital Resources a.s., Poděbradská 520/24, 190 00 Prague 9, Czech Republic
MobileXpense, Koning Albert II-laan 7, 1210 Brussels, Belgium
Mobitouch sp. z o.o., Litewska 10/1, 35-302 Rzeszow, Poland
Sabris CZ s.r.o., Pekařská 621, 155 00 Prague 5, Czech Republic
SI- Consulting sp. z o.o. - ul. A. Słonimskiego 1A ZITA, wejście B, 50-304 Wrocław, Poland
Uniwise s.r.o., Studentská 6202/17, 708 00 Ostrava-Poruba, Czech Republic
Wookie.apps s.r.o., Josefa Kočího 1556, 153 00 Radotín, Czech Republic

Non-EU based (all non-EU based data processors have concluded the EU approved Standard Contractual Clauses with us ensuring an adequate level of Personal Data protection as required by the Data Protection Legislation).

Deloitte Support Services India Private Limited, RMZ Futura, Block B, 2nd Floor, Plot No. 14 & 15, Road No. 2, Hi-Tec City Layout, Madhapur, Hyderabad – 500 081, Telangana, India
Deloitte Touche Tohmatsu Services, Inc., 30 Rockefeller Plaza, New York, 10112 – 0015, USA
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA

Their access rights are strictly limited to the extent that it is only for necessary technical, administrative and help desk support services.

Security of processing

We and our data processors established technological, physical, administrative and procedural safeguards all in line with the industry accepted standards in order to protect and ensure the confidentiality, integrity or accessibility of all personal data processed; prevent the unauthorized use of or unauthorized access to the personal data or prevent a personal data breach (security incident) in accordance with Deloitte CE policies and Data Protection Legislation. Deloitte CE is a holder of ISO 27001 certification – widely recognized global information standard.

Your rights

You have the right to:

· request access to your personal data (and request a copy of the personal data that we process),
· request us to update and correct your personal data (right to rectification),
· request us to delete your personal data (where possible), or
· require a restriction on the processing of your data.

You may object to the processing (in certain cases as specified by GDPR), as well as execute your right to data portability (receive a copy of personal data which you provided to us in a structured machine-readable format and request us to transmit such data to another data recipient).

You can enforce all rights described here by sending an e-mail to: CEprivacy@deloittece.com or a written notice to: Deloitte CE Data Protection Leader, Deloitte Central Europe Service Centre, Italská 2581/67, 120 00, Prague 2 - Vinohrady, Czech Republic.

You can also use the above contacts for any questions related to processing your personal data including the security safeguards when transferring the data outside of the EU region.

It is also your right to lodge a complaint with a local data protection supervisory authority in the country of your residence or to an independent dispute resolution body in case you are of the opinion that the processing of your personal data infringes the GDPR.

Deloitte Central Europe Service Specific Privacy Statement

Deloitte Central Europe entities providing services as data controllers

Applicable to the following services: Audit, Tax Advisory, Global Employment Services, Legal, Risk Advisory, Financial Advisory, Consulting.

What personal data we process

As controller, we process the personal data that you provide to us, including the personal data on your family members and dependents if needed given the nature of service provided, or the data that we obtain from your employer or contractual partner, advisor or third party, under the condition that such data were collected lawfully.

Depending on the given type of services this personal data may include:

· your name, surname and gender, date of birth, your ID or passport details, tax ID number, social security and national insurance number,
· your occupation (job position) and general contact details (work or home address, personal or work e-mail address and telephone number, education certificates),
· other data necessary for the provision of the certain type of service to your contractor or employer (marital status, number of children, information about your family members, their names, surnames, dates of birth, as appropriate),
· financial data (including bank account details, credit history, employment income and personal investment income/gains),
· data related to your relationship with our client (purchased goods or services).

Purposes of your data processing (“Purposes”)

Provision of services to you personally or to our clients (being your employer or your contractual partner) as agreed in the respective contract.

Processing tools

For some types of services, special tools are utilized for personal data processing.

Legal basis for your data processing

· the performance of the contract to which you are a party, or if you are not a party to the contract, then
· our legitimate interest in providing the services based on the contract to your employer or contractual partner, or
· compliance with legal obligations which Deloitte is subject to when providing the services to you or to your employer/contractual partner (i.e. the applicable laws (if any) regulating the provided services explicitly determine that while providing the service we process your personal data as a personal data controller).

The provision and processing of your personal data (including use of certain tools for data processing as indicated here-above) is necessary for the Purposes.

Retention of your personal data

Your personal data shall be retained by us for a period of 10 years following the provision of services to you or to our clients or as required by the applicable laws or relevant regulations or for Deloitte legitimate interest.

Sharing and transferring your personal data

Your personal data may be disclosed/transferred to and processed by the following recipients for the Purposes:

Recipients

Deloitte group of entities listed here. If applicable, your personal data will be processed only to the extent allowed for the Purposes and in accordance with the Data Protection Legislation. Each of the recipient(s) shall be responsible for ensuring the appropriate protection of your data, providing information on your data processing and obtaining additional consents if required. In case your data is transferred across country borders (including the territories outside of the European Union), then such transfers will take place only in the case that the obligations as stipulated by the Data Protection Legislation for such transfers are fulfilled. Deloitte group of entities is bound by the Binding Corporate Rules for ensuring the Data Protection Legislation requirements for data transfers.

Processors

Our subcontractors (approved by the client in the contract or otherwise) and our approved administrative and IT service suppliers:

EU based

Deloitte Advisory & Management Consulting Private Limited Company, Dózsa Gy út 84.C., 1068 Budapest, Hungary
Deloitte CE Business Service Sp. z o.o., Al. Jana Pawla II 22, 00-133 Warsaw, Poland
Deloitte Central Europe Service Centre s.r.o., Italská 2581/67, 120 00, Prague 2 - Vinohrady, Czech Republic
Digital Resources a.s., Poděbradská 520/24, 190 00 Prague 9, Czech Republic
Sabris CZ s.r.o., Pekařská 621, 155 00 Prague 5, Czech Republic
SI- Consulting sp. z o.o. - ul. A. Słonimskiego 1A ZITA, wejście B, 50-304 Wrocław, Poland

Audit Services: Deloitte Group Support Centre BV, a private limited liability company established in The Netherlands, Gustav Mahlerlaan, 2970 Amsterdam, The Netherlands

In order to procure proper administrative, technical and operational support, we may also contract local service providers (in the countries that we operate in) that will process your personal data as personal data processors. Such local service providers are our entrusted partners providing mainly local archiving, courier, translation, IT support or reprographic services. Any such local service provider, prior to the provision of the services, concludes a data processing agreement in line with the requirements of Data Protection Legislation. You can obtain the full list of such local personal data processors directly upon your request to us.

Non-EU based

Since the processing of Personal Data may include transfer of personal data outside of the European Union (EU), all of the below entities have concluded the EU approved Standard Contractual Clauses with the Deloitte entity providing the services under the Engagement to ensure an adequate level of Personal Data protection as required by the Data Protection Legislation.

Tax/Global Employment Services:

Deloitte Support Services India Private Limited, RMZ Futura, Block B, 2nd Floor, Plot No. 14 & 15, Road No. 2, Hi-Tec City Layout, Madhapur, Hyderabad – 500 081, Telangana, India
Deloitte Tax LLP, 30 Rockefeller Plaza, New York, 10112 – 0015, USA (the owner and administrator of GA Organizer)
Deloitte Touche Tohmatsu Services, Inc., 30 Rockefeller Plaza, New York, 10112 – 0015, USA
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA

Their access rights are strictly limited to the extent that it is only for necessary technical, administrative and help desk support services.

Processing tools

For some types of services, special tools are utilized for your personal data processing - find more information about the processing of your personal data under the links below.

Global Employment Services:
GA Organizer Tool

Audit Services:
Deloitte Connect
Deloitte iCount
Deloitte iConfirm

Security of processing

Deloitte and its data processors established technological, physical, administrative and procedural safeguards all in line with the industry accepted standards in order to protect and ensure the confidentiality, integrity or accessibility of all personal data processed; prevent the unauthorized use of or unauthorized access to the personal data or prevent a personal data breach.

Your rights

Please refer to the Deloitte Central Europe Privacy Statement.

Deloitte Central Europe Service Specific Privacy Statement

Deloitte Central Europe entities providing services as data processors

Applicable to the following services: Payroll, Immigration, Forensics (other than advisory), certain services in the area of IT Consulting.

What personal data we process

As processors, we process the personal data that you provide to us, including the personal data on your family members and dependents if needed given the nature of service provided, or the data that we obtain from your employer or contractual partner, advisor, third party, that you explicitly made publicly available or is publicly available otherwise (e.g. online media).

This personal data may include:

· your name, surname and gender, date of birth, your ID or passport details, tax ID number, social security and national insurance number,
· your occupation (job position) and general contact details (work or home address, personal or work e-mail address and telephone number, education certificates),
· other data necessary for the provision of the certain type of service to your contractor or employer (marital status, number of children, information about your family members, their names, surnames, dates of birth, as appropriate),
· financial data (including bank account details, employment income and personal investment income/gains),
· data related to your professional activities, work performance and evaluation.

Purposes of your data processing

Provision of the services to you personally or to our clients (your employer or contractual partner) as determined in the respective contract based on the instruction of the controller (you, your employer or contractual partner).

Your personal data processing is done based on the instructions of our clients – personal data controllers that are also responsible for delivering the information on your personal data processing to you including the information how to execute your rights – please contact your employer/contractual partner directly to:

· request access to your personal data (and request a copy of the personal data that is processed),
· request to update and correct your personal data (right to rectification),
· request to delete your personal data (where possible), or
· request a restriction on the processing.
