Deloitte CE Privacy Statement for Clients
English version below, versions in local languages available as PDF:
Albania, Bulgaria, Czech Republic, Estonia, Kosovo, Latvia, Lithuania, Macedonia, Montenegro, Poland, Republic of Srpska, Romania and Moldova, Slovak Republic, Serbia
Note: The below information is applicable also for personal data processing in supplier, contractor and sub-contractor relationships.
Information on processing of personal data in client relationships:
“Deloitte” refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients.
“Deloitte Central Europe (Deloitte CE)” is a regional organization of entities organized under the umbrella of Deloitte Central Europe Holdings Limited, the member firm in Central Europe of Deloitte Touche Tohmatsu Limited. Services are provided by the subsidiaries and affiliates of Deloitte Central Europe Holdings Limited, which are separate and independent legal entities.
“Controller” means a controller or data controller (as defined in the Data Protection Legislation).
“Processor” means a data processor or processor (as defined in the Data Protection Legislation).
“Data Protection Legislation” means the following legislation to the extent applicable from time to time: (a) national laws implementing the Data Protection Directive (95/46/EC) and the Directive on Privacy and Electronic Communications (2002/58/EC); (b) the GDPR; and (c) any other similar national privacy law.
“GDPR” means the General Data Protection Regulation (EU) (2016/679).
“Personal Data” means any personal data (as defined in the Data Protection Legislation) processed in connection with or as part of the Services.
“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed (as further defined in the Data Protection Legislation).
The Personal Data provided by the Deloitte CE clients (“clients”) or obtained directly from their staff members and representatives are processed by the Deloitte CE entity that is in contractual relationship with the respective client, for the purpose of, or in connection with the following:
- provision of the services as agreed in the respective contract with the client;
- compliance with the applicable legal, regulatory or professional requirements;
- addressing requests and communications from competent authorities;
- contract administration, financial accounting, internal compliance and risk analysis, and client relationship purposes;
- utilization of systems applications (hosted or internal) for information technology and information system services (e-mail/archiving and similar) – this may also include cloud hosted applications provided that the data security and data transfer obligations as set by the applicable Data Protection Legislation are met. (the “Purposes”).
The Personal Data may include data regarding the client’s representatives, personnel, project team members, suppliers and contractors (“Personal Data subjects”), as well as the Personal Data included in the information obtained in relation to the contract.
The Controller is primarily the Deloitte CE entity that is party to the client contract.
For the Purposes indicated above, the Personal Data may be disclosed/transferred to and processed by the following Recipients of Personal Data:
Deloitte group of entities:
In line with the Purposes specified here-above and to the extent necessary for the provision of Services, the Personal Data may be disclosed to another Controller within the Deloitte group of companies (http://www2.deloitte.com/global/en/get-connected/global-office-directory.html)
If the transfer of Personal Data across country borders (including the territories outside of the European Union) is also required, (the Deloitte entity will act as another Controller) then the transfer will take place only in the case that the obligations as stipulated by the Data Protection Legislation for such transfers are fulfilled.
The following Processors process the Personal Data on behalf of the Controller in line with the Purposes:
Subcontractors (approved by the client in the contract or otherwise)
Deloitte CE standard service suppliers:
EU based service suppliers:
Billigence Europe Limited, with registered seat at 12 Gough Square, London, EC4A 3DW, United Kingdom
Deloitte Advisory & Management Consulting Private Limited Company, Dózsa Gy út 84.C., 1068 Budapest, Hungary
Deloitte CZ Services s.r.o., Karolinská 654/2, 186 00 Prague 8, Czech Republic
Deloitte CE Business Service Sp. z o.o., Al. Jana Pawla II 22, 00-133 Warsaw, Poland
Deloitte Central Europe Service Centre s.r.o., Karolinská 654/2, 186 00, Prague 8, Czech Republic
Deloitte Global Services Limited, Hill House, 1 Little New Street, EC4A 3TR London, United Kingdom
4C Hungary Kft., Budafoki út 14. I/1, Budapest, 1111, Hungary
con4PAS, s.r.o., Novodvorská 1010/14, 142 01 Prague 4 – Lhotka, Czech Republic
MobileXpense, Rue des Colonies 11, 1000 Brussels, Belgium
SI-Consulting Sp. z o.o., Slezna Str. 118, 53-111 Wroclaw, Poland
Non-EU based service suppliers:
Since the processing of Personal Data includes transfer outside of the European Union (EU), all of the below entities have concluded the EU approved Standard Contractual Clauses with the Deloitte entity which the client entered into the contractual relationship with, thus ensuring an adequate level of Personal Data protection as required by the Data Protection Legislation.
Deloitte Touche Tohmatsu Services, Inc., 30 Rockefeller Plaza, New York, 10112 – 0015, USA
Deloitte Support Services India Private Limited, RMZ Futura, Block B, 2nd Floor, Plot No. 14 & 15, Road No. 2, Hi-Tec City Layout, Madhapur, Hyderabad – 500 081, Telangana, India
Deloitte Tax LLP, 30 Rockefeller Plaza, New York, 10112 – 0015, USA (Applies to Tax and GES services only)
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA
The personal data controller(s) and data processor(s) shall establish technological, physical, administrative and procedural safeguards all in line with the industry accepted standards in order to protect and ensure the confidentiality, integrity or accessibility of the Personal Data processed. The safeguards will prevent the unauthorized use of or unauthorized access to the Personal Data or prevent a personal data breach (security incident) in accordance with Deloitte CE instructions, policies and applicable Data Protection Legislation. Deloitte CE entities processing client data are also ISO 27001 certified (ISO/IEC 27001 Information security management).
The processing of Personal Data is necessary for the provision of services under the contract.
The individuals have the right to request access to their Personal Data and rectification or erasure of their Personal data (where possible), or request a restriction on the processing or to object to the processing, as well as the right to data portability. All rights described in this paragraph can be enforced by sending an e-mail request to the data controller at: CEprivacy@deloitte.com. Individuals may also address their questions related to Personal Data collection and processing within Deloitte CE to the above e-mail address. They have the right to lodge a complaint with a supervisory authority in the country of their residence if they consider that the processing of personal data relating to them infringes the Data Protection Legislation.