Privacy Notice for individual Deloitte Clients
Last updated: May 2018
In connection with your contractual relationship with Deloitte, Deloitte will, as a data controller, collect and process personal data of data subjects for the purposes specified below. Deloitte processes personal data in accordance with the principles in the EU’s General Data Protection Regulation (GDPR) and Finnish data protection legislation.
- Data we may collect about you and for which purposes
- From whom do we collect your personal data?
- The legal basis for the collection and processing of your personal data
- Who do we share your personal data with and why?
- Who do we transfer your personal data to?
- How long do we store your data?
- Your rights
- Revision of our privacy notice
1. Data we may collect about you and for which purposes
We may collect and process the following types of personal data for the purposes of delivering services to you and for the purposes of compliance with applicable legal or regulatory requirements and/or internal policies; documentation requirements; handling inspections and queries by supervisory authorities; external auditors and legal advisors:
- Your name; age; date of birth; national identification number; gender; phone number; home address; country of residence; passport; visa; family circumstances (e.g. civil status and contact details on dependents) and close relatives; photo; e-mail address; title; employee identification number; employment and education details (e.g. previous employment and education details); salary and pension information; leaves of absence; bank account details; tax-related information; investments.
We may also collect the following types of special categories of personal data for the purposes specified above:
- Trade union membership
- Data concerning health
2. From whom do we collect your personal data?
We collect your personal data from you, as well as from public authorities, pension companies, insurance providers, banks, legal and other third-party advisors and other Deloitte entities, depending on the nature of the engagement.
3. The legal basis for the collection and processing of your personal data
We collect and process your data based on the following articles of GDPR:
- Art. 6 paragraph 1 (a) consent
- Art. 6 paragraph 1 (b) performance of a contract
- Art. 6 paragraph 1 (c) legal obligation to which Deloitte is subject
- Art. 6 paragraph 1 (f) the legitimate interests of Deloitte.
The legitimate interests pursued by Deloitte include the following purposes: Performance of our contractual obligations to the client; staffing and resource allocation; provision of access to relevant systems; compliance with internal policies and documentation requirements.
These processes are necessary for the effective operation of our business and require collection and processing of your personal data.
4. Who do we share your personal data with and why?
In connection with one or more purposes outlined above, your personal data may be disclosed to and shared with the following recipients: Public authorities, our professional advisors (e.g. auditor and legal advisors), service and IT vendors; and other Deloitte entities.
5. Who do we transfer your personal data to?
Transfer of personal data to data processors
We may transfer your personal data to other Deloitte entities. We may also transfer your personal data to IT providers, including cloud service providers, or to external service vendors, who process and/or store the personal data on our behalf.
Transfer of personal data to recipients in countries outside the EU/EEA
We may transfer your personal data to recipients located in countries outside the EU/EEA for the purposes listed in section 1. In such cases, the legal basis for the international transfer is either the EU’s Model Clause Agreement, the US Privacy Shield Certification, or Deloitte’s Binding Corporate Rules when applicable.
6. How long do we store your data?
We store the personal data for as long as necessary to fulfil the purposes above; however, for no longer than necessary for the purposes and to meet legal requirements.
7. Your rights
Subject to the conditions set out in the applicable data protection legislation, the data subject enjoys the following rights:
- The right to request access to your personal data
- The right to rectification of your personal data
- The right to erasure of your personal data
- The right to restriction of processing
- The right to data portability
- The right to objection to the processing of your personal data
Please note that these rights are not absolute, as they should be balanced against legal requirements and Deloitte’s legitimate interest.
You also have the right to lodge a complaint with the competent supervisory authority: Tietosuojavaltuutetun toimisto (Office of the Data Protection Ombudsman).
Please contact us at firstname.lastname@example.org if you have any questions with regard to the protection of your personal data or if you wish to exercise your legal rights.
Porkkalankatu 24, PL 122, 00181 Helsinki
9. Revision of our privacy notice
We keep our privacy notice under regular review and thus the notice may be subject to changes. The date of the last revision of the privacy notice can be found at the top of the page.