Article
Deloitte Central Europe Privacy Statement
(information on your personal data processing) applicable to our client, vendor, contractor and sub-contractor relationships
Updated 26 April 2021
English version below, versions in local languages available in PDF format:
Albania and Kosovo, Bulgaria, Croatia, Czech Republic, Estonia, Hungary, Latvia, Lithuania, North Macedonia, Montenegro, Poland, Republic of Srpska, Romania and Moldova, Slovak Republic, Slovenia, Serbia, Ukraine
Definitions
“Deloitte” refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities (collectively, the “Deloitte organization”). DTTL (also referred to as “Deloitte Global”) and each of its member firms and related entities are legally separate and independent entities, which cannot obligate or bind each other in respect of third parties. DTTL and each DTTL member firm and related entity is liable only for its own acts and omissions, and not those of each other. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more. “Deloitte Central Europe” (“Deloitte CE”) is a regional organization of entities organized under the umbrella of Deloitte Central Europe Holdings Limited, the member firm in Central Europe of Deloitte Touche Tohmatsu Limited. Services are provided by the subsidiaries of, and firms associated with Deloitte Central Europe Holdings Limited, which are separate and independent legal entities.
“Controller” (“we”, “us” or “our”) means a controller or data controller determining the purposes of personal data processing (as further defined in the Data Protection Legislation).
“Processor” means a data processor or processor processing the personal data on behalf of the controller (as further defined in the Data Protection Legislation).
“Data Protection Legislation” means the following legislation to the extent applicable from time to time: (a) national laws implementing the Directive on Privacy and Electronic Communications (2002/58/EC); (b) the GDPR; and (c) any other similar national privacy law.
“GDPR” means the General Data Protection Regulation (EU) (2016/679).
“Personal Data” means any personal data (information relating to an identified or identifiable natural person / data subject) processed in connection with or as part of the services provided to our clients or in relation of the contractual relationships with our vendors, contractors or sub-contractors or as necessary for activities that are part of our standard business operations.
“Processing” means any operation or set of operations on personal data (manual or automated) such as collection, recording, structuring, storage, use, disclosure, restriction, erasure or destruction (as further defined in the Data Protection Legislation).
“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed (as further defined in the Data Protection Legislation).
Summary
This Privacy Statement is applicable to processing of your personal data (“data”) by us and explains:
- what personal data we process about you;
- why (for what purposes) we process your personal data (including the legal grounds for your data processing);
- how and in what locations we process your personal data (where we transfer your personal data and with whom we share your data);
- what are your rights.
This Privacy Statement applies from the date specified at the top of this page. We may modify or amend this Privacy Statement from time to time therefore, we encourage you to review this statement periodically.
What personal data we process
We process the personal data that you provide to us, that we obtain from your employer or contractual partner, advisor or third party, that you explicitly made publicly available or is publicly available otherwise (e.g. online media).
This personal data may include:
- your name, surname and gender;
- your occupation (job position) and general contact details (work or home address, personal or work e-mail address and telephone number;
- history and details of your business contacts with Deloitte;
- your bank account number (in case that our client/contractor/vendor and sub-contractor is a natural person);
- IP address;
- your personal data provided in connection with the execution of your rights in accordance with this Privacy Statement;
- CCTV images and other information we collect when you access our premises (the specific and customized information on this personal data processing is available in the respective Deloitte CE premise if applicable – the CCTV images may be also processed by the building owner or the authorized third party).
For the purposes specified here-below we do not collect or process any ‘sensitive’ or ‘special categories’ of personal data as defined in the Data Protection Legislation. The additional types and categories of your personal data that are processed directly for the purposes of provision of our services are described in the Deloitte CE entities providing services as data controllers and Deloitte CE entities providing services as data processors privacy statements.
Purposes of your data processing (the “Purposes”)
- compliance with the applicable legal, regulatory or professional requirements (anti money laundering);
- addressing requests and communications from competent authorities;
- general contract administration, financial accounting (invoicing) and statistics;
- internal compliance and risk analysis (including investigating or preventing security incidents);
- protecting our rights and legitimate interests;
- general client, vendor, contractor or sub-contractor relationship purposes (including the feedback and complaints, as well as assessment and development of business opportunities);
- utilization of internal or hosted (cloud) information technology systems, services and applications (for communication, data sharing and archiving purposes).
Please note that this Privacy Statement does not include the information on processing of personal data for the purposes of marketing, direct mailing and recruitment. The processing of personal data for such purposes is described in the specific privacy statements that may be also part of your consent with such personal data processing (where relevant). We do not process your personal data for direct mailing and marketing purposes without your explicit consent. However, we may ask you for such consent in the course of personal data processing for the Purposes.
Legal basis for your data processing:
We process your personal data only when the processing is necessary in the following cases:
- to administer the contract, we have with you personally or to take steps to enter into the contract with you;
- for compliance with a legal obligation we are subject to;
- for the purposes of our legitimate interest which might be:
- to execute and fulfil contracts with our vendors, contractors or sub-contractors,
- to protect our business interests (including to conduct our risk and quality assessments),
- to ensure that the complaints or requests delivered to us are properly addressed.
Retention of your personal data
Your personal data shall be retained by us for a period of 10 years following the provision of services to our clients or the expiration of our contractual relationships with our vendors, contractors or sub-contractors or as required by the applicable laws or relevant regulations or for Deloitte legitimate interest.
Personal data controller
In the context of this Privacy Statement the data controller is the Deloitte CE entity that is party to the client, vendor, contractor or sub-contractor contract.
Sharing and transferring your personal data
Your personal data may be disclosed/transferred to and processed by the following recipients for the Purposes:
Deloitte group of entities listed here. If applicable, your personal data will be processed only to the extent allowed for the Purposes and in accordance with the Data Protection Legislation. Each of the recipient(s) shall be responsible for ensuring the appropriate protection of your data, providing information on your data processing and obtaining additional consents if required. In case your data is transferred across country borders (including the territories outside of the European Union), then such transfers will take place only in the case that the obligations as stipulated by the Data Protection Legislation for when such transfers are fulfilled.
Processors
Our approved administrative and IT service suppliers:
Adastra s.r.o., Karolinská 654/2, 186 00 Prague8, Czech Republic
con4PAS, s.r.o., Novodvorská 1010/14, 142 01 Prague 4 – Lhotka, Czech Republic
Deloitte Advisory & Management Consulting Private Limited Company, Dózsa Gy út 84.C., 1068 Budapest, Hungary
Deloitte CE Business Service Sp. z o.o., Al. Jana Pawla II 22, 00-133 Warsaw, Poland
Deloitte Central Europe Service Centre s.r.o., Italská 2581/67, 120 00, Prague 2 - Vinohrady, Czech Republic
Deloitte CZ Services s.r.o., Italská 2581/67, 120 00, Prague 2 - Vinohrady Czech, Republic
Deloitte Global Services Limited, Hill House, 1 Little New Street, EC4A 3TR London, United Kingdom
Digital Resources a.s., Poděbradská 520/24, 190 00 Prague 9, Czech Republic
MobileXpense, Koning Albert II-laan 7, 1210Brussels, Belgium
Mobitouch sp. z o.o., Litewska 10/1, 35-302 Rzeszow, Poland
Sabris CZ s.r.o., Pekařská 621, 155 00 Prague 5, Czech Republic
SI- Consulting sp. z o.o.- ul. A. Słonimskiego 1A ZITA, wejście B, 50-304 Wrocław, Poland
Uniwise s.r.o., Studentská 6202/17, 708 00 Ostrava-Poruba, Czech Republic
Wookie.apps s.r.o., Josefa Kočího 1556, 153 00 Radotín, Czech Republic
Non-EU based (all non-EU based data processors have concluded the EU approved Standard Contractual Clauses with us ensuring an adequate level of Personal Data protection as required by the Data Protection Legislation).
Deloitte Support Services India Private Limited, RMZ Futura, Block B, 2nd Floor, Plot No. 14 & 15, Road No. 2, Hi-Tec City Layout, Madhapur, Hyderabad – 500 081, Telangana, India
Deloitte Touche Tohmatsu Services, Inc., 30 Rockefeller Plaza, New York, 10112 – 0015, USA
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA
Their access rights are strictly limited to the extent that it is only for necessary technical, administrative and help desk support services.
Security of processing
We and our data processors established technological, physical, administrative and procedural safeguards all in line with the industry accepted standards in order to protect and ensure the confidentiality, integrity or accessibility of all personal data processed; prevent the unauthorized use of or unauthorized access to the personal data or prevent a personal data breach (security incident) in accordance with Deloitte CE policies and Data Protection Legislation. Deloitte CE is a holder of ISO 27001 certification – widely recognized global information standard.
Your rights
You have your right to:
- request access to your personal data (and request a copy of the personal data that we process),
- request us to update and correct your personal data (right to rectification),
- request us to delete your personal data (where possible), or
- require a restriction on the processing of your data.
You may object to the processing (in certain cases as specified by GDPR), as well as execute your right to data portability (receive a copy of personal data which you provided to us in a structured machine –readable format and request us to transmit such data to another data recipient).
You can enforce all rights described here by sending an e-mail to: CEprivacy@deloittece.com or a written notice to: Deloitte CE Data Protection Leader, Deloitte Central Europe Service Centre, Italská 2581/67, 120 00, Prague 2 - Vinohrady, Czech Republic.
You can also use the above contacts for any questions related to processing your personal data including the security safeguards when transferring the data outside of the EU region.
It is also your right to lodge a complaint with a local data protection supervisory authority in the country of your residence in case you are of the opinion that the processing of your personal data infringes the GDPR.