Revision date: December 2023
This Privacy Notice applies to Deloitte Greece Entities, which are:
1. “Deloitte Business Solutions Societe Anonyme of Business Consultants” with the distinctive title “DELOITTE BUSINESS SOLUTIONS SA”,
2. “Deloitte Certified Public Accountants Societe Anonyme” with the distinctive title “DELOITTE.” and
3. “Deloitte Alexander Competence Center Single-Member Societe Anonyme of Business Consultans” with the distinctive title “DACC SA”
(collectively “Deloitte” or the “Firm”), in compliance with applicable national and European legislation on data protection, hereby informs you, in its capacity as a data controller, for the collection, processing and storage of your personal data.
Deloitte maintains personal information that you voluntarily submitted during one of our marketing activities or websites or have come to our possession through the performance of a relevant service in the near past. If at any time you would like to withdraw your consent for receiving communications from Deloitte, you can send your request via email to DataPrivacyOfficer@deloitte.gr.
Please read the following information carefully and let us know if you have any questions by contacting the Firm’s DPO at DataPrivacyOfficer@deloitte.gr.
Useful Definitions:
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘Controller’ means the natural or legal person, public authority, agency or other body which alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;
‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
Purposes regarding the processing of your personal data:
The processing of your personal data will take place for the fulfilment of the purpose of conducting Deloitte’s marketing & communications activities. Related initiatives may include business insights, industry trends, reports, invitations to events we organise or sponsor, newsletters or other marketing communications related to the various services offered by Deloitte worldwide. Such communications could be shared by post, email, telephone, text messages or recorded calls. Additionally, we may process your personal data, collected during events (pictures and/or videos of you) for the purpose of further promoting Deloitte events.
Categories of personal data that we process:
Deloitte, indicatively, processes the following personal information that you may voluntarily submit, such as full name, e-mail address, phone number, company name, job position, work and/or home address.
You are responsible for ensuring that any personal information submitted by you is accurate, complete and up-to-date.
Also, Deloitte may process footage of you (pictures and videos) taken during events. Deloitte may use the aforementioned material for posts in our Social Media Accounts (Facebook, Instagram, LinkedIn, YouTube) and our Intranet site.
Kindly note that in case you do not wish to be filmed and/or photographed during any event, Deloitte will always provide a discrete space where you may choose to be seated. The provision of your personal data is not mandatory and if you do not consent to the processing there are not any negative consequences for you.
We do not collect and process special categories of personal data, such as data relating to your race or ethnic origin, religious conviction, criminal record, physical and mental health status or sexual orientation.
Legal bases for the processing:
The legal basis for the processing of your personal data for the purposes outlined above are:
a) Your consent that you provided to us for the purpose of participating in Deloitte’s marketing & communications activities (art. 6 par.1a GDPR). Your consent is the legal basis also for the processing of pictures and/or videos of you for the purpose of promoting Deloitte events.
In such case, you may revoke your consent at any time, by sending an email to the Firm’s DPO at: DataPrivacyOfficer@deloitte.gr, as it is clearly stated in the consent form. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
b) Our legitimate interests to promote our services as outlined in Law 3471/2006 and subsequent amendments, except where such interests are overridden by your interests or fundamental rights and freedoms, which require protection of personal data (article 6 par. 1f GDPR). This legal basis applies to the processing of your personal data for Deloitte’s electronic communications to you in the context of conducting marketing & communications activities. You have the right to object at any time to the processing of your personal data for such activities. Also, you may opt-out of receiving further communications at any time, by following the instructions included in the communications.
It is noted that data processing will be reduced to the minimum and every operation made will be done with the strict necessary means due to purposes mentioned above, adopting any measure to mitigate or reduce the extent and impact of data processing.
Who we disclose your information to?
When it is necessary to perform one or more of the purposes outlined above by use of appropriate partners, we may disclose your personal data to:
Kindly note that your personal data collected during Deloitte events (pictures and/or videos) are processed only by authorized personnel through our Social Media Accounts (Facebook, Instagram, LinkedIn, YouTube) and our Intranet site;
Please also note that some of the recipients of your personal data mentioned above may be based in countries outside the European Economic Area. In such cases, we will ensure there are adequate safeguards in place, as provided for in Chapter V of GDPR, to protect your personal data.
In all cases, we may be requested to disclose your personal data if required to do so by law, a regulator or during legal proceedings.
Protection of your personal information:
We have in place reasonable commercial standards of technology and operational security to protect all personal information provided by individuals from loss, misuse and unauthorized access, disclosure, alteration, or destruction. Only authorized personnel, who have been made appropriately aware of our privacy obligations, are provided access to personal information.
How long we keep your information for?
We will hold your personal data on our systems for a period of two (2) years, commencing either from the provision of your personal information to us or from the completion of a Marketing & Communications activity, where applicable.
Your rights:
According to articles 12-22 of the General Data Protection Regulation (GDPR), you have the following rights:
(a) Right to obtain from the Firm transparent information as to whether or not personal data concerning you are being processed and, where that is the case, access to the personal data and the following information: The purposes of the processing, the categories of personal data concerned, the recipients to whom the personal data have been or will be disclosed, the envisaged period for which the personal data will be stored, the existence of the right to request from the Firm rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing, the right to lodge a complaint with a supervisory authority. Where the personal data are not collected from the data subject, any available information as to their source.
(b) You have the right to obtain from the Firm without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
(c) You have the right to obtain from the Firm the erasure of personal data concerning you without undue delay and the Firm shall have the obligation to erase personal data without undue delay, where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, when you withdraw your consent on which the processing is based and where there is no other legal ground for the processing, when you object to the processing and there are no overriding legitimate grounds for the processing, when your personal data have been unlawfully processed, when the personal data have to be erased for compliance with a legal obligation to which the Firm is subject.
(d) You have the right to obtain restriction of processing of your personal data when: a) the accuracy of your personal data is contested and until the accuracy of the data is verified; b) the processing is unlawful and you oppose to the erasure of your personal data and request the restriction of their use instead; c) your personal data is no longer needed for the purposes of the processing, but they are required for the establishment, exercise or defense of legal claims; and d) you have objected to the processing pending the verification whether there are legitimate grounds concerning the Firm and override those for which you oppose to the processing.
(e) You have the right to receive without any cost accrued your personal data in a structured, commonly used and machine-readable format, as well as the right to transmit those data to another controller, provided that it is technically feasible. This right concerns the data that you have provided to the Firm and their processing is carried out by automated means based on your consent or in performance/execution of a relative contract.
(f) You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, in cases when processing is necessary for the performance of a task carried out in the public interest; or processing is necessary for the purposes of the legitimate interests pursued by the Firm or by a third party, including profiling based on those provisions. The Firm shall no longer process the personal data unless the Firm demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
(g) If the processing is based on consent, you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
(h) You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
The Firm would like to inform you that, even though we are committed to respecting your rights, we might sometimes not be able to satisfy your requests, especially when it comes to the rights of erasure or restriction of data processing. We might have to continue the processing of your data if we are obliged to do so by law, or to comply with court decisions or other requests by competent authorities or we have overriding interests to do so, for example to defend our legal rights before the competent authorities.
To exercise any of your rights or make a complaint to us relating to your privacy or if you have any other questions about our use of your personal data, please send an email to the Firm’s DPO, to the following email address DataPrivacyOfficer@deloitte.gr. We will make every possible effort to respond as soon as possible and in any case within the 30 day time limit or as set out in law.
You always have the right to file a complaint before the competent supervisory authority, which in Greece is the Hellenic Data Protection Authority (HDPA), by following the instructions found on the HDPA’s website.
However, should you have a complaint or question, it is advisable to contact the Firm first, in order to try and solve the matter amicably.