Privacy Statement

Last revised: April 2020

This Privacy Notice applies to Deloitte Greece Entities, which are:

1. “Deloitte Business Solutions Societe Anonyme of Business Consultants” with the distinctive title “DELOITTE BUSINESS SOLUTIONS SA”,

2. “Deloitte Certified Public Accountants Societe Anonyme” with the distinctive title “DELOITTE.”,

3. “Deloitte Business Process Solutions Single-Member Societe Anonyme for the Provision of Accounting Services” with the distinctive title “DELOITTE BPS”,

4. “Deloitte Alexander Competence Center Single-Member Sosiete Anonyme of Business Consultans” with the distinctive title “DACC SA” and

5. “Koimtzoglou-Bakalis-Venieris-Leventis & Associates Law Partnership” with the distinctive title “KBVL Law firm”,

(collectively “Deloitte” or the “Firm”), in compliance with applicable national and European legislation on data protection, hereby informs, in its capacity as a data controller, with respect to the collection, processing and storage of data subjects’ personal data.

This privacy statement explains what information we gather about you, what we use that information for and who we give that information to. It also sets out your rights in relation to your information and who you can contact for more information or queries.

Please read the following information carefully and let us know if you have any questions by contacting the Firm’s DPO at DataPrivacyOfficer@deloitte.gr.

Useful Definitions:

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‘Controller’ means the natural or legal person, public authority, agency or other body which alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

‘Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;

‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

‘Data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

This privacy statement sets out how we will collect, handle, store and protect information about you when you use “our Website” or when performing any other activities that form part of the operation of our business.

When we refer to “our Website” or “this Website” in this statement we mean the specific webpages of deloitte.com designated as “Greek” in the upper right hand corner and to specific webpages with a URL commencing ‘http://www.deloitte.com/gr

Deloitte.com is comprised of various global, country, regional and practice specific websites, each of which is provided by Deloitte Touche Tohmatsu Limited (“DTTL”) or one of its independent member firms or their related entities (collectively, the “Deloitte Network”). Such websites, as well as other websites that may be linked to this Website, are not governed by this privacy statement. We encourage visitors to review the privacy statements on each of these other websites before disclosing any personal information. To learn more about DTTL, the member firms of DTTL and their related entities, please see About Deloitte 

This privacy statement also contains information about when we share your personal data with other members of the Deloitte Network and other third parties (for example, our service providers).

Purposes regarding the processing of your personal data:

The personal information you submit to us may be used to:

·         manage our relationship with you, including any of your requests

·         customize or improve the Website and related services offered to you

·         protect our rights or property and that of our users

·         to comply with legal process, where appropriate.

Categories of personal data that we process:

As a visitor, you do not have to submit any personal information in order to use the Website, however, we may collect personal data from you when you voluntarily interact with this Website. We may also collect or obtain personal data from you because we observe or infer that data about you from the way you interact with us. For example, to improve your experience when you use this Website and ensure that it is functioning effectively, we (or our service providers) may use cookies (small text files stored in a user’s browser) and web beacons which may collect personal data. Additional information on how we use cookies and other tracking technologies and how you can control these can be found in our cookie notice.

The personal data that we collect or obtain may include: your name; age; date of birth; gender; e-mail address; home address; country of residence; employment and education details (for example, the organization you work for, your job title and your education details); your postings on any blogs, forums, wikis and any other social media applications and services that we provide; your IP address; your browser type and language; your access times; complaint details; details of how you use our products and services; details of how you like to interact with us and other similar information.

We do not usually seek to collect sensitive personal information (i.e., data relating to race or ethnic origin, religious or philosophical beliefs, trade union memberships, political opinions, medical or health conditions or information specifying the sex life or sexual orientation of an individual) from users. We will, where necessary, obtain your explicit consent to collect and use such information.

We do not engage in the collection of personal information about your online activities across third-party websites or online services and we do not allow third parties to collect such personal information when you use the Website.

We understand the importance of protecting children's privacy. Our Website and services are not designed for, or intentionally targeted at, children. It is not our policy to intentionally collect or store information about children.

 

Legal bases for the processing:

The legal bases for the processing of your personal data for the purposes outlined above are:

a) Your consent that you provided to us for the purpose of Deloitte’s marketing & communications activities (art. 6 par.1a GDPR).

In such case, you may revoke your consent at any time, by sending an email to the Firm’s DPO at: DataPrivacyOfficer@deloitte.gr, as it is clearly stated in the consent form.

b) Our legitimate interests in the effective delivery of our services to you and in the effective and lawful operation of our business, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data (article 6 par. 1f GDPR).

It is noted that data processing will be reduced to the minimum and every operation made will be done with the strict necessary means due to purposes mentioned above, adopting any measure to mitigate or reduce the extent and impact of data processing.

Who we disclose your information to?

When it is necessary to perform one or more of the purposes outlined above by use of appropriate partners, we may disclose your personal data to:

·         other members of the Deloitte Network;

·         entities that provide services to us and/or the Deloitte Network;

·         competent authorities (including courts, tax authorities, social security authorities and regulatory authorities overviewing the Firm and/or the Deloitte Network);

·         other entities within the Deloitte Network and other third parties, as part of a corporate transaction such as a sale, divestiture, reorganization, merger or acquisition, and only provided that the law permits such disclosure.

Our Website hosts various blogs, forums, wikis and other social media applications or services that allow you to share content with other users (collectively “Social Media Applications”). Importantly, any personal information that you contribute to these Social Media Applications can be read, collected and used by other users of the application. We have little or no control over these other users and, therefore, we cannot guarantee that any information that you contribute to any Social Media Applications will be handled in accordance with this privacy statement.

Please note that some of the recipients of your personal data mentioned above may be based in countries outside the European Economic Area, In such cases, we will ensure that there are adequate safeguards in place to protect your personal data, which comply with our legal obligations and applicable legislation and we also commit to inform you before any data transfer outside the EU.

In all cases, we may be requested to disclose your personal data if required to do so by law, a regulator or during legal proceedings.

Protection of your personal information:

We have in place reasonable commercial standards of technology and operational security to protect all personal information provided by individuals from loss, misuse and unauthorized access, disclosure, alteration or destruction. Only authorized personnel, who have been made appropriately aware of our privacy obligations, are provided access to personal information.

How long we keep your information for?

We will hold your personal data on our systems for the longest of the following periods: (i) as long as is necessary for the relevant purpose of collection; (ii) any retention period that is required by law; (iii) the end of the period in which litigation or investigations might arise in respect of services provided to you.

Your rights:

According to articles 12-22 of the General Data Protection Regulation (GDPR), you have the following rights:

(a)  Right to obtain from the Firm transparent information as to whether or not personal data concerning you are being processed and, where that is the case, access to the personal data and the following information: The purposes of the processing, the categories of personal data concerned, the recipients to whom the personal data have been or will be disclosed, the envisaged period for which the personal data will be stored, the existence of the right to request from the Firm rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing, the right to lodge a complaint with a supervisory authority. Where the personal data are not collected from the data subject, any available information as to their source.

(b)  You have the right to obtain from the Firm without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

(c)   You have the right to obtain from the Firm the erasure of personal data concerning you without undue delay and the Firm shall have the obligation to erase personal data without undue delay, where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, when you withdraw your consent on which the processing is based and where there is no other legal ground for the processing, when you object to the processing and there are no overriding legitimate grounds for the processing, when your personal data have been unlawfully processed, when the personal data have to be erased for compliance with a legal obligation to which the Firm is subject.

(d)  You have the right to obtain restriction of processing of your personal data when: a) the accuracy of your personal data is contested and until the accuracy of the data is verified; b) the processing is unlawful and you oppose to the erasure of your personal data and request the restriction of their use instead; c) your personal data is no longer needed for the purposes of the processing, but they are required for the establishment, exercise or defense of legal claims; and d) you have objected to the processing pending the verification whether there are legitimate grounds concerning the Firm and override those for which you oppose to the processing.

(e)  You have the right to receive without any cost accrued your personal data in a structured, commonly used and machine-readable format, as well as the right to transmit those data to another controller, provided that it is technically feasible. This right concerns the data that you have provided to the Firm and their processing is carried out by automated means based on your consent or in performance/execution of a relative contract.

(f)   You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, in cases when processing is necessary for the performance of a task carried out in the public interest; or processing is necessary for the purposes of the legitimate interests pursued by the Firm or by a third party, including profiling based on those provisions. The Firm shall no longer process the personal data unless the Firm demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

(g)  If the processing is based on consent you have the right to withdraw your consent at any time.The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

(h)  You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

The Firm would like to inform you that, even though we are committed to respect your rights, we might sometimes not be able to satisfy your requests, especially when it comes to the rights of erasure or restriction of data processing. We might have to continue the processing of your data if we are obliged to do so by law, or to comply with court decisions or other requests by competent authorities or we have overriding interests to do so, for example to defend our legal rights before the competent authorities.

To exercise any of your rights or make a complaint to us relating to your privacy or if you have any other questions about our use of your personal data, please send an email to the Firm’s DPO, Mr. Dimitrios Vosikas, to the following email address DataPrivacyOfficer@deloitte.gr. We will make every possible effort to respond as soon as possible and in any case within the 30 day time limit or as set out in law.

You always have the right to file a complaint before the competent supervisory authority, which in Greece is Hellenic Data Protection Authority (HDPA), by sending an email to the email address: complaints@dpa.gr.

However, should you have a complaint or question, it is advisable to contact the Firm first, in order to try and solve the matter amicably.