Privacy Notice for Deloitte Alumni 

Revision date: November 2019

This Privacy Notice applies to Deloitte Greece Entities, which are:

1. “Deloitte Business Solutions Societe Anonyme of Business Consultants” with the distinctive title “DELOITTE BUSINESS SOLUTIONS SA”,

2. “Deloitte Certified Public Accountants Societe Anonyme” with the distinctive title “DELOITTE.”,

3. “Deloitte Business Process Solutions Single-Member Societe Anonyme for the Provision of Accounting Services” with the distinctive title “DELOITTE BPS”,

4. “Deloitte Alexander Competence Center Single-Member Societe Anonyme of Business Consultants” with the distinctive title “DACC SA” and

5. “Koimtzoglou-Bakalis-Venieris-Leventis & Associates Law Partnership” with the distinctive title “KBVL Law firm”

(collectively the “Firm”), in compliance with applicable national and European legislation on data protection, hereby informs, in its capacity as a data controller, its former employees with respect to the collection, processing and storage of their personal data.

This Privacy Notice is intended to adequately inform our former employees. Please, read the following information carefully and let us know if you have any questions by contacting the Firm’s DPO at DataPrivacyOfficer@deloitte.gr.

The Privacy Notices are available in hardcopy at the office of the DPO. For data processed during your employment relationship, please refer to the Privacy Notice for Deloitte Employees and for our retention policy, please refer to Deloitte’s Retention Policy for Employee’s Data.

Useful Definitions

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‘Controller’ means the natural or legal person, public authority, agency or other body which alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

‘Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;

‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

‘Data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

Purposes regarding the processing of your personal data:

The Firm respects and protects the personal data of its former employees. As your former employer, the Firm needs to maintain and process personal data for the purposes described below.

1.     Purposes directly related and necessary to the employment termination, voluntary departure, pension

We retain and process your personal data necessary for administering your former employment, namely the issues related to the termination of the employment contract (remuneration, compensation, benefits,, social security, leave compensations and allowances) and pension.

2.   Purposes directly related to the Firm’s and former employee’s tax, social security, and other legal obligations

We retain and process your personal data for the purposes of reporting termination of your employment and other important facts as to your employment to competent authorities, to pay taxes and social security contributions, to respond to regulatory and/or judicial requests as provided in the law. 

3.    Exercise and support of legal claims and defense of rights

The Firm shall also process your data when this is necessary for the establishment, exercise and support of legal claims or the defense of its rights before Courts, administrative or judicial Authorities or in the context of an extrajudicial procedure.

4.   Alumni Club

In case that you are a member of the Firm’s Alumni Club, the firm use your contact details in order to send you newsletters and invitations for alumni events organized by the Firm and may also take photographs or videos of you when you attend various social events and parties organized by the Firm. In any case, we shall request your consent for the above processing activities by completion of a form at the time of your departure from our Firm. If you provide your consent, you may revoke your consent at any time by sending an email to the Firm’s DPO at DataPrivacyOfficer@deloitte.gr, as it is also clearly stated in the consent form.

Categories of personal data that we process:

The personal data that we process are collected from you and may be categorized as follows:

(a)  Basic identification information (such as full name, date of birth, gender, marital status, home address, household information, nationality, telephone number, cell phone number, emergency contact details, email address, TIN, Tax Office, ID card, social insurance number, vehicle number of corporate car) for the purposes directly related to the employment, to the Firm’s and former employee’s tax, social security, and other legal obligations, for the exercise and support of legal claims and defense of the rights of the Firm and/or the former employee;

(b)  Information relating to your education, qualifications, certifications relating to your employment, as well as your employment performance (such as curriculum vitae details, letters of recommendation, job description, qualifications and areas of expertise, photographs, hiring data, work history, records of holiday or absence, appraisals, other performance measures and, where appropriate, disciplinary and grievance records, training records, records of technical skills tests, participation in professional or academic organizations, seminar’s attendance lists, learning history and certificates of completion of e-learning courses) for the purposes directly related and necessary to your former employment and for the exercise and support of legal claims and defense of the rights of the Firm and/or the former employee;

(c)   For data processed during your employment relationship, please refer to the Privacy Notice for Deloitte Employees and for our retention policy, please refer to Deloitte’s Retention Policy for Employee’s Data.

Legal bases for the processing:

Processing of your personal data is based on the following legal bases:

(a)  Processing for purposes of employment termination, voluntary departure, pension is necessary for the performance of the employment contract (art. 6 par.1b GDPR);

(b)  Processing directly related to the Firm’s and former employee’s tax, social security, and other legal obligations is necessary for compliance with a legal obligation to which the Firm is subject (art. 6 par. 1c GDPR);

(c)   Processing relating to the exercise and support of legal claims is necessary for the purposes of the legitimate interests pursued by the Firm or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (article 6 par. 1f GDPR);

(d)  In case that you provide your consent for communications regarding newsletters and invitations to events, as well as for photographs and videos to be taken during social events, the legal basis for the processing is your consent to the processing of your personal data for this specific purpose (art. 6 par.1a GDPR). In such case, you may revoke your consent at any time, by sending an email to the Firm’s DPO at: DataPrivacyOfficer@deloitte.gr, as it is clearly stated in the consent form.

Who we disclose your information to?

When it is necessary to perform one or more of the purposes outlined above by use of appropriate partners, we may disclose your personal data to:

·         other members of the Deloitte Network;

·         entities that provide services to us and/or the Deloitte Network;

·         competent authorities (including courts, tax authorities, social security authorities and regulatory authorities overviewing the Firm and/or the Deloitte Network);

·         other entities within the Deloitte Network and other third parties, as part of a corporate transaction such as a sale, divestiture, reorganization, merger or acquisition, and only provided that the law permits such disclosure.

Please note that some of the recipients of your personal data mentioned above may be based in countries outside the European Economic Area, In such cases, we will ensure that there are adequate safeguards in place to protect your personal data, which comply with our legal obligations and applicable legislation and we also commit to inform you before any data transfer outside the EU.

In all cases, we may be requested to disclose your personal data if required to do so by law, a regulator or during legal proceedings.

Protection of your personal information:

We use a range of physical, electronic and organizational measures to ensure that we keep your personal data secure, accurate and up to date. These measures include:

•    Awareness and training to relevant staff to ensure that it is aware of our privacy obligations, when handling personal data;

•    Administrative and technical controls to restrict access to personal data on a ‘need to know' basis;

•    Technological security measures, including fire walls, encryption and anti-virus software;

•    Physical security measures, such as staff security passes to access our premises.

Although we use appropriate security measures once we have received your personal data, the transmission of data over public networks (including by e-mail) is never completely secure. We shall endeavour to protect your personal data by all appropriate measures.

We always bind our partners with privacy agreements and/or confidentiality clauses.

How long we keep your information for?

You will find detailed information about the retention period for each category of data in our Firm’s retention policy here.

Your rights:

According to articles 12-22 of the General Data Protection Regulation (GDPR), you have the following rights:

(a) Right to obtain from the Firm transparent information as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the following information: The purposes of the processing, the categories of personal data concerned, the recipients to whom the personal data have been or will be disclosed, the envisaged period for which the personal data will be stored, the existence of the right to request from the Firm rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing, the right to lodge a complaint with a supervisory authority. Where the personal data are not collected from the data subject, any available information as to their source.

(b)  You have the right to obtain from the Firm without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

(c)  You have the right to obtain from the Firm the erasure of personal data concerning you without undue delay and the Firm shall have the obligation to erase personal data without undue delay, where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, when you withdraw your consent on which the processing is based and where there is no other legal ground for the processing, when you object to the processing and there are no overriding legitimate grounds for the processing, when your personal data have been unlawfully processed, when the personal data have to be erased for compliance with a legal obligation to which the Firm is subject.

(d)   You have the right to obtain restriction of processing of your personal data when: a) the accuracy of your personal data is contested and until the accuracy of the data is verified; b) the processing is unlawful and you oppose to the erasure of your personal data and request the restriction of their use instead; c) your personal data is no longer needed for the purposes of the processing, but they are required for the establishment, exercise or defense of legal claims; and d) you have objected to the processing pending the verification whether there are legitimate grounds concerning the Firm and override those for which you oppose to the processing.

(e)  You have the right to receive without any cost accrued your personal data in a structured, commonly used and machine-readable format, as well as the right to transmit those data to another controller, provided that it is technically feasible. This right concerns the data that you have provided to the Firm and their processing is carried out by automated means based on your consent or in performance/execution of a relative contract.

(f)   You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, in cases when processing is necessary for the performance of a task carried out in the public interest; or processing is necessary for the purposes of the legitimate interests pursued by the Firm or by a third party, including profiling based on those provisions. The Firm shall no longer process the personal data unless the Firm demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. 

(g)  If the processing is based on consent you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

(h) You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. The Firm would like to inform you that, even though we are committed to respect your rights, we might sometimes not be able to satisfy your requests, especially when it comes to the rights of erasure or restriction of data processing. We might have to continue the processing of your data if we are obliged to do so by law, or to comply with court decisions or other requests by competent authorities or we have overriding interests to do so, for example to defend our legal rights before the competent authorities.

To exercise any of your rights or make a complaint to us relating to your privacy or if you have any other questions about our use of your personal data, please send an email to the Firm’s  DPO, Mr. Dimitrios Vosikas, to the following email address DataPrivacyOfficer@deloitte.gr. We will make every possible effort to respond as soon as possible and in any case within the 30-day time limit or as set out in law.

You always have the right to file a complaint before the competent supervisory authority, which in Greece is Hellenic Data Protection Authority (HDPA), by sending an email to the email address: complaints@dpa.gr.

However, should you have a complaint or question, it is advisable to contact the Firm first, in order to try and solve the matter amicably.