Privacy Notice regarding the processing of Personal Data in the context of the Deloitte innovation survey.

This Privacy Notice applies to “Deloitte Business Solutions Societe Anonyme of Business Consultants”, with the distinctive title “DELOITTE BUSINESS SOLUTIONS SA” (hereinafter “Deloitte”, “us”, “our” or the “Firm”), which, in compliance with applicable national and European legislation on data protection, hereby informs you, in its capacity as a data controller, about the collection, processing and storage of data subjects’ personal data for the purposes of conducting a survey on Greek businesses’ perception of the level of innovation in Greece, as well as its potential to act as a driver of competitiveness (hereinafter “the survey”).

This privacy statement explains what information we gather about you, what we use that information for and who we give that information to. It also sets out your rights in relation to your information and who you can contact for more information or queries.

The survey will be conducted in the form of a questionnaire, the answers to which will be submitted by the participants via an electronic platform provided by Qualtrics LLC.

In this context, the information necessary to conduct the survey will be collected directly from the individuals who enter this platform and submit their answers to the questionnaire.  

Please read the following information carefully and let us know if you have any questions by contacting the Firm’s DPO at DataPrivacyOfficer@deloitte.gr.

Useful Definitions:

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‘Controller’ means the natural or legal person, public authority, agency or other body which alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

‘Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;

‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

This privacy statement sets out how we will collect, handle, store and protect information about you. You are responsible for ensuring that any personal information voluntarily submitted by you in the course of your participation in the survey is accurate, complete and up to date.

Purposes regarding the processing of your personal data:

Your personal data will be collected for the sole purpose of carrying out the abovementioned survey.

Categories of personal data that we process:

Deloitte processes the following personal information that you may voluntarily submit in the course of your participation in the survey: your position/job title in the company in combination with the name and business sector of said company, your responses to the survey questions as well as internet identifiers (such as IP address and cookies).

You are responsible for ensuring that any personal information submitted by you as part of the survey is accurate, complete and up to date.

Kindly note that we do not collect special categories of personal data, such as information about an individual's ethnic or racial origin, religious beliefs, criminal convictions, information regarding physical and mental health or information about an individual's sexual orientation.

Legal bases for the processing:

The legal basis for the processing of your personal data is the consent that you provided to us by voluntarily participating in the survey, as described above (art. 6 par.1a GDPR).

In such case, you may revoke your consent at any time, by sending an email to the Firm’s DPO at DataPrivacyOfficer@deloitte.gr.

Kindly note that the processing of personal data is limited to the strict minimum and is proportionate to the intended purpose of the processing, whilst at the same time adequate and appropriate safeguards have been adopted to limit and/or eliminate the scope and impact of the processing of said personal data.

Who do we disclose your information to?

When it is necessary to perform the purpose of processing outlined above by use of appropriate partners, we may disclose your personal data to:

  • other members of the Deloitte Network;
  • entities that provide services to us and/or the Deloitte Network;
  • competent authorities (including courts, tax authorities, social security authorities and regulatory authorities overseeing the Firm and/or the Deloitte Network).

It is important to note that the processing of your personal data, including the storage thereof, is carried out in computer centres located within the European Economic Area (EEA). However, your data may be accessed remotely from the United States by the staff of Deloitte Global Solutions Limited (DGSL), which is part of the Deloitte network, as well as by the personnel of Qualtrics LLC, i.e. the supplier of the survey platform, for technical support of the application. In such cases, in order to safeguard the data transfer, contractual agreements based on the standard contractual clauses issued by the European Commission have been signed between the parties, and adequate safeguards have been put in place to protect your personal data, in accordance with our legal obligations.

Your responses to the questions in this survey are also accessible to authorized employees in our Clients and Industries team. In addition, aggregated data will be shared with senior leaders and nominated individuals. Your personal information and responses will not be provided to other employees or partners at Deloitte on an individual basis. Please note that your identity is protected and will not be visible to those accessing the aggregated results.

In all cases, we may be requested to disclose your personal data if required to do so by law, a regulator or during legal proceedings.

Protection of your personal information:

We have in place reasonable commercial standards of technology and operational security to protect all personal information provided by individuals from loss, misuse and unauthorized access, disclosure, alteration or destruction. Only authorized personnel, who have been made appropriately aware of our privacy obligations, are provided access to personal information.

How long do we keep your information for?

We will retain your personal data in our system until the completion of the survey. Upon its conclusion, your personal data will be deleted.

Your rights:

According to articles 12-22 of the General Data Protection Regulation (GDPR), you have the following rights:

(a) Right to obtain from the Firm transparent information as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the following information: The purposes of the processing, the categories of personal data concerned, the recipients to whom the personal data have been or will be disclosed, the envisaged period for which the personal data will be stored, the existence of the right to request from the Firm rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing, the right to lodge a complaint with a supervisory authority. Where the personal data are not collected from the data subject, any available information as to their source.

(b) You have the right to obtain from the Firm without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

(c) You have the right to obtain from the Firm the erasure of personal data concerning you without undue delay and the Firm shall have the obligation to erase personal data without undue delay, where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, when you withdraw your consent on which the processing is based and where there is no other legal ground for the processing, when you object to the processing and there are no overriding legitimate grounds for the processing, when your personal data have been unlawfully processed, when the personal data have to be erased for compliance with a legal obligation to which the Firm is subject.

(d) You have the right to obtain restriction of processing of your personal data when: a) the accuracy of your personal data is contested, until the accuracy of the data is verified; b) the processing is unlawful and you oppose the erasure of your personal data and request the restriction of their use instead; c) your personal data are no longer needed for the purposes of the processing, but they are required for the establishment, exercise or defense of legal claims; and d) you have objected to the processing, pending the verification whether the legitimate grounds of the Firm override those on which you object to the processing.

(e) You have the right to receive your personal data, free of charge, in a structured, commonly used and machine-readable format, as well as the right to transmit those data to another controller, provided that it is technically feasible. This right concerns the data that you have provided to the Firm and whose processing is carried out by automated means based on your consent or in performance/execution of a relevant contract.

(f) You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, in cases when processing is necessary for the performance of a task carried out in the public interest; or processing is necessary for the purposes of the legitimate interests pursued by the Firm or by a third party, including profiling based on those provisions. The Firm shall no longer process the personal data unless the Firm demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

(g) As the processing is based on consent, you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

The Firm would like to inform you that, even though we are committed to respecting your rights, we might sometimes not be able to satisfy your requests, especially when it comes to the rights of erasure or restriction of data processing. We might have to continue the processing of your data if we are obliged to do so by law, or to comply with court decisions or other requests by competent authorities or we have overriding interests to do so, for example to defend our legal rights before the competent authorities.

To exercise any of your rights or make a complaint regarding your privacy, or if you have any other questions about our use of your personal data, please contact Deloitte's Data Protection Officer by telephone at +30 210 6781180 or by email at DataPrivacyOfficer@deloitte.gr. We will make every possible effort to respond as soon as possible and in any case within the 30-day time limit or as set out in law.

You always have the right to file a complaint before the competent supervisory authority, which in Greece is the Hellenic Data Protection Authority (HDPA), by following the instructions found on the HDPA’s website.

However, should you have a complaint or question, it is advisable to contact the Firm first, in order to try and solve the matter amicably.