1. What is the purpose of this Privacy Notice?
Thank you for your interest in exploring career opportunities with Deloitte.
Deloitte Greece is committed to protecting the privacy and security of your personal data. This privacy notice describes the processing of your personal data as part of our recruitment activities, in accordance with the applicable Data Protection Legislation[1] and all the applicable data protection laws and regulations. It provides evidence of the nature of the personal data - where personal data means any information relating to an identified or identifiable natural person (“Data Subject”) - collected by the Data Controller, the purposes of the processing and indicates your rights in relation to the data processed and who to contact for further information or to send any requests.
[1] Means (a) the General Data Protection Regulation (GDPR); (b) national law 4624/2019, as applicable; (c) national law implementing the Directive on Privacy and Electronic Communications (2002/58/EC); and (d) any other similar national privacy law.
2. What is the identity and contact details of the Data Controller?
The Data Controller is each Deloitte Greece Entity (hereinafter referred to as “Data Controller” or “we” or “us”) in relation to which you have the status of candidate. Deloitte Greece Entities are:
Deloitte Business Solutions S.A., Deloitte and KBVL Law Firm are based in 3a Fragkokklisias & Granikou str., Marousi, Athens, P.O. 151 25. DACC S.A. is based in Pempti and Triti 6th Industrial Area Block of Technopolis Thessaloniki, Municipality of Pylaia Chortiatis, D.E. Pylaia, P.E. Thessaloniki.
3. What are the contact details of the Data Protection Officer?
The Data Protection Officer can always be contacted at the following e-mail address: DataPrivacyOfficer@deloitte.gr.
4. Which data do we collect about you, for which purposes and what are the sources of your data?
We process different types of personal data provided:
The personal data we process may be categorized as follows:
Your data are processed for the purposes listed below:
a. Purposes directly related and necessary to recruitment process: We will use the personal information that we collect or obtain about you in order to (i) manage your application for employment; (ii) contact you during your candidacy, send you announcements or request additional information as required; (iii) create a candidate profile for you in our Recruitment System;
b. Use of personal information upon hiring: Should you be hired by a Deloitte Greece Entity, your personal information may be used in connection with the employer-employee relationship, as permitted by applicable laws. If you are employed by the Firm, the information collected will be a part of your employment record.
c. Exercise and support of legal claims and defense of rights: We may process your data when this is necessary for the establishment, exercise and support of legal claims or the defense of our rights before courts, administrative or judicial authorities or in the context of an extrajudicial procedure.
d. Processing of personal data for sending communications of interest to you: We may also process your personal data as a result of your optional registration to the Deloitte Talent Community, in order to inform you about new job opportunities and Deloitte news, events and initiatives related to our recruitment process.
We do not carry out any automated decision-making processes, including profiling, that produce legal effects concerning you or significantly affecting you.
4.1 Referred Candidate
If you are providing personal information about an individual other than yourself (such as a referred candidate), you must obtain the consent of the individual before submitting any of their personal information.
5. What is the legal basis on which we process your personal data?
We will use your personal data for the purposes indicated above on the assumption of the following conditions of legitimacy (legal basis):
6. Who has access to your personal data and to whom is it disclosed?
Your data may be communicated – for the purposes referred to in paragraph 4 of this privacy notice – to the following categories of recipients:
7. Are your data transferred abroad?
If necessary for the purposes stated above, the data collected may be transmitted or made accessible to other companies in the Deloitte network according to our Interfirm Privacy and Confidentiality Agreement, to entities that provide services to us and/or the Deloitte network (e.g., vendors, suppliers), to competent authorities (e.g., courts, tax authorities, regulatory authorities) including those based in other countries, which may include countries outside the European Economic Area (EEA[2]). Third parties to whom your personal data are transferred, are bound by specific agreement, and are required to keep your data securely.
In such cases, we guarantee that the transfer will take place in accordance with the provisions of Chapter V of the GDPR through the adoption of appropriate safeguards that ensure a level of data protection, as provided for in the applicable legal framework.
For further information about the third parties, how we work with them and their processing of your personal data, or for information about the adequate safeguards adopted by us in respect of data transfers please send an e-mail to DataPrivacyOfficer@deloitte.gr.
[2] The EEA includes EU countries and also Iceland, Liechtenstein, and Norway.
8. What is the data retention period, or if not possible, the criteria used to determine it?
The personal data you have provided to us will be processed and stored for one (1) year after the career opportunity you applied for is closed. After elapsing this time period, we will proceed to the permanent erasure of your personal data, without keeping any copy. In relation to your registration in Deloitte Talent Community, personal data will be stored until you decide to revoke your consent and in any case no longer than two years. Once these terms have expired, Deloitte will automatically delete your collected personal data, or transform it into anonymous form in an irreversible manner.
The above-mentioned data retention period may, however, be affected by other legal requirements which may extend minimum data retention requirements. Additionally, one general consideration when determining data retention periods (including archiving periods) is the possibility that this data may be needed to pursue or defend legal claims.
9. How do we protect and safeguard your personal data?
We will process your data with the utmost care and respect.
Your personal data are processed with the aid of electronic tools, ensuring the use of appropriate measures for the security of the processed data and guaranteeing their confidentiality, in accordance with the principles applicable to the processing of personal data pursuant to Article 5 of the GDPR, such as lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality. These measures can include:
In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any possible data breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so. Third parties will only process your personal data where they have agreed to treat the data confidentially and to keep it secure in compliance with the applicable law.
10. What are your rights and how can you exercise them?
In relation to the processing of your personal data, you have specific rights according to articles 12-22 of the GDPR:
Processing activities are carefully evaluated to ensure a fair balance between your rights, which are assessed on a case-by-case basis (e.g., by considering the respective legal basis in each case and the purposes of the processing) and our interests. We would like to inform you that, even though we are committed to respecting your rights, we might sometimes not be able to satisfy your requests, especially when it comes to the rights of erasure or restriction of data processing. We might have to continue the processing of your data if we are obliged to do so by law, or to comply with court decisions or other requests by competent authorities or we have overriding interests to do so, for example to defend our legal rights before the competent authorities.
To exercise these rights, you can contact our Data Protection Officer by sending an e-mail to DataPrivacyOfficer@deloitte.gr .
The time limit for the Deloitte Greece Entities to address your request is 1 month, which may be extended up to 2 further months in cases of particular complexity.
We also inform you that you have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA), by following the instructions found on the HDPA’s website.
11. Changes to this Privacy Notice
We may modify or amend this Privacy Notice from time to time at our discretion. When we make changes to this notice, we will amend the revision date at the top of this page, and such modified or amended Privacy Notice will be effective from that revision date. We therefore invite you to regularly consult our Privacy Policy in order to stay up to date with any changes made since your last consultation.