Privacy Notice for Deloitte candidates

1.  What is the purpose of this Privacy Notice?

Thank you for your interest in exploring career opportunities with Deloitte.

Deloitte Greece is committed to protecting the privacy and security of your personal data. This privacy notice describes the processing of your personal data as part of our recruitment activities, in accordance with the applicable Data Protection Legislation[1] and all the applicable data protection laws and regulations. It provides evidence of the nature of the personal data - where personal data means any information relating to an identified or identifiable natural person (“Data Subject”) - collected by the Data Controller, the purposes of the processing and indicates your rights in relation to the data processed and who to contact for further information or to send any requests.

[1] Means (a) the General Data Protection Regulation (GDPR); (b) national law 4624/2019, as applicable; (c) national law implementing the Directive on Privacy and Electronic Communications (2002/58/EC);  and (d) any other similar national privacy law.

2. What is the identity and contact details of the Data Controller?

The Data Controller is each Deloitte Greece Entity (hereinafter referred to as “Data Controller” or “we” or “us”) in relation to which you have the status of candidate. Deloitte Greece Entities are:

  1. “Deloitte Business Solutions Societe Anonyme of Business Consultants” with the distinctive title “DELOITTE BUSINESS SOLUTIONS S.A.”;

  2. “Deloitte Certified Public Accountants Societe Anonyme” with the distinctive title “DELOITTE.”;

  3. “Deloitte Alexander Competence Center Single-Member Societe Anonyme of Business Consultants” with the distinctive title “DACC S.A.”;

  4. “Koimtzoglou-Bakalis-Venieris-Leventis & Associates Law Partnership” (“KBVL Law Firm”);

Deloitte Business Solutions S.A., Deloitte and KBVL Law Firm are based in 3a Fragkokklisias & Granikou str., Marousi, Athens, P.O. 151 25. DACC S.A. is based in Pempti and Triti 6th Industrial Area Block of Technopolis Thessaloniki, Municipality of Pylaia Chortiatis, D.E. Pylaia, P.E. Thessaloniki.

3. What are the contact details of the Data Protection Officer?

The Data Protection Officer can always be contacted at the following e-mail address: DataPrivacyOfficer@deloitte.gr.

4. Which data do we collect about you, for which purposes and what are the sources of your data?

We process different types of personal data provided:

  • directly from you, as a Data Subject, in response to Deloitte's recruitment announcements and/or when you send us an application not related to a specific job posting by us;
  • directly from you, in relation to your membership in the Deloitte Talent Community;
  • by third parties who have referred your profile to us, either as a headhunter, recruitment company or other Deloitte employee or contractor, for example as part of the so-called "Referral Program";

The personal data we process may be categorized as follows:

  • Basic identification information (such as full name, date of birth, gender, nationality);
  • Contact information (such as home address, telephone number, cell phone number, email address);
  • Information relating to your education, qualifications, certifications relating to your employment, as well as your employment performance (such as curriculum vitae details, letters of recommendation, job description, qualifications and areas of expertise, work history, other performance measures and, where appropriate, training records, records of technical skills tests, participation in professional or academic organisations, seminar’s attendance lists, learning history and certificates of completion of e-learning courses);

Your data are processed for the purposes listed below: 

a. Purposes directly related and necessary to recruitment process: We will use the personal information that we collect or obtain about you in order to (i) manage your application for employment; (ii) contact you during your candidacy, send you announcements or request additional information as required; (iii) create a candidate profile for you in our Recruitment System;

b. Use of personal information upon hiring: Should you be hired by a Deloitte Greece Entity, your personal information may be used in connection with the employer-employee relationship, as permitted by applicable laws. If you are employed by the Firm, the information collected will be a part of your employment record.

c. Exercise and support of legal claims and defense of rights: We may process your data when this is necessary for the establishment, exercise and support of legal claims or the defense of our rights before courts, administrative or judicial authorities or in the context of an extrajudicial procedure.

d. Processing of personal data for sending communications of interest to you: We may also process your personal data as a result of your optional registration to the Deloitte Talent Community, in order to inform you about new job opportunities and Deloitte news, events and initiatives related to our recruitment process.

We do not carry out any automated decision-making processes, including profiling, that produce legal effects concerning you or significantly affecting you.

4.1 Referred Candidate

If you are providing personal information about an individual other than yourself (such as a referred candidate), you must obtain the consent of the individual before submitting any of their personal information.

5. What is the legal basis on which we process your personal data? 

We will use your personal data for the purposes indicated above on the assumption of the following conditions of legitimacy (legal basis): 

  • With reference to the purposes (a) & (b) of par. 4, in order to take steps at the request of the data subject prior to entering into a contract (art. 6 par.1b GDPR);
  • With reference to the purpose (c) of par. 4, the legitimate interests pursued by us or by a third party, and in particular to safeguard our legal rights, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (article 6 par. 1f GDPR);
  • With reference to the purpose (d) of par. 4, your consent for enrolling to the Deloitte Talent Community (article 6 par. 1a GDPR); Provision of consent to the processing of your personal data is optional and, therefore, any refusal to provide such consent will not prejudice in any way your application process. You may revoke your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on your consent before its withdrawal. 

6. Who has access to your personal data and to whom is it disclosed? 

Your data may be communicated – for the purposes referred to in paragraph 4 of this privacy notice – to the following categories of recipients:

  • Companies belonging to the Deloitte Network;
  • Companies that provide services to us and/or the Deloitte Network;
  • Public Administrations, within the limits established by law and regulations;
  • Οther entities within the Deloitte Network and other third parties, as part of a corporate transaction such as a sale, divestiture, reorganization, merger or acquisition, and only provided that the law permits such disclosure.

7. Are your data transferred abroad?

If necessary for the purposes stated above, the data collected may be transmitted or made accessible to other companies in the Deloitte network according to our Interfirm Privacy and Confidentiality Agreement, to entities that provide services to us and/or the Deloitte network (e.g., vendors, suppliers), to competent authorities (e.g., courts, tax authorities, regulatory authorities) including those based in other countries, which may include countries outside the European Economic Area (EEA[2]). Third parties to whom your personal data are transferred, are bound by specific agreement, and are required to keep your data securely.

In such cases, we guarantee that the transfer will take place in accordance with the provisions of Chapter V of the GDPR through the adoption of appropriate safeguards that ensure a level of data protection, as provided for in the applicable legal framework.

For further information about the third parties, how we work with them and their processing of your personal data, or for information about the adequate safeguards adopted by us in respect of data transfers please send an e-mail to DataPrivacyOfficer@deloitte.gr.

[2] The EEA includes EU countries and also Iceland, Liechtenstein, and Norway.

8. What is the data retention period, or if not possible, the criteria used to determine it?

The personal data you have provided to us will be processed and stored for one (1) year after the career opportunity you applied for is closed. After elapsing this time period, we will proceed to the permanent erasure of your personal data, without keeping any copy. In relation to your registration in Deloitte Talent Community, personal data will be stored until you decide to revoke your consent and in any case no longer than two years. Once these terms have expired, Deloitte will automatically delete your collected personal data, or transform it into anonymous form in an irreversible manner.

The above-mentioned data retention period may, however, be affected by other legal requirements which may extend minimum data retention requirements. Additionally, one general consideration when determining data retention periods (including archiving periods) is the possibility that this data may be needed to pursue or defend legal claims.

9. How do we protect and safeguard your personal data?

We will process your data with the utmost care and respect.

Your personal data are processed with the aid of electronic tools, ensuring the use of appropriate measures for the security of the processed data and guaranteeing their confidentiality, in accordance with the principles applicable to the processing of personal data pursuant to Article 5 of the GDPR, such as lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality. These measures can include:

  • The training and updating activities of its staff ensuring that they are informed about privacy obligations if they have access to and process personal data;
  • Administrative and technical controls in order to limit access only to personal data that need to be known in relation to the purposes of the processing;
  • Technical security measures (e.g., firewalls, cryptography, antivirus software);
  • Physical security measures. 

In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any possible data breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so. Third parties will only process your personal data where they have agreed to treat the data confidentially and to keep it secure in compliance with the applicable law.

10. What are your rights and how can you exercise them?

In relation to the processing of your personal data, you have specific rights according to articles 12-22 of the GDPR:

  • Access: you can ask for confirmation as to whether or not a certain processing of data concerning you is in place, as well as further clarifications about the information referred to in this privacy notice;
  • Rectification: you can ask to rectify or supplement the data you have provided to us, if inaccurate;
  • Erasure: you can request that your data be deleted, if they are no longer necessary for our purposes, in case of withdrawal of consent or your opposition to the processing, in case of unlawful processing, or there is a legal obligation to erase them;
  • Restriction: you can request that your data be processed only for the purpose of storage, with the exclusion of other processing, for the period necessary for the correction of your data, in case of unlawful processing for which you oppose the cancellation, if you have to exercise your rights in court and the data stored by us may be useful to you and,  finally, in the event of opposition to the processing and a review is in progress on the prevalence of our legitimate reasons over yours;
  • Object: you can object at any time to the processing of your data, unless there are our legitimate reasons to proceed with the processing that prevail over yours, for example for the exercise or our defense in court;
  • Withdrawal of consent: you may withdraw your consent at any time, in all cases where consent is the legal basis for processing. Withdrawal of consent does not affect the lawfulness of processing based on consent prior to its withdrawal.
  • Portability: you can ask to receive your data, or to have them transmitted to another Data Controller indicated by you, in a structured format, commonly used and readable by automatic device.

Processing activities are carefully evaluated to ensure a fair balance between your rights, which are assessed on a case-by-case basis (e.g., by considering the respective legal basis in each case and the purposes of the processing) and our interests. We would like to inform you that, even though we are committed to respecting your rights, we might sometimes not be able to satisfy your requests, especially when it comes to the rights of erasure or restriction of data processing. We might have to continue the processing of your data if we are obliged to do so by law, or to comply with court decisions or other requests by competent authorities or we have overriding interests to do so, for example to defend our legal rights before the competent authorities.

To exercise these rights, you can contact our Data Protection Officer by sending an e-mail to DataPrivacyOfficer@deloitte.gr .

The time limit for the Deloitte Greece Entities to address your request is 1 month, which may be extended up to 2 further months in cases of particular complexity.

We also inform you that you have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA), by following the instructions found on the HDPA’s website.

11. Changes to this Privacy Notice

We may modify or amend this Privacy Notice from time to time at our discretion. When we make changes to this notice, we will amend the revision date at the top of this page, and such modified or amended Privacy Notice will be effective from that revision date. We therefore invite you to regularly consult our Privacy Policy in order to stay up to date with any changes made since your last consultation.