Privacy Notice for CSA

Last revised: February 2023

This Privacy Notice applies to Deloitte Greece Entities, which are:

1. “Deloitte Business Solutions Societe Anonyme of Business Consultants” with the distinctive title “DELOITTE BUSINESS SOLUTIONS SA”,

2. “Deloitte Certified Public Accountants Societe Anonyme” with the distinctive title “DELOITTE.”,

3. “Deloitte Alexander Competence Center Single-Member Societe Anonyme of Business Consultants” with the distinctive title “DACC SA” and

4. “Koimtzoglou-Bakalis-Venieris-Leventis & Associates Law Partnership” with the distinctive title “KBVL Law firm”

(collectively “Deloitte” or the “Firm”), in compliance with applicable national and European legislation on data protection, hereby informs you, in its capacity as a data controller, with respect to the collection, processing and storage of data subjects’ personal data.

This privacy statement explains what information we gather about you, what we use that information for and who we give that information to. It also sets out your rights in relation to your information and who you can contact for more information or queries.

Please read the following information carefully and let us know if you have any questions by contacting the Firm’s DPO at

Useful Definitions:

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‘Controller’ means the natural or legal person, public authority, agency or other body which alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

‘Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;

‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

This privacy statement sets out how we will collect, handle, store and protect information about you. You are responsible for ensuring that any personal information voluntarily submitted by you to the Engagement Review Process is accurate, complete and up-to-date.


Purposes regarding the processing of your personal data:

The collection will take place for the fulfilment of the sole purpose, which is the Engagement Review Process initiative.

Categories of personal data that we process:

Deloitte maintains the following personal information that you voluntarily submit: full name, company, role and your feedback to our questions.


You are responsible for ensuring that any personal information submitted by you to the Engagement Review Process is accurate, complete and up-to-date.


Legal bases for the processing:

The legal basis for the processing of your personal data is your consent (art. 6 par.1a GDPR) that you provided to us for the purpose of participating in the Engagement Review Process initiative.

In such case, you may revoke your consent at any time, by sending an email to the Firm’s DPO at:

Who do we disclose your information to?

When it is necessary to perform one or more of the purposes outlined above by use of appropriate partners, we may disclose your personal data to:

· other members of the Deloitte Network;

· entities that provide services to us and/or the Deloitte Network;

· other entities within the Deloitte Network and other third parties, as part of a corporate transaction such as a sale, divestiture, reorganization, merger or acquisition, and only provided that the law permits such disclosure.

Please note that some of the recipients of your personal data mentioned above may be based in countries outside the European Economic Area. In such cases, we will ensure that there are adequate safeguards in place to protect your personal data, which comply with our legal obligations and applicable legislation and we also commit to inform you before any data transfer outside the EU.

In all cases, we may be requested to disclose your personal data if required to do so by law, a regulator or during legal proceedings.

Protection of your personal information:

We have in place reasonable commercial standards of technology and operational security to protect all personal information provided by individuals from loss, misuse and unauthorized access, disclosure, alteration or destruction. Only authorized personnel, who have been made appropriately aware of our privacy obligations, are provided access to personal information.

How long do we keep your information for?

We will hold your personal data on our systems for a period of two (2) years, provided that you have consented to this retention period. After the above-mentioned retention period, we may request the renewal of your consent and, in case we do not receive it, we will proceed to the erasure of your personal data.

Your rights:

According to articles 12-22 of the General Data Protection Regulation (GDPR), you have the following rights:

(a)  Right to obtain from the Firm transparent information as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the following information: The purposes of the processing, the categories of personal data concerned, the recipients to whom the personal data have been or will be disclosed, the envisaged period for which the personal data will be stored, the existence of the right to request from the Firm rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing, the right to lodge a complaint with a supervisory authority. Where the personal data are not collected from the data subject, any available information as to their source.

(b)  You have the right to obtain from the Firm without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

(c)  You have the right to obtain from the Firm the erasure of personal data concerning you without undue delay and the Firm shall have the obligation to erase personal data without undue delay, where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, when you withdraw your consent on which the processing is based and where there is no other legal ground for the processing, when you object to the processing and there are no overriding legitimate grounds for the processing, when your personal data have been unlawfully processed, when the personal data have to be erased for compliance with a legal obligation to which the Firm is subject.

(d)  You have the right to obtain restriction of processing of your personal data when: a) the accuracy of your personal data is contested and until the accuracy of the data is verified; b) the processing is unlawful and you oppose the erasure of your personal data and request the restriction of their use instead; c) your personal data is no longer needed for the purposes of the processing, but they are required for the establishment, exercise or defense of legal claims; and d) you have objected to the processing, pending the verification whether the legitimate grounds of the Firm override those on which you oppose the processing.

(e)  You have the right to receive, without any cost accrued, your personal data in a structured, commonly used and machine-readable format, as well as the right to transmit those data to another controller, provided that it is technically feasible. This right concerns the data that you have provided to the Firm and whose processing is carried out by automated means based on your consent or in performance/execution of a relevant contract.

(f)  You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, in cases when processing is necessary for the performance of a task carried out in the public interest; or processing is necessary for the purposes of the legitimate interests pursued by the Firm or by a third party, including profiling based on those provisions. The Firm shall no longer process the personal data unless the Firm demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

(g)  As the processing is based on consent, you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.


The Firm would like to inform you that, even though we are committed to respecting your rights, we might sometimes not be able to satisfy your requests, especially when it comes to the rights of erasure or restriction of data processing. We might have to continue the processing of your data if we are obliged to do so by law, or to comply with court decisions or other requests by competent authorities or we have overriding interests to do so, for example to defend our legal rights before the competent authorities.

To exercise any of your rights or make a complaint to us relating to your privacy or if you have any other questions about our use of your personal data, please send an email to the Firm’s DPO to the following email address. We will make every possible effort to respond as soon as possible and in any case within the 30-day time limit or as set out in law.

You always have the right to file a complaint before the competent supervisory authority, which in Greece is the Hellenic Data Protection Authority (HDPA), by following the instructions found on the HDPA’s website.

However, should you have a complaint or question, it is advisable to contact the Firm first, in order to try and solve the matter amicably.