Privacy Notice

Regarding the data processing carried out in connection with ESG Explained series of articles

The present Privacy Notice applies to the data processing activities carried out in connection with the ESG Explained series of articles (hereinafter the “Series of Articles”) by Deloitte Advisory and Management Consulting Private Limited Company (registered seat: 84/C Dózsa György Road, Budapest, 1068, Hungary; company registration number: 01-10-044100), Deloitte Auditing and Consulting Ltd. (registered seat: 84/C Dózsa György Road, Budapest, 1068, Hungary; company registration number: 01-09-071057), Deloitte CRS Ltd. (registered seat: 84/C Dózsa György Road, Budapest, 1068, Hungary; company registration number: 01-09-975176), Deloitte Legal Göndöcz and Partners Law Firm (registered seat: 84/C Dózsa György Road, Budapest, 1068, Hungary) (hereinafter together “Deloitte” or “Data Controller”).

The above listed Deloitte entities are joint controllers, their designated joint controller representative is Deloitte Advisory and Management Consulting Private Limited Company that is entitled to act on behalf of the above companies and is responsible for providing information to the data subjects in a complaint manner, and for processing and responding to the request submitted to any company by a data subject or authority.    

Categories of the processed personal data:

In relation to the person who requests notification by e-mail of the publication of other parts of the Series of Articles after the publication of its first article (hereinafter: “Data Subject”): name, e-mail address, his/her Employer organization’s name, position held in Employer organization.

Purpose of the data processing:

After the publication of the first article of the Series of Articles, informing the Data Subject about the publication of other parts of the Series of Articles by e-mail at the request of the Data Subject.

Recipients of the personal data

Data Processors:

Deloitte CE Business Service Sp. z o.o., Al. Jana Pawla II 22, 00-133 Warsaw, Poland;

Deloitte Central Europe Service Centre s.r.o., Italská 2581/67, 120 00, Prague 2 - Vinohrady, Czech Republic;

Deloitte CZ Services s.r.o., Italská 2581/67, 120 00, Prága 2 - Vinohrady, the Czecz Republic;

Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA

The above-mentioned Data Processors provide IT related services.

Legal basis of the data processing:  

Voluntary consent of the Data Subject, which may be withdrawn at anytime. The withdrawal shall not affect the lawfulness of processing based on consent before withdrawal.

Term of the data processing:

The data will be processed until the consent is withdrawn. Please note that without processing the Data Subject’s personal data the notification about the publication of other parts of the Series of Articles cannot be provided, so if the consent is withdrawn, further notification is not provided.

In the absence of such withdrawal the retention period of the personal data is 1 (one) year from the day of their collection. The personal data will be permanently deleted after the end of the term. If the Data Subject withdraws his/her consent, then the Data Controller shall take action to delete the data without undue delay.

Security of data processing:

The Data Controller and data processors shall establish technological, physical, administrative and procedural safeguards all in line with the industry accepted standards in order to protect and ensure the confidentiality, integrity or accessibility of the personal data processed; prevent the unauthorized use of or unauthorized access to the personal data or prevent a personal data breach (security incident) in accordance with Deloitte CE instructions, policies and applicable laws. In case where the data processing includes the transfer outside of the European Union (EU) the transfer is based on EU approved standard contractual clauses, thus ensuring an adequate level of personal data protection as required by the applicable data protection laws.

Data Subject’s rights:

The Data Subject has the following rights regarding data processing by the Data Controller:

a.    Right to information: The Data Subject may request information at any time on the processing of his/her personal data. At the Data Subject’s written request, the Data Controller shall inform the Data Subject of which of his/her data the Data Controller is processing, the purpose and duration of data processing, the addressees, the data subject’s rights, as well as his/her option of filing a complaint.

b.    Right to access: The Data Subject may access his/her personal data, also request copy of the personal data.

c.    Right to rectification: The Data Subject may at any time request the rectification or completion of his/her data.

d.    Right to object: The Data Subject may object against the processing of his/her data.

e.    Right to erasure: The Data Subject may request the erasure of his/her data, if

              i.    the data processing is no longer necessary, or

            ii.    his/her data are unlawfully processed.

f.     Right to withdraw consent: The Data Subject may at any time withdraw his/her consent. The Data Controller must delete the data or render them irreversibly unidentifiable.

g.    Right to request the restriction of data processing,

              i.    if the accuracy of the data is disputed (the restriction applies until it is established whether it is indeed or is not necessary to clarify the data),

            ii.    if the data processing is unlawful, and the Data Subject objects to their deletion and requests their restriction instead,

           iii.    if the Data Controller has no longer any use of the data for the defined purpose, but the Data Subject needs them for filing, asserting or protecting legal claims.

h.    Right to data portability: upon request, the Data Subject is entitled to receive his/her personal data provided to the Data Controller in a machine readable format and/or request that the Data Controller transfer these data to another data controller assigned by the Data Subject.

In response to a request for the exercise of the Data Subject’s rights, the Data Controller shall notify the Data Subject, in writing within 30 (thirty) days of receipt of the request. The Data Subject shall send any statements, comments or requests concerning the processing of his/her personal data via postal mail addressed to the registered office of the Data Controller at 1068 Budapest, Dózsa György út 84/C or in an e-mail message sent to the e-mail address. Should you have any questions, requests or comments regarding the data processing, please indicate “ESG Explained Series of Articles” as the subject of your inquiry.

Right to legal remedy: Upon the infringement of his/her rights, the Data Subject may turn to the regional court with competence at his/her address or place of residence, and anyone may request an investigation by the Hungarian National Authority for Data Protection and Freedom of Information (address: 1055 Budapest, Falk Miksa Street 9-11., mailing address: 1363 Budapest, Pf. 9., e-mail:, website: with reference to an infringement of their rights or the immediate risk thereof. The regional court shall give such request priority and hear the procedure as a matter of urgency.