data privacy

About us

Deloitte CE Privacy Statement for Clients

Applicable for Deloitte in Hungary entities

Updated February 26th 2019

Deloitte Central Europe Privacy Statement

(information on your personal data processing) applicable to our client, vendor, contractor and sub-contractor relationships

English version below, versions in local languages available in PDF format:
AlbaniaBosnia & HerzegovinaBulgaria, CroatiaCzech RepublicEstoniaKosovoLatviaLithuaniaMacedoniaMontenegroPolandRepublic of Srpska, Romania and MoldovaSlovak RepublicSloveniaSerbia

Definitions

“Deloitte” refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients.

“Deloitte Central Europe” (“Deloitte CE”) is a regional organization of entities organized under the umbrella of Deloitte Central Europe Holdings Limited, the member firm in Central Europe of Deloitte Touche Tohmatsu Limited. Services are provided by the subsidiaries and affiliates of Deloitte Central Europe Holdings Limited, which are separate and independent legal entities.

“Controller” (“we”, “us” or “our”) means a controller or data controller determining the purposes of personal data processing (as further defined in the Data Protection Legislation).

“Processor” means a data processor or processor processing the personal data on behalf of the controller (as further defined in the Data Protection Legislation).

“Data Protection Legislation” means the following legislation to the extent applicable from time to time: (a) national laws implementing the Directive on Privacy and Electronic Communications (2002/58/EC); (b) the GDPR; and (c) any other similar national privacy law.

“GDPR” means the General Data Protection Regulation (EU) (2016/679).

“Personal Data” means any personal data (information relating to an identified or identifiable natural person / data subject) processed in connection with or as part of the services provided to our clients or in relation of the contractual relationships with our vendors, contractors or sub-contractors or as necessary for activities that are part of our standard business operations.

“Processing” means any operation or set of operations on personal data (manual or automated) such as collection, recording, structuring, storage, use, disclosure, restriction, erasure or destruction (as further defined in the Data Protection Legislation).

“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed (as further defined in the Data Protection Legislation).

Summary
This Privacy Statement is applicable to processing of your personal data (“data”) by us and explains:

  • what personal data we process about you;
  • why (for what purposes) we process your personal data (including the legal grounds for your data processing);
  • how and in what locations we process your personal data (where we transfer your personal data and with whom we share your data);
  • what are your rights.

This Privacy Statement applies from the date specified at the top of this page. We may modify or amend this Privacy Statement from time to time therefore we encourage you to review this statement periodically.

What personal data we process
We process the personal data that you provide to us, that we obtain from your employer or contractual partner, advisor or third party or that you explicitly made publicly available.

This personal data may include:

  • your name, surname and gender;
  • your occupation (job position) and general contact details (work or home address, personal or work e-mail address and telephone number;
  • history and details of your business contacts with Deloitte;
  • your bank account number (in case that our client/contractor/vendor and sub-contractor is a natural person);
  • IP address;
  • your personal data provided in connection with the execution of your rights in accordance with this Privacy Statement;
  • CCTV images and other information we collect when you access our premises (the specific and customized information on this personal data processing is available in the respective Deloitte CE premise if applicable – the CCTV images may be also processed by the building owner or the authorized third party).

For the purposes specified here-below we do not collect or process any ‘sensitive’ or ‘special categories’ of personal data as defined in the Data Protection Legislation. The additional types and categories of your personal data that are processed directly for the purposes of provision of our services are described in the Deloitte CE entities providing services as data controllers and Deloitte CE entities providing services as data processors privacy statements.

Purposes of your data processing (the “Purposes”)

  • compliance with the applicable legal, regulatory or professional requirements (anti money laundering);
  • addressing requests and communications from competent authorities;
  • general contract administration, financial accounting (invoicing) and statistic;
  • internal compliance and risk analysis (including investigating or preventing security incidents);
  • protecting our rights and legitimate interests;
  • general client, vendor, contractor or sub-contractor relationship purposes (including the feedback and complaints, as well as assessment and development of business opportunities);
  • utilization of internal or hosted (cloud) information technology systems, services and applications (for communication, data sharing and archiving purposes).

Please note that this Privacy Statement does not include the information on processing of personal data for the purposes of marketing, direct mailing and recruitment. The processing of personal data for such purposes is described in the specific privacy statements that may be also part of your consent with such personal data processing (where relevant). We do not process your personal data for direct mailing and marketing purposes without your explicit consent however we may ask you for such consent in the course of personal data processing for the Purposes.

Legal basis for your data processing:
We process your personal data only when the processing is necessary

  • to administer the contract, we have with you personally or to take steps to enter into the contract with you;
  • for compliance with a legal obligation we are subject to;
  • for the purposes of our legitimate interest which might be:
        - to execute and fulfil contracts with our vendors, contractors or sub-contractors,
        - to protect our business interests (including to conduct our risk and quality assessments),
        - to ensure that the complaints or requests delivered to us are properly addressed.

Retention of your personal data
Your personal data shall be retained by us for a period of 10 years following the provision of services to our clients or the expiration of our contractual relationships with our vendors, contractors or sub-contractors or as required by the applicable laws or relevant regulations or for Deloitte legitimate interest.

Personal data controller
In the context of this Privacy Statement the data controller is the Deloitte CE entity that is party to the client, vendor, contractor or sub-contractor contract.

Sharing and transferring your personal data
Your personal data may be disclosed/transferred to and processed by the following recipients for the Purposes:

Deloitte group of entities listed here. If applicable your personal data will be processed only to the extent allowed for the Purposes and in accordance with the Data Protection Legislation. Each of the recipient(s) shall be responsible for ensuring the appropriate protection of your data, providing information on your data processing and obtaining additional consents if required. In case your data is transferred across country borders (including the territories outside of the European Union) then such transfer will take place only in the case that the obligations as stipulated by the Data Protection Legislation for such transfers are fulfilled. 

Processors
Our approved administrative and IT service suppliers:

4C Hungary Kft., 8 Várfok street, 4th floor, door no 2; Budapest, 1012, Hungary
Billigence Europe Limited, with registered seat at 12 Gough Square, London, EC4A 3DW, United Kingdom
con4PAS, s.r.o., Novodvorská 1010/14, 142 01 Prague 4 – Lhotka, Czech Republic 
Deloitte Advisory & Management Consulting Private Limited Company, Dózsa Gy út 84.C., 1068 Budapest, Hungary
Deloitte CE Business Service Sp. z o.o., Al. Jana Pawla II 22, 00-133 Warsaw, Poland
Deloitte Central Europe Service Centre s.r.o., Italská 2581/67, 120 00, Prague 2 – Vinohrady, Czech Republic
Deloitte CZ Services s.r.o., Italská 2581/67, 120 00, Prague 2 – Vinohrady, Czech Republic
Deloitte Global Services Limited, Hill House, 1 Little New Street, EC4A 3TR London, United Kingdom
Digital Resources a.s., Poděbradská 520/24, 190 00 Prague 9, Czech Republic
MobileXpense, Rue des Colonies 11, 1000 Brussels, Belgium
SI-Consulting Sp. z o.o., Slezna Str. 118, 53-111 Wroclaw, Poland

Non-EU based (all non-EU based data processors have concluded the EU approved Standard Contractual Clauses with us ensuring an adequate level of Personal Data protection as required by the Data Protection Legislation).

Deloitte Support Services India Private Limited, RMZ Futura, Block B, 2nd Floor, Plot No. 14 & 15, Road No. 2, Hi-Tec City Layout, Madhapur, Hyderabad – 500 081, Telangana, India
Deloitte Touche Tohmatsu Services, Inc., 30 Rockefeller Plaza, New York, 10112 – 0015, USA 
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA

Their access rights are strictly limited to the extent that it is only for necessary technical, administrative and help desk support services.

Security of processing
We and our data processors established technological, physical, administrative and procedural safeguards all in line with the industry accepted standards in order to protect and ensure the confidentiality, integrity or accessibility of all personal data processed; prevent the unauthorized use of or unauthorized access to the personal data or prevent a personal data breach (security incident) in accordance with Deloitte CE policies and Data Protection Legislation. Deloitte CE is a holder of ISO 27001 certification – widely recognized global information standard.

Your rights
You have your right to:

  • request access to your personal data (and request a copy of the personal data that we process),
  • request us to update and correct your personal data (right to rectification),
  • request us to delete your personal data (where possible), or 
  • require a restriction on the processing of your data.

You may object to the processing (in certain cases as specified by GDPR), as well as execute your right to data portability (receive a copy of personal data which you provided to us in a structured machine –readable format and request us to transmit such data to another data recipient).

 

You can enforce all rights described here can be enforced by sending e-mail to: CEprivacy@deloittece.com or a written notice to: Deloitte CE Data Protection Leader, Deloitte Central Europe Service Centre s.r.o., Italská 2581/67, 120 00, Prague 2 – Vinohrady, Czech Republic

You can also use the above contacts for any questions related to processing your personal data including the security safeguards when transferring the data outside of the EU region.

It is also your right to lodge a complaint with a local data protection supervisory authority in the country of your residence in case you are of an opinion that the processing of your personal data infringes the GDPR.

 

Deloitte Central Europe Service Specific Privacy Statement

Deloitte Central Europe entities providing services as data controllers

Applicable to the following services: AuditTax AdvisoryGlobal Employment ServicesLegalRisk AdvisoryFinancial AdvisoryConsulting.

What personal data we process
As controller we process the personal data that you provide to us, including the personal data on your family members and dependents if needed given the nature of service provided, or the data that we obtain from your employer or contractual partner, advisor or third party, under the condition that such data were collected lawfully.

Depending on the given type of services this personal data may include:

  • your name, surname and gender, date of birth, your ID or passport details, tax ID number, social security and national insurance number,
  • your occupation (job position) and general contact details (work or home address, personal or work e-mail address and telephone number, education certificates),
  • other data necessary for the provision of the certain type of service to your contractor or employer (marital status, number of children, information about your family members, their names, surnames, dates of birth, as appropriate),
  • financial data (including bank account details, credit history, employment income and personal investment income/gains),
  • data related to your relationship with our client (purchased goods or services).

Purposes of your data processing (“Purposes”)
provision of services to you personally or to our clients (being your employer of your contractual partner) as agreed in the respective contract

Processing tools
For some type of services, the special tools are utilized for personal data processing

Legal basis for your data processing

  • the performance of the contract to which you are a party, or if you are not a party to the contract, then
  • our legitimate interest in providing the services based on the contract to your employer or contractual partner, or
  • compliance with legal obligations which Deloitte is subject to when providing the services to you or to your employer/contractual partner (i.e. the applicable laws (if any) regulating the provided services explicitly determine that while providing the service we process your personal data as a personal data controller).

The provision and processing of your personal data (including use of certain tools for data processing as indicated here-above) is necessary for the Purposes.

Retention of your personal data
Your personal data shall be retained by us for a period of 10 years following the provision of services to you or to our clients or as required by the applicable laws or relevant regulations or for Deloitte legitimate interest.

Sharing and transferring your personal data
Your personal data may be disclosed/transferred to and processed by the following recipients for the Purposes:

Recipients
Deloitte group of entities listed here. If applicable your personal data will be processed only to the extent allowed for the Purposes and in accordance with the Data Protection Legislation. Each of the recipient(s) shall be responsible for ensuring the appropriate protection of your data, providing information on your data processing and obtaining additional consents if required. In case your data is transferred across country borders (including the territories outside of the European Union) then such transfer will take place only in the case that the obligations as stipulated by the Data Protection Legislation for such transfers are fulfilled. 

Processors
Our subcontractors (approved by the client in the contract or otherwise) and our approved administrative and IT service suppliers:

EU based

Deloitte Advisory & Management Consulting Private Limited Company, Dózsa Gy út 84.C., 1068 Budapest, Hungary
Deloitte CE Business Service Sp. z o.o., Al. Jana Pawla II 22, 00-133 Warsaw, Poland
Deloitte Central Europe Service Centre s.r.o., Italská 2581/67, 120 00, Prague 2 – Vinohrady, Czech Republic
Deloitte CZ Services s.r.o., Italská 2581/67, 120 00, Prague 2 – Vinohrady, Czech Republic
Deloitte Global Services Limited, Hill House, 1 Little New Street, EC4A 3TR London, United Kingdom
Digital Resources a.s., Poděbradská 520/24, 190 00 Prague 9, Czech Republic
SI-Consulting Sp. z o.o., Slezna Str. 118, 53-111 Wroclaw, Poland
Audit Services: Deloitte Group Support Centre BV, a private limited liability company established in The Netherlands, Gustav Mahlerlaan, 2970 Amsterdam, The Netherlands

Audit Services: Deloitte Group Support Centre BV, a private limited liability company established in The Netherlands, Gustav Mahlerlaan, 2970 Amsterdam, The Netherlands

In order to procure proper administrative, technical and operational support, we may also contract local service providers (in the countries that we operate in) that will process your personal data as personal data processors. Such local service providers are our entrusted partners providing mainly local archiving, currier, translation, IT support or reprographic services. Any such local services provider, prior to the provision of the services, concludes a data processing agreement in line with requirement of Data Protection Legislation. You can obtain full list of such local personal data processor directly upon your request to us.

Non-EU based
Since the processing of Personal Data may include transfer of personal data outside of the European Union (EU), all of the below entities have concluded the EU approved Standard Contractual Clauses with Deloitte entity providing the services under the Engagement to ensure an adequate level of Personal Data protection as required by the Data Protection Legislation.

Tax/Global Employment ServicesDeloitte Support Services India Private Limited, RMZ Futura, Block B, 2nd Floor, Plot No. 14 & 15, Road No. 2, Hi-Tec City Layout, Madhapur, Hyderabad – 500 081, Telangana, India
Deloitte Tax LLP, 30 Rockefeller Plaza, New York, 10112 – 0015, USA (the owner and administrator of GA Organizer)
Deloitte Touche Tohmatsu Services, Inc., 30 Rockefeller Plaza, New York, 10112 – 0015, USA 
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA

Their access rights are strictly limited to the extent that it is only for necessary technical, administrative and help desk support services.

Processing tools
For some type of services, the special tools are utilized for your personal data processing - find more information about the processing of your personal data under the links below.

Global Employment Services:
GA Organizer Tool

Audit Services:
Deloitte Connect
Deloitte iCount

Security of processing
Deloitte and its data Processors established technological, physical, administrative and procedural safeguards all in line with the industry accepted standards in order to protect and ensure the confidentiality, integrity or accessibility of all personal data processed; prevent the unauthorized use of or unauthorized access to the personal data or prevent a personal data breach

Your rights 
Please refer to the Deloitte Central Europe Privacy Statement.

 

Deloitte Central Europe Service Specific Privacy Statement

Deloitte Central Europe entities providing services as data processors

 

Applicable to the following services: PayrollImmigrationForensics (other than advisory), certain services in the area of IT Consulting.

What personal data we process
As processors we process the personal data that you provide to us, including the personal data on your family members and dependents if needed given the nature of service provided, or the data that we obtain from your employer or contractual partner, advisor, third party or that are publicly available.

This personal data may include:

  • your name, surname and gender, date of birth, your ID or passport details, tax ID number, social security and national insurance number,
  • your occupation (job position) and general contact details (work or home address, personal or work e-mail address and telephone number, education certificates,
  • other data necessary for the provision of the certain type of service to your contractor or employer (marital status, number of children, information about your family members, their names, surnames, dates of birth, as appropriate),
  • financial data (including bank account details, employment income and personal investment income/gains),
  • data related to your professional activities, work performance and evaluation.

Purposes of your data processing 
Provision of the services to you personally or to our clients (your employer or contractual partner) as determined in the respective contract based on the instruction of the controller (you, your employer or contractual partner)

Your personal data processing is done based on the instructions of our clients – personal data controllers that are also responsible for delivering the information on your personal data processing to you including the information how to execute your rights – please contact your employer/contractual partner directly to:

  • request access to your personal data (and request a copy of the personal data that is processed),
  • request to update and correct your personal data (right to rectification), 
  • request to delete your personal data (where possible), or 
  • request to a restriction on the processing.

Controller:

The Controller is primarily the Deloitte CE Entity that is party to the client contract.

In accordance with the Data Protection Legislation for the Purposes indicated above, the Personal Data may be disclosed/transferred to and processed by the following Recipients of Personal Data:
Deloitte group of entities:

In line with the Purposes specified here-above and to the extent necessary for the provision of Services, the Personal Data may be disclosed to another Controller within the Deloitte group of companies (http://www2.deloitte.com/global/en/get-connected/global-office-directory.html).

If the transfer of Personal Data across country borders (including the territories outside of the European Union) is also required, (the Deloitte entity will act as another Controller) then the transfer will take place only in the case that the obligations as stipulated by the Data Protection Legislation for such transfers are fulfilled.

Processors:

The following Processors process the Personal Data on behalf of the Controller in line with the Purposes:

Subcontractors (approved by the client in the contract or otherwise)

Deloitte CE standard service suppliers:

EU based service suppliers:

Deloitte Advisory & Management Consulting Private Limited Company, Dózsa György út 84.C., 1068 Budapest, Hungary
Deloitte CZ Services s.r.o., Karolinská 654/2, 186 00 Prague 8, Czech Republic
Deloitte CE Business Service Sp. z o.o., Al. Jana Pawla II 22, 00-133 Warsaw, Poland
Deloitte Central Europe Service Centre s.r.o., Karolinská 654/2, 186 00, Prague 8, Czech Republic
Deloitte Global Services Limited, Hill House, 1 Little New Street, EC4A 3TR London, United Kingdom
4C Hungary Kft., 8. 4th floor door no 2 at Várfok street, Budapest, 1012, Hungary
con4PAS, s.r.o., Novodvorská 1010/14, 142 01 Prague 4 – Lhotka, Czech Republic
MobileXpense, Rue des Colonies 11, 1000 Brussels, Belgium
SI-Consulting Sp. z o.o., Slezna Str. 118, 53-111 Wroclaw, Poland

Non-EU based service suppliers:

Since the processing of Personal Data includes transfer outside of the European Union (EU), all of the below entities have concluded the EU approved Standard Contractual Clauses with the Deloitte entity which the client entered into the contractual relationship with, or some of them have become a member of the Privacy Shield, thus ensuring an adequate level of Personal Data protection as required by the Data Protection Legislation.

Deloitte Touche Tohmatsu Services, Inc., 30 Rockefeller Plaza, New York, 10112 – 0015, USA
Deloitte Support Services India Private Limited, RMZ Futura, Block B, 2nd Floor, Plot No. 14 & 15, Road No. 2, Hi-Tec City Layout, Madhapur, Hyderabad – 500 081, Telangana, India
Deloitte Tax LLP, 30 Rockefeller Plaza, New York, 10112 – 0015, USA (Applies to Tax and GES services only)
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA

The above mentioned personal data Controllers and Processors shall establish technological, physical, administrative and procedural safeguards all in line with the industry accepted standards in order to protect and ensure the confidentiality, integrity or accessibility of the Personal Data processed. The safeguards will prevent the unauthorized use of or unauthorized access to the Personal Data or prevent a personal data breach (security incident) in accordance with Deloitte CE instructions, policies and applicable Data Protection Legislation. Deloitte CE entities processing client data are also ISO 27001 certified (ISO/IEC 27001 Information security management).
The processing of Personal Data is necessary for the provision of Services under the contract.

The individuals (personal data subjects) have the right to request access to their Personal Data and rectification or erasure of their Personal Data, or a restriction on the processing or to object to the processing, as well as the right to data portability. All rights described in this paragraph can be enforced by sending an e-mail request to the data controller at: CEprivacy@deloitte.com and also have the right to lodge a complaint with the supervisory authority in the country of their residence if they consider that the processing of personal data relating to them infringes the Data Protection Legislation.

Did you find this useful?

Related topics