Privacy Notice for Deloitte Clients
18 June 2018
This privacy notice explains what information we gather, what we use that in-formation for and who we give that information to. It also sets out your rights in relation to your information and who you can contact for more information or queries. Click on the links below to take you to the more detailed sections of this statement:
- Which data do we collect and for which purposes
- The legal basis for the collection and processing of your personal data
- From whom do we collect your personal data?
- Who do we share your personal data with and why?
- Who do we transfer your personal data to?
- For how long do we store your data?
- Your rights
- Revision of our privacy notice
We may collect and process the following types of personal data:
- date of birth;
- national identification number;
- phone number;
- home address;
- country of residence;
- family circumstances (e.g. civil status and contact details on dependents) and close relatives;
- e-mail address;
- IP address;
- office location;
- employee identification number;
- time registration;
- employment and education details (e.g. previous employment and education details);
- salary, severance pay, bonus and pension information;
- assets, including debt, loan, income, wealth;
- travel and expenses;
- leaves of absence;
- bank account details and transactions;
- tax-related information;
- documentation requirements.
The personal data listed above is collected and processed for the following purposes:
- delivering services to our clients and for the purposes of compliance with applicable legal or regulatory requirements and/or internal policies;
- documentation requirements;
- handling requests, complaints and claims from third parties;
- handling inspections and queries by supervisory authorities; external auditors and legal advisors; and
- compliance with internal policies.
We may collect and process information about our clients when clients, or client’s employees, visit our website and register information, e.g. by subscribing to our newsletter. The information may also be provided by public sources. The personal data is processed for the purpose of knowing our clients and their interests so we can deliver quality services. The logic used for this limited profiling activity is simple and consists mainly of the different activities of the subscribers making a point values, which is summed up. The registration is limited and is therefore not considered to be intrusive. Therefore, we process this information based on legitimate interests as specified below. To read more about our specific processing in regard to information from our website, please see the Privacy Notice for our website.
We may also collect the following types of special categories of personal data for the purpose specified above:
- Trade union membership
- Data concerning health
We collect and process your data based on the following basis:
- Consent, see GDPR article 6 paragraph 1 (a);
- Performance of a contract, see GDPR article 6 paragraph 1 (b);
- A legal obligation to which Deloitte is subject, see GDPR article 6 paragraph 1 (c);
- The legitimate interests of Deloitte, see GDPR article 6 paragraph 1 (f).
The legitimate interests pursued by Deloitte include the following purposes: Performance of our contractual obligations to the client; staffing and resource allocation; provision of access to relevant systems; knowing our clients; compliance with internal policies; documentation requirements; handling requests, complaints and claims from third parties. These processes are necessary for the effective operation of our business and require collection and processing of the personal data of the data subjects.
We do not collect and process special categories of data unless there is a legal basis in the GDPR; establishment, exercise or defence of legal claims, or consent.
In connection with one or more purposes outlined above, the personal data disclosed by or collected from client/you may be disclosed to and shared with the following recipients: Public authorities, our professional advisors (e.g. audi-tor and legal advisors) vendors; and Deloitte entities.
Transfer of personal data to data processors
We may transfer your personal data to other Deloitte entities. We may also transfer the personal data to IT providers, including cloud service providers, or to vendors of external services, who process and /or store the personal data on our behalf.
Transfer of personal data to data controllers
We may transfer your personal data to other data controllers, e.g. if Deloitte has a legal obligation to transfer the data to public authorities.
Transfer of personal data to recipients in countries outside the EU/EEA
We may transfer personal data disclosed by or collected from you to recipients located in countries outside the EU/EEA for the purposes listed in section 1. In such case, the legal basis for the international transfer is either EU’s Model Clause Agreement or the US Privacy Shield Certification, or Deloitte’s Binding Corporate Rules when applicable.
We store the personal data for as long as necessary to fulfil the purposes listed above, however, for no longer than necessary for the administration of the cli-ent relationship, for no longer than we would have a legitimate interest or for no longer than for the fulfilment of legal requirements. We have specific retention periods for client data, which is based on either legal obligations or Deloitte’s legitimate interest in keeping the personal data for a longer period. As an ex-ample, we may have a legitimate interest in keeping personal data to defend a potential legal claim. These periods are dependant of the service provided and is based on a risk assessment of Deloitte’s need to retain data for a longer peri-od of time held up against the data subject’s interest in having it deleted. Deloitte will store data securely and in accordance with the GDPR.
Subject to the conditions set out in the applicable data protection legislation, the data subject enjoy the rights set out below. In the following, you can read about your rights and how to perform them:
The right to request access to your personal data
You can send us a request for access to get information about whether we pro-cess personal information about you in connection with your client relationship with Deloitte, and thus gain insight into what information we process about you if you are registered.
The right to rectification of your personal data
If you believe the information we have stored about you is incorrect (e.g. wrong contact details) you can request that we correct this at any time.
The right to erasure of your personal data
You can withdraw your consent to process personal data at any time. If you withdraw your consent, we will delete your personal information that is processed on this basis.
If you request erasure of your personal data, the data will be deleted. However, the right to erasure is not absolute, as it should be balanced against legal requirements and Deloitte’s legitimate interest.
The right to restriction of processing
If you do not wish us to delete your information but have reasons to wish that we will stop processing them in ways other than storage, you may, under certain circumstances, have the right to request this.
The right to data portability
According to Article 20 of the GDPR you have the right to data portability for per-sonal information about yourself that you have given to Deloitte and which has a basis for processing in consent or agreement. The main basis for processing your personal information, is the contract between you as a client and Deloitte. If you wish to exercise your right to portability, the relevant information from your profile will be exported to a Microsoft Excel document and handed over to you.
The right to objection to the processing of your personal data
You have the right to object to processing of personal data concerning you, where the processing is based on public interest or legitimate interest of Deloitte, e.g. profiling. If so, Deloitte will no longer process your personal data unless there is a legitimate ground for doing so which, according to a balancing test, is overriding.
The right to objection to profiling
You have the right to object to your personal data being processed for direct marketing purposes. This includes profiling to the extent that it is related to such direct marketing.
File a complaint
You also have the right to file a complaint with the competent supervisory authority. In Norway, this is Datatilsynet. Complaints can be delivered on their website by following this link: datatilsynet.no.
Please contact us by filling out this contact form or send us an e-mail to email@example.com if you have any questions in regards to the protection of your personal data or if you wish to exercise your legal rights.
Deloitte AS / Deloitte Advokatfirma AS
Dronning Eufemias gate 14