Privacy Notice for visitors of Deloitte’s offices and websites and use of our marketing related services

Last revised: 5 December 2024

This Privacy Notice intends to specify which personal data we collect and process about you when you interact with our websites, visit our offices or we provide certain marketing related services to you. Our processing activities take place in accordance with the EU Regulation 2016/679 (GDPR) and data protection laws and regulations applicable to the Data Controller(s) listed in Clause 2.

This Privacy Notice applies to the following websites (including any sub-sites and domains hereunder):

  • www.deloitte.dk
  • Starfsstöðvar á Íslandi | Deloitte Ísland 
  • https://www2.deloitte.com/no/ 
  • www2.deloitte.com/se 
  • www2.deloitte.com/fi 

(hereinafter separately referred to as “Deloitte Site” and collectively as “our websites”). 

The Privacy Notice does not apply to other websites that may be accessed via external URLs. We encourage visitors to review the Privacy Notice on each of these other websites before disclosing any personal data to third parties.

This Privacy Notice sets out how we will collect, handle, store, protect and otherwise process information about you when:

  • You visit our offices and premises; 
  • You use and browse our websites; 
  • We provide marketing related services to you or our clients such as provision of newsletters; performance of events and seminars you have signed up for;
  • We perform any other activities that form part of the operation of our business, as described in further detail below.

It provides evidence of the nature of the personal data collected by the Data Controller, the purposes of the processing and indicates your rights in relation to the data processed and who to contact for further information or to send any requests.

This Privacy Notice applies to the following Deloitte member firms and their affiliates:

  • Denmark: Deloitte Statsautoriseret Revisionspartnerselskab, Weidekampsgade 6, DK-2300 Copenhagen SV. E-mail: koebenhavn@deloitte.dk
  • Iceland: Deloitte ehf., Deloitte Legal ehf., Dalvegur 30, 201 Kópavogur, Ísland, E-mail: deloitte@deloitte.is 
  • Finland: Deloitte Oy, Itämerenkatu 25, 00180 Helsinki, Finland E-mail: deloitte@deloitte.fi
  • Norway: Deloitte AS, Dronning Eufemias gate 14, 0191 Oslo, Postboks 221, 0103 Oslo, E-mail: noss@deloitte.no
  • Sweden: Deloitte AB, Rehnsgatan 11, 113 57 Stockholm, Sweden, E-mail: info.stockholm@deloitte.se

Each member firm is hereinafter separately referred to as “Data Controller” or “Deloitte member firm” and collectively referred to as “Deloitte Nordic” or “Data Controllers”. The terms “us” and “we” shall also refer to a Deloitte member firm or Deloitte Nordic depending on the context.

Each Deloitte member firm is an independent Data Controller for its own collection, use, storage, and other processing of personal data.

The Deloitte member firms are joint Data Controllers when we collect, share and/or process your personal data with the other member firms for the same purposes, such as provision of marketing related services within Deloitte Nordic towards our clients, and when supporting and optimizing the operation and effectiveness of our websites or Services. In this connection we have entered into a joint controller agreement addressing the internal responsibilities of each member firm.

Each of the above Deloitte member firms belongs to the Deloitte network (the Deloitte network being Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), together with its member firms and their respective subsidiaries, affiliates, and other firms with which it constitutes a network called the “DTTL network”). Each is an independent legal entity.

The table below lists, for each group of Data Subjects/Individuals, the Categories of personal data, the Purposes of processing data and data retention, and the Legal Basis.

Data Subject/Individuals: Visitors to our websites

Categories of personal data:
  • Cookie data in the form of IP-address, browser type, ID device type, country and language, access time
  • Your cookie selection
  • How you interact with our website and its content and time
  • Areas of interest
  • Complaint details

Purposes of processing data and data retention:
  • To ensure an effective, functional and informative website, marketing our services, products and brand towards our clients, business relationships, and (potential) candidates and business opportunities
  • Cookie data are stored for the sessions and periods as further detailed in our Cookie Notice at the relevant Deloitte website

Legal Basis:
  • Placement of cookies takes place based on consent, except for essential, necessary cookies ensuring functionality of our websites cf. EU’s e-Privacy Directive
  • Deloitte’s use of personal information collected as part of the cookies is based on Deloitte’s legitimate interest cf. GDPR article 6.1 (f) in having an effective website; marketing our business, products, services and brand towards our business relationships and potential clients; and attracting the best candidates

Data Subject/Individuals: Individuals who have signed up for Deloitte invitations for events, seminars, newsletter, and other marketing activities and/or registration in our CRM systems

Categories of personal data:
  • Name, contact details such as e-mail address, phone, potential employer, role and title, fields of interests including newsletters, food preferences (if provided by you as part of your participation in an event)
  • Your feedback to an event, webinar, newsletter, or service of Deloitte

Purposes of processing data and data retention:
  • Deloitte’s interest in marketing its business, offerings, and name
  • Planning, conducting and administrating events, seminars and marketing campaigns
  • Provision of relevant newsletters and articles
  • Attract potential candidates
  • Optimizing its services through feedback
  • Facilitate networking for our clients and business relationship or candidates
  • Food preferences for food served at seminars
  • Data are stored until no longer needed for the provision of the services to you, or until your withdrawal of a request, or if contact data are no longer active. However, data may be stored longer due to requirements for retention under mandatory law, e.g. bookkeeping purposes, which require storage of 5 years.

Legal Basis:
  • Deloitte’s disclosure of marketing activities directly to you is based on consent to the extent this is required under national marketing regulation
  • Our processing of your data in our CRM systems is based on our legitimate interests in handling our daily customer and business relationship management (e.g. in the form of meeting a request from you for invitations and newsletters or participation in an event and seminar), planning, administrating and conducting an event, as well as accounting and financial tasks cf. GDPR article 6.1 (f)
  • As regards the use of your feedback to our surveys, this is based on your consent cf. GDPR article 6.1 (a)
  • As regards registration of your food preferences and/or information on food allergies, this is based on your consent cf. GDPR article 6.1 (a)

Data Subject/Individuals: Visitors to our office’s participation in meetings, events, network arrangements etc.

Categories of personal data:
  • Registration of visitors’ name, e-mail address, potential employer, title, purpose for visit, whom to meet in Deloitte, date of visit, photos (situation picture from event) or portrait (if explicitly agreed to by you)
  • Photos/video of visitors at our entrances

Purposes of processing data and data retention:
  • Identification of visitors as part of Deloitte’s security measures and for crime prevention
  • Administration of our guests and visitors to Deloitte facilities, planning of the visit and an event and securing our facilities
  • Data are stored 30 days after visit

Legal Basis:
  • Our registration of your name is based on Deloitte’s legitimate interest in securing its premises, its visitors and our employees cf. GDPR article 6.1 (f)
  • Portrait photos are based on your consent cf. GDPR article 6.1 (a)
  • Deloitte’s legitimate interest in conducting an event cf. GDPR article 6.1 (f)

Data Subject/Individuals: Visitors to our websites or third parties’ websites where we advertise and social media

Categories of personal data:
  • Cookie-ID and cookie setting
  • IP address
  • Device and browser type, referring URL
  • Time of visit and length
  • If you have shown interest in our website and when
  • Language

Purposes of processing data and data retention:
  • To send marketing material to you based on your interest (profiling) and measure the impact of our marketing activities
  • Data are stored as further detailed in our Cookie Notice at our websites

Legal Basis:
  • Our placement of cookies is based on your consent, except for strictly necessary cookies cf. EU’s e-privacy Directive
  • Use of your personal data collected by cookies is based on Deloitte’s legitimate interests cf. GDPR article 6.1 (f) in providing tailored marketing material to you; to optimize our websites and services and in branding Deloitte

Children's privacy

We understand the importance of protecting children's privacy in the interactive online world. This website is not designed for or deliberately aimed at children 13 years of age or younger. It is not our intention to knowingly collect or maintain information about anyone under the age of 13.

Deloitte’s legitimate interest

Deloitte processes personal information based on the legal basis of legitimate interest for the purposes specified above. Due to the structure of Deloitte Nordic it is necessary to disclose and share certain data within the Nordic member firms to be able to perform the services and related tasks towards our clients and business relationships in the Nordic countries. Deloitte recognizes the rights of freedom of individuals, and we are aware that Deloitte’s interests may in some situations conflict with such rights. Therefore, our processing activities based on Deloitte’s legitimate interest have been thoroughly assessed to ensure a fair balance between the rights of individuals, the purposes of our processing activities and its necessity for us as well as the interest of the individuals herein, the nature and scope of their personal data, the safeguards implemented by Deloitte including information to the individuals about the purpose and their rights, and Deloitte’s interests to ensure that any potential impact to the individuals is proportionate with the purposes of the processing prior to any processing activities.

Cookies and tracking technologies

Our websites cf. Clause 1 collect standard internet log information, including IP address, browser type and language, visit times and referring URLs. To ensure that this website is well managed and to facilitate better navigation, we or our service providers may also use cookies ("cookies", small text files stored in the user's browser) or web beacons ("web beacons", electronic images that allow this website to count the number of visitors who have accessed a particular page, and to access certain cookies) to collect aggregated data.

Supplementary information about cookies on our websites can be found in our Cookie Notice at the relevant Deloitte Site listed in Clause 1. Here you will also find information on how to control your consent settings for cookies in your browser or change your cookie consent. 

We may also acquire information about users by obtaining it from the interaction patterns carried out on the relevant Deloitte Site. For example, to improve the experience of using our websites and ensure its proper functioning, we (or Deloitte’s service providers) may use cookies (small text files installed in the user's browser) and a web beacon that collects personal data. Further information on how to use cookies, and how to manage them can be found in the Cookie Notice at the relevant Deloitte Site listed in Clause 1 above.

To disable profiling cookies, please refer to the Cookie Notice of our websites.  

When we advertise on third parties’ websites or social media, we may collect or receive personal data on which ads and news you have been looking at. We do this to be able to tailor our marketing activities to your interests (profiling) and to measure the effect of our marketing activities. We are joint controller with the third parties who have provided the data to us. However, Deloitte Nordic is Data Controller for our own use of such collected personal data. For third parties’ use of their data, we refer to their privacy and Cookie Policy, to be found in our Cookie Notice at our websites.

Our websites further integrate with various blogs, forums, wikis and other social media applications or services that allow you to share content with other users (e.g., Facebook, Twitter and LinkedIn, collectively called "social media"). Personal information or other information that you have provided to some social media for public use may be read, collected, and used by other users of the social media service, over which we have little or no control. Therefore, we are not responsible for the use, misuse or embezzlement of personal data or other information that you contribute to any social media services.

You can find more about how we use cookies in our Cookie Policy: Cookies (deloitte.com)

In connection with one or more of the purposes set out in the Clause 3 above, we may disclose information about you to:

  • Companies belonging to the Deloitte Network for the performance of internal administration activities;

  • Third parties delegated and/or appointed by us for the performance of activities or part of the activities related to the provision of the services requested or to the navigation on a Deloitte Site (e.g., companies that provide IT services, management, and maintenance of the Deloitte Site);

  • Third parties for the installation of cookies as required by the Cookie Notice of the relevant Deloitte Site. Please note that Deloitte may be joint controller with a third-party cookie provider for the collection of data through cookies. Said third parties are responsible for their own use of the collected and transferred data. You will find a link to the relevant third parties with whom we share data in our Cookie Notice including a link to their privacy and Cookie Notice;

  • Authorities to the extent required under law e.g. due to booking purposes.

Your data will be communicated to these third parties after being appointed as data processors or recognized as autonomous Data Controllers and will be processed by collaborators and/or employees of Deloitte in the context of their respective functions and in accordance with the instructions given by Deloitte itself. 

If necessary for the purposes stated above, the data collected may be transmitted or made accessible to other companies in the Deloitte Network, to entities that provide services to us as part of the specified purposes and/or the Deloitte Network (e.g., vendors, suppliers), to competent authorities (e.g., courts, tax authorities, regulatory authorities) including those based in other countries, which may include countries outside Switzerland or outside the European Economic Area (EEA). Third parties to whom your personal data are transferred are bound by specific agreements, and are required to keep your data secure.

In such cases, the transfer will take place in accordance with the provisions of Chapter V of the GDPR through the adoption of appropriate safeguards that ensure a level of data protection in accordance with the obligations to which it is legally bound, such as the EU Commission’s latest Standard Contractual Clauses, Binding Corporate Rules, another applicable legal tool, or based on a statutory exemption (e.g. if you have given your consent to the transfer, if the transfer is directly connected with the conclusion or performance of a contract with you or if the transfer is necessary for the establishment, exercise or enforcement of legal claims before a foreign authority).

The information systems and computer programs used by us are configured in such a way as to minimize the use of personal data. 

Retention periods for the listed purposes of our use of personal data are listed in the table in Clause 3. In addition hereto, we may have to store data for the duration established by legal provisions, including those provided for the protection of our rights or third parties’ rights in the event of litigation or defensive investigations or a claim. 

We will process your data with the utmost care and respect. 

Your personal data are processed with the aid of electronic tools, ensuring the use of appropriate measures for the security of the processed data and guaranteeing their confidentiality, in accordance with the principles applicable to the processing of personal data pursuant to Article 5 of the GDPR, such as lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality. These measures can include:

  • The training and updating activities of its staff ensuring that they are informed about privacy and confidentiality obligations if they have access to and process personal data;

  • Administrative and technical controls in order to limit access only to personal data that need to be known in relation to the purposes of the processing (access right management);

  • Technical security measures (e.g., firewalls, cryptography, antivirus software, VDI remote); 

  • Physical security measures. 

In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality. 

We have put in place procedures to deal with any possible data breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so. Third parties will only process your personal data where they have agreed to treat the data confidentially and to keep it secure in compliance with the applicable law.

In connection with Deloitte’s processing of your personal data for the above purposes, profiling may take place, for example to tailor the content of our website to provide you with a more personalised experience and to improve your experience on our website based on the preferences you yourself define. Please be informed that you are entitled to object to the profiling. In such case, we may not be able to provide you with our services. Please see relevant contact details in clause 9 below.

Your rights

In relation to the processing of your personal data, you have specific rights cf. Art. 15 to 21 of the GDPR:

  • Access: you can ask for confirmation as to whether or not a certain processing of data concerning you is in place, as well as further clarifications about the information referred to in this Privacy Notice; 

  • Rectification: you can ask to rectify or supplement the data you have provided to us, if inaccurate;

  • Erasure: you can request that your data be deleted, if they are no longer necessary for our purposes, in case of withdrawal of consent or your opposition to the processing, in case of unlawful processing, or there is a legal obligation to erase them;

  • Restriction: you can request that your data be processed only for the purpose of storage, with the exclusion of other processing activities, for the period necessary for the correction of your data, in case of unlawful processing for which you oppose the cancellation, if you have to exercise your rights in court and the data stored by us may be useful to you and,  finally, in the event of opposition to the processing and a review is in progress on the prevalence of our legitimate reasons over yours;

  • Object: you can object at any time to the processing of your data, unless we have legitimate reasons to proceed with the processing that prevail over yours, for example for the exercise or our defence in court;

  • Withdrawal: you may revoke your consent at any time, in all cases where consent is the legal basis for processing. Withdrawal of consent does not affect the lawfulness of processing based on consent prior to its withdrawal. It might also imply that we cannot provide you the services you have requested. You may withdraw your consent by contacting Deloitte, see below.

  • Portability: you can ask to receive your data, or to have them transmitted to another Data Controller indicated by you, in a structured format, commonly used and readable by automatic device.

 

How to exercise your rights and contact details of Deloitte

To exercise your rights, or if you have any questions or want to file a request you can always contact our Nordic privacy team by sending an email to: nordicprivacy@deloitte.com.

You can at any time reach out to any of the above Deloitte member firms to address your rights. If needed, we will redirect you to the relevant Deloitte member firms responsible for collecting and processing your personal data.

The time limit for looking into and addressing your request is 1 month, which may be extended up to 2 further months in cases of particular complexity. 

We also inform you that you have the right to lodge a complaint with the Supervisory Authority for the protection of personal data: 

  • Denmark: Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby E-mail: dt@datatilsynet.dk

  • Norway: Datatilsynet, Postboks 458 Sentrum, 0105 Oslo  E-mail: postkassen@datatilsynet.no

  • Sweden: Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm, E-mail: imy@imy.se

  • Finland: Tietosuojavaltuutetun toimisto (Office of the Data Protection Ombudsman), Lintulahdenkuja 4, 00530 Helsinki, E-mail: tietosuoja@om.fi

  • Iceland: Icelandic Data Protection Authority Persónuvernd, E-mail: postur@personuvernd.is

We may modify or amend this Privacy Notice from time to time at our discretion. When we make changes to this notice, we will amend the revision date at the top of this page, and such modified or amended Privacy Notice will be effective from that revision date. We therefore invite you to regularly consult our privacy policy in order to stay up to date with any changes made since your last consultation.