Privacy Statement

About us and this privacy notice

Deloitte AB (“Deloitte”, or “we”, “our”, “us”) is a member firm in Deloitte Touche Tohmatsu Limited's global network. We are strongly committed to protect your personal data used in our work and to be in compliance with the applicable legislation. This privacy statement covers our processing activities regarding personal data of individuals outside of Deloitte’s organisations and visitors to our homepage. We hope that this privacy statement will help you understand what kind of information we process and how.

We may collect and process the below types of personal data for the purposes of

- providing services to our clients (which could be you, your employer or someone else that you have a relationship with);

-  Marketing and relationship management;

- compliance with legal or regulatory requirements;

- internal policies;

- ensuring the integrity of our systems and network;

- protecting our legal interests in case of a dispute; and

- handling inspections and queries by supervisory authorities, external auditors and legal advisors.

Basic data: name, address, telephone number, e-mail address, employment, title, education, age, birthday, gender, family circumstances, country of residence, passport information, social security number (Sw. personnummer)

Financial data: salary or other income, loans/debt, tax-related information, investments and assets

Online data: IP-address, ID/username on social media account, cookie ID and other online ID

Sensitive data: data relating to health and membership of trade union

Sensitive data will only be collected when there is a legal requirement such as statutory audit or payroll services, or when you give us your explicit consent.

Please note that we may collect other types of personal data if it is necessary to provide a specific service to a client.

We usually collect your personal data in the following ways:

  • Data collected directly from you
  • Data collected from a third person (such as your employer or a service provider)
  • Data collected from publicly available source (such as the Swedish Companies Registration Office, Swedish Tax Authorities and the website of the company you work for etc.)
  • Other Deloitte entities

We collect and process your personal data based on the following legal basis:

- Consent

- Performance of a contract

- A legal obligation to which we are subject to

- The legitimate interest of Deloitte or our client

The legitimate interest of Deloitte includes the following purposes

- Provide our clients with services;

- Ensure the integrity of our networks and systems;

- Compliance with internal policies;

- Relationship management and marketing purposes such as sending newsletters, facilitate Deloitte events; and

- Manage and improve our website.

To be able to tailor our website to provide you with a more personalized experience and to ensure that the communication we send to you are as relevant as possible we do basic profiling where we match your activity on our homepage to your marketing preferences if you accept cookies and sign up to receive communication from us. Please note that you have the right to object to the profiling but this would result in us not being able to personalize our communication to you. To object to the profiling you have to manage your cookie preferences. We are also able to track basic interactions to markering e-mails, such as click on links etc. If you object to profiling, based on e-mail interactions, please unsubscibe to marketing e-mails from Deloitte.

In connection with one or more purposes outlined in section 1, your personal data may be disclosed to and shared with the following recipients: Our client; public authorities; our professional advisors (e.g. auditor and legal advisors); service providers; IT-providers including cloud services; insurance and pension companies (if part of our services to our client) and other Deloitte entities.

We may also need to disclose your personal data to authorities and/or to other third parties if required to do so by law, a regulator or during legal proceedings.

Please note that some of the recipients of your personal data referenced above may be based in countries outside of the European Union whose laws may not provide the same level of data protection. In such cases, we will ensure that there are adequate safeguards in place through EU’s standard contractual clauses to protect your personal data that comply with our legal obligations.

We will hold your personal data on our systems for the longest of the following periods:

  • as long as is necessary for the relevant activity or services;
  • any retention period that is required by law (for example in audit, we have a legal obligation to retain data for 10 years after the end of the calendar year in which the audit was concluded); and
  • the end of the period in which litigation or investigations might arise in respect of the services.

We use a range of physical, electronic and managerial measures to ensure that we keep your personal data secure, accurate and up to date. These measures include:

  • education and training to relevant staff to ensure they are aware of our privacy obligations when handling personal data; 
  • administrative and technical controls to restrict access to personal data on a ‘need to know’ basis;
  • technological security measures, including fire walls, encryption and anti-virus software; and
  • physical security measures, such as staff security passes to access our premises.

Although we use appropriate security measures once we have received your personal data, the transmission of data over the internet (including by e-mail) is never completely secure. We endeavor to protect personal data, but we cannot guarantee the security of data transmitted to us or by us.

In case of a data breach, we have special measures set to limit the risk of information dissemination. We will of course follow the guidelines and requirements specified by the regulatory authority for incident reporting.

You have various rights in relation to your personal data. In particular, you have a right to:

  • obtain confirmation that we are processing your personal data and request a copy of the personal data we hold about you;
  • ask that we update the personal data we hold about you, or correct such personal data that you think is incorrect or incomplete;
  • ask that we delete personal data that we hold about you, or restrict the way in which we use such personal data;
  • withdraw consent to our processing of your personal data (to the extent such processing is based on consent);
  • receive a copy of the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and to transmit such personal data to another party (to the extent the processing is based on consent or a contract; and
  • object to our processing of your personal data.

In cases where we are a Data Controller, you can claim these rights directly from us. If we are a data processor, you should contact the Data Controller whom we receive your personal data from instead in order to exercise your rights. 

Please note that your rights are not absolute, Deloitte is subject to statutory professional secrecy which means that we might be restricted to disclose certain information to you.

If you wish to get into contact with us you can do that through this contact form.

You also have a right to file a complaint with the Swedish data protection authority (Sw. Integritetsskyddsmyndigheten).

Integritetsskyddsmyndigheten
Box 8114
104 20 Stockholm

Telephone: 08-657 61 00
E-post: imy@imy.se

If you have any questions regarding our processing of your personal data you are welcome to send an email to privacy@deloitte.se  
We keep our privacy notice under regular review and thus the notice may be subject to changes. The date of the last revision of the privacy notice can be found on the top of the page.