Personal Data Policy

Accounting Sweden

National Data Privacy Policy for Accounting services

1. Introduction

1.1 Purpose and scope

This policy is a management tool, not legal advice, and describes the application of the EU 679/219 General Data Protection Regulation (GDPR) in broad non-legal terms for BPS services provided by Deloitte Sweden. This policy is to be seen as a supplement to the Deloitte Privacy Policy available at www.deloitte.se, and to the internal Nordic Security Council Data Privacy Policy for Deloitte employees and consultants.

1.2 Compliance with this policy

Adherence to this policy is mandatory for all Deloitte employees and consultants.

All Staff and Partners have an individual responsibility to ensure their personal compliance with this policy and should seek guidance from their national security team or further clarification if required.

2. Description of services

Accounting provides the services of an outsourced finance function. These services put Accounting mainly in the position of a Data Processor. That means that Accounting processes personal data on behalf of a Data Controller (e.g. the Client). The Data Controller determines the purpose and means of the processing, and instructs the Data Processor on how the personal data can and may be processed. The Data Processor is not entitled to process the personal data for its own purposes unless this is explicitly agreed.

2.1 The accounting services and engagement comprise:

• Book-keeping
• Monthly accounts
• Annual accounts
• Annual reports
• Payroll services (monthly calculations and reports as well as yearly summaries)
• Tax returns (VAT and PAYE returns, income tax returns)
• Consultations – accounting and tax issues
• Similar actions necessary to fulfil the assignment

2.2 Before entering into a contractual relation with a Client, it is mandatory for us as an auditing firm to carry out conflict and independence checks, due to the legal obligations we are subject to. We inform the Client of the purposes, the legal basis and the retention period of the personal data comprised in the checks. It is the Client’s responsibility to inform the data subjects about these checks, since the personal data is transferred to us from the Client, and we have no relation to the data subjects. Additional information about our Independence Checks can be found here [link].

3. Description of purposes, legal basis and processes

3.1 The purpose of processing personal data within our assignments

The purpose of the processing of personal data within Accounting is to comply with the Client and engagement acceptance process and to provide accounting, payroll and bookkeeping services according to the engagement with the Client.

3.2 The legal basis

The legal basis for processing the personal data within our engagement is the data processor agreement (DPA), which Accounting has entered into with the Client for performing the services as described in the engagement letter.

3.3 Examples of data collected and processed during an Accounting engagement

Personal data collected and processed on instructions from the Client typically includes, but is not limited to:

- Business contact information
- Date of birth
- Personal ID Number
- Email address
- Home address
- Country of residence, passport number
- Family circumstances (for example marital status and dependents)
- Employment and employment details (for example salary, benefits, loans)
- Payroll information
- Financial and tax-related information
- Insurance and pension information
- Investments and assets
- IP address

Personal data may vary depending on the engagement and the Client’s unique requests. It is therefore not possible to provide an exhaustive list of all personal data that may be processed.

Accounting does not process any special categories of personal data (e.g. race or ethnic origin, religious and philosophical beliefs, political opinions, health, trade union membership, genetic or biometric data).

4. Retention of Personal Data

4.1 The personal data is processed for as long as the engagement with the Client is valid. After that, documentation of the assignment is retained for 10 years due to Reko 140 p. 5 (Swedish standard for accounting and payroll services).

4.2 For the processes in place to retain and erase the personal data of our Clients, please see our Retention policy.

5. Personal Data Subjects Rights

5.1 You have various rights in relation to your personal data. In cases where we are a data controller, you can claim these rights directly from us. If we are a data processor, you should instead contact the data controller from whom we receive your personal information, in order to exercise your rights.

5.2 As a data subject, you always have the right to request access, the right of rectification, the right to erasure and the right to restriction of processing of your personal data. You can also object to our processing. If you want to lodge a complaint with the supervisory authority about our processing, you should contact Datainspektionen, www.datainspektionen.se.

If you have any questions, or if you wish to exercise any of your rights as a registered data subject, please notify us at privacy@deloitte.se.