Policy for Personal Data

Audit Sweden

National Data Privacy Policy for Audit & Assurance services

1. Introduction

1.1 Purpose and scope

This policy is a management tool, not legal advice, and describes the application of Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), in broad non-legal terms for Audit & Assurance services provided by Deloitte Sweden. This policy is to be seen as a supplement to the Deloitte Privacy Policy available at www.deloitte.se and to the internal Nordic Security Council Data Privacy Policy for Deloitte employees and consultants.

1.2 Compliance with this policy

Adherence to this policy is mandatory for all Deloitte employees and consultants.

All Staff and Partners have an individual responsibility to ensure their personal compliance with this policy and should seek guidance or further clarification from their national security team if required.

2. Description of services

2.1 The audit and assurance engagement comprises:

  • Examination, in accordance with the Swedish Companies Act (2005:551), of the Company's accounts and annual report and of the administration by the board of directors and, when applicable, the managing director ("the Management") of the Company, which is intended to provide us with evidence supporting our audit report to the annual general meeting,
  • Other examination and reporting which it is incumbent upon the elected auditor to perform under the Swedish Companies Act ("Statutory supplementary engagements"), and
  • Assistance and advice occasioned by observations made in the course of such examination, and other comparable advice ("Audit advice").

The audit is conducted in accordance with generally accepted auditing standards in Sweden.

Deloitte acts as Data Controller when performing the services within the Audit and Assurance engagement.

3. Personal Data collected and processed

3.1 The purpose of collecting and processing personal data

Personal data is collected and processed for the following purposes:

  • Compliance with applicable legal or regulatory obligations and requirements, and/or internal policies, for Audit and Assurance engagements
  • Providing our clients with the services they request (as for all our services)
  • Client account opening and other administrative purposes, such as independence checks
  • Services we receive from our professional advisors, such as lawyers, accountants and consultants

The legal ground for the collection and processing of personal data is the legal obligation to which Deloitte is subject for Audit and Assurance engagements (Art. 6(1)(c) GDPR).

3.2 Examples of data collected and processed during an audit engagement

Personal data collected and processed during an audit engagement typically include, but are not limited to:

- Business contact information
- Age
- Date of birth
- Personal ID Number
- Gender
- Email address
- Home address
- Country of residence, passport number
- Family circumstances (for example marital status and dependents)
- Employment and education details (for example previous employment and education details)
- Financial and tax-related information
- Investments and assets
- IP address

4. Retention of Personal Data

4.1 Personal data is retained for 10 years due to a legal obligation. For the processes in place to retain and erase client data, please see our Retention policy.

However, certain data shall be stored/processed for longer than 10 years if:

a. The personal data is necessary for a potential dispute with the client. Relevant personal data shall be kept as long as the dispute is ongoing and the information is relevant.

b. The relevant personal data about the client is kept in connection with unsettled invoices (debt collection).

5. Personal Data Subjects Rights

5.1 The data subjects in audit services are defined as the employees, board members, owners and other stakeholders of the Company for which we hold the audit and assurance engagement.

5.2 The rights of the data subject are restricted by the legal requirements of professional secrecy that the auditor is obliged to adhere to in the case of Audit and Assurance services (Revisionslag (1999:1079) § 35). Whether a data subject's rights can be exercised must for that reason be decided in each individual case. The data subject would most likely not have the right to request access, the right to rectification, the right to erasure or the right to restriction of processing of the personal data. If you want to lodge a complaint with the supervisory authority about our processing, you should contact Datainspektionen, www.datainspektionen.se.

If you have any questions, or if you wish to exercise any of your rights as a registered data subject, please notify us at privacy@deloitte.se.