Personal Data Policy
1.1 Purpose and scope
1.2 Compliance with this policy
Adherence to this policy is mandatory for all Deloitte employees and consultants.
All Staff and Partners have an individual responsibility to ensure their personal compliance with this policy and should seek guidance from their national security team or further clarification if required.
2. Description of services
BPS provides services as interim solutions, project support and outsourced economy function. These services put BPS mainly in the position of a Data Processor. That means that BPS processes personal data on behalf of a Data Controller (e.g. the Client). The Data Controller determines the purpose and means of the processing, and instructs the Data Processor in how the personal data can and may be processed. The Data Processor is not entitled to process the personal data for its own purposes unless it is explicitly agreed. Since BPS mainly works in the Client’s digital environment, we are limited in the personal data we process.
Before entering into a contractual relation with a Client, it is mandatory for us as an auditing firm to carry out conflict and independence checks, due to the legal obligations we are subject to. We inform the Client of the purposes, the legal basis and the retention period of the personal data comprised in the checks. It is the Client’s responsibility to inform the data subjects about these checks, since the personal data is transferred to us from the Client, and we have no relation to the data subjects. Additional information about our Independence Checks can be found here [link].
3. Description of purposes, legal basis and processes
3.1 The purpose of processing personal data within our assignments
The purpose of the processing of personal data within BPS is to comply with the Client and engagement acceptance process and to provide accounting, payroll and bookkeeping services according to the engagement with the Client.
3.2 The legal ground for processing
The legal ground for processing the personal data within our engagement is the data processor agreement (DPA), which BPS has entered into with the Client for performing the services as described in the engagement letter.
3.3 The personal data that BPS mainly processes comprises:
- Former employees
- Suppliers' employees
- Customers' employees
General categories of personal data
- Phone number
- E-mail address
- Postal address
- Social Security number
- Work title
BPS does not process any special categories of personal data (e.g. race or ethnic origin, religious and philosophical beliefs, political opinions, health, trade union membership, genetic or biometric data).
4. Retention of Personal Data
4.1 The personal data is processed for as long as the engagement with the client is valid. Personal data can be processed after the engagement has ended if that is required by member state or national law.
When the engagement is terminated, the personal data shall be deleted or returned to the Client, and/or access to the personal data (if in the Client’s environment) shall be denied.
4.2 For processes in place to retain and erase the personal data of our Clients, please see our Retention policy.
5. Personal Data Subjects' Rights
5.1 You have various rights in relation to your personal data. In cases where we are a data controller, you can claim these rights directly from us. If we are data processors, you should instead contact the data controller from whom we receive your personal information, in order to exercise your rights.
If you have any questions, or if you wish to exercise any of your rights as a registered data subject, please notify us at firstname.lastname@example.org.