Personal Data Policy

BPS Sweden

National Data Privacy Policy for BPS services

1. Introduction

1.1 Purpose and scope

This policy is a management tool, not legal advice, and describes the application of the EU 679/219 General Data Protection Regulation (GDPR) in broad non-legal terms for BPS services provided by Deloitte Sweden. This policy is to be seen as a supplement to the Deloitte Privacy Policy available at www.deloitte.se, and the internal Nordic Security Council Data Privacy Policy for Deloitte employees and consultants.

1.2 Compliance with this policy

Adherence to this policy is mandatory for all Deloitte employees and consultants.

All Staff and Partners have an individual responsibility to ensure their personal compliance with this policy and should seek guidance from their national security team or further clarification if required.

2. Description of services

BPS provides services as interim solutions, project support and outsourced economy function. These services put BPS mainly in the position of a Data Processor. That means that BPS processes personal data on behalf of a Data Controller (e.g. the Client). The Data Controller determines the purpose and means of the processing, and instructs the Data Processor in how the personal data can and may be processed. The Data Processor is not entitled to process the personal data for its own purposes unless it is explicitly agreed. Since BPS mainly works in the client’s digital environment, we are limited in the personal data we process.

Before entering into a contractual relation with a Client, it is mandatory for us as an auditing firm to carry out conflict and independence checks, due to the legal obligations we are subject to. We inform the Client of the purposes, the legal basis and the retention period of the personal data comprised in the checks. It is the Client’s responsibility to inform the data subjects about these checks, since the personal data is transferred to us from the Client, and we have no relation to the data subjects. Additional information about our Independence Checks can be found here [link].

3. Description of purposes, legal basis and processes

3.1 The purpose of processing personal data within our assignments

The purpose of the processing of personal data within BPS is to comply with the Client and engagement acceptance process and to provide accounting, payroll and bookkeeping services according to the engagement with the client.

3.2 The legal ground for processing

The legal ground for processing the personal data within our engagement is the data processor agreement (DPA) that BPS has entered into with the Client for performing the services as described in the engagement letter.

3.3 The personal data that BPS mainly processes comprises:

Data subjects

  • Employees
  • Former employees
  • Suppliers
  • Suppliers' employees
  • Customers
  • Customers' employees

General categories of personal data

  • Name
  • Phone number
  • E-mail address
  • Postal address
  • Social Security number
  • Work title

BPS does not process any special categories of personal data (e.g. race or ethnic origin, religious and philosophical beliefs, political opinions, health, trade union membership, genetic or biometric data).

4. Retention of Personal Data

4.1 The personal data is processed for as long as the engagement with the client is valid. Personal data can be processed after the engagement has ended if that is required by member state or national law.

When the engagement is terminated the personal data shall be deleted or returned to the Client, and/or access to the personal data (if in the Client’s environment) shall be denied.

4.2 For the processes in place to retain and erase the personal data of our Clients, please see our Retention policy.

5. Personal Data Subjects Rights

5.1 You have various rights in relation to your personal data. In cases where we are a data controller, you can claim these rights directly from us. If we are a data processor, you should instead contact the data controller from whom we receive your personal information in order to exercise your rights.

If you have any questions, or if you wish to exercise any of your rights as a registered data subject, please notify us at privacy@deloitte.se.