Policy för personuppgifter

Clients & Industries Sweden

National Data Privacy Policy for Clients & Industries services

1. Introduction

1.1 Purpose and scope

This policy is a management tool, not legal advice, and describes the application of the EU 679/219 General Data Protection Regulation (GDPR) in broad non-legal terms for Clients & Industries services provided by Deloitte Sweden. This policy is to be seen as a supplemental to the Deloitte Privacy Policy available at www.deloitte.se, and the internal Nordic Security Council Data Privacy Policy for Deloitte employees and consultants.

1.2 Compliance with this policy

Adherence to this policy is mandatory for all Deloitte employees and consultants.

All Staff and Partners have an individual responsibility to ensure their personal compliance with this policy and should seek guidance from their national security team or further clarification if required.

2. Description of services

Clients & Industries is a survey and marketing function within Deloitte Sweden, offering support to business areas on:

- Key Client programs
- Relationship building initiatives
- Communications, branding, marketing and crisis management

The services puts Clients & Industries in the position of a Data Controller. We determine the purpose and means of the processing, e.g. how personal data can and may be processed.

2.1 The Client & Industries services and engagement comprises processing of personal data of data subjects with a relation to Deloitte as Clients, or data subjects that has consent to our processing of their personal data, or data subjects where we believe they benefit from information and communication we provide them with. The personal data processed are typically

- Contact information (name, company, e-mail, phone number etc.)
- Contact role/persona (business role and responsibilities, education)
- Event registration information (including dietary restrictions)
- Communication history – event registrations, received e-mails, link clicks
- Survey data – may contain multi-purpose survey data

3. Description of purposes, legal basis and processes

3.1 The purpose of processing personal data

C&I processes personal data in order to:
- Communicate with the purpose of relevant information and marketing to clients, potential clients, employees and students; Primarily newsletters and invitations
- Keep track on event registrations
- Enable certain digital features to the organization, e g survey tool, event app tools etc.

3.2 The legal basis

The legal basis for processing the personal data is for some operations consent, and for other Clients & Industries legitimate interest. Where the legal basis is consent, such consent is transparent, freely given and specific for the service, of which the data subject can always withdraw. Where the legal basis is legitimate interest for Deloitte, such interest shall never compromise nor supersede the data subjects interest of not having it’s personal data processed.

We believe that Client’s and Client’s representatives have interest in receiving information related to their specific business area that we as an auditing firm can provide them with. Such information can contain updated legal requirements from authorities, surveys of general/specific development within their business area, and other marketing related operations that they may benefit from.

We also believe that potential Client’s and their representatives, applicants to positions within Deloitte, students etc. have the same interest, and due to that we process personal data of these groups as well. The personal data we have of them come from either collection from different public sources, or from social media as LinkedIn or our own Facebook site, or directly from these subject if they participate in events, network meetings and similar gatherings.

When communicating, we always offer the possibility of unsubscribing further information from us by ticking a link that always follow every mail sent from us.

Clients & Industries doesn’t process any special categories of personal data (eg. race or ethical origin, religious and philosophical beliefs, political opinions, health, trade union membership, genetic or biometric data).

4. Retention of Personal Data

Personal data is processed for as long as the respective needs for processing is still relevant and data deemed correct.

Clients & Industries has a bi-annual sorting out processes in place for each record of personal data, to keep the personal data up to date, accurate and relevant.
For processes in place to retain and erase the personal data of our Client’s, please see our Retention policy.

5. Personal Data Subjects Rights

5.1 As a data subject, you always have the right to request access, right of rectification, the right to erasure and the right to restriction of processing your personal data. You can also object to our processing. If you want to lodge a complaint to the Supervisory authority about our processing, you should contact Datainspektionen, www.datainspektionen.se.

If you have any questions, or if you wish to exercise any of your right’s as a registered data subject, we look forward to a notification to privacy@deloitte.se.