Policy för personuppgifter

Financial Advisory

1. Introduction

1.1 Purpose and scope

This policy is a management tool, not legal advice, and describes the application of the EU 679/219 General Data Protection Regulation (GDPR) in broad non-legal terms for Audit & Assurance services provided by Deloitte Sweden. This policy is to be seen as a supplemental to the Deloitte Privacy Policy available at www.deloitte.se, and the internal Nordic Security Council Data Privacy Policy for Deloitte employees and consultants.

1.2 Compliance with this policy

Adherence to this policy is mandatory for all Deloitte employees and consultants.

All Staff and Partners have an individual responsibility to ensure their personal compliance with this policy and should seek guidance from their national security team or further clarification if required.

2. Description of services

2.1 The financial advisory engagement comprises:

Transaction Services, Advisory Corporate Finance services, Restructuring Services (including statutory insolvency services), Forensic services (including Integrity Due Diligence services), Real Estate Financial Advisory and similar services.

Deloitte will be a Data Controller or a Data Processor when performing the services, depending on the scope and the ability for Deloitte to determine the purposes and means of processing personal data in the engagement.

3. Personal Data collected and processes

3.1 When Deloitte is a Data Controller, personal data is collected and processed for the following purposes

  • Compliance with applicable legal or regulatory obligations and requirements, and/or internal policies for the engagements
  • Providing our clients with services as they request, as for all services
  • Client account opening and other administrative purpose, as for Independence Checks
  • Services we receive from our professional advisors, such as lawyers, accountants and consultants

The legal ground for collection and processing of personal data is (a) we have a legitimate interest in processing personal information, which may be to:

  • provide services to our clients; 
  • keep you or our clients informed about relevant products and services and provide you with information, unless you have indicated at any time that you do not wish us to do so;
  • evaluate, develop or improve our services or products; or
  • protect our business interests


(b) we are subject to legal or regulatory obligations, such as providing information to a public body or law enforcement agency

The legitimate interest for Deloitte shall never compromise nor supersede your interest of not having your personal data processed. However, without access to all the personal information that we need, we may be unable to provide or complete the services for our client.

We believe that our client’s have interest in receiving information related to their specific business area that we as an auditing firm can provide them with. Such information can contain updated legal requirements from authorities, surveys of general/specific development within their business area, and other marketing related operations that they may benefit from.

3.2 When Deloitte is a Data Processor, the legal basis for processing the personal data within our engagement is the data processor agreement (DPA), of which we have entered into with the client for performing the services as described in the engagement letter.

3.3 Examples of data collected and processed during an engagement when we are Data Controllers

Personal data collected and processed during an engagement are typically but not limited to:

  • Name
  • Contact Details
  • Date of birth/personal id number
  • Government identifiers (such as national insurance number)
  • Employment records
  • Financial information

Deloitte may also need to process personal information that may be considered as a special categories of personal data (for instance health or ethnic origin) that we require in order to provide the services or that may become apparent to us based on the personal information that we receive from our Client’s.

  • Personal data may vary depending on the engagement, and the Client’s unique requests. An exhaustive list of all personal data that may be processed is therefore not possible to announce.

4. Retention of Personal Data

4.1 When Deloitte is a Data Controller, personal data is retained for as long as it is necessary to fulfil the purposes of our services; or as long as it is necessary in order to comply with applicable laws, professional standards; or as long as the period in which litigation or investigations might arise in respect of our services to our client. For processes in place to retain and erase client data please see our Retention policy.

However, certain data shall be stored/processed further then 10 years if:

a.Personal data is necessary for a potential dispute with the client. Relevant personal data shall be kept as long as the dispute is ongoing and the information is relevant

b. The relevant personal data about the client is kept in connection with unsettled invoices (debt collection)

4.2 When Deloitte is a Data Processor, the personal data is processed for as long as the engagement with the client is valid.

5. Personal Data Subjects Rights

5.1 The data subject in our engagements are defined as the employees, board members, owners and other stakeholders of the Company whom we have engagement for, or the third party companies that we perform analyzes of.

5.2 A data subject have various rights in relation to their personal data. As a data subject, you always have the right to request access, right of rectification, the right to erasure and the right to restriction of processing your personal data. You can also object to our processing. In cases where we are a Data Controller, you can claim these rights directly from us. If we are Data Processors, you should contact the Data Controller whom we receive the personal information from instead, in order to exercise the rights.

If you want to lodge a complaint to the Supervisory authority about our processing, you should contact Datainspektionen, www.datainspektionen.se.

If you have any questions, or if you wish to exercise any of your right’s as a registered data subject, we look forward to a notification to privacy@deloitte.se.