Personal Data Policy

Risk Advisory Sweden

National Data Privacy Policy for RA services

1. Introduction

1.1 Purpose and scope

This policy is a management tool, not legal advice, and describes the application of the EU 679/219 General Data Protection Regulation (GDPR) in broad non-legal terms for Risk Advisory services provided by Deloitte Sweden. This policy is to be seen as a supplement to the Deloitte Privacy Policy available at www.deloitte.se, and to the internal Nordic Security Council Data Privacy Policy for Deloitte employees and consultants.

1.2 Compliance with this policy

Adherence to this policy is mandatory for all Deloitte employees and consultants. 

All Staff and Partners have an individual responsibility to ensure their personal compliance with this policy and should seek guidance or further clarification from their national security team if required.

2. Description of services

Risk Advisory provides audit and consulting services within strategic and reputational, regulatory, financial, operational and cyber risk management. For our services, Risk Advisory will become either Data Controller or Data Processor depending on the character of the engagement, which entails different responsibilities and obligations. Auditing services put Risk Advisory in the role of Data Controller. This means that Deloitte determines the purposes and means of the processing of personal data. General advisory services often constitute a Data Processor role.

All services and engagements could involve processing personal data of data subjects of the Client. If Risk Advisory is to be a Data Controller, information about the processing of personal data shall be attached to the engagement letter. If Risk Advisory is to be a Data Processor, a Data Processing Agreement shall be entered into as a part of the engagement letter.

3. Description of purposes, legal basis and processes

3.1 The purpose of processing personal data within our assignments

Risk Advisory’s purpose in processing personal data is to perform independent audits and qualified advisory services with regard to our contractual engagements with clients.

3.2 The legal ground for processing

When acting as a Data Controller, Risk Advisory’s legal ground for processing personal data is the legal obligation to which we are subject when performing auditing services, or legitimate interest when performing advisory services.

When acting as a Data Processor, the legal ground for processing personal data is the Data Processor Agreement (DPA). 

3.3 The personal data that Risk Advisory mainly processes comprises:

Data subjects

• Suppliers of the Client

• Employees of the Client's suppliers

• Board members and/or stakeholders of Clients

• Client's employees

• Client's customers

General categories of personal data

• Name

• Phone number

• E-mail address

• Postal address

• Social Security number

• Work title

• Gender

• Employment and education details (for example previous employment and education details)

• Financial and tax-related information

• Employment records

• AML related information (for example KYC-documentation)

• Investments and assets

• IP address

Risk Advisory could potentially process special categories of personal data (e.g. racial or ethnic origin, religious and philosophical beliefs, political opinions, health, trade union membership, genetic or biometric data). If such data is to be processed within an engagement, this should be specifically stated.

4. Retention of Personal Data

4.1 When Deloitte is a Data Controller, personal data is retained for as long as it is necessary to fulfil the purposes of our services; or as long as it is necessary in order to comply with applicable laws and professional standards; or for as long as the period in which litigation or investigations might arise in respect of our services to our client. For the processes in place to retain and erase client data, please see our Retention policy.

However, certain data shall be stored/processed for longer than 10 years if:

a. The personal data is necessary for a potential dispute with the client. Relevant personal data shall be kept as long as the dispute is ongoing and the information is relevant.
b. The relevant personal data about the client is kept in connection with unsettled invoices (debt collection).

4.2 When Deloitte is a Data Processor, the personal data is processed for as long as the engagement with the client is valid, or as long as it is necessary in order to comply with applicable laws and professional standards.

5. Personal Data Subjects Rights

5.1 A data subject has various rights in relation to their personal data. As a data subject, you always have the right to request access, the right of rectification, the right to erasure and the right to restriction of processing of your personal data. You can also object to our processing. In cases where we are a Data Controller, you can claim these rights directly from us. If we are a Data Processor, you should instead contact the Data Controller from whom we receive the personal information in order to exercise these rights.

If you want to lodge a complaint with the supervisory authority about our processing, you should contact Datainspektionen, www.datainspektionen.se.

If you have any questions, or if you wish to exercise any of your rights as a registered data subject, please notify us at privacy@deloitte.se.