Policy för personuppgifter

Tax & Legal Sweden

National Data Privacy Policy for Tax & Legal services

1. Introduction

1.1 Purpose and scope

This policy is a management tool, not legal advice, and describes the application of the EU 679/219 General Data Protection Regulation (GDPR) in broad non-legal terms for Tax & Legal services provided by Deloitte Sweden. This policy is to be seen as a supplemental to the Deloitte Privacy Policy available at www.deloitte.se, and the internal Nordic Security Council Data Privacy Policy for Deloitte employees and consultants.

1.2 Compliance with this policy

Adherence to this policy is mandatory for all Deloitte employees and consultants.

All Staff and Partners have an individual responsibility to ensure their personal compliance with this policy and should seek guidance from their national security team or further clarification if required.

2. Description of services

The tax and legal services comprises practical and solution-oriented advice in the entire spectrum of tax issues for companies and individuals. Our expertise covers Swedish and international corporate taxation, individual taxation, transfer pricing, incentive programs, value added tax and other indirect taxes as well as some legal advisory services.

Deloitte is a Data Controller when performing the services within tax and legal services.

3. Personal Data collected and processes

3.1 The purpose of collecting and processing personal data
Personal data is collected and processed for the below listed purposes:

  • Compliance with applicable legal or regulatory obligations and requirements, and/or internal policies for our engagements (legal)
  • Providing our clients with services as they request, as for all services (contractual and consent)
  • Client account opening and other administrative purpose, such as Independence Checks (legal)
  • Services we receive from our professional advisors, such as lawyers, accountants and consultants (legitimate interest)

The legal grounds for collection and processing of personal data is contractual relations as well as consent and legitimate interest.

3.2 Examples of data collected and processed during our services

Personal data collected and processed during our services are typically but not limited to:
- Business contact information
- Age
- Date of birth
- Personal ID Number
- Gender
- Email address
- Home address
- Country of residence, passport number
- Family circumstances (for example marital status and dependents)
- Employment and education details (for example precious employment and education details)
- Financial and tax-related information
- Investments and assets
- IP- address
- Other categories of data, such as special category data, necessary to perform the services requested

4. Retention of Personal Data

4.1 Personal Data is retained for 12 years due to legal obligation and Deloitte’s internal data retention standards. For processes in place to retain and erase client data please see our Retention policy.

Certain data shall be stored/processed beyond the above limitations if:

a. Personal data is necessary for a potential dispute with the client/client’s employees. Relevant personal data shall be kept as long as the dispute is ongoing and the information is relevant
b. The relevant personal data about the client/client’s employees is kept in connection with unsettled invoices (debt collection)

5. Personal Data Subjects Rights

5.1 The data subject in our services are defined as the employees, board members, owners and other stakeholders of the Client whom we have the engagement for.

5.2 The rights of the data subject is restricted according to legal requirements of professional secrecy that we are obliged to adhere to while providing our services. Exercise of the registered’s rights must for that reason be decided in each case. The data subject would most likely not have the right to request access, right of rectification, the right to erasure nor the right to restriction of processing the personal data. If you want to lodge a complaint to the Supervisory authority about our processing, you should contact Datainspektionen, www.datainspektionen.se.

If you have any questions, or if you wish to exercise any of your right’s as a registered data subject, we look forward to a notification to privacy@deloitte.se.