Deloitte Audit Privacy Statement
Last revised: 30 May 2018
This Privacy Statement explains what personal information we may gather about you when we provide our clients with services and how this personal information may be used and shared. This Privacy Statement also sets out your rights in relation to your personal information and tells you who you can contact if you have questions.
This Privacy Statement is divided into the sections listed below:
- Who does this Privacy Statement apply to and what does it cover?
- What personal information do we collect?
- How do we collect personal information?
- Disclosing personal information relating to third parties
- How do we use your personal information?
- On what legal basis do we process personal information about you?
- To whom will we disclose your personal information?
- How do we keep your personal information secure?
- How long will we keep your personal information?
- Sending you marketing information
- What are your rights?
- Changes to this Privacy Statement
- Contact us
Who does this Privacy Statement apply to and what does it cover?
This Privacy Statement applies to Deloitte LLP, an entity within the Deloitte Network (also referred to as “Deloitte”, “we”, “us”, and “our”). As used in this Privacy Statement, the “Deloitte Network” refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms and associated entities, each of which is a legally separate and independent entity. Please see deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.
This Privacy Statement applies to the Audit part of Deloitte’s business. This business carries out external audits and external assurance engagements, in many cases because of a legal requirement, as well as related services such as internal audits and the giving of advice. In most circumstances when providing our services in Audit we will be acting as a Data Controller, and this Privacy Statement sets out how we will process your personal information when providing these services.
Your personal information will be protected and handled with utmost consideration for its confidentiality and your privacy.
This Privacy Statement contains additional details about when we may share your personal information with other members of the Deloitte Network and other third parties (for example, our service providers).
In this Privacy Statement, we refer to handling, collecting, protecting and storing your personal information as "processing".
What personal information do we collect?
Deloitte may collect personal information relating to you such as:
- contact details;
- date of birth;
- government identifiers (such as national insurance number);
- employment records; or
- financial information.
Deloitte may also need to process personal information about you that may be considered sensitive or a special category (for example about your health or ethnic origin) that we require to be able to provide the services or that may become apparent to us based on the personal information that we receive.
How do we collect personal information?
Deloitte may collect personal information about you in different ways, for example:
- you may provide it directly to us;
- we may obtain it because of the services that Deloitte provides or has previously provided to our clients;
- we may receive it from other members of the Deloitte Network or from third parties, such as your employer, or a tax authority and/or other relevant authority/administrative bodies; or
- we may have observed or inferred it from the information you provide to us and the way you interact with us, for example from cookies used on a Deloitte Network website you visit.
This personal information can be received in any manner, including in-person discussions, telephone conversations, and electronic or other written communications.
Without access to all the personal information that we need, we may be unable to provide or complete the services for our client.
Where another person (a company or a partnership (eg your employer) or any third parties acting on your or their behalf) provides your personal information to us, they must also comply with their obligations under the relevant privacy laws and regulations.
Disclosing personal information to us relating to third parties
If any personal information which you provide to us relates to any third party, then by providing us with their personal information you confirm that you have obtained any necessary permissions from those persons to the reasonable use of their personal information in the way set out in this Privacy Statement, or you are otherwise permitted to give us this personal information. You should share a copy of this Privacy Statement with those other individuals when disclosing any personal information about them to us.
How do we use your personal information?
Deloitte collects personal information about you to:
- provide services to our client;
- keep you informed of services we think may be of interest to you; or
- produce aggregate insights that do not identify you.
We may also use your personal information for the purposes of, or in connection with:
- compliance with applicable legal, regulatory or professional requirements; or
- protecting our rights and/or property.
On what legal basis do we process personal information about you?
We are required by law to set out in this Privacy Statement the legal grounds upon which we rely in order to process your personal information.
We may use your personal information for the purposes outlined above because:
(a) we are subject to legal or regulatory obligations. This is the most common ground for external audits and external assurance. For example, it is a legal obligation for most companies to have an external audit, which involves them passing data to an independent external auditor. There may be other legal obligations, for example, the rules around client money held by financial institutions require those institutions to have someone independent check it is being handled properly. In addition, we may need to provide information to a public body or law enforcement agency; or
(b) we have a legitimate interest in processing your personal information, which may be to:
- provide services to our clients;
- keep you or our clients informed about relevant products and services and provide you with information, unless you have indicated at any time that you do not wish us to do so;
- evaluate, develop or improve our services or products; or
- protect our business interests.
To the extent that we process any special categories of data relating to you for any of the purposes outlined above, we will do so because either: (i) you have given us your explicit consent to process that data; (ii) we are required by law to process that data in order to ensure we meet our 'know your client' and 'anti-money laundering' obligations (or other legal obligations imposed on us); (iii) the processing is necessary to carry out our obligations under employment, social security or social protection law; (iv) the processing is necessary for the establishment, exercise or defence of legal claims; (v) you have made the data manifestly public; or (vi) the processing is necessary for reasons of substantial public interest.
To whom will we disclose your personal information?
In connection with one or more of the purposes outlined in the “How do we use your personal information?” section above, we may disclose your personal information to:
- other members of the Deloitte Network;
- those individuals or entities with whom you have requested us to share information, such as your spouse or civil partner;
- competent authorities, including courts and authorities regulating us, another member of the Deloitte Network, or our client, in each case to comply with legal or regulatory obligations or requests;
- service providers handling your information on our behalf; in each case, such service providers will be contractually bound by confidentiality and privacy obligations consistent with the obligations in this Privacy Statement; or
- third parties to whom we disclose information in the course of providing services to our client.
Please note that some of the recipients of your personal information referred to above may be based in countries or regions without data protection rules similar to those in effect in your area of residence. In such cases, adequate safeguards will be in place to protect your personal information. Such adequate safeguards might include a data transfer agreement with the recipient based on standard contractual clauses approved by the European Commission for transfers of personal information to those countries.
For further details about the transfers described above and the adequate safeguards used by Deloitte with respect to such transfers, please contact us using the details below.
How do we keep your personal information secure?
We have in place reasonable commercial standards of technology and operational security to protect your personal information from loss, misuse and unauthorised access, disclosure, alteration or destruction. Only authorised personnel, with appropriate awareness of privacy and security obligations, are provided access to personal information.
How long will we keep your information?
We retain personal information as long as is necessary to fulfil the purposes identified in the “How do we use your personal information?” section above or as otherwise necessary to comply with applicable laws, professional standards, or as long as the period in which litigation or investigations might arise in respect of our services to our client.
Sending you marketing information
We and other members of the Deloitte Network may use your information from time to time to inform you by letter, telephone, email and other electronic methods, about similar products and services (including those of third parties) which may be of interest to you.
You may, at any time, request that we and/or other members of the Deloitte Network do not send such information to you by one, some or all channels, by following the opt-out instructions in communications from us or writing to us.
What are your rights?
You have various rights in relation to your personal information. In particular, you have a right to:
- obtain confirmation that we are processing your personal information and request a copy of the personal information we hold about you;
- ask that we update the personal information we hold about you, or correct such information that you think is inaccurate or incomplete;
- ask that we delete personal information that we hold about you, or restrict the way in which we use your personal information;
- withdraw consent to our processing of your personal information (to the extent our processing is reliant on your consent);
- ask us to stop or start sending you marketing messages at any time; and
- object to our processing of your personal information.
Any request for access to or a copy of your personal information must be in writing and we will endeavour to respond within a reasonable period and in any event within the period required by applicable data protection legislation. We will comply with our legal obligations as regards your rights as a data subject.
Changes to this Privacy Statement
We may modify or amend this Privacy Statement from time to time at our discretion. When we make changes to this Statement, we will amend the revision date at the top of this page and the modified or amended privacy statement shall apply to you and your personal information as of that revision date. We encourage you to review this Privacy Statement on our website periodically to be informed about how we are protecting your personal information.
Contact us
If you wish to exercise any of the rights relating to your information set out above, or if you have any questions or comments about privacy issues, or you wish to raise a complaint about how we are using your information, you can contact us in the following ways:
- write to Data Protection Officer, Deloitte LLP at 2 New Street Square, London EC4A 3BZ; or
- send an email to DPO@deloitte.co.uk.
If you have any concerns about our use of your information, you also have the right to make a complaint to the Information Commissioner's Office, which regulates and supervises the use of personal data in the UK, via their helpline on 0303 123 1113. If you are not based in the UK, you have a right to complain to the EU Data Protection Authority (“DPA”) in your jurisdiction. If you would like to be directed to the appropriate DPA, please contact us.