Last updated: 18 June 2026
Definitions:
“Deloitte” refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities (collectively, the “Deloitte organization”). DTTL (also referred to as “Deloitte Global”) and each of its member firms and related entities are legally separate and independent entities, which cannot obligate or bind each other in respect of third parties. DTTL and each DTTL member firm and related entity is liable only for its own acts and omissions, and not those of each other. DTTL (also referred to as "Deloitte Global") does not provide services to clients. Please see www.deloitte.com/about to learn more.
“Deloitte Central Europe” (“Deloitte CE”) is a regional organization of entities organized under the umbrella of Deloitte Central Europe Holdings Limited, the member firm in Central Europe of Deloitte Touche Tohmatsu Limited. Services are provided by the subsidiaries and affiliates of, and firms associated with Deloitte Central Europe Holdings Limited, which are separate and independent legal entities.
“Controller” (“we”, “us” or “our”) means a controller or data controller determining the purposes of personal data processing (as further defined in the Data Protection Legislation).
“Processor” means a data processor processing personal data on behalf of the controller (as further defined in the Data Protection Legislation).
“Data Protection Legislation” means the following legislation to the extent applicable from time to time: (a) national laws implementing the Directive on Privacy and Electronic Communications (2002/58/EC); (b) the GDPR; (c) ePrivacy and (d) any other similar national privacy law.
“GDPR” means the General Data Protection Regulation (EU) (2016/679).
“Personal Data” means any information relating to an identified or identifiable natural person / data subject that is processed in connection with or as part of the services provided to our clients or in relation to contractual relationships with our vendors, contractors or subcontractors, or as necessary for activities that are part of our standard business operations.
“Processing” means any operation or set of operations on personal data (manual or automated) such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, restriction, erasure or destruction (as further defined in the Data Protection Legislation).
“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed (as further defined in the Data Protection Legislation).
Summary:
This Privacy Statement is applicable to processing of your personal data (“data”) by us and explains:
This Privacy Statement applies from the date specified at the top of the page. We may modify or amend this Privacy Statement from time to time; therefore, we encourage you to review this statement periodically.
What personal data we process: We process personal data that we obtain from the individual who referred you and recommended you as a suitable candidate, from our cooperating recruitment agency, or from personal data that you have explicitly made publicly available (on social media sites or otherwise).
These personal data include:
For the purposes specified below, we do not collect or process any ‘sensitive’ or ‘special categories’ of personal data as defined in the Data Protection Legislation.
Purposes of your data processing (the “Purposes”):
Evaluation of your experience, skills, and education to decide on your suitability to be involved in the recruitment process for our existing job opportunities.
Legal basis for your data processing:
We process your personal data only when the processing is necessary:
Retention of your personal data: Your personal data shall be retained by us only for as long as necessary to fulfil the purposes of processing. The maximum retention period is 28 days. Before this period expires, we will either contact you with an invitation to the hiring process or permanently delete your personal data (unless you give us your explicit and unambiguous consent to further processing of your personal data).
Personal data controller: In the context of this Privacy Statement, the data controller is the Deloitte CE entity leading the decision-making process, as listed at: Personal Data Controllers
Sharing and transferring your personal data: Your personal data may be disclosed, transferred to, and processed by the following recipients for the Purposes:
Deloitte CE group of entities listed at: Our Markets at Deloitte CE If applicable, your personal data will be processed only to the extent permitted for the Purposes and in accordance with the Data Protection Legislation. Each recipient shall be responsible for ensuring the appropriate protection of your data, providing information on the processing of your data, and obtaining additional consents if required. If your data is transferred across country borders (including to territories outside the European Union), such transfer will take place only where the requirements stipulated by the Data Protection Legislation for such transfers are fulfilled. Your personal data will be disclosed only to selected members of Deloitte CE Talent leadership and local talent teams, and to individuals who have decision-making authority in the selection process.
Processors: our approved administrative and IT service suppliers:
Their access rights are strictly limited to what is necessary for technical, administrative, and help desk support services.
Your personal data may also be processed by recruitment agencies cooperating with Deloitte CE.
Security of processing: We and our data processors have established technological, physical, administrative, and procedural safeguards in line with industry-accepted standards in order to protect and ensure the confidentiality, integrity, and availability of all personal data processed; prevent unauthorized use of or access to personal data; and prevent personal data breaches (security incidents), in accordance with Deloitte CE policies and the Data Protection Legislation. Deloitte CE holds ISO 27001 certification, a widely recognized global information security standard.
Your rights:
You have the right to:
You may object to the processing of your personal data (in certain cases as specified by the GDPR), as well as exercise your right to data portability (receive a copy of the personal data that you provided to us in a structured, machine-readable format and request us to transmit such data to another recipient).
You can exercise all rights described here and submit any questions related to the processing of your personal data, including the security safeguards for transfers of personal data outside the EU, by sending an e-mail to CEprivacy@deloittece.com or by submitting an e-mail or written notice to the relevant Deloitte Central Europe entity acting as the controller of your personal data (i.e., the recruiting Deloitte entity with which you are applying or otherwise interacting).
It is also your right to lodge a complaint with a local data protection supervisory authority in the country of your residence in case you are of an opinion that the processing of your personal data infringes the GDPR.