INFORMATION OF PERSONAL DATA PROCESSING (Privacy Notice)
Provided by Executive Committee of Deloitte1 Central Europe (“ExCo”)
To name residing at adress
Date of birth DD MM YYYY
(Hereinafter the “Partner”)
In accordance with the EU General Data Protection Regulation (EU) 2016/679 (hereinafter the “GDPR”), you acknowledge that the Data Controller is the ExCo and your personal data specified herein will be processed by the Deloitte CE entity (“DELOITTE”) in the country of your residence authorized by the Data Controller. The processing is carried under the Deloitte CE Partner Agreement and in connection with, or in relation to all the purposes arising from the Deloitte CE Partner Agreement, Deloitte CE policies and procedures or any other additional agreement concluded with any entity of Deloitte CE group.
A. Definitions:
“Controller“ means the natural or legal person, public authority, agency or other body which alone or jointly with others, determines the purposes and means of the processing of personal data.
“Personal data” any information relating to an identified or identifiable natural person (data subject)
“Processor” means a natural or legal person, public authority, agency or other body, which processes personal data on behalf of the Data Controller.
“Recipient“ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed. In relation to your personal data the Recipients can be e.g. employees(-s) of Controller, or Processor. Public authorities which may receive Personal Data in the framework of a particular inquiry in accordance with the law shall not be regarded as Recipients.
B. Personal data categories and extent of the processing:
DELOITTE will process your personal data to the following extent:
- personal data to the extent required by the relevant applicable legislation provided by you or obtained from the competent authorities (this may include the special categories of personal data as defined by GDPR – data revealing your ethnic or racial origin or data concerning health in particular);
- personal data submitted by you before entering into the contractual relationship (your name, surname, permanent residency, contact data, ID numbers, numbers of your documents such as passports or visa´);
- personal data relating to your professional qualifications and experience, including the data included in the excerpt from the criminal records issued by the competent authorities;
- other personal data relating to your relationship with Deloitte CE and performance of your obligations related to this relationship (for example: performance management data, data on trainings and e-learnings attendance, phone-call lists, usage of DELOITTE devices and Deloitte CE systems etc.) whether provided or created by you or by other persons;
- personal data of your family members or dependents provided by you if this is required by applicable legislation in the areas of social and health security or for the purposes or various benefit programs provided by Deloitte CE (Please note that prior when providing the personal data of other persons to Deloitte CE you shall ensure that the respective persons are informed and their consents is obtained (where required by the applicable laws) and photographs, video and audio recordings.
C. Purpose of processing of your personal data and the legal basis:
Performance of a contract
The purpose of processing of your personal data is for the Deloitte CE to exercise its rights and obligations pursuant to Partner Agreement and other relevant legislation, in particular, with regard to
- Keeping reports on background checks performed prior you joined Deloitte CE in the extent and for the purposes as described in the Information on Background Check Procedure delivered to you prior the screening
- Confirmation of compliance with Deloitte CE Independence policies, to be verified by the Deloitte CE Independence Director prior to or at the start of this engagement.
- Maintaining the professional standing reviews (performed prior any change of partnership and periodically during the term of the Deloitte CE Partner Agreement (every 5 years). Professional standing reviews involve processing of the following personal data collected from the publicly available sources:
- Business information - corporate affiliations, shareholding and administrating information (past and current);
- Details in respect of ownership structure and registration, including timeline of ownership, and registered activity of the companies;
- Financial information – financial statements or indicators, depending on the availability of information;
- International Sanctions list check;
- Court decisions or pending files in the courts, in the jurisdictions where you reside;
- Criminal check in local or international databases with your name;
- Registries of the national corruption institutions with the names of the subjects;
- Potential allegations of unethical behaviour and/or adverse media against you
Compliance with applicable legislation
Your personal data will also be processed to the extent required by the relevant applicable legislation. Such data may be provided by you or may be obtained from the competent authorities (this may include the special categories of personal data as defined by GDPR – data revealing your ethnic or racial origin or data concerning health in particular).
Legitimate interest
DELOITTE is also entitled to process the Personal Data for the purpose of monitoring your compliance with relevant Deloitte CE policies relating to security of DELOITTE’s devices and Deloitte CE systems:
Processing in this extent is based on Deloitte CE legitimate interest in ensuring its business continuity and protection of its economic, commercial and financial interests and in particular compliance with the rules of confidentiality. This includes, among others, prevention and remedy of any technical problems, prevention and suppression of activities that are intentionally illegal, contrary to the public order or that are wilfully damaging to any third party’s rights and dignity, prevention and suppression of any violation of intellectual property rights as well as confidentiality and integrity of Deloitte CE data, the security and good technical functioning of its systems and the costs relative thereto, as well as the material protection of all Deloitte CE resources.
Consent
Your personal data may be processed based on your consent for the purposes of:
a) Performing the annual performance process which includes the information which Contribution Group3 you are assigned to, in the manner and to the extent as described herein for transparency purposes: The Contribution Group the Equity Partner is assigned to following the completion of the annual performance evaluation process will be shared by the Chief Executive Officer of Deloitte CE among the Partners on an annual basis, whereas the Deloitte CE Board of Directors shall approve when and how the Contribution Groups are to be shared; and
b) Informing the public on various activities executed, organized or supported by the Deloitte CE (other than those necessary for the performance of your duties under the Partner Agreement and described in the Privacy Notice), in particularly taking, publishing and processing your photographs or audio and video recording.
D. Recipients of your personal data:
DELOITTE is entitled to provide your personal data to the following Recipients that are the approved Deloitte CE Data Processors, who process the personal data on behalf of Deloitte CE entities, under the conditions and to the extent agreed in a written authorisation/contract. In particular, for the purpose of your records in the HR systems, processing of his/her HR and remuneration records, providing benefits and also to provide IS/IT services, document archiving, e-mail and other hosted applications and to the extent necessary for the performance of rights and obligations arising from the contractual relationship between you and Deloitte CE as well as for the purpose of monitoring your compliance with relevant Deloitte CE policies relating to security of DELOITTE’s devices and system based on Deloitte CE legitimate interest in ensuring its business continuity and protection of its economic, commercial and financial interests and in particular compliance with the rules of confidentiality.
The list of approved Deloitte CE Data Processors is published and accessible here:
Paper versions of the above-mentioned lists are available at the Deloitte CE Legal Department and will be provided to you upon request. Your personal data may also be disclosed to the competent authorities as authorized by the applicable laws.
The above list does not apply for personal data processors involved in the professional standing reviews – the only entities involved in the processing of data for this particular purpose are:
Deloitte Consultanta SRL, 4-8 Nicolae Titulescu Road, 2nd floor Deloitte area and 3rd floor, District 1, Bucharest, Romania
Deloitte Advisory & Management Consulting Private Limited Company, Dózsa Gy út 84.C., 1068 Budapest, Hungary
Deloitte CE Business Service Sp. z o.o., Al. Jana Pawla II 22, 00-133 Warsaw, Poland
Deloitte Central Europe Service Centre s.r.o., Italská 2581/67, 120 00, Prague 2 - Vinohrady, Czech Republic
Deloitte CZ Services s.r.o, Italská 2581/67, 120 00, Prague 2 - Vinohrady, Czech Republic
Deloitte Global Services Limited, Hill House, 1 Little New Street, EC4A 3TR London, United Kingdom
Personal Data transfers: DELOITTE may transfer the personal data for the purposes as specified above to Deloitte CE entities and DTTL member firms and their respective subsidiaries and affiliates during the term of the contractual relationship including to countries outside of the EU territory which may not ensure the same level of protection as required by the EU legislation. Such transfers to countries outside of the EU either to the processor (as indicated in the list of approved Processors within Deloitte CE) or controller are therefore secured by the EU approved Standard Contractual Clauses as required by GDPR. In specific situations such as e.g. mobility programme or cross-border cooperation provision, your personal data can be transferred to the recipient outside the EU who will become the data Controller and it will become fully responsible for the personal data processing in compliance with local data protection or privacy laws.
E. Term of processing:
The personal data will be processed during the contractual relationship until the purposes of processing of such personal data are fulfilled; or as required by the applicable legislation. After the contractual relationship is terminated the personal data will be kept by DELOITTE for a period of three months after termination or as required by the applicable legislation or to protect the legitimate interests of Deloitte CE. After this period expires and the processing for the mentioned purposes is not required any more, the personal data will be anonymised or permanently deleted.
Your personal data processed for the purpose of professional standing reviews shall be retained for 3 months or until the report is issued. After your professional review is completed (only the data included in the report) will be kept for the period of 3 years.
You are responsible for the accuracy and update of your personal data you provide to DELOITTE. You undertake to notify DELOITTE of any changes in the personal data provided without undue delay.
F. Duty of confidentiality:
During and after the contractual relationship, you are obliged to keep confidential all personal data disclosed or made accessible to you in the course of your contractual relationship with Deloitte CE, it is strictly prohibited use the personal data for personal purposes, or to publish them or make them accessible without approval of the ExCo or the particular natural person´s consent. Other obligations related to work with personal data are specified in Deloitte CE internal policies and regulations, of which you were informed and which you undertake to comply with.
G. Security of processing:
DELOITTE shall establish technological, physical, administrative and procedural safeguards all in line with the industry accepted standards in order to protect and ensure the confidentiality, integrity or accessibility of all personal data processed; prevent the unauthorized use of or unauthorized access to the personal data or prevent a personal data breach (security incident) in accordance with DELOITTE instructions, policies and applicable laws. Deloitte CE is a holder of ISO 27001 certification – widely recognized global information standard:
H. Your rights:
You have a right to:
- request access to your personal data (and request a copy of the personal data that we process),
- request us to update and correct your personal data (right to rectification),
- request us to delete your personal data (where possible), or
- require a restriction on the processing of your data.
You may object to the processing (in certain cases as specified by GDPR), as well as execute his/her right to data portability (receive a copy of personal data which you provided to us in a structured machine – readable format and request us to transmit such data to another data recipient).
You can enforce all rights described here can be enforced by sending e-mail to CEprivacy@deloittece.com.
It is also your right to lodge a complaint with a local data protection supervisory authority in the country of your residence in case you are of an opinion that the processing of your personal data infringes the GDPR.
For more information on the execution of your data subject rights, please follow DELOITTE 1604.03 Data Subjects' Rights Execution policy4 available here:
In …………..….. on.........................
Partner signature.................................................
PARTNER’S CONSENT TO THE PROCESSING OF PERSONAL DATA
Granted to ExCo
(Hereinafter the “Controller”)
By name residing at adress
Date of birth DD MM YYYY
(Hereinafter the “Partner”)
A. Definitions:
“Controller“ means the natural or legal person, public authority, agency or other body which alone or jointly with others, determines the purposes and means of the processing of personal data. In the context of this consent the Controller of your personal data is DELOITTE.
“Personal data” means any information relating to an identified or identifiable natural person (data subject)
“Processor” means a natural or legal person, public authority, agency or other body, which processes personal data on behalf of the Data Controller.
“Recipient“ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed. The Recipients can be e.g. employee(-s) of Controller and Processor(s) Public authorities which may receive personal data in the framework of a particular inquiry in accordance with the law shall not be regarded as Recipients.
B. In accordance with EU General Data Protection Regulation (EU) 2016/679 (hereinafter the “GDPR”, you hereby grant your consent to processing of your personal data by the ExCo or to the Deloitte CE entity authorized by ExCo (“DELOITTE”) as the Data Controller (s). This consent is voluntarily granted for the following purposes:
- To perform the annual performance process which includes the information which Contribution Group5 you are assigned to, in the manner and to the extent as described herein for transparency purposes: The Contribution Group the Equity Partner is assigned to following the completion of the annual performance evaluation process will be shared by the Chief Executive Officer of Deloitte CE among the Partners on an annual basis, whereas the Deloitte CE Board of Directors shall approve when and how the Contribution Groups are to be shared.
- To inform the public on various activities executed, organized or supported by the Deloitte CE (other than those necessary for the performance of your duties under the Partner Agreement and described in the Privacy Notice), in particularly to take, publish and process your photographs or audio and video recording.
C. Data sharing and data transfers: In addition to the data recipients specified in the section B. above your personal data provided under this consent will be processed by the following Processors:
Deloitte Advisory & Management Consulting Private Limited Company, Dózsa Gy út 84.C., 1068 Budapest, Hungary
Deloitte CE Business Service Sp. z o.o., Al. Jana Pawla II 22, 00-133 Warsaw, Poland
Deloitte Central Europe Service Centre s.r.o., Italská 2581/67, 120 00, Prague 2 - Vinohrady, Czech Republic
Deloitte CZ Services s.r.o., Italská 2581/67, 120 00, Prague 2 - Vinohrady, Czech Republic
Deloitte Global Services Limited, Hill House, 1 Little New Street, EC4A 3TR London, United Kingdom Deloitte Touche Tohmatsu Services, Inc., 30 Rockefeller Plaza, New York, 10112 – 0015, USA
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA
Your personal data processed under this consent may also be disclosed to the competent authorities as authorized by the applicable laws. The processing of personal data under this consent may involve transfers outside of the EU territory. As required by GDPR such transfers are always secured by the EU approved Standard Contractual Clauses.
Social sites and platform providers: In case you grant your consent to publication of your photographs or audio and video recording on social networking sites, you acknowledge that the processing is also governed by terms and conditions of the provider of such social networking sites (acting as joint-Controllers).
D. Term of processing: You grant your consent to Deloitte CE until the purposes of processing of your personal data as described herein are fulfilled; or until revoked by you as per instructions here-below. After this period expires your personal data will be anonymised or permanently deleted.
E. Deloitte CE shall establish technological, physical, administrative and procedural safeguards all in line with the industry accepted standards in order to protect and ensure the confidentiality, integrity or accessibility of the personal data processed; prevent the unauthorized use of or unauthorized access to the personal data or prevent a personal data breach (security incident) in accordance with Deloitte CE instructions, policies and applicable laws. Deloitte CE is a holder of ISO 27001 certification – widely recognized global information standard:
https://resources.deloitte.com/sites/centraleurope/quality/Pages/Security-Awareness.aspx
F. Your rights:
You have a right to:
- request access to your personal data (and request a copy of the personal data that we process),
- request us to update and correct your personal data (right to rectification),
- request us to delete your personal data (where possible), or
- require a restriction on the processing of your data.
You may object to the processing (in certain cases as specified by GDPR), as well as execute his/her right to data portability (receive a copy of personal data which you provided to us in a structured machine – readable format and request us to transmit such data to another data recipient).
You can enforce all rights described here can be enforced by sending e-mail to CEprivacy@deloittece.com.
It is also your right to lodge a complaint with a local data protection supervisory authority in the country of your residence in case you are of an opinion that the processing of your personal data infringes the GDPR.
For more information on the execution of your data subject rights, please follow DELOITTE 1604.03 Data Subjects' Rights Execution policy6 available here:
It is also your right to lodge a complaint with a local data protection supervisory authority in the country of your residence in case you are of an opinion that the processing of your personal data infringes the GDPR.
H. By signing this document, you grant your consent for the purposes specified in Section B 1 and B 2 above and to take, publish and process your photographs or audio and video recording in accordance to the applicable laws via the following platforms:
☐ social networking sites (e.g. LinkedIn, Facebook, Instagram) – please note and be aware that the processing is governed by the Terms and Conditions of the respective web-site provider
☐ external website (www.deloitte.com) and other websites provided by Deloitte CE
☐ intranet and office plasma TVs
In …………..….. on.........................
signature.................................................
1 Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities (collectively, the “Deloitte organization”). Deloitte Central Europe (“Deloitte CE”) refers to the regional organization of entities organized under the umbrella of Deloitte Central Europe Holdings Limited, the member firm of DTTL. DTTL and each of its member firms are legally separate and independent entities.
2 Please, pay special attention to policy 1603.014 ICT Systems - Reasonable Personal Use of Deloitte Devices and Systems available under the following link: https://resources.deloitte.com/sites/centraleurope/CE%20Policies/1600%20Security/1603%20Information%20Security/1603.014%20ICT%20Systems%20-%20Reasonable%20Personal%20Use%20of%20Deloitte%20Devices%20and%20Systems.pdf
3 For the above purpose Contribution Group is defined as follows: “Contribution Group” shall mean the individual grouping divided into subgroups that a Deloitte CE Partner has been assigned to under the PCCS whereby each Partner is assigned to a contribution group and subgroup on an annual basis based upon the relative value of their contribution to Deloitte CE each contribution group/subgroup being associated with a role unit range.
4 Information is also available in policy 1604.02 Employees' Personal Data Protection available here: https://resources.deloitte.com/sites/centraleurope/CE%20Policies/1600%20Security/1604%20Personal%20and%20Confidential%20Data%20Protection/1604.02%20Employees%27%20Personal%20Data%20Protection.pdf
5 For the above purpose Contribution Group is defined as follows: “Contribution Group” shall mean the individual grouping divided into subgroups that a Deloitte CE Partner has been assigned to under the PCCS whereby each Partner is assigned to a contribution group and subgroup on an annual basis based upon the relative value of their contribution to Deloitte CE each contribution group/subgroup being associated with a role unit range.
6 Information is also available in policy 1604.02 Employees' Personal Data Protection available here: https://resources.deloitte.com/sites/centraleurope/CE%20Policies/1600%20Security/1604%20Personal%20and%20Confidential%20Data%20Protection/1604.02%20Employees%27%20Personal%20Data%20Protection.pdf