Privacy Notice for Applicants to Positions within Deloitte

Last revised: 17.02.2026

1. What is the purpose of this Privacy Notice?

This Privacy Notice specifies how we as the data controller will collect, process and store your personal data in connection with our recruitment processes, and, with your consent, through our Recruitment Marketing CRM. We process personal data in accordance with the EU’s General Data Protection Regulation (GDPR) and the national data protection laws in the countries in which we operate.

Please read this Privacy Notice carefully in order to understand how we will process your personal data, what rights you have regarding said processing and who to contact for further information or to send any requests.

2. What are the identity and contact details of the Data Controller?

This Privacy Notice applies to the following Deloitte member firms and their affiliates:

Each Deloitte member firm is an independent data controller for the processing of personal data in relation to the recruitment processes conducted by that Deloitte member firm.

The above Deloitte member firms act as joint data controllers when collecting, sharing and/or otherwise processing your personal data jointly for the same purposes, e.g., where recruitment takes place on a Nordic level and where one or more of the aforementioned Deloitte member firms are involved in the recruitment process.

The terms “us” and “we” shall refer to the Deloitte member firm conducting the recruitment process, or to all or some of the aforementioned Deloitte member firms collectively (“Deloitte Nordic”), depending on the context.

Each of the aforementioned Deloitte member firms belongs to the Deloitte network (the Deloitte network being Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), together with its member firms and their respective subsidiaries, affiliates, and other firms with which it constitutes a network called the “DTTL network”), each being an independent legal entity.

3. Which data do we collect about you, for which purposes and under which legal basis?

We collect and process personal data to carry out the recruitment process and fulfill your request to consider your application for an open role, which may include one or more of the activities listed below. We will only process your personal data for the purpose for which we collected it, and for purposes compatible with the original purpose, subject to applicable law.

Purpose of data processing:

  • Identifying relevant candidates for open positions
  • Conducting interviews
  • Conducting tests and assessments, such as personality and logical tests, to determine your suitability for the position(s)
  • Communicating with you during your candidacy, including requests for additional information if required

Legal basis for processing: Consent given by the data subject (applicant) – Art. 6 (1)(a) of GDPR

Purpose of data processing:

  • Providing you with an employment contract

Legal basis for processing: In order to take steps at the request of the data subject (applicant) prior to entering into a contract – Art. 6 (1)(b) of GDPR

Purpose of data processing:

  • Profiling (e.g., by automated data processing) which may take place in connection with personality tests, logical tests and other tests as part of the recruitment process (please see further information in paragraph 8)
  • Sharing personal data within Deloitte Nordic to identify relevant candidates
  • Conducting background checks for security reasons as allowed by applicable legislation, as well as verifying your education, former employment and references
  • Handling applications that do not proceed further
  • Statistical purposes and optimizing our recruitment process with regard to, for example, diversity and inclusion
  • The establishment, exercise or defense of legal claims related to your application process, should it be relevant

Legal basis for processing: Deloitte’s legitimate interest – Art. 6 (1)(f) of the GDPR

Purpose of data processing:

Processing your personal data in our Recruitment Marketing CRM to consider your suitability for future roles at Deloitte, which, among others, includes the following activities:

  • Building a relationship with you and learning more about your career interest;
  • Assessing your suitability for current or future roles at Deloitte;
  • Contacting you if we find that you would be a suitable candidate for a current or future role at Deloitte;
  • Sending you newsletters about events, positions, campaigns related to positions and career opportunities within Deloitte by e-mail and otherwise.

Legal basis for processing: Consent given by the data subject (applicant) – Art. 6 (1)(a) of GDPR

Purpose of data processing:

For applications to Deloitte Statsautoriseret Revisionspartnerselskab (Deloitte DK), processing of information about whether or not you have been subject to any criminal conviction in accordance with Article 10 of the GDPR

Legal basis for processing: Article 6(1) (a), cf. Section 8 (3) of the Danish Data Protection Act (“Databeskyttelsesloven”)

Purpose of data processing:

For applications to Deloitte ehf. or Deloitte Legal ehf. (Deloitte IS), processing of criminal records in accordance with Article 10 of the GDPR

Legal basis for processing: Article 12(3), cf. Article 9(1)(6) of Act No. 90/2018 on Data Protection and the Processing of Personal Data

To fulfill the purposes specified above, we may collect and process the following types of personal data to the extent necessary:

  • Name and contact information (e-mail address, home address, telephone number);
  • Date of birth;
  • Personal identity number (only after an offer has been sent and the employment contract is being negotiated);
  • Nationality or country of residence and work permit status;
  • Photo, should you wish to provide one;
  • Employment and education details and other information provided by you in your CV, diploma or any other documents disclosed by you to us;
  • Contact details of references;
  • Test results and internal candidate evaluations carried out in connection with your application process;
  • For applications to Deloitte Statsautoriseret Revisionspartnerselskab (Deloitte DK) we may also request to see your criminal record as part of the final recruitment process if you are offered a position. Criminal record data are deleted after presentation;
  • For applications to Deloitte ehf. or Deloitte Legal ehf. (Deloitte IS) we may also request to see your criminal record as part of the final recruitment process if you are offered a position, but it will not be entered into our systems;
  • For applications to Deloitte AB (Deloitte SE) we may also engage a third-party vendor, ToFindOut AB, to perform a background check as part of the final recruitment process if you are offered a position. The vendor processes personal data as an independent data controller. For more information, please reference the vendor’s privacy notice.

Personal data is provided to us or to our supplier by you, or by the references you have mentioned in your application and/or related documents.

Should you be hired by Deloitte, your personal data will be processed as described in the separate Privacy Notice for Employees.

Legitimate interest as legal basis

We process personal data on the legal basis of legitimate interest for the purposes specified above. We recognize the rights and freedoms of individuals, and we are aware that our interests may in some situations conflict with such rights and freedoms.

Therefore, prior to initiating processing activities based on legitimate interest, we assess the processing activity thoroughly to ensure a fair balance between the rights and interests of individuals and our interests and their necessity, taking into account, for example, the nature and scope of personal data processing, the safeguards implemented by us, whether individuals could expect such processing to take place, and whether any potential impact to the individuals is proportionate with the purposes of processing.

Should you have any further questions regarding our use of legitimate interest as a legal basis, please contact us using the contact details provided in paragraph 9. 

4. Who has access to your personal data and to whom is it disclosed?

For the purposes specified above, we transfer your personal data to our recruitment system provider, SmartRecruiters, which processes and stores your personal data on our behalf as our data processor. SmartRecruiters’ hosting location is in Germany.

We may also transfer your personal data to other systems or service providers we use as data processors in the recruitment process. In connection with one or more of the purposes set out in paragraph 3, we may disclose information about you to:

  • Headhunters assisting Deloitte in the recruitment process to identify relevant candidates;
  • Companies belonging to the Deloitte Network for the performance of internal administration activities;
  • Competent authorities (including courts), for the performance of their institutional functions within the limits established by laws or regulations.

Your personal data will be communicated to these third parties after they are appointed as our data processors or are recognized as autonomous data controllers and will be processed by them in the context of their respective functions and, where such third party is our data processor, in accordance with the instructions given by us.

5. Is your data transferred abroad?

If necessary for the purposes stated above and subject to legal basis, the personal data collected may be transmitted or made accessible to other companies in the Deloitte Network, to entities that provide services to us and/or the Deloitte Network (e.g., vendors, suppliers) or to competent authorities including those based in other countries, which may include countries outside of the European Union (EU) and the European Economic Area (EEA). Third parties to whom your personal data is transferred are bound by specific agreements and are required to keep your data securely.

In such cases where personal data is transferred outside of the EU/EEA, we guarantee that the transfer will take place in accordance with the provisions of Chapter V of the GDPR through the adoption of appropriate safeguards that ensure a level of data protection in accordance with the obligations to which we are legally bound, such as, Standard Contractual Clauses, other applicable legal basis or based on a statutory exemption (e.g. if you have given your consent to the transfer, if the transfer is directly connected with the conclusion or performance of a contract with you or if the transfer is necessary for the establishment, exercise or enforcement of legal claims before a foreign authority).

6. What is the data retention period?

When you apply for an open position at Deloitte, we will retain your personal data for a period of twenty-four (24) months from the date on which the recruitment process ends.

If you have given your consent for us to use your personal data to consider you for future positions within Deloitte as well, we will retain your personal data in our Recruitment Marketing CRM system SmartRecruiters for a period of twenty-four (24) months from the day on which you have given your consent. Prior to the expiration of this initial retention period, we may ask for your consent to retain your data for an extended period of time, so that we may consider you for other positions that become available. If you choose not to give your consent to this extended retention period, your personal data will be deleted at the expiration of the initial twenty-four (24) month period.

You are entitled to withdraw your consent at any time as instructed in paragraph 9. At your request, your personal data will be deleted to the extent such deletion does not conflict with applicable law or our legitimate interest in defense of legal claims related to your application process. 

7. How do we protect and safeguard your personal data?

We will process your personal data with the utmost care and respect by implementing appropriate technical and organizational security measures, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

Your personal data are processed with the aid of electronic tools, ensuring the use of appropriate measures for the security of the processed data and guaranteeing their confidentiality, in accordance with the principles applicable to the processing of personal data pursuant to Article 5 of the GDPR, such as lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality. These measures can include:

  • The training and updating activities of our staff ensuring that they are informed about privacy obligations if they have access to and process personal data;
  • Administrative and technical controls in order to limit access only to personal data that need to be known in relation to the purposes of the processing;
  • Technical security measures (e.g., firewalls, cryptography, antivirus software);
  • Physical security measures.

In addition, we limit access to your personal data to only those employees, agents, contractors and other third parties who have a business need to have access. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any possible data breaches and will notify you and any applicable regulator of a suspected breach where we are legally required to do so. Third parties will only process your personal data where they have agreed to treat the data confidentially and to keep it secure in compliance with the applicable law.

8. Profiling

In connection with personality tests, logical tests and other tests as part of the recruitment process, profiling (e.g., by automated data processing) may take place. Please be informed that you are entitled to object to such profiling as instructed in paragraph 9. If you wish to exercise this right, please note that your application may be withdrawn, and you may no longer be a candidate for the position.

If you have given your consent to us to use your personal data to consider you for future positions within Deloitte as well, we will use profiling in order to ensure that we will only send you information on positions that may be relevant to you. The information that you provide us with, and the results of any possible personality tests, logical tests and other tests carried out by us as part of a recruitment process, will assist us in building a profile of you. Please be informed that you are entitled to object to such profiling as instructed in paragraph 9. 

9. What are your rights and how can you exercise them?

In relation to the processing of your personal data, you have specific rights as defined in Articles 15 to 21 of the GDPR:

  • Access: you can ask for confirmation as to whether or not a certain processing of data concerning you is in place, as well as further clarifications about the information referred to in this Privacy Notice, and to receive a copy of your personal data processed by us;
  • Rectification: you can ask to rectify or supplement the data you have provided to us, if inaccurate;
  • Erasure: you can request that your data be deleted, if they are no longer necessary for our purposes, in case of withdrawal of consent or your opposition to the processing, in case of unlawful processing, or there is a legal obligation to erase them;
  • Restriction: you can request that your data be processed only for the purpose of storage, with the exclusion of other processing activities, for the period necessary for the correction of your data, in case of unlawful processing for which you oppose the cancellation, if you have to exercise your rights in court and the data stored by us may be useful to you and, finally, in the event of opposition to the processing and a review is in progress on the prevalence of our legitimate reasons over yours;
  • Object: you can object at any time to the processing of your data. If we have compelling legitimate reasons that prevail over the grounds of your particular situation, we may continue the processing. This may be, for example, for the establishment, exercise or the defence of legal claims in court;
  • Withdrawal: you may withdraw your consent at any time, in all cases where consent is the legal basis for processing. Withdrawal of consent does not affect the lawfulness of processing based on consent prior to its withdrawal;
  • Portability: you can ask to receive your data, or to have them transmitted to another data controller indicated by you, in a structured format, commonly used and readable by automatic device, provided that the legal basis for processing is your consent or a contract.

To exercise these rights, you can contact us by sending an e-mail to NordicPrivacy@deloitte.com.

The time limit for addressing your request is one (1) month, which may be extended up to two (2) further months in cases of particular complexity.

We also inform you that you have the right to lodge a complaint with the Supervisory Authority for the protection of personal data:

  • Denmark
    Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby
    dt@datatilsynet.dk
  • Finland
    Tietosuojavaltuutetun toimisto (Office of the Data Protection Ombudsman), Lintulahdenkuja 4, 00530 Helsinki
    tietosuoja@om.fi
  • Iceland
    Icelandic Data Protection Authority Persónuvernd
    postur@personuvernd.is
  • Norway
    Datatilsynet, Postboks 458 Sentrum, 0105 Oslo
    postkassen@datatilsynet.no
  • Sweden
    Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm
    imy@imy.se 

10. Changes to this Privacy Notice

We may modify or amend this Privacy Notice from time to time at our discretion. When we make changes to this notice, we will amend the revision date at the top of this page, and such modified or amended Privacy Notice will be effective from that revision date. We therefore invite you to regularly consult our Privacy Notice to stay up to date with any changes made since your last consultation.