1. What is the purpose of this document?
Deloitte Greece Entities (hereinafter referred to as “Data Controller” or “Deloitte” or “the Firm” or “we” or “us”) are committed to protecting your privacy and processing your data in a clear and transparent manner.
This privacy notice describes the processing of your personal data within your former working relationship with us, as below identified, in accordance with the General Data Protection Regulation (GDPR), national law 4624/2019, as in force, and all the applicable data protection laws and regulations. It provides information on the nature of the personal data - where personal data means any information relating to an identified or identifiable natural person (“Data Subject”) - collected by the Data Controller, the purposes of the processing and indicates your rights in relation to the data processed and who to contact for further information or to send any requests. It applies to all former employees, such as the permanent or temporary staff, secondees and trainees.
2. What are the identity and contact details of the Data Controller?
The Data Controller is each Greek Deloitte entity in relation to which you have a former employment relationship, and more specifically:
1. “Deloitte Business Solutions Societe Anonyme of Business Consultants” with the distinctive title “DELOITTE BUSINESS SOLUTIONS S.A.”,
2. “Deloitte Certified Public Accountants Societe Anonyme” with the distinctive title “DELOITTE.” and
3. “Deloitte Alexander Competence Center Single-Member Societe Anonyme of Business Consultants” with the distinctive title “DACC S.A.”.
DELOITTE BUSINESS SOLUTIONS S.A. and DELOITTE. are based in 3a Fragkokklisias & Granikou str., Marousi, Athens, P.O. 151 25. DACC S.A. is based in Pempti and Triti 6th Industrial Area Block of Technopolis Thessaloniki, Municipality of Pylaia Chortiatis, D.E. Pylaia, P.E. Thessaloniki.
3. What are the contact details of the Data Protection Officer?
The Data Protection Officer can always be contacted at the following e-mail address: DataPrivacyOfficer@deloitte.gr.
4. Which data do we collect about you, for which purposes and what legal basis do we use?
The personal data that we process are collected from you and may be categorized as follows:
Basic identification information (such as full name, date of birth, gender, marital status, home address, household information, nationality, telephone number, cell phone number, email address, TIN, Tax Office, ID card, social insurance number, vehicle number of corporate car).
Information relating to your education, qualifications, certifications relating to your employment, as well as your employment performance (such as curriculum vitae details, letters of recommendation, job description, qualifications and areas of expertise, photographs, hiring data, work history, records of holiday or absence, appraisals, other performance measures and, where appropriate, disciplinary and grievance records, training records, records of technical skills tests, participation in professional or academic organisations, seminar’s attendance lists, learning history and certificates of completion of e-learning courses).
Your data may be processed for the purposes listed below:
| Purposes of data processing | Legal basis |
| --- | --- |
| a) Administration of issues related to the termination of the employment contract (such as remuneration, compensation, benefits, social security, leave compensations and allowances) and pension. | Contract relationship [Art. 6 (1)(b) of the GDPR] |
| b) Fulfilment of tax, social security and other legal obligations. More specifically, we retain and process your personal data for reporting the termination of your employment and other important facts as to your employment to competent authorities, to pay taxes and social security contributions, to respond to regulatory and/or judicial requests, as provided in the law. | Compliance with a legal obligation to which the Data Controller is subject [Art. 6 (1)(c) of the GDPR] |
| c) Exercise and support of legal claims and defence of rights. The Firm shall also process your data when this is necessary for the establishment, exercise and support of legal claims or the defence of its rights before courts, administrative or judicial authorities or in the context of an extrajudicial procedure. | Legitimate interest [Art. 6 (1)(f) of the GDPR] pursued by the Data Controller - Protection of the Firm’s legal rights |
| d) Alumni Club. If you choose to become a member of the Firm’s Alumni Club, the Firm uses your personal information for your registration and in order to send you newsletters and invitations for alumni events organized by the Firm. In any case, we will seek your consent for the aforementioned processing activities by completing a form upon your departure. If you provide your consent, you may revoke your consent at any time by sending an email to the Firm’s DPO at DataPrivacyOfficer@deloitte.gr, as it is also clearly stated in the consent form. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. | Consent given by the data subject to the processing of his/her personal data [Art. 6 (1)(a) of the GDPR] |
Deloitte does not carry out any automated decision-making processes, including profiling, that produce legal effects concerning you or significantly affecting you.
We will only process your personal data for the purpose for which we collected it, unless we reasonably believe that we need to process it for another reason and that reason is compatible with the original purpose. If we have to process your personal data for an unrelated purpose, we will notify you and explain the legal basis for doing so.
5. Who has access to your personal data and to whom is it disclosed?
Your data may be communicated – for the purposes referred to above in this privacy notice – to the following categories of recipients:
Companies belonging to the Deloitte Network;
Entities that provide services to us and/or the Deloitte Network;
Competent authorities (including courts, tax authorities, social security authorities and regulatory authorities overviewing the Firm and/or the Deloitte Network);
Other entities within the Deloitte Network and other third parties, as part of a corporate transaction such as a sale, divestiture, reorganization, merger or acquisition, and only provided that the law permits such disclosure.
In all cases, we may be requested to disclose your personal data if required to do so by law, a regulator or during legal proceedings.
Your data will be communicated to these third parties after they have been appointed as data processors or recognized as autonomous data controllers and will be processed by collaborators and/or employees of Deloitte in the context of their respective functions and in accordance with the instructions given by Deloitte itself.
6. Are your data transferred abroad?
If necessary for the purposes stated above, the data collected may be transmitted or made accessible to other companies in the Deloitte Network, to entities that provide services to us and/or the Deloitte Network (e.g., vendors, suppliers), to competent authorities (e.g., courts, tax authorities, regulatory authorities) including those based in other countries, which may include countries outside the European Economic Area (EEA). Third parties to whom your personal data are transferred are bound by specific agreement and are required to keep your data securely.
In such cases, we guarantee that the transfer will take place in accordance with the provisions of Chapter V of the GDPR through the adoption of appropriate safeguards that ensure a level of data protection in accordance with the obligations to which we are legally bound, such as Standard Contractual Clauses, Binding Corporate Rules, other applicable legal basis or based on a statutory exemption (e.g. if you have given your consent to the transfer, if the transfer is directly connected with the conclusion or performance of a contract with you or if the transfer is necessary for the establishment, exercise or enforcement of legal claims before a foreign authority).
For further information about the third parties, how we work with them and their processing of your personal data, or for information about the adequate safeguards installed by us in respect of data transfers, please send an e-mail to DataPrivacyOfficer@deloitte.gr.
7. What is the data retention period, or if not possible, the criteria used to determine it?
Employees’ files are stored for 5 years after the end of the employment relationship. In addition, where required, we also retain your personal data for the period of time specified by law in order to comply with the relevant legal obligations of the Firm.
Detailed information about the retention period for each category of your personal data can be found in the Firm’s Data Retention Policy. In case you need any further information, please send an email to the Firm’s DPO at DataPrivacyOfficer@deloitte.gr.
8. How do we protect and safeguard your personal data?
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, processed, or accessed in an unauthorized way, altered, or disclosed. These measures can include:
Education and training of relevant staff to ensure they are aware of our privacy and data protection obligations when processing personal data;
Administrative and technical controls to restrict access to personal data on a “need to know” basis;
Technical security measures including, but not limited to: firewalls, encryption and anti-virus software;
Physical security measures.
In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any incident that may lead to a security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so. Third parties will only process your personal data on our instructions and only where they have agreed to treat the data confidentially and to keep it secure in compliance with the applicable law.
9. What are your rights and how can you exercise them?
In relation to the processing of your personal data, you have specific rights according to Art. 15 - 22 of the GDPR:
Access: you can ask for confirmation as to whether or not a certain processing of data concerning you is in place, as well as further clarifications about the information referred to in this privacy notice;
Rectification: you can ask to rectify or supplement the data you have provided to us, if inaccurate;
Erasure: you can request that your data be deleted, if they are no longer necessary for our purposes, in case of withdrawal of consent or your opposition to the processing, in case of unlawful processing, or there is a legal obligation to erase them;
Restriction: you can request that your data be processed only for the purpose of storage, with the exclusion of other processing activities, for the period necessary for the correction of your data, in case of unlawful processing for which you oppose the cancellation, if you have to exercise your rights in court and the data stored by us may be useful to you and, finally, in the event of opposition to the processing and a review is in progress on the prevalence of our legitimate reasons over yours;
Object: you can object at any time to the processing of your data, unless we have legitimate reasons to proceed with the processing that prevail over yours, for example for the exercise or our defence in court;
Withdrawal of consent: you may revoke your consent at any time, in all cases where consent is the legal basis for processing. Withdrawal of consent does not affect the lawfulness of processing based on consent prior to its withdrawal.
Portability: you can ask to receive your data, or to have them transmitted to another Data Controller indicated by you, in a structured, commonly used format readable by an automatic device.
Automated individual decision-making, including profiling: you can request not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
To exercise these rights, you can contact us at DataPrivacyOfficer@deloitte.gr.
The time limit for Deloitte to address your request is 1 month, which may be extended up to 2 further months in cases of particular complexity.
We also inform you that you have the right to lodge a complaint with the Supervisory Authority for the protection of personal data, which in Greece is the Hellenic Data Protection Authority (HDPA), by following the instructions found on the HDPA’s website.
However, should you have a complaint or question, it is advisable to contact the Firm first, in order to try and solve the matter amicably.
10. Changes to this Privacy Notice
We may modify or amend this Privacy Notice from time to time at our discretion and we will promptly inform you through traditional channels of communication (e.g. by publishing the new information on our website). When we make changes to this notice, we will amend the revision date at the top of this page, and such modified or amended Privacy Notice will be effective from that revision date. We therefore invite you to regularly consult this Privacy Notice in order to stay up to date with any changes made since your last consultation.