1. What is the purpose of this document?
Deloitte Greece Entities (hereinafter referred to as “Data Controller” or “we” or “us”) are committed to protect your privacy and processing your data in a clear and transparent manner.
This privacy notice is intended for the Deloitte Greece website, designated as “Greek” in the upper right-hand corner with a URL commencing “http://www.deloitte.com/gr” (“Deloitte Site” or “this Site”), whilst it does not apply to other websites that could potentially be accessed by clicking from external URLs. We encourage visitors to review the privacy notice on each of these other websites before disclosing any personal data.
Specifically, this privacy notice applies to each of the Greek legal entities belonging to the Deloitte network (the Deloitte network being Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), together with its member firms and their respective subsidiaries, affiliates and other firms with which it constitutes a network called the “DTTL network”), as described in detail in the next section.
Each Greek Deloitte entity is a separate and independent legal entity, and this privacy notice applies to each separately. None of the GreekDeloitte entities have any liability for the other entities’ acts or omissions.
This privacy notice describes how we process personal data about you while browsing Deloitte Site, in accordance with (a) the General Data Protection Regulation (GDPR); (b) national law 4624/2019, as applicable, and any other applicable data protection laws and regulations. It provides information on the nature of the personal data collected by the Data Controller, the purposes of the processing and indicates your rights in relation to the data processed and who to contact for further information or to send any requests.
In particular, this privacy notice sets out how we will collect, handle, store and protect information about you when:
We may also prepare a specific privacy notice that we shall invite you to refer to, in relation to certain services or in the context of personal data collection forms (e.g., when sending applications for job positions).
Protecting the privacy of minors is extremely important for us. Please be aware, however, that this Site and our services are not directed to minors. It is not our policy to collect or retain such data.
2. What is the identity and contact details of the Data Controller?
The Data Controller is each Greek Deloitte entity, and more specifically:
DELOITTE BUSINESS SOLUTIONS S.A. and DELOITTE. are based in 3a Fragkokklisias & Granikou str., Marousi, Athens, P.O. 151 25. DACC S.A. is based in Pempti and Triti 6th Industrial Area Block of Technopolis Thessaloniki, Municipality of Pylaia Chortiatis, D.E. Pylaia, P.E. Thessaloniki.
3. What are the contact details of the Data Protection Officer?
The Data Protection Officer can be contacted at the following e-mail address: DataPrivacyOfficer@deloitte.gr.
4. Which data do we collect about you and for which purposes?
We may collect personal data from users while browsing this Site or when requesting the activation of certain services through the appropriate forms / data collection forms.
The personal data collected by the Data Controller could include:
We may also acquire information about users by obtaining it from the interaction patterns carried out on the Site. For example, to improve the experience of using this Site and ensure its proper functioning, we (or our service providers) may use cookies (small text files installed in the user's browser) and a web beacon that collects personal data. Further information on how we use cookies, and how to manage them can be found in the Cookie Notice at the following link.
In exceptional cases, we could also process special categories of personal data (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs). However, if this should occur, we will request the user's explicit consent to collect and use such information.
Personal data provided to us could be used for the following purposes:
a) To enable the navigation of this Site, customize or improve the Website and the related services offered to you;
b) For the performance of services requested and the management of activities instrumentally related to such services;
c) To send insights, opinions, updates, reports on topical issues or details of our products and services that we think might be of interest to you, to contact you to invite you to events, seminars, briefings, and business development purposes. You can find more information about the processing of personal data in the context of our marketing activities in our “Privacy Notice for Marketing & Communications”;
d) To fulfil legal obligations and/or to comply with requests from Authorities, public entities, and organizations.
e) To exercise rights, including those of third parties, in court and, where applicable, in administrative proceedings or arbitration or conciliation procedures.
In relation to the above-mentioned purposes, please refer to paragraph 10 to find out which rights you can exercise.
5. What is the legal basis on which we process your personal data?
We will use your personal data for the purposes indicated above on the assumption of the following conditions of legitimacy (legal basis):
As for the purpose (c), the communication of personal data is optional, and its refusal will have no consequence on the services requested.
6. Who has access to your personal data and to whom is it disclosed?
Your personal data will not be published, exposed, or made available and / or consulted by indeterminate subjects.
In connection with one or more of the purposes set out in the paragraph 4, we may disclose information about you to:
Your data will be communicated to these third parties after being appointed as Data Processors or recognized as autonomous Data Controllers and will be processed by collaborators and/or employees of Deloitte in the context of their respective functions and in accordance with the instructions given by Deloitte itself.
7. Are your data transferred abroad?
If necessary for the purposes stated above, the data collected may be transmitted or made accessible to other companies in the Deloitte Network, to entities that provide services to us and/or the Deloitte Network (e.g., vendors, suppliers), to competent authorities (e.g., courts, tax authorities, regulatory authorities) including those based in third countries, outside the European Economic Area (EEA). Third parties to whom your personal data are transferred, are bound by specific agreement and are required to keep your data securely.
In such cases, we guarantee that the transfer will take place in accordance with the provisions of Chapter V of the GDPR through the adoption of appropriate safeguards that ensure a level of data protection in accordance with the obligations to which we are legally bound, such as, Standard Contractual Clauses, Binding Corporate Rules, other applicable legal basis or based on a statutory exemption (e.g. if you have given your consent to the transfer, if the transfer is directly connected with the conclusion or performance of a contract with you or if the transfer is necessary for the establishment, exercise or enforcement of legal claims before a foreign authority).
If you have any questions about this, please contact us at DataPrivacyOfficer@deloitte.gr.
8. What is the data retention period, or if not possible, the criteria used to determine it?
The information systems and computer programs used by us are configured in such a way as to minimize the use of personal data.
We will retain personal data on the basis of the following criteria:
9. How do we protect and safeguard your personal data?
We will process your data with the utmost care and respect.
Your personal data are processed with the aid of electronic tools, ensuring the use of appropriate measures for the security of the processed data and guaranteeing their confidentiality, in accordance with the principles applicable to the processing of personal data pursuant to Article 5 of the GDPR, such as lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality. These measures can include:
In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any possible data breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so. Third parties will only process your personal data where they have agreed to treat the data confidentially and to keep it secure in compliance with the applicable law.
10. What are your rights and how can you exercise them?
In relation to the processing of your personal data, you have specific rights [Art. 15 to 21 of the GDPR]:
Processing activities are carefully evaluated to ensure a fair balance between your rights, which are assessed on a case-by-case basis (e.g., by considering the respective legal basis in each case and the purposes of the processing) and our interests. To exercise these rights, you can contact our Data Protection Officer by sending an e-mail to DataPrivacyOfficer@deloitte.gr.The time limit for Deloitte Greece Entities to address your request is 1 month, which may be extended up to 2 further months in cases of particular complexity.
We also inform you that you have the right to lodge a complaint with the Hellenic Data Protection Authority, by following the instructions found on the HDPA’s website.
11. Changes to this Privacy Notice
We may modify or amend this Privacy Notice from time to time at our discretion. When we make changes to this notice, we will amend the revision date at the top of this page, and such modified or amended Privacy Notice will be effective from that revision date. We therefore invite you to regularly consult our Privacy Notice in order to stay up to date with any changes made since your last consultation.