Skip to main content
Analysis:
Analysis

Mandatory Customer Due Diligence

Why customer due diligence is necessary?
 

In accordance with Act LIII of 2017 on the Prevention and Combating of Money Laundering and the Financing of Terrorism (hereinafter referred to as "Anti-Money Laundering Act"), we are obliged to have up-to-date customer due diligence related data regarding our Clients.

As required by law, Deloitte is obligated to

  • identify the Client / Client’s authorized representative(s),
  • obtain a statement from the Client / Client’s representative(s) on the beneficial owner(s) and the personal data described by AML Act for such owners, as well as on the beneficial owner(s)’ status in relation to being politically exposed person,
  • to examine whether any members of the client’s ownership structure, management member (executive officers) or business partners originate from a high-risk third country with strategic deficiencies (being the citizen of such country or an entity registered in such country).

Deloitte performs customer due diligence procedure regarding all Clients in accordance with the applicable law but reserves the right to implement additional customer due diligence measures as set forth in its relevant internal policies.

When does customer due diligence need to be performed?

  • Before the conclusion of the contract and at predetermined intervals during the term of the contract.
  • It is important that in case of changes regarding Client data, the Client shall notify Deloitte within 5 working days and provide updated information/data.

In the course of customer due diligence procedure, the provision of data is voluntary, but in the absence of the relevant data provided, Deloitte is obliged to refuse cooperation with the client based on AML rules.

  • Beneficial Owner Statement
  • Copies of identification documents (see "copy of identification documents")

Additional documents may occasionally be required—our colleagues will inform you separately if any of the following are needed.

  • Company Registry Extract, which is not older than 30 days
  • Latest financial statement available
  • Ownership structure chart, additional documents related to customer’s ownership structure

What should I consider when submitting the Declaration?

  • The Beneficial Owner Statement must be filled in completely and legibly, as well as dated and signed by the representative(s) of the Client.
  • Copies of documents must be legible.

When filling out the declaration, please pay attention to the following:

Please note that Deloitte requests documents regarding the person(s) acting on behalf of the client (the storage of document copies is carried out in accordance with legal regulations).

In the case of Hungarian citizens

  • Identity card (legible copies of both sides) or
  • Driving license in card format (legible copies of both sides) or
  • Passport (copy of page containing personal data) and
  • Copy of address card (without page containing the personal identification number)

In the case of foreign nationals

  • Identity card (legible copies of both sides) or
  • Passport (copy of page containing personal data) and
  • Copy of proof of address in case of place of residence in Hungary.

Please be informed that, pursuant to the Anti-Money Laundering Act, Deloitte is obliged to make photocopies of the documents presented, for identity verification purposes.

Privacy statement

Of data requested by Deloitte companies operating in Hungary for customer due diligence and client acceptance procedures

Act LIII of 2017 on the Prevention and Combating of Money Laundering and the Financing of Terrorism (hereinafter referred to as "Anti-Money Laundering Act") requires entities providing particular services — including also Deloitte entities operating in Hungary, i.e. Deloitte Advisory and Management Consulting Private Limited Company, Deloitte Auditing and Consulting Ltd., Deloitte CRS Ltd., Deloitte Legal Göndöcz and Partners Law Firm (hereinafter together referred to as "Deloitte") — to perform a background check of future clients in the manner set out by the Anti-Money Laundering Act (hereinafter referred to as "customer due diligence") prior to the execution of the respective contract.

Although data supply is voluntary for such customer due diligence, the Anti-Money Laundering Act requires Deloitte to refuse cooperation if such data supply fails to take place (shall the client due diligence fail). The data process is prescribed by law.

Client data are processed by Deloitte as data controller according to the provisions of the Anti-Money Laundering Act, and shall be regularly updated and retained for 8 (eight) years from the termination of the business relationship.

In the frame of the customer due diligence the client, the natural person acting on behalf or in the name of the client (proxy, person authorized to proceed or representative) and the beneficial owner of the client shall be identified. Deloitte’s forms used in the due diligence procedure are in line with the relevant legal requirements, and they only contain the obligatory data scope, thus the obtaining of those data may not be omitted, if required.

Request for ID copies

Please be informed that according to Section 7 (8) of the Anti-Money Laundering Act Deloitte is obliged to prepare copies of the documents presented for the purposes of identification and verification of identity (except for the back of the official address card proving personal identification).

Client acceptance procedure

Besides and in addition to its customer due diligence obligation prescribed by the Anti-Money Laundering Act, Deloitte is required to carry out client due diligence by internal policies laid down by the global group headquarters, designed to identify and prevent money-laundering, also to perform an internal client acceptance in the case of services outside the scope of the Anti-Money Laundering Act (hereinafter referred to as "client acceptance").

Client acceptance for entities of Deloitte Central Europe's network is performed by the Risk Operation Center (ROC), which is part of the Polish subsidiary of Deloitte Central Europe. ROC performs client acceptance exclusively based on data and information extracted from publicly available databases. Where personal data may be involved, the legal basis of the data processing is Deloitte's legitimate interest in completing the client acceptance process. Otherwise, the provisions of this privacy statement shall be applicable for the processing of such personal data.

Process and transfer of the data obtained by the Hungarian Deloitte, recipients, data processors

Deloitte shall use personal data acquired during the customer due diligence as well as the client acceptance exclusively for anti-money laundering related due diligence and in order to identify the client, in case of client acceptance to carry out the client onboarding process. Personal data can be accessed only by Deloitte's designated personnel involved in providing services to the client concerned and responsible for checking compliance with anti-money laundering provisions, as well as Deloitte's anti-money laundering agents. Please be informed that the persons having access to the personal data are bound by legal (Labour Code and Act on Attorneys) and contractual confidentiality obligations.

Please be informed Deloitte Advisory and Management Consulting Private Limited Company – as data processor – provides AML administrative services to the other three Deloitte companies determined above.

Deloitte uses the services of Digital Resources a.s. (Poděbradská 520/24, 190 00 Prague 9, Czech Republic) – as data processor – in storing the documents provided and prepared during the customer due diligence.

Data handover

According to Section 22 of the Anti-Money Laundering Act the service provider obliged by such Act shall be entitled to accept the result of the client due diligence of another service provider shall the conditions determined in the Act fulfil. If – in the course of a Deloitte's customer due diligence performed pursuant to the Anti-Money Laundering Act – the client has provided consent Deloitte may provide copies of the data and documents required to perform the customer due diligence to another Deloitte company contracting with the client in the future. If such handover is carried out based on the client's consent, Deloitte receiving the copies of the data and documents, will use them solely for client due diligence purposes as described in this notice

Data security

Deloitte ensures data protection, i.e. protects data from unauthorised access, modification, transfer, publication, deletion or destruction, incidental destruction or damage, as well as from becoming inaccessible pursuant to the provisions of the Regulation no 2016/679 of the European Parliament and the Council on General Data Protection Regulation (hereinafter referred to as “GDPR”).

Data subjects’ rights

Requests related to the exercise of data subjects’ rights shall be addressed to the respective Deloitte company (registered office: 1068 Budapest, Dózsa György út 84/C).

Rights of the data subjects concerning processing:

  • Right to information (access): the data subject may request information about the processing of his/her personal data at any time. When requested by the data subject in writing, the controller provides information about the categories of personal data concerned, the purpose and duration of processing, the recipients, the rights of the data subject and the possibility to file complaints to the authority.
  • Right to rectification: the data subject has the right to request the clarification or supplementation of their processed data at any time. The data subject must submit facts and evidence supporting the need for rectification to any request for the rectification of data.
  • Right to object: the data subject may object to the processing of his or her data at any time on grounds relating to his or her particular situation.
  • Right to erasure: a data subject may request their data to be erased when processing is no longer required in line with the AML Act the data subject’s data are processed unlawfully, or
  • Right to restriction: the data subject has the right to request the restriction of the processing of their data by the controller
    • if the accuracy of the data is disputed (the restriction applies until it is established whether it is indeed or it is not necessary to clarify the data),
    • if the data processing is unlawful, and the data subject objects to their deletion and requests their restriction instead,
    • if the data controller has no longer any use of the data for the defined purpose, but the data subject needs them for filing, asserting or protecting legal claims,
    • the data subject has objected to data processing; in this case, the restriction applies for the period until it is established whether the legitimate reasons of the controller override those of the data subject.

The data controller shall inform the data subject in writing of the execution of the data subject's request within 30 (thirty) days of its receipt. Data subjects may submit their requests, statements, comments or questions related to the processing of their data by post in a letter sent to the attention of the respective Deloitte to the address 1068 Budapest, Dózsa György út 84/C or by sending an e-mail message to the dataprivacyHU@deloittece.com e-mail address.

  • Right to legal remedy: In case their rights are violated, data subjects have the right to turn to the competent court according to their place of permanent or temporary residence, and anyone may request the National Authority for Data Protection and Freedom of Information (address: 1055 Budapest, Falk Miksa utca 9-11., postal address: 1363 Budapest, Pf., e-mail: ugyfelszolgalat@naih.hu, telephone number: +36 (1) 391 1400, website: https://naih.hu/) to conduct an investigation due to the fact that an infringement of right occurred or there is an imminent threat thereof. The court shall proceed in relation to the subject of the request immediately.
Application of data privacy provisions

The provisions of the Data Privacy Act apply only to (personal) data of natural persons; and thus are not applicable for the processing of corporate information. Corporate information and documentation recorded in and deleted from the commercial register are publicly available according to Act V of 2006 on Public Company Information, Company Registration and Winding-up Proceedings.

Budapest, 1 January 2025.

Did you find this useful?

Yes
No

Thanks for your feedback

Your feedback is important to us

To tell us what you think, please update your settings to accept analytics and performance cookies.

Need help updating cookies?