We may collect and process the following types of personal data:

• name;
• age;
• date of birth;
• national identification number;
• gender;
• phone number;
• home address;
• country of residence;
• passport;
• family circumstances (e.g. civil status and contact details on dependents) and close relatives;
• photo;
• e-mail address;
• IP address;
• title;
• office location;
• department;
• employee identification number;
• time registration;
• employment and education details (e.g. previous employment and education details);
• salary, severance pay, bonus and pension information;
• assets, including debt, loan, income, wealth;
• travel and expenses;
• leaves of absence;
• bank account details and transactions;
• tax-related information;
• documentation requirements.

The personal data listed above is collected and processed for the following purposes:

• delivering services to our clients;
• staffing and resource allocation;
• provision of access to relevant systems;
• compliance with applicable legal or regulatory requirements and/or internal policies;
• documentation requirements;
• handling requests, complaints and claims from third parties;
• handling inspections and queries by supervisory authorities; external auditors and legal advisors; and
• customer relationship management.

We may also collect the following types of special categories of personal data (GDPR art. 9) for the purpose specified above:

• Trade union membership;
• Data concerning health;
• Revealing racial or ethnic origin; 
• Political opinions; and
• Criminal records (GDPR art. 10).

We collect and process your data based on the following basis:

• Consent, see GDPR article 6 paragraph 1 (a);
• Performance of a contract, see GDPR article 6 paragraph 1 (b);
• A legal obligation to which Deloitte is subject, see GDPR article 6 paragraph 1 (c); 
• The legitimate interests of Deloitte, see GDPR article 6 paragraph 1 (f).

We do not collect and process special categories of data unless there is a legal basis in the GDPR article 9 paragraph 2; establishment, exercise or defense of legal claims, or consent.

We collect your personal data from you, as well as from public authorities, insurance providers, banks, your employer, your/client’s business partners, third party advisors, our websites, registered information, and other Deloitte entities depending on the nature of the engagement.

In connection with one or more purposes outlined above, the personal data disclosed by or collected from client/you may be disclosed to and shared with the following recipients: Public authorities, our professional advisors (e.g. auditor and legal advisors) vendors; and other Deloitte entities.

Transfer of personal data to data processors 

We may transfer your personal data to other Deloitte entities. We may also transfer the personal data to IT providers, including cloud service providers, or to vendors of external services, who process, access and /or store the personal data on our behalf. 

Transfer of personal data to data controllers

We may transfer your personal data to other data controllers, e.g. if Deloitte has a legal obligation to transfer the data to public authorities.

Transfer of personal data to recipients in countries outside the EU/EEA 

We may transfer personal data disclosed by or collected from you to recipients located in countries outside the EU/EEA for the purposes listed in section 1. In such case, the legal basis (transfer mechanism) for the international transfer is either our internal data transfer agreements, an adequacy decision or EU’s Model Clause Agreement.

In addition to ensuring an equivalent transfer mechanism, Deloitte will assess the impact of such potential transfers. 

We store the personal data for as long as necessary to fulfil the purposes listed above, however, (i) for no longer than necessary for the administration of the client relationship, (ii) for no longer than we would have a legitimate interest or (iii) for no longer than for the fulfilment of legal requirements or internal guidelines. We have specific retention periods for client data, which is based on either legal obligations or Deloitte’s legitimate interest in keeping the personal data for a given period. As an example, we may have a legitimate interest in keeping personal data to defend a potential legal claim. These periods are dependent on the service provided and is based on a risk assessment of Deloitte’s need to retain data for a longer period of time held up against the data subject’s interest in having it deleted. Deloitte will store data securely and in accordance with the GDPR.

Subject to the conditions set out in the applicable data protection legislation, the data subject has certain rights. In the following, you can read about your rights and how to perform them:

The right to request access to your personal data

You can send us a request for access to get information about whether we process personal information about you in connection with your client relationship with Deloitte, and thus gain insight into what information we process about you if you are registered.

The right to rectification of your personal data

If you believe the information we have stored about you is incorrect (e.g. wrong contact details) you can request that we correct this at any time.

The right to erasure of your personal data

You can withdraw your consent to process personal data at any time. If you withdraw your consent, we will delete your personal information that is processed on this basis.

If you request erasure of your personal data, the data will be deleted. However, the right to erasure is not absolute, as it should be balanced against legal requirements and Deloitte’s legitimate interest. 

The right to restriction of processing

If you do not wish us to delete your information but have reasons to wish that we will stop processing them in ways other than storage, you may, under certain circumstances, have the right to request this.

The right to data portability

According to Article 20 of the GDPR you have the right to data portability for personal information about yourself that you have given to Deloitte and which has a basis for processing in consent or agreement. The main basis for processing your personal information, is the contract between you as a client and Deloitte. If you wish to exercise your right to portability, the relevant information from your profile will be exported to a Microsoft Excel document and handed over to you.

The right to objection to the processing of your personal data

You have the right to object to processing of personal data concerning you, where the processing is based on public interest or legitimate interest of Deloitte, e.g. profiling. If so, Deloitte will no longer process your personal data unless there is a legitimate ground for doing so which, according to a balancing test, is overriding.

The right to objection to profiling 

You have the right to object to your personal data being processed for direct marketing purposes. This includes profiling to the extent that it is related to such direct marketing.

File a complaint

You also have the right to file a complaint with the competent supervisory authority. In Norway, this is Datatilsynet. Complaints can be delivered on their website by following this link.

Please contact us by filling out this contact form  or send us an e-mail to noprivacy@deloitte.no if you have any questions in regards to the protection of your personal data or if you wish to exercise your legal rights.

Address details: 

Deloitte AS / Deloitte Advokatfirma AS
Dronning Eufemias gate 14
0191 Oslo
Norway

We keep our privacy notice under regular review and thus the notice may be subject to changes. The date of the last revision of the privacy notice can be found on the top of the page.

We may collect and process your personal data for the following purposes:

• providing services to our clients;
• relationship management;
• compliance with applicable legal or regulatory requirements and/or internal policies;
• documentation requirements;
• handling requests, complaints and claims from third parties;
• handling inspections and queries by supervisory authorities;
• external audit and legal advice.

We may collect the following types of general categories of personal data for the purposes specified above:

• Name;
• age;
• date of birth;
• national identification number;
• gender;
• phone number;
• home address;
• country of residence;
• visa;
• family circumstances (e.g. civil status and contact details on dependents and close relatives);
• photo;
• email address;
• title;
• opinions;
• actions;
• employment and education details (e.g. previous employment and education details);
• salary and pension information;
• leaves of absence;
• bank account details;
• tax-related information and investments;
• information on any criminal records;
• ownership of shares;
• voting rights;
• management position or similar role; and
• any status as or relation to a politically exposed person (if required in accordance with anti-money laundering regulation).

We may also collect the following types of special categories of personal data for the purposes specified above:

• racial or ethnic origin,
• trade union membership,
• data concerning health 

We collect your personal data from you, our clients and our vendors as well as from public authorities; other Deloitte entities, and other third-party business relations, depending on the character of the engagement.

We collect and process your data based on one or more of the following articles in GDPR:

• Art. 6 paragraph 1 (a) the data subject’s consent to the processing of his or her personal data for one or more specific purposes;
• Art. 6 paragraph 1 (c) compliance with legal obligations to which our client or Deloitte is subject;
• Art. 6 paragraph 1 (f) Deloitte’s legitimate interests;
• Art. 9 paragraph 2 (b) employment and social security and social protection law purposes; and
• Art. 9 paragraph 2 (f) establishment, exercise or defense of legal claims

In connection with one or more purposes outlined above, the personal data disclosed by or collected  may be disclosed to and shared with the following recipients: Public authorities, our professional advisors (e.g. auditor and legal advisors) vendors; and other Deloitte entities.

Transfer of personal data to data processors

We may transfer your personal data to other Deloitte entities. We may also transfer your data to IT providers, including cloud service providers, or to external service providers, who process and/or store the personal data on our behalf.

Transfer of personal data to recipients in countries outside the EU/EEA

We may transfer your personal data to recipients located in countries outside the EU/EEA for the purposes listed in section 1. In such case, the legal basis for the international transfer will be EU’s Standard Contractual Clauses (SCC), or other applicable legal basis.

We store your personal data for as long as necessary to fulfil the purposes above.

Subject to the conditions set out in the applicable data protection legislation, you have the following rights:

• The right to request access to your personal data;
• The right to rectification of your personal data;
• The right to erasure of your personal data;
• The right to restriction of processing of your personal data;
• The right to data portability; and
• The right to objection to the processing of your personal data

Please note that these rights are not absolute, as they should be balanced against legal requirements and Deloitte’s legitimate interests.

You also have the right to file a complaint with the Norwegian Data Protection Agency (Datatilsynet):

Datatilsynet
Postboks 458 Sentrum
0105 Oslo

Complaints can be delivered on their website by following this link.

Please contact us by filling out this contact form  or send us an e-mail to noprivacy@deloitte.no if you have any questions in regards to the protection of your personal data or if you wish to exercise your legal rights.

Address details:

Deloitte AS / Deloitte Advokatfirma AS
Dronning Eufemias gate 14
P.O Box 221 Sentrum
0191 Oslo
Norway

We keep our privacy notice under regular review and thus the notice may be subject to changes. The date of the last revision of the privacy notice can be found on the top of the page.