Appendix No. 1 to the Deloitte Questionnaire
for the purposes of the Anti-Money Laundering (“AML”) complex of activities to prevent and combat the legalization of proceeds from crime (money laundering), the financing of terrorism and the proliferation of weapons of mass destruction, in order to achieve compliance with legal requirements and to actively monitor for and report suspicious activities.
This Notice is provided in accordance with the Data Protection Legislation.
The Personal Data Controller (володілець персональних даних) deciding on the purpose of processing
Deloitte – Limited Liability Company “Deloitte & Touche Ukrainian Services Company”, registration number: 25642478, address: 48, 50a Zhylyanska Street, Kyiv, 01033, Ukraine (hereinafter, “Deloitte”), as an entity obligated under the Law of Ukraine “On Prevention and Counteraction to Legalization (Laundering) of Criminal Proceeds, Terrorist Financing, and Financing of Proliferation of Weapons of Mass Destruction” No. 361-IX dated 6 December 2019; Order of the Ministry of Finance of Ukraine “On the Approval of the Regulation on the Implementation of Financial Monitoring by the Subjects of Primary Financial Monitoring, the State Regulation and Supervision of Whose Activities Is Carried out by the Ministry of Finance of Ukraine” No. 282 dated 7 June 2024 and other applicable regulatory and legal acts (hereinafter, the “Law”), collects and processes your personal data in the scope and for the purposes specified in this Notice.
Purpose of personal data collection and processing
Personal data are collected and processed for the purpose of compliance with the Law.
Types of personal data
Deloitte collects and processes the types of data indicated in the Questionnaire.
The Data Subject categories
In accordance with the Law, the data are collected from or in relation to the following Data Subjects:
Lawfulness of personal data processing
Personal data are collected for the purpose of compliance with the Law.
As described above, the provision of personal data for the specified purpose is obligatory. A failure to provide the personal data will have legal consequences as introduced by the Law, which may generally lead to the following potential impact:
Data are collected directly from the Data Subjects listed above or from authorized personnel of Deloitte’s client, or indirectly from publicly available sources and/or documentation provided by the Data Subject or authorized personnel of Deloitte’s client. Electronic data are kept in such a manner that only authorized Deloitte staff have access to the data.
The Data Recipients/categories of persons or entities having access to the personal data processed
Deloitte CE’s staff is responsible for fulfilling the requirements of the Law, compliance with the Deloitte Anti-Money Laundering Policy, Deloitte CE’s AML Policy implementation, and Deloitte CE’s AML compliance program.
Deloitte CE approves the Data Processors providing administrative and IT support auxiliary services to Deloitte CE as agreed in a written authorization/contract.
Personal data processing period
Personal data shall be kept during the period defined by the Law, i.e. for five years from the date of the business relationship termination. Upon expiration of the said period, the personal data will be permanently deleted.
Security of processing
Deloitte CE shall establish technological, physical, administrative, and procedural safeguards, all in line with industry-accepted standards, to protect and ensure the confidentiality, integrity, or accessibility of all personal data processed; prevent the unauthorized use of or unauthorized access to the personal data; or prevent a personal data breach (security incident) in accordance with Deloitte CE’s instructions, policies, and applicable laws. Deloitte CE is a holder of ISO 27001 certification, a widely recognized global information standard.
The Data Subject’s rights
Each Personal Data Subject has the right to request access to his/her personal data and rectification or erasure of personal data or a restriction on data processing, but only to the extent possible under the applicable Law. The Data Subject may object to the processing of his/her personal data (in certain cases as specified by the Data Protection Legislation), as well as exercise the right to data portability and other rights specified in Article 8 of the Law of Ukraine No. 2297-VI “On Personal Data Protection”. All rights described here can be enforced by sending a written notice to ceuaprivacy@deloittece.com.
Each Data Subject also has the right to lodge a complaint with a local data protection supervisory authority in Ukraine (the Ukrainian Parliament Commissioner for Human Rights (Ombudsman)) if they are of the opinion that the processing of their personal data infringes the Data Protection Legislation.