Datenschutzhinweise

Last updated: 13 September 2024

Privacy Notice

„Privacy Policy“ and „Information on the processing of personal data in accordance with Art. 13, 14 DSGVO“

Introduction

The following sections, “Privacy Policy” and “Information about the processing of personal data in accordance with Art. 13, 14 GDPR,” explain what data we collect about you, what we need this data for and to whom we pass on this data. In addition, they also include your rights in relation to your data and the contact persons to whom you can turn for further information or inquiries.

While the “Privacy Policy” is intended primarily to clarify what personal data we process, store and protect if you use “our website” and “Deloitte apps” (as defined below), the “Information about the processing of personal data in accordance with Art. 13, 14 GDPR” essentially describes how your data are processed in the context of our services for you / our customers and in the context of all other activities that are part of the performance of our business activities.

I. Privacy Policy

Who does this Privacy Policy apply to, and what does it cover?

This Privacy Policy applies solely to the specific website of deloitte.com/de, for which Deloitte GmbH Wirtschaftsprüfungsgesellschaft headquartered in Munich and the companies owned or controlled by us (“Deloitte,” “we,” “us” or “our”), are responsible, as well as for applications (“Deloitte-Apps”) and other websites that are offered by Deloitte.

The deloitte.com website consists of several individual, global, country-specific, regional, and service-specific Web sites, each of which is provided by Deloitte Touche Tohmatsu Limited (“DTTL”) or one of its national and independent member firms or affiliates (collectively, the “Deloitte network”). To learn more about DTTL, the member firms of DTTL and their affiliates, see About Deloitte.

We are committed to protecting your privacy and to processing your information in an open and transparent manner.

This Privacy Policy explains how we process, store and protect information about you when you use our website and other Deloitte apps. We also explain how your data are processed when we provide services to you / our customers and in all other activities that are part of our business activities.

If this policy refers to “our website” or “this website,” this refers to the specific websites on deloitte.com that are labeled “Deloitte Deutschland” in the upper right-hand corner of this website, as well as websites, whose URL begins with https://www.deloitte.com/de or with https://www.deloittelegal.de/dl/.

This privacy policy also contains information about when we share your personal information with other members of the Deloitte network and other third parties (such as our service providers).

If you provide us with information via the Deloitte website or when using Deloitte apps, you agree, in accordance with Art. 6 (1) (a), 7 of the GDPR (General Data Protection Regulation), that we may use your personal data in the context of the principles laid down here. This also applies to a possibly required transfer of personal data to foreign member firms of Deloitte Touche Tohmatsu Limited. Please note in this regard that certain links (electronic links) on the German Deloitte website lead to the websites of third parties or other member firms of Deloitte Touche Tohmatsu Limited, which, because of their national autonomy and independence as well as potential differences in local law, are not subject to the content of this Privacy Statement. Deloitte GmbH Wirtschaftsprüfungsgesellschaft accepts no liability for the content and / or data protection treatment of data put on these other websites.

Regarding other areas of deloitte.com

Please note that the other country-specific, regional and service-specific websites on deloitte.com are provided by other companies / entities within the Deloitte network and not by us. The terms of this privacy statement do not apply to these websites and other websites to which this website may be linked. We encourage visitors of our website to review the privacy statements on each of these other websites before disclosing personal information.

What data do we collect?

Our cookies terms of use can be viewed on our cookies page.

Deloitte Cookie Notice

The personal data we collect or obtain about you may include (but is not limited to): name; age; date of birth; gender; e-mail address; country of birth; information about work and education/training (e.g. what company you work for, your job description and details of your training); financial and tax information (e.g. where you are resident for income and tax purposes); your posts on blogs, forums, wikis and all other social media applications and services we provide; your IP address; your browser type and your browser language; your access times; complaint details; details about how you use our products and services; details of how you would like to interact with us and other comparable information.

The personal data processed by us may also contain what are known as “sensitive” or “special categories” of personal data, if you provide us with these voluntarily. The types of personal data and particular categories of personal data we process may vary depending on the type of services we provide to you / our customers or the way you use our website.

We underline the importance of protecting the privacy of minors (especially children under the age of 13), in particular with regard to possible misuse of today’s internet communications. For this reason, we would like to emphasize that our website and services are not designed for children or intentionally targeted towards minors. We do not knowingly collect or store information about minors.

How are your data processed by us?

Processing of personal data collected via our website

In addition to the purposes outlined above in connection with the conduct of our business, we may also process your personal information collected through our website:

to manage and improve our website,
customize the content of our website to give you an individualized user experience and to draw your attention to information about our products and services that may be of interest to you,
to manage and answer all inquiries you make to us through our website,
for the purposes to which the visitor has voluntarily consented within the meaning of Article 6 (1) (a), 7 GDPR, such as in the context of an application or registration for the purpose of obtaining general or exclusive information, as well as for purposes that registered users can expect in the context of their website usage.

If you, as a registered visitor, no longer wish to use the information or other areas offered, you can object to any further processing of your personal data for the future at any time. Please contact Deloitte Legal Rechtsanwaltsgesellschaft mbH as the responsible body within the meaning of the GDPR, Erna-Scheffler-Straße 2, 40476 Düsseldorf, or legal@deloitte.de on this matter. The objection will incur no costs other than the transmission costs according to the basic tariffs.

Processing of personal data for the provision of services to our customers

We process your personal data for the purpose of carrying out individual contractual relationships, for the provision of services for you / our customers. In this context, we may process your personal information in the course of correspondence regarding the services. Such correspondence may take place with you, our client, other members of the Deloitte network, our service providers or relevant authorities. Similarly, we may process your personal information in order to conduct the necessary pre-audits related to our services (e.g., conflict or “know-your-client” checks as per regulatory requirements) or in the course of discussing services we may potentially provide.

As we offer our clients a wide range of services, the way we process personal information in relation to our services also varies. For example, we may process personal information:

a customer’s employees to assist those employees in their tax affairs if they work abroad,concerning
a customer’s employees and contractors while conducting an audit (or similar activity) for a client,
concerning a customer to help said customer prepare a tax return.Processing of personal data for other activities that are part of our business activities

We may also process your personal data in connection with the following purpose, which is related to the original purpose (depending on the necessity and professional admissibility in individual cases):

Applicable legal or regulatory obligations,
Inquiries and communications from competent authorities in the context of relevant professional secrecy obligations,
Accounting, billing and risk analysis purposes,
For the purposes of maintaining customer relationships, including, but not limited to: (i) providing thought leadership or information concerning our products and services that we believe are of interest to you; (ii) contacting you to obtain feedback on our services; and (iii) contacting you for any other market or research purpose, to the extent that the specific legal preconditions are in place,
provided to us by our specialist advisors, such as attorneys, auditors and consultants,
Administrative purposes related to the specific business activity
Protection of our rights and those of our customers.

Legal basis for the processing of personal data

We process your personal information for the purposes listed above: (a) on the basis of our legitimate interest in the effective provision of our services to you and our customers; (b) on the basis of our legitimate interest in the effective and lawful pursuit of our business, unless your interests outweigh this interest; (c) on the basis of our statutory and regulatory obligations, such as the management of records for tax purposes; (d) because the data are necessary for the provision our services to you / our customer.

To the extent that we process sensitive personal information relating to you for any of the purposes listed above, we either do so because: (i) you have given us your express consent to process that data; (ii) we are required by law to process such information to ensure we comply with our “know your client” and “anti-money laundering” obligations (or other applicable legal obligations); (iii) the processing is necessary to fulfill our labor, social security or social protection obligations; (iv) the processing is necessary to assert, exercise or defend any legal claims, or (v) you have made the data public.

If we are required by law to obtain your explicit consent to provide you with certain promotional materials, we will only offer you those materials if we have obtained such consent from you. If you no longer wish to receive further advertising material from us, you can click on the unsubscribe function in the message or send an e-mail to kontakt@deloitte.de or to legal@deloitte.de and object to the processing of your personal data for these purposes at any time without stating any reasons. The objection will incur no costs other than the transmission costs in line with the basic tariffs.

Who do we share your information with?

In connection with one or more of the purposes outlined in the section “How are your data processed by us?,” we may provide details about you to: other members of the Deloitte network; third parties providing services to us and / or the Deloitte network; competent authorities (including courts and authorities supervising us or other members of the Deloitte Network); your employer and / or its advisor; your advisors; organizations that assist us in identifying fraud and other third parties who legitimately request access to personal information related to you for one or more of the purposes outlined in the section “How are your data processed by us?” In any case, disclosure will only take place if this is also admissible after taking into account relevant professional confidentiality obligations.

Our website hosts various blogs, forums, wikis, and other social media applications or services that enable you to share content with other users (collectively known as “social media applications”). However, when using these social media applications, please be aware at all times that the information disseminated through this information channel may (also) be read, collected, stored and / or used by other users of the application. We have little or no control over these other users and therefore cannot guarantee that all the information you provide in the social media applications will be treated in accordance with this Privacy Policy. We therefore take no responsibility for these persons and their treatment of your (personal) data.

Medium.com is a publishing platform where any registered user can write their own articles and publish them without having to maintain their own blog. We use www.medium.com to publish thought leadership and articles on technology and innovation.

Please note that some of the recipients of your personal information mentioned above may be located in countries outside the European Union whose privacy laws may be less comprehensive. In such cases, we will ensure that adequate safeguards have been put in place to protect your personal information and that these safeguards comply with our legal obligations. If the recipient is not a member of the Deloitte network, a data transmission agreement with the recipient based on standard contractual clauses for the transfer of personal data to third countries recognized by the European Commission may be an appropriate safeguard.

We can also provide further details regarding the transfers described above and the appropriate security arrangements made by Deloitte with respect to these transfers. Please contact privacy@deloitte.de for more information.

We may also be obliged to disclose your personal information if required to do so by law, by a regulatory agency or as part of a legal process.

We are entitled to share non-personal, anonymized and aggregated data with third parties for various purposes, including but not limited to: data analysis, research, quoting, thought leadership and promotional purposes.

Please note, if you provide data to other member companies of Deloitte Touche Tohmatsu Limited, that the individual member companies are nationally autonomous and independent, are generally subject to laws that deviate from the GDPR and, if applicable, have provided an alternative declaration to the Privacy Statement. For this reason, we would particularly like to ask you to read through the respective privacy statements of certain other member companies of Deloitte Touche Tohmatsu Limited before you forward your personal data to them. This also applies if you instruct us to forward your personal data to them. Deloitte GmbH Wirtschaftsprüfungsgesellschaft accepts no liability for the content and / or data protection treatment of data that you or we put on other websites at your request.

Protection of your personal data

In order to protect visitor data that is entered on the website, Deloitte GmbH Wirtschaftsprüfungsgesellschaft uses technologically generally accepted security standards to safeguard visitor data on the German website from misuse, loss and falsification. In addition, only certain Deloitte employees have access to the visitor data that can be identified as personal data. These employees will ensure that the confidentiality of this sensitive information is respected within the scope of the purpose of transmission. In accordance with the relevant confidentiality agreements provided by other participating companies (including certain member companies of Deloitte Touche Tohmatsu Limited), this principle also applies to their websites and thus also to employees, agents and affiliates whom they entrust with the visitor data as part of the purpose of the transfer.

All visitors to our websites should also be aware that links (electronic “references”) on the German website lead to other websites and information provided by third parties. Unless expressly assured above, Deloitte GmbH Wirtschaftsprüfungsgesellschaft assumes no responsibility for content on third-party websites, including those relating to compliance with certain security standards or compliance with the General Data Protection Regulation.

Notwithstanding the foregoing regarding visitor data on the German websites, we use a variety of physical, electronic and operational measures to ensure that your personal information is generally safe, accurate and up-to-date. These measures include, but are not limited to:

professional development and training of relevant employees to ensure that they are aware of the data protection obligations when handling personal data,
administrative and technical controls to restrict access to personal data to persons who need to know (“need to know” principle),
security measures, including firewalls, encryption and anti-virus software,
physical security measures, such as a requirement to show employee security badges to obtain access to our premises.

Although we apply reasonable security measures once we have received your personal information, the transmission of data over the Internet (including via e-mail) is never completely secure. We strive and do our utmost to protect personal information but cannot guarantee the security of the data transmitted to or from us. Please note that we have an ISO 27001 certified information security management system that aims to provide optimal protection of all the information we process.

How long do we retain your data?

We store your personal information on our systems for the longest of the following periods: (i) as long as required by the activity or service in question; (ii) for a legally required retention period; (iii) until the end of the period in which a lawsuit or service investigation may arise in relation to the services

Specifically, depending on the category of data, Deloitte will store your personal data in accordance with the applicable statutory retention requirements, essentially as follows:

Auditors’ reference files: 10 years from the end of the calendar year of completion of the order,
Lawyers’ reference files: 6 years from the end of the calendar year of completion of the order
Accounting documents: 10 years,
Received commercial or business letters and reproductions of dispatched commercial or business letters as well as other tax-relevant documents: 6 years.

Your rights

You have a range of rights in connection with your personal data. In particular, you have the right:

to request an update of your personal data held by us or, if you think these are inaccurate or incomplete, a correction of that data,
to request the deletion of your personal data stored by us or a restriction on the way we process these data, if this is not precluded by legal obligations,
to revoke your consent to the processing of your personal data by us at any time free of charge without giving reasons, which can be done by contacting kontakt@deloitte.de (if such processing is based on consent),
to obtain a copy of the personal information you have provided to us in a structured, common and machine-readable format and to transmit it to another party (if processed on the basis of consent or a contract),
to object to the processing of your personal data by us.

If you wish to exercise your rights or if you have other questions about how your personal information is processed by us, please send an e-mail to kontakt@deloitte.de or write us at the following address:

Deloitte GmbH Wirtschaftsprüfungsgesellschaft
Business Development
Kurfürstendamm 23
10719 Berlin

Right of appeal

If you do not agree with the way your personal information is processed by us, or with a request or inquiry that you have addressed to us, please contact privacy@deloitte.de. You also have the right to contact the Deloitte Data Protection Supervisor. For an overview of relevant regulators, see the Deloitte and Deloitte Legal company details.

Changes to this privacy policy

If necessary, we may amend or supplement this privacy policy.

To let you know when we make changes to this privacy policy, we will adjust the revision date at the top of this page. The newly amended or expanded privacy policy will be effective as of this revision date. Therefore, we encourage you to periodically review this policy to learn how we process and protect your information.

Please note that the Deloitte websites and the Deloitte apps, including this Privacy Notice, have been made available to provide general information and guidance on certain topics, but not to delve into individual topics. The Deloitte websites and Deloitte apps are not designed to provide binding advice (including on accounting, tax, legal affairs, investments), any other service or work output, or any response to any related matter, for example. Accordingly, you cannot rely on the content of Deloitte websites or Deloitte apps with regard to taking a decision or action, and should therefore always consult with a professionally qualified advisor on matters relating to your personal finances and business dealings.

Questions about the protection of privacy

If you have any questions about this Privacy Statement, or feel that you have specific concerns about it that should be addressed, feel free to contact us directly via kontakt@deloitte.de or via legal@deloitte.de.

Privacy Policy for the use of Google Analytics & Adobe Analytics

Our websites use the Google Analytics web analytics service provided by Google Inc. (“Google”) and Adobe Analytics, provided by Adobe Systems, Inc. Small text files called “cookies” are stored by a server on the Internet on your PC to facilitate an analysis of your usage behavior on this website. The information generated and collected by the cookie is usually transferred to a Google or Adobe Analytics server in the USA, where it is evaluated and stored.

If IP anonymization is activated on this website, the IP address of Google or Adobe will be shortened beforehand within the member states of the European Union and in the other contracting states of the Agreement on the European Economic Area. The complete transfer of the IP address to the server of Google or Adobe Analytics in the US and the shortening of the IP address being carried out there occurs only in exceptional cases.

Google or Adobe Analytics uses the information above on behalf of the website operator to evaluate the traffic flows and interactions on this website and compile reports on website activity. In addition, the website operator will be provided with additional services related to website and internet use.

There is a possibility that you can prevent the storage of cookies on your computer by selecting the relevant browser settings and thus prevent the use of Google Analytics and Adobe Analytics. However, this setting may result in your not being able to fully use all features of this website.

In addition, you have the option to prevent the transfer of your information about the use of this website to and the processing of this data by Google or Adobe Analytics by downloading and installing the browser plug-ins available at the following links:
http://tools.google.com/dlpage/gaoptout?hl=en or http://www.adobe.com/privacy/opt-out.html

II. Information about the processing of personal data in accordance with Art. 13, 14 GDPR

Please ensure that, in addition to the information below, you are also familiar with Deloitte’s Privacy Policy. For questions of understanding or other queries, please contact us at privacy@deloitte.de.

Deloitte GmbH Wirtschaftsprüfungsgesellschaft provides services in the areas of auditing, risk advisory, tax consultancy, financial advisory and consulting for companies and institutions from all economic sectors; legal advice is provided in Germany by Deloitte Legal Rechtsanwaltsgesellschaft mbH (“Deloitte Legal”) (collectively “Deloitte” / “we”). As part of the commission to provide the above services, Deloitte processes personal data according to the individual order. This information complements the Privacy Policy above and provides a more concrete description of how Deloitte processes your personal information as part of the provision of the commissioned service.

Please note that this information refers exclusively to personal data within the meaning of Art. 4 No. 1 GDPR, i.e. not all data and information that Deloitte receives in relation to the underlying client relationship, but essentially only information that relates to an identified or identifiable natural person. Notwithstanding this, the professional secrecy and confidentiality obligations to which Deloitte and Deloitte employees are subject by the professional law of tax consultants, certified public accountants and lawyers, as applicable, shall apply in full to all data and information we receive from you under the client relationship, regardless of whether this is personal data within the meaning of the GDPR.

The controller within the meaning of the GDPR

The controller within the meaning of Art. 4 (7) EU General Data Protection Regulation (GDPR), which is responsible for processing your personal data in connection with all services not provided by Deloitte Legal, is:

Deloitte GmbH Wirtschaftsprüfungsgesellschaft
Rosenheimer Platz 4
81669 München

Deloitte Legal Rechtsanwaltsgesellschaft mbH
Erna-Scheffler-Straße 2
40476 Düsseldorf

If the contractor of a contract for the performance of our services is another German Deloitte company, then it acts as the responsible body in the case concerned. An overview of the German Deloitte companies can be found here.

Data protection officer & data protection supervisor

All German Deloitte companies have appointed data protection officers. You can contact the respective data protection officer at privacy@deloitte.de. The relevant supervisory authorities can be found here.

Purposes of processing and legal basis for processing

Deloitte processes your personal information for the purpose of fulfilling our (pre)contractual obligation to our customers. In particular, we process your contact details such as name, address, telephone number and e-mail address in this context in order to carry out pre-contractual measures (such as internal pre-contractual compliance checks or within the scope of the client / contract) and to carry out our respective contractual obligations, including administrative execution and settlement of the respective contract on the basis of Art. 6 para. 1 lit. b) GDPR. Deloitte uses IT systems to administer and store your personal information to manage and execute order requests / assignments, but with no automated decision-making or profiling.

Depending on the category of documents, Deloitte will store personal data for record keeping / documentation and archival purposes in accordance with relevant legislation for a varying period of time:

Auditors’ reference files: 10 years from the end of the calendar year of completion of the order
Lawyers’ reference files: 6 years from the end of the calendar year of the completion of the order
Accounting documents: 10 years
Received commercial or business letters and reproductions of the dispatched commercial or business letters as well as other tax-relevant documents: 6 years

As a rule, Deloitte receives the necessary personal data from the customers. In this respect, Deloitte has, in accordance with Art. 6 para. 1. f) GDPR, a legitimate interest in the processing of this personal data, as Deloitte is obliged to carry out the contracted service on the basis of the underlying contract. In this context, it is essential for Deloitte to process any personal data related to the contact persons of our customer (including at an early stage within the context of the offer preparation).

If you have commissioned Deloitte to perform certain services, such additional personal data relating to you will be processed in the context of order processing in addition to your contact details to the extent that they are necessary for the provision of the service agreed with you and that you have forwarded such information to us. In this respect, the processing of your personal data is justified to ensure the fulfillment of the contract between you and Deloitte and according to Art. 6 para. 1 b) GDPR.

Please note that Deloitte’s General Terms and Conditions generally require the client to be obliged to provide Deloitte with all the documents and information necessary to complete the contract. In this respect, the processing of the respective order and the associated fulfillment of the contractually agreed service by Deloitte is not possible or possible only to a limited extent if and insofar as the necessary information is not provided.

As Deloitte is required by law to ensure proper record keeping, extensive documentation of its clients and assignments (also beyond the conclusion of an order) as well as compliance with further retention and documentation obligations (including due to professional, accounting or commercial and corporate law requirements), Deloitte processes your personal data in the context of documents to be recorded, work results or related customer-related correspondence (also for the purpose of file management), documentation and archiving both in the form of paper files and in the context of IT systems used for this purpose on the basis of Art. 6 para. 1. c) GDPR for the fulfillment of our aforementioned legal obligations.

Notwithstanding the foregoing purposes, Deloitte will, to the extent permitted by applicable law, also process your contact information (including name, address, e-mail address) for marketing and advertising purposes, in other words, for example, to provide you with information about our further offers or events. This is done on the basis of consents and / or a legitimate economic interest of Deloitte as defined in Art. 6 para. 1. f) to inform their customers about further offers and events they provide and thus to establish and maintain a long-term customer relationship.

Finally, Deloitte also processes your contact information for the purpose of maintaining our business contacts when we receive them in the course of a business event, as part of a business appointment (e.g. by exchanging business cards) or as part of an order, and transfer these into the CRM system we use (Customer Relationship Management System).

Because Deloitte has a legitimate commercial interest in maintaining contacts in the context of business relations beyond the initial contact, to use them for establishing a business relationship and to remain in contact with the data subject for this purpose, the above processing of your personal data takes place on the basis of Art. 6 para. 1. f) GDPR.

Categories of data recipients and transfers to third countries

In connection with the implementation of the above-mentioned processing, personal data may also be received from third parties, as specified below. Your personal data may be stored within and outside the EU/European Economic Area (EEA). Data may be transferred to both European and non-European countries, whereby the transfer of data may be temporary and does not necessarily lead to storage.

To other Deloitte member firms¹for the purpose of cooperation in the provision of our services

Where necessary for the provision of the service, i.e. in the case of a foreign assignment or where the expertise of a foreign colleague is required, Deloitte cooperates with other companies from the global Deloitte network. If such a transfer is made to a network company outside the EU/EEA, the member firms of the Deloitte network have entered into an internal data protection agreement, containing the EU standard contractual clauses of the EU Commission within the meaning of Art 46 para 2 lit c) GDPR. This agreement requires a consistent level of data protection across all Deloitte entities worldwide. It therefore allows for global transfers of data in accordance with applicable European privacy laws.

Deloitte's internal IT service providers and external IT service providers within the EU/EEA

Deloitte uses other German or foreign Deloitte network companies as internal network and third parties as external IT service providers, which provide services for the operation, maintenance and care of the IT systems and applications used by the Deloitte network companies. Both internal and external IT service providers are bound by instructions.

To Deloitte's internal IT service providers and external IT service providers outside of the EU/EEA

To the extent that access is provided by an internal IT service provider outside the EU/EEA, an adequate level of data protection is ensured by our internal data protection agreement and contracts we have in place with those network companies. containing Standard Contractual Clauses (SCC) of the EU Commission within the meaning of Art. 46 (2) (c) GDPR.

When using external IT service providers outside the EU/EEA, an adequate level of data protection is ensured through the use of standard contractual clauses (SCC) of the European Commission within the meaning of Art. 46 (2) (c) GDPR.

Depending on the recipient country, external data transfers further undergo a Transfer Impact Assessment to evaluate the legal and practical implications in the recipient country. This assessment includes a review of local laws and practices to determine if additional protective measures are necessary. 

To authorities, courts or other bodies

In connection with the performance of our services, it may be necessary to transmit information, work results and documents to authorities, courts or other public or private bodies (including transfers abroad in the case of a foreign assignment). The same applies to cases in which Deloitte is obliged by law, administrative or court order to disclose personal data. This shall only occur if there are no professional secrecy obligations to the contrary.

Your rights in connection with data processing

The GDPR essentially grants data subjects the following rights, which you can assert at any time by contacting the data protection officer named in this information at

In principle, you can request information from Deloitte at any time as to whether personal data about you are processed or stored at Deloitte and which personal data are affected. Please note that your right to information may be restricted to the extent that such information conflicts with professional secrecy and to the extent that information requiring secrecy would be disclosed.

In addition to your right to information, you can request the correction of your data at any time. In addition, you have the right to delete your data if and when the data are no longer needed for the purposes for which it was collected or, if the processing is based on your consent, you have revoked your consent. The aforementioned right to delete your data is waived if your data must not be deleted due to a legal obligation or must be processed due to a legal obligation or if data processing is required for the assertion, exercise or defense of legal rights.

In addition, you have the right to request that Deloitte restrict the processing of your personal information.

Added to this is a right to data portability, i.e. you may request that Deloitte retain the data you provide in a structured, common and machine-readable format and / or that such data be transmitted to another controller. Please note that this does not apply if you have made the data available to us on the basis of consent or on the basis of a contract concluded with you or if the processing is carried out using automated procedures.

If Deloitte processes your personal data on the basis of Art. 6 para. 1. f) GDPR (e.g. if your employer, as a Deloitte customer, has provided us with your personal information as a contact in your company, or if we use your contact information to send you information about offers and events provided by Deloitte), you can object to this processing at any time.

Right of appeal to a data protection supervisory authority

In addition to the data subject rights listed above, you also have the right to complain to a data protection supervisory authority in accordance with Art. 77 GDPR if you believe that the processing of your personal data violates data protection law. In each case, the supervisory authority of the federal state in which the controller has its seat is responsible.

Duration of data storage

Please note that Deloitte will store and process your personal information for as long as it is necessary for the fulfillment of the above mentioned processing purposes. Insofar as personal data are subject to statutory retention obligations or are part of documents subject to statutory retention requirements, Deloitte will store this data for the duration of the statutory retention period.

Depending on the category of documents, Deloitte will generally store personal information for the following varying periods of time, based on applicable statutory retention requirements:

Auditors’ reference files: 10 years from the end of the calendar year of completion of the order,
Lawyers’ reference files: 6 years from the end of the calendar year of completion of the order,
Accounting records as per legal requirement: 10 years,
Received commercial or business letters and reproductions of the dispatched commercial or business letters as well as other tax-relevant documents: 6 years.

If the data are subject to different retention periods, the longest retention period applies, and the legally required retention period may be extended depending on the individual case, e.g. if the information is required to assert, exercise or defend legal rights even after expiration of the retention period.

¹ Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (DTTL), its global network of member firms, and their related entities (collectively, the “Deloitte organization”). DTTL (also referred to as “Deloitte Global”) and each of its member firms and related entities are legally separate and independent entities, which cannot obligate or bind each other in respect of third parties. DTTL and each DTTL member firm and related entity is liable only for its own acts and omissions, and not those of each other. DTTL does not provide services to clients. Please see www.deloitte.com/de/UeberUns to learn more.

Deloitte Legal refers to the legal practices of Deloitte Touche Tohmatsu Limited member firms, their affiliates or partner firms that provide legal services. Please see deloittelegal.de/dl/en/about to learn more.