Last update: 25 April 2019
For the purpose of running and managing innovation-related projects (i.e. Open Innovation Challenges, Innovation Awards) Deloitte has licensed the platform and all related functionalities as a white label product from Agorize SAS (“Agorize”), a service provider of Deloitte with whom Deloitte has agreed on a data processing agreement according to Art. 28 GDPR to process any personal data for and on behalf of Deloitte. We are committed to protecting your privacy and to processing your information in an open and transparent manner.
If you provide information via the Deloitte website, you automatically provide Agorize and us with the respective information and you agree, in accordance with Art. 6 (1) (a), 7 of the GDPR (General Data Protection Regulation), that we and our data processor Agorize may use and process your personal data in the context of the principles laid down here. Accordingly, you also declare your consent that we may store your data locally and process your personal information for the purpose of informing you in case of topics that we believe could be of interest for you and your company such as but not limited to open innovation challenges, innovation awards, business meetings, pitch days. This also applies to a possibly required transfer of personal data to foreign member firms of Deloitte Touche Tohmatsu Limited. Please note in this regard that certain links (electronic links) on the Deloitte website lead to the websites of third parties or other member firms of Deloitte Touche Tohmatsu Limited, which, because of their national autonomy and independence as well as potential differences in local law, are not subject to the content of this Privacy Statement. Please also note in this regard that clients of Deloitte using the website may potentially process your personal information you provide via the website for the purpose of managing their challenges. Deloitte Digital GmbH accepts no liability for the content and/or data protection treatment of data put on these other websites. Furthermore, Deloitte Digital GmbH is not responsible and accepts no liability for the processing of any data by Deloitte's clients in the context of potential challenges.
Please note that other country-specific, regional and service-specific websites relating to Deloitte are available on deloitte.com. These are provided by other companies/entities within the Deloitte network and not by Agorize and/or us. The terms of this privacy statement do not apply to these websites and other websites to which this website may be linked. We encourage visitors of our website to review the privacy statements on each of these other websites before disclosing personal information.
Although the use of our website is not conditional on the transmission of your personal data and we do not store any personal data via the Deloitte website without your consent, we may potentially process your personal information if you voluntarily provide it to us for specific purposes in the designated areas of our website.
In the course of providing services in relation to the open innovation platform, Agorize/we may collect or receive this personal information because you provide it to us (e.g. through a registration form on our website for startups managed by Agorize in order to participate in an innovation related project such as open innovation challenges and innovation awards), because we have received it from other people (e.g. Agorize in the form of an Excel sheet giving an overview of all startups and their contact details having applied on various challenges or any third party we engaged to the extent legally permissible to assist in the conduct of our business) or because they are publicly available.
Furthermore, in the course of providing our services and in conducting necessary pre-checks in connection with our services (e.g. conflict or “know-your-client” checks as per regulatory requirements) or in the context of discussing services that we may potentially provide, we will potentially process personal data about you to the required extent.
How are your data processed by us?
Processing of personal data collected via our website
In addition to the purposes outlined above in connection with the conduct of our business and the provision of the open innovation based platform provided by Agorize, we may also process your personal information collected through the website:
- to manage and answer all inquiries you make to us through our website,
- to download in Excel and CSV format to store and manage you in our startup portfolio and reach out to you in case of topics that we believe could be of interest for you and your company such as but not limited to open innovation challenges, innovation awards, business meetings, pitch days. In this context, your data will be processed by Deloitte and stored locally on Deloitte servers and /or private clouds within Germany.
- for the purpose of informing you about potential new challenges from our clients. If you, as a registered visitor, no longer wish to use the information or other areas offered, you can object to any further processing of your personal data for the future at any time. Please contact Deloitte Digital GmbH as the responsible body within the meaning of the GDPR, Business Development, Kurfürstendamm 23, 10719 Berlin, or email@example.com on this matter if you are visiting this website as a challenge owner. The objection will incur no costs other than the transmission costs according to the basic tariffs. Please contact Deloitte Digital GmbH as the responsible body within the meaning of the GDPR, 81669 MÜNCHEN, Rosenheimer Platz 4, or firstname.lastname@example.org on this matter if you are visiting this website as a startup.
Processing of personal data for the provision of services to our customers
We process your personal data for the purpose of carrying out individual contractual relationships, for the provision of services for you / our customers. In this context, we may process your personal information in the course of correspondence regarding the services. Such correspondence may take place with you, our client, other members of the Deloitte network, our service providers or relevant authorities. Similarly, we may process your personal information in order to conduct the necessary pre-audits related to our services (e.g., conflict or “know-your-client” checks as per regulatory requirements) or in the course of discussing services we may potentially provide.
Processing of personal data for other activities that are part of our business activities
We may also process your personal data in connection with the following purpose, which is related to the original purpose (depending on the necessity and professional admissibility in individual cases):
- Applicable legal or regulatory obligations,
- Inquiries and communications from competent authorities in the context of relevant professional secrecy obligations,
- Accounting, billing and risk analysis purposes,
- For the purposes of maintaining customer relationships, including, but not limited to: (i) providing thought leadership or information concerning our products and services that we believe are of interest to you; (ii) contacting you to obtain feedback on our services; and (iii) contacting you for any other market or research purpose, to the extent that the specific legal preconditions are in place,
- provided to us by our specialist advisors, such as attorneys, auditors, and consultants,
- Administrative purposes related to the specific business activity
- Protection of our rights and those of our customers.
We process your personal information for the purposes listed above: (a) on the basis of our legitimate interest in the effective provision of our services to you and our customers; (b) on the basis of our legitimate interest in the effective and lawful pursuit of our business, unless your interests outweigh this interest; (c) on the basis of our statutory and regulatory obligations; (d) because the data are necessary for the provision of our services to you / our customer; (e) because you have given us your express consent to process that data.
To the extent that we process sensitive personal information relating to you for any of the purposes listed above, we either do so because: (i) you have given us your express consent to process that data; (ii) we are required by law to process such information to ensure we comply with our “know your client” and “anti-money laundering” obligations (or other applicable legal obligations); (iii) the processing is necessary to fulfill our labor, social security or social protection obligations; (iv) the processing is necessary to assert, exercise or defend any legal claims, or (v) you have made the data public.
If we are required by law to obtain your explicit consent to provide you with certain promotional materials, we will only offer you those materials if we have obtained such consent from you. If you no longer wish to receive further advertising material from us, you can click on the unsubscribe function in the message or send an e-mail to email@example.com and object to the processing of your personal data for these purposes at any time without stating any reasons. The objection will incur no costs other than the transmission costs in line with the basic tariffs.
Who do we share your information with?
In connection with one or more of the purposes outlined in the section “How are your data processed by us?”, we may provide details about you to: other members of the Deloitte network; third parties providing services to us and / or the Deloitte network; competent authorities (including courts and authorities supervising us or other members of the Deloitte Network); your employer and / or its advisor; your advisors; organizations that assist us in identifying fraud and other third parties who legitimately request access to personal information related to you for one or more of the purposes outlined in the section “How are your data processed by us?”, especially but not limited to access by challenge owners for their respective challenge management. In any case, the disclosure will only take place if this is also admissible after taking into account relevant professional confidentiality obligations.
Please note that some of the recipients of your personal information mentioned above may be located in countries outside the European Union whose privacy laws may be less comprehensive. In such cases, we will ensure that adequate safeguards have been put in place to protect your personal information and that these safeguards comply with our legal obligations. If the recipient is not a member of the Deloitte network, a data transmission agreement with the recipient based on standard contractual clauses for the transfer of personal data to third countries recognized by the European Commission may be an appropriate safeguard.
We can also provide further details regarding the transfers described above and the appropriate security arrangements made by Deloitte with respect to these transfers. Please contact firstname.lastname@example.org for more information.
We may also be obliged to disclose your personal information if required to do so by law, by a regulatory agency or as part of a legal process.
We are entitled to share non-personal, anonymized and aggregated data with third parties for various purposes, including but not limited to: data analysis, research, quoting, thought leadership and promotional purposes.
Protection of your personal data
In order to protect visitor data that is entered on the website, Deloitte Digital GmbH uses technologically generally accepted security standards to safeguard visitor data on the website from misuse, loss and falsification. In addition, only certain Deloitte employees have access to the visitor data that can be identified as personal data. These employees will ensure that the confidentiality of this sensitive information is respected within the scope of the purpose of transmission. In accordance with the relevant confidentiality agreements provided by other participating companies (including certain member companies of Deloitte Touche Tohmatsu Limited), this principle also applies to their websites and thus also to employees, agents and affiliates whom they entrust with the visitor data as part of the purpose of the transfer.
All visitors to our website should also be aware that links (electronic “references”) on the website lead to other websites and information provided by third parties. Unless expressly assured above, Deloitte Digital GmbH assumes no responsibility for content on third-party websites, including those relating to compliance with certain security standards or compliance with the General Data Protection Regulation.
Notwithstanding the foregoing regarding visitor data on the website, we use a variety of physical, electronic and operational measures to ensure that your personal information is generally safe, accurate and up-to-date. These measures include, but are not limited to:
- professional development and training of relevant employees to ensure that they are aware of the data protection obligations when handling personal data,
- administrative and technical controls to restrict access to personal data to persons who need to know (“need to know” principle),
- security measures, including firewalls, encryption and anti-virus software,
- physical security measures, such as a requirement to show employee security badges to obtain access to our premises.
How long do we retain your data?
We store your personal information on our systems for the longest of the following periods: (i) as long as required by the activity or service in question; (ii) for a legally required retention period; (iii) until the end of the period in which a lawsuit or service investigation may arise in relation to the services
Specifically, depending on the category of data, Deloitte will store your personal data in accordance with the applicable statutory retention requirements, essentially as follows:
- Auditors’ reference files: 10 years from the end of the calendar year of completion of the order,
- Lawyers’ reference files: 6 years from the end of the calendar year of completion of the order
- Accounting documents: 10 years,
- Received commercial or business letters and reproductions of dispatched commercial or business letters as well as other tax-relevant documents: 6 years.
You have a range of rights in connection with your personal data. In particular, you have the right:
- to request an update of your personal data held by us or, if you think these are inaccurate or incomplete, a correction of that data,
- to request the deletion of your personal data stored by us or a restriction on the way we process these data if this is not precluded by legal obligations,
- to revoke your consent to the processing of your personal data by us at any time free of charge without giving reasons, which can be done by contacting email@example.com (if such processing is based on consent),
- to obtain a copy of the personal information you have provided to us in a structured, common and machine-readable format and to transmit it to another party (if processed on the basis of consent or a contract),
- to object to the processing of your personal data by us.
If you wish to exercise your rights and use the website as a client of Deloitte, please send an e-mail to firstname.lastname@example.org or write to us at the following address:
Deloitte GmbH Wirtschaftsprüfungsgesellschaft
If you wish to exercise your rights and use this website as a start-up, please send an e-mail to email@example.com.
Right of appeal
If you do not agree with the way your personal information is processed by us, or with a request or inquiry that you have addressed to us, please contact firstname.lastname@example.org. You also have the right to contact the Deloitte Data Protection Officer. For an overview of relevant regulators, see the al company details.
Questions about the protection of privacy
2. Information about the processing of personal data in accordance with Art. 13, 14 GDPR
Please note that this information refers exclusively to personal data within the meaning of Art. 4 No. 1 GDPR, i.e. not all data and information that Deloitte receives in relation to an underlying client relationship and/or in connection with any services of Deloitte, but essentially only information that relates to an identified or identifiable natural person. Notwithstanding this, applicable secrecy and confidentiality obligations to which Deloitte and Deloitte employees are subject shall apply in full to all data and information we receive under a client relationship, regardless of whether this is personal data within the meaning of the GDPR.
The controller within the meaning of the GDPR
The controller within the meaning of Art. 4 (7) EU General Data Protection Regulation (GDPR), which is responsible for processing your personal data in connection with all services not provided by Deloitte Legal, is:
Deloitte Digital GmbH
Rosenheimer Platz 4
If the contractor of a contract for the performance of our services is another German Deloitte company, then it acts as the responsible body in the case concerned. An overview of the German Deloitte companies can be found here.
Data protection officer & data protection supervisor
All German Deloitte companies have appointed data protection officers. You can contact the respective data protection officer at email@example.com. The relevant supervisory authorities can be found here.
Purposes of processing and legal basis for processing
Deloitte processes your personal information for the purpose of fulfilling our (pre)contractual obligation to our customers. Furthermore, in the context of the open innovation platform services, we process your personal information for the purpose of managing and offering new challenges as well as for the purpose of storing your data in a local Excel sheet in order to keep an overview of participating/ed startups and to contact them in case of new challenges.
In particular, we process your contact details such as name, address, and e-mail address in this context for the above mentioned purposes and in order to carry out pre-contractual measures (such as internal pre-contractual compliance checks or within the scope of a client / contract) and to carry out our respective contractual obligations, including administrative execution and settlement of the respective contract on the basis of Art. 6 para. 1 lit. b) GDPR. Deloitte uses IT systems to administer and store your personal information to manage and execute order requests/assignments, but with no automated decision-making or profiling.
Depending on the category of documents, Deloitte will store personal data for record keeping/documentation and archival purposes in accordance with relevant legislation for a varying period of time:
- Auditors’ reference files: 10 years from the end of the calendar year of completion of the order
- Lawyers’ reference files: 6 years from the end of the calendar year of the completion of the order
- Accounting documents: 10 years
- Received commercial or business letters and reproductions of the dispatched commercial or business letters as well as other tax-relevant documents: 6 years
As a rule, Deloitte receives the necessary personal data from the customers and startups. In this respect, Deloitte has, in accordance with Art. 6 para. 1. a), 7 GDPR, received an express consent to the processing of those personal data. Furthermore, Deloitte has, in accordance with Art. 6 para. 1 f) GDPR, a legitimate interest in the processing of this personal data, as Deloitte is obliged to carry out the contracted service on the basis of the underlying contract and/or the performance of the open innovation platform services. In this context, it is essential for Deloitte to process any personal data related to the contact persons of the startups and our clients (including at an early stage within the context of the offer preparation).
If you have commissioned Deloitte to perform certain services, such additional personal data relating to you will be processed in the context of order processing in addition to your contact details to the extent that they are necessary for the provision of the service agreed with you and that you have forwarded such information to us. In this respect, the processing of your personal data is justified to ensure the fulfillment of the contract between you and Deloitte and according to Art. 6 para. 1 b) GDPR.
Please note that Deloitte’s General Terms and Conditions generally require the client to be obliged to provide Deloitte with all the documents and information necessary to complete the contract. In this respect, the processing of the respective order and the associated fulfillment of the contractually agreed service by Deloitte is not possible or possible only to a limited extent if and insofar as the necessary information is not provided.
As Deloitte is required by law to ensure proper record keeping, extensive documentation of its clients and assignments (also beyond the conclusion of an order) as well as compliance with further retention and documentation obligations (including due to professional, accounting or commercial and corporate law requirements), Deloitte processes your personal data in the context of documents to be recorded, work results or related customer-related correspondence (also for the purpose of file management), documentation and archiving both in the form of paper files and in the context of IT systems used for this purpose on the basis of Art. 6 para. 1. c) GDPR for the fulfillment of our aforementioned legal obligations.
Notwithstanding the foregoing purposes, Deloitte will, to the extent permitted by applicable law, also process your contact information (including name, address, e-mail address) for marketing and advertising purposes, in other words, for example, to provide you with information about our further offers or events. This is done on the basis of consents and / or a legitimate economic interest of Deloitte as defined in Art. 6 para. 1. f) to inform their customers about further offers and events they provide and thus to establish and maintain a long-term customer relationship.
Finally, Deloitte also processes your contact information for the purpose of maintaining our business contacts when we receive them in the course of a business event, as part of a business appointment (e.g. by exchanging business cards) or as part of an order, and transfer these into the CRM system we use (Customer Relationship Management System).
Because Deloitte has a legitimate commercial interest in maintaining contacts in the context of business relations beyond the initial contact, to use them for establishing a business relationship and to remain in contact with the data subject for this purpose, the above processing of your personal data takes place on the basis of Art. 6 para. 1. f) GDPR.
Categories of data recipients and transfers to third countries
In connection with the implementation of our commissioned service, personal data, as specified below, may, in exceptional cases, also be transmitted to third parties. In this respect, data can be transferred to both European and non-European countries and can be stored outside the EU:
To other Deloitte member companies¹ for cooperation as part of our service provision
To the extent necessary to provide the commissioned service, i.e. in the case of a foreign relationship or if the expertise of a foreign counterpart is required, Deloitte cooperates with other companies in the global Deloitte network. Insofar as such a transfer is made to a network company outside the EU / European Economic Area, an appropriate level of data protection is ensured by the use of standard contractual clauses provided by the EU Commission within the meaning of Art. 46 para. 2. c) GDPR. The EU standard contractual clauses can be found at https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:EN:PDF.
To authorities, courts or other bodies
In connection with the performance of our services, it may also be necessary to provide information, work results and documents to authorities, courts or other public or private entities (in the case of foreign relations, also abroad). The same applies to the cases in which Deloitte is required by law, government or court order to publish/disclose personal data. This only occurs if there are no professional confidentiality obligations to the contrary.
To Deloitte-internal service providers as well as external IT service providers
Within the scope of its activities, Deloitte uses other German or foreign Deloitte network companies in individual cases as network-internal IT service providers who provide services for the operation, maintenance and care of the IT systems and applications used by the Deloitte network companies. Deployment of these companies with access rights to personal data takes place only if this was agreed in the order agreements with our customers or is legally permissible without consent in individual cases.
Insofar as access is provided by a network company outside the European Economic Area, an appropriate level of data protection is ensured by the use of standard contractual clauses provided by the EU Commission within the meaning of Art. 46 para. 2. c) GDPR.
Specialized and client-related IT service providers, which are deployed when, for instance, processing clients, providing specialist applications for tax consultants, auditors and/or lawyers as well as cloud services, are only used in coordination with our clients where this is required by law.
Your rights in connection with data processing
The GDPR essentially grants data subjects the following rights, which you can assert at any time by contacting the data protection officer named in this information at firstname.lastname@example.org.
In principle, you can request information from Deloitte at any time as to whether personal data about you are processed or stored at Deloitte and which personal data are affected. Please note that your right to information may be restricted to the extent that such information conflicts with professional secrecy and to the extent that information requiring secrecy would be disclosed.
In addition to your right to information, you can request the correction of your data at any time. In addition, you have the right to delete your data if and when the data are no longer needed for the purposes for which it was collected or, if the processing is based on your consent, you have revoked your consent. The aforementioned right to delete your data is waived if your data must not be deleted due to a legal obligation or must be processed due to a legal obligation or if data processing is required for the assertion, exercise or defense of legal rights.
In addition, you have the right to request that Deloitte restrict the processing of your personal information.
Added to this is a right to data portability, i.e. you may request that Deloitte retain the data you provide in a structured, common and machine-readable format and / or that such data be transmitted to another controller. Please note that this does not apply if you have made the data available to us on the basis of consent or on the basis of a contract concluded with you or if the processing is carried out using automated procedures.
If Deloitte processes your personal data on the basis of Art. 6 para. 1. f) GDPR (e.g. if your employer, as a Deloitte customer, has provided us with your personal information as a contact in your company, or if we use your contact information to send you information about offers and events provided by Deloitte), you can object to this processing at any time.
Right of appeal to a data protection supervisory authority
In addition to the data subject rights listed above, you also have the right to complain to a data protection supervisory authority in accordance with Art. 77 GDPR if you believe that the processing of your personal data violates data protection law. In each case, the supervisory authority of the federal state in which the controller has its seat is responsible.
Duration of data storage
Please note that Deloitte will store and process your personal information for as long as it is necessary for the fulfillment of the above-mentioned processing purposes. Insofar as personal data are subject to statutory retention obligations or are part of documents subject to statutory retention requirements, Deloitte will store this data for the duration of the statutory retention period.
Depending on the category of documents, Deloitte will generally store personal information for the following varying periods of time, based on applicable statutory retention requirements:
- Auditors’ reference files: 10 years from the end of the calendar year of completion of the order,
- Lawyers’ reference files: 6 years from the end of the calendar year of completion of the order,
- Accounting records as per legal requirement: 10 years,
- Received commercial or business letters and reproductions of the dispatched commercial or business letters as well as other tax-relevant documents: 6 years.
If the data are subject to different retention periods, the longest retention period applies, and the legally required retention period may be extended depending on the individual case, e.g. if the information is required to assert, exercise or defend legal rights even after expiration of the retention period.
¹ Deloitte refers to Deloitte Touche Tohmatsu Limited (“DTTL”), a “private company limited by guarantee,” its network of member companies and their affiliates. DTTL and each of its member companies are legally autonomous and independent. DTTL (also called “Deloitte Global”) does not provide services to customers. A more detailed description of DTTL and its member companies can be found at www.deloitte.com/en/UeberUns.