Privacy Notice According to the European Regulation 2016/679

We would like to inform you, as Data Controllers, according to art. 13 of the European General Data Protection Regulation 679/2016 related to the protection of personal data ("GDPR") and local applicable law, that personal data provided through the web-portal (“Website”) will be processed in compliance with the laws in force, as further specified.

Please be informed that the term “processing”, according to the GDPR, means any operation or set of operations, which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1. Data Controller and Data Protection Officer

The Data Controllers are Officine Innovazione S.r.l., VAT No. 10230520966, with registered office in Milano, via Tortona 25, and All the Deloitte Risk Advisory firms of Deloitte EMEA (hereinafter “Deloitte”).

The Data Protection Officer (DPO), identified by Deloitte is Tommaso Stranieri, to be contacted at the following e-mail

2. Nature of Personal Data, Purposes and Legal Bases of the processing activities

The personal data processed by Deloitte, which means, according to GDPR, any information related to an identified or identifiable related to the natural person, are those provided to Deloitte by the person Participant (“Participant” or “Data Subject”) in Deloitte RegTech Challenge (“Challenge”), filling in the registration form and submitting the application for the Challenge, including name, surname, role assumed in the company participating to the Challenge.

The personal data will be used exclusively for the following purposes: i) for the management of any activities required for the implementation and execution of services related to the Challange, including the evaluation of the best Projects and the selection of the finalists and winners of the Challenge; ii) for the fulfilment of obligations under applicable laws, including EU regulations or legislations, as well as for exercising rights before the Courts.

The consent of the Participant in the Challenge for the processing of his/her personal data for the mentioned purposes is not necessary, since the personal data is collected for the fulfillment of the services required and related to the Challenge to which the Participant takes part, as well as the compliance with legislative obligations.

The legal basis of the processing is found in the performance of the services required and related to the Challenge and in the legislative provisions.

3. Mandatory /Optional nature of providing personal data

The provision of personal data of the Participant is mandatory as strictly necessary for the participation of the Participant in the Challenge and for the fulfillment of legal obligations. The refusal to provide personal data implies the impossibility to permit the participation of the Participant in the Challenge and to fulfill the legal obligations.

4. Methods of the processing activities

The personal data is collected electronically and processed with electronic tools and manually, ensuring the appropriate security measures and the confidentiality of the data processed, according to the principles of art. 5 of GDPR. The personal data will be processed by authorized persons acting under the authority of Deloitte, within the scope of their respective functions and in accordance with the instructions given by the same Deloitte.

5. Period of the processing activitiesn

The personal data will be processed for the entire duration of the Challenge and as long as it is needed for the performance of services related to the Challenge, as well as for the further period required for the fulfilment of current civil, fiscal and tax obligations and for exercise or defence of legal claims.

6. Communication and transfer of personal data

With reference to the above-mentioned purposes, Deloitte may communicate the personal data to:

  • - Other member firms of Deloitte Network, if necessary for the pursuit of the above mentioned purposes;
  • - Third parties appointed by Deloitte for the fulfillment of services related to the performance of the activities provided under the Challenge;
  • - Deloitte’s Clients, with reference to the winners of the Challenge;
  • - Competent authorities (including Courts), for the performance of their institutional functions within the limits established by law or regulations.

Members firms of Deloitte Network, to which the personal data could be transmitted, may be placed in countries outside the European Union. In such cases, the Deloitte guarantees the adoption of appropriate measures that ensure an adequate level of data protection, such as the use of standard contractual clauses for the transfer of personal data to Third Countries.

The personal data will not be disclosed to undetermined recipients.

7. Data Subject’s rights

With reference to data processing activities, the Data Subject can exercise the following rights (artt.15-21 of GDPR):

  • - obtain confirmation that Deloitte is processing data subject’s personal data and request a copy of it;
  • - update, modify and/or correct personal data (right to rectification);
  • - request the erasure or the limitation of the processing of data processed in violation of the law, including data that do not need to be kept for the purposes for which they were collected or otherwise processed (right to be forgotten and right to restriction of processing);
  • - object to data processing activities (right to object);
  • - withdraw the consent, where given, without prejudice to the lawfulness of the processing of the consent given before the withdrawal;
  • - lodge a complaint with the data protection Authority;
  • - receive a copy of personal data in an electronic format and request that such data will be transmitted to another Data Controller (right to data portability).

To exercise these rights, the Data Subject may contact the Data Protection Officer by sending an e-mail to the following address:

Last updated: 19 July 2018