BDO Privacy Statement for Corporate Clients
Privacy Statement
- Introduction
- Data Controller
- Security of Personal Data
- International transfers of Personal Data
- Provision of Personal data to third parties
- BDOs BINDING CORPORATE RULES FOR PROCESSORS AND CONTROLLERS
- Your Rights
- Complaints
- Data Retention
Introduction
This Privacy Statement describes how and why BDO Limited (“we” or “us”) collects and uses personal data (i.e. data relating to an identified or identifiable individual) in the course of its business. It applies to personal data provided directly to us by the individuals concerned and to personal data provided to us by companies and other organisations.
We are committed to the protection of personal data and to fair and transparent processing. If you have any questions about this Privacy Statement, you can contact our Data Protection Officer via email at privacy@bdo.gg.
To find out more about how and why we process personal data, please refer to the relevant section of this Privacy Statement (using the tabs above).
Data Controller
BDO Limited (a limited liability partnership registered in Guernsey with number 29684 with a registered address of PO Box 180, Plaza House, Second Floor, St Peter Port, GY1 3LL) is registered as a data controller under registration number DPA2720.
Security of Personal Data
We have policies, procedures and training in place in respect of data protection, confidentiality and information security. We regularly review such measures with the objective of ensuring their continuing effectiveness. The Privacy Statement was last updated in December 2021.
International transfers of personal data
In the course of running our business and providing services to clients we may transfer personal data to third parties located in other countries that have less stringent data protection laws. Where we transfer personal data to a country not determined by the relevant authority to provide an adequate level of protection for personal data, we will take steps to ensure that personal data will be adequately protected in accordance with applicable law, such as using the European Commission approved standard contractual clauses.
Provision of personal data to third parties
We will only share personal data with third parties where we are legally permitted to do so. We do not provide information to third parties for their own marketing purposes and we do not undertake mailings for third parties. Where we transfer personal data to third parties, we will put in place appropriate contractual arrangements and seek to ensure that there are appropriate technical and organisational measures in place to protect personal data.
We may provide personal data to:
- Other BDO Member Firms – we may share personal data with other members of the BDO International Network where required for the provision of services to our clients and/or for administrative purposes.
- Third parties involved in the performance of services – we may also share personal data with third party organisations who assist us in providing services to clients or are otherwise involved in the services we provide to clients.
- Third parties who provide IT services, data processing or functionality – like many professional service providers, we use third party providers to support our business and the provision of services to our clients, such as cloud based software providers, web hosting/management providers, data analysis providers, and data back-up and security/storage providers. We may transfer personal data to such third parties.
- Auditors and advisers – we may transfer personal data to our auditors and advisers as required by law or as reasonably required in the management of our business.
- Third parties where required by applicable law and regulation – we may be requested or compelled to disclose personal data to third parties such as regulators and law enforcement agencies. We will only provide personal data to such parties where there is a legal requirement or permission to do so.
BDOs BINDING CORPORATE RULES FOR PROCESSORS AND CONTROLLERS
At BDO, we are strongly committed to protecting the privacy of your personal data and the personal data of your clients. To help demonstrate our commitment, BDO has implemented Binding Corporate Rules for Controllers and Binding Corporate Rules for Processors (the ‘BCRs’), which have been approved by the European data protection authorities. The BCRs set out the data privacy principles with which BDO firms must comply when using and sharing personal data within the BDO network.
For more information about our BCRs and Global Privacy Programme please read our ‘BDOs Binding Corporate Rules for processors and Controllers’.
Your Rights
You have rights in relation to any of your personal data held by us as a data controller. Should you wish to exercise your rights, please contact our Data Protection Officer via email at privacy@bdo.gg. We will endeavour to respond to any request promptly and within any legally required time limit.
You also have a right to update your personal data that we hold. In order to do so please contact your usual BDO contact or otherwise contact our Data Protection Officer via email at privacy@bdo.gg.
Where we process your personal data based on your consent, you have a right to withdraw consent at any time. Should you wish to do so, please contact our Data Protection Officer via email at privacy@bdo.gg. Finally, in addition to the rights above, you may also have other rights in relation to personal data, including a right to erasure/deletion, the right to data portability and the right to restrict and/or object to our processing of personal data. Such rights may only be available to you from 25 May 2018, when the General Data Protection Regulation comes into effect.
Complaints
Should you wish to complain about our use of your personal data, please contact our Data Protection Officer via email at privacy@bdo.gg. We will investigate all complaints received and will endeavour to respond to complaints promptly.
You may also complain about our use of personal data to the Information Commissioner’s Office. For further information on your rights and the complaints process, please visit the Information Commissioner’s Office website: https://www.odpa.gg/for-individuals/make-a-complaint/.
Data Retention
We will only keep personal data for as long as necessary for the purposes for which it was collected, or as required by applicable law or regulation.
Unless there are any overriding legal, regulatory or contractual requirements, we will retain records of services provided (which may include personal data) in accordance with our document retention policy.
Corporate clients (and individuals connected with our corporate clients)
We aim to collect personal data only to the extent necessary for us to provide our services to our clients and for other agreed purposes. Where personal data is required for us to perform services for our clients, we request that our clients provide all necessary information to relevant individuals (known as “data subjects”) about our use of personal data. Our clients may therefore refer data subjects to this Privacy Notice. We generally collect personal data directly from our clients or from third parties acting on their instructions.
Such personal data may be used for the following purposes:
- Provision of professional services – We undertake a wide range of services, including Audit, Tax, Advisory and Outsourcing services. We may have to process personal data in order to perform such services and/or provide advice and deliverables to our clients.
- Managing, administering, and developing our business – We process personal data in order to manage our relationship with clients, develop our business and services, maintain and develop our IT systems, manage and host events, and to administer and manage our website, systems and applications.
- Quality and risk management and security – we use various measures to protect personal data and other client information, which include monitoring the services provided to clients to detect, investigate and resolve security threats. Such monitoring may involve processing personal data, for example the automatic scanning of email correspondence for threats. Our client take-on procedures involve processing personal data that may be obtained from publicly available sources (such as sanctions lists, criminal convictions databases, and general internet searches) to identify any risks relating to individuals and organisations that may prevent us from working for a particular client or on a particular matter.
- Providing information about our services to our clients – unless the relevant individual has opted-out, we may use client business contact details to provide information about our services and activities and events that may be of interest.
- Compliance with legal and regulatory obligations – as a regulated firm, we are subject to various legal, regulatory and professional obligations that may require us to process and/or retain personal data held on our client files.