Business terms for the use of global portal
1.1 BDO is BDO Statsautoriseret Revisionsaktieselskab, Danish Central Business Register (CVR) no. 20222670, and a member firm of the BDO Network.
1.2 BDOI is BDO International Limited registered in UK. It is the governing entity of the BDO Network. BDOI provides no client services. Services are provided solely by the member firms in their respective geographic areas.
1.3 BDO Network is a network of independent public accounting, tax, and advisory firms (member firms). Each of BDOI and the member firms is a separate legal entity and has no liability for another such entity's acts or omissions. Nothing in the arrangements or rules of the BDO Network shall constitute or imply an agency relationship or a partnership between BDOI and the member firms.
1.4 BWSB is Brussels Worldwide Services BVBA under BDOI.
1.5 The Client is the company, institution, fund, association or public authority, etc. to whom BDO provides services in the fields of accounting, auditing and consultancy, etc. plus its employees.
1.6 An Engagement is a contract between the Client and BDO to the performance of services or delivery of deliverables detailed in an Engagement Letter, including agreement about use of the Global Portal.
1.7 The Global Portal is the portal where the Client and BDO can, securely and efficiently, exchange and share documents and information for use in the day-to-day working relationship between BDO and the Client.
1.8 The Administrator is the user which the Client has designated as responsible for the administration of user access and user rights.
1.9 The Team Management module in Global Portal is the feature where the Administrator creates, changes and deletes its own users and corresponding user rights in Global Portal.
1.10 The Client User is the users that the Client has created in Global Portal.
1.11 Working hours are Monday-Thursday from 8:00 to 16:00 and Friday from 8:00 to 15:30 on normal business days. Saturdays, Sundays and public holidays, Danish Constitution Day, the Friday after Ascension Day, Christmas Eve and New Year's Eve are not normal business days.
2. THE GLOBAL PORTAL
2.1 The Global Portal is an online collaboration space designed to assist the Client in meeting the business challenges by connecting the Client with the knowledge and expertise of the BDO professionals and to assist the BDO professionals in serving the Client better.
2.2 The Global Portal is provided by BWSB under BDOI to the BDO Network’s member firms, including BDO.
2.3 The following functionalities are available on the Global Portal:
- The exchange and sharing of documents, including work schedules, for use in the day-to-day working relationship between BDO and the Client.
- News and information for the Client from BDO and knowledge-sharing.
3. ACCESS, USE, STORAGE AND SECURITY REQUIREMENTS
3.1 Access to the Global Portal
3.1.1 Upon entering into the Engagement Letter, BDO creates an Administrator for the Client of the Client’s own choosing. The Administrator is responsible for the administration of other Client users who need to be given access to the Global Portal.
3.1.2 To access the Global Portal, the Administrator receives a username and a password from BDO. The username and password must be treated confidentially, and they are not transferable.
3.1.3 The Client is responsible for creating, changing or deleting the Client Users on the Global Portal which the Administrator manages in the Team Management module. Should any changes occur in the Client’s organisation which mean that Client Users need to be deleted or have their user rights changed, then it is solely the Client’s responsibility to perform the required user administration, if necessary, in accordance with instructions provided by BDO.
3.1.4 If necessary, for the proper running of the Global Portal, the Client User's password(s) may be reset from time to time.
3.1.5 If the Client knows or suspects that third parties are, or may become, privy to information concerning the username or password or that these have been lost, stolen or are missing, the Client must notify BDO immediately.
3.1.6 BDO is entitled to block access to the Global Portal, if:
- The Client no longer has commitments with BDO that entitle them to access the Global Portal.
- There are reasonable grounds to suspect that access security has been compromised by virus, hacker attack or similar security breach.
- There are reasonable grounds to suspect misuse of the Global Portal, including use of the Global Portal for money laundering, fraud or the like.
- Public authorities command BDO according to judicial decision or statutory law.
3.1.7 BDO shall inform the Client in writing before blocking access. Should this not be possible, notification is made immediately after blocking with details of the time and date this occurred and the reason for doing so, unless a notification of the reason could breach the security of the Global Portal. BDO shall rescind the blocking when the reasons for doing so are no longer present.
3.1.8 Reopening of the Global Portal can be done by contacting BDO in writing.
3.2 Use of the Global Portal
3.2.1 The Client obtains a limited, non-exclusive and non-transferable right to use the Global Portal.
3.2.2 The Global Portal is a portal for the sharing of documents between the Client and BDO, which is relevant to the day-to-day operations of financial management, auditing and accounting, etc. as well as for filing these shared documents.
3.2.3 Both the Client and BDO are obligated to have their own internal filing system, where all documents that have been transferred to the Global Portal can be found in their original form. Should it be necessary to make changes to a document in the Global Portal, then the document must first be edited locally, after which the original document on the Global Portal is deleted, and the new document transferred.
3.2.4 Storing of all other information than that which belongs naturally under the purposes stated in item 3.2.2 is not permitted, including data files containing video, images, programs, etc. or pornographic or controversial material. In case of repeat violations, the Client will be excluded from the Global Portal.
3.2.5 The Client has the option to transfer standardised calculation models, document templates or similar from the Global Portal, just as the Client can receive news and other specialist information via the Global Portal. Transfer is at the Client’s own initiative and liability. BDO does not guarantee the Client’s ability to read or use these documents. It is likewise the Client’s own responsibility to ensure they are in possession of the necessary software to be able to open, read and/or edit these.
3.2.6 The Client can communicate with BDO via the Global Portal. BDO is not responsible for ensuring that such messages come to BDO’s knowledge, in that there can be delays or hindrances to BDO’s receiving of messages via the Global Portal, regardless of whether the message is confirmed as sent on the Global Portal.
3.3 Storing of data
3.3.1 Transferred data to the Global Portal is stored for five years.
3.4 Security Requirements
3.4.1 BDO implements suitable security measures that address risks of the operation of the Global Portal.
3.4.2 The Client is obligated, at its own expense, to maintain the integrity of its equipment and programs necessary for connecting to the Internet. The Client is also obligated to have an appropriate antivirus program constantly installed and activated, as well as to ensure that the operating system is regularly updated. If necessary, these conditions shall be followed according to BDO’s instructions.
3.4.3 Prior to the Client accessing the Global Portal, the Client must check that its systems, programs and data are free of viruses. Should this not be the case, the Global Portal must not be used.
3.4.4 The Client is obligated to notify BDO immediately of any irregularity about which it may become aware that concerns data and user security.
4. PROCESSING OF PERSONAL DATA
4.1 BDO processes personal data about the Administrator and Client Users. The personal data for each Administrator/Client User extends to:
- Name, title, email address and phone number.
- Requests, questions or complaints.
4.2 BDO processes personal data when the Client transfers, registers and files documents on the Global Portal. It may be all type of personal data, including special categories of personal data and personal data relating to criminal convictions, pertaining to the Client and data subjects that belong under the Client’s business, including employees.
4.4 BDO stores the personal data as stated in 4.1 for as long as the Client User remains on the Global Portal. When the Client User is deleted as a Global Portal user, BDO stores personal data for a period of time that allows BDO to comply with any documentation requirements in accordance with legislation that may be applicable at any given time and to defend or present legal claims and to deal with any complaints. BDO implements appropriate measures to prevent any further processing of this personal data.
4.5 BDO has implemented recognised data security standards to protect the personal data listed in 4.1 and 4.2 against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access to personal data that is transmitted, stored or processed in any other way.
4.6 Data extracts from BDO’s systems will provide sufficient evidence of any and all use of the Global Portal and any and all instructions, guidelines and other communications between BDO and the Client, as well as any and all transactions and activities carried out under the Engagement. Evidence to the contrary may be submitted only in the event of clear errors in the data extracts from BDO’s systems. The use of login data for the Global Portal provides sufficient proof of the identity of the authorised user.
4.7 BDO may engage third parties for the purpose of providing and maintaining the Global Portal. To the extent that contracted third parties may need to have access to the Global Portal and also possibly to Client’s or Client Users' information, including personal data, the Client assents to the processing of its data for these purposes. The Client hereby authorises BDO and the aforementioned third parties contracted by BDO to process all the data provided. Should the Client need to obtain authorisation from other parties for the processing of any data, the Client warrants that it has such authorisation.
5.1 The Client and BDO each own their own data on the Global Portal. Considering the purpose of the Global Portal as a portal for the exchange of documents and the obligation as set out in 3.2.2 to have its own internal files where all documents transferred to the Global Portal can be found in their original format, all data will be deleted and the Client’s Global Portal closed when the Client’s agreement stated in the Engagement Letter with BDO on access to the Global Portal has ended.
5.2 BDO or the third party from which BDO has obtained permits/licences will at all times remain the owner of all the intellectual and other property rights regarding the Global Portal.
5.3 BDO and any third parties engaged by BDO for the purposes of the Global Portal retain the usage and ownership rights to the Global Portal and the related technology. When the Client access the Global Portal using Microsoft SharePoint technology and by using the Global Portal, the Client agrees to be bound by the license terms, set out here, as they may be amended from time to time.
5.5 The Client may link to the Global Portal provided that such link does not involve unauthorised use of the Global Portal, or of BDO’s logos; any false claims (actual or implied) of endorsement by, or other relationship with BDO; or any other infringement of our trademarks, copyright and/or other intellectual property rights.
5.6 The Client may not publish information relating to the Global Portal or operate or otherwise use the Global Portal with the aid of third parties or on its own in a manner (including but not limited to storing or reproducing all or part of the Global Portal on another internet page or inserting links, hyperlinks or deep links between the Global Portal and any other internet page) for which no prior written permission has been obtained from BDO.
6.1 The Client’s responsibility
6.1.1 The Client and the Client User are wholly responsible for their use of the Global Portal, and for the usernames and passwords allocated. The Client User shall make use of the Global Portal only with its own individually allocated username and password or the username and password granting access to the Global Portal.
6.1.2 The Client is responsible for the proper usage and security of the Client's hardware and software and of the user certificates giving access to the Global Portal. The Client is prohibited from allowing unauthorised parties access to the Global Portal. The Client is required to use reliable antivirus software before and during use of the Global Portal. Furthermore, the Client may not use the Global Portal in nonsecure environments.
6.1.3 The Client is responsible for administration of its Client Users, their rights and access to the Global Portal. If a Client User shall no longer have access to the Global Portal, including after restructuring, dismissal, resignation or similar, the Administrator is responsible for blocking the user’s access to the Global Portal. Should the Administrator no longer have access to the Global Portal, then it is the Client’s responsibility to contact BDO immediately so that the Administrator can be changed.
6.1.4 The Client shall notify BDO immediately by telephone and in writing (including by email) if the Client becomes aware that security of the Global Portal may be threatened.
6.1.5 The Client is not responsible for any unauthorised use of the Global Portal which may take place after BDO has received the Client’s written notification that the Client’s access to the Global Portal is to be blocked.
6.1.6 The Client and the Client User will maintain the confidentiality of the content and technology of the Global Portal using at least the same degree of care as the Client and the Client User use in maintaining their own proprietary and/or confidential information, but in no event using less than a reasonable degree of care.
6.1.8 The Client and the Client User shall in no way violate third party intellectual property rights and shall in no way interfere with or commercially exploit the system of which the Global Portal forms part except as specifically permitted herein.
6.1.9 Except as otherwise provided in an applicable Engagement Letter, the Client may not engage in any of the following relating to the Global Portal and/or its contents, nor may the Client authorise other parties to do so:
- make use of the service for any purpose other than that for which access has been provided,
- copy or distribute the Global Portal or any of its contents,
- amend or create an extract of the Global Portal,
- deduce, change or edit source codes relating to the Global Portal, or
- distribute, exploit, transfer or sublicense the Global Portal or any rights related to it.
6.1.10 The Client’s use of the Global Portal is at own risk and the Client assumes full responsibility and risk of loss resulting from the usage, including with respect to loss of service or data. The Client and the Client User remain at all times responsible for the accuracy and completeness of the data contributed to the Global Portal and for the timely submission thereof.
6.1.11 If the Client saves information from the Global Portal on own computers, servers or other storage mediums, the Client is responsible and accountable for the security, storage and availability of this information.
6.2 BDO’s responsibility
6.2.1 BDO is responsible for maintaining the technical and organisational environment necessary for the Global Portal and for endeavouring to ensure that the information therein is secure and accessible only to authorised persons.
6.2.2 BDO does not guarantee permanent availability of the Global Portal. BDO reserves the right, at its own discretion, to withdraw the Global Portal, either from the Client and/or in general, in such instance as virus attacks, internet security breaches, problems caused by the Client connection issues or in other situations where uninterrupted use of the Global Portal is or may be threatened. Where possible, BDO shall notify the Client in advance.
6.2.3 BDO and any third parties involved with BDO shall not be responsible, or be held responsible, for the Client User’s use of the Global Portal, or for the use of the usernames and passwords allocated.
6.2.4 BDO is not responsible or liable for the existence of an operational point-to-point connection between the systems and software owned or used by the Client and the Global Portal or the platform on which the Global Portal runs.
6.2.5 BDO is not responsible and/or liable for the content and/or use of the software, software packages or data in question if the Client uses the Single-Sign-On functionality to connect to software applications owned by or licensed (paid or free licence) to the Client,
6.2.6 BDO is not responsible for any losses as a consequence of operating disruptions that prevent the use of the Global Portal, including the ability to establish access to the Global Portal or connection to the Global Portal’s IT systems, or if the connection is interrupted, regardless of whether this is BDO’s fault or due to external circumstances.
6.2.7 BDO is not liable in any event for indirect loss to the Client, including business interruption, loss of interest income, loss of time, loss of goodwill or for material damage at the Client's premises, including loss of data or programs, even if the damage is the result of a defect in the Global Portal or BDO’s IT systems. This applies regardless of whether BDO has been informed of the possibility of such a loss, and regardless of whether BDO has acted negligently.
6.2.8 BDO’s exemption from liability does not apply if:
- BDO should have foreseen the conditions that were the cause of the loss when the Engagement Letter was entered into or should have avoided or overcome the cause of the loss.
- Damage or costs are incurred due to wilful intent to cause damage, deception, fraud or wilful recklessness on the part of BDO’s personnel.
- In all cases, legislation holds BDO responsible for the conditions that are the cause of the loss.
6.3.1 The Global Portal is provided as is, without warranty of any kind, although BDO take commercially reasonable steps to make the Global Portal useful and secure.
6.3.2 BDO does not warrant that the Global Portal will be secure, error-free, free from viruses or malicious code, or will meet any particular criteria of performance or quality, and BDO expressly disclaim all implied warranties, including warranties of merchantability, title, and fitness for a particular purpose, noninfringement, compatibility, security, and accuracy.
6.3.3 BDO is not liable for any loss of turnover, profit or goodwill for any reason whatsoever, even if BDO has been informed of the likelihood of this loss, unless such responsibility results from mandatory rules in the Product Liability Act.
6.3.4 BDO will endeavour to repair malfunctions reported to BDO by the Client, except if the cause of the malfunction is attributable to the Client or to the system and/or software used by the Client. If the Client acts in breach of the obligations arising from or in connection with the use of the Global Portal, the Client will be liable for all the resulting damage and costs incurred by BDO.
6.3.5 BDO will not be liable for any damage or costs incurred by the Client or by third parties as a result of the Client’s use of the Global Portal, regardless of the reason for such damage or costs, which may include without limitation damage due to:
inaccurate or incomplete Client information;
- malfunctions, errors, delays or any other deficiencies of the Global Portal and/or BDO’s means of communication, such as not being able to send, receive, store or change information;
- viruses, spyware and other harmful software;
- temporary or prolonged denial of access to or shutdown of the Global Portal for the purposes of maintenance, adjustments or improvements;
- the alteration, extension or (partial) deletion of the Global Portal;
- any acts or omissions by the Client and/or other authorised users in breach of the obligations arising from or in connection with the Global Portal; or loss of electricity if the Client is logged in on the system.
6.3.6 Under no circumstances can BDO be held liable for the use of models, templates and documents or news and specialist information, etc. including that BDO does not guarantee in any event that:
- these satisfy the Client's needs, requirements and expectations.
- these exhaustively describe the selected issues, and
- that these, whatever their nature, are free from error, correct, exact, reliable, updated, secure or can be used for the given purpose.
BDO is therefore not liable for either direct or indirect losses suffered by the Client or third party as a result of an error in models, templates or documents or as a result of the use of these.
6.3.7 BDO does not bear any responsibility whatsoever for the content, accuracy or security of any web sites or applications that are linked (by way of hyperlink or otherwise) to the Global Portal. BDO shall not be held responsible for any damage as a result of using these links or transferring data from these websites.
6.3.8 The Client indemnifies BDO against any and all third-party claims arising from or in connection with the Global Portal, including but not limited to third-party claims arising from non-fulfilment by the Client or persons working at or for the Client of any of the obligations applicable to them.
6.3.9 If any of the above limitations of liability is invalid or unenforceable in any jurisdiction, then (i) in that jurisdiction it shall be re-construed to the maximum effect permitted by law to effect its intent as nearly as possible and the remaining terms shall remain in full force and effect, and (ii) in every other jurisdiction all of these terms shall remain in full force and effect.
7.1 BDO offers the Client support within the defined working hours concerning access to and use of the Global Portal.
7.2 If, for whatever reason, the Global Portal is unavailable for more than one day, the Client shall contact BDO both by telephone and by email and, where necessary, alternative arrangements will be made for submission, preparation and/or approval of the documents so as not to prejudice any timely filing of documents or otherwise. If the Client does not make immediate contact with BDO, BDO shall not be responsible for the consequences of any late filing of documents or otherwise.
7.3 BDO shall notify the Client in advance of any planned maintenance of the Global Portal.
8.1 BDO does not charge a fee for standard access to and use of the Global Portal. BDO reserves the right to charge Clients a fee for the use of the software at any time.
8.2 In the event BDO charges the Client a fee for the use of the software, the Client may terminate this agreement.
9.3 It is the Client’s own responsibility to notify BDO of any changes to the Client’s address or email address. The Client also bears the responsibility for ensuring that the Client is notified of changes if the Client has not registered a change of address or email address.
9.4 Should the Client report that it does not wish to be bound by the amended terms, then the agreement stated in the Engagement Letter will be considered as terminated on the date when the amended terms entered into force.
10. TERMINATION OF THE USE OF THE GLOBAL PORTAL
10.2 The Client may terminate the agreement about use of the Global Portal stated in the Engagement Letter with one month's notice. Termination must be notified in writing.
10.3 The Client’s access to the Global Portal and hence the right to use the Global Portal apply for the term of the Engagement, except if the parties agree that BDO will make the Global Portal available for a longer period with or without changes to its form and content.
10.4 BDO has the right to prematurely terminate or defer for an indefinite period of time, at any time, with immediate effect and without having to give prior notice, the Client’s and the Client Users’ access to and hence its right to use all or parts of the Global Portal, for the purposes of maintenance, adjustments or improvements or in connection with events of threat to the security of the Global Portal.
10.5 Upon termination of the right to use the Global Portal, and upon request from the Client, BDO will return the information and data available to the Client on the Global Portal, except if and insofar as the information and data does not specifically apply to the Client or the Client User.
10.6 Upon termination of the right to use the Global Portal, BDO will destroy the Client’s information and data, except if BDO needs the information and data to perform the Engagement or to comply with its statutory or professional safekeeping duties or other duties.
11.2 Should the Global Portal not function as expected, or if transferred models, templates and documents, etc. are damaged or do not work, then the Client should make a claim to BDO within a reasonable time. The limitation period is 2 years, and the claim is limited to original defects.
11.3 BDO’s services on the Global Portal are subject in all respects to Danish law, and any disputes which may arise between the Client and BDO can be brought before a Danish court of law only. The venue is the Danish judicial district where BDO has its head office, which is presently Aarhus.
13. LAST UPDATED
This statement was last updated the 7th of February 2020.
TERMS OF PROCESSING OF PERSONAL DATA
These terms and conditions for data processing set out the rights and obligations applicable when BDO Statsautoriseret revisionsaktieselskab carries out the processing of personal data on behalf of companies or public authorities in BDO Global Portal.
1.1 Global Portal is the portal where the company or public authority and BDO Statsautoriseret revisionsaktieselskab can, securely and efficiently, exchange and share documents and information for use in their day-to-day working partnership.
1.2 The General Agreement is the agreement between the company or the public authority and the BDO Statsautoriseret revisionsaktieselskab for the use of Global Portal, including commercial terms and conditions.
1.3 The Data Processing Agreement is these terms and conditions for the processing of personal data.
1.4 The General Data Protection Regulation is European Parliament and Council regulation (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
1.5 The Data Protection Act is Danish Act No. 502 of May 23, 2018 concerning supplementary provisions to the regulation on the protection of individuals with regard to the processing of personal data and on the free exchange of such information.
1.6 The Data Controller is the company, institution, fund, association or public authority, etc. to whom BDO Statsautoriseret revisionsaktieselskab provides benefits and services in the fields of accounting, auditing, and consultancy, etc.
1.7 The Data Processor is BDO Statsautoriseret Revisionsaktieselskab, CVR no. 20222670.
1.8 The Parties are the data controller and the data processor.
1.9 Personal data is any information relating to an identified or identifiable individual (the data subject).
1.10 The Processing of Personal Data is any activity or range of activities, with or without the use of automatic processing, which is based on personal data or a collection of personal data, e.g. collection, recording, organisation, systematisation, storage, adaptation or alteration, retrieval, search, use, disclosure by transmission, dissemination or any other form of being made available, compilation or combination, limitation, deletion or destruction.
2. DATA PROCESSING AGREEMENT
2.1 The data processing agreement is designed with a view to the parties’ compliance with article 28(3) of the General Data Protection Regulation, which stipulates specific requirements for the content of a data processing agreement.
2.2 The data processor's processing of personal data must be with a view to the fulfilment of the general agreement concluded between the parties.
2.3 The data processor agreement and the main agreement are mutually interdependent and cannot be terminated separately. The data processing agreement may, however, be replaced by another valid data processing agreement without terminating the general agreement.
2.4 The data processing agreement has precedence in relation to any corresponding provisions in other agreements between the parties, including those found in the general agreement.
2.5 The data processing agreement is concluded upon conclusion of the general agreement and the latest version of the data processing agreement can be requested at any time.
2.6 The data processing agreement does not free the data processor from obligations which are directly imposed on the data processor pursuant to the Danish Data Protection Act or any other legislation.
3. THE DATA CONTROLLER’S RIGHTS AND OBLIGATIONS
3.1 The data controller is responsible to the outside world, including the data subject, for the processing of personal data within the framework of the General Data Protection Regulation and the Danish Data Protection Act.
3.2 The data controller therefore has both rights and obligations to make decisions about the permitted purposes of the processing and which aids may be used to assure its performance.
3.3 The data controller is (inter alia) responsible for assuring that there is a legal basis for the processing that the data processor is instructed to perform.
4. THE DATA CONTROLLER’S INSTRUCTIONS
4.1 The data processor may only process personal data after having received documented instructions from the data controller, unless it is required to do so by EU law or national law in the member states to which the data processor is subject. In this case, the data processor shall inform the data controller of any such legal requirements before processing, unless relevant legislation prohibits such notification, out of consideration to important social interests, cf. article 28(3)(a) of the General Data Protection Regulation.
4.2 The data controller instructs the data processor in the following:
- The data processor will make available a system in which the data controller can exchange and share documents for use in the daily partnership between the data controller and the data processor.
- The data processor records and stores personal data in Global Portal.
- The data processor processes all types of personal data, including specific categories of personal data (sensitive personal information) and personal data concerning criminal convictions and offences, concerning the data controller itself and the data subjects insofar as concerns the data controller’s business, including employees.
- The data processor processes personal data until the general agreement is cancelled or terminated by either party. Accordingly, processing is not time limited.
- The data processor shall establish appropriate technical and organisational security measures that address the risks that are entailed in the data processor’s processing of personal data on the data controller’s behalf. As a minimum, the data processor shall implement the security measures outlined in 6.3.
- The data processor uses subcontracting data processors who have been approved by the data controller, cf. section 7.
- In order to provide services via the Global Portal, the Data Processor may transfer personal data (outside the EEA) to countries that may not provide a level of protection of personal data that may be regarded as equivalent to that afforded under the European data protection legislation, cf. section 8. Whenever personal data is transferred internationally, the data processor takes appropriate steps to ensure its security and confidentiality in accordance with applicable data protection law.
4.3 The data processor shall immediately notify the data controller if the data processor believes that an instruction is in conflict with the General Data Protection Regulation or the Danish Data Protection Act.
5.1 The data processor shall ensure that only those who are currently authorised for that purpose, are able to gain access to the personal data that is processed on behalf of the data controller. Access to the data must immediately be revoked if the authorisation expires or is removed.
5.2 Only those persons for whom it is necessary to have access to the personal data in order to fulfil the data processor’s obligations towards the data controller may be granted such authorisation.
5.3 The data processor shall ensure that the persons who are authorised to process personal data on behalf of the data controller have accepted a duty of confidentiality or are subject to an appropriate statutory duty of secrecy.
6. SECURITY OF PROCESSING
6.1 The data processor shall implement any and all measures that may be required in accordance with article 32 of the General Data Protection Regulation, which, inter alia, makes provision for the taking account of the current level, implementation costs and the nature of the specific processing, scope, context and purpose and the risks of varying likelihood and severity to the rights and freedoms of individuals and the obligatory implementation of appropriate technical and organisational measures in order to ensure a level of security that is appropriate to these risks.
6.2 The obligation mentioned above entails that the data processor must carry out a risk assessment and then implement technical and organisational security measures to address identified risks.
6.3 The data processor shall implement the following security measures on the basis of a risk assessment:
- The processor shall establish an information security policy, which is translated into procedures and guidelines.
- The data processor shall introduce technical security measures for the protection of personal data, including system access and rights management, encryption, data transmission, and logging, etc.
- The data processor shall implement security measures that ensure the ability to restore the availability of and access to the personal data in the event of a physical or technical event, in a timely manner.
- The data processor shall physically secure any locations where personal data is processed and stored.
- The data processor shall have procedures for the regular testing, assessment and evaluation of the effectiveness of the technical and organisational measures it has implemented to ensure that processing is secure.
7. THE USE OF SUBCONTRACTING DATA PROCESSORS
7.1 The data processor shall comply with the conditions referred to in articles 28(2) and (4) of the General Data Protection Regulation before employing the services of another data processor (subcontracting data processor).
7.2 The data processor may not employ a subcontracting data processor for the fulfilment of this data processing agreement without the prior approval of the data controller.
7.3 The data processor must, however, inform the data controller of any proposed changes concerning the addition or replacement of subcontracting data processors, thereby allowing the data controller the opportunity to object to such changes.
7.4 At the time when the Data Processing Agreement enters/entered into force, the Data Controller has authorised the use of the following subcontracting data processors:
- Brussels Worldwide Services BVBA under BDO International, which has located servers for the operation of Global Portal in the Microsoft Azure data center in West Europe/North Europe.
7.5 The data processor shall require that its subcontracting data processors are at least in full compliance with the same data protection obligations as those laid down in this data processor agreement, thus providing the necessary guarantees that the subcontracting data processor will implement the appropriate technical and organisational security measures in such a manner that the processing satisfies the requirements of the General Data Protection Regulation.
7.6 If the subcontracting data processor fails to fulfil its data protection obligations, the data processor shall remain fully accountable to the data controller for the fulfilment of the subcontracting data processor's obligations.
8. TRANSFER OF DATA TO THIRD COUNTRIES
8.1 The data processor may only transfer personal data to third countries or international organisations on the instructions of the data controller, unless such transfer is required by EU or national law to which the data processor is subject. In this case, the data processor shall inform the data controller of any such legal requirements before processing, unless relevant legislation prohibits such reporting, out of consideration to important social interests, cf. article 28(3)(a) of the General Data Protection Regulation.
9. ASSISTANCE TO THE DATA CONTROLLER
9.1 Taking into account the nature of the processing, the data processor shall assist the data controller as far as possible in the data controller’s fulfilment of its obligation to respond to requests for the exercise of the rights of data subjects as laid down in chapter 3 of the General Data Protection Regulation. Assistance is provided by means of appropriate technical and organisational measures.
9.2 The data processor shall assist the data controller in its assurance of compliance with the data controller’s obligations pursuant to articles 32-36 of the General Data Protection Regulation, taking into account the nature of the processing and the information that is available to the data processor, cf. article 28(3)(f) of the General Data Protection Regulation.
9.3 Section 9.2 entails that the data processor shall, inter alia, assist the data controller in ensuring its compliance with:
- The obligation to implement appropriate technical and organisational measures to ensure a level of security that is appropriate to the risks associated with the processing
- The obligation to report any breach of personal data security to the Danish Data Protection Agency without undue delay and if possible, within 72 hours after the data controller has become aware of the breach, unless it is unlikely that the personal data security breach involves a risk to the rights or freedoms of individuals.
- The obligation to inform the data subject(s) of personal data breaches without undue delay where such a breach is likely to pose a high risk to the rights and freedoms of individuals.
10. NOTIFICATION OF A PERSONAL DATA SECURITY BREACH
10.1 The data processor shall inform the data controller without undue delay after becoming aware that there has been a breach of personal data security at the data processor, or any subcontracted data processor.
10.2 In accordance with section 9.2 of this agreement and taking into account the nature of the processing and the information that is available to the data processor, the data processor shall assist the data controller with its notification of the breach to the supervisory authority.
This may mean that the data processor should, among other things, help to provide the following information, which, under article 33(3) of the General Data Protection Regulation, must be included in the data controller's notification to the supervisory authority:
- The nature of the personal data security breach, including (if possible) the categories and approximate number of affected data subjects and their categories and the approximate number of affected personal data registrations.
- The probable consequences of the personal data security breach.
- The measures that have been taken or that have been proposed in order to manage the personal data security breach including, if appropriate, measures to restrict its possible harmful effects.
11. DELETION AND RETURN OF PERSONAL DATA
11.1 When the general agreement has been brought to an end, the data processor is obligated to delete all personal data, unless storage of the personal data is a legal requirement pursuant to EU or national law.
12. SUPERVISION AND AUDITING
12.1 The data processor shall make all information available which is required in order to demonstrate the data processor's compliance with article 28 of the General Data Protection Regulation and this data processing agreement to the data controller, and enable and contribute to audits, etc., including inspections performed by the data controller or another auditor who is authorised by the data controller.
12.2 The data controller or a representative of the data controller shall also be granted access to perform inspections, including physical inspections, at the data processor’s premises if the data controller deems that this is necessary.
12.3 The data controller’s supervision of any subcontracting data processors shall be through the data processor. The data processor shall perform appropriate supervision of compliance with this data processing agreement at its subcontracting data processors, based on a risk assessment of the individual data processor’s construction.
13. ENTRY INTO FORCE AND EXPIRY/TERMINATION
13.1 This data processing agreement shall enter into force at the same time as the general agreement.
13.2 Both Parties may require the data processor agreement to be renegotiated if changes in legislation or deficiencies within the agreement give cause to do so.
13.3 This data processing agreement may be terminated pursuant to the termination conditions as laid down in the general agreement.
13.4 The data processing agreement shall be in force for as long as the processing is carried out. Regardless of the termination of the general agreement and/or the data processing agreement, the data processing agreement shall be in force until the processing has ceased and any personal data in the data processor's possession has been deleted.
14. LAST UPDATED
This statement was last updated the 7th of February 2020.
1.1 BDO is BDO Statsautoriseret Revisionsaktieselskab, Danish Company Business Register (CVR) no. 20222670, hereinafter referred to as "BDO", "we", "us" or "our".
1.2 The Client is the company, institution, fund, association or public authority, etc. by whom you are employed.
1.3 Global Portal is the portal where the Client and BDO can safely and efficiently exchange and share documents and knowledge for use in the daily collaboration between BDO and the client.
1.4 The data subject is the Client's employee who uses Global Portal and is hereinafter referred to as "the data subject", "you" or "yours".
2. PROCESSING OF PERSONAL DATA
2.1 In order to process your personal data related to the use of Global Portal, we must have a legal basis, cf. sections 2.2 and 2.3.
2.2 We process your personal data in order to fulfil our contractual obligations to the Client in accordance with the terms and conditions as described in “Business terms and conditions for the processing of personal data”. We also process your personal data in order to be able to handle your inquiries and requests, to achieve compliance with the legal obligations to which we are subject and to exercise our legal rights, where necessary. Processing is pursuant to the agreement that has been concluded between BDO and the Client and in accordance with article 6(1)(b) of the General Data Protection Regulation, which concerns contractual fulfilment.
2.3 We process your personal data in order to pursue our legitimate interests in our ability to adapt and improve the functions in Global Portal, to measure and optimise the operation of Global Portal and to produce information that will help us to develop new functions in Global Portal. We do so pursuant to article 6(1)(f) of the General Data Protection Regulation concerning the balancing of interests.
2.4 We collect and register your personal data in the following instances:
- when you register to Global Portal
- when you complete your user profile
- when you subscribe to any of our insights
- when you subscribe to any of our blogs
- when you register to attend an event
- when you enter a discussion forum
- when you contact us to request further information
2.5 In order to register and gain access to the Global Portal, users may be asked to provide their full name, email address and location. This information is used to verify your identity each time you log in to the Global Portal. You may also have the option to submit additional information such as telephone number, the name of your company, your professional position and your picture. This information will be used to manage your account and customise and improve the Global Portal. Personal or other information that you upload or post via the Global Portal may also be read or used by other authorised users who have been granted access to the Global Portal’s collaboration spaces to which you have access.
2.6 When you access the Global Portal, we may collect technical information such as your IP (Internet Protocol) address, details of the pages you visit on the Global Portal, and which browser you used to view the Global Portal.
2.8 We collect the minimum amount of information to enable us to deal with your request. We will indicate where the provision of information is voluntary or compulsory. We would normally only request additional information to enable us to provide the most appropriate response to your request. We only use the personal information that you provide to deal with your request, and to manage the Global Portal and the services that we offer to you via the Global Portal as described in this Privacy Statement.
3. SECURITY OF PROCESSING
3.1 We have implemented generally accepted standards of technology and operational security to protect personal information from loss, misuse, alteration or destruction. We require all employees and principals to keep personal information confidential and only authorised personnel have access to this information.
3.2 When we process your personal data in order to pursue our legitimate interests (cf. 2.3), we ensure that our legitimate interests do not override your interests or your fundamental rights and freedoms.
3.3 When you are a user of Global Portal, we store your personal data. When you are deleted as a Global Portal user, we store your personal data for the period of time that allows us to comply with the documentation requirements in accordance with legislation that may be applicable at any given time and to defend or present legal claims and to deal with any complaints. We take appropriate measures to prevent any further processing of your personal data.
3.5 Any other specific websites contained within the Global Portal are provided by the applicable related entities managing them and are not the responsibility of BDO. Such websites, as well as other websites that may be linked to the Global Portal, are not governed by this Privacy Statement. We encourage visitors to review each of these other web sites' privacy statements before disclosing any personal information.
4. THIRD PARTIES
4.1 We may contract with other companies or individuals to deal with your enquiry or to otherwise operate the Global Portal or our business activities. We may give such companies access to your personal information in connection with those purposes on our behalf. We may also share your personal information with other member firms within the BDO network provided that this is consistent with the basis on which we have collected your personal information.
4.2 From time to time, we may disclose personal information in response to a court order, subpoena, government investigation, or as otherwise required or permitted by law.
4.3 We do not provide information to third parties for their own marketing purposes and we do not undertake mailings for third parties.
4.4 We may, as a result of a sale, merger, consolidation, change in control, transfer of assets, reorganisation or liquidation of our company (a "Reorganisation Event"), transfer, sell or assign your personal information to third parties involved in the Reorganisation Event.
5. INTERNATIONAL TRANSFERS
5.1 You acknowledge that in order to provide services to you via the Global Portal we may need to transfer your personal information (outside the EEA) to countries that may not provide a level of protection of personal information that may be regarded as equivalent to that afforded under the European data protection legislation. Whenever your personal information is transferred internationally, we will take appropriate steps to ensure its security and confidentiality in accordance with applicable data protection law.
6.1 You have the right to exercise certain rights in relation to our processing of personal data about you in accordance with articles 15-18 and articles 20-21 of the General Data Protection Regulation. This concerns the following rights:
- The right to gain insight into data about you
- The right to have data about you rectified
- The right to have data about you deleted
- The right to limit the processing of your data
- The right to object to the processing of your personal data
- The right to obtain your personal data (data portability).
6.2 You can exercise these rights by sending an email to [email protected]. We will deal with all such requests in accordance with applicable data protection and other legislation. Note that we must always be compliant with the provisions of the Danish Auditing Act (revisorloven) concerning storage and of the provisions of the Danish Bookkeeping Act (bogføringsloven) concerning storage on behalf of our Clients.
7. CONTACT AND COMPLAINTS
7.1 Should you wish to complain about BDO's processing of personal data, please submit your plaint to Risk & Compliance at BDO Statsautoriseret revisionsaktieselskab, either as an ordinary letter addressed to Kystvejen 29, 8000 Aarhus C or by email to [email protected]. We will process your complaint and contact you.
7.2 You have the right to and may at any time file a complaint about BDO's processing of personal data. You should submit your complaint to the Danish Data Protection Agency at Datatilsynet, Borgergade 28, 5, DK 1300, Copenhagen K, Denmark.
8. LAST UPDATED
This statement was last updated the 7th of February 2020.
We gather information from users of this Global Portal automatically and when you decide to provide us with information, for example, when you register to this Global Portal. This information is treated with confidence and is only used by BDO as per the terms of the Privacy Statement.
We may use "cookies" to keep, and sometimes track, information about you.
1.1 Cookies are small text files which are downloaded to your computer or mobile device when you visit a web site or application. Your web browser (such as Internet Explorer, Mozilla Firefox or Google Chrome) then sends these cookies back to the web site or application on each subsequent visit so that they can recognise you and remember things like personalised details or user preferences. Cookies do not damage your system. You can reset your browser so as to refuse any cookie or to alert you to when a cookie is being sent.
1.3 BDO does not share this data with third parties. Our cookies do not store sensitive information such as your name or address, they simply just enable us to see behaviour on the web site to help us improve your experience. However, if you would prefer to restrict, block or delete cookies from this Global Portal, or any other web site, you can use your browser to do this. Each browser is different, so check the ‘Help’ menu of your particular browser (or your mobile phone’s handset manual) to learn how to change your cookie preferences.
2. HOW TO CONTROL MY COOKIES
2.1 There are various ways that you can control and manage your cookies which are discussed in a bit more detail below. Please remember that any settings you change will not just affect this Global Portal’s cookies. These changes will apply to all web sites that you visit (unless you choose to block cookies from particular web sites).
3. MANAGING COOKIES IN MY BROWSER
3.1 Most modern browsers will allow you to:
- See what cookies you have got and delete them on an individual basis.
- Block third party cookies.
- Block cookies from particular web sites.
- Block all cookies from being set.
- Delete all cookies when you close your browser.
3.2 You should be aware that any preferences will be lost if you delete cookies. This includes where you have opted out from cookies, as this requires an opt-out cookie to be set. Also, if you block cookies completely many web sites will not work properly and some functionality on these web sites will not work at all.
4. FURTHER INFORMATION ABOUT COOKIES AND HOW TO MANAGE THEM
If you would like to learn more about cookies in general and how to manage them, visit aboutcookies.org. Please note that we cannot be responsible for the content of external web sites.
5. LAST UPDATED
This statement was last updated the 7th of February 2020.