Privacy statement - BDO Clients
BDO Statsautoriseret Revisionsaktieselskab, CVR no. 20222670, is a member of BDO International Ltd., a UK company limited by guarantee, and forms part of the worldwide network of independent legal entities, each delivering services under the name of ”BDO”.
BDO is an international network of independent public accounting, tax and advisory firms (the ”BDO Network”) which perform professional services under the name of BDO (“BDO Member Firms”). BDO International Ltd. (“BDOI”) is a UK company limited by guarantee. This company is the governing entity of the BDO Network.
Each of BDOI and the Member Firms is a separate legal entity and has no liability for another entity’s acts or omissions. Nothing in the arrangements or rules of the BDO Network shall constitute or imply an agency relationship or partnership between BDOI and the Member Firms.
2. Privacy statement
This Privacy Statement (referred to as ”Privacy Statement") applies to client relationships with BDO Statsautoriseret Revisionsaktieselskab, CVR number 20222670 (referred to as "we", "us", "our" or "BDO").
This Privacy Statement covers the information that BDO is under an obligation to give to the data subjects according to Article 13 of the General Data Protection Regulation (GDPR).
3. Purpose of and legal basis for the processing of your personal data
When you are created as a client of BDO, we will process personal data on you.
The purposes of our processing of your personal data are to:
- Deliver the agreed services in accordance with our contractual obligations towards you as a client,
- Comply with the legal obligations we are under, and cooperate with public authorities where we have a legal obligation to do so,
- Manage the current client relationship, and
- Develop our services.
The legal basis of our processing of your personal data is the following provisions:
- Article 6 (1)(b) GDPR: Processing is necessary to perform a contract to which the data subject is a party, or for the purpose of implementing measures taken at the request of the data subject prior to making a contract,
- Article 6 (1)(c) GDPR: Processing is necessary to comply with a legal obligation imposed on BDO, such as obligations under the Danish Anti-Money Laundering Act, the Audit Act, or other relevant legislation,
- Article 6 (1)(f) GDPR: Processing is necessary for the purposes of the legitimate interests pursued by BDO. Our legitimate interests are for example to be able to perform the engagement and handle the client relationship, and to develop our services.
4. Categories of data subjects
When you are a client at BDO, BDO will process personal data on the following categories of data subjects: The client and the client’s owners.
In performing the engagement, BDO will process personal data on the following categories of data subjects: The client’s employees, customers, suppliers and business partners, and any other persons whose personal data are included when performing the engagement.
5. Categories of personal data
As a client at BDO, the following personal data on you will be processed:
- General personal data according to Article 6 GDPR, such as name, address, telephone number, email address, date of birth, bank account information, and copy of passport or driving licence,
- CPR number is covered by section 11 of the Data Protection Act.
In performing the engagement, BDO will process the following categories of personal data:
- General personal data according to Article 6 GDPR, such as name, address, telephone number, email address, date of birth, bank account information, and pay information,
- Special categories of personal data covered by Article 9 GDPR: health status data and trade union membership,
- Information on sentences and breach of law covered by Article 10 GDPR,
- CPR number covered by section 11 of the Data Protection Act.
6. Disclosure and passing on of personal data
BDO discloses personal data to data processors, who process personal data on behalf of BDO.
BDO passes on personal data to the following categories of recipients:
- Member firms within BDO’s international network,
- Public authorities, where required according to a court order, writ of summons or according to legal requirements.
As a result of sale, merger, combination, change of control, transfer of assets, reorganisation or liquidation of our business (reorganisation), we may transfer, sell or pass on your personal data to the entity which, as a result of this reorganization, takes over or becomes responsible for the part(s) of our business processing your personal data according to this Privacy Statement.
7. Transfer of personal data to third countries
We transfer your personal data to other Member Firms within the BDO network where this is necessary for performing the engagement, provided this is in accordance with the basis for our collection of your personal data.
BDO uses data processors resident in non-EU and non-EEA countries. We transfer the personal data required for using the systems of the individual data processors. Moreover, your personal data may be passed on to other data controllers resident in non-EU and non-EEA countries. We pass on your personal data only where required for performing the engagement.
The transfer of your personal data to recipients outside the EU or EEA will always be based on a valid transfer basis either in the form of a decision made by the Commission on the adequacy of the level of protection, see Article 45 GDPR, or in the form of standard data protection clauses, see Article 46 GDPR.
8. Retention of your personal data
We retain your personal data as a client at BDO until five years after the end of the calendar year in which the client relationship ended.
We retain personal data used in performing the engagement until five years after the end of the calendar year in which the engagement was completed, after which date the personal data are deleted currently. This also applies when the client relationship ends.
Retention periods and erasure time limits are determined in accordance with applicable legislation.
9. Your rights
You are entitled to exercise certain rights in relation to our processing of personal data on you in accordance with Articles 15 to 18 and Articles 20 to 21 GDPR. The rights are:
- Right of access to your data
- Right to rectification of your data
- Right to erasure of your data
- Right to restriction of processing of your data
- Right to object to processing of your personal data
- Right to data portability.
You can exercise these rights by sending an email to firstname.lastname@example.org. We will consider all such requests in accordance with applicable data protection legislation and other legislation.
10. Contact and complaint
If you wish to complain of BDO’s processing of personal data, you can send your complaint to Risk & Compliance in BDO Statsautoriseret revisionsaktieselskab, either by ordinary letter to Kystvejen 29, 8000 Aarhus C or by email to email@example.com. We will consider your complaint and return with our response.
You are entitled to and can at any time make a complaint to Datatilsynet (the Danish Data Protection Agency) of BDO’s processing of personal data. The complaint must be filed with Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby, e-mail: firstname.lastname@example.org.
You are welcome to contact us by email to email@example.com if you have any questions in relation to this duty of disclosure.