Privacy statement for BDO
Your privacy is important to BDO, and we care about the integrity, availability, and confidentiality of your personal data. All processing of personal data in BDO shall comply with the prevailing legislation, including the Personal Data Act (personopplysningsloven) and EU’s General Data Protection Regulation (GDPR).
In addition to being subject to the data protection legislation, BDO is part of a large global network that sets requirements for our processing of personal data. The requirements are set out in BDOs Binding Corporate Rules (BCR) available here. We report annually to BDO’s global organisation on how we comply with these requirements.
Controller and processor
BDO comprises BDO AS, org.no. 993 606 650 and BDO Advokater AS, org. no. 996 798 577. BDO AS and BDO Advokater AS are two independent legal entities with individual obligations pursuant to the data protection legislation. However, the companies cooperate very closely and, in many ways, they operate as if they were one. This also applies to the processing of personal data.
BDO can be the controller or processor depending on the type of processing we do. As a main rule, we act as the controller when we process personal data in connection with auditing services and legal services. We can also be the controller for certain advisory services like internal audit engagements and due diligence. In addition, we are the controller for the processing of personal data that we do for our own purposes or pursuant to statutory obligations, such as marketing and client control as determined by the Norwegian Act on Measures to Prevent Money Laundering and Financing of Terrorism (the Anti-Money Laundering Act).
When BDO provides accounting and payroll services for our customers, we will normally be the processor for our clients. This also applies to several of our advisory services. As a processor, BDO’s processing of personal data will be regulated by a data processor agreement with the client.
Anyone with personal data registered in BDO’s systems has the right to:
- Access the personal data
- Rectify incorrect and incomplete personal data
- Delete personal data
- Restrict the processing of personal data
- Data portability
- Protest against the processing of personal data
Please note, however, that the rights are not absolute and that they can be limited. We can be subject to a duty of confidentiality that can limit your right to access. We may also be subject to statutory storage obligations that can limit your right to request that personal data about you shall be deleted. If we turn down your request to exercise one of your rights, we will always provide a description of the basis for the rejection.
You can exercise your rights by submitting a request to BDO’s Data Protection Officer email@example.com or by mailing a letter to BDO AS at the attention of the Data Protection Officer, Postboks 1704 Vika, 0121 Oslo. We shall reply to the request without undue delay and within 30 days at the latest.
When BDO is the processor for our clients, the request shall be directed to the controller, i.e., to BDO’s client.
If you are of the opinion that we are processing personal data in violation of the data protection legislation, you can address a complaint to BDO’s Data Protection Officer. You can also complain directly to the Data Protection Authority (Datatilsynet).
Do others have access to your personal data?
Depending on the the circumstances for collecting the personal data, BDO may share information containing personal data. BDO will share such information only if it has been agreed with the client or it is required to comply with legislation or requests from the authorities.
As a legal firm, we are subject to a trict duty of confidentiality implying that we as a main rule may share information only with courts of law and opposite parties when necessary to carry out the engagement, when it has been agreed with the client or if it is necessary to comply with statutory obligations.
As an audit, advisory and accounting firm, we may, however, share personal data in some instances, such as:
- Supervisory authorities will get access to our documentation in connection with supervisions
- Those carrying out quality controls of us will have access to our documentation
- Reporting of suspicious transactions to the Norwegian Authority for Investigation and Prosecution of Economic and Environmental Crime (Økokrim)
- The police may in certain instances get access to our documentation
- If a client is subject to a tax review, we can be obliged to transfer information that may contain personal data to the tax authorities
- We may have to share information containing personal data to a debt settlement committee, bankruptcy estate or estate manager in connection with debt negotiations or bankruptcy
- If we are summoned as a witness in a court case, we may be obliged to witness.
Our use of processors
BDO has several suppliers who can process personal data on our behalf. Suppliers who process personal data on behalf of BDO must be able to document satisfactory routines for privacy and information security. BDO therefore require all such suppliers to undergo a security check before they become suppliers of ours. Furthermore, we make sure to enter into data processing agreements with the suppliers that allow us to monitor that the suppliers process personal data in accordance with the requirements of the GDPR.
In assignments where BDO is the processor for our clients, these suppliers will be considered sub-processors. A list of BDO’s subprocessors can be found here.
Transfers to third countries
As a main rule, we do not transfer personal data to countries outside the EU/EEA (third countries). In exceptional cases, however, personal data may be transferred by giving personnel localised in third countries access to personal data hosted in the EU/EEA. At such transfers, BDO will ensure that appropriate safeguards are applied, and that the personal data is subject to an adequate protection level.
If BDO is transferring personal data to companies in the BDO network localised outside the EU/EAA, the transfer will normally be protected by BDO’s BCR. If this does not cover the concrete transfer or BDO is transferring to others that are not part of the BDO network, we will ensure that the EU’s Standard Contractual Clauses (SCC) applies.
BDO takes information security seriously, and we have established appropriate security measures to protect the confidentiality, availability, and integrity of your personal data. The access to personal data is limited to employees with a professional need for such access, and all employees are subject to a duty of confidentiality. Material containing personal data worthy of extra protection transferred to or from BDO, shall always be secured against access by means of encryption. Personal data worthy of extra protection includes health information, national identity number, payroll and debt information and knowledge about criminal acts and violations of law.
More information on this topic BDO is available for our clients on request.
How does BDO process personal data?
Processing of client and supplier contact information
Processing of personal data when providing services
Processing of personal data when performing client controls
Processing of personal data for marketing and professional updates
Processing of personal data when using our websites
Processing of personal data when BDO is organising courses
Processing of personal data for recruitment
We encourage our clients to use their contact person in BDO about questions on BDO’s processing of personal data.
Questions from others than clients can be directed to the Data Protection Officer at firstname.lastname@example.org or to BDO AS at the attention of the Data Protection Officer, Postboks 1704 Vika, 0121 Oslo.
The date for the last update of this privacy statement is April 17th. 2023