You share certain personal data with BDO so that our staff can provide you with the agreed service as well as possible. These data say something about you, or can be linked to you as a person in various ways. When processing these data, BDO naturally abides by the principles of the General Data Protection Regulation (GDPR).
The personal data that BDO processes depend on the assignment. We ask you to provide only the data that are strictly necessary for us to deliver the agreed service.
Principles of processing your personal data
For processing the personal data, BDO follows the principles as set out in the GDPR. These principles must be respected at all times when processing personal data and are as follows:
- Lawful, fair and transparent;
- Exclusively for legitimate purposes;
- Not more or longer than necessary;
- Accurate, up to date and confidential;
- Appropriate technical and organizational security measures.
Personal data will be processed only for specific, designated purposes on a lawful basis. These are:
- Client acceptance;
- To perform the agreed service;
- To be able to provide information on the service;
- Communication relating to the service.
BDO will retain your personal data no longer than necessary for providing the agreed service. The precise period depends on the specific data and the service for which they are processed, and is in many cases prescribed by law. A records and retention policy ensures that the correct retention period is adhered to.
BDO takes all technical and organizational measures that may reasonably be expected of it to secure your personal data. Naturally these measures are entirely in line with prevailing laws and regulations and the current state of the art.
Upon taking up employment with BDO, new employees are instructed in the rules and procedures within the organization, in particular concerning the applicable security rules and procedures. Attention is regularly given to increasing our employees' awareness of security and privacy issues.
BDO's ICT department holds an ISO/IEC 27001 certificate, which means that the department's information security management meets that international standard. The certificate covers only the following scope: 'To develop, maintain and support customer portals and document management systems as well as manage ICT infrastructures'.
Your personal data are not shared unless there are legal grounds to do so, for example if the police, judiciary or regulators request information from us under the law. The courts can also oblige us to provide information or allow such information to be inspected.
BDO Nederland always stores its data within the EU. Should data need to be shared outside the EU in connection with the service we provide, this will always be done with an appropriate level of protection.
To carry out our service, we make use of a number of partners. Your personal data may, with your permission, be stored with one of these partners. BDO has naturally made agreements with these partners on how your personal data must be handled; these agreements are laid down in data processing agreements. Which and how many partners are involved depends on the service BDO provides for you, but they will fall into the following categories:
- Partners designing, maintaining and improving IT systems and applications (KPN, CTAC, Microsoft);
- 'Infrastructure as a Service' service providers in the field of data centres, data storage and data communication (KPN, CTAC, Microsoft);
- 'Software as a Service' service providers in the field of accountancy and financial software such as online bookkeeping services and online salary administration (AFAS, Loket.nl, Twinfield).
Complaints & regulation
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) checks whether BDO complies with the General Data Protection Regulation. If you believe that your rights have been breached, you have the right to submit a complaint to this regulator.
Questions and requests to access, rectify and erase your personal data
If you would like more information about the personal data that BDO processes about you, we can provide it only once it is sufficiently clear who you are (identification) and that you are in fact the person you say you are (authentication). This check is carried out at one of BDO's branches.
Concerning your personal data, you have a number of legal rights:
- The right to access your personal data held by us;
- The right to submit a request to rectify or erase your personal data;
- The right to object to a certain way in which your personal data are used.
In certain cases, BDO cannot or is not permitted to rectify or erase data, for example where doing so would be contrary to laws and regulations. A request for access, rectification or erasure can be submitted in writing to our Data Protection Officer at the following address:
BDO Holding B.V.
T.a.v. Data Protection Officer
5600 AD Eindhoven
We will send you a written reply to your request within four weeks.
More detailed information on the protection of personal data can be found in the accompanying privacy regulations (link will be made available in due course).
This privacy statement is applicable to BDO Holding B.V. and the companies affiliated to it at any time.
Amendments to this statement
BDO may amend or update this privacy statement from time to time. You can see when it was most recently updated from the revision date at the end of the statement. The amendments and additions are effective from the date on which they are posted. It is therefore advisable to view the privacy statement from time to time to check whether it contains any relevant changes.
Most recently amended on: 02-07-2018