This Privacy Statement sets out the categories of personal data that BDO Holding B.V. (BDO) collects and processes about you.
You provide certain personal data to BDO to enable us to provide our services to you. Personal data is any information relating to an identifiable individual or from which an individual can be identified. The personal data that BDO processes depends on the assignment, but we do not ask for more personal data than what is required to provide you with our services.
BDO complies with the lawful bases set forth in the General Data Protection Regulation (GDPR) for processing personal data. As such, BDO warrants, among other things, that personal data are:
- Processed lawfully, fairly and in a transparent manner;
- Only processed for legitimate purposes and only to the extent and for as long as required for the purpose for which it is processed;
- Accurate and processed in a manner that ensures integrity and confidentiality. We ensure this by taking appropriate technical and organisational security measures.
Purposes and lawful bases
BDO processes personal data for specific purposes on a lawful basis. In the overview below, you can see the purposes and lawful bases on which BDO processes personal data.
| Purpose | Lawful basis under the GDPR |
|---|---|
| The performance of contracts with customers | Article 6(1)(b) of the GDPR - performance of the contract and/or the legitimate interest of BDO |
| The performance of contracts with suppliers | Article 6(1)(b) of the GDPR - performance of the contract and/or the legitimate interest of BDO |
| The performance of contracts with employees | Article 6(1)(b) of the GDPR - performance of the contract |
| The exercise of rights (of action) arising under contracts | Article 6(1)(b) of the GDPR - performance of the contract |
| Carrying out marketing activities | Article 6(1)(a) of the GDPR - consent of the data subject; or Article 6(1)(f) of the GDPR - the legitimate interest of BDO |
| Carrying out recruitment activities | Article 6(1)(b)(f) of the GDPR - performance of the contract and/or the legitimate interest of BDO |
| Compliance with legal obligations to which BDO is subject | Article 6(1)(c) of the GDPR - compliance with legal obligations |
| The (specific) purpose for which personal data is processed with the consent of the data subject | Article 6(1)(a) of the GDPR - consent of the data subject |
Where the processing of personal data by BDO is based on consent, the data subject has the right to withdraw their consent at any time. The withdrawal of consent only applies to future processing.
BDO holds and processes the following categories of personal data, but only insofar as processing is necessary for the relevant purpose (see the purposes above):
- Date of birth;
- Place of birth;
- BSN (citizen service number);
- Identity document number;
- Phone number;
- Email address;
- IP address;
- Bank account number;
- Credits to, debits from and transfers to bank accounts;
- Financial information;
- Tax returns;
- Financial and advisory reports;
- Credit notes;
- Payment behaviour;
- CCTV footage recorded at BDO offices.
If you would like more information about the personal data that BDO processes about you, we can only provide this information when it is sufficiently clear who you are (identification) and that you are actually the person you say you are (authentication). Such identification will take place at one of the BDO offices.
In addition to the right to request information, you also have a number of other statutory rights with regard to your personal data. These rights are:
- Right of access: the right to have access to the personal data that BDO holds about you;
- Right to rectification/right to be forgotten: the right to have data corrected or erased;
- Right to object: the right to object to the use of your personal data in certain circumstances;
- Right to restriction of processing: the right to restrict the (future) processing of your personal data;
- Right to data portability: the right to have your data transferred to you or to another organisation.
BDO will at all times review and comply with your request to the extent permitted by applicable laws and regulations. You can submit any questions and/or requests you may have about the processing of your personal data by BDO to our Data Protection Officer using the contact details below:
BDO Holding B.V.
Data Protection Officer
P.O. box 182
5600 AD Eindhoven
You will receive a written response to your request within one month.
If you do not agree with a decision made by BDO with regard to the processing of your personal data, you can contact us. We are always open to discussing and finding consensus on solving the issue. You also have the right to file a complaint with the Dutch Data Protection Authority about the way in which BDO processes your personal data.
BDO will keep your personal data only for as long as is necessary for providing the agreed services and for complying with applicable laws and regulations. In our record and retention policy, we have set specific time limits for the erasure and/or periodic review of personal data in order to ensure that the appropriate retention periods are applied.
In principle, BDO does not share your personal data with other parties (third parties), unless there is a lawful basis for doing so. As such, BDO may disclose personal data to external bodies as categorised below where we are under a legal requirement to do so:
- Requests received from time to time from law enforcement, judicial authorities, regulatory authorities or the courts for access to personal data held by BDO.
- Sharing your personal data within the BDO network or with a number of select business relations that help us provide our services, including relations that process data on our behalf.
We work with a number of partners that help us provide services. We refer to these partners as our (sub)processors or collaboration partners. It is possible that your personal data is stored with or otherwise processed by one of these partners. BDO has made contractual arrangements with these partners regarding how they may process or use your personal data in order to ensure that your personal data is adequately protected.
BDO has partners in the following categories:
- Design, maintenance and optimisation of IT systems and applications;
- ‘Infrastructure as a Service’ providers in the field of data centres, data storage and data communication;
- Marketing activities, events and customer communication management;
- Preparation of reports and statistics, printing of publications and design of products;
- Legal services, auditing services and other specialised services provided by lawyers, notaries, trustees, auditors and other professional advisers;
- Providers of specialised services such as the archiving of physical documents;
- ‘Software as a Service’ providers in the field of accountancy and financial software, such as online accounting services and online payroll management services.
BDO currently works with the following (sub)processors.
Transfer of data outside the EU
In principle, BDO stores your data within the borders of the EU. However, where data is shared outside the EU for the purposes of providing services, BDO will ensure there are adequate levels of data safeguards in place and will implement appropriate safeguards (where necessary) to protect your personal data. We will always inform you when we share your data with business relations outside the EU.
Examples of measures taken by BDO for the transfer of personal data outside the EU are:
- Binding Corporate Rules for transfer of personal data within the BDO network, both within and outside the EU. This is an internal code of conduct for data traffic within the BDO network, which has been approved by the competent regulatory authority.
- Model contracts, including additional measures where necessary, for transfer of personal data to business relations outside the EU.
Personal data can be transferred outside the EU if an adequacy decision is in place or if you have given consent to the transfer.
BDO takes all technical and organisational measures that may reasonably be expected of us to protect your personal data. Needless to say, these measures are entirely in line with prevailing laws and regulations and the current state of the art.
Upon employment with BDO, new employees are informed of the rules and procedures within the organisation, especially with regard to the applicable security rules and procedures. Regular attention is given to raising security and privacy awareness among employees.
The Digital Technology Services (DTS) department of BDO Holding B.V. has been officially ISO27001 certified since January 2015. Since January 2023 the ISO27001 scope has also covered the processes of BDO Cyber Security, part of the Line of Service BDO Advisory B.V. This means we comply with the international standard for information security. The scope of the certificate is: “Develop, maintain and support customer portals and document management systems as well as manage ICT infrastructures plus the cybersecurity services divided into the categories Assess & Assure, Consult & Implement and Continuous Security”.
If you would like to know more about our security measures or our ISO27001 certification, please contact our Quality, Risk Management & Legal department by mail or by phone on (040) 269 81 11.
If you would like to know more about BDO's privacy and data processing policy and how we use your personal data, please contact the Data Protection Officer using the details below:
BDO Holding B.V.
Data Protection Officer
P.O. box 182
5600 AD Eindhoven