1. Who are we?
1.1. BDO as controller
With this statement (hereinafter referred to as “Statement”), we would like to inform you why and how BDO Belgium, which consists of the Belgian BDO entities (hereinafter referred to as “we”, or “BDO”) collects and processes your personal data. Belgian BDO entities, which are not regarded as third parties vis-à-vis one another, all process your personal data in accordance with this Statement. These are collected and stored centrally at BDO.
Our contact details can be found in point 10 of this Statement.
Within the scope of its services to its clients, BDO acts as a processor of its clients’ personal data. This is dealt with in the processing agreement between BDO and its clients and is not part of this Statement.
As a controller, we are responsible for processing the personal data which we request and use for marketing purposes, the proper functioning of our company and our client management procedures.
In any case, we take the measures to guarantee that you:
- remain informed about our processing of your personal data and about your rights;
- continue to control the personal data we process;
- can exercise your rights regarding your personal data. More information on your rights can be found in point 9 of this Statement.
1.2. Data Protection Officer
We have appointed a Data Protection Officer. This is an expert on the protection of personal data who provides an additional guarantee that we will process your personal data correctly.
You can contact the Data Protection Officer via the channels mentioned in point 9 of this Statement.
2. What data do we collect about you?
2.1. Personal data
We understand “personal data” to mean any information referring to a particular natural living person.
Where applicable, it contains data on you and/or your representatives, staff, self-employed persons whom you have engaged and/or directors and, as the case may be, your suppliers or customers (jointly also referred to hereafter as “you” or “your”).
When handing us personal data on your staff, representatives, and/or self-employed persons and/or directors, suppliers and/or customers, you must inform them of the existence and content of this Statement, including our obligations, their rights and the way in which they can exercise such rights.
In particular, we collect the following data:
- from our existing clients: identification and contact details (surname, first name, gender, email address, telephone number, copy of identity card, etc.), designated areas of interest and certain financial data (bank account number, etc.);
- from prospective clients: identification and contact details (surname, first name, gender, email address, telephone number, etc.), indicated areas of interest, etc. We may also collect these data (as described above) from other sources, including your employer or your clients). For instance, in the course of our accounting services, we may process personal data of suppliers, customers of our own clients.
We may also receive personal data (as described above) from other persons, including your employer/employees or your clients. For example, we may process personal data of suppliers or clients of our own clients within the framework of our accountancy activities.
We need and use this information for the purposes stated in point 3 of this Statement. In particular, some personal data are required as a consequence of the contractual relationship we have with our clients in order to enable us to carry out our contractual obligations. Failure to provide this personal data may prevent or delay the fulfilment of these obligations.
2.2. Sensitive data
As data controller, we do not intend to collect and process neither personal data of minors nor so-called sensitive data, namely:
- personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership;
- genetic or biometric data (e.g. facial images and fingerprints);
- data relating to health;
- data relating to sexual behaviour or sexual orientation.
However, should we receive this kind of data, we will not use any such sensitive personal data provided to us and will erase it.
3. Why do we need your data?
3.1. To be able to accept you as a client and correctly execute the contract
We need personal data to:
- register and manage you as a customer or a prospective customer in our customer relationship management (CRM) system;
- be able to accept you as a client in our client acceptance procedure;
- be able to contact you as a client and to join you in coordinating matters in connection with providing the services you requested;
- be able to invoice our services or to make statements of accounts for the services provided;
- carry out the agreement with our clients and deliver the services asked for.
We will use your personal data solely if they are necessary.
3.2. For (direct) marketing purposes
We would like to be able to inform you about our services, events or relevant news items.
You might receive our direct marketing communication (newsletters, whitepaper, advertisement, etc.) if you have given us your explicit consent to do so. We will specifically ask your consent for such processing if you are not a BDO client.
If you already have a client relationship with us, we will send you marketing communication which we suspect might interest you or will benefit you. We consider it our legitimate interest to inform you of the kind of services we can offer to you.
Furthermore, we may publish photographs of you on our websites and social media platforms (LinkedIn, Facebook, YouTube, Twitter and Instagram) in order to promote our activities (social activities, conference you attended etc.). We will do so solely if you have given us your explicit consent. We encourage you to read the privacy statements on the website of the social media listed above in order to understand how your personal data (such as your photographs and/or video’s) are protected.
You can use your right to object, at any time without suffering any harm, to these processing as stated in point 9.2 (for direct marketing) and in point 9.3 of this Statement (for the photographs).
3.3. To be able to function as a company
This purpose amounts to what is called a “legitimate interest”. As a matter of fact, we still have a number of legitimate interests on which personal data processings are based. We only do such processings after we have considered the fact that, in any event, the balance between our legitimate interests and their possible impact on your privacy is not disrupted.
However, should you nevertheless have any objections with regard to these processing operations, you can still exercise your right to object, at any time and under certain conditions, as explained in point 9.3 of this Statement.
Personal data are processed in different situations, for example when personal data may:
- serve as evidence (archives);
- be used to record your participation in and/or attendance at our events;
- be used to be able to provide you with any information you have requested;
- be used to ensure that our records are kept accurate and up to date;
- be used to establish, exercise, defend and indemnify the rights of BDO or the persons it may represent, for example in disputes;
- be used for the administration, (risk) management and monitoring of our organisation, including for matters relating to compliance (e.g. money laundering, fraud prevention and investigations and privacy), risk functions and inspection, complaint management and internal and external audit;
- be coordinated and used to centralise or efficiently manage our clients, to create segments or sectors (e.g. Public Sector, Real Estate & Construction, Life Sciences, Retail, etc.), and to create more detailed profiles of clients or prospective clients to be able to communicate with you in a more targeted way;
- be used to administer and manage our website, (IT) system and applications.
Personal data can be used to support and simplify customers’ purchasing, use and termination of services, including preventing you from having to fill in information that you previously provided, or to avoid needing to go through an entire identification process again if you want to become a client with another BDO entity. In this way, identification data can be transmitted to BDO entities to make it easier for such entities to identify the client.
4. What is the legal basis for processing your personal data?
We may only lawfully use and process your personal data if one of the following conditions is met:
- The use of your personal data is necessary to execute a contract that you have concluded with us or, at your request, to be able to take the necessary steps to reach an agreement with us.
- The purposes of the processing stated in point 3.1 of this Statement is based on these grounds.
- We have your explicit and voluntary consent to use your personal data for a particular purpose. For example, we will request your consent to write to you for direct marketing purposes, as stated in point 3.2 of this Statement, if you do not yet have a client relationship with us.
- The use of your personal data is necessary for the purposes of our legitimate interests. When we process your personal data to meet our legitimate interests we ensure that your privacy is protected and that your interests or fundamental rights and freedoms are not overridden by our legitimate interests. For more information about the balancing test that we carry out to process your personal data to meet our legitimate interests or if you want to object to these uses of your personal data, please contact us at the details below as stated in point 9.3 of this Statement. We base the processing necessary to operate as a company on our legitimate interest, as mentioned under point 3.3 of this Statement, and to be able to contact our existing customers for direct marketing purposes, as mentioned under point 3.2 of this Statement.
- We may be required by law to process certain data and, as the case may be, to transmit them to the relevant authorities.As a matter of fact, within the framework of certain services (auditing mandates, tax returns, accounting, etc.), BDO is required to duly respect obligations of reporting to the authorities; also, we must be able to react correctly if you exercise your rights in terms of the privacy legislation, and we are also obliged to answer questions from the Data Protection Authority, for example if there are any complaints.
5. With whom do we share your personal data?
- Only our employees and the self-employed persons working for us who effectively need access to perform their duties, will be granted access to your data. These people act under our supervision and responsibility.
- We also call on external suppliers that carry out certain processing operations for us so that we can offer you our products and activities, such as IT services (including legal, financial, accounting and similar other services). Since these third parties have access to personal data within the scope of the services we request, we have taken technical, organisational and contractual measures to guarantee that your personal data are processed and used solely for the purposes stated in point 3 of this Statement.
- Only if we are legally obliged to do so can your personal data be provided to supervisory institutions, tax authorities and investigation services.
We may also share anonymous data, which cannot identify you, for general business analysis, e.g. we may disclose the number of visitors of our websites or users of our services (without any further information concerning the client itself).
6. Where are your Data stored and processed?
Your data will not be transported outside the EU and, in any event, we will ensure that the minimum legal requirements and security standards are respected at all times. If we suspect that your data will be stored and processed outside the EU, we will explicitly inform you of this and ensure that the same level of protection is used as is applicable within the EU.
Apart from the above mentioned cases, your personal data will never be transferred or made available to third parties and will be used exclusively for our purposes. Other companies can therefore not use your data, e.g. to send you advertising.
7. How long do we retain your personal data?
We only store your data for as long as this is necessary for the purposes for which the data are to be used as stated in point 3 of this Statement (e.g. to execute an agreement, send information you requested, etc.). More precisely, we will keep your personal data for as long as we have a (contractual) relationship with you. Once our relationship with you has come to an end, we will retain your personal data for a period of time that enables us to:
- maintain our business records for analysis and/or audit purposes;
- comply with record retention requirements under the law;
- defend or bring any legal claims;
- deal with any complaints.
Any deviations from or clarifications of this principle are expressly stated under the various purposes referred to in point 3 of this Statement.
We will delete your personal data when it is no longer required for these purposes. Should there be any personal data that we are unable, for technical reasons, to delete entirely from our systems, we will put in place appropriate measures by anonymizing them and/or by preventing any further processing or use of the data.
8. How do we secure your personal data?
We have implemented generally accepted standards of technology and operational security to protect personal data from loss, misuse, alteration or destruction unauthorized.
We require all employees, principals and independent collaborator to keep personal data confidential and only authorized personnel have access to this data.
9. What are your rights?
9.1. Right of access, rectification, erasure, transferability of data and objection
9.1.1. Right to access your personal data
You have the right at all times to access and inspect your personal data processed by us. In this context, we will provide you with a free copy of your personal data.
9.1.2. Right to rectify your personal data
You have the right at any time to have incorrect, incomplete, inappropriate or outdated personal data erased or rectified.
9.1.3. Right to withdraw your consent
If the processing is based on your express consent, then you have the right to withdraw such consent at any time.
We wish to inform you that withdrawing your consent to certain processing operations of your personal data may result in you no longer being informed of, or being able to use, activities or services that we offer.
9.1.4. Right to object to certain processing
You have the right to object to processing activities based on legitimate interest as referred to in point 3.3.
9.1.5. Right to have your personal data erased
You are entitled to have your personal data deleted. On these grounds, if you no longer wish to have a relationship with BDO, you can request us to stop using your personal data.
However, we may keep personal data required for purposes of proof. Under this right of erasure, you also have the right to ask us at any time to stop using your personal data that are processed on the grounds of your consent or our legitimate interest. Due to legitimate interests, we may still continue to process your personal data after weighing your interests against ours, unless you decide to terminate your relationship with us.
9.1.6. Right to transfer personal data
You have the right to request that personal data that you personally provided to us - in a structured, commonly used and digital form - be forwarded to you so that you can store them for personal (re)use, or to forward such personal data directly to another data controller, to the extent that it is technically possible for us to do so.
However, the privacy legislation provides for a number of restrictions to this right, which means that it does not apply to all data.
9.1.7. Right to limit certain processing operations
You may request that we limit the processing of your personal data in any of the following cases:
- if you dispute the accuracy of your personal data, you may request a limitation of its processing for a period that enables us to verify the accuracy of your personal data;
- if the processing is unlawful and you object to the erasure of the personal data and you request us instead to limit their use;
- if we no longer need your personal data for the processing purposes referred to in point 3, but you still need your data for the establishment, exercise or substantiation of a legal claim;
- if you objected to a processing operation, we will continue processing pending an answer to the question as to whether the legitimate grounds of BDO more heavily outweigh yours;
- If you have obtained the right to have the processing of your data limited, we will no longer perform any operations with the personal data concerned, other than the storage of these data.
9.2. Right of objection to direct marketing
As has been stated in point 3.2 of this Statement, we use your personal information to address commercial information, advertisement or personal proposals to you (by way of direct marketing campaigns or electronic newsletters). If you do not wish to receive such communications from us (any longer), you have the right to object to the processing of your data for direct marketing purposes by using the options provided to this end in each email you receive from us. We will then no longer process your data for direct marketing purposes. Your request will be executed as soon as possible.
If you have exercised your right to object, you may, if you so wish, again allow direct marketing activities through the same channels.
We draw your attention to the fact that your exercise of the right to object will not prevent us from contacting you, where appropriate, for any other purpose, including the execution of the contract, in accordance with this Statement.
9.3. How to exercise rights
To exercise the rights mentioned above you may send us a written request, dated and signed, and containing a photocopy of a proof of identity.The request can be sent either :
- by email: [email protected]
- in writing to the following postal address: BDO, attn. the Data Protection Officer, Da Vincilaan 9, box E.6, 1930 Zaventem
When exercising your right, we request that you clearly state the right to which you wish to appeal and any processing operation(s) you oppose or which consent you wish to withdraw. Always be as specific as possible if you wish to exercise your rights.
This request is free of charge, except when we consider the request to be manifestly unfounded or excessive (as in the case of a repeated request).
For any additional copy requested, we may also request payment of a reasonable fee based on administrative costs.
The request to obtain a copy of the data will be processed within one month. This period of time may be extended by two months, taking into account such factors as the complexity and number of requests. In the event of an extension of the term, you will be informed of this and of the reasons for the extension.
We will notify third parties to whom the data were communicated of any rectification, erasure or limitation that has been carried out unless this is not possible or requires a disproportionate effort.
10. How to submit questions or complaints
If you have a question or complaint about our personal data processing, about the exercise of your rights or about this Statement, you can contact us in the following ways:
- by email: [email protected]
- in writing to the following postal address: BDO, attn. the Data Protection Officer, Da Vincilaan 9, box E.6, 1930 Zaventem
- by phone: +32 2 778 01 00
We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy. However, should you believe that we have not been able to assist with your complaint or concern, you have the right to make a complaint to the data protection authority of the country in which you live using their website.
If you live in Belgium, you can file a complaint with the Belgian Data Protection Authority. All information on this matter can be found at https://www.dataprotectionauthority.be/.
11. Amendments to this Statement
We may amend or supplement this Statement as we deem necessary.
If significant changes are made to this Statement, the date on which it is amended will be adjusted and we will also notify you accordingly and provide you with a copy of the amended Statement.
We also encourage you to periodically review this Statement to find out how we process and protect your personal data.