• Legal & Privacy

BDO’s DATA PROTECTION DECLARATION

Data protection refers to the right to privacy and the right to determine how your personal data is used.

Personal data means data and evaluations that can be linked to an individual person.

BDO AS and BDO Advokater AS (hereafter referred to as BDO) process personal data as an employer, as a supplier of services, for marketing purposes and in connection with visits to our website, www.bdo.no.

Data protection is an important part of BDO’s deliveries and we attach the highest priority to protecting the integrity, accessibility and confidentiality of all personal data.

This personal data declaration provides supplementary information about which personal data we collect, how this information is collected and your rights if we record personal data relating to you. The CEO of BDO AS has primary responsibility for personal data processing activities at BDO AS. The CEO of BDO Advokater AS has primary responsibility for personal data processing activities at BDO Advokater AS. Responsibility for daily monitoring of BDO’s compliance with data protection regulations is delegated to the Risk Management Partner.

In which areas does BDO process personal data?

  1. Client and supplier information

    BDO processes personal data about clients and suppliers, in addition to any third parties where this is required to fulfil contract obligations.

    The legal basis for such processing is Section 8, first paragraph and Section 8 a), b) or f) and Section 9 a), b) and f) of the Norwegian Personal Data Act.

    The information processed includes contact information for clients and suppliers.

    Personal data is stored in a separate database and is deleted five years after the conclusion of the client relationship.

  2. Marketing

    BDO processes personal data for marketing purposes. Such personal data can be exchanged between BDO AS and BDO Advokater AS, but will not be passed on to other enterprises.

    – NEWSLETTERS

    BDO issues newsletters to which recipients subscribe on a voluntary basis. Subscribers then receive regular e-mails containing their selected newsletters. To be able to send the newsletters to the right person, BDO records your name and e-mail address.

    This information is stored in a separate database and will not be passed on to others.
    The legal basis for this processing is consent. You can withdraw your consent for your data to be stored at any time. BDO will then delete your contact information from the address list for the relevant newsletter.

    – ADDRESS REGISTER

    BDO stores contact information for potential clients in a separate database. The information is retrieved from publicly available sources, such as enterprises’ websites. The personal data is processed in order to market our services and coordinate this marketing work.

    The legal basis for this processing is Section 8 letter f of the Norwegian Personal Data Act.

    Personal data for potential clients is deleted within one year of being recorded in the database, provided that a client relationship has not been established.

    – COOKIES

    BDO logs information about all visitors to the company’s website www.bdo.no using Google Analytics. The information that is recorded cannot be linked to the visitor or traced back to you as an individual. We collect the data to gain a better understanding of how our users use the website, so we can adapt the pages to optimally suit our users.

    Like most other websites, we store data in a cookie on your PC. Most browsers are configured to receive cookies from websites. You can delete stored cookies by following the relevant instructions in your browser. You can find information about this in your browser’s Help function. Please note that restricting the use of cookies can affect the functionality of our website.

    – Google Analytics

    The cookies on our website are provided by Google Analytics (first-party cookies). These are automatically deleted if you do not return to the website within 24 months. You can prevent any of your data being recorded by Google Analytics by installing an add-on in your browser: Google Analytics Opt-out Browser Add-on

    BDO uses the Google Analytics analysis tool to study traffic, usage patterns and trends on its website. The data that is collected is used to optimise the user experience and adapt the website’s content.  In accordance with Google’s guidelines for use of Google Analytics, no personal data is collected about users. The data that is collected is stored on Google’s servers. You can read more about how Google collects and protects data here.

    – Google Display Advertising

    The DoubleClick cookie is a third-party cookie that enables third-party suppliers, including Google, to display targeted advertisements from BDO on a number of websites that are part of Google’s content network. This is also known as remarketing. You can read more about the benefits of remarketing here.

    Remarketing is used to adapt advertisements for users based on their interests and previous website use. This targeted approach helps to make marketing more relevant to you as a user. In accordance with Google’s data protection policy, no data is collected or processed that could be used to identify individuals. You can opt out of targeted Google Display advertisements here.

  3. Services

    – AUDIT SERVICES

    Processing of personal data in connection with BDO’s audit services is based on Section 8 first paragraph of the Norwegian Personal Data Act, cf. Chapter 5 of the Norwegian Auditors Act.

    Any personal data processed in audit assignments will primarily relate to contact information and other data concerning the employment relationship.

    Section 5-5 of the Norwegian Auditors Act requires the auditor to store documentation and numbered correspondence in an ordered and secure manner for at least ten years. The same applies to correspondence concerning consultancy services. BDO shall delete the above documentation within one year of the expiry of the duty to store information.

    – LAWYER SERVICES

    BDO’s lawyer services primarily relate to taxes. BDO Advokater AS also offers assistance with investigation assignments.

    If any personal data is processed that is not regulated by the Administration of Justice Acts, our processing will be regulated by data processor agreements with our clients. The specific security measures and deletion deadline for processing will be established in each individual data processor agreement.

    – CONSULTANCY SERVICES

    BDO’s consultancy services include compliance and investigations, internal audit, transaction support, corporate management, and security and emergency response planning. In some of our client assignments we may process personal data on behalf of our clients, including biographical data, employment relationship data, financial data, information relating to family matters (affiliation with politically exposed individuals), health data, and information on potentially criminal acts.

    In these types of assignments BDO is the data processor and signs a data processor agreement with the client as data controller. The data processor agreement establishes the frameworks for BDO’s personal data processing activities. The specific security measures and deletion deadline for processing will be established in each individual data processor agreement. BDO also assists the client in satisfying the requirements for obligation to obtain a licence/to notify where relevant.

    – ACCOUNTANCY SERVICES

    BDO can perform all or some accounting duties for clients. Personal data processed in this context typically includes names, ID numbers and salary information.

    In these assignments BDO is the data processor and signs a data processor agreement with the client as data controller. The data processor agreement establishes the frameworks for BDO’s personal data processing activities. The specific security measures and deletion deadline for processing will be established in each individual data processor agreement.

  4. Client checks and investigations

    BDO is required to implement client checks in accordance with Sections 5, 6 and 15 of the Norwegian Money Laundering Act, and to perform more detailed investigations if it is suspected that a transaction relates to the proceeds of a criminal act, cf. Section 17 of the Norwegian Money Laundering Act.

    Data that BDO is required to process in this connection includes names/company names, ID numbers, organisation numbers, permanent addresses, family matters (association with politically exposed individuals), and data relating to potential suspected criminal acts.

    Processing of personal data relating to client checks and any duty to investigate can involve processing sensitive information, including in connection with criminal acts.

    In accordance with Section 22 of the Norwegian Money Laundering Act, BDO is required to store documents used for client checks for at least five years after the cessation of the client relationship or completion of the transaction, unless a shorter period is established in other legislation or regulations.

    Documents and information relating to client checks and any investigations in accordance with Section 17 of the Norwegian Money Laundering Act are stored in separate databases, protected against unauthorised access and deleted within one year of the expiry of the duty to store information.

    Under certain circumstances BDO is also required to deliver information to the Norwegian National Authority for Investigation and Prosecution of Economic and Environmental Crime, for example where it is suspected that a transaction relates to proceeds of a criminal act. However, this does not apply to knowledge acquired by lawyers as a result of work to establish the client’s legal status.

  5. HR administration

    BDO processes personal data as part of its HR administration procedures. Personal data processed in this context includes biographical data, salary information, assessments, information about next of kin, and qualifications/position level.

    The legal basis for this processing is Section 8 letter f of the Norwegian Personal Data Act.

    Personal data relating to HR administration is stored for as long as the individual in question is employed at BDO. Personal data for unsuccessful applicants is deleted one year after the relevant individual applied for the position with BDO.

Your rights

BDO’s personal data processing activities are regulated by the Norwegian Personal Data Act and associated regulations. Your rights relating to our personal data processing activities are established in Chapters III and IV of the Norwegian Personal Data Act. Some of your most important rights are presented below.

  • RIGHT TO ACCESS INFORMATION
    Anyone who asks has the right to know what type of personal data processing BDO performs, as well as basic information about these processes. This information is provided in the data protection declaration.

    If you are registered in BDO’s systems you have the right to know which information about you is recorded and which security measures are in place for processing as long as such access does not undermine security.

    You can demand that the data controller provide more detailed information as mentioned above if this is necessary to enable you to safeguard your interests.
     
  • CORRECTION AND DELETION OF INVALID PERSONAL DATA
    If BDO processes personal data about you that is inaccurate, incomplete or which it is not permitted to process, you can demand that BDO correct or delete such data. Wherever possible, BDO shall ensure that the error does not adversely affect you, e.g. by notifying recipients about inaccuracies in the delivered information.

    Inaccurate data should be deleted, and accurate and complete data recorded. If this is not possible, and consequently a document from which data has been deleted still provides an evidently misleading picture, the entire document shall be deleted.

    BDO shall respond to requests to access information or other rights in accordance with Sections 18, 22, 25, 26, 27 and 28 of the Norwegian Personal Data Act without undue delay and no later than 30 days from the date of receiving the request, unless particular circumstances make it impossible to respond to the request within this deadline. In such cases BDO shall provide a provisional response, including information about the reasons for the delay and the expected date an answer will be provided.

Data Protection Officer

BDO has a dedicated Data Protection Officer who provides guidance to help ensure that personal data is processed properly and in accordance with regulations.

The Data Protection Officer scheme is a voluntary arrangement administered by the Norwegian Data Protection Authority. Requests for access to information, correction and deletion, and notification of non-conformances are processed by the Data Protection Officer.

Contact information

Enquiries can be sent to personvern@bdo.no, or to BDO AS, FAO Data Protection Officer, PO Box 1704 Vika, NO-0121 Oslo, Norway.