Data protection refers to the right to privacy and the right to determine how your personal data is used.
Personal data means data and evaluations that can be linked to an individual person.
BDO AS and BDO Advokater AS (hereafter referred to as BDO) process personal data as an employer, as a supplier of services, for marketing purposes and in connection with visits to our website, www.bdo.no.
Data protection is an important part of BDO’s deliveries and we attach the highest priority to protecting the integrity, accessibility and confidentiality of all personal data.
This personal data declaration provides supplementary information about which personal data we collect, how this information is collected and your rights if we record personal data relating to you. The CEO of BDO AS has primary responsibility for personal data processing activities at BDO AS. The CEO of BDO Advokater AS has primary responsibility for personal data processing activities at BDO Advokater AS. Responsibility for daily monitoring of BDO’s compliance with data protection regulations is delegated to the Risk Management Partner.
Client and supplier information
BDO processes personal data about clients and suppliers, in addition to any third parties where this is required to fulfil contract obligations.
The legal basis for such processing is Section 8, first paragraph and Section 8 a), b) or f) and Section 9 a), b) and f) of the Norwegian Personal Data Act.
The information processed includes contact information for clients and suppliers.
Personal data is stored in a separate database and is deleted five years after the conclusion of the client relationship.
BDO processes personal data for marketing purposes. Such personal data can be exchanged between BDO AS and BDO Advokater AS, but will not be passed on to other enterprises.
BDO issues newsletters to which recipients subscribe on a voluntary basis. Subscribers then receive regular e-mails containing their selected newsletters. To be able to send the newsletters to the right person, BDO records your name and e-mail address.
This information is stored in a separate database and will not be passed on to others.
The legal basis for this processing is consent. You can withdraw your consent for your data to be stored at any time. BDO will then delete your contact information from the address list for the relevant newsletter.
– ADDRESS REGISTER
BDO stores contact information for potential clients in a separate database. The information is retrieved from publicly available sources, such as enterprises’ websites. The personal data is processed in order to market our services and coordinate this marketing work.
The legal basis for this processing is Section 8 letter f of the Norwegian Personal Data Act.
Personal data for potential clients is deleted within one year of being recorded in the database, provided that a client relationship has not been established.
BDO logs information about all visitors to the company’s website www.bdo.no using Google Analytics. The information that is recorded cannot be linked to the visitor or traced back to you as an individual. We collect the data to gain a better understanding of how our users use the website, so we can adapt the pages to optimally suit our users.
– Google Analytics
The cookies on our website are provided by Google Analytics (first-party cookies). These are automatically deleted if you do not return to the website within 24 months. You can prevent any of your data being recorded by Google Analytics by installing an add-on in your browser: Google Analytics Opt-out Browser Add-on
BDO uses the Google Analytics analysis tool to study traffic, usage patterns and trends on its website. The data that is collected is used to optimise the user experience and adapt the website’s content. In accordance with Google’s guidelines for use of Google Analytics, no personal data is collected about users. The data that is collected is stored on Google’s servers. You can read more about how Google collects and protects data here.
– Google Display Advertising
The DoubleClick cookie is a third-party cookie that enables third-party suppliers, including Google, to display targeted advertisements from BDO on a number of websites that are part of Google’s content network. This is also known as remarketing. You can read more about the benefits of remarketing here.
Remarketing is used to adapt advertisements for users based on their interests and previous website use. This targeted approach helps to make marketing more relevant to you as a user. In accordance with Google’s data protection policy, no data is collected or processed that could be used to identify individuals. You can opt out of targeted Google Display advertisements here.
– AUDIT SERVICES
Processing of personal data in connection with BDO’s audit services is based on Section 8 first paragraph of the Norwegian Personal Data Act, cf. Chapter 5 of the Norwegian Auditors Act.
Any personal data processed in audit assignments will primarily relate to contact information and other data concerning the employment relationship.
Section 5-5 of the Norwegian Auditors Act requires the auditor to store documentation and numbered correspondence in an ordered and secure manner for at least ten years. The same applies to correspondence concerning consultancy services. BDO shall delete the above documentation within one year of the expiry of the duty to store information.
– LAWYER SERVICES
BDO’s lawyer services primarily relate to taxes. BDO Advokater AS also offers assistance with investigation assignments.
If any personal data is processed that is not regulated by the Administration of Justice Acts, our processing will be regulated by data processor agreements with our clients. The specific security measures and deletion deadline for processing will be established in each individual data processor agreement.
– CONSULTANCY SERVICES
BDO’s consultancy services include compliance and investigations, internal audit, transaction support, corporate management, and security and emergency response planning. In some of our client assignments we may process personal data on behalf of our clients, including biographical data, employment relationship data, financial data, information relating to family matters (affiliation with politically exposed individuals), health data, and information on potentially criminal acts.
In these types of assignments BDO is the data processor and signs a data processor agreement with the client as data controller. The data processor agreement establishes the frameworks for BDO’s personal data processing activities. The specific security measures and deletion deadline for processing will be established in each individual data processor agreement. BDO also assists the client in satisfying the requirements for obligation to obtain a licence/to notify where relevant.
– ACCOUNTANCY SERVICES
BDO can perform all or some accounting duties for clients. Personal data processed in this context typically includes names, ID numbers and salary information.
In these assignments BDO is the data processor and signs a data processor agreement with the client as data controller. The data processor agreement establishes the frameworks for BDO’s personal data processing activities. The specific security measures and deletion deadline for processing will be established in each individual data processor agreement.
Client checks and investigations
BDO is required to implement client checks in accordance with Sections 5, 6 and 15 of the Norwegian Money Laundering Act, and to perform more detailed investigations if it is suspected that a transaction relates to the proceeds of a criminal act, cf. Section 17 of the Norwegian Money Laundering Act.
Data that BDO is required to process in this connection includes names/company names, ID numbers, organisation numbers, permanent addresses, family matters (association with politically exposed individuals), and data relating to potential suspected criminal acts.
Processing of personal data relating to client checks and any duty to investigate can involve processing sensitive information, including in connection with criminal acts.
In accordance with Section 22 of the Norwegian Money Laundering Act, BDO is required to store documents used for client checks for at least five years after the cessation of the client relationship or completion of the transaction, unless a shorter period is established in other legislation or regulations.
Documents and information relating to client checks and any investigations in accordance with Section 17 of the Norwegian Money Laundering Act are stored in separate databases, protected against unauthorised access and deleted within one year of the expiry of the duty to store information.
Under certain circumstances BDO is also required to deliver information to the Norwegian National Authority for Investigation and Prosecution of Economic and Environmental Crime, for example where it is suspected that a transaction relates to proceeds of a criminal act. However, this does not apply to knowledge acquired by lawyers as a result of work to establish the client’s legal status.
BDO processes personal data as part of its HR administration procedures. Personal data processed in this context includes biographical data, salary information, assessments, information about next of kin, and qualifications/position level.
The legal basis for this processing is Section 8 letter f of the Norwegian Personal Data Act.
Personal data relating to HR administration is stored for as long as the individual in question is employed at BDO. Personal data for unsuccessful applicants is deleted one year after the relevant individual applied for the position with BDO.
BDO’s personal data processing activities are regulated by the Norwegian Personal Data Act and associated regulations. Your rights relating to our personal data processing activities are established in Chapters III and IV of the Norwegian Personal Data Act. Some of your most important rights are presented below.
BDO has a dedicated Data Protection Officer who provides guidance to help ensure that personal data is processed properly and in accordance with regulations.
The Data Protection Officer scheme is a voluntary arrangement administered by the Norwegian Data Protection Authority. Requests for access to information, correction and deletion, and notification of non-conformances are processed by the Data Protection Officer.