BDO is dedicated to safeguarding your privacy and protecting your personal, business, and financial information. This Privacy Notice describes how BDO Cayman Ltd. and BDO Advisory Ltd. operating in the Cayman Islands ( “BDO”, “we”, “us”, or “our”) collects and processes Personal Information about you; how we use and protect your Personal Information; and your rights regarding Personal Information. Each Member Firm in the BDO network is a separate legal entity and a separate data controller for personal data.
This Privacy Notice applies to all Personal Information provided to us, both by you or by third parties, and we may use your Personal Information for any of the purposes described in this Privacy Notice or as otherwise stated at the time of collection.
Personal Information is any information related to an identified or identifiable natural person. A “natural person” is one who can be identified, directly or indirectly, by name, personal identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Where “you” or “your” are used in this Privacy Notice, we are referring to the person who is the subject of the Personal Information. BDO processes Personal Information for numerous purposes and the method of collection, lawful basis for processing, use, disclosure, transfer, and retention for each processing purpose may vary.
2. INFORMATION WE COLLECT
We collect only the Personal Information necessary for agreed purposes and may collect such Personal Information directly from you (to provide professional services) or indirectly from third party sources (such as public databases) where permitted by law.
We process the following categories of Personal Information in relation to our provision of professional services:
Employment information – employer, occupation, job title, role, performance data; and
Financial information – salary, accounts, other income and investments, benefits, tax status.
For certain professional services or activities, we may be required to process special categories of Personal Information in order to comply with client due diligence or “know your client” requirements which include government-issued identification documents that disclose physiological, biometric, or genetic data, or data which reveals racial or ethnic origin.
3. HOW WE USE YOUR PERSONAL INFORMATION
3.1 Providing Professional Services
We must typically process Personal Information in order to provide our professional services to you and we take steps to ensure that your information is current and accurate. The legal grounds for such processing include pursuing legitimate interests related to providing professional services, a legal obligation with which we are required to comply, public interest, or consent. Where special categories of Personal Information are processed, the legal grounds include legal obligation, public interest, or consent.
3.2 Providing Service-Related Information
We use your Personal Information to provide you with additional professional service and activity-related information which may be of interest to you, including relevant industry updates, guidance, and event invitations. The legal grounds for such processing include pursuing legitimate interests related to promoting our business and enhancing client service.
3.3 Business and Professional Service Operation and Administration
We may process Personal Information to operate our business and for administration related to professional services, including:
The legal grounds for such processing include pursuing legitimate interests related to operating, managing, and developing our business and professional services.
3.4 Regulatory Compliance
In order to demonstrate our compliance with legal, regulatory (including anti-money laundering, counter-terrorist financing, proliferation financing, sanctions), and professional obligations, we must process and retain certain categories of Personal Information. The legal grounds for such processing include complying with a legal obligation and pursuing legitimate interests related to professional obligations.
3.5 Quality Assurance and Risk Management
Policies and procedures are in place to monitor our service quality and manage client engagement risks. This includes obtaining, processing, and storing Personal Information as part of our client engagement and acceptance procedures. Use of Personal Information in this regard typically consists of public resource searches (sanctions lists, general Internet searches) to identify politically-exposed persons (PEPs), high-risk individuals, criminal charges and convictions, and organisations which may be subject to sanctions so that we can determine whether there are any issues which may preclude client on-boarding. The legal grounds for such processing include pursuing legitimate interests related to assessing the quality of our professional services and managing business-related risks.
3.6 Security Management
We have established Personal Information security procedures, protocols, and measures which include testing, detecting, investigating, containing, and resolving security threats. Personal Information may be processed as part of such measures and monitoring. The legal grounds for such processing include pursuing legitimate interests related to assessing and ensuring network and information security.
4. YOUR PERSONAL INFORMATION RIGHTS
You have certain rights in respect of your Personal Information and we are responsible for respecting, protecting, and complying with those rights.
4.1 Right to Access Personal Information
You have the right to receive confirmation from us as to whether we process Personal Information about you. You are also entitled to receive a copy of your Personal Information which we hold as well as information regarding the purposes and methods used for processing your Personal Information. You may exercise this right by contacting our Data Privacy Champions, Richard Carty or Charlotte Harcourt, at [email protected]. We will respond to requests without undue delay and in accordance with legally-prescribed time limits.
4.2 Right to Rectification of Personal Information
You have the right to request that your Personal Information be rectified, updated, or amended where such Personal Information is inaccurate. You are also entitled to have any incomplete Personal Information completed. You may request that your Personal Information be rectified, updated, or amended by contacting our Data Privacy Champions, Richard Carty or Charlotte Harcourt, at [email protected]. We will respond to requests in accordance with legally-prescribed time limits.
4.3 Right to Erasure (“Right to be Forgotten”)
You are entitled to have your Personal Information erased or deleted in the following circumstances:
The legal grounds for processing your Personal Information is that the processing is necessary for our legitimated interests or those of a third party, you object to such processing, and we do not have legitimate grounds which override your Personal Information rights and freedoms;
You may request that your Personal Information be erased or deleted by contacting our Data Privacy Champions, Richard Carty or Charlotte Harcourt, at [email protected].
4.4 Right to Restrict Processing
You have the right to restrict the processing of your Personal Information in the following circumstances:
Your Personal Information is no longer required for the purposes for which such Personal Information was collected and processed, but you required such Personal Information to establish, exercise, or defend legal claims;
You may request that we restrict the processing of your Personal Information by contacting our Data Privacy Champions, Richard Carty or Charlotte Harcourt, at [email protected].
4.5 Right to Object to Processing
You have the right to object to the processing of your Personal Information in the following circumstances
You may object to the processing of your Personal Information by contacting our Data Privacy Champions, Richard Carty or Charlotte Harcourt, at [email protected].
4.6 Right Not to be Subject to Automated Decision-Making
You have the right not to be subject to a decision based solely on automated processing which may have a legal effect on you or similarly significantly affects you. You may require us to ensure that no such decision is taken by contacting our Data Privacy Champions, Richard Carty or Charlotte Harcourt, at [email protected].
4.7 Right to Data Portability
You are entitled to receive the Personal Information which you provided to us in a structured, commonly used, machine-readable format. You also have the right to transmit such Personal Information to another organisation or ask us to do so on your behalf where technically feasible. You may exercise this right to data portability by contacting our Data Privacy Champions, Richard Carty or Charlotte Harcourt, at [email protected].
4.8 Right to Withdraw Consent
Where we process Personal Information on the legal grounds of your consent, such consent can be withdrawn at any time. However, we do not typically process Personal Data on the legal grounds of consent as there are generally other legal grounds for processing. In circumstances where we do rely upon your consent for processing your Personal Information and you wish to withdraw your consent, you may contact our Data Privacy Champions, Richard Carty or Charlotte Harcourt, at [email protected].
4.9 Right to Submit Complaint
We are committed to working with you to achieve a fair and reasonable solution to any complaint or concern you may have regarding your Personal Information, and you may contact our Data Privacy Champions, Richard Carty or Charlotte Harcourt, at [email protected] in this regard. However, if you believe that we have not been able to assist with your complaint or concern, you have the right to submit a formal complaint to:
5. SHARING YOUR PERSONAL INFORMATION
BDO will only share your Personal Information with others, including BDO Member Firms and third party service providers, when we are legally permitted to do so. In circumstances where your Personal Information is shared, we establish contractual and security requirements to help safeguard your Personal Information and comply with our data protection, client confidentiality, and security standards.
BDO is part of a global network of Member Firms and it is common practice for us to use third party service providers in other countries to assist us with delivering professional services to you. As such, it may be necessary to transfer your Personal Information outside of the Cayman Islands; including, to countries outside of the European Economic Area (“EEA”) which do not have specific data protection laws. In such circumstances, we take steps to help ensure that all Personal Information is lawfully transferred and receives adequate protection. Where Personal Information is transferred to a country outside of the EEA which is not deemed to have an adequate level of data protection, such transfers will be subject to a contract which includes the European Union’s requirements for transfers of Personal Information outside of the EEA (the European Commission approved standard contractual clauses).
Parties to whom your Personal Information may be transferred include:
Auditors, Insurers, Legal Advisors (claims, legal rights, advice); and
6. PERSONAL INFORMATION SECURITY
We adhere to global technology and operational security standards to protect Personal Information from unauthorised access, alteration, destruction, disclosure, loss, and misuse. We restrict access to non-public Personal Information on the bases of least-privilege (employees are only permitted a level of access to information which is consistent with the business need for access) and need-to-know access so that authorised access is commensurate with defined responsibilities.
Our established framework of Personal Information policies, procedures, and training are regularly reviewed to help ensure that our data protection security measures are appropriate and adequate.
7. PERSONAL INFORMATION RETENTION
We will retain your Personal Information for as long as is considered necessary to fulfil the purposes for which such Personal Information was collected; including, as required by applicable law or regulation.
When our professional relationship with you comes to an end, we will retain your Personal Information in accordance with legal, regulatory, and contractual requirements, including to:
Our standard retention period for Personal Information is seven (7) years. If, due to technical reasons, we are unable to erase or delete your Personal Information following the retention period expiration, we will take appropriate steps to anonymise and prevent any further processing of your Personal Information.
8. CHANGES TO THIS PRIVACY NOTICE
You may request a copy of this Privacy Notice from our Data Privacy Champions, Richard Carty or Charlotte Harcourt, at [email protected]. This Privacy Notice is regularly reviewed and may be modified or updated from time to time. Modifications and updates to this Privacy Notice are effective from the date of posting.
This Privacy Notice was last updated on: 10 October 2019