Privacy Statement

Introduction 

BDO Limited registered in Guernsey is a member of BDO International Ltd, a UK company limited by guarantee, and form part of the worldwide network of independent legal entities, each of which provides professional services under the name “BDO”. 

BDO is an international network of independent public accounting, tax and advisory firms (the “BDO network”), which perform professional services under the name of BDO (the “BDO member firms”). BDO International Limited (“BDOI”) is a UK company limited by guarantee. It is the governing entity of the BDO network. 
 
Each of BDOI and the member firms is a separate legal entity and has no liability for another such entity's acts or omissions. Nothing in the arrangements or rules of the BDO network shall constitute or imply an agency relationship or a partnership between BDOI and the member firms. 

This Privacy Statement describes how and why BDO (“we” or “us”) and our subsidiaries that: (1) are contracting parties in order to provide or receive services; (2) publicise a position for which you are applying; or (3) you have some other connection to, collect and use personal data (i.e. data relating to an identified or identifiable individual) in the course of business. It applies to personal data provided directly to us by the individuals concerned and to personal data provided to us by companies and other organisations.  

We are committed to the protection of personal data and to fair and transparent processing. If you have any questions about this Privacy Statement, you can contact our Privacy Team via email at privacy@bdo.gg

To find out more about how and why we process personal data, please refer to the relevant section of this Privacy Statement. 

Data controller 

BDO Limited (a limited company registered in Guernsey with number 29684 with a registered address of PO Box 180, Plaza House, Second Floor, St Peter Port, GY1 3LL) is registered as a data controller under registration number DPA2720. 

Security of personal data 

We have policies, procedures and training in place in respect of data protection, confidentiality and information security. We regularly review such measures with the objective of ensuring their continuing effectiveness. The Privacy Statement was last updated in February 2024. 

International transfers of personal data 

In the course of running our business and providing services to clients we may transfer personal data to third parties located in other countries that have less stringent data protection laws.  Where we transfer personal data outside the EEA to countries (that may not provide a level of protection of personal information that may be regarded as equivalent to that afforded under the European data protection legislation) we will take steps to ensure that personal data will be adequately protected in accordance with applicable law. 

Provision of personal data to third parties 

We will only share personal data with third parties where we are legally permitted to do so. We do not provide information to third parties for their own marketing purposes, and we do not undertake mailings for third parties. Where we transfer personal data to third parties, we will put in place appropriate contractual arrangements and seek to ensure that there are appropriate technical and organisational measures in place to protect personal data. 

We may provide personal data to: 

  • Other BDO Member Firms – we may share personal data with other members of the BDO International Network where required for the provision of services to our clients and/or for administrative purposes. 

  • Third parties involved in the performance of services – we may also share personal data to third party organisations who assist us in providing services to clients or are otherwise involved in the services we provide to clients. 

  • Third parties who provide IT services, data processing or functionality – like many professional service providers, we use third party providers to support our business and the provision of services to our clients, such as cloud-based software providers, web hosting/management providers, data analysis providers, and data back-up and security/storage providers. We may transfer personal data to such third parties. 

  • Auditors and advisers – we may transfer personal data to our auditors and advisers as required by law or as reasonably required in the management of our business. 

  • Third parties where required by applicable law and regulation – we may be requested or compelled to disclose personal data to third parties such as regulators and law enforcement agencies. We will only provide personal data to such parties where there is a legal requirement or permission to do so. 
      

Your Rights  

You have rights in relation to any of your personal data held by us as a data controller. Should you wish to exercise your rights right, please contact our Privacy Team via email at privacy@bdo.gg. We will endeavour to respond to any request promptly and within any legally required time limit.  

You also have a right to update your personal data that we hold. To do so, please either update the personal data via the web page or applications open to you, contact your usual BDO contact or otherwise contact our Privacy Team via email at privacy@bdo.gg

Where we process your personal data based on your consent, you have a right to withdraw consent at any time. Should you wish to do so, please contact our Privacy Team via email at privacy@bdo.gg

Finally, in addition to the rights above, you may also have other rights in relation to personal data, including a right to erasure/deletion, the right to data portability and the right to restrict and/or object to our processing of personal data.  
  

Complaints 

Should you wish to complain about our use of your personal data, please contact our Privacy Team via email at privacy@bdo.gg. We will investigate all complaints received and will endeavour to respond to complaints promptly. 

You may also complain about our use of personal data to the Information Commissioner’s Office. For further information on your rights and the complaints process, please visit The Office of the Data Protection Authority website: https://www.odpa.gg
  

Data Retention 

We will only keep personal data for as long as necessary for the purposes for which it was collected, or as required by applicable law or regulation. 

Unless there are any overriding legal, regulatory or contractual requirements, we will retain records of services provided (which may include personal data) in accordance with our document retention policy. 

Privacy Statement - Contacts 

We use a customer relationship management system to collect and process personal data about business contacts such as existing clients, prospective clients and their representatives. Such personal data will typically include name, identity of employer, job title, email address, office address, telephone number and other contact details. 

We collect such personal data using various methods, including the channels below: 

1. Direct Interactions: we receive personal data directly from the contact to whom the personal data relates. Such direct interactions include, for example, instances when the contact: 

2. Requests information about our client services 

i. Provides personal data necessary for specific client services or the purposes of “know your customer” controls 

ii. Provides a business card to us either in person or virtually 

iii. Makes personal data available to us through digital portals and platforms we make available 

iv. Registers to participate in our marketing or other promotional events or subscribes to any of our publications  

vi. Provides us with feedback.

3. Websites, digital services and marketing: we receive personal data when contacts use our website, electronic portals and platforms which we offer or when contacts receive publications or marketing we send. We also collect personal data by using cookies, server logs and other similar technologies. For more information please see our website visitors policy. 

4. Third party sources: we receive personal data concerning contacts from third parties when we: 

i. Provide services to third parties who send us contact personal data to enable the provision of such services   

ii. Perform “know your client” or other legitimate background checks 

iii. Are contacted by third parties who contacts have requested provide us with their personal data on the contacts behalf 

iv. Interact with public and regulatory bodies and other authorities concerning contacts.

5. Publicly available sources: we may also collect personal data from publicly available sources including: 

i. Public registers of individuals and legal entities 

ii. Public registers of sanctioned persons 

iii. Online professional networking platforms including LinkedIn 

iv. Marketing databases. 

We may use such personal data and make it accessible to our people for the following purposes: 

    • Managing, administering and developing our business. 

    • Providing information to clients, audit entities and prospective client about our services. 

    • Identifying our clients or prospective clients’ business needs. 

    • Analysing interactions between our people and our contacts to provide information to our management on relationships and trends, including the use of an automated analytical tool to evaluate the frequency and timing of interactions with contacts.

We do not sell or otherwise release any personal data collected from contacts to third parties. 

We will not use contact personal data to send marketing materials if the contact has expressly requested through our preference centre not to receive marketing. If our contacts request that we stop processing personal data for marketing purposes, we shall cease processing such personal data for those purposes. 

Where we process personal data for the above purposes, we rely on the following lawful bases: 

6. Where it is in our, or a third party’s, legitimate interests, provided that: 

i.the processing is necessary to pursue the legitimate interests; 

ii.the interests of the data subjects do not override the legitimate interests; and 

iii. the data subjects have the right to:

a. request deletion of their personal data, provided they object to our processing and their interests override our own or a third party’s; 

b. restrict processing of their personal data, provided they object to the necessity of the processing. In such circumstances, processing may be restricted for such time as to allow us to investigate their objections; and 

c. object to the processing of their personal data in circumstances where such processing is necessary for a legitimate interest, or where processing is used for marketing purposes.


Privacy Statement - Corporate Clients and Audited Entities 

We aim to collect personal data only to the extent necessary for us to provide our services to our clients, audited entities and for other agreed purposes. Where personal data is required for us to provide services to our clients or audited entities, we request that these entities provide all necessary information to relevant individuals (known as “data subjects”) about our use of personal data. Our clients or audited entities may therefore refer data subjects to this Privacy Notice. We generally collect personal data directly from our clients, audited entities or from third parties acting on their instructions. 

Such personal data may be used for the following purposes: 

  • Provision of professional services – We undertake a wide range of services, including Audit, Tax, Advisory and Outsourcing services. We may have to process personal data in order to perform such services and/or provide advice and deliverables to our clients (or audited entities in the case of audit services). 

  • Managing, administering and developing our business – We process personal data in order to manage our relationship with clients, develop our business and services, maintain and develop our IT systems, manage and host events, and to administer and manage our website, systems and applications. 

  • Quality and risk management and security – we use various measures to protect personal data and other client information, which include monitoring the services provided to clients and audited entities to detect, investigate and resolve security threats. Such monitoring may involve processing personal data, for example the automatic scanning of email correspondence for threats. Our client take-on procedures involve processing personal data that may be obtained from publicly available sources (such as sanctions lists, criminal convictions databases, and general internet searches) to identify any risks relating to individuals and organisations that may prevent us from working for a particular client, audited entity or on a particular engagement. 

  • Providing information about our services to our clients and audited entities – unless the relevant individual has opted-out, we may use client or audit entity business contact details to provide information about our services and activities and events that may be of interest. 

  • Compliance with legal obligations – as a regulated firm, we are subject to various legal obligations that may require us to process and/or retain personal data held on our client and audit files. 

Certain services may also require us to process special categories of personal data such as race or ethnic origin, physical and mental health, criminal records, and political, religious and philosophical beliefs. We will only process such personal data with the individual’s consent or as required by law. 

Where we process personal data for the above purposes, we rely on one or more of the following lawful bases: 

1. Where it is necessary for our performance of contractual obligations. 
2. Where it is necessary for our performance of legal obligations 
3. Where it is in our, or a third party’s, legitimate interests, provided that: 

i. the processing is necessary to pursue the legitimate interests; 
ii. the data subject’s interests do not override the legitimate interests; and 
iii. the data subjects have the right to: 

a. request deletion of their personal data, provided they object to our processing and their interests override our own or those of a third party; 
b. restrict processing of their personal data, provided they object to the necessity of the processing. In such circumstances, processing may be restricted for such time as to allow us to investigate their objections; and 
c. object to the processing of their personal data in circumstances where such processing is necessary for a legitimate interest, or where processing is used for marketing purposes. 


Privacy Statement - Office Visitors 

What personal data do you collect when I visit the BDO Office?

Visitors to our offices are required to sign in at the reception area. We will keep a record of visitors to our offices for a short period of time in order to maintain the security of our premises and ensure the safety of any visitors e.g. in an emergency situation. Records of visitors to our offices will be destroyed when no longer needed. We will only share information about who has visited our offices where required for the detection or investigation of crime or to maintain the safety and security of our offices.

In order to maintain the security of our offices, CCTV is used at our premises by the owners of the properties that we occupy and their agents. We may, on request of the relevant owner of the property access the recordings and information taken by their CCTV to prevent and facilitate the investigation of crime.

Where we process personal data for the above purposes, we rely on the following lawful bases:

1. Where it is necessary for performance of legal obligations
2. Where it is in our, or a third party’s, legitimate interests, provided that:
 
 i. the processing is necessary to pursue the legitimate interests;
 ii. the interests of the data subjects do not override the legitimate interests; and
 iii. the data subjects have the right to:

a. request deletion of their personal data, provided they object to our processing and their interests override our own or a third party’s;
 b. restrict processing of their personal data, provided they object to the necessity of the processing. In such circumstances, processing may be restricted for such time as to allow us to investigate their objections;
 c. object to the processing of their personal data in circumstances where such processing is necessary for a legitimate interest, or where processing is used for marketing purposes.


Privacy Statement - Private Clients 

We aim to collect personal data only to the extent necessary for us to provide our services to our clients and for other agreed purposes. Where personal data is required for us to provide services to our clients, we request that our clients provide all necessary information or we procure this from third parties acting on our client’s instructions.

We provide a range of services to personal clients. We may therefore process a range of personal data, as is appropriate for the performance of services, including contact details, business activities, family information and financial information such as details of income, taxation, financial interests and investments.

Certain services may also require us to process special categories of personal data such as race or ethnic origin, physical and mental health, criminal records, and political, religious and philosophical beliefs. We will only process such personal data with the individual’s consent or as required by law.

We may use personal data concerning our personal clients for the following purposes:

  • Provision of professional services – We undertake a wide range of services, including Audit, Tax, Advisory and Outsourcing services. We may have to process personal data in order to perform such services and/or provide advice and deliverables to our clients.
  • Managing, administering and developing our business – We process personal data in order to manage our relationship with clients, develop our business and services, maintain and develop our IT systems, manage and host events, and to administer and manage our website, systems and applications.
  • Quality and risk management and security – we use various measures to protect personal data and other client information, which include monitoring the services provided to clients to detect, investigate and resolve security threats. Such monitoring may involve processing personal data, for example the automatic scanning of email correspondence for threats. Our client take-on procedures involve processing personal data that may be obtained from publicly available sources (such as sanctions lists, criminal convictions databases, and general internet searches) to identify any risks relating to individuals and organisations that may prevent us from working for a particular client or on a particular engagement.
  • Providing information about our services to our clients and audited entities – unless the relevant. individual has opted-out, we may use client or audit entity business contact details to provide information about our services and activities and events that may be of interest
  • Compliance with legal obligations – as a regulated firm, we are subject to various legal obligations that may require us to process and/or retain personal data held on our client files.

Where we process personal data for the above purposes, we rely on the following lawful bases:

1. Where it is necessary for performance of contractual obligations.
2. Where it is necessary for performance of legal obligations.
3. Where it is in our, or a third party's, legitimate interests, provided that:

i. the processing is necessary to pursue the legitimate interests;
ii. the data subject’s interests do not override the legitimate interests; and
iii. the data subjects have the right to:

a. request deletion of their personal data, provided they object to our processing and their interests override our own or a third party's;
b. restrict processing of their personal data, provided they object to the necessity of the processing. In such circumstances, processing may be restricted for such time as to allow us to investigate their objections; and
c. object to the processing of their personal data in circumstances where such processing is necessary for a legitimate interest, or where processing is used for marketing purposes.



Privacy Statement - Suppliers (and Individuals Connected with our Suppliers)

We aim to collect personal data about our suppliers (which for the purposes of this notice includes subcontractors that we use to provide services to clients) only to the extent necessary for us to receive services and goods from our suppliers, manage our relationship with our suppliers and facilitate the provision of services to our clients. Our suppliers may refer relevant data subjects to this Privacy Notice. We generally collect personal data directly from our suppliers and from third parties such as credit rating agencies.

Such personal data may be used for the following purposes:

  • Provision of professional services – We undertake a wide range of services, including Audit, Tax, Advisory and Outsourcing services. We may have to process personal data received from suppliers in order to perform such services and/or provide advice and deliverables to our clients.
  • Managing, administering and developing our business – We process personal data in order to manage our relationship with clients, develop our business and services, maintain and develop our IT systems, manage and host events, and to administer and manage our website, systems and applications.
  • Quality and risk management and security – we use various measures to protect personal data and other client information, which include monitoring the services provided to clients to detect, investigate and resolve security threats. Such monitoring may involve processing personal data, for example the automatic scanning of email correspondence for threats. Our supplier take-on procedures involve processing personal data that may be obtained from publicly available sources (such as sanctions lists, criminal convictions databases, and general internet searches) to identify any risks relating to individuals and organisations that may prevent us from working with a particular supplier.
  • Providing information about our services to our clients and audited entities – unless the relevant individual has opted-out, we may use supplier (typically subcontractor) business contact details to provide information about our services.
  • Compliance with legal obligations – as a regulated firm, we are subject to various legal obligations that may require us to process and/or retain personal data obtained from suppliers.

Where we process personal data for the above purposes, we rely on the following lawful bases:

1. Where it is necessary for performance of contractual obligations;

2. Where it is necessary for performance of legal obligations;

3. Where it is in our, or a third party’s, legitimate interests, provided that:

i. the processing is necessary to pursue the legitimate interests;

ii. the interests of the data subjects do not override the legitimate interests; and

iii. the data subjects have the right to:

a. request deletion of their personal data, provided they object to our processing and their interests override our own or a third party’s;

b. restrict processing of their personal data, provided they object to the necessity of the processing. In such circumstances, processing may be restricted for such time as to allow us to investigate their objections; and

c. object to the processing of their personal data in circumstances where such processing is  necessary for a legitimate interest, or where processing is used for marketing purposes.


Privacy Statement - Website Visitors 

What personal data do you collect when I visit the BDO.GG website?

We do not require registration in order for you to access www.bdo.gg, but if you participate in any of the activities or services offered by the website, we will collect the personal data that we need in order to provide you with those services, such as your name, job title, email address, employer's name, and telephone number. We may also collect technical information such as your IP (Internet Protocol) address, details of the pages you visit on www.bdo.gg, other pages you visit on the Web, and which browser you used to view www.bdo.gg.

This website collects standard internet log and technical data to measure and improve the effectiveness of this website, to help diagnose problems with our server, to administer this website, to see where website traffic is coming from and to identify our users. We may also collect other information via www.bdo.gg, such as website usage activity and preferences, also known as demographic or profile data. In this connection we may use "cookies" to collect this information. For more information see our Cookie Policy.

We do not seek to collect any special category personal information from you on www.bdo.gg, such as information in respect of your race or ethnic origin, political opinions, religious or other similar beliefs, physical or mental health, sexual orientation, or criminal record. Where you provide such personal information to us voluntarily, your doing so will constitute your explicit consent to us using that information in connection with the purpose for which it has been provided.

What do you use personal data collected through the www.bdo.gg website for?

When we collect personal information from you in the following circumstances, we will use it for the stated purposes of your interaction with us which include when you:

  • subscribe to any of our insights, e.g. newsletters, events
  • subscribe to any of our blogs
  • register to attend an event
  • enter a discussion forum
  • contact us to request further information
  • request to download a document, e.g. report, newsletter.

We aim to collect the minimum amount of information necessary to enable us to deal with your request. We will indicate where the provision of information is voluntary or compulsory. We would normally only request additional information to enable us to provide the most appropriate response to your request.

Unless you ask us not to, we may also use your data to contact you with information about our business, services and events, and other information which may be of interest to you.

Where we process personal data for the above purposes, we rely on the following lawful bases:

1. Where it is in our, or a third party’s, legitimate interests, provided that:

i. the processing is necessary to pursue the legitimate interests;
 ii. the interests of the data subjects do not override the legitimate interests; and
 iii. the data subjects have the right to:

a. request deletion of their personal data, provided they object to our processing and their interests override our own or a third party’s;
b. restrict processing of their personal data, provided they object to the necessity of the processing. In such circumstances, processing may be restricted for such time as to allow us to investigate their objections; and
c. object to the processing of their personal data in circumstances where such processing is necessary for a legitimate interest, or where processing is used for marketing purposes.