Online data protection notice
June 2022
1 General
Thank you for your interest in our services. This privacy policy provides information on how we process personal data (i.e. information relating to an identified or identifiable individual; hereinafter “personal data” or “data”) at BDO.
2 Responsible office and contact
The office responsible for data processing is: BDO AG, Schiffbaustrasse 2, 8005 Zurich, Switzerland («BDO», «us» or «we»).
Contact for privacy issues: BDO AG, Data Protection, Hodlerstrasse 5, 3011 Bern, Switzerland privacy@bdo.ch
Representative in the EU:
Brussels Worldwide Services BVBA
The Corporate Village, Elsinore Building
Leonardo Da Vincilaan 9 – 5/F
1930 Zaventem, Belgium
3 Overview of the purposes for which we process personal data
In particular, we undertake the following categories of personal data processing. A detailed description of the personal data used and further information on processing can be found under para. 5 of this privacy policy:
- If you are our customer and we provide or have provided services to you (see here for an overview of our services)
- If we received your personal data from our customer and not directly from you when providing our services to our customer.
- If you visit our website.
- If you attend one of our events.
- If we communicate with you or inform you about our services and if we advertise.
- If you have any other contractual relationship with us, e.g., as a supplier, service provider or consultant.
- If you apply for a job with us.
- If we are required to do so for legal or regulatory reasons.
- When we are performing due diligence or process personal data for other legitimate interests, such as to avoid conflicts of interest, prevent money laundering or other risks, ensure data accuracy, check creditworthiness, ensure security or enforce our rights.
4 The categories of personal data we collect
Which personal data we process depends on your relationship with us and the purpose for which we process the data (see section 3). In addition to your contact details, we also process other information about you or about people who are related to you. Under certain circumstances, this information may also consist of sensitive personal data.
We collect the following categories of personal data, depending on the purpose for which we process them:
- Contact information (e.g., last name, first name, address, telephone number, e-mail address including meta data as well as recordings and image and video recordings).
- Customer information (e.g., date of birth, nationality, marital status, occupation, title, job title, passport/ID number, AHV number)
- Risk management data (e.g., credit rating information, commercial register data, World Check information and data from the international BDO network)
- Financial information (e.g., data on bank details)
- Mandate data, depending on the mandate (e.g., tax information, business data (statutes, minutes, projects and contracts), employee data (e.g., salary, social security), accounting data, beneficial owners and ownership structure
- Web page data (e.g., IP address, device information (UDI), browser information, web page usage (analytics and use of plugins, etc.)
- Application data (e.g., curriculum vitae and references)
- Marketing information (e.g., newsletter registration)
More detailed information can be found in the description of the respective categories of processing (see section 5).
We usually collect these data directly from you. We may also receive information from our customers about individuals who have no direct relationship with us but with our customer (e.g. data about the customer’s employees). We collect certain data from public or official sources, such as the commercial or debt collection register (see section 5.2). In addition, we may also collect data from and share data with companies in BDO’s international network, as well as third parties such as credit reporting agencies or risk assessment information providers.
5 The personal data we process
5.1 When you use our services
From our customers we collect the personal data that we need to provide our contractually agreed service, to protect our interests, or on the basis of a legal or other binding regulation. When we fulfil a contract with you, we collect other personal data depending on the service involved and whether you are a natural person or a legal entity.
The personal data of our customers consist of the following pieces of information in particular:
- Contact information (e.g. last name, first name, address, telephone number, e-mail address and other contact information)
- Personal information (e.g. date of birth, nationality, marital status, occupation, title, job title, passport/ID number, AHV number, family circumstances, etc.)
- Risk management data (e.g. credit rating information, commercial register data, sanctions lists, specialised databases, data from BDO’s network or the Internet)
- Financial information (e.g. data on bank details, investments and shareholdings)
- Mandate data, depending on the mandate, e.g. tax information, business data (statutes, minutes and projects), employee data (e.g. salary and social security), accounting data, etc.
- Sensitive personal data: these personal data may also include sensitive personal data such as data relating to health, religious beliefs and social assistance measures, in particular if we provide payroll processing or accounting services.
We process these personal data for the described purposes based on the following legal bases:
- Conclusion or execution of a contract with the data subject or for the benefit of the data subject, including contract initiation and possible enforcement (e.g. consulting, and fiduciary)
- Fulfilment of a legal obligation (e.g. when we perform our duties as auditors or are required to disclose information).
- Safeguarding of legitimate interests, (e.g. for administrative purposes, to improve our quality, ensure safety, manage risk, enforce our rights, defend against claims, and review potential conflicts of interest).
- Consent (e.g. to send you marketing information).
5.2 If we do not receive information directly from our customers
When we provide services to our customers, we may also process personal data that we have not collected directly from the data subjects or other persons's personal data. These other persons are usually employees, contacts, family members or persons who have a relationship with the customers or data subjects for other reasons. We need these personal data to fulfil the contracts with our customers. We receive these personal data from our customers or from third parties contracted by our customers. Persons whose information we process for this purpose are informed by our customers that we are processing their data. Our customers can refer to this privacy policy for this purpose.
The personal data of the persons who have a relationship with our customers consist of the following information in particular:
- Contact information (e.g. last name, first name, address, telephone number, e-mail address, other contact information, and marketing data)
- Personal information (e.g. date of birth, nationality, marital status, occupation, title, job title, passport/ID number, AHV number, family circumstances, etc.)
- Financial information (e.g. data on bank details, investments and shareholdings)
- Mandate data, depending on the mandate, e.g. tax information, business data (statutes, minutes and projects), employee data (e.g. salary and social security), accounting data
- Sensitive personal data: these personal data may also include sensitive personal data such as data relating to health, religious beliefs and social assistance measures, in particular if we provide payroll processing or accounting services.
We process these personal data for the described purposes based on the following legal bases:
- Conclusion or execution of a contract with the data subject or for the benefit of the data subject (e.g. when we perform our contractual obligations)
- Fulfilment of a legal obligation (e.g. when we perform our duties as auditors or are required to disclose information).
- Safeguarding of legitimate interests, in particular our interest in providing the best possible service to our customers.
5.3 When you visit our websites or receive a newsletter
You can visit our websites without having to provide any personal data. However, when you visit our website, we automatically collect personal data that we need to operate our website and ensure security. We also collect data in order to analyse user behaviour on our website or in our newsletter and to use this information for the communication and improvement of our products (see also section 6, How we use cookies and the Cookie Policy).
In addition, we collect the necessary information when you register on the website to receive the newsletter or for an event, participate in a survey or fill out the contact form. Designated information on data protection exists where necessary for separate applications or logins.
This personal data consists of the following information in particular:
- Contact information (e.g. last name, first name, address, telephone number and e-mail address)
- Personal information (e.g. occupation, function, title and employer)
- Other information that you submit to us via the website
- Marketing information (e.g. newsletter mailing subscriptions)
- Technical information, information on user behaviour or website settings that is automatically transmitted to us or our service providers (e.g. IP address, UDI, device type, browser, number of clicks on the page, opening of the newsletter, clicks on links, etc., see section 6).
We process these personal data for the described purposes based on the following legal bases:
- Safeguarding of legitimate interests (e.g. for administrative purposes, to improve our quality, analyse data or publicise our services).
- Consent (e.g. to the use of cookies or the newsletter).
5.4 When you attend a BDO event
When you attend an event organised by us, we collect personal data to organise and conduct the event and, if necessary, to send you additional information afterwards. We also use your information to alert you to other events. You may be photographed or filmed by us at these events, and we may publish this footage internally or externally.
This consists of the following information in particular:
- Contact information (e.g. last name, first name, address, telephone number and e-mail address)
- Personal information (e.g. occupation, function, title, employer company and dietary information)
- Pictures or videos
- Payment information (e.g. bank details).
We process these personal data for the described purposes based on the following legal bases:
- Fulfilment of a contractual obligation with or for the benefit of the data subject, including contract initiation and possible enforcement (making participation in the event possible)
- Safeguarding of legitimate interests (e.g. holding events, disseminating information about our event, providing services, and efficient organisation).
- Consent (e.g. to send you marketing information or to create visual materials).
5.5 When we communicate with you or you visit us
If you contact us (e.g. via telephone, e-mail or chat) or if we contact you, we process the personal data required for this purpose. We also process these personal data when you visit one of our offices. In this case, you may be required to leave your contact information prior to your visit or at the reception desk. We retain these data for a restricted time to protect our infrastructure and information.
We process the following information in particular:
- Contact information (e.g. last name, first name, address, telephone number and e-mail address)
- Marginal data for communication (e.g. IP address, duration of communication, and communication channel).
- Recordings of conversations, e.g. during video conferences
- Personal information (e.g. occupation, function, title and employer)
- Time and reason for the visit.
We process these personal data for the described purposes based on the following legal bases:
- Fulfilment of a contractual obligation with or for the benefit of the data subject, including Contract initiation and possible enforcement (provision of a service)
- Safeguarding of legitimate interests (e.g. security, traceability, and processing and administration of customer relationships).
5.6 When you apply to BDO online
From people who apply online for one of our advertised positions, or who send us an application, we collect the information provided in the online application tool as well as any information provided by the applicant on their own initiative. The online application portal has a separate privacy policy and additional information on employee personal data processing will be provided during the application process.
5.7 When you provide a contractual service in another capacity (e.g. suppliers, service providers, and other contractual partners)
When we enter into a contract with you to provide a service to us, we process personal data from you or your employees. We need these data to communicate with you and to make use of your services. We may also process these personal data to check whether there could be a conflict of interest in connection with our work as auditors and to ensure that we do not take any undesirable risks, e.g. with regard to money laundering or sanctions, through our cooperation.
We process the following information in particular:
- Contact information (e.g. last name, first name, address, telephone number and e-mail address)
- Personal information (e.g. occupation, function, title and employer company)
- Financial information (e.g. data on bank details).
We process these personal data for the described purposes based on the following legal bases:
- Conclusion or execution of a contract with the data subject or for the benefit of the data subject, including Contract initiation and possible enforcement
- Safeguarding of legitimate interests, (e.g. avoiding conflicts of interest, protecting the company and enforcing legal claims)
6 How we use tracking technology
Cookies, pixels, tags and other tracking technologies («cookies») are used on the BDO website and in the BDO newsletter. Cookies are small files that are saved on your computer or mobile end device when you visit our website or receive the newsletter. We use cookies to facilitate various functions of our website and to be able to offer you the best possible browsing experience, for example by saving your settings.
For more information on the use of cookies, please see our cookie policy.
6.1 Web analytics, newsletter analysis and tracking technology
We use the following web analysis tools and retargeting technologies to obtain information regarding the use of our website, improve our Internet services and to be able to contact you with marketing on third-party websites and social media: Google Analytics, Facebook Pixel, Kentico EMS and BSI Studio (newsletter).
These tools are supplied by third-party providers. The information regarding the use of the website that is gathered for this purpose is generally transmitted through cookies or similar technology to the third-party provider’s server. Depending on the third-party provider, these servers may be located in another country.
The data are usually transmitted with the IP addresses abbreviated to prevent the identification of individual end devices. This information is passed on by third-party providers only on the basis of statutory provisions or in connection with commissioned data processing.
6.2 Google Analytics
We use Google Analytics, the web analytics service of Google LLC, Mountain View, California, USA, on our websites; Google Limited Ireland («Google») is responsible for data processing in Europe. Google Analytics uses «cookies», which are text files that are stored on your computer and allow your use of the website to be analysed. The information generated by the cookie about your use of this website (including your IP address, which is, however, anonymised using the anonymizeIp() method so that it can no longer be assigned to a specific user) is transmitted to a Google server in the USA and stored there. Google will use this information to evaluate your use of the website, compile reports on website activity for the website operators and provide other services relating to website and internet usage. Google may also transfer this information to third parties where it is required to do so by law, or where such third parties process the information on Google’s behalf. Google may associate your IP address with other data held by Google.
For data transfers to the USA, Google has undertaken to sign and comply with the EU's standard contractual clauses.
Insofar as we evaluate your visit to our website on the basis of your consent, you can revoke your consent for the future here if you no longer wish to provide it.
6.3 Google Maps
We use Google Maps (API) from Google Inc. on our website (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Google Limited Ireland, «Google» is responsible for data processing in Europe). Google Maps is a web service that displays interactive (land) maps to visually represent geographical information. By using this service, you will be shown our location and may be given directions to help you find your way to us.
As soon as you call up those sub-pages in which Google Maps map is integrated, information about your use of our website (such as your IP address) is transmitted to Google servers in the USA and stored there. This occurs regardless of whether Google provides a user account through which you are logged in or whether no user account exists. If you are logged in to Google, your data are directly assigned to your account. If you do not want the data to be assigned to your profile at Google, you must log out before activating the button. Google stores your data (even for users who are not logged in) as usage profiles and evaluates them.
For data transfers to the USA, Google has undertaken to sign and comply with the EU's standard contractual clauses.
If you do not agree to the future transmission of your data to Google in connection with your use of Google Maps, you also have the option of completely disabling the Google Maps web service by turning off the JavaScript application in your browser. Google Maps and the map display on this website cannot be used in this case.
The additional terms of use for Google Maps can be found at https://www.google.com/intl/de_US/help/terms_maps.html
Detailed information on data protection in connection with the use of Google Maps can be found at http://www.google.de/intl/de/policies/privacy/.
6.4 Social media plugins
Social media plugins («plugins») from third-party providers are used on our website. These plugins can be identified by the logo of the relevant social network. We use the plugins to offer you the opportunity to interact with the social networks and other users. We use the following plugins on our website: Facebook, Twitter, LinkedIn and YouTube.
When you access our website, your browser establishes a direct connection with the third-party provider’s servers. The content of the plugin (e.g. YouTube videos) is transmitted directly to your browser by the third-party provider in question and incorporated into the page.
The data transfer for the display of content (e.g. publications on Twitter) takes place regardless of whether you have an account with the third-party provider and are logged in there. If you are logged in with the third-party provider, the data we record are also allocated directly to your account with the third-party provider. When you activate the plugins, the information is also published in the social network and displayed to your contacts there. Please refer to the data protection notices of the third-party providers regarding the purpose and scope of the recording and further processing and use of the data by the third-party providers as well as your rights in this regard and the settings available to protect your privacy.
The third-party provider stores the data recorded about you as a user profile, which it uses for the purposes of marketing, market research and/or designing its website to meet demand. This kind of analysis is also carried out, in particular, for users who are not logged in to display demand-based marketing and inform other users of the social network about your activities on our website.
If you would like to prevent third-party providers from allocating the data gathered via our website to your personal profile in the respective social network, then you must log out of that social network before visiting our website. You can also completely prevent the plugins from being loaded with specialised add-ons for your browser, such as «Ghostery» (https://www.ghostery.com/) or «No Script» (http://noscript.net/).
6.5 Newsletter tracking
To send out our newsletters, we use the software BSI Studio from the provider BSI (BSI Business Systems Integration AG, Täfernweg 1, CH-5405 Baden). Newsletters can be sent and analysed with this software. We collect device and access data to carry out this analysis. The newsletter contains a pixel to collect these data. The newsletter or the websites accessible from this newsletter are also tracked with cookies. A pixel is an image file, which is stored on the recipient’s device.
With the help of these technologies, we receive information indicating whether the newsletter has arrived, whether it has been opened and which content has been clicked on. We use this information to improve our newsletter and our offers.
The setting of a pixel can be prevented by deactivating HTML in the mail program (varies depending on the mail program).
7 With whom we may share data
We will only disclose your data to third parties if this is necessary to provide our service, if these third parties provide a service for us, if we are required to do so by law or by the authorities, or if we have an overriding interest in disclosing the personal data. We will also disclose personal data to third parties if you have consented to this or have requested us to do so.
The following categories of recipients may receive personal data from us:
- Other BDO companies within the global BDO network, subsidiaries and affiliates.
- Service providers (e.g. IT service providers, hosting providers, suppliers, consultants, lawyers, insurance companies and credit agencies).
- Third parties within the scope of our legal or contractual obligations, authorities, state institutions and courts.
We conclude contracts with service providers who process personal data on our behalf, obliging them to ensure data protection. Most of our service providers are located in Switzerland or in the EU/EEA. Certain personal data may also be transferred to the USA (e.g. Google Analytics data) or, in exceptional cases, to other countries worldwide. If a data transfer to other countries that do not have an adequate level of data protection is necessary, this will be carried out on the basis of the EU standard contractual clauses (e.g. in the case of Google) or other suitable instruments (e.g. Binding Corporate Rules in the case of a transfer within the worldwide BDO network. BDO’s Binding Corporate Rules can be found here).
8 How long we keep the data
We retain personal data for as long as is necessary to achieve the purpose for which we collected it. If there are legal or regulatory obligations or overriding interests in storing the data for longer, we retain the personal data. This period is usually at least ten years, e.g. to fulfil archiving obligations in accordance with tax law and accounting regulations or to secure the enforcement of claims. Web analytics data are retained for a short period of time only. After the retention period has expired, the personal data are deleted or anonymised.
9 Data security
We have taken appropriate, state-of-the-art measures to ensure data security and confidentiality of personal data. These include, for example. Encryption of data transmission and restriction of access rights. We regularly review these measures and adjust them if necessary. Employees and service providers are also obliged to comply with data protection and confidentiality requirements at all times.
10 Your rights
You have the following rights in connection with our processing of personal data:
- The right to information about personal data stored by us about you, the purpose of the processing, the origin of the data and the recipients or categories of recipients to whom personal data are disclosed.
- The right to rectification if your data are incorrect or incomplete.
- The right to restrict the processing of your personal data.
- The right to request the erasure of personal data that have been processed.
- The right to data portability.
- The right to object to data processing or to withdraw consent to the processing of personal data at any time without giving reasons.
- The right to complain to a competent supervisory authority if provided for by law.
To exercise these rights, please contact the address specified in section 2.
11 Amendments to the privacy policy
We explicitly reserve the right to amend this online privacy policy at any time.
Last update: June 2022