Who is responsible for processing your personal data
BDO is the data controller for the processing of your personal data.
What personal data we process about you
The personal data that will be processed is obtained from the client, their group company (if applicable), or other sources, such as the Tax Agency, the Swedish Companies Registration Office or publicly available sources. The personal data relates to authorised representatives and other persons whose personal data is needed to manage the client relationship as well as data on the beneficial owner.
The categories of personal data that may be processed include contact details such as name, address, social security number/coordination number, telephone number, e-mail address, department, and job title. In connection with the registration of the client, BDO will also process data and documents confirming the identity of the persons representing the client and, where applicable, process personal data related to convictions and offences within the framework of the client due diligence measures that we are obliged by law to take in accordance with money laundering and auditing legislation.
Why we process your personal data
The personal data is processed prior to the acceptance of clients and/or assignments and in connection with the performance of the assignment in order to carry out independence checks, quality checks, checks on conflicts of interest, measures pursuant to the Act (2017:630) on measures against money laundering and terrorist financing ("Money Laundering Act"), the Auditor Act (2001:883), and the Audit Act (1999:1079). We also process personal data to document that the above measures have been taken. Such processing is necessary to meet BDO's legal obligations.
We will process personal data for other risk management measures such as insurance matters and documentation of work performed in order to protect ourselves against possible legal claims. This processing is necessary for BDO's legitimate interest in managing risks and possible claims.
We will process personal data to carry out our internal financial accounting necessary to meet our legal obligations under the Accounting Act (1999:1078) and other financial legislation.
We may process personal data from customers in order to improve the efficiency and development of the services we offer to our customers. The processing is justified by a balancing of interests where we have assessed that our legitimate interest in being able to develop our services outweighs the rights and freedoms of the data subject.
Finally, we may process personal data for internal administrative purposes that are necessary to comply with the contract we have entered into with the customer, which includes, for example, processing to collect payments and provide the customer with access to necessary systems and services. This processing is justified by our legitimate interest in being able to deliver and carry out our obligations under the contract with the customer.
Who has access to your personal data
Your personal data is processed by BDO. Data is shared with providers of mainly IT services who act as data processors and who process personal data on our behalf. We have entered into data processor agreements with all data processors to ensure that your personal data is processed in a lawful, accurate, and secure manner.
Personal data may be processed by BDO's network agencies or others engaged by BDO for the purpose of carrying out the activities referred to above on behalf of BDO or for the purpose of any quality control; they may be based both within and outside the EU/EEA.
Where appropriate, we also disclose personal data to:
- Authorities where such disclosure is provided for by law.
- Our trade association FAR in connection with any quality control.
- Banks and debt collection agencies.
- Insurers.
- Law firms, to safeguard our legal interests, if any.
How long we process and store your personal data
Personal data we process to fulfil our legal obligations under money laundering legislation is deleted five (5) years after the business relationship has ended.
Any data relating to payment and for which processing is required under the Accounting Act is deleted after seven (7) years.
Personal data that we process for the purpose of fulfilling our contract with you, the customer you are employed by or contracted to, is initially processed for as long as is necessary for us to administer the contractual relationship, exercise our rights and obligations, and fulfil our commitments to you.
Completed contracts and documentation from the completed assignment that may contain your personal data are deleted ten (10) years after the contract expires in accordance with the rules on the statute of limitations in the Limitation Act (1981:130).
Transferring your personal data outside the EU/EEA
Your personal data may be transferred to and processed in a country outside the EU/EEA which does not have the status of an adequate protection country according to the European Commission. If and when this may be the case, the transfer of personal data will be in accordance with applicable data protection legislation and based on the European Commission's approved standard contractual clauses. In case of transfer to other BDO network firms within the BDO network, BDO's Binding Corporate Rules for data controllers and processors will be used.