Online Data Protection Notice
- General
- Responsible office and contact
- Personal data we collect and process
- The personal data we collect and process
- How we use tracking technology
- How we use artificial intelligence (AI)
- With whom we may share data
- How long we keep the data
- Data security
- Your rights
- Amendments to the privacy policy
1. General
Thank you for your interest in our services. This privacy policy provides information on how we process personal data (i.e. information relating to an identified or identifiable individual; hereinafter “personal data” or “data”) at BDO.
2. Responsible office and contact
The office responsible for data processing is: BDO AG, Schiffbaustrasse 2, 8005 Zurich, Switzerland (“BDO”, “us” or “we”).
Contact for privacy issues:
BDO AG
Data Protection
Hodlerstrasse 5
3011 Bern
Switzerland
privacy@bdo.ch
Representative in the EU:
Brussels Worldwide Services BVBA
The Corporate Village, Elsinore Building
Leonardo Da Vincilaan 9 – 5/F
1930 Zaventem
Belgium
3. Personal data we collect and process
In particular, we undertake the following categories of personal data collection and processing. A detailed description of the personal data used and further information on processing can be found under section 4 of this privacy policy:
- If you are our customer and we provide or have provided services to you (for an overview of our services, see here) (→ Customers, section 4.1)
- If we received your personal data from our customer and not directly from you when providing our services to our customer. (→ Customers, section 4.2)
- If you visit our website. (→ Website, section 4.3)
- If you attend one of our events. (→ Event guests, section 4.4)
- If we communicate with you or inform you about our services and if we advertise. (→ Recipients, section 4.5)
- If you apply for a job with us (→ Applicants, section 4.6)
- If you have any other contractual relationship with us, e.g. as a supplier, service provider or consultant. (→ Suppliers, section 4.7)
- If we are required to do so for legal or regulatory reasons.
- When we perform due diligence or process personal data for other legitimate interests, such as to avoid conflicts of interest, prevent money laundering or other risks, ensure data accuracy, check creditworthiness, ensure security or enforce our rights.
As a rule, we collect the data directly from you, i.e. from customers, website visitors or contractual partners. We may also receive information about people who do not have a direct relationship with us, but with the customer (e.g. data about customers' employees). We collect certain data from public or other official sources, such as the commercial or debt collection register or social networks such as LinkedIn (see section 4.2). We may also obtain data from companies in BDO's international network and third parties, such as credit agencies (e.g. Intrum) or providers of risk assessment information, and share data with them.
- Contact information (e.g. last name, first name, address, telephone number, e-mail address including meta data as well as recordings and image and video recordings).
- Customer information (e.g. date of birth, nationality, marital status, occupation, title, job title, passport/ID number, AHV number)
- Risk management data (e.g. credit rating information, commercial register data, World Check information and data from the international BDO network)
- Financial information (e.g. data on bank details)
- Mandate data, depending on the mandate (e.g. tax information, business data (statutes, minutes, projects and contracts)), employee data (e.g. salary, social security), accounting data, beneficial owners and ownership structure
- Web page data (e.g. IP address, device information (UDI), browser information, web page usage (analytics and use of plugins, etc.))
- Application data (e.g. curriculum vitae and references)
- Marketing information (e.g. newsletter registration)
4. The personal data we collect and process
4.1 When you use our services
From our customers we collect the personal data that we need to provide our contractually agreed service, to protect our interests, or on the basis of a legal or other binding regulation. When we fulfil a contract with you, we collect other personal data depending on the service involved and whether you are a natural person or a legal entity.
The personal data of our customers consist of the following pieces of information in particular:
- Contact information (e.g. last name, first name, address, telephone number, e-mail address and other contact information)
- Personal information (e.g. date of birth, nationality, marital status, occupation, title, job title, passport/ID number, AHV number, family circumstances, etc.)
- Risk management data (e.g. credit rating information, commercial register data, sanctions lists, specialised databases, data from BDO’s network or the Internet)
- Financial information (e.g. data on bank details, investments and shareholdings)
- Mandate data, depending on the mandate, e.g. tax information, business data (statutes, minutes and projects), employee data (e.g. salary and social security), accounting data, etc.
- Sensitive personal data: these personal data may also include sensitive personal data such as data relating to health, religious beliefs and social assistance measures, in particular if we provide payroll processing or accounting services.
- Marketing information (e.g. use of website or subscription to a newsletter).
We process these personal data for the described purposes based on the following legal bases:
- Conclusion or execution of a contract with the data subject or for the benefit of the data subject, including contract initiation and possible enforcement (e.g. consulting and fiduciary)
- Fulfilment of a legal obligation (e.g. when we perform our duties as auditors or are required to disclose information).
- Safeguarding of legitimate interests (e.g. for administrative purposes, to improve our quality, ensure safety, manage risk, enforce our rights, defend against claims, and review potential conflicts of interest).
- Consent (e.g. to allow the use of cookies or to subscribe to the newsletter)
4.2 If we do not receive information directly from our customers
When we provide services to our customers, we may also process personal data that we have not collected directly from the data subjects or other persons' personal data. These other persons are usually employees, contacts, family members or persons who have a relationship with the customers or data subjects for other reasons. We need these personal data to fulfil the contracts with our customers. We receive these personal data from our customers or from third parties contracted by our customers. Persons whose information we process for this purpose are informed by our customers that we are processing their data. Our customers can refer to this privacy policy for this purpose.
The personal data of the persons who have a relationship with our customers consist of the following information in particular:
- Contact information (e.g. last name, first name, address, telephone number, e-mail address, other contact information, and marketing data)
- Personal information (e.g. date of birth, nationality, marital status, occupation, title, job title, passport/ID number, AHV number, family circumstances, etc.)
- Financial information (e.g. data on bank details, investments and shareholdings)
- Mandate data, depending on the mandate, e.g. tax information, business data (statutes, minutes and projects), employee data (e.g. salary and social security), accounting data
- Sensitive personal data: these personal data may also include sensitive personal data such as data relating to health, religious beliefs and social assistance measures, in particular if we provide payroll processing or accounting services.
We process these personal data for the described purposes based on the following legal bases:
- Conclusion or execution of a contract with the data subject or for the benefit of the data subject (e.g. when we perform our contractual obligations)
- Fulfilment of a legal obligation (e.g. when we perform our duties as auditors or are required to disclose information).
- Safeguarding of legitimate interests, in particular our interest in providing the best possible service to our customers.
4.3 When you visit our websites or receive a newsletter
You can visit our websites without having to provide any personal data. However, when you visit our website, we automatically collect personal data that we need to operate our website and ensure security. We also collect data in order to analyse user behaviour on our website or in our newsletter and to use this information for the communication and improvement of our products (see also section 5, How we use tracking technologies and the Cookie Policy).
In addition, we collect the necessary information when you fill out the contact form on the website, register to receive the newsletter or for an event or participate in a survey. Designated information on data protection exists where necessary for separate applications or logins.
This personal data consists of the following information in particular:
- Contact information (e.g. last name, first name, address, telephone number and e-mail address)
- Personal information (e.g. occupation, function, title and employer)
- Other information that you submit to us via the website
- Marketing information (e.g. use of the website or subscription to a newsletter)
- Technical information, information on user behaviour or website settings that is automatically transmitted to us or our service providers (e.g. IP address, UDI, device type, browser, number of clicks on the page, opening of the newsletter, clicks on links, etc., see section 5).
We process these personal data for the described purposes based on the following legal bases:
- Safeguarding of legitimate interests (e.g. for administrative purposes, to improve our quality, analyse data or publicise our services).
- Consent (e.g. to the use of cookies or for the newsletter or for chargeable services).
4.4 When you attend a BDO event
When you attend an event organised by us, we collect personal data to organise and conduct the event and, if necessary, to send you additional information afterwards. We also use your information to alert you to other events. You may be photographed or filmed by us at these events, and we may publish this footage internally or externally.
This consists of the following information in particular:
- Contact information (e.g. last name, first name, address, telephone number and e-mail address)
- Personal information (e.g. occupation, function, title, employer company and dietary information)
- Pictures or videos
- Payment information (e.g. bank details).
We process these personal data for the described purposes based on the following legal bases:
- Fulfilment of a contractual obligation with or for the benefit of the data subject, including contract initiation and possible enforcement (making participation in the event possible)
- Safeguarding of legitimate interests (e.g. holding events, disseminating information about our event, providing services, and efficient organisation).
- Consent (e.g. to send you marketing information or to create visual materials).
4.5 When we communicate with you or you visit us
If you contact us (e.g. via telephone, e-mail or chat) or if we contact you, we process the personal data required for this purpose. We also process these personal data when you visit one of our offices. In this case, you may be required to leave your contact information prior to your visit or at the reception desk. We retain these data for a restricted time to protect our infrastructure and information.
We process the following information in particular:
- Contact information (e.g. last name, first name, address, telephone number and e-mail address)
- Marginal data for communication (e.g. IP address, duration of communication, and communication channel).
- Recordings of conversations, e.g. during video conferences
- Personal information (e.g. occupation, function, title and employer)
- Time and reason for the visit.
We process these personal data for the described purposes based on the following legal bases:
- Fulfilment of a contractual obligation with or for the benefit of the data subject, including contract initiation and possible enforcement (provision of a service)
- Safeguarding of legitimate interests (e.g. security, traceability, and processing and administration of customer relationships).
- Consent (e.g. to the recording of conversations).
4.6 When you apply to BDO online
From people who apply online for one of our advertised positions, or who send us an application, we collect the information provided in the online application tool as well as any information provided by the applicant on their own initiative. The online application portal has a separate privacy policy and additional information on employee personal data processing will be provided during the application process.
4.7 When you provide a contractual service in another capacity (e.g. suppliers, service providers, and other contractual partners)
When we enter into a contract with you to provide a service to us, we process personal data from you or your employees. We need these data to communicate with you and to make use of your services. We may also process these personal data to check whether there could be a conflict of interest in connection with our work as auditors and to ensure that we do not take any undesirable risks, e.g. with regard to money laundering or sanctions, through our cooperation.
We process the following information in particular:
- Contact information (e.g. last name, first name, address, telephone number and e-mail address)
- Personal information (e.g. occupation, function, title and employer company)
- Financial information (e.g. data on bank details).
We process these personal data for the described purposes based on the following legal bases:
- Conclusion or execution of a contract with the data subject or for the benefit of the data subject, including contract initiation and possible enforcement
- Safeguarding of legitimate interests (e.g. avoiding conflicts of interest, protecting the company and enforcing legal claims).
5. How we use tracking technology
Cookies, pixels, tags and other tracking technologies (“cookies”) are used on the BDO website and in the BDO newsletter. Cookies are small files that are saved on your computer or mobile end device when you visit our website or receive the newsletter. We use cookies to facilitate various functions of our website and to be able to offer you the best possible browsing experience, for example by saving your settings.
For more information on the use of cookies, please see our cookie policy.
5.1 Web analytics, newsletter analysis and tracking technology
We use the following web analysis tools and retargeting technologies to obtain information regarding the use of our website, improve our Internet services and to be able to contact you with marketing on third-party websites and social media: Google Analytics, Facebook Pixel, Kentico EMS and BSI Studio (newsletter).
These tools are supplied by third-party providers. The information regarding the use of the website that is gathered for this purpose is generally transmitted through cookies or similar technology to the third-party provider’s server. Depending on the third-party provider, these servers may be located in another country.
The data are usually transmitted with the IP addresses abbreviated to prevent the identification of individual end devices. This information is passed on by third-party providers only on the basis of statutory provisions or in connection with commissioned data processing.
5.2 Google Analytics
We use Google Analytics, the web analytics service of Google LLC, Mountain View, California, USA, on our websites; Google Limited Ireland (“Google”) is responsible for data processing in Europe. Google Analytics uses “cookies”, which are text files that are stored on your computer and allow your use of the website to be analysed. The information generated by the cookie about your use of this website (including your IP address, which is, however, anonymised using the anonymizeIp() method so that it can no longer be assigned to a specific user) is transmitted to a Google server in the USA and stored there. Google will use this information to evaluate your use of the website, compile reports on website activity for the website operators and provide other services relating to website and internet usage. Google may also transfer this information to third parties where it is required to do so by law, or where such third parties process the information on Google’s behalf. Google may associate your IP address with other data held by Google.
For data transfers to the USA, Google has undertaken to sign and comply with the EU’s standard contractual clauses.
Insofar as we evaluate your visit to our website on the basis of your consent, you can revoke your consent for the future here if you no longer wish to provide it.
5.3 Google Maps
We use Google Maps (API) from Google Inc. on our website (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Google Limited Ireland, “Google” is responsible for data processing in Europe). Google Maps is a web service that displays interactive (land) maps to visually represent geographical information. By using this service, you will be shown our location and may be given directions to help you find your way to us.
As soon as you call up those sub-pages in which a Google Maps map is integrated, information about your use of our website (such as your IP address) is transmitted to Google servers in the USA and stored there. This occurs regardless of whether Google provides a user account through which you are logged in or whether no user account exists. If you are logged in to Google, your data are directly assigned to your account. If you do not want the data to be assigned to your profile at Google, you must log out before activating the button. Google stores your data (even for users who are not logged in) as usage profiles and evaluates them.
For data transfers to the USA, Google has undertaken to sign and comply with the EU's standard contractual clauses.
If you do not agree to the future transmission of your data to Google in connection with your use of Google Maps, you also have the option of completely disabling the Google Maps web service by turning off the JavaScript application in your browser. Google Maps and the map display on this website cannot be used in this case.
The additional terms of use for Google Maps can be found at https://www.google.com/intl/de_US/help/terms_maps.html
Detailed information on data protection in connection with the use of Google Maps can be found at http://www.google.de/intl/de/policies/privacy/.
5.4 Social media plugins
Social media plugins (“plugins”) from third-party providers are used on our website. These plugins can be identified by the logo of the relevant social network. We use the plugins to offer you the opportunity to interact with the social networks and other users. We use the following plugins on our website: Facebook, Twitter, LinkedIn and YouTube.
When you access our website, your browser establishes a direct connection with the third-party provider’s servers. The content of the plugin (e.g. YouTube videos) is transmitted directly to your browser by the third-party provider in question and incorporated into the page.
The data transfer for the display of content (e.g. publications on Twitter) takes place regardless of whether you have an account with the third-party provider and are logged in there. If you are logged in with the third-party provider, the data we record are also allocated directly to your account with the third-party provider. When you activate the plugins, the information is also published in the social network and displayed to your contacts there. Please refer to the data protection notices of the third-party providers regarding the purpose and scope of the recording and further processing and use of the data by the third-party providers as well as your rights in this regard and the settings available to protect your privacy.
The third-party provider stores the data recorded about you as a user profile, which it uses for the purposes of marketing, market research and/or designing its website to meet demand. This kind of analysis is also carried out, in particular, for users who are not logged in to display demand-based marketing and inform other users of the social network about your activities on our website.
5.5 Newsletter tracking
To send out our newsletters, we use the software BSI Studio from the provider BSI (BSI Business Systems Integration AG, Täfernweg 1, CH-5405 Baden). Newsletters can be sent and analysed with this software. We collect device and access data to carry out this analysis. The newsletter contains a pixel to collect these data. The newsletter or the websites accessible from this newsletter are also tracked with cookies. A pixel is an image file, which is stored on the recipient’s device.
With the help of these technologies, we receive information indicating whether the newsletter has arrived, whether it has been opened and which content has been clicked on. We use this information to improve our newsletter and our offers.
The setting of a pixel can be prevented by deactivating HTML in the mail program (varies depending on the mail program).
6. How we use artificial intelligence (AI)
Artificial intelligence technologies may also be used when we perform our services. We may use these technologies to fulfil our obligations and improve our services, especially for the analysis of data or for programming. Artificial intelligence can also help with communication and content creation. It also helps us to handle our work in a simpler and better way by preparing, summarising or translating documents. We can make decisions more easily with the support of artificial intelligence technologies, for example by employing it to pre-select applicant profiles. Artificial intelligence technologies may also be used to ensure security.
We always use these technologies as an aid. Services are provided by BDO employees, and it is BDO employees who make decisions. We will also provide as much information as possible about when and how we use artificial intelligence technologies in rendering our services to you. We review, supervise and regularly assess artificial intelligence technologies.
In order to fulfil their purpose, artificial intelligence technologies must process information. This information may include data from our own databases. We will not process any of your personal data using artificial intelligence technologies in cases where this is not necessary. Under certain circumstances, however, your data may be used to train artificial intelligence. However, we will prevent this information from being passed on outside BDO.
7. With whom we may share data
We will only disclose your data to third parties if this is necessary to provide our service, if these third parties provide a service for us, if we are required to do so by law or by the authorities, or if we have an overriding interest in disclosing the personal data. We will also disclose personal data to third parties if you have consented to this or have requested us to do so.
The following categories of recipients may receive personal data from us:
- Other BDO companies within the global BDO network, subsidiaries and affiliates.
- Service providers such as contractors or suppliers (e.g. IT service providers, hosting providers, suppliers, consultants, lawyers, insurance companies and credit agencies).
- Third parties within the scope of our legal or contractual obligations, authorities, state institutions and courts.
- In particular, if you use the services of the digital branch, we may transfer data to our partners (e.g. Accounto, Foundera, Peax). This is to enable the provision of the respective service, to offer you the services of these third parties or to track the success and development of the collaboration.
We conclude contracts with service providers who process personal data on our behalf, obliging them to ensure data protection. Most of our service providers are located in Switzerland or in the EU/EEA. Certain personal data may also be transferred to the USA (e.g. Google Analytics data) or, in exceptional cases, to other countries worldwide. Transfers are generally made to countries with adequate data protection. If a data transfer to other countries that do not have an adequate level of data protection is necessary, this will be carried out on the basis of the EU standard contractual clauses or other suitable instruments (e.g. Binding Corporate Rules in the case of a transfer within the worldwide BDO network). BDO’s Binding Corporate Rules can be found here.
8. How long we keep the data
We retain personal data for as long as is necessary to achieve the purpose for which we collected it, i.e. at least for the duration of the agreement. If there are legal or regulatory obligations to store the data for longer, we retain the personal data for as long as this obligation applies. This period is usually at least ten years, e.g. to fulfil archiving obligations in accordance with tax law and accounting regulations or to secure the enforcement of claims. We may also retain data in order to protect our legitimate interests, e.g. for verification purposes or to ensure security. In this case, we will retain the data for as long as the interest exists. Other data, e.g. video surveillance or web analytics data, are retained for a short period of time only. After the retention period has expired, the personal data are deleted or anonymised.
9. Data security
We have taken appropriate, state-of-the-art measures to ensure data security and confidentiality of personal data. These include, for example, encryption of data transmission and restriction of access rights. We regularly review these measures and adjust them if necessary. Employees and service providers are also obliged to comply with data protection and confidentiality requirements at all times.
10. Your rights
You have the following rights in connection with our processing of personal data:
- The right to information about personal data stored by us about you, the purpose of the processing, the origin of the data and the recipients or categories of recipients to whom personal data are disclosed.
- The right to rectification if your data are incorrect or incomplete.
- The right to restrict the processing of your personal data.
- The right to request the erasure of personal data that have been processed.
- The right to data portability.
- The right to object to data processing or to withdraw consent to the processing of personal data at any time without giving reasons.
- The right to complain to a competent supervisory authority if provided for by law.
To exercise these rights, please contact the address specified in section 2.
11. Amendments to the privacy policy
We explicitly reserve the right to amend this online privacy policy at any time.