INFORMATION IN ACCORDANCE WITH ART. 13 GDPR
1. Data protection and privacy
Data protection is important to us. The BDO Austria Group has taken the necessary organizational and technical measures to ensure the security of your data. The data security measures are state of the art. All employees of the BDO Austria Group as well as our processors (especially Software companies) are obliged to maintain confidentiality as part of their employment contract and our employees have been trained in data protection.
2. Controller
The local companies of the BDO Austria Group as defined in the General Data Protection Regulation ("GDPR") are each independently responsible for the collection and processing of the data.
We would like to inform you that as public accountants and tax advisors, we are bound by the strict professional codes and regulations of the Austrian Auditing, Tax Advising and Related Professions Act (“WTBG”) as well as the Austrian Auditor Oversight Act (“APAG”) and the respective regulations issued by the Austrian Chamber of Public Accountants and Tax Advisors (“KSW”). These rules oblige members of the public accounting and tax advisory professions to always render their respective services independently and self-responsible. This independence and responsibility lead to the conclusion, that from a data protection perspective, all professional tasks performed by public accountants and tax advisors will lead to their classification as “controller” with respect to the terms and categories of the GDPR. Therefore – in accordance with the legal opinion of KSW – public accountants and tax advisors are, in the execution of their trade not to be classified as “processors” or “joint controllers” of their clients.
For the reasons of our virtue of profession and our responsibility, we have to comply with all data protection regulations and all requirements of the GDPR. Therefore, we take comprehensive technical and organizational security measures to protect all personal data from unlawful access, processing, loss, use and manipulation. Due to our independent role as "controller", these services do not require the completion of a separate "Data Processing Agreement" or "Joint Responsibility Agreement".
Besides the data protection regulations, our legal duty of confidentiality continues to exist. We treat all matters entrusted or that become known to us during the course of our work with strictly confidential. Those matters include trade and business secrets, as well as personal circumstances.
According to the GDPR, we can be qualified as processors regarding our consulting services as the case may be. For this reason, we will separately inform you about the mutual responsibilities when negotiating a prospective contract.
3. Processing the personal data – categories of data subjects
The BDO Austria Group processes personal data from the following categories of data subjects:
- newsletter subscribers
- clients
- suppliers
- applicants
- potential business partners (interested parties)
- other persons related to our assignments
Newsletter subscribers
Name, e-mail address, address and telephone number are used to send newsletters or information about events and services of the BDO Austria Group. Due to the legal obligation to provide information, we send BDO Tax Newsletters to all our customers. Other newsletters are only available with explicit consent, which can be revoked at any time (datenschutz@bdo.at).
Processors of the BDO Austria Group, e.g. providers of newsletter tools, have access to the relevant personal data, as soon as the newsletter will be sent. These processors are obliged to comply with data protection regulations.
Clients
Client data are processed during the fulfilment of the contract. This also includes the use for detailed examination of whether a contract may be accepted (contract initiation) and the following quality assurance. Depending on the contract, the data provided may vary.
We process, amongst other information, the following data of our clients: name, address, e-mail address, telephone number, performance data, bank data, master data of the creditors, master data of the debtors, names of the employees including employee master data, as well as salary data, representation powers, dunning and complaint data, tax number, accounting data and other accounting documents, authorizations, contact persons and contact details of the contact persons.
In addition, our services as accountants and tax advisors are subject to numerous legal obligations, which include the processing of e.g. name, date of birth, copy of identity cards, address of residence and place of birth of managing directors and supervisory board members for the purposes of inquiries concerning money laundering etc.
Suppliers
The BDO Austria Group processes data of their suppliers such as the name, address, e-mail address, telephone number, contact details of contact persons, accounting documents and, if necessary, further data required for the business relationship. The data are processed exclusively within the framework of the contractual relationship with the respective supplier.
Applicants
During the application process, your provided data (including name, date of birth, address, e-mail address and telephone numbers) and documents (including motivation letter, CV, professional, education and work certificates) will be stored. If there is a first interview, further data (including birthplace, social security number, citizenship, residence permit if necessary, work permit, salary expectations) are collected via a personnel questionnaire (paper form) on site. In case of employment, the personnel questionnaire will be included in the personnel file. In case of rejection, the personnel questionnaire will be destroyed and will not be processed electronically or physically. This data will only be processed in the context of your application (see also point 4 concerning the transfer of data to certain recipients). We have made sufficient technical arrangements to restrict the access to the data to human resources personnel and company personnel responsible for selecting candidates.
If we choose you during the application process, your documents and personal data submitted will be transferred to our personnel database and placed in your personnel file.
If you have applied, but we have taken another candidate, your complete documents will be stored for 12 months after completing the application process and will then be deleted. If you have given us the consent for further processing - for example, if we continue to keep your records for future open positions - we will save the transferred data until further notice and process them in the context of suitable application processes for a period of 36 months after which your personal data will be deleted. This also applies to unsolicited applications. For revocation of such consent, please send an e-mail to datenschutz@bdo.at.
Your personal data will not be shared under any circumstances with any other company or person (outside of BDO Austria Group as controller) or used for other purposes than your application.
Potential business partners
As a potential business partner, we store your personal data, such as i.a. name, company, address, telephone number, e-mail address and the contact details of contact persons. The data will not be used for any other purpose than a possible business relationship and will not be shared with third parties unless you have expressly consented.
Employees of clients or suppliers in course of service provision or project implementation – Communication via Microsoft Teams
In course of providing services or implementing projects we and our clients or suppliers may agree to use Microsoft Teams for communication within the project team (for a client project or BDO internal project) or for providing courses or trainings. Where such agreement to use Microsoft Teams is entered into, we process personal data of employees of our clients or suppliers for the purpose of providing the contracted services (e.g. courses, trainings) or to facilitate communication within the respective project team. Such processing is based on our legitimate interest as per Article 6(1) f GDPR, which lies in the performance and fulfillment of the contracts we concluded with our clients, in facilitating the communication for internal projects as well as in the technical security and administration of Microsoft Teams.
In this context we process the following personal data of employees of our clients or suppliers: first name, surname, professional e-mail address, assignment to the relevant partner group/department/project (at BDO) as well as a mobile phone number (when two-factor-authentication is used); we receive the aforementioned personal data either from our clients and suppliers or their employees themselves. Furthermore, we process the content of user posts in Microsoft Teams, the username, the IP address and data on logins and logouts. The personal data are processes within the EU/EEA. We do not share the personal data with third parties.
The personal data of clients’ or suppliers’ employees concerned are processed and stored as long as necessary for the due completion of the relevant project or training. After completion of the respective project, after leaving the project team or after completion of the training, whichever applies as the case may be, the personal data are deleted in Microsoft Teams and the Azure Cloud.
You can find more general information on Microsoft teams at https://www.microsoft.com/en-us/microsoft-365/microsoft-teams/group-chat-software. More information on privacy, security and compliance is available at https://www.microsoft.com/en-us/microsoft-365/microsoft-teams/security
Other persons related to our assignments
As part of our professional activities, we process personal data of other groups of persons, such as name, address, contact details and balance of creditors and debtors of our customers in the context of auditing (balance confirmations) or salary data of our customers' employees as part of our payroll activities for clients.
The data categories may vary depending on the type of activity. However, we use this data only for the purpose of our professional activities. The personal data are going to be deleted after the statutory retention obligations have expired, if there is no other justification for storage.
4. Legal basis of processing
Unless already mentioned in the comments on the categories of data subjects hereinabove, the possible legal bases for data processing are listed here:
If you are a prospective client or potential future client, we will only use your contact data for direct mailing via e-mail or telephone with your consent in accordance with art. 6 para. 1 lit. a GDPR.
If you are our client or supplier, we process your personal data in order to fulfil the contract concluded with you (art. 6 (1) (b) GDPR). This applies also to other persons related to our assignments. The data is kept for 7 or 22 years according to the legal requirements.
In addition, we process your personal data because of our predominant legitimate interest to achieve the purposes mentioned under point 3 (art. 6 (1) f GDPR) and on the legal basis of the WTBG 2017 (art. 9 (2) g GDPR).
5. Processing of data
Your personal data are stored and processed on the systems of the BDO Austria Group, which have been outsourced to our IT service provider (A1). Furthermore, the data will be passed on to companies of the BDO Austria Group, if this is necessary for the respective contract execution.
Disclosure to the following recipients may be made as far as the above-mentioned purposes require:
- global BDO network
- IT service providers and other service providers
- administrative authorities, courts and public law bodies
- Public Accountants and Tax Advisors
- Insurance companies on the occasion of the conclusion of an insurance contract if necessary (e.g. liability insurance)
- clients, as far as data of the partners, organs and other employees of the respective clients are concerned
- cooperation partners and legal representatives working for us
- client-specific other recipients (for example, group companies of the client)
- additionally in case of personal data of employees of our clients in the field of payroll accounting:
- creditors of the employee as well as other parties involved in any legal action that may be involved, including in the case of voluntary salary assignments for claims due
- organs of the operational and legal interest representation
- insurance companies in the framework of existing group or individual insurance as well as employee benefit funds
- banks related to the payment of salaries and wages
- company doctors and pension funds
- co-insured and
- additionally in the field of accounting for clients:
- collection companies for debt collection
- banks on behalf of the customer
- factoring companies, assignees and leasing companies
Some of the above recipients may be located outside Austria or process your personal information outside Austria. The level of data protection in other countries may not be the same as in Austria. We therefore take steps to ensure that the processors provide an adequate level of data protection. For example, we conclude standard contractual clauses ((EU) 2021/914. These are available on request.
„Where personal data are transferred to other BDO Member Firms located in third countries, such transfers are based on the “Binding Corporate Rules for Controllers” or the “Binding Corporate Rules for Processors”, respectively, which are valid and binding for all BDO Member Firms and have been approved by the EDPB. These documents are available here.”
In no case will we sell your data.
6. Rights of the data subject
Data subjects have the right of information and to access by the controller regarding the personal data concerning them as well as the right of rectification of incorrect data or on deletion, if one of the cases defined in art. 17 GDPR applies, e.g. if the data are no longer needed for the purposes pursued. Data subjects also have the right of restriction of the processing if one of the conditions set out in art. 18 GDPR applies and, in case of Art. 20 GDPR, the right to data portability. If the data processing is based on art. 6 para. 1 lit. f (data processing for the protection of legitimate interests), the data subject has the right to object to the processing at any time for reasons arising from their particular situation. We will then no longer process the personal data unless there are evidently compelling legitimate grounds for processing that outweigh the interests, rights and freedoms of the data subject, or the processing is for the purpose of enforcing, pursuing or defending legal claims. Please direct inquiries to datenschutz@bdo.at.
If you make a request to us as a data subject, we are obliged to verify your identity. The type of proof of identity depends on the request. We will keep your request and our answer for 13 months year as evidence for the responding to your request.
The companies of the BDO Austria Group are also subject to the supervision of the Austrian Data Protection Authority, which is the competent authority for any GDPR related complaints against BDO Austria Group. As such you also have the right to lodge complaints with the Austrian Data Protection Authority.
Please note that the obligation to provide information in accordance with art. 14 (5) GDPR with respect to data subjects, whose personal data we do not collect from the data subjects in the course of our professional activities for our clients, is not applicable. The right of data subjects to access pursuant to art. 15 GDPR is also limited insofar as this would affect the conflicting rights and freedoms of our customers or third parties. Insofar as data has been transmitted to us by third parties within the scope of the assignment (such as in the context of payroll accounting, accounting or auditing), we request that you directly claim the affected rights from these companies (employers, business partners etc.).
7. Data storage
In principle, we store your personal data until the termination of the business relationship, in which we have collected your data, until expiry of the applicable statutory limitation and retention periods or until the purpose for processing has been fulfilled; in addition, we store personal data until the termination of any legal disputes in which the data are required as proof. Insofar as you are a client, former client, prospective client or potential future client or a contact person as described hereinabove, we store your personal data for the purposes of marketing until your objection or revocation of your consent, as far as the marketing measures are based on your
For questions and complaints, please contact our data protection officer at datenschutz@bdo.at.
Last modified: August, 3rd, 2022