Privacy policy

 

About Us

1. Who is responsible for processing my personal data?

The joint controllers of your personal data are the following companies:

  • BDO Abogados y Asesores Tributarios, S.L.P., a company located at Paseo de Recoletos nº 37-41, 1st floor, 28004 Madrid, with Tax ID (NIF) B-82394735; and 
  • BDO Auditores, S.L.P., a company located at Calle San Elías, 29 Escalera B Planta 8 08006 Barcelona with Tax ID B82387572. 

For the purposes of this privacy policy, BDO Abogados and BDO Auditores will jointly be referred to as “BDO”.

2. How can I contact BDO's Data Protection Officer?

You can contact our Data Protection Officer (a) by mail at the address indicated in the previous section of this document, or (b) by sending an email to the following address: protecciondedatos@bdo.es.



About How We Process Your Personal Data

3. What purpose does BDO use my personal data for?

We will use your personal data, as applicable, according to the following purposes:

  1. To manage the contractual relationship with you, for the maintenance, compliance, development, control, and execution of such. 
  2. In connection with the above, to properly identify you in compliance with our obligations concerning anti-money laundering and terrorism financing.
  3. To manage any type of inquiry, claim, question, or need for information that you may require, whether through our “Contact” form or via our corporate email addresses or our social networks. 
  4. To send you, through traditional means, email and/or SMS or MMS, technical circulars and updates on regulatory and normative matters related to business management and risks, information about our firm or the BDO network, and valuable content (reports, publications, sectoral studies), events and/or updates from our blog that we believe may be of interest to you. 
  5. If applicable, to register you and manage your attendance at in-person, virtual, and/or webinars organized by us. In the case of events held jointly with other entities, we will inform you about such entities in the corresponding invitation.  In connection with the above, your data will be processed to analyze the attendance and participation index at the event. 
  6. To manage your application in the corresponding selection process, in case you have sent us your resume through the “View offers” section. 
  7. To include you in our employment pool to send you potential job offers that we believe may be of interest to you. 
  8. To conduct non-invasive statistical analyses and market studies that allow us to improve our services and technology. 
  9. Depending on your cookie settings, to perform statistical analyses and develop profiles based on your browsing habits; 
  10. To carry out quality actions and surveys aimed at knowing the degree of satisfaction of our clients and detecting areas in which we can improve.

4. How long will BDO keep my data once the purpose for which they are processed has been fulfilled?

We will use your personal data only for the time necessary to fulfill the purposes described in point 3 above and provided that their deletion or opposition is not requested through the means indicated in the section “What rights do I have over the personal data I have provided to BDO” in the case of those treatments whose legal basis is not the execution of the contract.

In any case, we will keep your data for the periods of legal prescription that are applicable and as long as this is adequate, relevant, and limited to the necessary for the purposes for which they are processed. Once these periods have ended, BDO will block your personal data in order to prevent their processing, except for making them available to Public Administrations and Courts, to comply with the legal obligations that may arise. After the legal prescription periods, your personal data will be destroyed.

5. What technical and/or organizational security measures does BDO apply to the processing of my personal data?

BDO has adopted the necessary technical and organizational measures to ensure the security of the personal data processed and to prevent their alteration, loss, processing, or unauthorized access, taking into account the state of the technology, the nature of the stored data, and the risks to which they are exposed, whether from human action or the physical or natural environment. Specifically, measures that aim to achieve basic security objectives have been adopted, such as confidentiality (understood as limiting access to information by unauthorized persons), integrity (understood as maintaining reliable and high-quality information), and availability (understood as guaranteeing access to the information system upon request by an authorized user).



About Why We Process Your Personal Data

6. On what legal basis does BDO process my data?

The legal bases for the processing of your personal data, depending on the purposes described above, are as follows:

  • For purposes a) c), d), and e), the execution of the contractual relationship with you, or, if applicable, the adoption of pre-contractual measures if you are not yet a client; 
  • For purpose b), the compliance with your obligations in matters of anti-money laundering and terrorism financing based on the provisions of the Law 10/2010, of April 28, and its implementing regulations. 
  • For purposes d), g) and i), if applicable, the consent you grant us. 
  • For purposes h) and j), we rely on our legitimate interest in performing non-invasive statistical analyses and market studies that allow us to improve our services and technology, as well as for conducting quality surveys as long as these are carried out within 1 year after the service provision. 

For this purpose, BDO has balanced the interests and rights of the interested parties and the measures adopted as Data Controller and we have concluded that: (i) the impact on the fundamental rights and public freedoms of the individuals is reduced; (ii) such processing can be reasonably foreseen by the interested party who understands the usefulness of satisfaction surveys in the provision of services; and (iii) the processing of the data for the aforementioned purposes does not lead to exclusion, discrimination, defamation, or situations that jeopardize the reputation of the interested party.


7. Am I obliged to authorize the processing of my data?

As long as you wish to contact us or make use of our products and/or services for the purposes described above, it is necessary that we process your personal data. Consequently, your refusal to provide them will result in the impossibility for us to contact you, manage the contracting of the products or provide the services in question.



About With Whom We Share Your Personal Data

8. To whom may BDO communicate and/or transfer my data?

We will not transfer your data to third parties, unless we are legally obliged to do so or you have given your express authorization.

However, to provide the mentioned services and send the necessary communications, we may share your data with companies of the BDO network (www.bdo.global) or external collaborators, such as providers of logistical and IT services.

In the case of events, personal data may be shared with other organizing entities to manage your participation and send related commercial communications. In this last case, any additional processing will be detailed by the corresponding entity. Outside of these cases, we will not transfer your data to third parties.


9. Will my data be transferred to third countries?

Generally, BDO will not communicate your personal data to third parties, except in the following cases:

  1. to competent authorities, courts, tribunals, or any other third parties legitimized according to the applicable regulation; 
  2. to other companies of BDO Global, in order to comply with the purposes stated in section 3, we need to communicate them to other firms of the BDO network (www.bdo.global). In this sense, the BDO network has binding corporate rules (BCR’s) approved by the Belgian data protection authority that you can consult at the following link https://www.bdo.global/en-gb/bcrs

Nevertheless, BDO has contracted certain services (e.g., virtual infrastructure services, cloud computing, customer relationship management, organization of games and contests, management of loyalty programs, sending of emails for marketing purposes, etc.) to providers, which could have access to and/or process personal data in their capacity as processors. Some of these providers may process and store personal information on servers located outside your country of residence.

Therefore, depending on the user's location, data transfers to other countries may occur. In such case, your personal data may be transferred internationally to third parties located outside the European Economic Area ("EEA"), provided that BDO has the authority to do so and subject to compliance with the adequate guarantees established in Articles 44 to 50 of the GDPR. These third parties will only access the data to carry out their services on behalf and under the instructions of BDO, under a duty of confidentiality and always following its instructions and without at any time being able to use such data for their own and/or unauthorized purposes.

In any case, the adequate guarantees include, among others:

  • Adequacy Decision: a declaration by the European Commission that a non-EU state provides an adequate level of data protection equivalent to that provided by European data protection legislation, allowing the international transfer of data to a third party established in that state outside the EU; 
  • Binding Corporate Rules (also known as "BCR"): applicable to business groups or the union of companies engaged in a joint economic activity, which allows the flow of personal data based on self-regulation accepted and assumed by each of the signing entities; 
  • Standard Contractual Clauses: it is a mechanism signed between the personal data exporter from any of the EEA countries and a third country. It is a contractual agreement whose model has been approved and published by the European Commission and aligned with the precepts of the GDPR. 
  • Code of conduct or a certification mechanism, along with binding and enforceable commitments undertaken by the recipient concerning the application of adequate guarantees for the protection of the transferred data. 

In the absence of the above, your personal data may be transferred exceptionally to a third country or international organization, applying the mechanisms that data protection legislation may recognize in this regard.

BDO, in order of preference, will carry out the international transfers under the following

Guarantee
Criterion used by BDO
Adequacy Decision issued by EC
Measure included as preferred by BDO. You can find the list of countries subject to an adequacy decision at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
Binding Corporate Rules
In the absence of an Adequacy Decision, it will be the preferred guarantee measure that BDO will request from the importer of personal data. The list of entities that have BCRs can be found here: https://edpb.europa.eu/our-work-tools/accountability-tools/bcr_en?page=1
Standard Contractual Clauses

As a secondary guarantee mechanism in the absence of the above, we will proceed to subscribe and/or request a copy as appropriate from the importer of the personal data of the signed version of the Standard Contractual Clauses aligned with the models of the European Commission, available here: https://eur-lex.europa.eu/legal-content/ES/ALL/?uri=CELEX%3A32021D0914

10. What happens with the links to external service providers that are on BDO's website?

The website may contain links to other websites or social forums that may be of interest to users. BDO assumes no responsibility for these links, without being able to guarantee compliance with appropriate privacy policies, so the user accesses the content of these websites under their sole responsibility, under the terms of use set therein.

Our Privacy Policy does not apply, and we are not responsible for the privacy, information, or other practices provided by third parties, including any third party that may appear in search results and the web pages that are accessed from this web space. The inclusion of a link on this website does not imply endorsement of the linked web space by us or our affiliates.



About the Rights You Have Regarding Your Personal Data

11. What rights do I have over the personal data I have provided to BDO?

We remind you that, at all times, you can exercise the following rights over your personal data:

a) Access. You have the right to access your information to know what specific personal data we are processing as the Data Controller in accordance with Article 15 GDPR.

b) Rectification. In certain circumstances, you have the right to rectify those personal data that we are processing inaccurately in accordance with Article 16 GDPR.

c) Deletion. In certain circumstances, you have the right to request the deletion of those personal data that you do not want us to continue processing in accordance with Article 17 GDPR. Remember that, as long as the commercial and/or contractual relationship we maintain with you remains in force, there is a series of personal data that we need to process to comply with the contract, so while it lasts we cannot delete them, block them or cancel them, because otherwise, we would be unable to comply with the contract.

d) Opposition. In certain circumstances, and for reasons related to your particular situation, you have the right to oppose us processing your personal data in those treatments that are based on consent or the existence of a legitimate interest (by way of example, but not limited to, sending commercial communications) in accordance with Article 21.2 GDPR. In those cases where the treatment is based on the existence of a legitimate interest, you will have the right to request the weighting report made by the Data Controller.

Additionally, in cases where the Treatment is aimed at sending own or third-party commercial information, you may voluntarily and free of charge adhere to an advertising exclusion mechanism (you can find more information here https://www.listarobinson.es/).

e) Limitation of treatment. In certain circumstances, you have the right to request the limitation of the processing of your data to those specific purposes you wish always as long as one of the conditions indicated in Article 18 GDPR is met.

f) Portability. In certain circumstances, you have the right to receive the personal data you have provided to us, in a structured, commonly used, and machine-readable format, and to have them transmitted to another data controller other than BDO.

g) Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. The Data Controller informs the Interested Party that, notwithstanding that decisions are made based on automated systems, these decisions (i) either do not produce legal effects or significant effects on the Interested Party; (ii) or are not adopted exclusively in an automated manner.

To exercise any of them, you must proceed to send a written communication to BDO. You may send such communication (a) by mail to the attention of the Data Protection Officer and to the address indicated in the first section of this document, or (b) by sending an email to the following address: protecciondedatos@bdo.es. We will attend to your request as soon as possible and, in any case, within the legally established period.


12. Do I have the right to withdraw the consent I have given for the processing of my data?

Yes, at any time, you can withdraw the consent you have given us without affecting the lawfulness of the processing. To do this, you only have to send a communication following any of the two methods described in the previous section.


13. And if I am not satisfied with the processing that BDO has made of my data? Can I complain to someone?

If you are not satisfied or believe that we have not processed your personal data in accordance with the regulations, you can contact our Data Protection Officer through the email address protecciondedatos@bdo.es. You can also file a complaint with the Spanish Data Protection Agency (www.agpd.es).

Finally, we remind you that in case you provide us with data relating to another natural person, you must, prior to their inclusion, inform them of the contents contained in this Policy.