Processing of personal data when providing services
Audit services
When we carry out audit engagements or confirm information to public authorities, the Auditors Act and the International Standards on Auditing (ISAs) require us to obtain adequate documentation (audit evidence) for the conclusions we reach in audit reports and other statements. This documentation mainly comprises company-related information, but it may also contain personal data, such as:
- name and position of persons we have obtained information from in connection with the engagement
- information on payroll and working conditions of individuals employed by the company we are auditing
- assessments of the competence and integrity of persons responsible for the accounts or for other matters we are asked to confirm
We may also process special categories of personal data, such as trade union membership and health information, as well as information on individuals' criminal offences and violations of law.
The data is primarily obtained from our clients, but also from external sources such as the tax authorities and Altinn (the Norwegian internet portal for digital dialogue between businesses, private individuals, and public agencies).
As a main rule, BDO is the controller when we process personal data in connection with audits or reviews of financial statements, other attestation engagements, agreed-upon procedures, and the preparation of financial statements and tax returns for our own audit clients. The legal basis for the processing is:
- GDPR Article 6 (1)(c) (legal obligation) and the Auditors Act
- GDPR Article 9 (2)(g) (substantial public interest) and the Auditors Act
BDO is subject to retention obligations under the Auditors Act and also needs to retain documentation in order to respond to any claims or other charges. As a main rule, BDO therefore retains documentation from audit engagements for ten years. The documentation is deleted within one year after the retention period has expired.
Accounting and payroll services
When BDO handles all or part of a client's accounting, or processes payroll for a client, we may process personal data about the client's employees or about others who appear in the client's accounts, such as names, personal identification numbers, and information on payroll and related deductions.
The data is primarily obtained from our clients, but also from external sources such as the tax authorities and Altinn (the Norwegian internet portal for digital dialogue between businesses, private individuals, and public agencies).
As a main rule, BDO is the processor when providing accounting or payroll services. We therefore enter into a data processor agreement with the client that sets the scope of BDO's processing of personal data, including the security measures and retention routines that apply. Even after the assignment is completed, BDO will nevertheless retain the documentation we are legally required to keep in order to document our accounting engagement. This documentation is normally retained for ten years, and BDO deletes it within one year after the retention period has expired.
Legal services
BDO Advokater provides legal assistance to enterprises and private clients in the areas of tax law, VAT, company law, contract law, employment law, property law, family law and succession law. In addition, BDO Advokater assists with assignments involving forensic services.
In connection with such engagements, we normally process personal data about the individuals involved, such as employees, board members and shareholders of the enterprise with which we have a client relationship or, where applicable, of a counterparty's business, as well as others affected by the case.
Personal data received in such cases may include name, date of birth, personal identification number, contact details, financial information, and information on health, working conditions, family relations, trade union membership and criminal offences. Such information may be contained in documents and correspondence (letters, e-mails, pleadings, notes and agreements) that we prepare or receive in connection with the engagement.
Personal data processed by us when carrying out our engagements is obtained from our clients or from publicly available registers/databases. The legal basis for the processing is:
- GDPR Article 6(1)(b) (contract with private clients) or (f) (our legitimate interest in carrying out the engagement for the client)
- GDPR Article 9(2)(a) (consent from private clients) or (f) (processing necessary for the establishment, exercise or defence of legal claims)
Documentation from legal engagements is normally retained for ten years and is deleted by BDO within one year after the retention period has expired.
Advisory and other services
BDO provides a range of advisory and other services to clients in areas such as internal audit, transaction services, performance management, management development, whistleblowing, leasing, system implementation, web development, background research and forensic services.
In carrying out such engagements, BDO may process personal data about our clients' employees, such as names, contact details, information on the employee's working conditions and reports from interviews. In some engagements we may also gain access to information about financial circumstances and health. Clients sometimes provide BDO with personal data that we do not need in order to carry out the engagement; in such cases we will do our best to delete the irrelevant personal data as soon as possible.
Whether BDO is the controller or the processor when performing such services depends on the engagement. When BDO is the controller, we normally rely on the following legal bases:
- GDPR Article 6 (1)(f) (our legitimate interest in carrying out the engagement for the client)
- GDPR Article 9 (2)(a) (consent) or (f) (processing necessary for the establishment, exercise or defence of legal claims)
When BDO acts as the processor, the processing is governed by a data processor agreement with the client. The agreement sets the scope of BDO's processing of personal data, including the security measures and retention routines that apply. In processor assignments, BDO may retain personal data after the assignment has been completed where this is considered necessary to respond to any claims or other charges.
Use of data for other internal purposes
In addition to processing client data to carry out the services described above, BDO may process client data for other internal purposes such as statistics or knowledge management, unless the client has objected to this. Where the client data contains personal data, we always assess whether further processing of that personal data for such other purposes is lawful.