bdo data protection policy #06 30072019
Data Protection & Privacy
Policy Document
30 July 2019
Document Control
Organisation: BDO Singapore
Title: Data Protection & Privacy Policy
Author: Data Protection Officer
Filename: BDO Singapore – Data Protection & Privacy Policy
Owner: Data Protection Committee
Review date: 30 July 2019
Revision History
Revision | Date | Revised by | Previous Version | Description of Revision
1. | 25 December 2015 | Data Protection Committee | 1 July 2014 | Inclusion of new entity
2. | 25 May 2018 | Data Protection Committee | 25 December 2015 | Consideration of provisions of General Data Protection Regulations
3. | 8 June 2018 | Data Protection Committee | 25 May 2018 | Additions to General Data Protection Regulations & PDPA policy
4. | 12 July 2019 | Data Protection Committee | 8 June 2018 | Additions to consent obligations
5. | 30 July 2019 | Data Protection Committee | 12 July 2019 | Addition of entity to the BDO Group in Singapore
Document Distribution
This document will be distributed to all Partners, Directors and Heads of Department of BDO Singapore.
Contributors
The following individuals / groups contributed to the contents of this document:
- Data Protection Committee
- Partners, Directors & Heads of Department
1. Introduction
BDO Singapore¹ respects the privacy and confidentiality of prospects and clients’ personal data as
well as visitors’ personal data collected. We are committed to implementing policies, practices
and processes to safeguard the collection, use and disclosure of the personal data you provide us,
in compliance with the Personal Data Protection Act (2012) (“PDPA”). If you reside in the UK or
Europe, we will comply with the General Data Protection Regulation (“GDPR”) (EU) 2016/679 in
processing and holding your personal data.
By providing your personal data to us, you acknowledge and agree that you have fully read and
understood this policy, and are consenting to the collection, use, processing and disclosure of your
personal data as described in this policy.
1.1 Compliance with Personal Data Protection Act and General Data Protection Regulation
We will first and foremost comply with the PDPA and any applicable Singapore law. With regard
to personal data of individuals residing in the UK or Europe (hereinafter referred to as “European
personal data”), where there is no applicable Singapore law, the European personal data will be
processed in accordance with the GDPR. Where Singapore law requires a higher level of protection
for European personal data than is provided for in the GDPR, the higher level of protection will
take precedence and be applied to the processing of European personal data. We will ensure that
complying with the GDPR does not conflict with the PDPA and the applicable Singapore data
protection laws.
We have developed this Data Protection & Privacy Policy to assist you in understanding how we
collect, use, disclose, process and retain your personal data.
¹ BDO Singapore refers to the entities under the BDO Group in Singapore including BDO LLP, BDO Consultants Pte. Ltd., BDO Corporate Services Pte. Ltd., BDO Advisory Pte. Ltd., BDO Tax Advisory Pte. Ltd. and BDO Recruits Pte. Ltd.
This policy supplements but does not supersede nor replace any other consent you may have
previously provided to BDO Singapore in respect of your personal data.
2. How We Collect Your Personal Data
The PDPA defines personal data as “data, whether true or not, about an individual who can be
identified:
a. from that data; or
b. from that data and other information to which the organisation has or is likely to have access.”
The GDPR defines personal data as any information relating to an identified or identifiable natural
person (“data subject”). An identifiable natural person is one who can be identified, directly or
indirectly, in particular by reference to an identifier such as a name, an identification number,
location data, an online identifier or to one or more factors specific to the physical, physiological,
genetic, mental, economic, cultural or social identity of that natural person.
(henceforth, collectively referred to as “personal data”)
We generally collect personal data through the following methods and / or channels:
- When you engage BDO Singapore to render professional services to you;
- When we record CCTV footage while you are within our premises;
- When you interact with BDO Singapore via face to face meetings, emails, letters, fax and telephone conversations;
- When we receive your personal data in the course of our professional work;
- When we receive references from business partners, associates and / or third parties;
- When you submit documents to us for the purpose of employment opportunities, seminars and / or any events organised by BDO Singapore;
- When photographs or videos of you are taken by BDO Singapore and / or our representatives during events hosted by us;
- When you visit our website and leave your personal data, including your IP address assigned to your computer;
- When you visit our website which may use cookies to facilitate the management and maintenance of our website as well as improved navigation by visitors;
- When you submit your personal data to us for any other reasons;
- When we collect information about you from other sources, including commercially available sources, such as public databases (where permitted by law).
2.1 Social Media
We may host various blogs, forums, wikis and other social media applications such as Facebook
and LinkedIn that allow you to share content with other users (collectively “Social Media
Applications”). Any personal information that you contribute to these Social Media Applications
can be read, collected and used by other users of the application, including BDO Singapore. Any
personal data that you share over Social Media Applications will not be covered and / or protected
by this Data Protection and Privacy Policy.
2.2 Cookies
We use cookies to identify you from other users on our website to improve your navigation. A
cookie is a small file of letters and numbers that we store on your browser or the hard drive of
your computer or device. By continuing to use our website, you are agreeing to the use of
cookies on our website.
You can block or deactivate cookies in your browser settings. Please be aware that blocking or
deactivating the cookies may, inter alia, affect the quality of your user experience on our
website.
3. Types of Personal Data Collected
The types of personal data that we collect about you may include, but are not limited to, your name,
current job title, address, email address, telephone numbers and fax numbers. We will only collect
sensitive personal data (such as passport or other identification numbers, date of birth, bank
account numbers, employment details, family background and details, race and / or ethnicity)
where it is voluntarily provided to us by you, or where such personal data is required or permitted
to be collected by law or professional standards. For UK and European residents, such sensitive
personal data will not be collected without your explicit consent and will only be collected (subject
to prohibitions) in accordance with the GDPR. For avoidance of doubt, our collection of sensitive
data such as NRIC numbers, birth certificate numbers, foreign identification numbers and work
permit numbers will be done in accordance with the PDPA and, in particular, the ‘Advisory
Guidelines on the Personal Data Protection Act for NRIC and other national identification
numbers’².
If you provide us with the personal data of anyone other than yourself (including your family
members), you warrant that you have informed the owner of the personal data about the purposes
for which his / her personal data will be used and that he / she has consented to your disclosure
of his / her personal data to BDO Singapore for those purposes.
We understand the importance of protecting the information of children below the age of 16 years
and do not knowingly collect or maintain information about such children.
² https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/Advisory-Guidelines-for-NRIC-Numbers---310818.pdf
4. How We Use Your Personal Data
Personal data that we collect from you will only be used for the intended purpose(s) stated and /
or communicated to you at the time that the personal data is collected. In addition, we may use
the personal data that we have collected about you for the following purposes:
- Providing professional services to you;
- Sending you updates, materials and communications regarding the professional services rendered by BDO Singapore;
- Sending you information on seminars and conferences conducted by BDO Singapore;
- Responding to, processing and handling your queries, feedback and suggestions;
- Meeting or complying with any applicable laws, regulations or professional standards issued by any legal or regulatory bodies in Singapore;
- Verifying your identity, processing payments as well as managing our administrative and business operations;
- Managing the security of our premises, facilities and technology infrastructure;
- All other purposes related to our business.
If you are seeking employment or any other appointment with BDO Singapore or other members of
the BDO network, we may use the personal data that we have collected from you for the following
purposes:
- Processing and assessing your application;
- Performing background checks;
- Verifying your credentials and qualifications as well as obtaining employment references; and
- All other purposes related to the process of employment or appointment.
BDO Singapore may process and / or transfer such personal data to other members of the BDO
network and / or BDO’s subcontractors (which may be located in other territories) for the purposes
of (i) providing professional services; (ii) maintaining BDO’s operations or client relationship
management system; (iii) quality and risk management reviews, or (iv) providing you with
information about BDO and / or BDO’s range of services.
Where your personal data is to be used for a different purpose and / or shared with a third party
in a situation not mentioned above, we will seek your consent before proceeding to use and / or
share your personal data.
It is BDO Singapore’s policy to avoid collecting excessive and / or irrelevant personal data. BDO
Singapore does not collect and / or compile personal data for the purpose of sale to outside parties.
5. Who We Disclose Your Personal Data To
BDO Singapore will take reasonable steps to protect your personal data from unauthorised
disclosure. Personal data that we collect from you is only disclosed to other members of the BDO
network and / or third parties for the intended purpose(s) which was stated and / or communicated
to you at the time that the personal data was collected. Such third parties shall provide BDO
Singapore with written confirmation that they will provide adequate protection over the personal
data in question. Personal data may also be disclosed to third parties (whether in Singapore or
otherwise) where BDO Singapore is compelled to do so by the relevant authorities (including the
Singapore Courts).
For avoidance of doubt, BDO Singapore’s privacy practices stated herein do not apply when you
connect to the websites of BDO’s overseas offices and / or other third party websites. You are
encouraged to review the data protection and privacy policies of websites you choose to visit.
6. Consent
6.1 Obtaining Consent
Before we collect, use or disclose your personal data, we will notify you of the purpose(s) of such
collection, usage and disclosure. As far as possible, we will not collect excessive and / or irrelevant
personal data for the stated purpose(s). By providing your personal data to us, you acknowledge
and agree that you have fully read and understood this policy, and are consenting to the collection,
use, processing and disclosure of your personal data as described in this policy.
You may, in certain circumstances, be deemed to have provided consent to the collection, use and
/ or disclosure of personal data for a purpose – you may find an explanation of such ‘deemed
consent’ at https://sso.agc.gov.sg/Act/PDPA2012#pr15-.
There are also certain circumstances where your Personal Data may be collected, used and / or
disclosed without your express consent – these exceptions can be found at
https://sso.agc.gov.sg/Act/PDPA2012#pr17-.
For European residents, we shall obtain written confirmation from you on your express consent,
unless processing of your personal data without your consent is permitted by the GDPR.
6.2 Third-Party Consent
If you are carrying out a transaction with us, having a face-to-face meeting with us, and / or
providing us with any personal data on behalf of another individual, you must first notify and obtain
consent from that other individual before we can collect, use and / or disclose his or her personal
data. Such consent must be provided to us in writing.
6.3 Withdrawing Consent
If you wish to withdraw consent, you should give us reasonable advance notice in writing. The
withdrawal of consent to BDO Singapore’s collection, use and / or disclosure of Personal Data may,
amongst other things, affect the quality of services rendered to you. Upon your withdrawal of
consent, we will cease (and cause our intermediaries and agents to cease) collecting, using or
disclosing the personal data unless it is authorised or required under applicable laws.
You may withdraw consent by either:
- Sending an email or letter to us (please refer to Section 13 of this Data Protection and Privacy Policy); or
- Through the “UNSUB” feature in our emails to you.
7. Accessing and Making Correction to Your Personal Data
You may write in to us, based on reasonable grounds, to find out how we have been using or
disclosing your personal data and / or to request a copy of your personal data.
Before we accede to your request, we will need you to firstly verify your identity. Thereafter, we
will let you have an estimate of the time required to retrieve all the relevant personal data and
the fee that we will charge for processing your request (our costs in administering your request).
Upon confirmation of your acceptance of the aforesaid fee, we shall respond to your written
request within 30 days. You will also be informed in the event that BDO Singapore is unable to
accede to your request.
We may choose to deny you access to, and / or correction of, Personal Data, in accordance with
the exceptions under the PDPA, including but not limited to the following circumstances:
- We are satisfied on reasonable grounds that the correction should not be made;
- The request for access is frivolous or vexatious or the information requested is trivial; and / or
- The personal data, if disclosed, would reveal confidential commercial information which would, in the opinion of a reasonable person, harm our competitive position.
If you reside in the UK or Europe, you may request access and / or a copy of your personal data
subject to the requirements of the GDPR (subject to applicable exemptions), to update and / or
correct the personal data that is in the possession or under the control of BDO Singapore. You may
do so by writing to us (please refer to Section 13 of this Data Protection and Privacy Policy).
8. Accuracy of Your Personal Data
We will take reasonable precautions and verification checks to ensure that the personal data that
we have collected from you is reasonably accurate, complete and up-to-date. If you are a client
or if you would like to continue to receive updates, materials and communications regarding our
professional services, seminars and / or conferences, it is important that you update us if there
are any changes to your personal data such as email address etc. We will not be responsible for
relying on inaccurate or incomplete personal data arising from your failure in updating us of any
changes to your personal data that was initially provided to us.
9. Protection of Personal Data
BDO Singapore will take reasonable steps to ensure that personal data and confidential information
are protected within our organisation. We will take the necessary security measures to protect
your personal data that is under our care and control to prevent loss, modification, collection,
unauthorised access, misuse, copying, alteration, disclosure and / or destruction.
External data intermediaries who process and maintain your personal data on our behalf will be
bound by contractual data protection arrangements we have with them.
Although we use appropriate measures to protect your personal data, the transmission of data over
the internet is never completely secure. We endeavour to protect your personal data, but cannot
fully guarantee the security of data transmitted to us or by us.
10. Retention of Personal Data
We will not retain any of your personal data under our care and / or control where it is no longer
necessary for any business or legal purposes.
We will ensure that your personal data that no longer has any business or legal use is destroyed
or disposed of in a secure manner. This applies to both physical documents and electronic data stored
in databases.
Should you require your personal data to be deleted from our records, please contact us in writing
(please refer to Section 13 of this Data Protection and Privacy Policy).
11. Transfer of Personal Data Outside of Singapore
In the event that there is a need for us to transfer your personal data to another country, we will
ensure that the standard of data protection in the recipient country is comparable to that of
Singapore’s PDPA, or in the case of European personal data, the GDPR.
12. Updates on Data Protection & Privacy Policy
As part of our efforts in implementing the latest policies, practices and processes, we will be
reviewing these policies, practices and processes from time to time. We reserve the right to
amend the terms of this Data Protection and Privacy Policy at our absolute discretion. Any
amended Data Protection and Privacy Policy will be posted on our website. You are encouraged
to visit our website from time to time to ensure that you are well informed of our latest policies
in relation to personal data protection.
13. Contact Information
You may contact our Data Protection Officer via email at [email protected] or write in to us at 600
North Bridge Road, #23-01 Parkview Square, Singapore 188778, if you would like to:
- Withdraw your consent to any use of your personal data;
- Obtain access to your personal data;
- Make corrections to your personal data;
- Clarify any questions relating to our collection, use and / or disclosure of your personal data;
- Provide feedback regarding this policy document; and / or
- Make any complaint relating to how we manage your personal data.
Any query or complaint should include, at least, your full name, contact information and a brief
description of the query or complaint. We treat such queries and complaints seriously and will
deal with them confidentially and within reasonable time.