BDO processes personal data about business contacts in the course of our business activities. These business contacts include existing and potential private clients, business relationship partners, employees, officers and Directors or other representatives and contacts at corporate clients, legal and business advisers, suppliers and other third parties that BDO interacts with in the course of business.
We collect business contacts’ personal data directly from the individuals themselves or from the organisation for whom they work or represent or, indirectly from publicly available sources including social media sites and/or third parties such as organisations operating business development databases. See below for further details.
Such personal data will typically include name, employer, or organisation the individual is associated with, job title, contact details such as email address, office address, phone number, and areas of business interest.
We process personal data about our business contacts using a customer relationship management system. In addition, the system may collect data from our email and calendar systems about interactions between the firm and our business contacts.
We collect this personal data using the various channels below:
Direct Interactions: we receive personal data directly from the individual to whom it relates. Such direct interactions include, for example, instances when the individual:
i. Provides personal data necessary for specific client services or the purposes of “Know your Customer” requirements;
ii. Provides a business card to us either in person or virtually;
iii. Makes personal data available to us through the digital portals and platforms we make available;
iv. Registers to participate in our marketing or other promotional events or subscribes to any of our publications;
v. Provides us with feedback.
Websites, digital services and marketing: we receive personal data when individuals use our website, electronic portals and platforms or individuals request our publications or marketing. We also collect personal data by using cookies, server logs and other similar technologies. For more information, please see our website visitors policy.
Third party sources: we receive personal data concerning individuals who are contacts from third parties when we:
i. Provide services to third parties who send us personal data to enable the provision of such services;
ii. Perform “Know your customer” or other legitimate background checks;
iii. Are contacted by third parties when contacts have requested that they provide us with their personal data on their behalf;
iv. Interact with public and regulatory bodies and other authorities concerning contacts.
Publicly available sources: we may also collect personal data about individuals who are contacts from publicly available sources including:
i. Public registers of individuals and legal entities
ii. Public registers of sanctioned persons
iii. Online professional networking platforms such as LinkedIn
iv. Marketing databases.
We may use such personal data and make it accessible to our people for the following purposes:
• Managing, administering, and developing our business.
• Providing information to clients, audited entities, and prospective clients about our services.
• Identifying our clients or prospective clients’ business needs.
• Analysing interactions between our people and our contacts to provide information to our management on relationships and trends, including the use of an automated analytical tool to evaluate the frequency and timing of interactions with contacts.
We do not sell or otherwise release any personal data collected from contacts to third parties.
We will not use contact personal data to send marketing materials if the contact has expressly requested through our preference centre not to receive marketing. If our contacts request that we stop processing personal data for marketing purposes, we will cease processing such personal data for those purposes.
Where we process personal data for the above purposes, we rely on the following lawful bases:
Where it is in our, or a third party’s, legitimate interests, provided that:
i. the processing is necessary to pursue the legitimate interests;
ii. the interests of the data subjects do not override the legitimate interests; and
iii. the data subjects have the right to:
a. request deletion of their personal data, provided they object to our processing and their interests override our own or a third party’s;
b. restrict processing of their personal data, provided they object to the necessity of the processing. In such circumstances, processing may be restricted for such time as to allow us to investigate their objections; and
c. object to the processing of their personal data in circumstances where such processing is necessary for a legitimate interest, or where processing is used for marketing purposes.