This Privacy Notice describes how BDO South Africa collects, processes, retains and discloses your personal information in accordance with the requirements of the Protection of Personal Information Act (“POPIA”), the General Data Protection Regulation (‘GDPR’) and any other applicable laws or Regulations. This Notice will enable you to make an informed decision when signing the accompanying consent.
Please note that your consent is voluntary and may be withdrawn, with notice to us, at any time.
BDO is committed to protecting your privacy and to ensure that your personal information is collected and used properly, lawfully and transparently.
BDO South Africa, for purposes of this notice includes any member firm and/or affiliated entity within the BDO Network and is herein after referred to as ‘BDO’, 'we', 'us'.
- PERSONAL INFORMATION WE COLLECT
We may collect your personal information from a variety of sources which includes, but is not limited to, that which we obtain from you directly as well as personal information we collect from other sources, including commercially available sources, such as public databases (where permitted by law). Primarily, we endeavor to collect information directly from you.
We will inform you if the provision of your personal information is mandatory or voluntary. Failure to provide this personal information may, however, prevent or delay services being provided and the fulfilment of our obligations in relation thereto.
- Information we collect directly from you
The categories of personal information that we may collect directly from you include the following:
- personal details (e.g. name, age, date of birth, gender, identity number, registration number contained in identity documents, birth certificates and founding documents);
- contact details (e.g. phone number, email address, physical address, postal address or mobile number);
- employment details (e.g. job title; employer name, employee number);
- economic or financial information (e.g. bank details, details of income, financial statements, VAT registration number, tax clearance certificate or investment information).
- Information we collect from other sources
The following categories of personal information are collected from other sources as the Companies and Intellectual Property Commission; Search Works, Financial Institutions; SARS, include the following:
- Identity verification of personal details (e.g. name, age, date of birth, gender, identity number, registration number) from the Department of Home Affairs and the Companies and Intellectual Property Commission;
- contact details (e.g. phone number, email address, postal address, physical addressor mobile number) from Search Works;
- employment details (e.g. job title; employer name, employee number) from Search Works or employer;
- economic or financial information (e.g. details of income, financial statements, VAT registration number, tax clearance certificate or investment information) from SARS, Financial Institution, and your Auditor.
- PERSONAL INFORMATION, PROCESSING OF PERSONAL INFORMATION
Personal Information means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to-
- (a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
- (b) information relating to the education or the medical, financial, criminal or employment history of the person;
- (c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- (d) the biometric information of the person;
- (e) the personal opinions, views or preferences of the person;
- (f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- (g) the views or opinions of another individual about the person; and
- (h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;
Processing means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including-
- the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
- dissemination by means of transmission, distribution or making available in any other form; or
- merging, linking, as well as restriction, degradation, erasure or destruction of information;
Personal information may only be processed if-
- the data subject or a competent person where the data subject is a child consents to the processing;
- processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
- processing complies with an obligation imposed by law on the responsible party;
- processing protects a legitimate interest of the data subject;
- processing is necessary for the proper performance of a public law duty by a public body; or
- processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
- PURPOSE OF BDO PROCESSING YOUR PERSONAL INFORMATION
- to perform the services and comply with the obligations set out in the relevant services contract;
- to conduct due diligences including, but not limited to, relevant conflict and risk assessments prior to accepting you as a client (which may include any criminal checks);
- to correspond and communicate with you;
- to ensure that our records are current and accurate;
- to ensure we issue accurate invoices, statements or fee notes for our services;
- to send you information about products and services which we think will be of interest to you;
- to comply with legal and regulatory obligations to which we are subject to;
- for insurance purposes;
- for the detection and prevention of fraud, crime, money laundering or other malpractice;
- in connection with legal proceedings;
- for reference purposes in tenders, proposals, resume’s, marketing material and other similar submissions that BDO may make to prospective clients for the purpose of demonstrating BDO’s experience and expertise;
- for reference purposes in tenders, proposals, resume’s and other similar submissions that BDO Employees may make to demonstrate their experience and expertise;
- to comply with applicable legislation. A list of the applicable legislation in terms of which records are held by us can be found in our PAIA Manual.
- online events, such as webcast events
- YOUR RIGHTS
Please let us know if any of the personal information that we hold about you changes so that we can correct and update the personal information on our systems.
- Right of access to information
You have the right to request confirmation as to whether we hold personal information related to you. You also have the right to request a copy of the personal information or a description of the personal information we hold about you. Submission of access request forms together with the details of the access request procedure can be found in our PAIA Manual.
- Right to request correction or deletion of personal information
You have the right to request, subject to any applicable law and where appropriate, the correction, updating or deletion of your personal information held by us. Submission of a request for correction or deletion forms together with the details of the request for correction and deletion procedure can be found in our PAIA Manual.
- Right to object to the processing of personal information
In certain circumstances, such as when we process your information for our or your legitimate interests, you may object to the processing of your personal information, unless we are required to process the information on another bases, such as a legal basis. Submission of objection forms together with the details of the objection procedure can be found in our PAIA Manual.
- Right to ask us to share your personal information in a usable format with another entity
We are able to provide the personal information in commonly used and machine-readable format.
- Right to object to automated decision-making and profiling
Where we use automated decision-making or profiling to make decisions, you may object to this profiling. Alternatively, you may ask that a person review a decision made, or that you be provided with the logic around such a decision, so that you can make a representation in respect of the decision.
- Right to unsubscribe from direct marketing
Where you do not wish to receive marketing communication from BDO, you can unsubscribe from marketing emails by clicking on the unsubscribe link provided in each email.
We will still be able to contact you when there is important communication required to be sent.
- Right to withdraw consent
Where you have given your consent to a particular type of processing, you may withdraw that consent at any time by contacting us using the contact details set out below.
- Right to lodge a complaint with the information regulator
You have the right to lodge a complaint with the Information Regulator, in the prescribed manner and form, if you believe that we are interfering with the protection of your personal information. You can contact the Information Regulator on 010 023 5207 (telephone number) and can lodge a complaint via email on [email protected].
- INFORMATION SHARING
- to service providers who may need to perform part of the Services, which may include other BDO network firms;
- to third parties who provide IT services, data processing or IT functionality services, for example cloud-based software providers, web hosting services, data analysis providers and data storage or backup providers;
- to other BDO regional offices for purposes of sending you information about products and services which we think will be of interest to you;
- to BDO Member Firms and entities within the BDO Network and/or BDO affiliates, for the purpose of ensuring that the BDO Network and/or BDO affiliate, to whom the personal information is supplied, is able to perform the services and comply with the obligations set out in the relevant services contract;
- to fulfil our contractual obligations to you;
- to prospective clients for reference purposes in tenders, proposals, resume’s, marketing material and other similar submissions that BDO may make, for the purpose of demonstrating BDO’s experience and expertise;
- to insurers;
- to our Regulators;
- where permitted by law, to protect and defend our rights and property; and
- when required by law, and/or public authorities.
- INFORMATION SECURITY
We have implemented generally accepted standards of technology and operational security to protect personal information from loss, misuse, alteration or destruction. You may request a copy of our Information Security and Privacy Overview Policy from us using the contact details set out below.
We require all staff, (Partners and/or Directors and employees) to keep personal information confidential and only authorised staff have access to this personal information.
We will retain your personal information in accordance with our data retention policy which sets out data retention periods required or permitted by applicable law.
- INFORMATION TRANSFER
Where it is necessary, for the purposes of processing, your personal information may be transferred outside of South Africa in accordance with the appropriate data protection laws.
We anticipate that personal information may need to be transferred outside of South Africa for purposes of cloud storage, and where we do so, we will ensure that the necessary safeguards are in place to protect personal information.
When your personal information is transferred to a country whose data protection laws do not provide an adequate level of protection for your personal information, we use the European Commission's approved Standard Contractual Clauses in order to ensure that the appropriate mechanisms and safeguards are in place. If you wish to see a copy of the relevant mechanism that we use to transfer your personal information, please contact us using the contact details set out below.
- CONTACT US
If you have questions or concerns regarding the way in which your personal information has been used, or should you have any questions about this Privacy Notice, please use the contact details set out below and provide the details relating to your query.
- CHANGES TO THE PRIVACY NOTICE
Should we be required to collect additional personal information from you, we will send you an updated Privacy Notice.
Should you at any point wish to revoke this consent, please contact us and we will assist you accordingly.
- CONTACT DETAILS
You can contact our privacy champion at [email protected].