bdo data protection policy #06 30072019

Data Protection & Privacy Policy Document 30 July 2019

Post on 29-Dec-2021


Page 1: BDO Data Protection Policy #06 30072019

Data Protection & Privacy

Policy Document

30 July 2019

Document Control

Organisation: BDO Singapore
Title: Data Protection & Privacy Policy
Author: Data Protection Officer
Filename: BDO Singapore – Data Protection & Privacy Policy
Owner: Data Protection Committee
Review date: 30 July 2019

Revision History

Revision | Date | Revised by | Previous Version | Description of Revision
1. | 25 December 2015 | Data Protection Committee | 1 July 2014 | Inclusion of new entity
2. | 25 May 2018 | Data Protection Committee | 25 December 2015 | Consideration of provisions of General Data Protection Regulations
3. | 8 June 2018 | Data Protection Committee | 25 May 2018 | Additions to General Data Protection Regulations & PDPA policy
4. | 12 July 2019 | Data Protection Committee | 8 June 2018 | Additions to consent obligations
5. | 30 July 2019 | Data Protection Committee | 12 July 2019 | Addition of entity to the BDO Group in Singapore

Document Distribution

This document will be distributed to all Partners, Directors and Heads of Department of BDO Singapore.

Contributors

The following individuals/groups contributed to the contents of this document

Data Protection Committee

Partners, Directors & Heads of Department

1. Introduction

BDO Singapore[1] respects the privacy and confidentiality of prospects and clients’ personal data as well as visitors’ personal data collected. We are committed to implementing policies, practices and processes to safeguard the collection, use and disclosure of the personal data you provide us, in compliance with the Personal Data Protection Act (2012) (“PDPA”). If you reside in the UK or Europe, we will comply with the General Data Protection Regulation (“GDPR”) (EU) 2016/679 in processing and holding your personal data.

By providing your personal data to us, you acknowledge and agree that you have fully read and understood this policy, and are consenting to the collection, use, processing and disclosure of your personal data as described in this policy.

1.1 Compliance with Personal Data Protection Act and General Data Protection Regulation

We will first and foremost comply with the PDPA and any applicable Singapore law. With regards to personal data of individuals residing in the UK or Europe (hereinafter referred to as “European personal data”), where there is no applicable Singapore law, the European personal data will be processed in accordance with the GDPR. Where Singapore law requires a higher level of protection for European personal data than is provided for in the GDPR, the higher level of protection will take precedence and be applied to the processing of European personal data. We will ensure that complying with the GDPR does not conflict with the PDPA and the applicable Singapore data protection laws.

We have developed this Data Protection & Privacy Policy to assist you in understanding how we collect, use, disclose, process and retain your personal data.

[1] BDO Singapore refers to the entities under the BDO Group in Singapore including BDO LLP, BDO Consultants Pte. Ltd., BDO Corporate Services Pte. Ltd., BDO Advisory Pte. Ltd., BDO Tax Advisory Pte. Ltd. and BDO Recruits Pte. Ltd.

This policy supplements but does not supersede nor replace any other consent you may have previously provided to BDO Singapore in respect of your personal data.

2. How We Collect Your Personal Data

The PDPA defines personal data as “data, whether true or not, about an individual who can be identified:

a. from that data; or

b. from that data and other information to which the organisation has or is likely to have access.”

The GDPR defines personal data as any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

(henceforth, collectively referred to as “personal data”)

We generally collect personal data through the following methods and / or channels:

When you engage BDO Singapore to render professional services to you;

When we record CCTV footage while you are within our premises;

When you interact with BDO Singapore via face to face meetings, emails, letters, fax and telephone conversations;

When we receive your personal data in the course of our professional work;

When we receive references from business partners, associates and / or third parties;

When you submit documents to us for the purpose of employment opportunities, seminars and / or any events organised by BDO Singapore;

When photographs or videos of you are taken by BDO Singapore and / or our representatives during events hosted by us;

When you visit our website and leave your personal data, including your IP address assigned to your computer;

When you visit our website which may use cookies to facilitate the management and maintenance of our website as well as improved navigation by visitors;

When you submit your personal data to us for any other reasons;

When we collect information about you from other sources, including commercially available sources, such as public databases (where permitted by law).

2.1 Social Media

We may host various blogs, forums, wikis and other social media applications such as Facebook and LinkedIn that allow you to share content with other users (collectively “Social Media Applications”). Any personal information that you contribute to these Social Media Applications can be read, collected and used by other users of the application, including BDO Singapore. Any personal data that you share over Social Media Applications will not be covered and / or protected by this Data Protection and Privacy Policy.

2.2 Cookies

We use cookies to identify you from other users on our website to improve your navigation. A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer or device. By continuing to use our website, you are agreeing to the use of cookies on our website.

You can block or deactivate cookies in your browser settings. Please be aware that blocking or deactivating the cookies may, inter alia, affect the quality of your user experience on our website.

3. Types of Personal Data Collected

The types of personal data that we collect about you may include, but are not limited to, your name, current job title, address, email address, telephone numbers and fax numbers. We will only collect sensitive personal data (such as passport or other identification numbers, date of birth, bank account numbers, employment details, family background and details, race and / or ethnicity) where it is voluntarily provided to us by you, or where such personal data is required or permitted to be collected by law or professional standards. For UK and European residents, such sensitive personal data will not be collected without your explicit consent and will only be collected (subject to prohibitions) in accordance with the GDPR. For avoidance of doubt, our collection of sensitive data such as NRIC numbers, birth certificate numbers, foreign identification numbers and work permit numbers will be done in accordance with the PDPA and, in particular, the ‘Advisory Guidelines on the Personal Data Protection Act for NRIC and other national identification numbers’[2].

If you provide us with the personal data of anyone other than yourself (including your family members), you warrant that you have informed the owner of the personal data about the purposes for which his / her personal data will be used and that he / she has consented to your disclosure of his / her personal data to BDO Singapore for those purposes.

We understand the importance of protecting the information of children below the age of 16 years and do not knowingly collect or maintain information about such children.

[2] https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/Advisory-Guidelines-for-NRIC-Numbers---310818.pdf

4. How We Use Your Personal Data

Personal data that we collect from you will only be used for the intended purpose(s) stated and / or communicated to you at the time that the personal data is collected. In addition, we may use the personal data that we have collected about you for the following purposes:

Providing professional services to you;

Sending you updates, materials and communications regarding the professional services rendered by BDO Singapore;

Sending you information on seminars and conferences conducted by BDO Singapore;

Responding to, processing and handling your queries, feedback and suggestions;

Meeting or complying with any applicable laws, regulations or professional standards issued by any legal or regulatory bodies in Singapore;

Verifying your identity, processing payments as well as managing our administrative and business operations;

Managing the security of our premises, facilities and technology infrastructure;

All other purposes related to our business.

If you are seeking employment or any other appointment with BDO Singapore or other members of the BDO network, we may use the personal data that we have collected from you for the following purposes:

Processing and assessing your application;

Performing background checks;

Verifying your credentials and qualifications as well as obtaining employment references; and

All other purposes related to the process of employment or appointment.

BDO Singapore may process and / or transfer such personal data to other members of the BDO network and / or BDO’s subcontractors (which may be located in other territories) for the purposes of (i) providing professional services; (ii) maintaining BDO’s operations or client relationship management system; (iii) quality and risk management reviews, or (iv) providing you with information about BDO and / or BDO’s range of services.

Where your personal data is to be used for a different purpose and / or shared with a third party in a situation not mentioned above, we will seek your consent before proceeding to use and / or share your personal data.

It is BDO Singapore’s policy to avoid collecting excessive and / or irrelevant personal data. BDO Singapore does not collect and / or compile personal data for the purpose of sale to outside parties.

5. Who We Disclose Your Personal Data To

BDO Singapore will take reasonable steps to protect your personal data from unauthorised disclosure. Personal data that we collect from you is only disclosed to other members of the BDO network and / or third parties for the intended purpose(s) which was stated and / or communicated to you at the time that the personal data was collected. Such third parties shall provide BDO Singapore with written confirmation that they will provide adequate protection over the personal data in question. Personal data may also be disclosed to third parties (whether in Singapore or otherwise) where BDO Singapore is compelled to do so by the relevant authorities (including the Singapore Courts).

For avoidance of doubt, BDO Singapore’s privacy practices stated herein do not apply when you connect to the websites of BDO’s overseas offices and / or other third party websites. You are encouraged to review the data protection and privacy policies of websites you choose to visit.

6. Consent

6.1 Obtaining Consent

Before we collect, use or disclose your personal data, we will notify you of the purpose(s) of such collection, usage and disclosure. As far as possible, we will not collect excessive and / or irrelevant personal data for the stated purpose(s). By providing your personal data to us, you acknowledge and agree that you have fully read and understood this policy, and are consenting to the collection, use, processing and disclosure of your personal data as described in this policy.

You may, in certain circumstances, be deemed to have provided consent to the collection, use and / or disclosure of personal data for a purpose – you may find an explanation of such ‘deemed consent’ at https://sso.agc.gov.sg/Act/PDPA2012#pr15-.

There are also certain circumstances where your Personal Data may be collected, used and / or disclosed without your express consent – these exceptions can be found at https://sso.agc.gov.sg/Act/PDPA2012#pr17-.

For European residents, we shall obtain written confirmation from you on your express consent, unless processing of your personal data without your consent is permitted by the GDPR.

6.2 Third-Party Consent

If you are carrying out a transaction with us, having a face-to-face meeting with us, and / or providing us with any personal data on behalf of another individual, you must first notify and obtain consent from that other individual before we can collect, use and / or disclose his or her personal data. Such consent must be provided to us in writing.

6.3 Withdrawing Consent

If you wish to withdraw consent, you should give us reasonable advance notice in writing. The withdrawal of consent to BDO Singapore’s collection, use and / or disclosure of Personal Data may, amongst other things, affect the quality of services rendered to you. Upon your withdrawal of consent, we will cease (and cause our intermediaries and agents to cease) collecting, using or disclosing the personal data unless it is authorised or required under applicable laws.

You may withdraw consent by either:

Sending an email or letter to us (please refer to Section 13 of this Data Protection and Privacy Policy); or

Through the “UNSUB” feature in our emails to you.

7. Accessing and Making Correction to Your Personal Data

You may write in to us, based on reasonable grounds, to find out how we have been using or disclosing your personal data and / or to request a copy of your personal data.

Before we accede to your request, we will need you to firstly verify your identity. Thereafter, we will let you have an estimate of the time required to retrieve all the relevant personal data and the fee that we will charge for processing your request (our costs in administering your request). Upon confirmation of your acceptance of the aforesaid fee, we shall respond to your written request within 30 days. You will also be informed in the event that BDO Singapore is unable to accede to your request.

We may choose to deny you access to, and / or correction of, Personal Data, in accordance with the exceptions under the PDPA, including but not limited to the following circumstances:

We are satisfied on reasonable grounds that the correction should not be made;

The request for access is frivolous or vexatious or the information requested is trivial; and / or

The personal data, if disclosed, would reveal confidential commercial information which would, in the opinion of a reasonable person, harm our competitive position.

If you reside in the UK or Europe, you may request access and / or a copy of your personal data subject to the requirements of the GDPR (subject to applicable exemptions), to update and / or correct the personal data that is in the possession or under the control of BDO Singapore. You may do so by writing to us (please refer to Section 13 of this Data Protection and Privacy Policy).

8. Accuracy of Your Personal Data

We will take reasonable precautions and verification checks to ensure that the personal data that we have collected from you is reasonably accurate, complete and up-to-date. If you are a client or if you would like to continue to receive updates, materials and communications regarding our professional services, seminars and / or conferences, it is important that you update us if there are any changes to your personal data such as email address etc. We will not be responsible for relying on inaccurate or incomplete personal data arising from your failure in updating us of any changes to your personal data that was initially provided to us.

9. Protection of Personal Data

BDO Singapore will take reasonable steps to ensure that personal data and confidential information are protected within our organisation. We will take the necessary security measures to protect your personal data that is under our care and control to prevent loss, modification, collection, unauthorised access, misuse, copying, alteration, disclosure and / or destruction.

External data intermediaries who process and maintain your personal data on our behalf will be bound by contractual data protection arrangements we have with them.

Although we use appropriate measures to protect your personal data, the transmission of data over the internet is never completely secure. We endeavour to protect your personal data, but cannot fully guarantee the security of data transmitted to us or by us.

10. Retention of Personal Data

We will not retain any of your personal data under our care and / or control where it is no longer necessary for any business or legal purposes.

We will ensure that your personal data that no longer has any business or legal use be destroyed or disposed in a secure manner. This applies to both physical documents and electronic data stored in databases.

Should you require your personal data to be deleted from our records, please contact us in writing (please refer to Section 13 of this Data Protection and Privacy Policy).

11. Transfer of Personal Data Outside of Singapore

In the event that there is a need for us to transfer your personal data to another country, we will ensure that the standard of data protection in the recipient country is comparable to that of Singapore’s PDPA, or in the case of European personal data, the GDPR.

12. Updates on Data Protection & Privacy Policy

As part of our efforts in implementing the latest policies, practices and processes, we will be reviewing these policies, practices and processes from time to time. We reserve the right to amend the terms of this Data Protection and Privacy Policy at our absolute discretion. Any amended Data Protection and Privacy Policy will be posted on our website. You are encouraged to visit our website from time to time to ensure that you are well informed of our latest policies in relation to personal data protection.

13. Contact Information

You may contact our Data Protection Officer via email at [email protected] or write in to us at 600 North Bridge Road, #23-01 Parkview Square, Singapore 188778, if you would like to:

Withdraw your consent to any use of your personal data;

Obtain access to your personal data;

Make corrections to your personal data;

Clarify any questions relating to our collection, use and / or disclosure of your personal data;

Provide feedback regarding this policy document; and / or

Make any complaint relating to how we manage your personal data.

Any query or complaint should include, at least, your full name, contact information and a brief description of the query or complaint. We treat such queries and complaints seriously and will deal with them confidentially and within reasonable time.