Privacy Statement - Assurance Services – ROC
Scope
BDO & Associados, SROC (hereinafter referred to as BDO) company of statutory auditors (SROC) registered at Ordem dos Revisores Oficiais de Contas under the number 29 and at CMVM (Comissão de Mercado de Valores Mobiliários) under the number 20161384, performs the functions of public interest under the terms of the Ordem dos Revisores Oficiais de Contas Statutes (EOROC), approved by Law number 140/2015, of September 7th and in international auditing standards, as EOROC legally imposes.
With the entry into force of the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27th, personal data is an additional concern to the ethical and statutory principles to be observed by BDO, whose compliance overlaps with the referred principles, but which will simultaneously safeguard the BDO's obligations underlying the GDPR.
In the exercise of public interest functions, BDO verifies the financial statements (accounts), other equity acts or facts of companies or other entities (hereinafter referred to as Clients), having to consult, use and often retain information, which, being not an object of its work but being necessary for its verification, it may include personal data of workers, clients, suppliers or other third parties transmitted by the indicated entities, issuing at the end a report on the financial statements, other acts or patrimonial facts, in observance of the applicable International Quality Control, Auditing, Review, Other Assurance and Related Services Pronouncements.
Introduction
This statement applies to BDO, partners, workers, collaborators and other persons to whom information containing the personal data to which this statement refers is made available, and must therefore be complied with by all those concerned.
This statement is limited to the personal data that BDO has to process in order to fully exercise the functions of public interest, expressly excluding from it the personal data treated for other purposes, namely those related to its employees, the own clients (and prospective) and related to contracts entered into with suppliers, among others, highlighting at this level the general Privacy Statement available at the website (www.bdo.pt) or, failing that, the principles and rules implemented according to the GDPR and to the national Data Protection Law.
Responsibility for data processing and contact
BDO must guide its behaviour by observing the ethical principles and conduct fundamental to the exercise of functions of public interest, namely those of independence, integrity, objectivity, professional competence, professional behaviour and zeal and confidentiality, maintaining professional scepticism and resorting to their professional judgment, in order to have conditions to issue an opinion on the financial statements or other equity facts of the responsibility of companies or other entities that effectively increases the degree of confidence of the respective recipients, this being the main objective of their intervention.
In this context, BDO may access to information containing client data, consult, copy and maintain as audit evidence or in the audit file, which is legally mandatory in the scope of the legal and voluntary account review, information which may include personal data processed by the client as Data Controller or Data Processor for the respective treatment and for which BDO will assume its responsibility, in the exercise of public interest functions.
For the purposes of this Privacy Statement, BDO may be reached at the following address:
- Avenida da República, nº 50 - 10º1069-211 Lisboa; and
By the following e-mail address:
Purpose of personal data processing
Under the terms of article 41 of the EOROC, the following are functions of public interest for the Statutory Auditors and the Societies of Statutory Auditors: (i) the audit of the accounts (comprising, under the terms of Article 42 of the EOROC, the legal and voluntary accounts and related services, with limited scope or specific purpose); and (ii) the exercise of any other functions that by law require the own and autonomous intervention of the ROC on certain equity facts of companies or other entities.
In terms of auditing the accounts, the ROC / SROC has to sign a contract for the provision of services with the client, reduced to writing (Article 53 of the EOROC), and must do so also for other functions of public interest.
The personal data that the ROC / SROC may access is intended to become possible the exercise of the said functions of public interest (as well as other functions, although not provided for in this policy, such as the fulfilment of contractual and / or legal duties).
Personal data categories
BDO may request access to any data, including personal data processed by the Entities, namely, clients, users or their employees, being able to consult and use them to perform the necessary procedures in the analysis of the accounts, complying with its legal obligations as a Revisor Oficial de Contas.
It is not BDO's responsibility to require information or access to data, but if any restrictions are placed on access to information or data, it is BDO's responsibility to consider the effect of this restriction on the issuance of its report.
Principles for the treatment of personal data provided by Clients
1 - Lawfulness: legal basis for treatment
The services of Revisor Oficial de Contas (ROC) comprise access, consultation and verification of a set of information, which BDO, in the context of its independent professional judgment, selects as necessary for the performance of its public interest functions and which will retain as audit evidence (which eventually contains information regarding personal data).
The fulfilment of the duties resulting from the Ordem dos Revisores Oficiais de Contas Statutory and auditing standards, in particular the subjection to professional secrecy, within the scope of its public interest functions, sufficiently accommodates the duties of the GDPR, without requiring additional steps, namely, obtaining consent from the data subjects.
Thus, the legal basis for the intervention of the ROC / SROC, within the scope of the exercise of public interest functions and regarding the personal data previously processed by the client, is based on the public interest underlying its intervention and the need for its treatment to comply with a legal obligation (article 6, paragraph 1, c) and e) of the GDPR), namely, of the EOROC.
2 - Purpose limitation
The personal data referred to in this policy will initially be collected directly by its Clients or by another entity (if the client is a Data Processor), but not by BDO.
The personal data processing (for example: consultation, use and retention) by BDO will be limited to the underlying purpose, that is, the fulfilment of the public interest functions to be performed.
BDO specifically undertakes not to use personal data, as well as any other information, which it accesses due to the exercise of the referred functions for any other purpose, commercial or other, which does not result in the performance of audit procedures and the respective opinion.
3 - Data minimisation
BDO will analyse on a case-by-case basis the need to use and keep copies of the elements that include personal data provided by the client, seeking, whenever possible, to minimize their collection, use and conservation to what is necessary in the context of planning and evidence of job.
4 - Data accuracy
The principle of accuracy, as recommended by the GDPR, is not applicable to BDO's performance in the exercise of public interest functions and with regard to the data transmitted by its Clients.
5 - Data storage limitation
The file in support of the work carried out by BDO, whether or not it includes personal data, in accordance with EOROC and international auditing standards, must be kept for a minimum period of five years (minimum term).
Even though the auditing standards determine a minimum period for the retention of information (coinciding with the legal term of five years), they do not determine a maximum period, stating that the working documents must be kept for a sufficient period to satisfy the needs of BDO or as required by law or regulation, depending, for example, on whether work documentation is required as a record of matters of continued importance for future work.
Also, in this context, EOROC determines the conservation of the documents for a period of more than five years, providing that the Revisores Oficiais de Contas keep the information until judicial, supervisory or administrative proceedings are underway. For the most part, since the Revisores Oficiais de Contas are subject to such proceedings, until the right of action of the holders of the respective rights is prescribed, the information (the file) must be maintained for the maximum period of prescription of the legal proceedings and administrative offense, which may correspond to the general prescription period of contractual civil liability of twenty years.
In particular, with regard to all the information that shows the compliance by the BDO with Law No. 83/2017, of 18 August, which establishes measures to combat money laundering and terrorist financing, namely, the identification duty, must be maintained for a minimum period of seven years.
6 - Integrity and confidentiality
The reports issued by BDO, although they may be public knowledge, do not contain personal data, as previously mentioned, the audit evidence that must support it and that may contain personal data is subject to professional secrecy. In addition to the freedom of access to information, essential for the ROC's independence in the exercise of its functions, the duty of confidentiality is imposed on the ROC. Thus, the ROC is legally prohibited from using the information it accesses for any purpose other than to evidence the procedures that has performed to support the conclusions drawn in the report it issues. The ROC is also prohibited from disclosing (except for rare judicial exceptions) any information it has obtained in the exercise of its functions.
The international quality control standard (ISQC1) and the international audit standards (ISA) impose confidentiality on the Revisores Oficiais de Contas, as well as on all employees and collaborators, as a transversal and essential requirement in the exercise of their respective functions, which should provide for effective measures for their guarantee.
In this context, BDO annually presents to its employees and collaborators a confidentiality agreement, which is signed and returned, which expressly refers to the confidentiality of the personal data included in the client’s information.
BDO only allows access to the information of a specific client, in particular that which includes personal data, to its employees who are part of the work team (including those responsible for quality control) and to the extent that they need it to carry out their tasks.
Treatment safety measures
BDO has implemented the appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, dissemination or unauthorized access and against any other form of unlawful treatment, always with a level of security adequate to the risks that the treatment implies for the people to whom the data respect, taking into account the most advanced techniques, the costs of application and the nature, scope, context and purposes of the treatment, as well as the risks, probability and variable severity, for the rights and freedoms of natural persons, which is ensured by the fulfilment of the duty of secrecy required by EOROC.
Rights of data subjects
This Privacy Statement aims to comply with the rights of data subjects, namely, the right to information. BDO, as part of the exercise of public interest functions, regarding personal data transmitted by Clients, as a rule, does not collect them from their respective data subjects, limiting themselves to consulting them, using them in the procedures and tests that performs and keeps them in its working documents, subject to confidentiality, legally imposed (EOROC and other legislation, namely, from EU).
Taking into account the above, the exercise of the rights of data subjects consigned in the GDPR (see articles 15, 16, 17, 18, 20 and 21), regarding access, rectification, erasure, restriction of processing, portability and objection, will not, in general, be applicable to BDO, overlapping the exercise of such rights, the public interest underlying the exercise of public interest functions, that such rights may compromise.
Despite this fact, BDO undertakes to always clarify data subjects of any doubts they may have regarding any aspect of the treatment, without prejudice to the confidentiality underlying their work and working documents, with the exception that the data subjects may complain of any circumstances that they deem disrespectful of their rights, with the Comissão Nacional de Proteção de Dados.
Transfers of personal data outside the European Union
Personal data used by BDO in the course of exercising public interest functions will be kept in the audit file or as evidence of the performance of its functions in accordance with the auditing standards. As a rule, such data will be not transferred outside the European Union. However, in cases where there is an effective need for personal data to be transferred outside the European Union, BDO ensures that this will be carried out in accordance with the requirements of the General Data Protection Regulation (GDPR) and other legislation on data protection.
30 September 2020 version