Data Protection Policy
This data protection policy applies to BDO firms which are established in Singapore. It governs the collection, disclosure and use of personal data that is sent to BDO in Singapore and its website. It explains how we collect, disclose and use your personal data and the different types of personal data.
1. Introduction
BDO Singapore1 respects the privacy and confidentiality of prospects and clients’ personal data as well as visitors’ personal data collected. We are committed to implementing policies, practices and processes to safeguard the collection, use and disclosure of the personal data you provide us, in compliance with the Personal Data Protection Act (2012) (“PDPA”). If you reside in the UK or Europe, we will comply with the General Data Protection Regulation (“GDPR”) (EU) 2016/679 in processing and holding your personal data.
By providing your personal data to us, you acknowledge and agree that you have fully read and understood this policy, and are consenting to the collection, use, processing and disclosure of your personal data as described in this policy.
1.1 Compliance with Personal Data Protection Act and General Data Protection Regulation
We will first and foremost comply with the PDPA and any applicable Singapore law. With regards to personal data of individuals residing in the UK or Europe (hereinafter referred to as “European personal data”), where there is no applicable Singapore law, the European personal data will be processed in accordance with the GDPR. Where Singapore law requires a higher level of protection for European personal data than is provided for in the GDPR, the higher level of protection will take precedence and be applied to the processing of European personal data. We will ensure that complying with the GDPR does not conflict with the PDPA and the applicable Singapore data protection laws.
We have developed this Data Protection & Privacy Policy to assist you in understanding how we collect, use, disclose, process and retain your personal data.
This policy supplements but does not supersede nor replace any other consent you may have previously provided to BDO Singapore in respect of your personal data.
2. How We Collect Your Personal Data
The PDPA defines personal data as “data, whether true or not, about an individual who can be identified:
- from that data; or
- from that data and other information to which the organisation has or is likely to have access.”
The GDPR defines personal data as any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(henceforth, collectively referred to as “personal data”)
We generally collect personal data through the following methods and / or channels:
- When you engage BDO Singapore to render professional services to you;
- When we record CCTV footage while you are within our premises;
- When you interact with BDO Singapore via face-to-face meetings, emails, letters, fax and telephone conversations;
- When we receive your personal data in the course of our professional work;
- When we receive references from business partners, associates and / or third parties;
- When you submit documents to us for the purpose of employment opportunities, seminars and / or any events organised by BDO Singapore;
- When photographs or videos of you are taken by BDO Singapore and / or our representatives during events hosted by us;
- When you visit our website and leave your personal data, including your IP address assigned to your computer;
- When you visit our website which may use cookies to facilitate the management and maintenance of our website as well as improved navigation by visitors;
- When you submit your personal data to us for any other reasons;
- When we collect information about you from other sources, including commercially available sources, such as public databases (where permitted by law).
2.1 Social Media
We may host various blogs, forums, wikis and other social media applications such as Facebook and LinkedIn that allow you to share content with other users (collectively “Social Media Applications”). Any personal information that you contribute to these Social Media Applications can be read, collected and used by other users of the application, including BDO Singapore. Any personal data that you share over Social Media Applications will not be covered and / or protected by this Data Protection and Privacy Policy.
2.2 Cookies
We use cookies to identify you from other users on our website to improve your navigation. A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer or device. By continuing to use our website, you are agreeing to the use of cookies on our website.
You can block or deactivate cookies in your browser settings. Please be aware that blocking or deactivating the cookies may, inter alia, affect the quality of your user experience on our website.
2.3 IP Address
An IP Address is a number that is automatically assigned to your computer when you are connected to the Internet. Your IP address is automatically logged in to our server when you visit our website and it is only used for diagnosing problems with our server and website. Based on your IP address, we may identify the general geographical location from which you appear to originate. However, we will not be able to pinpoint the exact location from which you are accessing our website. We will not connect your IP address to anything that will allow us to recognize you unless it is required by laws and regulations.
3. Types of Personal Data Collected
The types of personal data that we collect about you may include, but are not limited to, your name, current job title, address, email address, telephone numbers and fax numbers. We will only collect sensitive personal data (such as passport or other identification numbers, date of birth, bank account numbers, employment details, family background and details, race and / or ethnicity) where it is voluntarily provided to us by you, or where such personal data is required or permitted to be collected by law or professional standards. For UK and European residents, such sensitive personal data will not be collected without your explicit consent and will only be collected (subject to prohibitions) in accordance with the GDPR. For avoidance of doubt, our collection of sensitive data such as NRIC numbers, birth certificate numbers, foreign identification numbers and work permit numbers will be done in accordance with the PDPA and, in particular, the ‘Advisory Guidelines on the Personal Data Protection Act for NRIC and other national identification numbers’.2
If you provide us with the personal data of anyone other than yourself (including your family members), you warrant that you have informed the owner of the personal data about the purposes for which his / her personal data will be used and that he / she has consented to your disclosure of his / her personal data to BDO Singapore for those purposes.
3.1 Minors
We understand the importance of protecting the information of minors. Our site is not designed for or directed at minors below the age of 16. We do not knowingly collect or maintain personal data about minors below the age of 16, except as part of an engagement to provide professional services. If you are below 16 years old, please do not provide any personal data even if you are prompted to do so. Should you believe that you have inadvertently provided your personal data to us, your parent(s) or legal guardian(s) may notify us (please refer to Section 13 of this Data Protection and Privacy Policy) and we will remove the personal data accordingly.
4. How We Use Your Personal Data
Personal data that we collect from you will only be used for the intended purpose(s) stated and / or communicated to you at the time that the personal data is collected. In addition, we may use the personal data that we have collected about you for the following purposes:
- Providing professional services to you;
- Sending you updates, materials and communications regarding the professional services rendered by BDO Singapore;
- Sending you information on seminars and conferences conducted by BDO Singapore;
- Responding to, processing and handling your queries, feedback and suggestions;
- Meeting or complying with any applicable laws, regulations or professional standards issued by any legal or regulatory bodies in Singapore;
- Verifying your identity, processing payments as well as managing our administrative and business operations;
- Managing the security of our premises, facilities and technology infrastructure;
- All other purposes related to our business.
If you are seeking employment or any other appointment with BDO Singapore or other members of the BDO network, we may use the personal data that we have collected from you for the following purposes:
- Processing and assessing your application;
- Performing background checks;
- Verifying your credentials and qualifications as well as obtaining employment references;
- Responding to any queries posed to us; and
- All other purposes related to the process of employment or appointment.
BDO Singapore may process and / or transfer such personal data to other members of the BDO network and / or BDO’s subcontractors (which may be located in other territories) for the purposes of (i) providing professional services; (ii) maintaining BDO’s operations or client relationship management system; (iii) quality and risk management reviews, or (iv) providing you with information about BDO and / or BDO’s range of services.
Where your personal data is to be used for a different purpose and / or shared with a third party in a situation not mentioned above, we will seek your consent before proceeding to use and / or share your personal data.
It is BDO Singapore’s policy to avoid collecting excessive and / or irrelevant personal data. BDO Singapore does not collect and / or compile personal data for the purpose of sale to outside parties.
4.1 Sensitive Data
While the PDPA does not have a distinct classification of sensitive data, the GDPR defines the following as special categories of personal data: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade-union membership; genetic data; biometric data for the purpose of uniquely identifying a natural person; data concerning one’s health or sex life; and sexual orientation.
Where applicable under the GDPR, we will only process special categories of data upon obtaining your explicit consent, except under certain circumstances listed in Article 9 of the GDPR such as matters relating to employment, social security and social protection; protection of vital interests; personal data made public by you; for legal claims; or for reasons of substantial public interest.
5. Who We Disclose Your Personal Data To
BDO Singapore will take reasonable steps to protect your personal data from unauthorised disclosure. Personal data that we collect from you is only disclosed to other members of the BDO network and / or third parties for the intended purpose(s) which was stated and / or communicated to you at the time that the personal data was collected. Such third parties shall provide BDO Singapore with written confirmation that they will provide adequate protection over the personal data in question. Personal data may also be disclosed to third parties (whether in Singapore or otherwise) where BDO Singapore is compelled to do so by the relevant authorities (including the Singapore Courts).
For avoidance of doubt, BDO Singapore’s privacy practices stated herein do not apply when you connect to the websites of BDO’s overseas offices and / or other third party websites. You are encouraged to review the data protection and privacy policies of websites you choose to visit.
6. Consent
6.1 Obtaining Consent
Before we collect, use or disclose your personal data, we will notify you of the purpose(s) of such collection, usage and disclosure. As far as possible, we will not collect excessive and / or irrelevant personal data for the stated purpose(s). By providing your personal data to us, you acknowledge and agree that you have fully read and understood this policy, and are consenting to the collection, use, processing and disclosure of your personal data as described in this policy.
You may, in certain circumstances, be deemed to have provided consent to the collection, use and / or disclosure of personal data for a purpose – you may find an explanation of such ‘deemed consent’ at https://sso.agc.gov.sg/Act/PDPA2012#pr15-.
There are also certain circumstances where your Personal Data may be collected, used and / or disclosed without your express consent – these exceptions can be found at https://sso.agc.gov.sg/Act/PDPA2012#pr17-.
For European residents, we shall obtain written confirmation from you on your express consent, unless processing of your personal data without your consent is permitted by the GDPR.
6.2 Third-Party Consent
If you are carrying out a transaction with us, having a face-to-face meeting with us, and / or providing us with any personal data on behalf of another individual, you must first notify and obtain consent from that other individual before we can collect, use and / or disclose his or her personal data. Such consent must be provided to us in writing.
6.3 Withdrawing Consent
If you wish to withdraw consent, you should give us reasonable advance notice in writing. The withdrawal of consent to BDO Singapore’s collection, use and / or disclosure of Personal Data may, amongst other things, affect the quality of services rendered to you. Upon your withdrawal of consent, we will cease (and cause our intermediaries and agents to cease) collecting, using or disclosing the personal data unless it is authorised or required under applicable laws.
You may withdraw consent by either:
- Sending an email or letter to us (please refer to Section 13 of this Data Protection and Privacy Policy); or
- Through the “UNSUB” feature in our emails to you.
7. Accessing and Making Correction to Your Personal Data
You may write to us, based on reasonable grounds, to find out how we have been using or disclosing your personal data and / or to request a copy of your personal data.
Before we accede to your request, we will need you to firstly verify your identity. Thereafter, we will let you have an estimate of the time required to retrieve all the relevant personal data and the fee that we will charge for processing your request (our costs in administering your request). Upon confirmation of your acceptance of the aforesaid fee, we shall respond to your written request within 30 days. You will also be informed in the event that BDO Singapore is unable to accede to your request. We may choose to deny you access to, and / or correction of, Personal Data, in accordance with the exceptions under the PDPA, including but not limited to the following circumstances:
- We are satisfied on reasonable grounds that the correction should not be made;
- The request for access is frivolous or vexatious or the information requested is trivial; and / or
- The personal data, if disclosed, would reveal confidential commercial information which would, in the opinion of a reasonable person, harm our competitive position.
If you reside in the UK or Europe, you may request access and / or a copy of your personal data subject to the requirements of the GDPR (subject to applicable exemptions), to update and / or correct the personal data that is in the possession or under the control of BDO Singapore. You may do so by writing to us (please refer to Section 13 of this Data Protection and Privacy Policy).
8. Accuracy of Your Personal Data
We will take reasonable precautions and verification checks to ensure that the personal data that we have collected from you is reasonably accurate, complete and up-to-date. If you are a client or if you would like to continue to receive updates, materials and communications regarding our professional services, seminars and / or conferences, it is important that you update us if there are any changes to your personal data such as email address etc. We will not be responsible for relying on inaccurate or incomplete personal data arising from your failure in updating us of any changes to your personal data that was initially provided to us.
9. Protection of Personal Data
BDO Singapore will take reasonable steps to ensure that personal data and confidential information are protected within our organisation. We have implemented the appropriate information security and technical measures to protect your personal data that is under our care and control to prevent loss, modification, collection, unauthorised access, misuse, copying, alteration, disclosure and / or destruction.
External data intermediaries who process and maintain your personal data on our behalf will be bound by contractual data protection arrangements we have with them.
Although we use appropriate measures to protect your personal data, the transmission of data over the internet is never completely secure. We endeavour to protect your personal data, but cannot fully guarantee the security of data transmitted to us or by us.
9.1 Data Breach
In the event that we become aware that the security of personal data stored within our organisation has been compromised, we shall take reasonable steps to notify the affected persons if there is a risk of significant harm to the affected persons or if it is otherwise required by law. We reserve the right to take necessary steps, including conducting investigations as well as notifying and cooperating with the relevant law enforcement authorities (where necessary).
10. Retention of Personal Data
We will not retain any of your personal data under our care and / or control where it is no longer necessary for any business or legal purposes.
We will ensure that your personal data that no longer has any business or legal use is destroyed or disposed of in a secure manner. This applies to both physical documents and electronic data stored in databases.
Should you require your personal data to be deleted from our records, please contact us in writing (please refer to Section 13 of this Data Protection and Privacy Policy).
11. Transfer of Personal Data Outside of Singapore
In the event that there is a need for us to transfer your personal data to another country, we will ensure that the standard of data protection in the recipient country is comparable to that of Singapore’s PDPA, or in the case of European personal data, the GDPR.
12. Updates on Data Protection & Privacy Policy
As part of our efforts in implementing the latest policies, practices and processes, we will be reviewing these policies, practices and processes from time to time. We reserve the right to amend the terms of this Data Protection and Privacy Policy at our absolute discretion. Any amended Data Protection and Privacy Policy will be posted on our website. You are encouraged to visit our website from time to time to ensure that you are well informed of our latest policies in relation to personal data protection.
13. Contact Information
You may contact our Data Protection Officer via email at dpo@bdo.com.sg or write in to us at 600 North Bridge Road, #23-01 Parkview Square, Singapore 188778, if you would like to:
- Withdraw your consent to any use of your personal data;
- Obtain access to your personal data;
- Make corrections to your personal data;
- Clarify any questions relating to our collection, use and / or disclosure of your personal data;
- Provide feedback regarding this policy document; and / or
- Make any complaint relating to how we manage your personal data.
Any query or complaint should include, at least, your full name, contact information and a brief description of the query or complaint. We treat such queries and complaints seriously and will deal with them confidentially and within reasonable time.
1 BDO Singapore refers to the entities under the BDO Group in Singapore including BDO LLP, BDO Consultants Pte. Ltd., BDO Corporate Services Pte. Ltd., BDO Advisory Pte. Ltd., BDO Tax Advisory Pte. Ltd., and BDO Recruits Pte. Ltd.
2 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/Advisory-Guidelines-for-NRIC-Numbers---310818.pdf