What is BDO Luxembourg allowed to do?
Depending on the case, clients grant BDO Luxembourg a general or specific written authorisation to engage subprocessors for the performance of the services.
A list of subprocessors used by BDO Luxembourg at the time of the conclusion of the contract will be included in the engagement letter(s) signed by the parties.
During the performance of the services:
- in case of a general authorization, BDO Luxembourg informs the client of any intended changes concerning the addition or replacement of subprocessors. BDO gives a prior notification of the intended changes, giving the client the opportunity to object to such changes during 15 working days. Any lack of response from the client is considered by BDO Luxembourg as an acceptance of the intended change.
- In case of a specific authorization, BDO Luxembourg requests the client's consent in writing.
What is the procedure of BDO Luxembourg for contracting with subprocessors?
BDO Luxembourg requires its subprocessors to comply with obligations equivalent to those applicable to BDO Luxembourg (as a processor) as set out in the general terms of business and engagement letter(s), including but not limited to the following requirements:
- to process personal data in accordance with the documented instructions of the data controller (the client),
- to provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject,
- to use only personnel who are under a contractual obligation to respect the confidentiality and security of the data,
- inform BDO Luxembourg without delay of any security breach, and
- cooperate with BDO Luxembourg in responding to requests from data controllers, data subjects or data protection authorities, as appropriate.
BDO Luxembourg remains fully liable to the client for the performance of the subprocessor's obligations.
What data are shared?
The categories of data shared with the subprocessor will depend on the service that BDO Luxembourg provides for its clients as well as the part of the service which is subprocessed.
BDO Luxembourg will only share with its subprocessors the minimum amount of data required to perform the part of the service subprocessed.