Principle

Subprocessing Activities

WHAT ARE BDO ENTITIES IN LUXEMBOURG ALLOWED TO DO?
Depending on the case, clients grant BDO entities in Luxembourg a general or specific written authorisation to engage subprocessors for the performance of the services.

A list of subprocessors used by BDO entities in Luxembourg at the time of the conclusion of the contract will be included in the engagement letter(s) signed by the parties.

DURING THE PERFORMANCE OF THE SERVICES:

in case of a general authorisation, BDO entities in Luxembourg inform the client of any intended changes concerning the addition or replacement of subprocessors. BDO entities in Luxembourg give a prior notification of the intended changes, giving the client the opportunity to object to such changes during 15 working days. Any lack of response from the client is considered by BDO entities in Luxembourg as an acceptance of the intended change.
In case of a specific authorisation, BDO entities in Luxembourg request the client's consent in writing.

WHAT IS THE PROCEDURE OF BDO ENTITIES IN LUXMEBOURG FOR CONTRACTING WITH SUBPROCESSORS?
BDO entities in Luxembourg require their subprocessors to comply with obligations equivalent to those applicable to BDO entities in Luxembourg (as a processor) as set out in the general terms of business and engagement letter(s), including but not limited to the following requirements:

to process personal data in accordance with the documented instructions of the data controller (the client),
to provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject,
to use only personnel who are under a contractual obligation to respect the confidentiality and security of the data,
inform BDO entities in Luxembourg without delay of any security breach, and
cooperate with BDO entities in Luxembourg in responding to requests from data controllers, data subjects or data protection authorities, as appropriate.

BDO entities in Luxembourg remain fully liable to the client for the performance of the subprocessor's obligations.

WHAT DATA ARE SHARED?
The categories of data shared with the subprocessor will depend on the service that BDO entities Luxembourg provide for their clients as well as the part of the service which is subprocessed.

BDO entities Luxembourg will only share with its subprocessors the minimum amount of data required to perform the part of the service subprocessed.

BDO entities in Luxembourg are composed of several distinct entities with common means, among which:

BDO Advisory S.A,
BDO Tax & Accounting S.A,
BDO Technology S.A,
BDO Audit S.A,
BDO Services Luxembourg S.A,
CF Corporate Services S.A,
Audiex S.A,
CF Fund Services S.A.

All these entities are domiciled at the following address: 1,-1A rue Jean Piret L-2350 LUXEMBOURG.

In order to provide the most effective and efficient service for its clients, any entity of BDO entities in Luxembourg may subprocess part of the services to any other entity of BDO entities in Luxembourg mentioned above, depending on the specific needs of each service provision. This subprocessing does not imply data transfers outside Luxembourg.

In addition, BDO entities in Luxembourg may also subprocess part of the services to CF Luxembourg Services, a fully owned subsidiary in Marrakech, Morocco.

WHAT APPROPRIATE SAFEGUARDS FOR THE TRANSFER OF PERSONAL DATA?
Any transfer of personal data is subject to appropriate safeguards. GDPR regulation is fully applicable for any transfer of data to the entities of BDO entities in Luxembourg domiciled in Luxembourg. If a transfer is made to CF Luxembourg Services for carrying out specific processing activities, the transfer of personal data outside the European union is based on the EU-approved safeguard, being the BDO’s Binding Corporate Rules for Controllers and Processors available here: https://www.bdo.lu/en-gb/bcrs. For any request you may have regarding international transfer of data, please send an email to the following address : dpo@bdo.lu.

BDO entities in Luxembourg are a member of BDO International Limited and forms part of the international BDO network of independent member firms.

BDO entities in Luxembourg may share personal data with member firms of the BDO network where it is necessary for providing effective and efficient services for its clients.

An exhaustive list of the BDO network is available here: https://www.bdo.global/en-gb/locations

WHAT APPROPRIATE SAFEGUARDS FOR THE TRANSFER OF PERSONAL DATA?
When the subprocessing to a member firm of the BDO network implies a transfer of personal data to a third country which does not ensure an adequate level of protection, the transfer is based on EU-approved safeguard: the Binding Corporate Rules (BCRs) of BDO which set out the data privacy principles with which BDO firms must comply when using and sharing personal data within the BDO network.

BDO’s BCRs are available here: https://www.bdo.lu/en-gb/legal-privacy-en/bcrs

Services	Subprocessor	Subject matter of the subprocessing	Data Location
All Services	COIN Availability Services Luxembourg https://www.coin-as.com/contact/	Back up (BCP/DRP)	EU (Luxembourg)
Payroll	SeeZam https://www.seezam.com/en/	Electronic safe for payslips	EU (Luxembourg)
Payroll	Regify https://www.regify.com	Regipay: encryption mechanism for payslip accounts	EU (Germany)
Accounting	Sage Cloud Demat https://www.sage.com/fr-be/	Sharing platform for accounting documents	EU (Ireland, Germany)
Accounting	Silverfin https://www.silverfin.com/fr/	Cloud accounting platform for the automation and digitalization of the accounting work	EU (Germany, Belgium)
All Services	BDO Worldwide Services https://www.bdo.global/	Share of clients information and documents via BDO Portal	EU West Europe (Amsterdam, Ireland)
External Audit	Circit https://www.circit.io/	Platform to manage audit confirmations	EU Noth/West Europe (The Netherlands, Ireland)
All Services	Microsoft 365 https://www.microsoft.com/en-us/microsoft-365	Email, Collaboration services	EU (North Europe)

A list of subprocessors used by BDO entities in Luxembourg at the time of the conclusion of the contract will be included in the engagement letter(s) signed by the parties.

DURING THE PERFORMANCE OF THE SERVICES:

in case of a general authorisation, BDO entities in Luxembourg inform the client of any intended changes concerning the addition or replacement of subprocessors. BDO entities in Luxembourg give a prior notification of the intended changes, giving the client the opportunity to object to such changes during 15 working days. Any lack of response from the client is considered by BDO entities in Luxembourg as an acceptance of the intended change.
In case of a specific authorisation, BDO entities in Luxembourg request the client's consent in writing.

to process personal data in accordance with the documented instructions of the data controller (the client),
to provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject,
to use only personnel who are under a contractual obligation to respect the confidentiality and security of the data,
inform BDO entities in Luxembourg without delay of any security breach, and
cooperate with BDO entities in Luxembourg in responding to requests from data controllers, data subjects or data protection authorities, as appropriate.

BDO entities in Luxembourg remain fully liable to the client for the performance of the subprocessor's obligations.

BDO entities Luxembourg will only share with its subprocessors the minimum amount of data required to perform the part of the service subprocessed.

Subprocessing Activities

Principle

BDO entities in Luxembourg

The BDO Network

Third Parties