Subprocessing Activities

WHAT ARE BDO ENTITIES IN LUXEMBOURG ALLOWED TO DO? 
Depending on the case, clients grant BDO entities in Luxembourg a general or specific written authorisation to engage subprocessors for the performance of the services.

A list of subprocessors used by BDO entities in Luxembourg at the time of the conclusion of the contract will be included in the engagement letter(s) signed by the parties.

DURING THE PERFORMANCE OF THE SERVICES:

  • in case of a general authorisation, BDO entities in Luxembourg inform the client of any intended changes concerning the addition or replacement of subprocessors. BDO entities in Luxembourg give a prior notification of the intended changes, giving the client the opportunity to object to such changes during 15 working days. Any lack of response from the client is considered by BDO entities in Luxembourg as an acceptance of the intended change.
  • In case of a specific authorisation, BDO entities in Luxembourg request the client's consent in writing.

WHAT IS THE PROCEDURE OF BDO ENTITIES IN LUXMEBOURG FOR CONTRACTING WITH SUBPROCESSORS?
BDO entities in Luxembourg require their subprocessors to comply with obligations equivalent to those applicable to BDO entities in Luxembourg (as a processor) as set out in the general terms of business and engagement letter(s), including but not limited to the following requirements:

  • to process personal data in accordance with the documented instructions of the data controller (the client),
  • to provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject,
  • to use only personnel who are under a contractual obligation to respect the confidentiality and security of the data,
  • inform BDO entities in Luxembourg without delay of any security breach, and
  • cooperate with BDO entities in Luxembourg in responding to requests from data controllers, data subjects or data protection authorities, as appropriate.

BDO entities in Luxembourg remain fully liable to the client for the performance of the subprocessor's obligations.

WHAT DATA ARE SHARED?
The categories of data shared with the subprocessor will depend on the service that BDO entities Luxembourg provide for their clients as well as the part of the service which is subprocessed.

BDO entities Luxembourg will only share with its subprocessors the minimum amount of data required to perform the part of the service subprocessed.

BDO entities in Luxembourg are composed of several distinct entities with common means, among which:

  • BDO Advisory S.A,
  • BDO Tax & Accounting S.A,
  • BDO Technology S.A,
  • BDO Audit S.A,
  • BDO Services Luxembourg S.A,
  • CF Corporate Services S.A,
  • Audiex S.A,
  • CF Fund Services S.A.

All these entities are domiciled at the following address: 1,-1A rue Jean Piret L-2350 LUXEMBOURG.

In order to provide the most effective and efficient service for its clients, any entity of BDO entities in Luxembourg may subprocess part of the services to any other entity of BDO entities in Luxembourg mentioned above, depending on the specific needs of each service provision. This subprocessing does not imply data transfers outside Luxembourg.

In addition, BDO entities in Luxembourg may also subprocess part of the services to CF Luxembourg Services, a fully owned subsidiary in Marrakech, Morocco.

WHAT APPROPRIATE SAFEGUARDS FOR THE TRANSFER OF PERSONAL DATA?
Any transfer of personal data is subject to appropriate safeguards. GDPR regulation is fully applicable for any transfer of data to the entities of BDO entities in Luxembourg domiciled in Luxembourg. If a transfer is made to CF Luxembourg Services for carrying out specific processing activities, the transfer of personal data outside the European union is based on the EU-approved safeguard, being the BDO’s Binding Corporate Rules for Controllers and Processors available here: https://www.bdo.lu/en-gb/bcrs. For any request you may have regarding international transfer of data, please send an email to the following address : dpo@bdo.lu.

BDO entities in Luxembourg are a member of BDO International Limited and forms part of the international BDO network of independent member firms.

BDO entities in Luxembourg may share personal data with member firms of the BDO network where it is necessary for providing effective and efficient services for its clients.

An exhaustive list of the BDO network is available here: https://www.bdo.global/en-gb/locations

WHAT APPROPRIATE SAFEGUARDS FOR THE TRANSFER OF PERSONAL DATA?
When the subprocessing to a member firm of the BDO network implies a transfer of personal data to a third country which does not ensure an adequate level of protection, the transfer is based on EU-approved safeguard: the Binding Corporate Rules (BCRs) of BDO which set out the data privacy principles with which BDO firms must comply when using and sharing personal data within the BDO network.

BDO’s BCRs are available here: https://www.bdo.lu/en-gb/legal-privacy-en/bcrs

Services Subprocessor Subject matter of the subprocessing Data Location
All Services

COIN Availability Services Luxembourg

https://www.coin-as.com/contact/

Back up (BCP/DRP) EU
(Luxembourg)
Payroll

SeeZam

https://www.seezam.com/en/

Electronic safe for payslips  EU
(Luxembourg)
Payroll

Regify

https://www.regify.com

Regipay: encryption mechanism for payslip accounts EU
(Germany)
Accounting

Sage Cloud Demat

https://www.sage.com/fr-be/

Sharing platform for accounting documents EU
(Ireland, Germany)
Accounting

Silverfin
https://www.silverfin.com/fr/

Cloud accounting platform for the automation and digitalization of the accounting work EU
(Germany, Belgium)
All Services

BDO Worldwide Services
https://www.bdo.global/

Share of clients information and documents via BDO Portal

EU West Europe
(Amsterdam, Ireland)

External Audit

Circit

https://www.circit.io/

Platform to manage audit confirmations EU Noth/West Europe
(The Netherlands, Ireland)
All Services

Microsoft 365

https://www.microsoft.com/en-us/microsoft-365

Email, Collaboration services EU
(North Europe)