What is BDO Luxembourg allowed to do? 
Depending on the case, clients grant BDO Luxembourg a general or specific written authorisation to engage subprocessors for the performance of the services.

A list of subprocessors used by BDO Luxembourg at the time of the conclusion of the contract will be included in the engagement letter(s) signed by the parties.

During the performance of the services:

• in case of a general authorization, BDO Luxembourg informs the client of any intended changes concerning the addition or replacement of subprocessors. BDO gives a prior notification of the intended changes, giving the client the opportunity to object to such changes during 15 working days. Any lack of response from the client is considered by BDO Luxembourg as an acceptance of the intended change.
• In case of a specific authorization, BDO Luxembourg requests the client's consent in writing.

What is the procedure of BDO Luxembourg for contracting with subprocessors?
BDO Luxembourg requires its subprocessors to comply with obligations equivalent to those applicable to BDO Luxembourg (as a processor) as set out in the general terms of business and engagement letter(s), including but not limited to the following requirements:

• to process personal data in accordance with the documented instructions of the data controller (the client),
• to provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject,
• to use only personnel who are under a contractual obligation to respect the confidentiality and security of the data,
• inform BDO Luxembourg without delay of any security breach, and
• cooperate with BDO Luxembourg in responding to requests from data controllers, data subjects or data protection authorities, as appropriate.

BDO Luxembourg remains fully liable to the client for the performance of the subprocessor's obligations.

What data are shared?
The categories of data shared with the subprocessor will depend on the service that BDO Luxembourg provides for its clients as well as the part of the service which is subprocessed.

BDO Luxembourg will only share with its subprocessors the minimum amount of data required to perform the part of the service subprocessed.

Entities of BDO in Luxembourg are composed of several distinct entities with common means, among which:

• BDO Advisory S.A,
• BDO Tax & Accounting S.A,
• BDO Technology S.A,
• BDO Audit S.A,
• BDO Services Luxembourg S.A,
• CF Corporate Services S.A,
• Audiex S.A,
• CF Fund Services S.A.

All these entities are domiciled at the following address: 1,-1A rue Jean Piret L-2350 LUXEMBOURG.

In order to provide the most effective and efficient service for its clients, any entity of BDO in Luxembourg may subprocess part of the services to any other entity of BDO in Luxembourg mentioned above, depending on the specific needs of each service provision. This subprocessing does not imply data transfers outside Luxembourg.

In addition, BDO in Luxembourg may also subprocess part of the services to CF Luxembourg Services, a fully owned subsidiary in Marrakech, Morocco.

What appropriate safeguards for the transfer of personal data?
Any transfer of personal data is subject to appropriate safeguards. GDPR regulation is fully applicable for any transfer of data to the entities of BDO in Luxembourg domiciled in Luxembourg. If a transfer is made to CF Luxembourg Services for carrying out specific processing activities, the transfer of personal data outside the European union is based on the EU-approved safeguard, being the BDO’s Binding Corporate Rules for Controllers and Processors available here: https://www.bdo.lu/en-gb/bcrs. For any request you may have regarding international transfer of data, please send an email to the following address : dpo@bdo.lu.

BDO Luxembourg is a member of BDO International Limited and forms part of the international BDO network of independent member firms.

BDO Luxembourg may share personal data with member firms of the BDO network where it is necessary for providing effective and efficient services for its clients.

An exhaustive list of the BDO network is available here: https://www.bdo.global/en-gb/locations

What appropriate safeguards for the transfer of personal data?
When the subprocessing to a member firm of the BDO network implies a transfer of personal data to a third country which does not ensure an adequate level of protection, the transfer is based on EU-approved safeguard: the Binding Corporate Rules (BCRs) of BDO which set out the data privacy principles with which BDO firms must comply when using and sharing personal data within the BDO network.

BDO’s BCRs are available here: https://www.bdo.lu/en-gb/legal-privacy-en/bcrs