Client/Supplier Privacy Notice
PRIVACY NOTICE FOR CLIENT/SUPPLIER PERSONAL INFORMATION AT BDO Dr. Mohamed Al-Amri & Co.
Introduction
This Privacy Notice describes how BDO Dr. Mohamed Al-Amri & Co. (“BDO Saudi”) collects and processes personal information about you, how we use and protect this information, and your rights in relation to this information. This privacy notice applies to all personal information we collect about you. Personal information is information, or a combination of pieces of information, that could reasonably allow you to be identified.
Throughout this Privacy Notice we use the term “processing” to cover all activities involving your personal information, including collecting, handling, storing, sharing, accessing, using, transferring and disposing of the information.
Information we collect
We may collect your personal information from a variety of sources, including information we collect from you directly (e.g. when you contact us and we provide services to you or you provide services to us), and information we collect about you from other sources, including commercially available sources, such as public databases (where permitted by law).
Certain personal information is required as a consequence of any contractual relationship we have with you or your organization, to enable us to carry out our contractual obligations to you or your organization. Failure to provide this information may prevent or delay the fulfilment of these obligations.
Information we collect directly from you
The categories of information that we may collect directly from you include the following:
(a) personal details (e.g. name, age, date of birth, photographs, nationality);
(b) contact details (e.g. phone number, email address, postal address or mobile number);
(c) employment details (e.g. job title, employer name);
(d) KYC Information (e.g. Passport, other KYC documents, Photographs, Curriculum vitae);
(e) legal documents (e.g. POA, Will, Confidential contracts);
(f) Personal financial information;
(g) any other specific categories of personal data where required.
Information we collect from other sources
The following are examples of the categories of information we may collect from other sources:
(a) personal details (e.g. name, age, date of birth, photographs, nationality);
(b) contact details (e.g. phone number, email address, postal address or mobile number);
(c) employment details (e.g. job title, employer name);
(d) Information on criminal convictions;
(e) Other details (e.g. Professional details including memberships, Business activities, complaints, proceedings and incident details, Professional advice or opinions, Social media details etc.)
How we use your personal information and the basis on which we use it
We use your personal information to:
(a) carry out our obligations to you under this contract to provide any services you request from us;
(b) carry out background checks prior to accepting you as a client/supplier and during re-acceptance and during the course of the engagement;
(c) contact you with questions and other information regarding the services we are providing to you, or the services you are providing to us;
(d) ensure that our records are kept accurate and up to date where you, your employees or contractors work on or visit our facilities;
(e) ensure we issue accurate invoices for our services;
(f) pay invoices;
(g) send you messages about products and services which we think will be of interest to you;
(h) comply with legal obligations to which we are subject;
(i) comply with requests from authorities or proceedings from organisations, public authorities or institutions.
We must have a legal basis to process your personal information. In most cases the legal basis will be one of the following:
(a) to fulfil our contractual obligations to you, for example to ensure that invoices are issued or paid correctly and for ensuring you are able to access our premises when required;
(b) to fulfil our responsibility to adhere to professional standards as applicable to BDO Saudi, for example performing independence and conflict of interest checks, and the onboarding, engagement acceptance and client/supplier re-acceptance process;
(c) to comply with our legal obligations to you, for example our obligation to maintain client/supplier records, statutory returns, crime prevention, ensure our compliance with anti-money laundering and anti-bribery legislations, Know Your clients/suppliers procedures (KYC), health and safety obligations while you are on our premises, or to a third party (e.g. to comply with an order of competent court or tribunal);
(d) to meet our legitimate interests so that: we are able to provide the services you request; our services function correctly in relation to your business; any complaints or concerns can be promptly relayed to you; we can respond to any questions or concerns you might have; we may carry out research and analysis to ensure products and services we offer are relevant to you; and our records are kept up to date and accurate;
(e) to meet our legitimate interests, for example to ensure that the services you provide are appropriate for our needs, that your services function correctly with our systems, that any complaints or concerns can be promptly relayed to you, and our records are kept up to date and accurate; and
(f) send you direct electronic marketing messages to the agreed personnel by post, fax, e-mail or telephone to bring to your attention additional products or services (including those provided by associated BDO entities) which we may consider to be of benefit to you to the extent you have consented to receiving such messages in accordance with applicable law.
Your rights over your personal information
Please let us know if any of the personal information that we hold about you changes so that we can correct and update the information on our systems.
We have taken all reasonable measures to ensure that personal data is processed in accordance with applicable Data Protection Law and any other relevant laws, and to notify you if an instruction infringes any law to which we are subject.
You can view, delete, correct or update the personal information you provide to us by contacting the respective engagement manager or dataprivacy@bdoalamri.com to action the requests.
In certain circumstances you may object to specific processing activities, require us to restrict how we process your personal information and ask us to share your personal information in a usable format with another company. Where you have given your consent to a particular type of processing, you may withdraw that consent at any time.
If you wish to opt in to receive communications on service offerings, events, seminars and newsletters, amongst others, you may register with us by visiting our website – www.bdoalamri.com. However, if you wish to unsubscribe from any of these communications, you may do so by sending an email to marketing@bdoalamri.com.
You have a right of access under data protection legislation to personal data we hold about you. To exercise any of the above rights, please contact us using the contact details set out below in the notice.
Information sharing
In general, we do not share your personal information with third parties (other than service providers acting on our behalf) unless we have a lawful basis for doing so.
We rely on third-party service providers to perform a variety of services on our behalf, such as website hosting, electronic message delivery, payment processing, data analytics and research. This may mean that we have to share your personal information with these third parties. When we share your personal information in this way, we put in place appropriate measures to make sure that our service providers keep your personal information secure.
Information Security
We have implemented generally accepted standards of technology and operational security to protect personal information from loss, misuse, alteration or destruction. We have taken all reasonable steps to ensure that the personal data is protected against misuse and accidental loss or disclosure, and from unauthorized or unlawful processing, destruction or alteration, and in case of any personal data breach (as defined by applicable Data Protection Law) we will notify you without undue delay upon becoming aware of it. We require all employees and principals to keep personal information confidential and only authorized personnel have access to this information.
We will retain your personal information in accordance with our data retention policy. It is our normal practice to retain documents relating to client/supplier engagements as per the retention period prescribed in the local Saudi Regulations (which is ten years) from the end of the relevant engagement. Thereafter, unless separate arrangements have been made, we may destroy or erase the documents or papers without reference to you.
Upon termination or expiry of this engagement, we will promptly return to you or, if requested by you, destroy all copies of the personal data, in which case any right to use, copy or disclose that personal data ceases. However, you agree that we shall have the right to retain copies of documents relating to the Engagement after the Engagement has ended, subject to our continuing confidentiality obligations.
Information Transfer
As part of the processing, your personal information may be transferred to, stored, and processed in a country other than the one in which it was provided, i.e. your personal data may be transferred to BDO staff members including within BDO member firms in other jurisdictions (including relevant KYC information where you have also contacted BDO for provision of other services), use authorized third party licenses or tools or third parties who are bound by appropriate confidentiality and security obligations consistent with the terms of this clause.
We shall not sub-contract our processing of personal data without your prior written consent. When we do so, we transfer the information in compliance with applicable data protection laws. For the purpose of clarity, we will transfer your personal data to Associated BDO Entities or use third party for the purposes stated in this clause provided the transferee (i) is in a country which provides an adequate level of protection for personal data, or (ii) is US Safe Harbor certified, or (iii) has agreed terms equivalent to the EU requirements for the transfer of personal data outside the EEA with BDO or any other BDO Network firm.
Contact Us
If you have questions or concerns regarding the way in which your personal information has been used, please send your queries relating to data privacy to dataprivacy@bdoalamri.com. We will endeavor to respond to your reasonable enquiries and also provide you with reasonable assistance to enable you to comply with applicable Data Protection Laws as and when required.
Changes to the Privacy Notice
You may request a copy of this privacy notice from us using the contact details set out above. We may modify or update this privacy notice from time to time. You will be able to see when we last updated the privacy notice because we will include a revision date. Changes and additions to this privacy notice are effective from the date on which they are posted. Please review this privacy notice from time to time to check whether we have made any changes to the way in which we use your personal information.