Principle

Subprocessing Activities

WHAT IS BDO LUXEMBOURG ALLOWED TO DO?
Depending on the case, clients grant BDO Luxembourg a general or specific written authorisation to engage subprocessors for the performance of the services.

A list of subprocessors used by BDO Luxembourg at the time of the conclusion of the contract will be included in the engagement letter(s) signed by the parties.

DURING THE PERFORMANCE OF THE SERVICES:

in case of a general authorization, BDO Luxembourg informs the client of any intended changes concerning the addition or replacement of subprocessors. BDO gives a prior notification of the intended changes, giving the client the opportunity to object to such changes during 15 working days. Any lack of response from the client is considered by BDO Luxembourg as an acceptance of the intended change.
In case of a specific authorization, BDO Luxembourg requests the client's consent in writing.

WHAT IS THE PROCEDURE OF BDO LUXMEBOURG FOR CONTRACTING WITH SUBPROCESSORS?
BDO Luxembourg requires its subprocessors to comply with obligations equivalent to those applicable to BDO Luxembourg (as a processor) as set out in the general terms of business and engagement letter(s), including but not limited to the following requirements:

to process personal data in accordance with the documented instructions of the data controller (the client),
to provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject,
to use only personnel who are under a contractual obligation to respect the confidentiality and security of the data,
inform BDO Luxembourg without delay of any security breach, and
cooperate with BDO Luxembourg in responding to requests from data controllers, data subjects or data protection authorities, as appropriate.

BDO Luxembourg remains fully liable to the client for the performance of the subprocessor's obligations.

WHAT DATA ARE SHARED?
The categories of data shared with the subprocessor will depend on the service that BDO Luxembourg provides for its clients as well as the part of the service which is subprocessed.

BDO Luxembourg will only share with its subprocessors the minimum amount of data required to perform the part of the service subprocessed.

Entities of BDO in Luxembourg are composed of several distinct entities with common means, among which:

BDO Advisory S.A,
BDO Tax & Accounting S.A,
BDO Technology S.A,
BDO Audit S.A,
BDO Services Luxembourg S.A,
CF Corporate Services S.A,
Audiex S.A,
CF Fund Services S.A.

All these entities are domiciled at the following address: 1,-1A rue Jean Piret L-2350 LUXEMBOURG.

In order to provide the most effective and efficient service for its clients, any entity of BDO in Luxembourg may subprocess part of the services to any other entity of BDO in Luxembourg mentioned above, depending on the specific needs of each service provision. This subprocessing does not imply data transfers outside Luxembourg.

In addition, BDO in Luxembourg may also subprocess part of the services to CF Luxembourg Services, a fully owned subsidiary in Marrakech, Morocco.

WHAT APPROPRIATE SAFEGUARDS FOR THE TRANSFER OF PERSONAL DATA?
Any transfer of personal data is subject to appropriate safeguards. GDPR regulation is fully applicable for any transfer of data to the entities of BDO in Luxembourg domiciled in Luxembourg. If a transfer is made to CF Luxembourg Services for carrying out specific processing activities, the transfer of personal data outside the European union is based on the EU-approved safeguard, being the BDO’s Binding Corporate Rules for Controllers and Processors available here: https://www.bdo.lu/en-gb/bcrs. For any request you may have regarding international transfer of data, please send an email to the following address : dpo@bdo.lu.

BDO Luxembourg is a member of BDO International Limited and forms part of the international BDO network of independent member firms.

BDO Luxembourg may share personal data with member firms of the BDO network where it is necessary for providing effective and efficient services for its clients.

An exhaustive list of the BDO network is available here: https://www.bdo.global/en-gb/locations

WHAT APPROPRIATE SAFEGUARDS FOR THE TRANSFER OF PERSONAL DATA?
When the subprocessing to a member firm of the BDO network implies a transfer of personal data to a third country which does not ensure an adequate level of protection, the transfer is based on EU-approved safeguard: the Binding Corporate Rules (BCRs) of BDO which set out the data privacy principles with which BDO firms must comply when using and sharing personal data within the BDO network.

BDO’s BCRs are available here: https://www.bdo.lu/en-gb/legal-privacy-en/bcrs

Services	Subprocessor	Subject matter of the subprocessing	Data Location
All Services	COIN Availability Services Luxembourg https://www.coin-as.com/contact/	Back up (BCP/DRP)	EU (Luxembourg)
Payroll	SeeZam https://www.seezam.com/en/	Electronic safe for payslips	EU (Luxembourg)
Payroll	Regify https://www.regify.com	Regipay: encryption mechanism for payslip accounts	EU (Germany)
Accounting	Sage Cloud Demat https://www.sage.com/fr-be/	Sharing platform for accounting documents	EU (Ireland, Germany)
Accounting	Silverfin https://www.silverfin.com/fr/	Cloud accounting platform for the automation and digitalization of the accounting work	EU (Germany, Belgium)
All Services	BDO Worldwide Services https://www.bdo.global/	Share of clients information and documents via BDO Portal	EU West Europe (Amsterdam, Ireland)
External Audit	Circit https://www.circit.io/	Platform to manage audit confirmations	EU Noth/West Europe (The Netherlands, Ireland)
All Services	Microsoft 365 https://www.microsoft.com/en-us/microsoft-365	Email, Collaboration services	EU (North Europe)