Written Information - Clients
WRITTEN INFORMATION FOR SUBJECTS WHOSE PERSONAL DATA ARE PROCESSED IN THE COURSE OF PROVISION OF AUDIT AND CONSULTING SERVICES
1. Identification of BDO AFA
BDO AFA OOD, having UIC 030278596 and BDO AFA CONSULTANTS OOD, having UIC 121813481 (hereinafter referred to as BDO AFA or the Controller), acting as Assignees under contracts for audit and/or consulting services, concluded with their clients - acting as Assignors under the contracts, shall process certain categories of personal data in their capacity as personal data controllers.
BDO AFA OOD and BDO AFA CONSULTANTS OOD are limited liability companies, registered in the Bulgarian Commercial Register with the Registry Agency, with registered seat and address of management: 38 Oborishte Str, Oborishte Region, 1504 Sofia. BDO AFA OOD and BDO AFA CONSULTANTS OOD are members of BDO International Limited, a UK company limited by guarantee, and form part of the international BDO network of independent member firms.
2. Contact with the Controller
You can contact the Controller directly in one of the following ways:
• In writing at the address specified hereinabove;
• By phone: (+359 2) 943 37 00 or (+359 2) 425 02 00;
• By e-mail address: office@bdoafa.bg;
• By website: www.bdoafa.bg.
3. Personal data subjects
In the course of the performed independent financial audit and the provision of other consulting services under the contracts concluded with its clients, BDO AFA in its capacity as personal data controller shall collect and process the personal data of the following categories of data subjects:
1) Legal representatives and/or proxies of the clients – Assignors under the contracts concluded by the Controller;
2) Stockholders, shareholders and members of the management/ supervisory bodies of the clients or of companies affiliated thereto and persons, related to the ones indicated herein, including beneficial owners pursuant to the Measures Against Money Laundering Act (hereinafter referred to as MAMLA);
3) Contact persons of the clients, other employees of the latter and persons, providing services to the clients under civil contracts;
4) Natural persons – contractors of the clients;
5) Natural persons, legal representatives, proxies, members of the management bodies of legal entities – contractors of the Controller’s clients.
4. Processed personal data
The personal data that the Controller collects and processes may be (without the list being exhaustive):
• Three names;
• PIN/personal number of a foreigner (PNF), date of birth;
• Address, e-mail address, IP address;
• Passport/ ID card data;
• Job position, place of work, telephone number;
• Origin;
• Education;
• Labour activity;
• Kinship;
• Marital status;
• Property/ Financial status;
• Participation in and/or ownership of shares or securities in companies, etc.
5. Legal grounds for the personal data processing by the Controller
The Controller shall process your personal data on the basis of:
1) Art. 6, paragraph 1, letter b) of the General Data Protection Regulation (hereinafter referred to as the GDPR), namely – for the performance of the respective audit and/or consulting engagement, assigned in accordance with the concluded contract;
2) Art. 6, paragraph 1, letter c) of the GDPR, namely – in order to comply with the legal obligations of the Controller under the Independent Financial Audit Act, International Standards on Auditing, the IESBA Code, the MAMLA, the Accountancy Act (hereinafter referred to as AA) and other applicable normative acts;
3) Art. 6, paragraph 1, letter f) of the GDPR, namely – for the protection of the Controller’s legitimate interests in demonstrating the proper performance of the assigned engagements within the established term of limitation, as well as to promote the services, provided by it.
6. Purposes of the personal data processing by the Controller
The specified personal data shall be processed by the Controller for the following purposes:
1) Performance of the concluded contract;
2) Fulfillment of the legal obligations pursuant to the applicable legislation;
3) Administration of the concluded contract and carrying out communications with the Controller’s clients;
4) Protection of the Controller’s legitimate interests in demonstrating the proper performance of the assigned engagements;
5) In view of promotion of the services, provided by the Controller – sending newsletters, informational materials, invitations for participation in trainings and the like.
7. The specified personal data of yours may be provided to the following categories of recipients:
1) Competent state bodies – in fulfillment of the obligations of the Controller in accordance with the Bulgarian legislation;
2) Various service providers of the Controller – legal, tax, IT and other services, including providers from the international BDO network;
3) Companies – members of the international BDO network, for the purposes of observance of the statutory requirements for ensuring independence and lack of conflict of interests upon the performance of the assigned engagements;
4) Subcontractors of the Controller.
8. Terms of storage of the provided personal data
1) With respect to the personal data, included in accounting documents and documents subject to tax control – according to the statutory terms set forth in the AA, the Tax and Social Security Procedural Code and the other relevant normative acts;
2) With respect to the personal data, collected in connection with the Controller’s obligations pursuant to the MAMLA – according to the terms set forth in the MAMLA;
3) With respect to the other personal data, collected in the course of performance of the independent financial audit or the provision of consulting services – for a term of 5 years after the date of the audit report, or within the 5-year limitation period after the termination of the concluded contract;
4) For a longer term, if provided for by another normative act.
9. Provision of Personal Data outside of the EU/EEA
The personal data shall not be transferred to any countries outside of the European Union and/or the European Economic Area, unless their transfer is performed:
1) To any country that is considered as providing an adequate level of protection of personal data, in accordance with a decision by the European Commission; or
2) In accordance with the principle of data transfer after ensuring appropriate safeguards within the meaning of Art. 46 of GDPR; or
3) According to another approved mechanism for the transfer of personal data under the applicable data protection legislation.
10. Rights of the data subjects
The data subjects have the right at any time to request from the Controller:
10.1. Rectification of the personal data in case the personal data processed is inaccurate. The subjects also have the right to have any incomplete personal data completed, including by adding a declaration thereto.
10.2. Erasure of the personal data in case:
• The personal data is no longer necessary for the purposes, for which it has been collected and processed;
• The personal data is being processed unlawfully;
• The personal data must be deleted in order to comply with a legal obligation of the Controller in accordance with the Bulgarian legislation and/or the legislation of the European Union.
10.3. Restriction of the processing of the personal data in case:
• The subject disputes the accuracy of the personal data – for a period that allows the Controller to verify the accuracy of the data;
• The processing of personal data is illegal, yet the data subject does not wish to have them erased, but instead to limit their use;
• The Controller no longer needs the personal data for the specified purposes, but the data subject requests their retention in order to establish, exercise or protect legal claims.
10.4. Objection to the processing of their personal data in case:
• The processing of the personal data is necessary for the legitimate interests of the Controller or a third party;
• The personal data is processed for direct marketing purposes;
• The personal data is being processed for scientific and/or historical research purposes or for statistical purposes.
All rights under this item 10 can be exercised by the data subjects by sending a written request to the Controller’s address or by sending an electronic request to the Controller’s e-mail address, specified hereinabove, in item 2 of the present document.
11. Right of appeal to a supervisory authority
The data subjects have the right to lodge a complaint with the Bulgarian Personal Data Protection Commission (hereinafter referred to as CPDP) if they believe that their personal data is being processed unlawfully or their rights in relation to their personal data are being violated.
Contacts of the CPDP:
2 Prof. Tsvetan Lazarov Blvd., Sofia 1592,
E-mail: kzld@cpdp.bg,
Website: www.cpdp.bg.
12. Source of the personal data
The personal data are provided to the Controller by its clients, for the purposes specified hereinabove.
13. Usage of a system for automated decision-making
The Controller does not use an automated decision-making system that includes profiling upon the processing of the personal data.