Privacy Policy
A. Overview
On the 25th of May 2018, the new European data privacy law, known as the General Data Protection Regulation (“GDPR”), came into force. GDPR defines a specific framework and set of rules for the protection of individuals within the European Economic Area (EEA) with regard to the processing of their personal data.
Any physical or legal person, be it an individual, a company or an organization that collects, stores, manipulates or otherwise processes personal data (hereafter collectively referred to as “processing”) is affected, and is required to adopt appropriate technical and organizational measures that make such processing compliant with the provisions of the GDPR. GDPR therefore affects any physical or legal person or body who performs processing, irrespective of whether they are established within or outside the European Union, so long as such physical or legal persons process personal data of individuals who are in the European Union.
This Privacy Policy has been prepared by Baker Tilly South East Europe (hereafter referred to as “Baker Tilly”), with the objective of assisting our customers, employees, vendors, partners and all other interested parties that may be affected to gain an understanding of the measures we have adopted and operate as part of our own GDPR compliance program and practices. When we mention “Baker Tilly”, “we”, “us” or “our” in this Privacy Policy, we are referring to the relevant legal entity in the Baker Tilly South East Europe group responsible for processing your data.
B. Baker Tilly as a Data Controller or Data Processor
In running our business, Baker Tilly is a Data Controller or a Data Processor under the GDPR, with possible access to, and processing of personal data of, our employees and our suppliers as well as our customers’ Ultimate Beneficial Owners (UBOs), directors and officers, employees, clients and / or suppliers. Baker Tilly is committed to performing such processing in transparent and fair ways, based on processes which are private by design and using appropriate technical and organizational measures in support of security and privacy objectives. This commitment is applicable throughout the lifecycle of personal data processing, including during collection, transmission, use and storage (collectively referred to as “processing”).
Baker Tilly also commits to taking all reasonable steps to ensure that personal data processing is based on a valid legal basis. When Baker Tilly is the Data Processor, this commitment typically means that we rely on the Data Controller in each case to establish a valid legal basis for the processing we perform in that capacity. We also depend on the Data Controllers to notify us in a timely manner when any changes to the status of such legal bases occur. In certain other cases, the processing we perform is dictated by legislation or may be based on our legitimate interests, especially those which emanate from our professional obligations and responsibilities and / or other regulatory frameworks subject to which we perform our work.
C. What is the Basis on Which we Justify Processing of Your Personal Data
In accordance with Article 6 of the GDPR, personal data processing is lawful if at least one of the processing bases described below applies:
- the existence of evidenced consent of the data subject (i.e. the physical living person), whose personal data is processed
- processing is necessary in order to enter into a contract to which the data subject is a contractual party or to take action at the request of the data subject before or after a contract is entered into force
- processing is necessary to comply with a statutory obligation of the Data Controller or Data Processor as relevant
- processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or Data Processor as relevant, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular if the data subject is a child
- processing is necessary to safeguard the vital interest of the data subject or other natural person
- processing is necessary for the performance of an obligation performed in the public interest or in the exercise of public authority assigned to the Company.
Based on the above, Baker Tilly seeks to ensure that each type of personal data processing we perform is supported by one or more of the above legal bases. With very few exceptions, the legal bases applicable to our operational routines and the resulting personal data processing we conduct are those described in the first four bullets.
D. How Do we Collect Personal Data
In most cases, we receive personal information about the data subjects from 3rd party sources. Key examples include receiving personal data as follows:
- from our customers (or other colleagues of the respective data subjects) for their shareholders, Directors, Officers, customers, employees, suppliers
- references from previous employers during an employment application process
- lawful 3rd party databases during Know Your Customer (KYC) checks we may perform, and other lawful services of similar nature.
In other cases, we receive the personal data directly from the affected individual (i.e. the “data subject”). Typically, such personal data is requested of the data subject when we initiate our relationship, or in some cases at a later stage, after we commence interacting with each other. There are various means we may accept and use for receiving personal data including paper-based forms, electronic self-service functions (e.g. in a website), or through email communications or physical exchange of contact information (such as a business card).
We may also collect personal data via automated means when data subjects interact with resources we provide (website logs, email submission tools, mobile applications, access control systems, time and attendance applications, CCTV systems, etc.). We may also enhance the personal information we process about data subjects as a result of the interactions and / or transactions between the data subjects and Baker Tilly.
E. Why we Process Personal Data
We describe below the key ways we use personal information, and the legal bases of processing on which we rely for such processing. We have also identified what our legitimate interests are where appropriate.
In general terms, we use the personal information we collect to help Baker Tilly deliver our services as tabulated below:
a. Statutory Audit – To deliver an audit opinion with regards to the truth and fairness of a set of financial statements
Data Subject Categories:
- UBOs
- Directors & Officers
- Employees
- Clients
- Suppliers
b. Internal Audit – To perform work under an Internal Audit outsourcing contract, with the purpose of evaluating internal controls (business and / or technology) as those may be agreed between us and the customer’s Board of Directors and / or management
Data Subject Categories:
- UBOs
- Directors & Officers
- Employees
- Clients
- Suppliers
c. Accounting Services – To perform work under an Accounting Services outsourcing contract, under which we receive from the customer and process accounting-related information which invariably includes personal data
Data Subject Categories:
- UBOs
- Directors & Officers
- Employees
- Clients
- Suppliers
d. Tax Advisory – To evaluate the tax position of one or more individuals and advise on legal methods for optimizing their financial affairs with the purpose of tax minimization in the relevant jurisdictions
Data Subject Categories:
- UBOs
- Directors & Officers
- Employees
e. Payroll Processing – To perform clerical and mathematical calculations for executing a periodic payroll process, within the criteria and requirements stipulated by legislation. Depending on the specific engagement objectives, the related processing may also include bank account information for the purposes of executing the resulting payments
Data Subject Categories:
- UBOs
- Directors & Officers
- Employees
f. Advisory & Consulting – To perform various tasks and procedures in support of financial, operational and other objectives as those are explicitly defined for us, by our customers as part of purpose-specific contracts of engagement
Data Subject Categories:
- UBOs
- Directors & Officers
- Employees
- Clients
- Suppliers
As part of our operational business processes and routines which are not service-related, and depending on the specific relationship and / or commercial or other engagement in place, we may process personal data for one or more data subject categories, as those are tabulated below (not a definitive or exhaustive list).
a. Customers – The information listed below relates to business-to-business relationships between Baker Tilly and its customers, which include, result in or require personal data processing of Directors, Officers, employees, suppliers and other individuals of Baker Tilly’s customers involved in the relationship, as well as other physical persons who have responsibility for managing or executing dealings between the two parties:
- Identity and position / role information
- Location information (physical address and electronic location data)
- Business eMail address and phone numbers
- Mobile phone numbers (corporate or personal)
- Authority to place orders, make financial inquiries, execute financial transactions, etc.
- Vetting data (in specific cases only)
- Salesperson performance targets and actual sales (for specific cases only)
- Financial data including invoices, payments, due dates, etc.
- Payroll and related records
Legal Basis
- Contract
- Legislation
- Legitimate Interest
b. Applicants:
- CV information
- Contact details
- Previous employment records
- Referee
- Clear Police / Criminal Record
- Work permit information
- Skills & Professional and Academic Achievements (e.g. languages, academic degrees)
- Medical information (for specific vacancies / jobs only)
Legal Basis
- Consent
- Legitimate Interest (for application information voluntarily submitted by the applicant to us, unsolicited by Baker Tilly)
c. Employees, Contractors & Workers:
- “Master Data” [full name, ID, Social Security number, address, marital status, children, age, gender, personal emails]
- “Recruitment Data” [academic records, experience, previous employers, references]
- Evaluation & Performance Information [salary, appraisals, promotions, disciplinary data, complaints and resulting investigations, appeals against HR decisions]
- Occupational data [languages, special skills, driver license]
- Operational data [sales, locations of travel, training records, leave of absence, timesheets / arrival and departure times, passports and IDs in support of business travel arrangements]
- Financial data [payroll, payroll-related, life insurance details, family status, bank account details]
Legal Basis
- Contract
d. Former Employees, Contractors and Workers – For former employees, contractors or workers, the personal data types listed in (b) above are processed with the following differences:
- Financial data are kept for a period of 12 years after termination or resignation, for tax and regulatory purposes
- All other data are kept for a period of 3 years after resignation or termination for the purposes of archiving and / or providing references
Legal Basis
- Employment and Social Insurance Legislation
- Employment / Work Contracts
e. Next of Kin and Dependents:
- Full name, mobile phone details, relationship with employee, contractor or worker (next of kin)
- Full name, gender, age and birthdate
Legal Basis
- Employment / Work Contracts
f. Suppliers and subcontractors – The information listed below relates to business-to-business relationships between Baker Tilly and its suppliers, which include, result in or require personal data processing of Directors, Officers and personnel of Baker Tilly’s suppliers involved in the relationship, as well as other physical persons who have responsibility for managing or executing dealings between the two parties:
- Identity and position / role information
- Location information (physical address and electronic location data)
- Business eMail address and phone numbers
- Mobile phone numbers (corporate or personal)
- Authority to place orders, make financial inquiries, execute financial transactions, etc.
- Vetting data (in specific cases only)
- Financial data including invoices, payments, due dates, etc.
Legal Basis
- Contract
- Legitimate Interest
g. Onsite Visitors & Guests:
- Full name
- Employer
- Person(s) to visit
- Entry and exit time
- Pass number used and access logs
- Camera / CCTV recordings
Legal Basis
- Legitimate Interest
h. Event Attendees:
- Full name
- Employer
- Work position and title
- Work / office location
- Work and Mobile Phone numbers
- eMail address (work and / or personal)
- Photos and images
Legal Basis
- Consent
i. General Public:
- Full name, eMail, phone numbers, employer, title (for cases where you initiate an electronic communication and / or correspondence with us)
- Photos and images of you from CCTV cameras we operate at our office locations
Legal Basis
- Legitimate Interest
j. Website Users:
- Full name
- Gender
- eMail address (business or personal)
- Mobile, and work phone numbers
- Location information (physical address and electronic location data)
- Electronic identifiers such as IP addresses, usernames, emojis
Legal Basis
- Consent
- Contract (where this information is collected for the purpose of entering into a contract with you)
Kindly be aware that your personal data may be processed on more than one lawful basis. If you need more information as to the specific legal basis on which we are relying to process your personal data, please send your specific request to dpo@bakertilly.com.cy.
F. How Long we Keep your Personal Data
Personal data may be maintained by us in physical and / or electronic form and be processed in ways designed to respect the principles of purpose limitation; data minimization; data accuracy; integrity and confidentiality; and retention limitation.
Specifically with regards to retention, the technical and organizational measures operated by Baker Tilly are designed to result in personal data being kept only for as long as required to fulfill our statutory, professional and / or regulatory obligations, and – if for longer periods – in accordance with the provisions of the specific legal basis of processing relating to each category of affected persons.
At the end of the retention periods applicable in each case, defined operational processes or routines shall result in personal data being deleted or destroyed in controlled ways, in electronic and physical form, as appropriate. In some circumstances we may anonymise your personal information (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
G. Sharing of Personal Data
Within Baker Tilly, your personal information can be accessed by or may be disclosed internally on a need-to-know basis, based on user access rights management processes.
Your personal information may also be accessible to and / or accessed by third parties, including suppliers and advisers, as those are outlined below. When this happens, we take specific measures and steps to protect such information, as described in more detail in section I, “Sub-Processors to Baker Tilly”, of this Privacy Policy. In summary, such measures and steps include requiring all such 3rd parties to respect the security of your personal information and to treat it in accordance with the law. We do not allow our 3rd party service providers to use your personal information for their own purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions. The types of 3rd parties that may typically be involved in processing of your personal data include:
- Service providers acting as Data Processors based in the EEA who provide IT, system administration services, marketing and payment providers in order to service you, interact with you and communicate with you.
- Professional advisers including lawyers, bankers, auditors and insurers based in the EEA who provide consultancy, banking, legal, insurance and accounting services.
- Tax and Customs authorities, regulators, law enforcement bodies and other authorities acting as processors or joint controllers based in the EEA who have the right to require reporting of processing activities in certain circumstances and otherwise in defense of legal claims.
- Market researchers, fraud prevention agencies and analytics providers.
- Specifically with regards to HR data, these may be shared with Payroll & Provident Fund Providers; Accountants & Auditors; Recruitment Agencies; Call Centre Providers; and HCM Consultants.
In addition, there are circumstances where we may need to disclose your personal information to 3rd parties, to help manage our business and deliver our services. In this context, we may disclose your personal information:
- to 3rd parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If such a change happens to our business, then the new owners may use your personal information in the same way as set out in this Privacy Policy
- to 3rd parties when we are under a duty to disclose or share your personal information in order to comply with any legal or regulatory obligation, or in order to enforce or apply our legal rights, in which case we may share your personal information with our regulators and law enforcement agencies in the EEA, or to our legal advisers and
- when it is necessary in order to protect the rights, property, or safety of Baker Tilly or any member of Baker Tilly group of companies, in which case we may disclose your personal information to our legal advisers and other professional services firms.
We may also disclose your personal data to national authorities and government bodies if legislation allows or compels us to do so.
H. Technical & Organisational Measures Protecting Personal Data
GDPR imposes obligations on Data Controllers and Data Processors which in several cases depend upon consistent implementation of relevant measures and controls across their own operations as well as those of their Data Processors. Our policy is to process personal data with due regard to the security, privacy and protection of the data we receive, store and process. This privacy policy explains the types of technical and organizational measures that we employ so as to enhance the level of protection of the personal data that we process. These measures are also designed to maximise control over privacy in accordance with GDPR and have the objective of providing a level of security that is appropriate to the related risks.
- As part of our overall data protection framework, Baker Tilly has appointed a Data Protection Officer (DPO), in accordance with the requirements of GDPR. Our DPO can be contacted at dpo@bakertilly.com.cy.
- All our personnel, including customer service agents and / or relationship managers and handlers, periodically attend GDPR-specific awareness sessions so as to maintain the currency of their understanding of GDPR and how it may impact our various operations that affect personal data we process.
- We support the implementation of 3rd party entities’ (such as our customers, suppliers) lawfully issued instructions to us, in relation to data subjects for whom such 3rd party entities are Data Controllers, exercising their rights under GDPR, so long as such instructions do not come in conflict with our own legal, professional or regulatory obligations. In such cases, we shall seek to notify the 3rd party entity of the options available to them.
- We seek to ensure that 3rd parties who support Baker Tilly operations or systems or who are otherwise involved in our personal data processing operations (including those of our own customers or other affected persons), have and operate necessary technical and organizational measures for protecting the security and privacy of personal data.
- Our Incident Response Management and breach notification procedures are designed to include escalation of identified incidents to our Data Protection Officer, who is authorized and trained to involve customer handling executives when such incidents involve personal data of one or more of Baker Tilly’s affected entities and / or persons.
- Our processes are designed not to allow cross-border data transfers of personal information to which we have access and / or process during any customer engagement. If such cross-border data transfers are necessary, we shall seek to ensure that a valid lawful basis for such transfers evidently exists, in accordance with GDPR.
- Our recruitment and ongoing personnel training and development, as well as the evaluation and disciplinary processes we operate, are designed to promote and maintain a high standard of professional ethics and competency at all levels of Baker Tilly, which is in line with industry standards and our professional and legal responsibilities.
- In addition, Baker Tilly operates several complementary technical and organisational measures, designed to protect the privacy of personal information that we collect, store and process. Such measures include logical access controls and user rights management with the objective of restricting access to personal (and other Baker Tilly) information and data to authorized Baker Tilly personnel only. We also utilize user access credentials management with enforced frequent changes, password complexity and maximum / minimum lengths, restrictions on reuse of the same passwords, etc., complemented by a structured process for periodic review and confirmation of the continued business need for access to such personal data.
- Furthermore, Baker Tilly uses purpose-specific technologies and tools (such as firewalls, intrusion prevention, mail security gateways, etc.), all designed to monitor and manage the security of its electronic perimeter. Baker Tilly also has in place an active and ongoing patch management program across security, server and endpoint devices for addressing newly released threats, and benefits from the use of endpoint malware protection at laptop, server and desktop level. Finally, we also employ endpoint encryption to protect against privacy risks in cases of hardware theft or loss.
- A significant part of our operations involves 3rd parties (legal or physical persons) who are involved and / or provide support in many aspects including invariably in personal data processing. The related technical and organizational measures which we apply and operate with the objective of enhancing and maintaining privacy are described in the next section.
I. Sub-Processors to Baker Tilly
Like almost all organizations, Baker Tilly utilizes 3rd parties as part of its business operations and routines. Such 3rd parties include legal and / or physical persons who provide services and / or products relating to technology, marketing, facilities management, legal and other areas which may have an impact on personal data processing (including processing as specified in this Privacy Policy).
When necessary in the context of such personal data processing, our selection process and criteria for cooperation with 3rd parties (suppliers, vendors or other advisors), incorporates consideration and evaluation of those 3rd parties’ level of GDPR readiness and compliance. In this respect, we seek to ensure that 3rd parties who support Baker Tilly operations or systems or who are otherwise involved in our personal data processing operations, have and operate necessary technical and organizational measures for protecting the security and privacy of personal data. Whenever relevant therefore, our contracts with 3rd parties include specific provisions designed to
- identify the respective role of the 3rd party as a Data Processor or Sub-processor to Baker Tilly
- define the 3rd party’s GDPR-related obligations towards Baker Tilly, including:
- enforcement of Baker Tilly’s Data Retention Periods (which themselves – when applicable – reflect those of our customers as explained in this Privacy Policy)
- integration of the 3rd party’s Incident Response Management Process into that of Baker Tilly
- stipulating allowable access and connectivity methods for remote support (where relevant and necessary)
- definition of the processes via which Baker Tilly shall issue relevant instructions to the 3rd party in relation to the expected and required processing of personal information (where applicable), under each respective agreement
- stipulation of the technical protection methods and treatment of software system replicas (for example for QA and / or development purposes) by the 3rd party, such as encryption and / or pseudonymisation of personal data
- prohibition on conducting cross-border data transfers by the 3rd party, except with the express, prior written permission of Baker Tilly (which itself is subject to, must be in line with and in compliance with, Baker Tilly’s contractual and other obligations to affected data subjects).
- conferring to Baker Tilly the right to conduct periodic audits (including surprise audits) against the execution of GDPR related processes which the 3rd party supports and / or operates on Baker Tilly’s behalf. In this context, Baker Tilly also seeks to implement review processes with the 3rd party sub-processor so as to jointly monitor on a periodic basis the effectiveness of execution of privacy processes and routines, in order for such processes to become and continue to be “Private by Design”, as relevant.
J. Your Rights
Individuals whose data are processed have defined rights under the GDPR. Specifically, GDPR requires Data Controllers and Data Processors to implement the necessary processes and mechanisms in support of data subjects exercising the following rights, the exact definitions of which have the meanings assigned to them by the GDPR:
- Right to information as to the personal data processing performed and the rationale of such processing
- Right to access the personal data being processed about him / her
- Right to rectification allowing individuals to request the correction or amendment of their data
- Right to object to a specific type of processing, under specific circumstances
- Right to object to automated processing or profiling in cases where automated processing results in decisions that in the opinion of the affected data subject, do not adequately reflect the unique characteristics of the case involved
- Right to withdraw consent allowing a data subject to give notice and withdraw a previously given consent for a specific type of processing
- Right to data portability allowing the transfer of personal data processed by a Data Controller to the data subject or directly to another Data Controller in electronic, machine readable format
- Right of Erasure (“right to be forgotten”) entitling a data subject – under certain circumstances – to request the deletion of their personal data.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights as listed above). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. In extreme cases, we may even refuse to comply with your request in such circumstances.
K. Queries & Complaints
Baker Tilly is committed to acknowledging, considering and responding to all queries and complaints that it receives from any natural person who believes he / she is affected by Baker Tilly’s processing of his / her data. To communicate such queries or complaints please contact us at dpo@bakertilly.com.cy, and we shall seek to respond to the substance of your query as soon as practical, within the 30 day window stipulated by GDPR.
If despite our responses and actions to address your concerns, you are not satisfied, you have the right to address the matter to the Data Protection Commissioner in your jurisdiction, details of which are listed below.
Cyprus
Jason street 1, 2nd Floor, Nicosia 1082
+357 22818456
commissioner@dataprotection.gov.cy
www.dataprotection.gov.cy
Greece
Kifissias 1-3, 115 23 Athens, Greece
+30 210 6475600
contact@dpa.gr
www.dpa.gr
Bulgaria
2 Prof. Tsvetan Lazarov Blvd., Sofia 1592
+359 899 877 156
kzld@cpdp.bg
www.cpdp.bg/en
Romania
28-30 G-ral Gheorghe Magheru Bld. District 1, post code 010336 Bucharest, Romania
+40 318059211
anspdcp@dataprotection.ro
www.dataprotection.ro
Moldavia (not part of the EEA)
Str. Serghei Lazo nr. 48 MD-2004 CHISINAU
+373 22 820 801
centru@datepersonale.md
www.datepersonale.md
L. Other Important Information
This Privacy Policy does not alter in any way other than explicitly defined herein, the obligations and responsibilities of Baker Tilly or its customers, employees, vendors or partners, all of which are governed by the respective contracts (where applicable) and related arrangements between Baker Tilly and each of those customers, employees, vendors or partners.
M. Glossary & Useful Definitions
- Personal Data – Also referred to as “personally identifiable information” (or “PII”), personal data is any information relating to an identified or identifiable living natural person (the “data subject”)
- Legal Basis of Processing – The basis on which the processing of personal data may be based and may be one of the following:
- the consent of the data subject to the processing of his / her personal data
- processing is necessary in order to enter into a contract to which the data subject is a contractual party or to take action at the request of the data subject before or after a contract is entered into force
- processing is necessary to comply with a statutory obligation of the Data Controller or the Data Processor as the case may be
- processing is necessary for the purposes of the legitimate interests pursued by the Data Controller, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular if the data subject is a child
- processing is necessary to safeguard the vital interest of the data subject or other natural person
- processing is necessary for the performance of an obligation performed in the public interest or in the exercise of public authority assigned to the Company.
- Legitimate Interest – Our lawful interests in conducting and managing our business to enable us to give you the best services and / or products and secure and private by design experience. In choosing to perform personal data processing under the legal basis of legitimate interest, we seek to ensure that we consider and balance any potential impact on you (both positive and negative) and your rights before doing so. As a general principle, we do not use your personal information for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
- Data Controller – The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
- Data Processor – A natural or legal person, public authority, agency or any other body which processes personal data on behalf of a Data Controller.
- Data Protection Officer – A Data Protection Officer (or “DPO”) is a security leadership role required by the GDPR. The DPO is responsible for:
a. overseeing data protection strategy and implementation within an organization;
b. ensuring compliance with GDPR requirements;
c. providing advice to the Data Controller or the Data Processor and their staff in relation to personal data processing; and
d. cooperating with Data Protection Authorities and supervisory bodies in all privacy and data protection matters.
- Cross-border Data Transfers – Transfers of personal data outside the European Economic Area in physical and / or electronic form