Privacy Notices

Personal registers relating to business

BDO Oy collects and processes personal data relating to its business in its various functions and systems as well as in the role of the data controller and the processor of personal data.

Regarding these personal registers where it acts as the data controller, logical personal data registers have been compiled by functions which have been described in the privacy notices under the EU Data Protection Regulation. In each notice, the following information has been provided:

  1. Data controller
  2. Contact person in matters concerning the register
  3. Name of the personal register
  4. Purpose of the personal data processing
  5. Data content of the register
  6. Regular data sources
  7. Regular disclosure of information
  8. Data transfer outside the EU or the EEA
  9. Principles on how the register is protected

Data subjects have the right to inspect the data stored in the personal register and request incorrect information to be rectified. A data subject may also object to the processing of their data and request the restriction and deletion of the processing of their data in full, but these rights are not automatic; instead, they depend on the employer's legal rights and obligations.

Requests concerning a data subject's rights are to be delivered in writing to the contact person mentioned in section 2 of the privacy notice of the register. More information is provided by the data controller, see section 1.

According to the Data Protection Regulation, a data subject has the right to make a complaint about the personal data processing to the Data Protection Ombudsman.

Privacy notices relating to the BDO Oy's business in respect of the registers where it acts as the data controller and where the personal data of its own clients, potential clients, subcontractors and job applicants are processed:


In addition, BDO Oy acts as the personal processor in engagements with the clients of Business Services & Outsourcing and Advisory Services. In these engagements, the client is the data controller.