Privacy Statement - Clients and Third Parties
Introduction
BDO Portugal respects your privacy and is committed to protecting your personal data. This privacy notice explains, in a clear and transparent manner, how we collect and process personal data in the context of providing services to clients and engaging with suppliers and other third parties.
We encourage you to read this notice carefully to understand the measures we take to ensure compliance with Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR), Law No. 58/2019 of 8 August, and other applicable national and European data protection legislation.
Data Controller
BDO Portugal comprises the entities listed under the Legal Entities section and is a member of BDO International Limited (BDOI), a UK company limited by guarantee, which forms part of the international BDO network. The BDO network consists of independent firms providing professional services under the common brand "BDO".
If you have any questions regarding this privacy notice, you may contact BDO Portugal’s Data Protection Officer (DPO) using the following contact details:
- Email: dpo@bdo.pt
- Address: Avenida da República no. 50, 10th floor, 1069-211 Lisbon, Portugal
What Personal Data Do We Process?
BDO Portugal only collects personal data that is strictly necessary for the purposes identified in this notice, namely: identification data; contact details; professional information; financial data; and other information relevant to the performance of contracted services.
In the context of statutory audit activities carried out by Revisores Oficiais de Contas (Statutory Auditors), we may have access to various categories of personal data held by audited entities, including data relating to clients, service users, employees, contractors, or other third parties.
Purposes of Processing and Legal Bases
BDO Portugal processes personal data for specific purposes, based on the legal grounds established in the GDPR:
Purpose | Legal Basis |
Provision of professional services | Article 6(1)(b) and/or Article 6(1)(e) – Performance of a contract or pre-contractual steps; in the case of services provided by Statutory Auditors, processing is carried out in the public interest (Article 41 of the ROC Statute). |
Business management and development | Article 6(1)(f) – Legitimate interest in managing client relationships, continuously developing services, and maintaining internal systems. |
Client acquisition and institutional communications | Article 6(1)(b)(f) – Pre-contractual steps and/or legitimate interest in evaluating potential clients aligned with the organisation’s needs. |
Information security and risk management | Article 6(1)(f) – Legitimate interest in detecting, preventing, and mitigating risks to information security. |
Compliance with legal obligations | Article 6(1)(c) – Compliance with legal and regulatory obligations, including Law No. 83/2017 (AML/CFT), the ROC Statute, and International Standards on Auditing (ISA). |
Retention of Personal Data
Personal data is retained only for the period strictly necessary to fulfil the purposes for which it was collected or for the duration of the applicable legal retention period, namely:
- Audit documentation: minimum of 5 years (ROC Statute and ISA), which may be extended in the event of ongoing legal, administrative, or supervisory proceedings, or civil liability (up to 20 years);
- Compliance with AML/CFT obligations: minimum of 7 years;
- Other statutory retention periods may apply depending on the nature of the obligation or processing activity.
Security Measures
We implement appropriate technical and organisational measures to safeguard personal data against unauthorised access, unlawful processing, accidental loss, destruction or damage. These measures are adopted with consideration for the nature and context of processing, available technology, implementation costs, and the potential risks to the rights and freedoms of data subjects.
Sharing of Personal Data
As a general rule, BDO Portugal does not share personal data with third parties unless it is necessary for the purposes stated or legally required. Data may be disclosed in the following cases:
- Processors acting on behalf of BDO Portugal, under a written data processing agreement that includes confidentiality and security obligations;
- Entities within the BDO network, solely for the same purposes and under an appropriate legal basis (see BCR section for more information);
- Public authorities, in compliance with legal obligations or pursuant to judicial or administrative orders.
In the context of corporate transactions (such as mergers, acquisitions, restructurings, or asset transfers), personal data may be disclosed as permitted by law, with appropriate safeguards to protect data subjects’ rights.
BDO Portugal does not sell personal data or conduct marketing on behalf of third parties.
International Data Transfers
In some cases, it may be necessary to transfer personal data to countries outside the European Economic Area (EEA). Where such transfers occur, BDO Portugal ensures that they are carried out in accordance with the GDPR, using appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) adopted by the European Commission;
- Binding Corporate Rules (BCRs);
- Other mechanisms recognised under EU data protection law.
Transfers within the BDO network are carried out in accordance with BCRs, depending on the role of each entity as either controller or processor (see BCR section for more details).
What Are Your Rights?
Under the GDPR, you have the following rights as a data subject:
- To access your personal data;
- To request the rectification of inaccurate or incomplete data;
- To request the erasure of your data, where applicable;
- To object to or request the restriction of processing in certain circumstances;
- To request the portability of your data, where applicable.
Where the processing is based on your consent, you have the right to withdraw it at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to such withdrawal.
To exercise your rights, you may contact BDO Portugal’s Data Protection Officer at: dpo@bdo.pt
If you believe your data protection rights are not being respected, you have the right to lodge a complaint with the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados – CNPD) via www.cnpd.pt.
Changes to This Privacy Notice
This privacy notice may be amended whenever necessary, in response to legal developments or changes in how BDO Portugal processes personal data. The most recent version will always be available on this page, with the date of the last update clearly indicated.
Last updated: May 2025