Data Protection Addendum
1. INTRODUCTION
1.1 BDO Cayman Ltd. operating in the Cayman Islands (“BDO”, “we”, “us”, “our”) agrees that the terms and conditions as set out below shall be added as an addendum (“Addendum”) to the Engagement Letter (the “Agreement”). Capitalised terms not defined in this Addendum bear the meanings prescribed in the Agreement. Except as modified below, the terms of the Agreement remain in full force and effect.
1.2 This Addendum sets forth the privacy and security requirements for Personal Information:
2. PRIVACY AND SECURITY REQUIREMENTS FOR PERSONAL INFORMATION
2.1 “Personal Information” shall mean information related to an identified or identifiable living individual provided by you to BDO in connection with our performance of the Services. Personal Information shall exclude any information that has been anonymized such that the data no longer relates to an identified or identifiable living individual.
2.2 “Process”/“Processed”/“Processing” shall mean any operation or set of operations performed on Personal Information, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, blocking, erasure, or destruction.
2.3 BDO shall Process Personal Information in accordance with data protection laws, rules, and regulations applicable to BDO, including the Cayman Islands Data Protection Act (as revised) (the “DPA” and collectively, the “Data Protection Laws”), and this Addendum and the Agreement. You represent that your disclosure of Personal Information under the Agreement complies with all applicable Data Protection Laws.
2.4 Except as permitted in the Agreement or required by applicable law, BDO will not collect, use, disclose, Process, or retain Personal Information for any purpose other than performance of the Services. For further details regarding collection, use, disclosure, Processing, and retention of your Personal Information, refer to BDO's privacy notice.
2.5 Except as otherwise permitted under the Agreement, BDO shall limit access to Personal Information to only those service providers, sub-processors, subcontractors, or other members of the BDO Group (each, a “Third Party”) who require access to deliver the Services or comply with applicable laws. Without limiting the foregoing, BDO, or applicable Third Parties, may also use, Process or disclose Personal Information for administrative, regulatory compliance and/or back-office support purposes, including the use of cloud-based, hosted technology solutions. Under this Addendum, Personal Information may be Processed, subject to the Data Protection Laws, in various jurisdictions and therefore, may also be subject to the data protection laws of such jurisdictions.
2.6 BDO shall require the Third Parties who are provided access to Personal Information to protect all such Personal Information according to terms substantively similar to the terms of this Addendum and in compliance with all applicable Data Protection Laws. BDO requires that our partners, employees, and relevant Third Parties maintain the confidentiality of Personal Information and receive adequate training and/or instruction on the handling of Personal Information.
2.7 BDO will implement the security controls set forth in the attached Schedule A, which are designed to comply with applicable Data Protection Laws and to protect the security of Personal Information. You acknowledge that we may change the security controls through the adoption of new or enhanced security technologies and authorize us to make such changes without further notice to you, provided that they do not diminish the level of protection of Personal Information in our possession or control and any such changes are in compliance with all applicable Data Protection Laws.
2.8 BDO will notify you, without undue delay, and in any event in compliance with any applicable notification requirements under applicable Data Protection Laws, should there be any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Information in breach of this Addendum (a “Security Incident”). BDO shall take reasonable steps to mitigate the effects and to minimize any damage resulting from such a Security Incident. At your reasonable request, and subject to applicable law and our confidentiality obligations, we agree to meet with you to discuss the procedures that were followed during the investigation of any Security Incident, information regarding the chain of custody (if applicable), the forensic analysis of event logs used to determine the root cause of the Security Incident, and restoration of data that may be required, and the remedial/corrective actions to be taken to prevent the Security Incident from reoccurring.
2.9 Upon your written request, at termination or expiration of the Agreement, BDO shall, where feasible, promptly and securely destroy and confirm such secure destruction of all Personal Information in our possession or control or, if requested by you, return such Personal Information to you. Notwithstanding the foregoing, we shall be permitted to retain copies of Personal Information consistent with our document retention policies or as required by applicable law, regulation, or professional standards. To the extent computer backups are created as part of our standard operating procedures, we will confidentially maintain those backups until such time they are securely destroyed in accordance with the applicable retention or destruction schedule.
3. PROCESSING PERSONAL INFORMATION
3.1 In the event that Personal Information related to individuals in the European Economic Area, the Cayman Islands or Switzerland (“EEA Personal Information”) is transferred from you to us pursuant to the Agreement, we agree to:
(a) provide at least the same level of protection for EEA Personal Information as is required by this Addendum, the Agreement and by the EU General Data Protection Regulation 2016/679 (the “GDPR”) and the DPA;
(b) comply with this Addendum and any relevant portions of the Agreement for as long as we have access to EEA Personal Information; and
(c) where BDO permits a Third Party to access EEA Personal Information, including any other member of the BDO Group, require such Third Party to provide at least the same level of protection as is required by this Addendum, the Agreement and applicable Data Protection Laws.
3.2 To the extent the Services require the Processing of EEA Personal Information and unless otherwise agreed in writing, we will act as a controller[1], and where BDO permits a Third Party to access EEA Personal Information such Third Party will act as a processor[2] (as such terms are defined in applicable Data Protection Laws).
3.3 For the purposes of this Addendum, EEA Personal Information shall be Processed for the purpose of delivering the Services and for administrative, regulatory compliance and/or back-office support purposes, along with any other purposes identified in the Agreement. BDO shall Process the EEA Personal Information for the duration of the Agreement (or longer to the extent permitted or required by applicable law). To the extent that we are required by law to Process the EEA Personal Information outside of the documented instructions given by you, we shall inform you of that legal requirement before Processing unless we are prohibited by law from making such disclosure.
3.4 At your request and cost, we shall, taking into account the nature of the Processing and the information available, assist you:
(a) by implementing appropriate technical and organizational measures, insofar as this is possible, to assist with your obligation to respond to requests from data subjects of EEA Personal Information seeking to exercise their rights under applicable Data Protection Laws (to the extent that the EEA Personal Information is not accessible to you as the result of the Services); and
(b) with your obligations under Articles 32-36 of the GDPR and any relevant provisions of the DPA.
3.5 You consent to us engaging Third Parties to perform commissioned Processing, provided that any such Third Parties are bound by commitments no less protective of the transferred Personal Information than those stipulated in the Agreement, this Addendum and any applicable Data Protection Laws. You acknowledge that our contracts with Third Parties are confidential and may not be disclosed except to the extent required by applicable law.
4. INTERNATIONAL TRANSFERS
4.1 Personal Data may be held in and freely transferred between countries that are located within the EEA and third countries which have adequate protection for the rights and freedoms in relation to the Processing of Personal Information, and otherwise where the transfer is:
(a) made with the consent of the individuals to whom the Personal Information relates;
(b) necessary for the performance of a contract between the individuals to whom the Personal Information relates and BDO, or for pre-contractual steps taken at such individuals’ request;
(c) necessary for the performance of a contract made in the interests of the individuals to whom the Personal Information relates between BDO and a Third Party;
(d) necessary for the establishment, exercise, or defence of legal claims or rights;
(e) made in regard to public data on a public register, and subject to any open inspection conditions with which the register must comply;
(f) made on terms of a kind approved by the Ombudsman as ensuring adequate safeguards for Personal Information;
(g) authorized by the Ombudsman as ensuring adequate safeguards for Personal Information; or
(h) required under international cooperation arrangements between intelligence agencies or regulatory agencies, if permitted, or required under an enactment or an order issued by the Grand Court of the Cayman Islands.
4.2 Where a Personal Information transfer is made to a jurisdiction which provides a level of data protection lower than that prescribed by applicable Data Protection Laws, BDO will take steps to ensure the security and confidentiality of your Personal Information in accordance with applicable Data Protection Laws. Such steps may include establishing contractual undertakings with Third Parties who process Personal Information on BDO’s behalf.
Schedule A
Information Security Controls
1. INTERNAL ORGANISATION
1.1 BDO maintains a dedicated Data Protection Team (“DPT”), led by its Data Protection Champion. The DPT includes specialists in data privacy and protection. Threat and vulnerability management, incident response, application security, and IT risk management are outsourced to a third party specialist firm.
2. HUMAN RESOURCES SECURITY
2.1 BDO personnel receiving access to client information undergo pre-employment background checks.
2.2 BDO partners, employees, and staff are required to agree to maintain the confidentiality of client information and to complete information security and privacy awareness training.
3. ACCESS CONTROL
3.1 A formal process is in place to grant or revoke access to BDO resources. System access is based on the concepts of least-privilege (providers are only permitted a level of access to systems consistent with the business need for access) and need-to-know access so that authorized access is commensurate with defined responsibilities.
3.2 System management procedures are documented, which govern the secure creation and deletion of user accounts, including processes to disable and/or delete accounts for terminated personnel.
3.3 BDO’s security policy establishes password requirements that include password change, reuse, complexity, and two-factor authentication.
4. ENVIRONMENTAL SECURITY
4.1 Security systems and supporting controls are implemented at BDO to provide access control management.
5. OPERATIONS MANAGEMENT
5.1 Standard operating procedures, governance process (including a repository of procedures), formal review and approval processes, and revision management, as well as a change control process which includes risk assessment, test and backout procedures, communication planning, management review, and approval components are maintained and reviewed on an annual basis.
5.2 Appropriate security solutions to provide a secure computing environment are in place, managed, and configured to retrieve updates automatically. BDO laptops run a security suite which includes virus protection, anti-spyware, firewalls, host intrusion detection, application whitelisting, endpoint rights management, privileged user management, whole disk encryption and device access control that prevents writing to any device other than BDO encrypted devices.
5.3 Laptops use software that provides automated, mandatory encrypted backup. BDO server systems are hosted at third party premises (including data securely replicated to a recovery facility).
5.4 Audit logs are utilised to record the occurrence of system faults and security events, and help to facilitate examination of abnormal activities.
5.5 Processes and procedures are in place for performing periodic vulnerability scans of BDO systems and specify the use of vulnerability scanning software, the creation of vulnerability assessment reports, and the presentation of vulnerability scanning results to the DPT. Vulnerability scanning of networked devices is performed on a monthly basis.
5.6 Patch management processes and tools automatically assess and deploy requisite operating system and application-specific patches and updates to the BDO environment.
6. COMMUNICATIONS SECURITY
6.1 No third-party wireless networks are permitted on the BDO network, and technologies are in place to identify and disable ports with rogue wireless networks attached.
6.2 All Internet ingress points feature firewall segregation. Intrusion detection system appliances are located at strategic points in the network. Firewall logging is enabled to track communications (failed and successful access attempts) between the Internet and the internal BDO network. Console access to the firewalls is limited to administrative personnel using the Secure Shell protocol.
6.3 Encryption-in-transit is in place for Personal Information transmitted over public or wireless networks through use of a virtual private network (VPN).
7. SUPPLIER RELATIONSHIPS
7.1 Security controls are implemented to ensure that external parties who provide IT and other back-office services to BDO do so in a manner consistent with BDO’s standards for the security of information systems.
7.2 Access to BDO systems is controlled using the least-privilege principle (providers are only permitted a level of access to systems consistent with the business need for access). Access is controlled at the physical, network, platform, and application levels.
8. BUSINESS CONTINUITY
8.1 A Business Continuity Program (BCP) is maintained that evaluates and manages potential threats and responds to actual events to minimize disruption to BDO’s services and operations, and is designed so that, should a disaster occur, BDO can continue to deliver on client obligations.
9. ASSESSMENT
9.1 During the term of the Agreement, you may request to assess BDO’s compliance with the terms of this Addendum and such an assessment shall be limited to: (i) BDO’s completion of a client-provided written security self-assessment questionnaire related to the Services performed by BDO under the Agreement, provided that completing such questionnaire does not violate applicable law or BDO’s confidentiality obligations; (ii) the parties meeting to discuss the results of the assessment and BDO’s information security program; and (iii) BDO’s reasonable treatment of any noted deficiencies based upon risk severity.
[1] data controller for the purposes of the DPA
[2] data processor for the purposes of the DPA