INTRODUCTION
On 27 April 2016, Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter the General Data Protection Regulation, GDPR or Regulation) was approved. It governs the protection of personal data of natural persons as well as the free movement of such data within the European Union. This Regulation, effective from 25 May 2018, repeals the previous Directive 95/46/EC and is directly applicable in all the Member States.
The European legislation attributes to Data Controllers and Data Processors the responsibility to implement the suitable legal, organisational and technological activities, in order to adequately meet the requirements set according to a risk-based approach (so-called accountability principle).
In particular, all processing of personal data by Data Controllers or Data Processors established within the European Union shall comply with the Regulation, regardless of whether the processing itself takes place within the EU. The Regulation also applies to Data Controllers or Data Processors that are not established in the European Union but process the personal data of data subjects who are in the EU.
The right to the protection of personal data, or the right to privacy, is a fundamental right of people, directly connected to the protection of human dignity, as also laid down by the Charter of Fundamental Rights of the European Union.
Though formally aimed at protecting the personal data of natural persons, the GDPR introduces principles and standards of protection that are applicable, as best practices, to all the data processed by a Data Controller, including data relating to legal persons, since the processing of such data may also carry significant compensation and reputational impacts.
This policy defines the reference principles and responsibilities in managing the risk of noncompliance with the protection of personal data for the Company.
1. WHO WE ARE
C-CLERC S.A., société anonyme, registered with the Luxembourg Trade and Companies Register under the number B200724, with its registered office at 1, rue Pletzer, L-8080 Bertrange (“Company”).
As Cabinet de Révision Agréé, we collect, receive, record, store and otherwise process personal data in the course of our business activity in order to perform services requested by our clients and prospective clients (together: “Clients”) and to comply with the legal and regulatory obligations.
The law on the audit profession obliges us to be independent from our clients; therefore, in most cases we act as data controller. We may also be considered a data processor when providing services for which we receive detailed instructions from our client (what, why and how personal data is processed). Before qualifying our position, we perform a case-by-case analysis based on the applicable data protection legislation.
2. GENERAL PRINCIPLES
The Company attributes strategic importance to the protection of the personal data of the natural persons with which it interacts (customers, collaborators, suppliers etc.), in the awareness that this protection is ultimately aimed at protecting people and their fundamental rights of freedom and dignity.
To this purpose, the Company uses a model aiming to ensure that the personal data is:
- processed lawfully, fairly and in a transparent manner in relation to the data subject;
- collected for specified, explicit and lawful purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation);
- accurate and, where necessary, kept up to date by taking every reasonable step to delete or promptly rectify personal data that is inaccurate, having regard to the purposes for which they are processed;
- kept in a form which permits identification of data subjects for not longer than is necessary for the purposes for which the personal data are processed (storage limitation);
- processed ensuring appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).
3. WHAT IS PERSONAL DATA
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
4. HOW DO WE OBTAIN AND PROCESS PERSONAL DATA
Most of the data we obtain are provided by our Clients by electronic means or in paper form.
However, we use public and other sources as well, e.g. public trade and companies registers, subscription-based databases, and other internet sources.
We cannot control the information provided by our Clients; it can therefore happen that we receive documents containing personal data that we do not need and/or have not requested. In such cases we store the personal data provided by the Client in accordance with the applicable data protection legislation, assuming that the person who provided the personal data acted in compliance with that legislation.
We process personal data according to the applicable data protection legislation respecting the main principles such as:
- lawfulness, fairness and transparency,
- purpose limitation,
- data minimization,
- accuracy,
- storage limitation,
- integrity and confidentiality.
In the spirit of these principles, we ask our Clients to provide us documents containing personal data which is adequate, relevant and limited to what is necessary in relation to the purpose for which they are provided.
5. WHAT IS THE LAWFUL BASIS FOR PROCESSING PERSONAL DATA
- To comply with legal obligations to which our Company is subject:
  - international standards on auditing as adopted for Luxembourg by the Commission de Surveillance du Secteur Financier;
  - the law concerning the audit profession;
  - the law on the fight against money laundering and terrorist financing;
  - the law on commercial companies;
  - the general tax law;
  - the law on value added tax;
  - the commercial code;
  - the labour code;
  - other applicable legislation.
- To meet contractual obligations: performance of a contract to which you and our Company are the parties or in order to take steps at your request prior to entering into contract.
We have a contract with you to provide certain professional services (e.g. agreed-upon procedures, filing of documents with authorities (e.g. RCSL)), and we need to process your personal data to comply with our obligations under that contract.
Alternatively, you have asked for a quote, and we therefore need to process your personal data.
- You have given consent to the processing of your personal data for one or more specific purposes (e.g. recruitment). You have the right to withdraw your consent at any time.
- For the purposes of the legitimate interests pursued by our Company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (e.g. internal audit procedures; maintenance and improvement of our IT system; fraud prevention).
- Processing is necessary in order to protect the vital interest of the data subject or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
6. DATA TRANSFER
C-CLERC S.A. is the representative firm of the Crowe Global network in Luxembourg. In some cases, we may be required to transfer personal data within our network as part of our quality control, independence monitoring and risk management procedures, to the extent that such transmission is adequate, relevant and limited to what is necessary for the purpose for which the data are provided (see paragraph 5.), including outside the European Union.
In cases where we need to travel in order to perform the services agreed in the engagement letter, we may transfer personal data, to the extent that such transmission is adequate, relevant and limited to what is necessary for the purpose for which the data are provided (see paragraph 4.), including outside the European Union, depending on the nature and scope of our mandate.
7. HOW LONG DO WE STORE PERSONAL DATA
As a principle, we retain data no longer than is necessary for the achievement of the purposes for which they were collected and processed. At the end of the retention period, the personal data are deleted. The storage period is subject to the provisions of the relevant legislation, if there is any.
Inter alia:
- accounting and finance documents for a period of ten years from the closure of the relevant accounting period;
- commercial agreements and related documents with suppliers for a period of ten years from the end of the contract / performance;
- for the purposes of the prevention of money laundering and terrorist financing, for a period of five years from the closure of the business relationship with the Client or after the date of an occasional transaction;
- recruitment data not resulting in the candidate’s hiring for the duration of the recruitment phase.
8. WHAT ARE YOUR DATA PROTECTION RIGHTS AS DATA SUBJECT
- The right of access
You have the right to obtain confirmation from us as to whether or not your personal data are being processed and, where that is the case, to access the personal data and the information defined by the GDPR.
- The right to rectification
You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you and to have incomplete personal data completed.
- The right to erasure, the right to be forgotten
You have the right to obtain from us the erasure of personal data concerning you without undue delay, under the conditions defined by the GDPR.
- The right to restrict processing
You have the right to obtain from us the restriction of processing, under the conditions defined by the GDPR.
- The right to data portability
You have the right to receive the personal data concerning you, which you provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller, where the processing is based on your consent or on a contractual relationship and where the processing is carried out by automated means.
- The right to object
You have the right to object to the processing of personal data concerning you where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in our Company, or for the purposes of the legitimate interests pursued by our Company or by a third party. We shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
9. HOW TO CONTACT US
If you need more information about how we process personal data or you would like to exercise your rights detailed above, you may contact us by using the following e-mail address: data.protection@clerc.lu
10. HOW TO CONTACT THE COMPETENT AUTHORITY
As data subject, you also have the right to contact the National Commission for Data Protection and submit a complaint by sending it to the following address:
Commission nationale pour la protection des données
Service des plaintes
1, avenue du Rock'n'Roll
L-4361 Esch-sur-Alzette
or by using the online form that you can find on their webpage:
www.cnpd.lu
11. CHANGES TO OUR PRIVACY POLICY
Our Company keeps its privacy policy under regular review and makes the updated version available on its website.