Privacy policy
Processing of personal data in Baker Tilly Grimsrud & Co.
This privacy policy explains how Baker Tilly Grimsrud & Co. collects and uses personal data. The aim is to provide you with general information about our processing of personal data.
Here you get more information about what personal data we typically collect, what we use the data for and how we process it. You will also receive information about what rights you have if we have personal data about you.
Inquiries about our processing of personal data can be addressed to:
Baker Tilly Grimsrud & Co. Sigurd Syrs gate 4 0273 Oslo, post@bakertilly.no
The inquiry will be followed up by our data protection officer. You can also direct your inquiry to your contact person with us.
The date of the last change in our privacy policy is October 2018.
Overview of the privacy policy
- Legislation and industry standards
- When do we collect personal data?
- Data controller and data processor
- Your rights
- Access
- Deletion and correction
- Complaint
- Personal information that we collect and what we use it for
- Assignments according to the Auditors Act
- Assignments according to the Accountants Act
- Assignments that are not regulated by law
- Duties under the Money Laundering Act
- Customer contact and marketing
- Use of our website www.bakertilly.no
- Employees and job seekers
- Information security, confidentiality and storage
- Transfer of personal data
- Storage in the EEA
- Transfer of personal data as a result of law
- Our use of data processors
Legislation and industry standards
Baker Tilly Grimsrud & Co. has public approval from the Norwegian Financial Supervisory Authority in accordance with the Auditors' Act and the Accountants' Act. The Norwegian Financial Supervisory Authority oversees that we conduct our business in accordance with the legislation to which we are subject. Below you can read more about the requirements the legislation places on our collection, storage and security of information, in addition to the requirements in the privacy regulations.
An industry standard has been drawn up for the processing of personal data in the auditing industry. A code of conduct has also been drawn up for the processing of personal data in the accounting industry. We follow these industry standards in our operations.
When do we collect personal data?
We collect personal data in connection with
- execution of our assignments, including audit services (audit of annual accounts, simplified auditor control of accounts, other attestation assignments/auditor confirmations and agreed control actions), accounting and various advisory assignments
- customer control and reporting of suspicions under the Money Laundering Act
- customer contact and marketing
- use of our website www.bakertilly.no
- employment and employees
Data controller and data processor
We are responsible for processing according to the privacy rules when we process personal data in connection with audit services, preparation of annual accounts and tax returns for our own audit clients and attestation services. We are normally the data controller for due diligence assignments, investigation assignments and internal audit assignments. As the data controller, we are responsible for complying with the requirements of the privacy regulations that apply to our processing of your personal data, including ensuring that your rights are safeguarded.
In some cases, however, we are a data processor for our customer. This means that we process your personal data on behalf of our client (processor). This applies to accountant assignments and advisory assignments, etc. where it is our client (data controller) who decides which information we will process. In these cases, we will enter into a data processor agreement with our client (the data controller). We process your personal data in accordance with the data processor agreement.
Your rights
You can exercise your rights by contacting our data protection officer. Send an e-mail to ad@bakertilly.no. You must receive an answer without undue delay, and within 30 days at the latest. Below we provide information on how we safeguard the rights that are most relevant to our business. Read more about your rights under the privacy rules on the Norwegian Data Protection Authority's website.
Access
Anyone who requests it has the right to know what kind of processing of personal data we carry out, as well as basic information about the processing. Such information is provided in this privacy policy.
If you ask us for access to information that we may have about you, we will make reasonable inquiries to determine whether we have such information. However, we can reject manifestly groundless or excessive requests (Privacy Regulation Article 12.5).
When you request access, we will consider whether we can grant access without being hindered by our statutory duty of confidentiality, and if so inform you about the personal data that has been processed. We are subject to a statutory duty of confidentiality which means that you cannot gain access to information we process about you that also applies to others. This will, for example, be the case for information relating to a conflict between you and your employer. Then you must go directly to the employer and ask to see the information.
It may be necessary to assess people's competence and integrity in order to carry out our assignments. Our duty of confidentiality prevents us from providing insight into such assessments. The auditor's assessment must also be independent of the possibility of access, cf. also the Personal Data Act § 16 first paragraph letter e.
Deletion and correction
You have the right to have information about yourself deleted that is no longer necessary to properly follow up the assignment and that we do not have a statutory obligation to keep. We may also have a legitimate interest in retaining information beyond this if it is necessary to defend ourselves against compensation claims or accusations (personal protection regulation article 6.1.f).
If we process personal data about you that is incorrect or incomplete, you can, within the limitations set out in the privacy rules and other legislation, demand that the personal data be corrected.
Complaint
First contact our data protection officer if you think we are not complying with the data protection regulations.
You can also complain about our processing of personal data to the Norwegian Data Protection Authority.
Personal information that we collect and what we use it for
Assignments according to the Auditors Act
When we carry out audit assignments or confirm information to public authorities, we are required by the Auditors Act and standards for good auditing practice to obtain proper documentation for our conclusions in audit reports and other statements we make (audit certificates). This assignment documentation mainly contains company-related information. However, it will also contain certain personal data, such as:
- name and job title etc. on persons from whom we have obtained information in connection with the assignment
- information about pay and working conditions for employees at the company we are auditing
- assessments of the competence and integrity of persons responsible for the accounts or other matters that we must confirm
It will also be able to include information about individuals' criminal records and offences
Assignments according to the Accountants Act
We also carry out accounting assignments. We are then subject to the Accountants' Act. According to the Accountants Act, we must carry out the assignment in accordance with the laws and regulations that the customer's accounts must fulfill (bookkeeping, accounting and tax legislation, etc.), and follow good accounting practice. The accounting material we process on behalf of our customers includes personal data, such as information about salary and working conditions.
Assignments that are not regulated by law
We also carry out assignments that are not regulated in this way in the Auditors Act or the Accountants Act. It includes confirmations/attestations to other than public authorities, agreed control actions, investigations and various consultancy assignments. To the extent that it is necessary to collect personal data to carry out these assignments, we shall assess whether the customer has a justified need for the auditor's opinion. Otherwise, we will not undertake the assignment. In a similar way as for audit assignments (see above), it will be a question of personal data that appears in documentation that is necessary as a basis for our statements, reports etc.
Duties under the Money Laundering Act
Through the Money Laundering Act, we are required to carry out customer checks on all our customers. In this connection, we must confirm the identity of the person acting on behalf of the customer (on audit assignments it is the general manager) and real rights holders who ultimately control the company/customer. We must register information about these persons, including copies of identification documents used to confirm their identity.
Through the Money Laundering Act, we are also required to report suspicions of money laundering and terrorist financing to Økokrim. Reports to Økokrim about suspicious transactions must include everything we are aware of about the relationship that has given rise to suspicion, including about the persons involved. Such messages are exempt from view for those involved.
Customer contact and marketing
In our contact with existing, former and potential customers, we record contact information about contact persons such as name, e-mail address, telephone number and job title. We have a legitimate interest in maintaining customer contact and marketing our services (personal protection regulation article 6.1.f).
Use of our website www.bakertilly.no
We can use cookies that enable our website to recognize your computer or mobile phone. We can use cookies to e.g. remember your login information and collect visitor statistics on our websites.
Employees and job seekers
Personal information about employees that we process includes personnel, salary information, evaluations, information about relatives and education/position level. The basis is fulfillment of the employment agreement (personal protection regulation article 6.1.b) as well as fulfilling our duty to report information about employees to public authorities such as NAV and the Tax Agency (personal protection regulation article 6.1.c, possibly article 9.2.b, cf. personal data act § 6) . Personal data is kept as long as the employee is employed by us, and is deleted one and a half years after the employee has left.
Personal information about employees that is included in accounting material subject to retention is stored in accordance with the requirements of the bookkeeping regulations.
If you apply for a job with us, we need to process information about you to assess your application. The basis is measures at the applicant's request before a possible an employment agreement is entered into (personal protection regulation article 6.1.b). Personal information about applicants who are not employed is kept for up to one year.
Information security, confidentiality and storage
We have routines to ensure the confidentiality and integrity of our customers' data.
The security mechanisms include role and access management and requirements for built-in privacy in our IT systems. When material containing sensitive personal data is transferred electronically to or from us, the data must always be secured against access by means of encryption (this applies to so-called special categories of personal data, social security numbers and personal data on criminal matters and offences).
Extended information on information security is available to our customers on request.
We are subject to a duty of confidentiality under the Auditors' Act about everything we become aware of in our activities, both in connection with statutory assignments and other assignments. Certain exceptions to the duty of confidentiality apply, see below on the transfer of personal data as a result of the law.
According to the Auditors' Act and regulations to the Auditors' Act, we must store our documentation in an orderly and reassuring manner, secured against destruction, loss and alteration, for at least ten years. According to the Money Laundering Act, we must keep information and documents that are used for customer control or investigation of suspicious transactions according to the Money Laundering Act for five years after the customer relationship or transaction has ended. We will delete personal data within one year after the end of the retention period. We may have a legitimate interest in keeping the documentation containing personal data for longer in order to properly follow up the assignment or defend ourselves against compensation claims or accusations (personal protection regulation article 6.1.f).
To the extent that we store personal data on assignments that are not covered by the Auditors Act, we do so because it is necessary to properly follow up on the assignment. The personal information is normally deleted five years after the assignment has ended.
Transfer of personal data
Storage in the EEA
We store our customer data, including all personal information, in Norway or other EEA countries. The same applies to information about employees and job applicants. We only use data processors who store the information in Norway or other EEA countries.
For customers who are part of an international business, it may be necessary to transfer personal data to another country. If the transfer does not take place to an EEA country or a country approved by the European Commission, the transfer takes place based on standard privacy regulations adopted by the European Commission, binding business rules for a group or group of companies or to someone who is bound by the Privacy Shield (U.S. ).
Transfer of personal data as a result of law
- The Norwegian Financial Supervisory Authority has access to our documentation in connection with supervision
- Auditors or accountants who carry out quality control with us have access to our documentation
- Reporting of suspicious transactions to Økokrim, see point 5.4
- The police can in certain cases be given access to our documentation
- If a customer's book audit is carried out, we may be required to transfer information to the tax authorities that may contain personal data
- We may have an obligation to provide information that may contain personal data to the debt board, bankruptcy estate or trustee in connection with debt negotiation or bankruptcy
- If we are summoned as a witness in a court case, we have a general duty to testify
Auditors, accountants and the authorities mentioned here are subject to a statutory duty of confidentiality.
Our use of data processors
We use service providers to operate our information systems and store data for us. It includes the processing of personal data as described in point 5 above. We have data processing agreements with all service providers who process personal data on our behalf.