PKF Attest

Privacy Policy

General Information on Data Protection

This privacy policy aims to provide information in relation to the processing of personal data and to describe the rights of data subjects in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and Organic Law 3/2018 of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDDD).

1. Identity and contact details of the person in charge

The personal data you provide will be processed only by PKF Attest Servicios Profesionales S.L. with NIF B95529343 and address at Alameda Recalde 36, 8ª 48009, Bilbao and its subsidiaries whose information can be found in the latest version of the transparency report published on our website (hereinafter, we will refer to the entities belonging to PKF Attest). To contact them you can use the following channels:

  • By mail addressed to the addresses of each of the entities.
  • Through the e-mail address privacidad@pkf-attest.es where you can contact the Group's Data Protection Officer.

Depending on the relationship established, the entities belonging to PKF Attest may act as Controllers or Processors. When the entities process personal data in the name and on behalf of their clients who determine the purposes and means of the processing, they will act as Data Processors under the terms of article 28 of the RGPD.

2. Processing of personal data

Within the digital platforms, the collection and processing of personal data of users will be carried out according to the context and nature, with the following purposes:

2.1 Personnel selection.

The entities belonging to PKF Attest will process the data relating to the candidates for the purpose of managing the selection processes for job vacancies.

Legal basis: The basis that legitimizes the processing is the consent of the data subject and the implementation of pre-contractual measures in the event that he/she is finally selected.

Retention period: The data provided will be kept only for the time necessary for the management of the selection process unless you previously withdraw your consent. Subsequently, your data will be kept blocked for the time necessary to meet possible legal responsibilities.

Recipients: Your data may be shared with entities belonging to PKF Attest insofar as this is necessary for the management of your application in application of the legitimate interest provided for in CD 48 of the RGPD.  

Rights: You may exercise your data protection rights as indicated in the "Exercise of Rights" section of this Privacy Policy.

2.2 Customer data management

The entities belonging to PKF Attest will process customer data in order to manage the services and projects contracted and to comply with the legal obligations established by the regulations for the prevention of money laundering and terrorist financing, which may include the verification of identity, the retention of information and the reporting of suspicious transactions to the competent authorities.

Legal basis: The basis legitimizing the processing is the fulfillment of contractual obligations, compliance with legal obligations under Law 10/2010 of 28 April on the Prevention of Money Laundering and Terrorist Financing and legitimate interest in terms of contact data in application of the provisions of Article 19 of the LOPDGDD. Recipients: Your data may be shared with the entities belonging to PKF Attest in application of the legitimate interest provided for in CD 48 of the RGPD and to the Executive Service of the Commission for the Prevention of Money Laundering (SEPBLAC), and to the Public Administration with competence in the matter. Outside these cases, your data will not be shared with third parties unless legally required.

Retention period: The data provided will be retained for the duration of the contractual relationship and thereafter for the period of time necessary to meet possible legal liabilities. Rights: You may exercise your rights regarding data protection as indicated in the "Exercise of Rights" section of this Privacy Policy.

2.3 Communication and Marketing

The entities belonging to PKF Attest will process your data in order to send you commercial communications about our events, activities and services that may be of interest to you.

Legal basis: The basis that legitimizes the processing is the consent previously granted or in application of the legitimate interest provided for in Article 21.2 of the LSSI in case you are a customer and the service offered is similar to one previously contracted.

Retention period: Your data will be kept indefinitely until you revoke your consent, object to the processing or request the deletion of your data. In each communication, the user may object to receive this type of information through the specific mechanisms to process the cancellation, as well as request, where appropriate, their right to revoke consent, opposition or deletion.

Recipients: Your data may be shared with other PKF Attest entities if you have consented to receive commercial communications from the Group. Otherwise, your data will not be communicated to third parties unless legally obliged to do so.

International transfers: The entities belonging to PKF Attest inform the user that commercial communications will be sent through the Mailchimp tool, managed by the company The Rocket Science Group LLC whose servers are located in the United States, a country whose legislation does not offer a level of data protection equivalent to that of Europe; however, adequate guarantees of data protection are provided through the signing of the Standard Contractual Clauses approved by Decision 2021/914/EU of the European Commission.

Rights: You may withdraw your consent and exercise your data protection rights as indicated in the "Exercise of Rights" section of this Privacy Policy.

2.4 Management of information requests

The entities belonging to PKF Attest will process your data in order to manage your request for information and respond to the query raised.

Legal basis: The basis that legitimizes the processing is the consent previously granted by ticking the box enabled on the form before sending your request.

Retention period: Your data will be kept only for the time necessary to process your request for information. Subsequently, they will be deleted, unless your query generates a contractual or pre-contractual relationship, in which case, your data will be retained in accordance with the applicable legal deadlines.

Recipients: In some cases, your data may be communicated to other entities of the group when this is necessary to manage your query more efficiently and provide you with an appropriate response. This communication is based on the legitimate interest of the corporate group in the centralized management of queries and services under CD 48 of the RGPD.outside this case your data will not be communicated to third parties unless legally required.

Rights: You may withdraw your consent and exercise your data protection rights as indicated in the "Exercise of Rights" section of this Privacy Policy.

Also, the entities belonging to PKF Attest carries out other types of processing related to the management of human resources, video surveillance that are not detailed in this Privacy Policy.

3.Exercise of rights

We inform you that you may exercise the following rights:

  1. Right of access to your personal data to know which are being processed;
  2. Right to rectify any inaccurate personal data;
  3. Right of deletion of your personal data, when possible;
  4. The right to request the limitation of the processing of your personal data when the accuracy, lawfulness or necessity of the data processing is in doubt, in which case, we may retain the data for the exercise or defense of claims.
  5. Right to object to the processing of your personal data, when the legal basis that enables us to process it is legitimate interest. Entities belonging to PKF Attest will stop processing your data unless they have a compelling legitimate interest or for the formulation, exercise or defense of claims.
  6. Right to the portability of your data, when the legal basis that enables us to process the indicated data is your consent.

These rights may be exercised free of charge by the interested party, and, where appropriate, whoever represents him/her, by written request addressed to privacidad@pkf-attest.es.

In addition to the above rights, the data subject shall have the right to withdraw the consent given at any time without such withdrawal of consent affecting the lawfulness of the processing prior to the withdrawal of consent. Entities belonging to PKF Attest may continue to process the data subject's data to the extent permitted by applicable law.

The entities belonging to PKF Attest remind the data subject that he/she has the right to file a complaint with the Spanish Data Protection Agency if he/she considers that a breach of data protection legislation has been committed with respect to the processing of his/her personal data.

4. What security measures do we have in place?

The entities belonging to PKF Attest undertake to comply with their obligation of secrecy of personal data and their duty to protect them, and will adopt the necessary measures to prevent their alteration, loss, treatment or unauthorized access, in accordance with the provisions of applicable regulations.

To these effects, the entities belonging to PKF Attest, as part of their commitment to the security and confidentiality of the information that they may store or process and that contains personal data of the client (even temporarily), have adopted the necessary measures to avoid the alteration, loss, processing or unauthorized access of such data, thanks to the measures audited periodically to guarantee:

  • Confidentiality: through adequate controls and administration of users with access to the systems. All PKF Attest personnel have signed an annex to their employment and/or commercial contract that includes the confidentiality and duty of secrecy regarding access to information and personal data that they may have in the performance of their work.

In addition, the application of encryption technologies has been implemented, both in information storage and transmission. Use of confidentiality preservation technologies, applying access control or identity management solutions, among others.

  • Integrity: Information systems have security policies and password policies that limit and protect the information available by assigning access profiles both on local servers and in the Microsoft cloud used in the organization.
  • Availability: through resource allocation policies and backup policies covering all systems, including projects and services provided to customers. Systematic data recovery tests are carried out in the event of serious incidents that could limit data availability.
  • Implementation of resilience mechanisms that allow for the monitoring and rapid detection of incidents and guarantee the articulation of the foreseen recovery mechanisms.
  • Implementation of incident response protocols, both physical and logical, to ensure rapid and effective resolution of incidents.
  • Implementation of auditing practices to periodically verify the implementation of the different security measures and their effectiveness.

Likewise, PKF Attest has obtained the status of Microsoft Gold Partner, which necessarily implies passing the audits that Microsoft establishes in relation to software licenses and their use.

PKF Attest has defined the actions to be followed for its suitability as a service provider, which include:

  • Risk analysis.
  • Appropriate organizational measures.
  • Reinforcement of the current incident management process.
  • Periodic internal communications.

5. Links to other websites

This website may include hyperlinks to other sites that are not operated or controlled by entities belonging to PKF Attest. Therefore, the entities belonging to PKF Attest do not guarantee, nor are they responsible for the legality, reliability, usefulness, veracity and timeliness of the contents of such websites or their privacy practices. Please be aware that before providing your personal information to these PKF Attest websites, please be aware that their data protection compliance may differ from ours.

6. Responsibilities

PKF Attest is a member of PKF Global, the network of member firms of PKF International Limited, each of which is a separate and independent legal entity and accepts no responsibility or liability for the actions or inactions of any individual member or correspondent firm(s).

7. Privacy Policy Update

The content of the data protection policy may be subject to modification in order to adapt it to legislative changes that may occur, as well as to criteria and positions issued by the control authorities. In any case, any modification of the Privacy Policy will be duly notified to the Affected Party so that he/she is informed of the changes made in the processing of his/her personal data and, in the event that the applicable regulations so require, the Affected Party may grant his/her consent.