Processing of personal data - Processor

The processing of personal data carried out by the Chartered Accountant (or the "Firm", "We") is part of the mission that you, the Client (or "You"), have entrusted to it.

As a Client, you authorize us to process on your behalf, as defined by the applicable regulations, the personal data necessary to provide the services covered by the engagement letter.
We undertake to process personal data in accordance with the attached engagement letter(s) and only on your instructions.
Within the scope of the mission, the Client and the Chartered Accountant undertake to comply with the regulations in force applicable to the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the "GDPR").

The Chartered Accountant processes personal data on behalf of the Client and on his instructions. The Chartered Accountant therefore qualifies as a processor (Article 4(8) of the GDPR).
The Client specifies in the engagement letter the purposes and means of the processing and the data to be processed. The Client therefore qualifies as the data controller (Article 4(7) of the GDPR).
The processing of personal data carried out by the Chartered Accountant within the scope of his mission will be carried out in accordance with the engagement letter and the GDPR. In line with Article 28(3) of the GDPR, the engagement letter should set out:
the subject-matter and duration of the processing;
the nature and purpose of the processing;
the type of personal data;
the categories of data subjects;
the obligations and rights of the Chartered Accountant and the Client.

The Chartered Accountant undertakes to comply with all the obligations imposed on processors under the GDPR and, within the scope of the engagement letter, to:
process personal data only for the purpose(s) that are the subject of the mission;
process the data in accordance with the Client's documented instructions set out in the engagement letter;
guarantee the confidentiality of the personal data processed within the scope of the engagement letter;
ensure that the persons authorized to process personal data within the scope of the engagement letter have committed themselves to confidentiality and are subject to an appropriate legal obligation of confidentiality, and that they receive the necessary training in personal data protection;
take into account, with regard to its services, the principles of data protection by design and by default;
not engage another processor (sub-processor) without the prior written authorization, specific or general, of the Client;
assist the Client, as far as possible, in fulfilling his obligation to respond to requests to exercise the rights of data subjects: right of access, rectification, erasure and objection, right to restriction of processing, right to data portability, right not to be subject to automated individual decision-making (including profiling);
notify the Client of any personal data breach as soon as possible after becoming aware of it;
assist the Client in carrying out data protection impact assessments where these prove necessary;
at the Client's choice, delete all personal data or return them to the Client at the end of the provision of services relating to the processing, and destroy existing copies, unless the law or regulations require their retention;
communicate to the Client the name and contact details of his data protection officer, if he has appointed one in accordance with Article 37 of the GDPR. This communication may be made by a reference in the engagement letter to the website of the Chartered Accountant on which the name and contact details of the data protection officer are published;
maintain a written record of all categories of processing activities carried out on behalf of the Client in accordance with Article 30(2) of the GDPR;
make available to the Client all information necessary to demonstrate compliance with its obligations and to allow for and contribute to audits, including inspections, conducted by the Client or by another auditor mandated by the Client.
Conversely, where the Chartered Accountant himself determines the purposes and means of a processing operation, he is considered the data controller for that processing and is required to comply with all the obligations imposed on data controllers under the GDPR.

The Client undertakes to comply with all the obligations imposed on data controllers under the GDPR.
The Client guarantees that the personal data are:
processed lawfully, fairly and in a transparent manner in relation to the data subject;
collected for specified, explicit and legitimate purposes;
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
accurate and, where necessary, kept up to date;
kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which they are processed;
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
The Client guarantees to the Chartered Accountant that he has provided the data subjects with the information required by Articles 13 and 14 of the GDPR on the processing operations, and that he will respond to requests to exercise the rights of data subjects: right of access, rectification, erasure and objection, right to restriction of processing, right to data portability, right not to be subject to automated individual decision-making (including profiling).
Towards the Chartered Accountant, the Client undertakes to:
provide him with accurate, adequate and relevant data, strictly limited to what is necessary to enable the Chartered Accountant to perform the service(s) covered by the engagement letter;
document in writing any instructions concerning the processing to be carried out by the Chartered Accountant;
ensure, before and throughout the duration of the processing carried out by the Chartered Accountant, compliance with the obligations laid down by the GDPR;
supervise the processing, including by carrying out the necessary audits and inspections of the Chartered Accountant.

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the Chartered Accountant and the Client implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate:
the pseudonymization and encryption of personal data;
the means to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services (such as physical access control to premises, storage media control, storage control, user access control, transmission control, input control and transport control);
the means to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident (such as availability control);
a procedure for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing.

In assessing the appropriate level of security, account is taken of the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The Client and the Chartered Accountant take steps to ensure that any natural person acting under the authority of the Client or of the Chartered Accountant who has access to personal data does not process them except on instructions from the Client, unless required to do so by Union or Luxembourg law. The responsibilities of each Party for the security measures to be implemented are precisely defined in the engagement letter.

The confidentiality obligation arising from this article does not prevent the Chartered Accountant from disclosing information where such disclosure is required or permitted under applicable legal or professional rules, in particular in the context of disciplinary, civil, commercial or criminal proceedings, or under the legislation on the fight against money laundering and the financing of terrorism. For such disclosures, the Chartered Accountant is considered a data controller and is required to comply with the obligations imposed on data controllers under the GDPR, within the limits laid down by the laws in force.

Processing of personal data - Data controller

The processing of personal data carried out by the Chartered Accountant (or the "Firm", "We") is part of the mission that you, the Client (or "You"), have entrusted to it.

As part of the execution of the mission You have entrusted to Us, We are authorized to process the personal data necessary to provide the services covered by the engagement letter ("Services").
The Services are defined in the attached engagement letter(s).

By virtue of his professional expertise, the Chartered Accountant determines the purposes and means of the processing of personal data to be implemented to provide the Services.
As such, the Chartered Accountant acts as data controller.
The Chartered Accountant undertakes to comply with the regulations in force applicable to the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the "GDPR").

The Chartered Accountant is required to comply with all the obligations imposed on data controllers under the GDPR.
The Chartered Accountant undertakes to take all necessary precautions to ensure the security of personal data and to protect them against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or unauthorized access.
It is the responsibility of the Chartered Accountant:
to provide the Client and, where applicable, the other data subjects concerned by the processing operations with the information required by Articles 13 and 14 of the GDPR. This information may be provided, in particular, by means of a privacy notice appended to the engagement letter;
to give effect to the rights of the Client and, where applicable, of the other data subjects concerned by the processing operations, as provided for in Chapter III of the GDPR.

The Client undertakes to communicate to the Chartered Accountant the personal data to which he has access that are necessary to provide the Services.
The Client guarantees to the Chartered Accountant that the communication of these data is lawful and does not contravene the regulations in force applicable to the processing of personal data.

Processing of personal data - Joint data controllers

The processing of personal data carried out by the Chartered Accountant (or the "Firm", "We") is part of the mission that you, the Client (or "You"), have entrusted to it.

As part of the execution of the mission You have entrusted to Us, We are authorized to process the personal data necessary to provide the services covered by the engagement letter ("Services").
The Services are defined in the attached engagement letter(s).

The Chartered Accountant and the Client jointly determine the purposes and/or means of the processing of personal data to be implemented to provide the Services.
As such, the Chartered Accountant and the Client qualify as joint controllers (Article 26 of the GDPR).

As joint controllers, the Chartered Accountant and the Client are required to comply with the obligations laid down by the regulations in force applicable to the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the "GDPR").
The Chartered Accountant and the Client are required to determine, in a transparent manner, their respective obligations regarding the protection of personal data in the engagement letter.

Accordingly, the engagement letter will specify in particular:
that the Chartered Accountant is authorized to process the personal data necessary for the performance of the Services;
the nature of the processing to be carried out on the personal data;
the categories of personal data processed;
the categories of data subjects;
the purpose(s) shared, wholly or in part, between the Chartered Accountant and the Client;
whether the Chartered Accountant may subcontract all or part of the Services.

The Chartered Accountant and the Client undertake to take all necessary precautions to ensure the security of personal data and, in particular, to protect them against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or unauthorized access.

You undertake to communicate to Us the personal data to which You have access that are necessary for the performance of the Services.
The Client guarantees to the Chartered Accountant that the communication of these data is lawful and does not contravene the regulations in force applicable to the processing of personal data.
In particular, it is your responsibility:
to inform the data subjects, in accordance with Articles 13 and 14 of the GDPR, that their personal data will be processed as part of the Services that We provide;
to give effect to the rights of the data subjects concerned by the processing operations, as provided for in Chapter III of the GDPR;
to inform the National Commission for Data Protection (CNPD) and, where applicable, the data subject(s) of any incident (loss, unauthorized access or other security breach) that We may report to you.

It is Our responsibility to communicate to You, as soon as possible and at the latest within 72 hours of becoming aware of it, any information relating to:
the exercise of a right by a data subject;
any complaint by a data subject;
any incident (loss, unauthorized access or other security breach) of which We become aware that may have direct or indirect consequences for the processing carried out.

GDPR - FAQ

Our main goal is to give you general information on how FIDUCIAIRE WBM is preparing for the GDPR and to answer the most common questions you may have about the GDPR as our client.
"GDPR" stands for General Data Protection Regulation. The GDPR is the data protection regulation now in force; it replaces the former Directive 95/46/EC and has applied since May 25, 2018. In Luxembourg, the law of August 2, 2002 on the protection of personal data was replaced by the law of August 1, 2018. Although the main principles of the GDPR are the same as those of the previous legislation, it also introduces certain new features (for example, the rights granted to data subjects and the obligations of processors).
We have integrated the following 5 main axes into the company's procedures:
Registers: the review of all data processing (data flows) and the establishment of records of processing for each activity/entity of the FIDUCIAIRE WBM group.
Governance: the review and adaptation of internal policies and procedures and, where appropriate, the establishment of new ones.
Vendors & Partners: the review of the contractual clauses with the suppliers, subcontractors and partners of FIDUCIAIRE WBM.
Clients: the review of all contractual clauses with the Clients of the various entities of the FIDUCIAIRE WBM group, in accordance with the general rules of the OEC (Ordre des Experts-Comptables).
Training & Awareness: training and information for FIDUCIAIRE WBM staff on data protection issues.
Complying with the requirements set by the GDPR on an ongoing basis is a permanent challenge that FIDUCIAIRE WBM takes up daily. Our team constantly integrates GDPR compliance into our day-to-day activities, as well as into the development and implementation of our procedures.
Yes, FIDUCIAIRE WBM has appointed a Data Protection Officer. One of the features of the GDPR is that it requires companies, in certain cases, to appoint a "Data Protection Officer" (DPO): for example, when the core activities of the company consist of processing operations which, by their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale. This is the case for FIDUCIAIRE WBM, which, in its various activities, processes a large amount of personal data of employees, self-employed persons and business managers.
Although the European authorities would eventually like to see GDPR certification schemes developed, these do not yet exist. FIDUCIAIRE WBM will closely monitor the development of future certification schemes and will assess, when the time comes, whether to join one.
The servers of FIDUCIAIRE WBM (on which, for example, the data of your employees are held for the social secretariat services) are located in Luxembourg. For certain specific services, subcontractors may have limited access to certain personal data. In that case, the policy of FIDUCIAIRE WBM is to require that these subcontractors process the data in the European Union or under conditions of adequate protection (for example, by a US company with which the EU Standard Contractual Clauses have been signed, or one certified under the EU-US Data Privacy Framework, the successor to the EU-US Privacy Shield, which the Court of Justice of the EU invalidated in July 2020 and which can no longer be relied on as a transfer basis).
A data breach is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. The following are examples of data breaches within the meaning of the GDPR: an intrusion into a server with consultation of the personal data held on it; the accidental destruction (outside the IT security procedures provided for that purpose) of a hard drive holding personal data; the unauthorized disclosure of personal data on the infrastructure of the FIDUCIAIRE WBM Group.
This question must be answered activity by activity. In several activities, FIDUCIAIRE WBM is a processor (e.g. the payroll administration activity in the various social secretariat entities) because it processes the personal data of employees on the instructions of the employers, who are the data controllers. For other activities, FIDUCIAIRE WBM is the data controller because it itself determines the purposes and means of the processing, or because the law confers that status on it.
In general, for payroll services, the employer is the data controller, since he gives the instructions necessary for drawing up and sending the payslips. The FIDUCIAIRE WBM payroll service is the processor, since it acts on these instructions.
Similarly, if you use an HR consultant from FIDUCIAIRE WBM, you are the data controller for the data processed by this consultant and FIDUCIAIRE WBM is the processor.
FIDUCIAIRE WBM has put in place organizational measures (appointment of a DPO and a CISO, among others) and procedural measures (procedures, policies, security manual) to ensure the IT and physical security of the personal data processed. In addition, some of its activities are subject to certifications.
In cases where FIDUCIAIRE WBM is a processor (for payroll services, for example), it will notify you by means of a specific form as soon as possible. This form will contain all the information you need to fulfil your notification obligations towards the National Commission for Data Protection (CNPD).
The data controller (you for payroll services, FIDUCIAIRE WBM for other missions, see above) must, under certain conditions, notify the CNPD of a personal data breach, where feasible within 72 hours of becoming aware of it (Article 33 of the GDPR).
FIDUCIAIRE WBM has a procedure and appropriate forms to communicate to you, within the required time, the information to be included in the notification that you must submit to the CNPD (or to fulfil its own obligation to notify the CNPD where necessary).
For your obligations as an employer, see the website of the National Commission for Data Protection (CNPD): https://cnpd.public.lu/fr.html. If you are looking for a model privacy policy, contact your Consultant.
FIDUCIAIRE WBM cannot carry out general GDPR consultancy assignments. However, we advise you to use the GDPR compliance tool set up by the National Commission for Data Protection (CNPD) and available online: https://cst.cnpd.lu/portal/.