CohnReznick Client Data Privacy Notice
Who is providing this notice and who does it apply to?
This privacy notice (“Notice”) is made on behalf of CohnReznick LLP (“CR”) and CohnReznick (Cayman) Certified Public Accountants (“CR Cayman”). CR and CR Cayman are collectively referred to herein as “CohnReznick”. However, CR and CR Cayman are separate legal entities, and each entity is solely responsible for its own acts and/or omissions.
This Notice applies to the extent CR or CR Cayman, as applicable, processes Personal Data that is subject to the (i) EU General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) or (ii) the Data Protection Law, 2017 of the Cayman Islands (the “DPL”) in furtherance of the performance of services and obligations and exercise of rights under an engagement letter, agreement for services or other contract between CR and/or CR Cayman, as applicable, and Client (the “Contract”). The GDPR and DPL are collectively referred to herein as “Privacy Laws.”
References to “Client” herein refer to the individual(s) or entity(ies) for whom services are performed and the individual(s) or entity(ies) who signed a Contract. The term “Client” includes existing and prospective clients of CohnReznick. Please refer to your Contract to identify the name and contact details of the relevant CohnReznick entity for the purposes of this Notice.
This Notice sets out the basis on which Personal Data will be processed by CohnReznick. All capitalized terms used but not defined herein shall have the meanings set forth for such terms in the applicable Privacy Laws.
Where do we collect Personal Data from?
CohnReznick collects Personal Data by lawful means (for example, when CohnReznick is engaged to perform services or participate in discussions in connection with a potential engagement to perform services). CohnReznick may collect Personal Data from the Client or from third-party sources. These sources include:
- publicly available and accessible directories and sources, including websites;
- governmental agencies and departments and tax and other regulatory authorities;
- bankruptcy registers and credit reference agencies; and
- fraud prevention and detection agencies and organizations, including law enforcement.
CohnReznick may combine Personal Data provided to CohnReznick with Personal Data obtained from third-party sources. This may include Personal Data collected in an online or offline context.
Why and how do we process Personal Data?
CohnReznick may use, disclose, process and/or retain Personal Data of Client, customers and service providers of Client, employees of Client, and third parties whose information is provided by Client or is required to perform a service on Client’s behalf (i) if necessary for the performance of services and other purposes set forth in the Contract, (ii) as required to comply with applicable law, regulations or obligations to the Client, (iii) for CohnReznick’ legitimate business purposes or those of a third party to whom your information is disclosed, and (iv) in accordance with the instructions of Client or as consented by the Data Subject. Such use, disclosure, processing and/or retention shall be performed as follows:
- For execution of the Contract (e.g., performing services, maintaining the client relationship, keeping the client informed, invoicing and bill collection);
- To perform client acceptance procedures, including verifying identities and addresses and performing other due diligence to protect our business interests;
- To comply with legal, tax, accounting, or regulatory obligations to which CohnReznick or a third party is subject, including complying with auditing standards;
- To manage risk and operations, including ensuring internal compliance with our policies and procedures;
- To protect the security and integrity of CohnReznick information technology systems;
- To respond to regulatory and governmental oversight applicable to CohnReznick and other requests from tax and law enforcement authorities;
- To investigate complaints or pursue or defend any claims, proceedings, or disputes (domestic or foreign);
- To enforce the terms and conditions of the Contract and protect the respective rights of CohnReznick and its service providers under the Contract;
- To provide information (including via mail, electronic mail or telephone) about relevant services offered by CohnReznick and relevant developments in the marketplace and industry unless Client notifies CohnReznick at any time that Client does not wish to receive such information;
- To evaluate, develop and improve CohnReznick’s services;
- To evaluate or facilitate the sale or potential sale of all or part of CohnReznick; and
- To seek professional advice, such as from legal advisors;
- To the extent Client or a Data Subject provides other consent to the collection, use, disclosure and storage of Personal Data.
What sort of Personal Data do we collect?
The types of Personal Data CohnReznick collects depends on the nature of the Contract and services to be performed by CohnReznick.
Such Personal Data may include:
- Names, signatures, photographs, copies of identification, and contact information, such as home or business addresses, email addresses and telephone numbers;
- Biographical information, which may include date of birth, places of birth, country of domicile and/or your nationality, tax identification number, tax status, passport number or national identity card details, and employment history;
- Financial Information relating to income, expenditure, assets and liabilities, ownership interest in an entity, source of funds and wealth, as well as bank account details; and
- Background Information for client acceptance procedures, such as to assess whether an individual is or may represent a politically exposed person or money laundering risk.
Do you have to provide us with this Personal Data?
CohnReznick will request and collect Personal Data for the purposes set forth in this Notice and the relevant Contract. Some of the Personal Data CohnReznick requests must be provided in order for CohnReznick to perform the services and/or obligations set forth in the relevant Contract. If you do not provide the Personal Data, CohnReznick will not be able to perform such services and/or obligations. In other instances, Personal Data provided by you is purely voluntary, and there are no implications for you if you do not wish to provide such Personal Data to CohnReznick.
Who do we share Personal Data with?
CohnReznick may disclose Personal Data to its affiliates, contractors, and service providers (collectively, “Service Providers”) provided such disclosures are lawful and made in furtherance of approved purposes. Such disclosures may include transfers of Personal Data to Service Providers located in other countries (including countries located outside of the EEA) where the laws governing the use and disclosure of Personal Data may be different and possibly less stringent. CohnReznick will endeavor to comply with the requirements of the applicable Privacy Laws in the process of performing such transfers. CohnReznick shall remain responsible for the confidentiality and security of Personal Data transferred to or accessed by such Service Providers. To request more information about the Service Providers, please contact us using a method identified in the “Contact Us” section.
Client is responsible for ensuring that, in connection to any third-party Personal Data made available to CohnReznick, it has complied, and will continue to comply, with all applicable laws relating to privacy and data protection and it has, and will continue to have, the right to transfer, or provide access to, such Personal Data to CohnReznick for processing in accordance with the terms of the Contract and this Notice. In relation to any special categories of Personal Data made available to CohnReznick, Client is responsible for obtaining the explicit consent from each data subject(s) for the processing of such Personal Data by CohnReznick in accordance with the terms of the Contract and this Notice.
How do we protect and handle Personal Data?
CohnReznick will use commercially reasonable efforts to keep Personal Data confidential and to not disclose Personal Data to any third party except as permitted by the Contract, this Notice or with Client’s prior written consent, except as stated herein. CohnReznick will implement appropriate technical and organizational security measures designed to protect against the accidental loss, destruction, damage and/or unauthorized use of Personal Data. CohnReznick will also enter into contracts with its Service Providers that require them to use commercially reasonable efforts to keep Personal Data confidential and implement appropriate security measures in connection with any processing of Personal Data performed on CohnReznick’s behalf. CohnReznick will notify Client without undue delay after becoming aware of a breach of Personal Data as required by the applicable law.
Upon reasonable request and to the extent required by the applicable Privacy Laws, CohnReznick will make available to the Client all information necessary to demonstrate compliance with the applicable Privacy Laws governing the Personal Data and contribute to audits and inspections conducted by Client, or its designee, relating to such compliance. All such activities shall be conducted at Client’s cost and expense.
To the extent CohnReznick is a Controller, Data Subjects whose Personal Data we process or retain are entitled to (i) be informed about the purposes for which CohnReznick processes Personal Data; (ii) request a description and a copy of the Personal Data in CohnReznick’s possession, (iii) request that CohnReznick rectify any incomplete or incorrect Personal Data or delete any Personal Data in our possession, (iv) request that CohnReznick stop using Personal Data or limit the processing of such data, (v) object to automated decision making, (vi) request transfer of a copy of Personal Data to another party (if technically feasible and subject to applicable law, regulations and professional standards), (vii) withdraw consent previously provided in relation to Personal Data, and (viii) be informed of a breach of Personal Data (unless the breach is unlikely to be prejudicial to you). CohnReznick will comply with all such requests, to the extent it is a Controller of the Data Subject’s Personal Data, provided we are not required to retain any such Personal Data pursuant to applicable law (e.g., if CohnReznick prepares a Data Subject’s U.S. tax returns, then CohnReznick is required to retain the Data Subject’s Personal Data and all backup information used to prepare the tax return for seven (7) years after the tax return is filed).
To the extent that CohnReznick is a Processor or if CohnReznick is a joint Controller of Personal Data on behalf of the Client, CohnReznick will provide to Client all information received from Data Subjects who have contacted CohnReznick to exercise any rights pursuant to the applicable Privacy Laws (including Articles 13 to 23 of the GDPR) and provide all reasonable assistance to Client in responding to Data Subject requests pursuant to such applicable Privacy Laws. To the extent that CohnReznick is a sole Controller of Personal Data, CohnReznick will respond to Data Subject requests under the applicable Privacy Laws (including Chapter 3 of the GDPR).
Retention of Personal Data
Client information, which may include Personal Data of Client’s customers, employees or other third parties, will be retained by CohnReznick in accordance with applicable law, regulations, professional standards and our internal document retention policies. CohnReznick’s document retention policies generally provide that Client information be retained for a period of seven (7) years from issuance of the work product or completion of the services. Under certain circumstances, this retention period may be extended. Any Personal Data retained by CohnReznick shall remain subject to the protections of the Contract and this Notice.
If any Data Subject whose Personal Data CohnReznick holds has any questions about CohnReznick’s collection, use, disclosure, processing and/or retention of his or her Personal Data under the Contract, the Data Subject may contact CohnReznick using the following methods:
(i) If the relevant Contract is with CR:
a. By written notice to:
Attn: Legal Department
1301 Avenue of the Americas
New York, New York 10019,
b. By email to: Privacy@CohnReznick.com;
(ii) If the relevant Contract is with CR Cayman:
a. By written notice to:
CohnReznick (Cayman) Certified Public Accountants
Attn: Cayman Data Protection Enquiry
P.O. Box 1748 GT
27 Hospital Road
Georgetown, Grand Cayman
The Data Subject also has the right to lodge a complaint with applicable data protection authorities, including the Data Protection Ombudsman under the DPL.
Changes to this Notice
This Notice is subject to regular reviews and updates. This Notice was last updated November 2019.