Last Updated: March 2023
The International Foundation for Ethics and Audit and the standard-setting boards (“SSBs”) it supports (collectively, “we”, “us”, “our”) respect and value the privacy of all parties we interact with, which most often are our volunteers, stakeholders, website users, subscribers, licensees, vendors, and others. We only collect and use personal data in ways that are described here, and in ways that are consistent with our obligations and your rights under the law.
1. Information About Us
The Foundation is registered as a Corporation in Delaware, USA, under the number 7087834.
The main offices of the Foundation are at:
529 Fifth Avenue 6th Floor
New York, NY, 10017
2. What Does This Policy Cover?
3. What is Personal Data?
We apply the definition of ‘personal data’ as any information relating to an identifiable natural person who can be directly or indirectly identified in particular by reference to an identifier.
In simpler terms, personal data is any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details but it also covers less obvious information, such as identification numbers, electronic location data, and other online identifiers. We may collect personal data through www.ethicsandaudit.org, www.iaasb.org, and www.ethicsboard.org (collectively, the “website”), as well as through email; requests for information, proposals, or periodic updates via email; attendance at a webcast, live conference or other Foundation, IAASB, or IESBA-sponsored or hosted event; and/or any other activity through which personal information is provided to us.
The personal data that we may collect and use is set out in Part 5 below.
4. What Are My Rights?
We want to ensure you have control over how your information is used. As a result, you have the right to:
a) Be informed about our collection and use of your personal data.
b) Access the personal data we hold about you (Part 11 will tell you how to do this).
c) Have your personal data rectified if any data held by us is inaccurate or incomplete.
d) Be forgotten—that is, the right to ask us to delete or otherwise dispose of any of your personal data.
e) Restrict (i.e., prevent) the processing of your personal data.
f) Object to us using your personal data for a particular purpose or purposes.
g) Where the processing is based on consent, withdraw your consent at any time. Please note that withdrawal of your consent does not affect the lawfulness of processing of your personal data based on consent before your withdrawal.
Please note that the above rights can be limited—for example, where we need your personal data to comply with the law or assert or defend against legal claims or have other compelling legitimate grounds for the processing that override your interests, rights and freedoms. We may therefore be able to continue processing your personal data even after you have chosen to restrict, object to the processing or withdraw your consent to the extent required or otherwise permitted by law.
For more information about our use of your personal data or exercising your rights as outlined above, please contact us using the details provided in Part 12.
5. What Personal Data Do You Collect?
Information You Provide
Depending upon the nature of your relationship with us, the information we collect can include your name, title, company name, address, phone and/or fax number, job title, email address, nationality, biography, resume/CV, passport information and other personal data provided by any individual who contacts us.
Automatically Collected Information
As explained below, we use anonymized data to understand how visitors to the website use the site.
We, primarily through Google Analytics, use "cookies" (further explanation of cookies below) to collect and temporarily store anonymous traffic data and technical information about your visit for use in website management and for security purposes. The type of information collected through cookies may include:
- The internet domain from which you access the website;
- The IP address (a unique number for each computer connected to the internet) from which you access the website;
- The type of browser (e.g., Firefox, Chrome, Internet Explorer) used to access the website;
- The operating system (Windows, Unix, etc.) used to access the website;
- The date and time you access the website;
- The URLs of the pages you visit;
- Your username, if it was used to log in to the website; and
- If you visited our website from another website, the URL of the forwarding site.
As explained above, the website, like many other commercial websites, may utilize a standard technology called “cookies” to collect information. A cookie is a special packet of data designed to help a website operator determine whether a particular user has visited the website previously and what that user’s preferences are. Your browser’s Help resources tell you more about managing cookies. If you are concerned about cookies, most browsers permit individuals to decline cookies. In most cases, a visitor may refuse a cookie and still fully navigate our website; however, other functionality on the website may be impaired. After termination of the visit to the website, you can always delete the cookie from your system if you wish.
6. How Do You Use My Personal Data?
We may use your personal data to:
- Carry out our obligations arising from any contracts entered into;
- Seek your views or comments on the activities we undertake (e.g., voluntary surveys, issuance of new standards, comments on blogs, articles or public consultations, etc.);
- Send you communications that you requested and that may be of interest to you (these may include our newsletters, eNews, information about our activities, networks, or events, comments on public consultations, etc.);
- Arrange travel (e.g., booking flights and accommodation) and/or reimbursing for travel-related expenses;
- Register individuals for meetings and events;
- Host events;
- Process a grant or job application;
- Provide information regarding key contacts on our website; and
- Publish relevant articles or press releases.
7. What is Your Basis for Processing My Personal Data?
We rely on several lawful bases of processing when we collect and use personal data, including:
- Contract: in order to perform our contractual obligations;
- Legal obligations: in order to comply with our legal obligations (e.g., for compliance and insurance purposes);
- Consent: where an individual has freely given consent at the time their personal data was provided to us;
- Legitimate interests: including our legitimate interest as well as that of our members, volunteers, or other third parties (e.g., to provide services, develop the Foundation, IAASB or IESBA, and keep people informed about relevant products, services, initiatives and events).
8. How Long Will You Keep My Personal Data?
We will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected, keeping in mind the following factors:
- The activity or service for which it is being processed;
- Any legal, regulatory or contractual requirements; and/or
- The time in which any litigation or investigations might arise from providing a service.
The retention periods for personal data are monitored on a regular basis.
9. How and Where Do You Store or Transfer My Personal Data?
We store your personal data in the US.
To prevent unauthorized access, maintain data accuracy, and ensure the correct use of information, we have physical, administrative and technical safeguards to protect your personal data. We have implemented commercially reasonable technology and security policies and procedures to reduce the risk of unintentional destruction or loss of, or the unauthorized disclosure of or access to, such information, appropriate to the nature of the data concerned.
Equally, to the extent your personal data is transferred, such transfers will be effected through use of appropriate safeguards. You may obtain a copy of such appropriate safeguards by contacting us at the contact details below.
Please be aware, however, that the nature of online security risks is constantly evolving and the complete security of any personal information we collect, store or use cannot be guaranteed. In the unlikely event an unauthorized third party compromises our security, we are not responsible for any direct or indirect damages related to such unauthorized third party's use or dissemination of your personal information.
10. Do You Share My Personal Data?
We only share personal data with third parties when absolutely necessary for the purposes for which we hold it, and where appropriate contractual and security arrangements are in place.
We may share your personal data with:
- the International Federation of Accountants, which provides services to the Foundation under a service level agreement;
- suppliers that support us and help provide services or products, such as providers of cloud-based software, IT systems, security, archiving, storage, recruitment, marketing and payment services;
- conference and event organizers/vendors (e.g., hotels);
- professional advisors (e.g., our auditors); and
- law enforcement or other government and regulatory agencies or to other third parties, where we are required by law, the courts or any legal or regulatory authority we are subject to. We will only provide personal data in these circumstances where permitted or there is a legal requirement.
We may also share your personal data to:
- protect and defend our rights; and
- protect the interests of our stakeholders or others.
We do not typically collect sensitive personal data (e.g., data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation). In the event we collect such sensitive personal data, it will only be:
- with your explicit consent;
- where it is necessary for carrying out obligations under employment, social security or social protection law;
- where it is in furtherance of our aims as a nonprofit and limited solely to our use (never to be disclosed to a third party without consent); and/or
- for legal reasons.
11. How Can I Access My Personal Data?
There are options to access your personal information.
You may review the personal information you have provided by logging into your account and navigating to My Profile. For updates to your personal data that may not be actionable via the weblink provided, we will correct or remove that data associated with your account at your request (see Part 12 for contact information).
Additionally, you can ask us what personal data we have about you and/or request a copy (when any such personal data is held). This is known as a “subject access request”.
All subject access requests should be made in writing and sent to the email or postal addresses shown in Part 12. To make this as easy as possible for you, a Subject Access Request Form is available for you to use. You do not have to use this form, but it is the easiest way to tell us everything we need to know to respond to your request as quickly as possible.
There is not normally any charge for a subject access request. If your request is “manifestly unfounded or excessive” (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.
We will respond to your subject access request no later than one month after receiving it. We aim to provide a complete response, including a copy of your personal data within that timeframe. In some cases, however, particularly if your request is more complex, more time may be required—up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.
12. How Do I Contact You?
To contact us about anything to do with your personal data and data protection, including to make a subject access request, please use the following details:
To the attention of: Privacy Officer
Email address: firstname.lastname@example.org
Telephone number: +1 212 286 9344
International Foundation for Ethics and Audit
529 Fifth Avenue, 6th Floor
New York, NY, 10017 USA
Please be aware that the website contains links to other sites, and we are not responsible for the privacy practices of such other sites (including, without limitation, those managed by national standard-setting bodies and audit regulators). We encourage you to be aware when you leave our website and to read the privacy statements of each and every website that collects personal data.
14. Children’s Privacy Protection
No website is directed toward children under 13 years of age, and we do not knowingly collect any information from children under 13 years of age through any website. If a child under the age of 13 has provided personal information without such consent, please contact us at the address in Part 12 so that we can delete such information. Youth under the age of 18 are encouraged to use our site only with the involvement of a parent or guardian.
15. Changes to this Privacy Notice
We update and modify this Privacy Statement from time to time. Such updates or modifications are effective upon posting. Please refer back often for the latest information. We will provide reasonable notice to subscribers about significant changes, either via the email address you provided us or by notice on our site.