Last updated: March 2021
At Grant Thornton we are committed to protecting personal data and to fair and transparent processing. Please read our privacy statement: it will help you to understand how we collect and use personal data from individuals, our clients, suppliers or others during the course of our business. We will only use personal data for the purposes described in this privacy statement or as stated at the point of collection.
We regularly review this privacy statement and may make changes at any time without giving notice.
Who we are
Grant Thornton UK LLP is a limited liability partnership registered in England with registration number OC307742. Our registered office is Grant Thornton UK LLP, 30 Finsbury Square, London, EC2A 1AG. We are registered as a data controller with the registration number Z8632993.
This privacy statement only applies to Grant Thornton UK LLP and its wholly owned subsidiaries in the UK. It does not apply to other member firms of Grant Thornton International Limited (GTIL) practising under the Grant Thornton name. We are not responsible for the privacy practices of those member firms or any other organisation our website may link to.
Our lawful basis for processing
We rely on several lawful bases of processing when we collect and use personal data to operate our business and provide products and services to our clients. These include:
- Public interests – where the processing of data is necessary for providing certain services to clients (eg statutory audit) or for certain requirements we are subject to.
- Legal obligations – in order to comply with the legal and regulatory obligations we are subject to as a provider of regulated services and as a commercial business.
- Contract – in order to perform contractual obligations we may have with an individual or to take steps to enter into a contract with an individual.
- Consent – where an individual has freely given consent at the time their personal data was provided to us.
- Legitimate interests – the legitimate interests can be ours, our clients’ or other third parties’ (eg to provide our services, to develop or protect our business, or to keep people informed about relevant products and services) and we always balance the rights of individuals with our and others’ legitimate interests.
To find out more about how and why we may process personal data, please visit the relevant section:
- Client Due Diligence (CDD)
- Client service activity
- Business contacts
- Visitors and others
- Our people, contractors and alumni
How we keep data secure
Security is of the utmost importance to us. Whilst no data transmission over the internet or any other network can be guaranteed as 100% secure, we take all reasonable steps to safeguard the personal data we hold and we have in place appropriate technical and organisational measures. These include detailed policies, procedures and training of our people relating to data protection, confidentiality and information security. These are regularly reviewed to ensure they are effective and fit for purpose.
Who we share data with
We only share personal data with others when absolutely necessary for the purposes for which we hold it and where appropriate contractual arrangements and security mechanisms are in place.
We will pass your personal data to:
- Member firms of GTIL where needed to provide services to our clients and for administrative purposes.
- Suppliers that support us and help provide services to our clients, such as providers of cloud-based software, IT systems, security, archiving storage and destruction, recruitment, due diligence and background checks, marketing and payment services.
- Professional advisors, auditors or insurers, where we are required by law or as reasonably required in the management of our business.
- Law enforcement or other government and regulatory agencies or to other third parties, where we are required by law, the courts or any legal or regulatory authority we are subject to. We will only provide personal data in these circumstances where permitted or there is a legal requirement.
Whilst we store personal data on servers within the UK, in line with the above, we may need to transfer personal data outside the UK. This includes to countries that are not recognised by the Government of the UK as providing an equivalent level of protection for personal data as in the UK (also known as having adequacy).
Where we do so, we ensure that appropriate measures are in place to comply with our obligations under data protection legislation. This can include entering into an agreement governing the transfer containing the ‘standard contractual clauses’ (also known as ‘model clauses’) approved for this purpose by the Government of the UK.
How long do we keep personal data?
We keep personal data only for as long as necessary and this will reflect the requirements of:
- the activity or service for which it is being processed
- any legal, regulatory or contractual requirements
- the time in which any litigation or investigations might arise from providing a service.
Individuals have certain rights over their personal data that we process as data controllers.
If we process your personal data and you exercise any of your rights we will aim to respond promptly and within any required time limit. However, please note that the length of time it will take us to respond will be dependent on the nature and extent of your request.
You have a right to:
- access – you can ask us for a copy of the personal data that we hold on you
- rectification – if you become aware of any errors or inaccuracies concerning your personal data, please let us know either by updating your details on the website or applications you are registered with or contacting us
- withdraw consent – where we process personal data based on consent, you have a right to withdraw consent at any time. To stop receiving direct marketing emails from us, please click on the unsubscribe link in the relevant email or update your preferences. For any other withdrawals of consent please contact us
- erasure/deletion – you can ask us to erase or delete your personal data when we no longer need it for the purposes it was obtained
- data portability – you can ask for your personal data to be sent to you or to another organisation
- automated decision making – if we make automated decisions about you, you can ask for those decisions to be reviewed
- restrict or object to our processing – you can ask to restrict or object to our processing of your personal data (eg removal from a marketing subscription list).
If you wish to exercise any of your rights, please contact us.
Who to contact
If you have any questions about this privacy statement, wish to complain about our use of personal data or exercise one of your rights, please send your correspondence to our Data Protection Officer:
Data Protection Officer
Grant Thornton UK LLP
30 Finsbury Square
You also have the right to report concerns or make complaints to the Information Commissioner's Office (ICO). For more information on your rights and how to contact the ICO, please refer to their website.