Grant Thornton (Gibraltar) Limited & Grant Thornton Limited
(the “Companies”, “we”, “Grant Thornton Gibraltar Group”)
What is a privacy notice?
We want to ensure that our clients and business contacts (“you”) understand what information we have about you, how we will use it and for what purpose. We are also required by data protection legislation to explain certain matters to you. This privacy notice intends to set these matters out.
We are a “data controller” and are registered as such with the Gibraltar Regulatory Authority (http://www.gra.gi). This means that we are responsible for deciding how we hold and use certain personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.
It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.
Data Protection Principles
We will ensure that the personal information we hold about you is:
- used lawfully, fairly and in a transparent way.
- collected only for specified and legitimate purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- adequate, relevant and limited to what is necessary in relation to the purposes we have told you about.
- accurate and kept up to date.
- not kept in a form which permits your identification for longer than necessary and kept only as long as necessary for the purposes we have told you about.
- kept securely.
- not transferred to another country without appropriate safeguards being in place.
What information about you will we use?
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
There are also “special categories” of more sensitive personal data which will require a higher level of protection.
The types of personal data that we may collect, store and use about you include:
- name (including, where relevant, maiden name);
- date of birth;
- contact details;
- marital status and dependants;
- emergency contacts, and immigration status;
- passport/ID card;
- tax information;
- bank account details;
- payroll information; and
Special categories of personal data
There are also “special categories” of more sensitive personal data which we may also collect, process and store. These special categories may include:
- your race or ethnicity, religious beliefs, sexual orientation and political opinions;
- any information about your health, including your sickness absence records.
These special categories of personal data require a higher level of protection and we will ensure that this is achieved. Only when required by law and with the individuals’ consent will we collect special categories of personal data.
How is your personal information collected?
We collect personal information about you from contact details received from you, either by means of e-mail, post, our website’s contact form, or personal interaction with you, either in person or over the telephone. We may sometimes receive personal information about you from other Grant Thornton International Limited member firms.
How and why will we use your personal information in the delivery of our services?
We will process information for the purposes of providing you with those services agreed with you (or as the case may be, with the entity with which we are engaged and/or otherwise represent), the efficient administration of our client relationships, prudent record keeping and to ensure that we comply with our legal and regulatory obligations (other than those provided for in the Data Protection Legislation). For a full list of our services, please visit our website at www.grantthornton.gi/services. Our policy is only to collect the personal data necessary for agreed purposes and we request that our clients share personal data only where it is strictly needed for those purposes.
Generally, we collect personal data from our clients or from third parties acting on the instructions of the relevant client. In those situations in which we need to process personal data to provide our services, we ask our clients to provide the necessary information to other data subjects concerned, such as employees and family members regarding its use. In those situations in which we act solely as a Data Processor, we and our employees shall do so pursuant to an agreement containing appropriate Data Processing clauses and, where required, according to your written instruction. If we believe such instruction infringes Data Protection Legislation or other applicable law, we shall immediately inform you.
We collect, process and hold personal data as part of our client engagements and acceptance procedures. As part of our client take-on procedures, we carry out searches using publicly available sources, such as internet searches and sanctions lists, in order to identify politically exposed persons and heightened risk individuals and organisations and check that there are no issues that would prevent us from working with a particular client. Such issues may include independence issues, sanctions and criminal convictions, conduct or other reputational issues, including in respect of company members, directors, secretaries and/or other officers or agents.
In most cases, we will use your personal information in the following situations:
- to provide professional services;
- to administer and manage our business and services;
- for security, quality and risk management related activities;
- to provide our clients with information about us and our services;
- to comply with obligations imposed upon us by law, regulation, or professional bodies of which we are a member.
For how long will your personal information be kept in the delivery of our services?
We will not keep personal data longer than is necessary for the purpose or purposes for which they were collected. We will take all reasonable steps to destroy, or erase from our systems, all data that is no longer required.
Our baseline retention period for records and other documentary evidence created in the provision of services is seven (7) years from the completion of those services.
Who else might your personal information be shared with in the delivery of our services?
We may have to share your data with third parties where we are required by law or professional standard, where it is necessary to administer the working relationship with you or where we have a legitimate interest in doing so.
Such third parties include third-party service providers.
We require third parties to respect the security of your data and to treat it in accordance with the data protection law.
Some of your Information may be shared with member firms of Grant Thornton International Limited when required by legal or professional requirements, and subject to your agreement, with other sub-contractors on a confidential basis subject to the same level of data protection obligations as apply between you and us. Not all of these are located within the European Economic Area (EEA). Therefore, personal information may be transferred outside the EEA. In circumstances where we do need to transfer any personal information outside of the EEA, we will ensure appropriate safeguards, as required by Data Protection Legislation, are in place before any transfer and that the recipient of that data affords your personal data an adequate level of protection.
Other situations in which we collect and process personal data
When applying for a role at Grant Thornton (Gibraltar) Limited or Grant Thornton Limited, applicants will often provide the companies with personal data. This information will be used in selecting candidates for available roles within the companies. Information will be kept only for a period sufficient for the purpose or purposes for which it was collected.
We collect and process personal data about the individuals representing and/or acting for our suppliers, which includes subcontractors and individuals associated with our suppliers and subcontractors, in order to manage the relationship, contract, to receive services from our suppliers and, where relevant, to provide professional services to our clients.
We use personal data to receive supplies, to provide professional services to clients, to administer and manage our business, for security, quality and risk management activities and to comply with obligations imposed upon us by law, regulation, or professional bodies of which we are a member.
How will your personal information be kept safe?
We take the security of your personal information very seriously and we have put in place internal controls and security measures to protect it.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used, altered, disclosed or accessed in an unauthorised way. Personal data will only be transferred to a data processor if the latter agrees to comply with those measures, or puts adequate measures in place.
In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
Even with such measures in place, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data cannot always be prevented. We will inform you of any Personal Data Breach concerning information you have provided to us, without undue delay and in any case within 24 hours of our becoming aware of it, and will assist you with dealing with any Personal Data Breach that is our responsibility.
Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
What are your rights in relation to your personal information?
You have certain rights in relation to your personal data as summarised here:
- Right to be informed – you have the right to be provided with clear, transparent and easily understandable information about how we use your personal data and your rights; this is why we are providing you with the information in this privacy notice;
- Right to withdraw consent – where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time;
- Right of access – you can request access to your personal data. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it;
- Right to be erased – This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request;
- Correcting or erasing your information – where we hold information about you that is inaccurate or incomplete, you have the right to ask us to rectify, complete or delete it;
- Right to restrict processing – in certain circumstances, you have the right to restrict some processing of your personal information, which means that you can ask us to limit what we do with it. For example, you may ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it;
- Right to object to processing – you can object to us processing your personal information in certain circumstances, including where we are using it for the purpose of the Company’s legitimate business interests;
- Right to data portability – you have the right to obtain from us and re-use your personal data for your own purposes. This only applies, however, where the processing is carried out by automated means, to personal data that you have provided to us yourself (not any other information) and where the processing is based on your consent or for the performance of a contract;
- Right to complain – you are able to submit a complaint to the Regulator (see contact details below) about any matter concerning your personal information, using the details below. However, we take our obligations seriously, so if you have any questions or concerns, we would encourage you to raise them with us first, so that we can try to resolve them.
Subject Access Requests
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may refuse to comply with your request in circumstances where your request is clearly unfounded, repetitive or excessive.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests as soon as reasonably practicable and, in any event, within 30 days of receipt of the request.
Our regulator is the Gibraltar Regulatory Authority (the “GRA”). The GRA’s contact details are:
Gibraltar Regulatory Authority
1 Europort Road
Tel: (+350) 20074636
If you have any questions about anything in this privacy notice, please do not hesitate to contact us. Our contact details are:
Grant Thornton (Gibraltar) Limited or Grant Thornton Limited
6A Queensway Rd
Tel: +350 20045502