This privacy statement applies to all Belgian member firms of Grant Thornton International Ltd.
Grant Thornton wishes to handle the privacy and personal data of its clients, potential clients, suppliers, the latter's employees, its own employees, job applicants and visitors to its website in a responsible manner.
This privacy statement describes how we collect, process, store and protect personal data.
1. Which personal data do we collect?
The personal data we collect may include:
- Identification data and contact data: name and surname, username, address, telephone and/or mobile phone number, email address, national registration number, passport number, ID-card number, bis-registration number, company number, license plate, etc.
- Personal specifications and data relating to the family composition: gender, age, date of birth, place of birth, nationality, immigration status, civil status, marriage or other form of cohabitation, names of the spouses and children, number of children, dependents, date of marriage, date of cohabitation contract, date of divorce, etc.
- Financial and fiscal data and data relating to insurances, contracts and property: bank account numbers, financial resources (revenues, professional costs, debts, etc.), mortgages and loans, type of insurances, premiums paid, taxes paid, tax returns, received alimonies and dividends, rights in movable and immovable property, intellectual property rights, shares, contractual terms and conditions, precontractual information, disputes, etc.
- Pictures and audiovisual recordings: pictures, video’s on our website and social media, etc.
- Data relating to the delivery of our products and services and prospecting thereto: offers, invoices, payment details, delivered products and services, contracts, etc.
- Data relating to the function and employment: job title, career, remuneration, benefits, education, diploma’s, certificates and permits, specific professional qualifications, conditions relating to the termination of employment, etc.
- Marketing data and data regarding the use of our website and social media: marketing preferences, opt-in and opt-out requests, participation to Grant Thornton events, posts on social media applications we utilise (Facebook, Instagram, blogs, forums, etc.), browser type, language preference, Ip-adres, etc.
- Data relating to complaints and requests specifically expressed by the data subject and the handling thereof.
It is also possible that we collect personal data of a so-called "sensitive" nature (special data categories), like:
- health (e.g. a disablement or other specific medical condition that we should take into account (allergy, etc.) when the data subject enters our business premises or when we organise a business lunch)
- political and philosophical beliefs (e.g. within the scope of social elections, trade union representatives, due diligence assignments, social law advice, etc.)
- criminal data (e.g. traffic fines of our employees, criminal records (within the framework of (our assistance with regard to) immigration requests, …)
Our products, services and website are not designed or intended for children. We therefore do not actively nor intentionally collect and store, except possibly that of our employees or in the framework of specific services provided to certain clients, the personal data of children.
The personal data that we process always depends on specific circumstances, for example, the nature of the service or the product that we are to provide, the legal obligations to which we are subject, our related legitimate interests or the specific consent that you grant us to that end.
2. Who do we collect personal data from?
We collect personal data from:
- our clients, suppliers, business contacts and potential clients (or from our contact persons at the latter);
- our client's employees, customers and suppliers;
- our clients' and employees' family members;
- government agency contact persons;
- other advisors to the data subject;
- our employees and job applicants and
- the visitors to our website and social media.
3. How do we collect personal data?
We collect personal data in various ways, particularly personal data that we receive:
- from the data subject him-/herself;
- from the data subject's employer (e.g. when our client or supplier is a company and the data subject is appointed by this company as the contact person, when we exercise due diligence, or when we have to process the personal data within the context of our service to the data subject's employer);
- from our clients, about their customers, suppliers and other data subjects whose personal data they collect;
- from other parties (e.g. government agencies or the advisers or other consultants to the data subject, or when our client provides information on his/her family members, for example within the context of our fiscal or legal service);
- via the use of our website, social media and other tools;
- publicly available information.
4. Why do we process personal data?
Except in situations where we process personal data based on consent, we may process personal data for the following purposes and based on the following legal grounds (this is not an exhaustive overview):
4.1. Delivery of products or services to our (potential) clients
We process personal data within the context of delivering our products and/or services to our (potential) clients (contract/pre-contractual phase/legitimate interests). The personal data are processed within the context of delivering products or services to the data subject him/herself, to the data subject's employer (e.g. provision of advice in the context of social law or due diligence processes) or to the data subject's contracting party (our client's customers and suppliers).
4.2. Fulfilling our legal obligations
In some cases, we are legally obliged to process certain personal data, such as:
- As an employer we are, among other things, obliged to collect certain data (such as our employees' national register number, marital status and family situation) and, should the need arise, disclose data to the competent government agencies
- Within the scope of our professional activities we are obliged to collect certain information on our clients, their management and stakeholders, and, should the need arise, disclose data to the competent government agencies (duty to provide proof of identity within the context of the anti-money laundering legislation and terrorism and fraud prevention).
4.3. Administrative and financial processing
We process personal data within the scope of our own administrative, accounting and corporate obligations based on our legitimate interests and legal obligations.
4.4. Personnel administration and employee recruitment
We have to process our employees' and ex-employees' data within the scope of our personnel administration (contract/legal obligation).
We collect job applicants' personal data (contract and where applicable consent for data that the job applicant provides us with voluntarily, but without it being necessary and unsolicited) with a view to recruiting new employees.
4.5. Direct marketing
We have a legitimate interest for processing our client's (or contact persons' at our clients) personal data for electronically transmitting advertising messages, newsletters, invitations to commercial events and such like, provided these pertain to similar products and services as delivered to them before.
We always ask the data subject's consent for all other marketing campaigns transmitted by electronic means.
Finally, we have a legitimate interest for undertaking marketing campaigns by non-electronic means.
4.6. Collection of personal data via our website
We have a legitimate interest for processing the personal data of data subjects:
- who leave behind their data on our website and this with a view to fulfilling their specific request;
- that visit our website and this within the context of managing and improving our website. In this respect, we refer to our cookies policy
4.7. Internal risk analyses, audits and penetration tests
We have a legitimate interest for processing personal data within the scope of internal risk analysis, audits and penetration tests, which are either conducted on our own initiative or on the initiative of a third party that is authorised to that end (for example, the competent data protection authority), or for contractual purposes (for example, our client for whom we are acting as a processor or controller).
5. Who do we disclose personal data to?
We only disclose personal data to commercial partners with your consent or when this is necessary for delivering our services.
Personal data may be shared with the various companies that are Belgian member firms of Grant Thornton International Ltd. based on our legitimate interests.
Furthermore, we disclose personal data to our own processors (for example, our payroll agency, ICT and social media partners, etc.) subject to a data processing agreement, our other consultants that act as controllers (for example, our attorney-at-law, accountant, etc.), government and judicial authorities and² (professional and government) inspection services.
We do not disclose any data to receivers established in third countries (non EU countries) except with your consent, if this is necessary for the delivery of our services to the data subject or our client (for example, our Global Mobility services) or if we are legally obliged (for example, pursuant to an enforceable judgement or attachment).
If, for any of the abovementioned reasons, we have to disclose personal data to a receiver established in a third country, we shall comply with the legal obligations regarding such transfer.
6. How long do we store personal data?
We store personal data, as the appropriate case may be:
- for the purpose of our liability period after providing our products/services, plus 2 months;
- as long as we are legally obliged to store the personal data;
- in case of a judicial contention, administrative or arbitral proceeding, until a definitive decision is given in the context of this proceeding, unless we are legally required to store the personal data for a longer period;
- in all other cases for a reasonable and proportionate period.
7. How do we protect your personal data?
We have developed a security policy, which is tested and adjusted at regular intervals, in the context of which technical and organisational measures are taken that are aimed at:
- raising awareness regarding the treatment of personal data amongst our employees and other persons working for us and, from time to time, implementing adjustments (by way of inspections and periodic training);
- restricting access to personal data (both at organisational and IT-technical level);
- protecting personal data (by way of appropriate IT-technical measures taking into account the state of the art and the related costs and risks of processing, such as encryption, anti-virus software, firewalls, transfer via secure connections, etc.);
- ensuring the correctness of the data;
- ensuring confidential treatment of the personal data;
- remedying, preventing and tracing data leaks (being accidental or unlawful destruction, loss, alteration, provision of or access to personal data that has been transferred, stored or otherwise processed), to the extent possible.
8. What are your rights as a data subject?
Your rights as a data subject whose personal data we process are:
- right to transparency (right to be informed about the processing of your personal data by our offices in a clear and comprehensible language);
- right to inspect, improve and delete your personal data;
- right to transferability of your data into a normal machine-readable format;
- right to withdraw your previously given consent;
- right to request the processing to be restricted or to object to the processing;
- right to file a complaint with the competent data protection authority.
It should be noted that these rights are not always absolute, that under certain circumstances we are entitled or even legally obliged to process your personal data further or that our secrecy obligation prevents us from providing certain information and that we therefore cannot always (fully) honour your request. If such is the case, we will inform you accordingly.
You can exercise these rights free of charge, except in case of misuse, in which case we are entitled to charge administration costs to meet your requests.
If, within our relationship with our client, from whom we received your data as a data subject, we only act as a processor, we shall inform you accordingly and you should address your requests to exercise your rights to our client.
All queries relating to exercising your rights can be addressed to: firstname.lastname@example.org
9. Changes to this privacy statement
We have the right to change this privacy statement at any time in order to bring it into line with the (changes to) the relevant legislation, national and international official positions and judicial decisions.
You can consult the most recent version of this privacy statement at any time on our website.