Privacy statement

This privacy statement applies to all Belgian member firms of Grant Thornton International Ltd.

Grant Thornton wishes to handle the privacy and personal data of its clients, potential clients, suppliers, the latter's employees, its own employees, job applicants and visitors to its website in a responsible manner.

This privacy statement describes how we collect, process, store and protect personal data.

1. Which personal data do we collect?

The personal data we collect may include:

  • Name and surname
  • Username
  • Address
  • Telephone and/or mobile phone number
  • Email address
  • Date of birth
  • Gender
  • IP address
  • Browser type
  • Language preference
  • Posts on social media applications we utilise (Facebook, Instagram, blogs, forums, etc.)
  • Job title and employer
  • Marital status and family composition
  • Career and education
  • Wages
  • Financial and fiscal data
  • Hobbies
  • The products and/or services that we deliver to the data subject
  • Complaint details and requests specifically expressed by the data subject
  • Contractual agreements with other parties

It is also possible that we collect personal data of a so-called "sensitive" nature (special data categories), like:

  • health (e.g. a disablement or other specific medical condition that we should take into account (allergy, etc.) when the data subject enters our business premises or when we organise a business lunch)
  • political and philosophical beliefs (e.g. within the scope of social elections, trade union representatives, due diligence assignments, social law advice, etc.)

Our products, services and website are not designed or intended for children. We therefore do not actively nor intentionally collect and store, except possibly that of our employees, the personal data of children.

The personal data that we process always depends on specific circumstances, for example, the nature of the service or the product that we are to provide, the legal obligations to which we are subject, our related legitimate interests or the specific consent that you grant us to that end.

2. Who do we collect personal data from?

We collect personal data from:

  • our clients, suppliers, business contacts and potential clients (or from our contactpersons at the latter);
  • our client's employees, customers and suppliers;
  • our clients' and employees' family members;
  • government agency contact persons;
  • other advisors to the data subject;
  • our employees and job applicants and
  • the visitors to our website and social media.

3. How do we collect personal data?

We collect personal data in various ways, particularly personal data that we receive:

  • from the data subject him-/herself;
  • from the data subject's employer (e.g. when our client or supplier is a company and the data subject is appointed by this company as the contact person, when we exercise due diligence, or when we have to process the personal data within the context of our service to the data subject's employer;
  • from our clients, about their customers, suppliers and other data subjects whose personal data they collect;
  • from other parties (e.g. government agencies or the advisers or other consultants to the data subject, or when our client provides information on his/her family members, for example within the context of our fiscal or legal service);
  • via the use of our website, social media and other tools;
  • publicly available information.

4. Why do we process personal data?

Except in situations where we process personal data based on consent, we may process personal data for the following purposes and based on the following legal grounds (this is not exhaustive):

4.1. Delivery of products or services to our (potential) clients

We process personal data within the context of delivering our products and/or services to our (potential) clients (contract/pre-contractual phase/legitimate interests). The personal data are processed within the context of delivering products or services to the data subject him/herself, to the data subject's employer (e.g. provision of advice in the context of social law or due diligence processes) or to the data subject's contracting party (our client's customers and suppliers).

4.2. Fulfilling our legal obligations

In some cases, we are legally obliged to process certain personal data, such as:

  • As an employer we are, among other things, obliged to collect certain data (such as our employees' national register number, marital status and family situation) and, should the need arise, disclose data to the competent government agencies.
  • Within the scope of our professional activities we are obliged to collect certain information on our clients, their management and stakeholders, and, should the need arise, disclose data to the competent government agencies (duty to provide proof of identity within the context of the anti-money laundering legislation and terrorism and fraud prevention).

4.3. Administrative and financial processing

We process personal data within the scope of our own administrative, accounting and corporate obligations based on our legitimate interests and legal obligations.

4.4. Personnel administration and employee recruitment

We have to process our employees' and ex-employees' data within the scope of our personnel administration (contract/legal obligation).
We collect job applicants' personal data (contract and where applicable consent for data that the job applicant provides us with voluntarily, but without it being necessary and unsolicited) with a view to recruiting new employees.

4.5. Direct marketing

We have a legitimate interest for processing our client's (or contact persons' at our clients) personal data for electronically transmitting advertising messages, newsletters, invitations to commercial events and such like, provided these pertain to similar products and services as delivered to them before.
We always ask the data subject's consent for all other marketing campaigns transmitted by electronic means.
Finally, we have a legitimate interest for undertaking marketing campaigns by non-electronic means.

4.6. Collection of personal data via our website

We have a legitimate interest for processing the personal data of data subjects:

  • who leave behind their data on our website and this with a view to fulfilling their specific request;
  • that visit our website and this within the context of managing and improving our website. In this respect, we refer to our cookies policy

4.7. Internal risk analyses, audits and penetration tests

We have a legitimate interest for processing personal data within the scope of internal risk analysis, audits and penetration tests, which are either conducted on our own initiative or on the initiative of a third party that is authorised to that end (for example, the competent data protection authority), or for contractual purposes (for example, our client for whom we are acting as a processor or controller).

5. Who do we disclose personal data to?

We only disclose personal data to commercial partners with your consent or when this is necessary for delivering our services.

Personal data may be shared with the various companies that are Belgian member firms of Grant Thornton International Ltd. based on our legitimate interests.

Furthermore, we disclose personal data to our own processors (for example, our payroll agency, ICT and social media partners, etc.) subject to a data processing agreement, our other consultants that act as controllers (for example, our attorney-at-law, accountant, etc.), government and judicial authorities and² (professional and government) inspection services.

We do not disclose any data to receivers established in third countries (non EU countries) except with your consent, if this is necessary for the delivery of our services to the data subject or our client (for example, our Global Mobility services) or if we are legally obliged (for example, pursuant to an enforceable judgement or attachment).

If, for any of the abovementioned reasons, we have to disclose personal data to a receiver established in a third country, we shall comply with the legal obligations regarding such transfer.

6. How long do we store personal data?

We store personal data, as the appropriate case may be:

  • for the purpose of our liability period after providing our products/services, plus 2 months;
  • as long as we are legally obliged to store the personal data;
  • in case of a judicial contention, administrative or arbitral proceeding, until a definitive decision is given in the context of this proceeding, unless we are legally required to store the personal data for a longer period;
  • in all other cases for a reasonable and proportionate period.

7. How do we protect your personal data?

We have developed a security policy, which is tested and adjusted at regular intervals, in the context of which technical and organisational measures are taken that are aimed at:

  • raising awareness regarding the treatment of personal data amongst our employees and other persons working for us and, from time to time, implementing adjustments (by way of inspections and periodic training);
  • restricting access to personal data (both at organisational and IT-technical level);
  • protecting personal data (by way of appropriate IT-technical measures taking into account the state of the art and the related costs and risks of processing, such as encryption, anti-virus software, firewalls, transfer via secure connections, etc.);
  • ensuring the correctness of the data;
  • ensuring confidential treatment of the personal data;
  • remedying, preventing and tracing data leaks (being accidental or unlawful destruction, loss, alteration, provision of or access to personal data that has been transferred, stored or otherwise processed), to the extent possible.

8. What are your rights as a data subject?

Your rights as a data subject whose personal data we process are:

  • right to transparency (right to be informed about the processing of your personal data by our offices in a clear and comprehensible language);
  • right to inspect, improve and delete your personal data;
  • right to transferability of your data into a normal machine-readable format (provided that our processing is based on the legal grounds of contract or consent);
  • right to withdraw your previously given consent;
  • right to request the processing to be restricted or to object to the processing;
  • right to file a complaint with the competent data protection authority.

It should be noted that these rights are not always absolute, that under certain circumstances we are entitled or even legally obliged to process your personal data further or that our secrecy obligation prevents us from providing certain information and that we therefore cannot always (fully) honour your request. If such is the case, we will inform you accordingly.

You can exercise these rights free of charge, except in case of misuse, in which case we are entitled to charge administration costs to meet your requests.

If, within our relationship with our client, from whom we received your data as a data subject, we only act as a processor, we shall inform you accordingly and you should address your requests to exercise your rights to our client.

All queries relating to exercising your rights can be addressed to:

9. What is our cookie policy?

9.1 What is a cookie?

A cookie is a small piece of data or message that is sent from an organisation's web server to your web browser and is then stored on your hard drive. Cookies can't read data off your hard drive or cookie files created by other sites, and do not damage your system.

However, you can reset your browser so as to refuse any cookie or to alert you to when a cookie is being sent. Web browsers allow you to control cookies stored on your hard drive through the web browser settings. To find out more about cookies, including what cookies have been set and how to manage and delete them, visit

We only use cookies to monitor the performance of our website and to improve user experience.

If you choose not to accept our cookies, some of the features of our site may not work as well as we intend.

9.2. Cookies used by the GTIL website

Name Expiry date Purpose
ARRAffinity When the browsing session ends It is used for load balancing to make sure the visitor page requests are routed to the same server in any browsing session.
ASP.NET_SessionId When the browsing session ends It is used to maintain an anonymised user session by the server.
JSESSIONID When the browsing session ends It is used to maintain an anonymised user session by the server.
_ga 24 months This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in the site and used to calculate visitor, session and campaign data for the sites analytics reports.
_gat_UA-19853215-2 After 1 minute This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to.
_gid After 1 day This cookie stores and updates a unique value for each page visited.
EPi_NumberOfVisits After 1 day This cookie monitors the number of visits to our website

10. Changes to this privacy statement

We have the right to change this privacy statement at any time in order to bring it into line with the (changes to) the relevant legislation, national and international official positions and judicial decisions.

You can consult the most recent version of this privacy statement at any time on our website.