Privacy statement

(update 20/04/2026)

European Privacy Addendum for Belgium

This European Privacy Addendum for Belgium (“Addendum”) supplements the Grant Thornton Privacy Statement (“Privacy Statement”) and is intended to inform individuals about how their information, including Personal Data (as defined below), will be processed by Grant Thornton and/or on its behalf by its third party service providers, including all Belgian companies that are members of Grant Thornton International Ltd (together, the “Belgian member firms”) , where applicable, and/or on their behalf by their third party service providers.

References to “Grant Thornton”, "the firm" or “we” are to Grant Thornton International Ltd., Grant Thornton LLP and Grant Thornton Advisors LLC (and their respective subsidiary entities, including all Belgian member companies). Grant Thornton LLP and Grant Thornton Advisors LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Grant Thornton LLP is a licensed independent CPA firm that provides attest services to its clients, and Grant Thornton Advisors LLC and its subsidiary entities provide tax and business consulting services to their clients. Grant Thornton Advisors LLC and its subsidiary entities are not licensed CPA firms.

We will process your Personal Data when you access or use our Sites; when you, or the organisation with which you are connected, are a current or potential client, supplier or other business contact in relation to our products or Services; when you engage with, or subscribe to our newsletters, or other marketing communications or initiatives; and in connection with employment-related matters, due diligence, legal, tax, accounting, advisory and other professional activities carried out in Belgium .

We are required to give you the information in this Addendum, including to inform you about your data protection rights, under the General Data Protection Regulation (EU) 2016/679 (“EU GDPR”) and the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of Personal Data (the “Belgian Data Protection Act”) (together, "Applicable Data Protection Laws"). We are committed to protecting your privacy. You should read this Addendum fully to understand the basis upon which we process your Personal Data, how we use it and to whom it will be disclosed.

All capitalised terms have the same meaning given to them in the Privacy Statement or this Addendum. In the event of a conflict between this Addendum and the Privacy Statement, this Addendum will prevail to the extent that you are considered a data subject under the EU GDPR.  

Who is Responsible for Your Personal Data? 

Each of the Grant Thornton group entities are joint controllers where they jointly determine the purposes and means of processing and have an arrangement in place to ensure that your data protection rights are protected. For more details about these entities see 'Who we are: joint controllers'.

In some instances, these entities may be independent controllers of your Personal Data under Applicable Data Protection Laws. In other instances, a relevant entity may process Personal Data as processor on behalf of a client or another controller.

If you have any questions about how we use your Personal Data or to exercise your data protection rights (as set out in this Addendum), please contact us at Grant Thornton Belgium BV, Grant Thornton Accountancy, Tax & Legal BV, Grant Thornton Bedrijfsrevisoren BV or Grant Thornton Efficiëntia BV, Privacy Office - Risk, Regulatory & Legal Affairs, Uitbreidingstraat 72 box 7, 2600 Antwerp, Belgium or privacyrights@be.gt.com.

What is Personal Data?

For European data subjects, the term “Personal Data” means any information relating to an identified or identifiable natural person. It can include information about you that can identify you, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors. Depending on the context, this may include identification and contact data, personal and family details, financial, tax, insurance, contract and property data, images and audio-visual recordings, data related to the provision and prospection of products and services, employment-related data, marketing data, website and social media use data, and data relating to complaints, requests and their handling.

In some circumstances, we may also process special categories of Personal Data, including health data where relevant for access to premises or events, political or philosophical convictions where relevant in social elections, trade union matters, due diligence or social law advice, and criminal data such as traffic fines of employees or extracts from criminal records where relevant to immigration assistance or similar services, where permitted or required by applicable law.

How and Why Do We Use Your Personal Data? 

Personal Data processed about you will vary according to our interactions and relationship with you, including products and Services we offer (and the nature of our engagements). The table below explains our processing activities, one or more of which may apply to you, including processing in connection with the supply of products or services to current and potential customers, client and supplier relationships, employment-related matters, due diligence, administrative, accounting and corporate law obligations, internal risk analyses, audits, quality and safety control, the handling of complaints, queries and requests, compliance with employer obligations, and professional legal and regulatory obligations, including collecting and, where required, disclosing customer, management and stakeholder information to competent public authorities, for example in connection with anti-money laundering and anti-fraud laws. Please note that the Personal Data listed is non-exhaustive.

Personal Data may be obtained directly from you; from your employer; from customers about their customers, suppliers and other data subjects; from other parties such as government agencies, advisers, consultants, and family members' information provided in the context of tax or legal services; through use of websites, social media and other tools; and from publicly available information. Where applicable, processing may be based on performance of a contract, our legitimate interests, compliance with legal obligations, or your consent. Direct marketing by email  will be based on our legitimate interest (soft opt-in) or may be based on consent where required. Essential cookies are used for site navigation, and non-essential cookies for marketing and analytics are used on the basis of consent. For more information on the latter, please see our cookie policy, available here: https://www.grantthornton.be/privacy-verklaring/cookie-policy/

Types of Personal Data
Legal basis
Data source
Purpose of processing
Recipients
First and last name, email address, mailing address or phone number, and current employer and role/job title (“Contact Information”).
We process your Personal Data where it is necessary for the purposes of our legitimate interests to engage you as prospective client.
Directly or indirectly from you, prospective clients, or their agents.
To respond and manage any communications you send to us as a prospective client (e.g., when you email us or contact us via the Site). To record your details in our systems (as a prospective client).
Service providers, including marketing services; our affiliates in India and entities in the Grant Thornton Group.
Contact Information
We process your Personal Data where it is necessary for the purposes of our legitimate interests, in providing, maintaining and/or improving our Services
Directly from you. Directly or indirectly from clients or their agents.
To respond to individual or client requests.To provide, improve or maintain our Services.To send administrative information or notices.To communicate in connection with a client or potential client engagement.To keep records associated with our Services (including, associated communications, records, etc.).To prevent, detect and respond to actual or potential fraudulent or other activities.
Service providers, including marketing services; our affiliates in India and other entities of the Grant Thornton Group.
Contact Information and information confirming your identity and status within a company, (e.g., director / beneficial owner), your responsibilities, PPSN, identify verification documents, tax information, and/or other information you provide to us.
We process your Personal Data where it is necessary for the purposes of our legitimate interest to operate our business, for relationship management purposes and to provide Services.
Directly from you. Directly or indirectly from our clients or their agents collected while providing services and in connection with pre- engagement activities.
To initiate, onboard and fulfil a contract for Services.To order to perform Services.To perform pre-engagement activities.
To conduct client due diligence, background checks, KYC checks and background checks (where required by professional standards, law, or regulation).
To comply with our professional standards, legal and regulatory obligations.
To manage and administer our business relationship with you.
To keep records associated with our Services (including, associated communications, records, etc.).
To enforce our rights arising from any contract, including billing and collections. 
Service providers, our affiliates in   India, other entities of the Grant Thornton Group.
Contact Information and details about your contact preferences (e.g., areas of interest) and information relating to your subscription to, receipt of or interest in any of our mailing lists or newsletters, or registration to access any of our restricted content.
We process your Personal Data where it is necessary for the purposes of our legitimate interests (soft opt-in) in relation to events, market updates & insights, and newsletters.
Directly or indirectly from you, including through your engagement with advertisements on platforms such as LinkedIn. Directly or indirectly from our clients or their agents.
To invite you to meetings, events, webinars, conferences, seminars, online surveys, or self-assessment tools.To promote our Services. To develop and maintain our relationship with you and/or your organisation. To engage with you by sending you our newsletters, industry, market updates & insights, when you have engaged with us, or you are a client representative.To assess your participation in, reception of, interest in, or engagement with our marketing activities, materials we send you and our events (e.g., newsletter, surveys, conferences).  
Service providers of marketing, social media, audio/visual or related services.
Automatically collected information from your activity on our Sites such as browser information, IP address, and browser type.
We process your Personal Data where it is necessary for the purposes of our legitimate interests in relation to improve our Sites and personalise your visit to our Sites.
Indirectly from you through our sites, cookies, and other tracking technologies.
To personalize content on our Sites.To track activity on and technical performance of our Sites. To evaluate our marketing efforts; to improve our Sites.

Service providers for providing internet services. Service providers for marketing services (e.g., Site visitor insight solutions).

Contact Information or other Personal Data
We process your Personal Data where it is necessary for the purposes of our legitimate interests in relation any actual or potential litigation, disputes, or complaints.

Directly or indirectly from you.

Directly or indirectly from our clients or their agents.

To establish, defend or exercise our legal rights and any legal proceedings or out-of-court proceedings which may arise.
Service providers; our affiliates in India; other entities of the Grant Thornton Group.
Contact Information or other Personal Data
We process your Personal Data where it is necessary to comply with legal obligations to which we are subject under European laws.
Directly or indirectly from you. Directly or indirectly from our clients or their agents.
To respond and manage any valid legal or data subject rights requests you and any steps relating to same.
Service providers; our affiliates in India; other entities of the Grant Thornton Group.
Contact Information and other Personal Data
We process your Personal Data where it is necessary for the purposes of our legitimate interests in the event Grant Thornton goes through a business transition, such as a merger, or the acquisition or sale of all or a portion of its assets.
Directly or indirectly from you. Directly or indirectly from our clients or their agents.
To manage a relevant business transition, acquisition or sale of all or a portion of our assets.
Service providers; our affiliates in Bengaluru, India; other entities of the Grant Thornton Group, interested parties in transaction

 

Note: When we process your Personal Data based on our legitimate interests, we make sure to consider and balance any potential impact on you and your data protection rights. We will not use your Personal Data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted by law). You have certain rights when we process your Personal Data on this basis. For more information on exercising your data protection rights please see ‘Your Data Protection Rights’.

Data Retention 

We will retain your Personal Data for as long as is needed or as permitted based on the purpose(s) for which it was obtained and in accordance with applicable law. The criteria used to determine our retention periods include: maintaining related transaction and business records, monitoring and improving the performance and quality of our products and Services, ensuring the security of our systems, products and Services, handling possible customer or stakeholder queries or complaints, requirements of laws, contracts and other retention guidelines, applicable industry standards, and the following:

  • the nature and length of our ongoing relationship with you and provide you/your organisation Services;  
  • whether there is a legal obligation under applicable laws or a requirement under professional standards to which we are subject; and
  • whether retention is advisable considering our legal position (such as with respect to statutes of limitations, litigation, or regulatory investigations). 

In all cases, personal data may be retained for a longer period if there is a legal or regulatory reason to do so, or for a shorter period if you object to the processing of your personal data and there is no longer a legitimate reason to retain it. Your personal data will be deleted or anonymised once the retention period has expired.
If you would like to find out more about our retention of your Personal Data, please contact us by e-mailing privacyrights@be.gt.com.

Security

We maintain a framework of policies, procedures and trainings designed to ensure professional confidentiality, data protection, confidentiality and security, together with various security technologies and measures that are regularly reviewed and evaluated.

Unsubscribe and Opt-out 

If you wish to opt out of receiving marketing emails, newsletters or other such communications, you may do so at any time by clicking on the unsubscribe link provided in our communications or e-mailing us at privacyrights@be.gt.com

Automated Decision-making

We do not use profiling or make any decisions based solely on the automated processing of your Personal Information.

Children

Our products, Services and Sites are not targeted or tailored to children and, except possibly in relation to employees or specific services to certain customers, children's Personal Data is not intentionally collected and stored.

International Data Transfers & Who do we share your Personal Data with?

To facilitate our global operations, certain of our Services and Sites are provided from the United States and other locations. We may share, transfer or store Personal Data outside your country of residence (i.e., outside Europe) to certain recipients (such as our affiliates and external service providers, who may be located in the United States, India, and other countries which we deem appropriate from time to time. Where required, we will endeavour to conclude the necessary processing agreements with these third parties, whereby they are obliged to process the Personal Data only in accordance with the instructions given and to have and maintain appropriate organisational and technical security measures for the protection of the Personal Data.

The recipients include:

  • our service providers, including, but not limited to, IT providers and social services providers, insurers, brokers, banks, accountants, consultants, advisors, and other business partners;
  • individuals or companies to whom we are required to provide a reference or other information at your request;
  • other parties involved in legal proceedings or inspections.

In addition, Personal Data may be disclosed or transferred to a prospective acquirer or  investor, or their advisors, in the event of a change in ownership of, or the granting of a security interest in, all or part of Grant Thornton’s business, through, for example, a sale of the business or shares, or any other form of business transfer, merger, demerger, or joint venture, to the extent that such disclosure or transfer of Personal Data is necessary to complete the transaction and permitted by applicable data protection laws or regulations. The disclosure or transfer of Personal Data will only take place on the condition that the prospective acquirer or investor or its advisors is bound by appropriate agreements or its own obligations regarding the protection of your Personal Data.

If, and to the extent that we transfer Personal Data outside of the EEA, including to a jurisdiction that is not recognised by the European Commission as providing for an equivalent level of protection for Personal Data as is provided for in the EEA, we will ensure that appropriate measures are in place to comply with our obligations under applicable law governing such transfers, which may include entering into a contract governing the transfer which contains the standard contractual clauses' approved for this purpose by the European Commission. Where these transfers of Personal Data occur, we ensure that a transfer mechanism and appropriate safeguards are in place to protect your Personal Data: 

  • For transfers (including, onward transfers) of Personal Data within the Grant Thornton Group to affiliates in the United States, we rely on the EU-US Data Privacy Framework and the UK-US Data Privacy Framework (UK and Gibraltar), as operated by the U.S. Department of Commerce. To learn more about the Data Privacy Framework (“DPF”), and to view our certification, please visit https://www.dataprivacyframework.gov/. Please also visit our dedicated webpage for more information about our participation in the DPF: https://www.grantthornton.com/privacy-policy/data-privacy-framework. In addition, the Grant Thornton group has executed EU SCCs so that transfers may still apply in the event that the DPF is invalidated.

  • For transfers (including, onward transfers) of your Personal Data within the Grant Thornton Group to affiliates based in other, non-European countries, we rely on the EU Standard Contractual Clauses ("SCCs"), the UK Addendum to the EU SCCs (e.g., India and Bermuda) or adequacy decisions (e.g., the Isle of Man). 

  • For transfers (including, onward transfers) of Personal Data to external providers, we rely on the DPF, the EU SCCs, UK Addendum, or adequacy decisions of the European Commission.

  • We may transfer your Personal Data between the EEA and other related entities in countries which have Adequacy decisions in place between the European Commission and specific jurisdictions including our offices in the United Kingdom, Northern Ireland (UK), Isle of Man, and Gibraltar. Where an Adequacy decision is in place any data transfers will be conducted to the same standards as required under GDPR without additional transfer mechanisms being required. The Firm will also always process contingent worker data in compliance with the relevant Data Protection Laws governing this jurisdiction (UK Data Protection Act 2018, IOM Data Protection Act 2018 and Gibraltar Data Protection Act 2004 (as amended in 2021) and other Data Protection Laws as applicable.
        
  • We may transfer your Personal Data between the Firm and other related entities  based in Bermuda. Where data is transferred outside of the Firm, appropriate measures are in place to comply with our obligations under applicable law governing such transfers, which may include entering into a contract governing the transfer which contains the 'standard contractual clauses' approved for this purpose. The Firm will also always process contingent worker data in compliance with the relevant Data Protection Laws governing this jurisdiction (the Personal Information Protection Act ("PIPA")). 

here there is no adequacy decision for the destination country, we use appropriate safeguards under Article 46 GDPR, including standard contractual clauses, to help ensure an essentially equivalent level of protection.
If you would like to find out more about any transfers relating to your Personal Data, please contact us by e-mailing privacyrights@be.gt.com.

Your Data Protection Rights

As a data subject under the EU GDPR , you have a number of data protection rights under Applicable Data Protection Laws, which are explained in the table below. 

Data Protection Right
Further Information
Right of Access
You have the right to request a copy of the Personal Data held by us about you and to access the Personal Data which we hold about you. 
Right to withdraw consent
You have the right to withdraw your consent at any time for processing of Personal Data which was based on your consent.
Right to Object
You have a right to object at any time to the processing of your Personal Data where we process your Personal Data on the legal basis of pursuing our legitimate interests.
Right to Rectification
You have the right to have any inaccurate Personal Data which we hold about you updated or corrected.
Right to Erasure
In certain circumstances, you may also have your Personal Data deleted. For example, if you exercise your right to object and we do not have an overriding legitimate interest to continue processing your Personal Data or if we no longer require your Personal Data for the purposes as set out in this Addendum.
Right to Restriction of Processing
You have the right to ask us to restrict processing your Personal Data in certain circumstances, including if you believe that the Personal Data that we hold about you is inaccurate or if our use of your Personal Data is unlawful. However, please note that in certain cases, the processing of personal data is necessary to comply with legal obligations or for the fulfilment of contractual obligations.
Right to Data Portability
You may request us to provide you with your Personal Data which you have given Grant Thornton in a structured, commonly used, and machine-readable format where our processing is based on performance of a contract or consent.
Right to Object to Automated Decision-Making, including Profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning Data Subjects or similarly significantly affects them. Please note that we do not use profiling or make any decisions based solely on the automated processing of your Personal Data.
Right to lodge a complaint

If at any time you believe that Grant Thornton Belgium is infringing your privacy, you always have the right to lodge a complaint with the Belgian supervisory authority:

Autorité de protection de données / Gegevensbeschermingsautoriteit

Rue de la Presse 35, 1000 Brussels

Phone: +32 (0)2 274 48 00

E-mail: contact@apd-gba.be. 

 

Please bear in mind that your rights in relation to your Personal Data are not absolute and may be restricted in compliance with the EU GDPR and/or other applicable data privacy legislations. 

Your request will be processed free of charge, except when we consider the request to be manifestly unfounded or excessive (as is the case with a repeated request, among other things).

Your request will be processed within one month. This period can be extended by two months, taking into account, among other things, the complexity and the number of applications. In the event of an extension of the period, you will be informed of this, including the reasons for the extension. 

Grant Thornton shall notify the third parties to whom the data has been communicated of any rectification, deletion or restriction carried out, unless this is impossible or requires a disproportionate effort.

How to Submit a Rights Request, Complaint or Question

To submit a rights request, complaint or question or to have an authorised agent submit a rights request, complaint, or question on your behalf where permitted by applicable law, please contact us at privacyrights@be.gt.com.

We may request that you provide proof of your identity for security reasons and to prevent the unauthorised disclosure or misuse of Personal Data. We handle requests free of charge except in cases of abuse or where permitted by law, including where requests are manifestly unfounded or excessive. If, after contacting us, you are still not satisfied with our response, you have the right to lodge a complaint with the competent data protection authority.

Addendum Changes

We reserve the right to amend or modify this Addendum from time to time. We will post any revised Addendum on this Site, or a similar website that replaces this Site, and the most recent version will be available on the website. By continuing to use any of our Sites, you acknowledge the terms of this Addendum and the Privacy Statement as of the effective date will apply to information, including Personal Data, previously collected, or collected in the future as permitted by applicable law.

Who we are: Joint Controllers

References to "Grant Thornton" in this Addendum refer to the brand name under which the Grant Thornton member firms operate the business, provide services to (prospective) clients and/or refers to one or more member firms, as the context requires. The below joint controllers practice as an alternative practice structure: 

Grant Thornton LLP is a licensed independent CPA firm that provides attest services to clients.

Address: 171 N. Clark Street, Suite 200, Chicago, IL, 60601, United States.

Grant Thornton Advisors LLC provides tax and business consulting services to clients. Its address is 171 N. Clark Street, Suite 200, Chicago, IL, 60601, United States.

Grant Thornton Bedrijfsrevisoren BV/SRL, Having its address at Uitbreidingstraat 72, box 7, 2600 Antwerp, Belgium

  • Grant Thornton Belgium BV/SRL
  • Grant Thornton Accountancy, Tax & Legal BV/SRL
  • Grant Thornton Efficiëntia BV/SRL
  • Grant Thornton F.I.S. BV/SRL
Having their address at Uitbreidingstraat 72, box 7, 2600 Antwerp, Belgium 
For more information about the relevant Belgian joint controller and contact details, please use the Belgian privacy contact channels identified in this Addendum.
Where processing is carried out by a Belgian member firm, the relevant Belgian entity will be identified through the applicable engagement, service or communication materials, and rights requests may be submitted using the Belgian privacy contact channels identified in this Addendum.


Mailing Address

If you have any questions, comments, or concerns about the way your Personal Data are being used or processed by Grant Thornton, please submit your question, comment or concern in writing to us using the contact details below:

Corporate Mailing Address: Grant Thornton LLP
Privacy Office - Risk, Regulatory & Legal Affairs
171 N. Clark Street, Suite 200
Chicago, IL 60601

For Belgian-related privacy queries or rights requests, please use the relevant Belgian contact details and contact channels identified in this Addendum, including privacyrights@be.gt.com.