Privacy policy

At Grant Thornton we are committed to protecting personal data and to fair and transparent processing. Please read our privacy statement, it will help you to understand how we collect and use personal data from individuals, our clients, suppliers or others during the course of our business. We will only use personal data for the purposes described in this privacy statement or as stated at the point of collection.

We regularly review this privacy statement and may make changes at any time without giving notice.

Who we are

Grant Thornton (Cyprus) Ltd is a limited liability partnership registered in Cyprus with registration number 267530. Our registered office is 41-49, Agiou Nicolaou Str., Nimeli Court, Block C, Engomi 2408, P.O.Box 23907, 1687, Nicosia, Cyprus.

This privacy statement only applies to Grant Thornton (Cyprus) Ltd and does not apply to other member firms of Grant Thornton International Limited (GTIL) practising under the Grant Thornton name. We are not responsible for the privacy practices of those member firms or any other organisation our website may link to.

Our lawful basis for processing

We rely on several lawful fundamentals of processing when we collect and use personal data to operate our business and provide products and services to our clients. These include:

  • Public interests – where the processing of data is necessary for providing certain services to clients (e.g. statutory audit) or for certain requirements we are subject to.
  • Legal obligations – in order to comply with the legal and regulatory obligations we are subject to as a provider of regulated services and as a commercial business.
  • Contract – in order to perform contractual obligations, we may have with an individual or to take steps to enter into a contract with an individual.
  • Consent – where an individual has freely given consent at the time their personal data was provided to us.
  • Legitimate interests – the legitimate interests can be ours, our clients or other third parties (e.g. to provide our services, to develop or protect our business, or to keep people informed about relevant products and services) and we always balance the rights of individuals with ours’ and others’ legitimate interests.

Cookies

What is a Cookie

A cookie is a small piece of data or message that is sent from an organisation's web server to your web browser and is then stored on your hard drive. Cookies can't read data off your hard drive or cookie files created by other sites, and do not damage your system.

However, you can reset your browser so as to refuse any cookie or to alert you to when a cookie is being sent. Web browsers allow you to control cookies stored on your hard drive through the web browser settings. To find out more about cookies, including what cookies have been set and how to manage and delete them, visit http://www.allaboutcookies.org.

We only use cookies to monitor the performance of our website and to improve user experience.

If you choose not to accept our cookies, some of the features of our site may not work as well as we intend.

Cookies used by the website

Cookie type

Cookie Name

Purpose

Google analytics

utma
_utmb
_utmc
_utmz

These cookies are used to monitor the performance of our site. We use the information to help us improve the site. The cookies collect information in an anonymous form, including the number of visits to our site, where visitors have come from to the site and the pages they visited.

To opt out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout.

Youtube preferences

PREF
use_hitbox
VISITOR_INFO1_LIVE

We use YouTube to embed a selection of videos in our Thinking and campaign pages. The embedded videos do not set cookies themselves and can be played with no cookies set. However, if the 'Share' button is clicked YouTube will set cookies. The VISITOR_INFO1_LIVE cookie attempts to estimate your bandwidth and the use_hitbox and PREF cookies increment the 'views' counter on the YouTube video and stores session preferences. These cookies don’t gather information that identifies a user.

Twitter

guest_id

We embed a Twitter feed in our Thinking and campaign pages. This cookie is used to identify you to twitter. if you do not have a twitter account or never accessed the twitter.com website directly then twitter will assign you a unique code to track your visit to the Twitter feed.

How do we use your personal data?

We use your personal data to provide information to you or your organisation.

We may also use your personal data to carry out research about our visitors' demographics, interests and behaviour. We do this to better understand our visitors. This research is compiled and analysed on an aggregated and anonymous basis.

When you give us personal data, those data may be sent electronically to servers anywhere in the world and may be used, stored and processed anywhere in the world.

Whenever and wherever we collect, process or use personal data, we take steps to ensure that it is treated securely and in accordance with our privacy policy.

To whom might we disclose your personal data?

We may pass your personal data to anyone who needs the data in order to fulfil your request for our services, or process any payment. Some of these may be located outside the European Economic Area.

We may pass your personal data to Grant Thornton member firms or to our data processors.

Except as set out above, we will not disclose your personal information unless we are obliged to do so or allowed to do so, by law, or where we need to do so in order to run our business (for instance where we outsource services or other people process data for us).

Direct Marketing

You may at any time request us to stop using your personal data for direct marketing purposes. If you wish to do this, please contact us.

Links

Our website contains links to Grant Thornton member and correspondent firm websites, but this privacy policy applies only to personal data collected via websites operated by GTIL which include www.gti.org , www.internationalbusinessreport.com and www.globaldynamismindex.com  and to how GTIL processes personal data. It does not apply to specific member or correspondent firms practising under the Grant Thornton name. We are not responsible for the privacy practices of these or other sites. We encourage our visitors to be aware when they leave our website, and to read the privacy policy of other sites that collect or use personal data.

Security

Unfortunately, no data transmission over the Internet or any other network can be guaranteed as 100% secure, but we take appropriate steps to try to protect the security of your personal data.

Client service activity

Corporate and Business clients (and individuals associated with them)

We only ask our clients to share personal data with us where it is necessary in order to provide our services or other agreed purposes. We rely on our clients providing any necessary information to the individuals whose data is shared with us regarding its use. Our clients may use relevant sections of this privacy statement or refer data subjects to this privacy statement if they consider it appropriate to do so.

In providing a range of services to our clients, we may need to process many categories of personal data about individuals associated with them (such as employees, directors, senior management, trustees, members and their beneficiaries, professional advisors, suppliers), which could include personal identification and contact details, employment related information or financial data.

Typically, we will collect personal data directly from our clients or from third parties acting on their instructions (e.g. their suppliers, professional advisors or former service providers).  

We use such personal data collected for the following purposes:

  • Providing professional services: we offer many different services to our clients and many of these services require us to process personal data in order to give advice and deliver reports to our clients.
  • Managing our business: in order to run our business effectively we may need to process personal data for multiple reasons, including managing our client relationships, developing our business and services, hosting events, and to manage and administer our website, IT systems and applications.
  • Quality, risk and security management systems: to protect our information and our clients’ information (including personal data), we use security measures that involve detecting, investigating and resolving security threats. As a part of the security monitoring we do personal data may be processed (e.g. automated scanning of emails to identify threats). We monitor the services we provide to our clients for quality purposes this may involve processing personal data held on the relevant client file. We have policies and procedures in place for monitoring the quality of our services and manage risks. As a part of our client take-on procedures we will process personal data obtained from publicly available sources (e.g. sanctions list, criminal convictions databases, and internet searches) to identify any risks relating to organisations and associated individuals that may prevent us from working with a client or providing a particular service.
  • Providing information about our services: unless we are asked not to, we may use business contact details to provide information about us, our services and activities, including events that may be of interest.
  • Complying with legal, regulatory or professional obligations: as a regulated business, we are subject to various legal, regulatory and professional obligations that may require us to keep records which may contain personal data.

We retain the personal data processed by us for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation). In the absence of specific legal, regulatory or contractual requirements, our baseline retention period for records and other documentary evidence created in the provision of services is 7 years.

Personal clients

We only ask our clients to share personal data with us where it is necessary in order to provide our services or other agreed purposes. We rely on our clients providing the required information to the other affected individuals regarding its use (e.g. family members).

In providing a range of services to personal clients, we process many categories of personal data as appropriate for the type of service including personal identification and contact details, business activities, family information and financial data (e.g. income, taxation, financial interests and investments).

When required by law or with an individuals’ explicit consent for certain services we may need to process special categories of personal data (defined as race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, genetic data, biometric data, sex life or sexual orientation) and criminal records.

Typically, we will collect personal data directly from our clients or from third parties acting on their instructions (e.g. their professional advisors or former service providers).

We use such personal data collected for the following purposes:

  • Providing professional services: we offer many different services to our clients (see dropdown list at the top of this page) and many of these services require us to process personal data in order to give advice and deliver reports to our clients.
  • Managing our business: in order to run our business effectively we may need to process personal data for multiple reasons, including managing our client relationships, developing our business and services, hosting events, and to manage and administer our website, IT systems and applications.
  • Quality, risk and security management systems: to protect our information and our clients’ information (including personal data), we use security measures that involve detecting, investigating and resolving security threats. As a part of the security monitoring we do personal data may be processed (e.g. automated scanning of emails to identify threats). We monitor the services we provide to our clients for quality purposes this may involve processing personal data held on the relevant client file. We have policies and procedures in place for monitoring the quality of our services and manage risks. As a part of our client take-on procedures we will process personal data obtained from publicly available sources (e.g. sanctions list, criminal convictions databases, and internet searches) to identify any risks relating to organisations and associated individuals that may prevent us from working with a client or providing a particular service.
  • Providing information about our services: we may use contact details to provide information about us, our services and activities, including events that may be of interest.
  • Complying with legal, regulatory or professional obligations: as a regulated business, we are subject to various legal, regulatory and professional obligations that may require us to keep records which may contain personal data.
  • We retain the personal data processed by us for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation). In the absence of specific legal, regulatory or contractual requirements, our baseline retention period for records and other documentary evidence created in the provision of services is 7 years.

Suppliers

Suppliers (and individuals associated with our suppliers)

We only process personal data about our suppliers (this includes subcontractors and any individuals associated with them) where it is necessary for us to receive goods and services, contract, manage our relationship and help provide services to our clients (where relevant).

Typically, we will collect personal data directly from our suppliers but sometimes from third parties as a part of due diligence.  

We use personal data in these circumstances for the following purposes:

  • Providing professional services: where a supplier helps us to deliver services to our clients, we process the personal data of its people involved to help manage our relationship and to deliver those services to our clients.
  • Managing our business: in order to run our business effectively we may need to process personal data for multiple reasons, including managing our client relationships, developing our business and services, hosting events, and to manage and administer our website, IT systems and applications.
  • Quality, risk and security management systems: to protect our information and our clients’ information (including personal data), we use security measures that involve detecting, investigating and resolving security threats. As a part of the security monitoring we do personal data may be processed (e.g. automated scanning of emails to identify threats). We monitor the services we provide to our clients for quality purposes this may involve processing personal data held on the relevant client file. We have policies and procedures in place for monitoring the quality of our services and manage risks. As a part of our client take-on procedures we will process personal data obtained from publicly available sources (e.g. sanctions list, criminal convictions databases, and internet searches) to identify any risks relating to organisations and associated individuals that may prevent us from working with a client or providing a particular service.
  • Providing information about our services: we may use business contact details to provide information about us, our services and activities, including events that may be of interest.
  • Receiving services: we process personal data in relation to our suppliers and their staff necessary to receive the services.
  • Complying with legal, regulatory or professional obligations: as a regulated business, we are subject to various legal, regulatory and professional obligations that may require us to keep records which may contain personal data.

We retain the personal data processed by us for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation).  

Personal data may be held for longer periods where extended retention periods are required by law or regulation and in order to establish, exercise or defend our legal rights.

Business contacts

Client or prospective client contacts

We process personal data about contacts, these are existing clients, prospective clients and individuals connected with them. This personal data will usually include name, employer identity, job title and business contact details.

Typically, we will collect the personal data directly from the individuals themselves or from public sources such as public registers, social media and professional networking sites, news articles and internet searches.

Such personal data will be accessible to our people and used for the following purposes:

  • Developing, managing and administering our business
  • Providing information about us and the services we provide
  • Identifying the business needs of our clients or prospective clients

Unless we have the consent of the individual we do not sell or otherwise release any personal data collected for purposes above.

Personal data will be retained for as long as it is necessary for the above purposes.

Visitors and others

Website

Visitors to our website are usually in control of the personal data shared with us.  We may automatically collect a limited amount of personal data about visitors to our website by using cookies. We accept personal data, such as name, title, company address, email address, and telephone and fax numbers, from website visitors; for example, when an individual fills out our contact form.

When you register with us, use our services, make an enquiry, order products or services from us, you may be asked to provide some personal data such as your name, address, job title, company, phone number and email address. We log your Internet Protocol (IP) address in order to receive and send information from and to you over the internet. We may also log the details of the pages you visit and which browser you are using.

We would not expect to receive any sensitive personal data from any enquiry made using our website, such as race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, genetic data, biometric data, sex life or sexual orientation, or criminal records. If you choose to provide such sensitive data, you are giving your explicit consent for us to process it for reasons you are choosing to provide it.

Where you do provide personal data to us, we will only use it for the stated purpose at collection or any purpose obvious in the circumstances of the collection, e.g.:

  • registering to use parts of the website
  • subscribing to newsletters, blogs, events invites or other direct marketing
  • registering to attend an event
  • making an enquiry
  • entering a discussion forum
  • requesting a document such as reports

We will indicate where it is necessary for you to provide information or where it is voluntary to enable us to handle your request. We usually only ask for extra information, so we can provide the most suitable response to your request.

Unless asked not to, we may use your contact details to provide information about us, our services and activities, including events that may be of interest.

Personal data collected via our website will be retained by us for as long as necessary.

Recruitment

When applying online for a role with us on our careers website, applicants will need to supply sufficient information for us to be able to evaluate their application. We will usually require that you provide your name, contact details, details of your qualifications, skills, experience, employment history and information about your expectations. We may ask for other personal data (including special categories of data and criminal records) during your application or after we’ve made an offer, we will explain why and how it will be processed when it is requested. We may also collect personal data about you from third parties, such as references supplied by former employers or conduct background checks.

For more detail about our recruitment processes, please visit our Careers page.

How we keep data secure

Security is of upmost importance to us. Whilst no data transmission over the internet or any other network can be guaranteed as 100% secure, we take all reasonable steps to safeguard the personal data we hold, and we have in place appropriate technical and organisational security measures in order to protect personally identifiable data and information from loss, misuse, alteration or destruction. These include detailed policies, procedures and training of our people relating to data protection, confidentiality and information security. These are regularly reviewed to ensure they are effective and fit for purpose to prevent any unauthorised or unlawful disclosure or processing of such information and data and the accidental loss or destruction of or damage to such information and data.

Transfer to third parties

We only share personal data with others when absolutely necessary for the purposes for which we hold it and when necessary for our legitimate professional and business needs, for the purpose of executing your instructions or requests and/or as required or permitted by applicable legislation, professional standards or any applicable agreement between us, and where appropriate contractual arrangements and security mechanisms are in place.

We share personal data only with affiliates for our lawful professional and business necessities which comprise of:

  • member firms of GTIL where needed to provide services to our clients and for administrative purposes
  • suppliers that support us and help provide services to our clients, such as providers of cloud-based software, IT systems, security, archiving storage, recruitment, marketing and payment services
  • professional advisors, auditors or insurers, where we are required by law or as reasonably required in the management of our business
  • law enforcement or other government and regulatory agencies or to other third parties, where we are required by law, the courts or any legal or regulatory authority we are subject to. We will only provide personal data in these circumstances where permitted or there is a legal requirement.

Whilst we store personal data on servers within the European Economic Area (EEA), we may transfer personal data outside the EEA to member firms of GTIL or other third parties that help us run our business. Contractual obligations are imposed on the recipients of any data transferred in order to ensure all personal data is protected to the standard required in the EEA.

How long do we keep personal data?

The personal data you submit to us will only be held for as long as is required for the purposes for which it was collected and as required by applicable law.

We keep personal data only for as long as necessary and this will reflect the requirements of:

  • the activity or service for which it is being processed
  • any legal, regulatory or contractual requirements
  • the time in which any litigation or investigations might arise from providing a service.

Individuals’ rights

Individuals have certain rights over their personal data that we process as data controllers.

If we process your personal data and you exercise any of your rights, we will aim to respond promptly and within any required time limit. However, please note that the length of time it will take us to respond will be dependent on the nature and extent of your request.

You have a right to:

  • access – you can ask us for a copy of the personal data that we hold on you
  • rectification – if you become aware of any errors or inaccuracies concerning your personal data, please let us know either by updating your details on the website or applications you are registered with or contacting us.
  • withdraw consent – where we process personal data based on consent, you have a right to withdraw consent at any time. To stop receiving direct marketing emails from us, please click on the unsubscribe link in the relevant email. For any other withdrawals of consent please contact our dpo office.
  • erasure/deletion- you can ask us to erase or delete your personal data when we no longer need it for the purposes it was obtained.
  • data portability- you can ask for your personal data to be sent to you or to another organisation
  • review automated decision making – if we make automated decisions about you, you can ask for those decisions to be reviewed
  • restrict or object to our processing - you can ask to restrict or object to our processing of your personal data (e.g. removal from a marketing subscription list).

If you wish to exercise any of the rights, please send an email to dpo@cy.gt.com

Inaccuracies and Corrections

We would like to keep your personal data accurate and up to date. If you become aware of any errors or inaccuracies please let us know by contacting us at our registered office.

Who to contact

If you have any questions about this privacy statement, wish to complain about our use of personal data or exercise one of your rights, please send your correspondence to our Data Protection Officer:

Data Protection Officer

Grant Thornton (Cyprus) Ltd

41-49, Agiou Nicolaou Str.

Nimeli Court, Block C, Engomi 2408

P.O.Box 23907, 1687, Nicosia, Cyprus

E-mail: dpo@cy.gt.com