Privacy policy

Updated 9 January 2024

At Grant Thornton we are committed to protecting personal data and to fair and transparent processing. Please read our privacy statement; it will help you to understand how we collect and use personal data from individuals, our clients, suppliers or others during the course of our business. We will only use personal data for the purposes described in this privacy statement or as stated at the point of collection.

Who we are

Grant Thornton (Cyprus) Ltd registration number is 267530. Our registered office is 41-49, Agiou Nicolaou Str., Nimeli Court, Block C, Engomi 2408, P.O.Box 23907, 1687, Nicosia, Cyprus.

This privacy statement only applies to Grant Thornton (Cyprus) Ltd and does not apply to other member firms of Grant Thornton International Limited (GTIL) practising under the Grant Thornton name. We are not responsible for the privacy practices of those member firms or any other organisation our website may link to.

Our lawful basis for processing

We rely on several lawful bases for processing when we collect and use personal data to operate our business and provide products and services to our clients. These include:

  • Legal obligations – in order to comply with the legal and regulatory obligations we are subject to as a provider of regulated services and as a commercial business.
  • Contract – in order to perform contractual obligations we may have with an individual or to take steps to enter into a contract with an individual.
  • Consent – where an individual has freely given consent at the time their personal data was provided to us.
  • Legitimate interests – the legitimate interests can be ours, our clients’ or other third parties’ (e.g. to provide our services, to develop or protect our business, or to keep people informed about relevant products and services) and we always balance the rights of individuals with our and others’ legitimate interests.
  • Public interests – for the performance of a task carried out in the public interest.

How do we use your personal data?

We use your personal data to provide information to you or your organisation.

We may also use your personal data to carry out research about our visitors' demographics, interests and behaviour. We do this to better understand our visitors. This research is compiled and analysed on an aggregated and anonymous basis.

When you give us personal data, those data may be sent electronically to servers anywhere in the world and may be used, stored and processed anywhere in the world.

Whenever and wherever we collect, process or use personal data, we take steps to ensure that it is treated securely and in accordance with our privacy policy.

Client service activity

Corporate and Business clients (and individuals associated with them)

We only ask our clients to share personal data with us where it is necessary in order to provide our services or other agreed purposes. We rely on our clients providing any necessary information to the individuals whose data is shared with us regarding its use. Our clients may use relevant sections of this privacy statement or refer data subjects to this privacy statement if they consider it appropriate to do so.

In providing a range of services to our clients, we may need to process many categories of personal data about individuals associated with them (such as employees, directors, senior management, trustees, members and their beneficiaries, professional advisors, suppliers), which could include personal identification and contact details, employment related information or financial data.

Typically, we will collect personal data directly from our clients or from third parties acting on their instructions (e.g. their suppliers, professional advisors or former service providers).  

We use such personal data collected for the following purposes:

  • Providing professional services: we offer many different services to our clients and many of these services require us to process personal data in order to give advice and deliver reports to our clients.
  • Managing our business: in order to run our business effectively we may need to process personal data for multiple reasons, including managing our client relationships, developing our business and services, hosting events, and to manage and administer our website, IT systems and applications.
  • Quality, risk and security management systems: to protect our information and our clients’ information (including personal data), we use security measures that involve detecting, investigating and resolving security threats. As part of our security monitoring, personal data may be processed (e.g. automated scanning of emails to identify threats). We monitor the services we provide to our clients for quality purposes; this may involve processing personal data held on the relevant client file. We have policies and procedures in place for monitoring the quality of our services and managing risks. As a part of our client take-on procedures we will process personal data obtained from publicly available sources (e.g. sanctions list, criminal convictions databases, and internet searches) to identify any risks relating to organisations and associated individuals that may prevent us from working with a client or providing a particular service.
  • Providing information about our services: unless we are asked not to, we may use business contact details to provide information about us, our services and activities, including events that may be of interest.
  • Complying with legal, regulatory or professional obligations: as a regulated business, we are subject to various legal, regulatory and professional obligations that may require us to keep records which may contain personal data.

We retain the personal data processed by us for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation).

Personal clients

We only ask our clients to share personal data with us where it is necessary in order to provide our services or other agreed purposes. We rely on our clients providing the required information to the other affected individuals regarding its use (e.g. family members).

In providing a range of services to personal clients, we process many categories of personal data as appropriate for the type of service including personal identification and contact details, business activities, family information and financial data (e.g. income, taxation, financial interests and investments).

When required by law or with an individual’s explicit consent for certain services we may need to process special categories of personal data (defined as race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, genetic data, biometric data, sex life or sexual orientation) and criminal records.

Typically, we will collect personal data directly from our clients or from third parties acting on their instructions (e.g. their professional advisors or former service providers).

We use such personal data collected for the following purposes:

  • Providing professional services: we offer many different services to our clients (see dropdown list at the top of this page) and many of these services require us to process personal data in order to give advice and deliver reports to our clients.
  • Managing our business: in order to run our business effectively we may need to process personal data for multiple reasons, including managing our client relationships, developing our business and services, hosting events, and to manage and administer our website, IT systems and applications.
  • Quality, risk and security management systems: to protect our information and our clients’ information (including personal data), we use security measures that involve detecting, investigating and resolving security threats. As part of our security monitoring, personal data may be processed (e.g. automated scanning of emails to identify threats). We monitor the services we provide to our clients for quality purposes; this may involve processing personal data held on the relevant client file. We have policies and procedures in place for monitoring the quality of our services and managing risks. As a part of our client take-on procedures we will process personal data obtained from publicly available sources (e.g. sanctions list, criminal convictions databases, and internet searches) to identify any risks relating to organisations and associated individuals that may prevent us from working with a client or providing a particular service.
  • Providing information about our services: we may use contact details to provide information about us, our services and activities, including events that may be of interest.
  • Complying with legal, regulatory or professional obligations: as a regulated business, we are subject to various legal, regulatory and professional obligations that may require us to keep records which may contain personal data.

We retain the personal data processed by us for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation).

Suppliers

Suppliers (and individuals associated with our suppliers)

We only process personal data about our suppliers (this includes subcontractors and any individuals associated with them) where it is necessary for us to receive goods and services, contract, manage our relationship and help provide services to our clients (where relevant).

Typically, we will collect personal data directly from our suppliers but sometimes from third parties as a part of due diligence.  

We use personal data in these circumstances for the following purposes:

  • Providing professional services: where a supplier helps us to deliver services to our clients, we process the personal data of its people involved to help manage our relationship and to deliver those services to our clients.
  • Managing our business: in order to run our business effectively we may need to process personal data for multiple reasons, including managing our client relationships, developing our business and services, hosting events, and to manage and administer our website, IT systems and applications.
  • Quality, risk and security management systems: to protect our information and our clients’ information (including personal data), we use security measures that involve detecting, investigating and resolving security threats. As part of our security monitoring, personal data may be processed (e.g. automated scanning of emails to identify threats). We monitor the services we provide to our clients for quality purposes; this may involve processing personal data held on the relevant client file. We have policies and procedures in place for monitoring the quality of our services and managing risks. As a part of our client take-on procedures we will process personal data obtained from publicly available sources (e.g. sanctions list, criminal convictions databases, and internet searches) to identify any risks relating to organisations and associated individuals that may prevent us from working with a client or providing a particular service.
  • Receiving services: we process personal data in relation to our suppliers and their staff necessary to receive the services.
  • Complying with legal, regulatory or professional obligations: as a regulated business, we are subject to various legal, regulatory and professional obligations that may require us to keep records which may contain personal data.

We retain the personal data processed by us for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation).  

Business contacts

Client or prospective client contacts

We process personal data about contacts: existing clients, prospective clients and individuals connected with them. This personal data will usually include name, employer identity, job title and business contact details.

Typically, we will collect the personal data directly from the individuals themselves or from public sources such as public registers, social media and professional networking sites, news articles and internet searches.

Such personal data will be accessible to our people and used for the following purposes:

  • Developing, managing and administering our business
  • Providing information about us and the services we provide
  • Identifying the business needs of our clients or prospective clients

Unless we have the consent of the individual we do not sell or otherwise release any personal data collected for purposes above.

Personal data will be retained for as long as it is necessary for the above purposes.

Visitors and others

Visitors to our website are usually in control of the personal data shared with us.  We may automatically collect a limited amount of personal data about visitors to our website by using cookies. We accept personal data, such as name, title, company address, email address, and telephone and fax numbers, from website visitors; for example, when an individual fills out our contact form.

When you register with us, use our services, make an enquiry, order products or services from us, you may be asked to provide some personal data such as your name, address, job title, company, phone number and email address. We log your Internet Protocol (IP) address in order to receive and send information from and to you over the internet. We may also log the details of the pages you visit and which browser you are using.

We would not expect to receive any sensitive personal data from any enquiry made using our website, such as race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, genetic data, biometric data, sex life or sexual orientation, or criminal records. If you choose to provide such sensitive data, you are giving your explicit consent for us to process it for reasons you are choosing to provide it.

Where you do provide personal data to us, we will only use it for the stated purpose at collection or any purpose obvious in the circumstances of the collection, e.g.:

  • registering to use parts of the website
  • subscribing to newsletters, blogs, events invites or other direct marketing
  • registering to attend an event
  • making an enquiry
  • entering a discussion forum
  • requesting a document such as reports

We will indicate where it is necessary for you to provide information or where it is voluntary to enable us to handle your request. We usually only ask for extra information, so we can provide the most suitable response to your request.

Unless asked not to, we may use your contact details to provide information about us, our services and activities, including events that may be of interest.

Personal data collected via our website will be retained by us for as long as necessary.

Recruitment

When applying online for a role with us on our careers website, applicants will need to supply sufficient information for us to be able to evaluate their application. We will usually require that you provide your name, contact details, details of your qualifications, skills, experience, employment history and information about your expectations. We may ask for other personal data (including special categories of data) during your application or after we’ve made an offer; we will explain why and how it will be processed when it is requested. We may also collect personal data about you from third parties, such as references supplied by former employers, or conduct background checks.

For more detail about our recruitment processes, please visit our Careers page.

Direct Marketing

We may use your personal data to share an idea of what services we think you may want or need, or what may be of interest to you. We also send newsletter campaigns using email data from subscribers that have already provided their consent. You will only receive marketing communication from us if you have opted in to receiving marketing material.

We will get your express opt-in consent before we share your personal data with any company outside our Company for marketing purposes.

You can ask us or third parties to stop sending you marketing material at any time by contacting us above or clicking on the opt-out link included in each marketing message.

Links

Our website contains links to Grant Thornton member and correspondent firm websites, but this privacy policy applies only to personal data collected via websites operated by GTIL. It does not apply to specific member or correspondent firms practising under the Grant Thornton name. We are not responsible for the privacy practices of these or other sites. We encourage our visitors to be aware when they leave our website, and to read the privacy policy of other sites that collect or use personal data.

How we keep data secure

Security is of utmost importance to us. Whilst no data transmission over the internet or any other network can be guaranteed as 100% secure, we take all reasonable steps to safeguard the personal data we hold, and we have in place appropriate technical and organisational security measures in order to protect personally identifiable data and information from loss, misuse, alteration or destruction. These include detailed policies, procedures and training of our people relating to data protection, confidentiality and information security. These are regularly reviewed to ensure they are effective and fit for purpose to prevent any unauthorised or unlawful disclosure or processing of such information and data and the accidental loss or destruction of or damage to such information and data.

Transfer to third parties

We only share personal data with others when absolutely necessary for the purposes for which we hold it and when necessary for our legitimate professional and business needs, for the purpose of executing your instructions or requests and/or as required or permitted by applicable legislation, professional standards or any applicable agreement between us, and where appropriate contractual arrangements and security mechanisms are in place.

We share personal data only with affiliates for our lawful professional and business necessities, which comprise:

  • member firms of GTIL where needed to provide services to our clients and for administrative purposes
  • suppliers that support us and help provide services to our clients, such as providers of cloud-based software, IT systems, security, archiving storage, recruitment, marketing and payment services
  • professional advisors, auditors or insurers, where we are required by law or as reasonably required in the management of our business
  • law enforcement or other government and regulatory agencies or to other third parties, where we are required by law, the courts or any legal or regulatory authority we are subject to. We will only provide personal data in these circumstances where permitted or there is a legal requirement.

Whilst we store personal data on servers within the European Economic Area (EEA), we may transfer personal data outside the EEA to member firms of GTIL or other third parties that help us run our business. Contractual obligations are imposed on the recipients of any data transferred in order to provide appropriate and suitable safeguards for personal data that may be transferred to countries outside the EEA where an adequate level of protection is not already guaranteed.

How long do we keep personal data?

The personal data you submit to us will only be held for as long as is required for the purposes for which it was collected and as required by applicable law.

We keep personal data only for as long as necessary and this will reflect the requirements of:

  • the activity or service for which it is being processed
  • any legal, regulatory or contractual requirements
  • the time in which any litigation or investigations might arise from providing a service.

Individuals’ rights

Individuals have certain rights over their personal data that we process as data controllers.

If we process your personal data and you exercise any of your rights, we will aim to respond promptly and within any required time limit. However, please note that the length of time it will take us to respond will be dependent on the nature and extent of your request.

You have a right to:

  • access – you can ask us for a copy of the personal data that we hold on you
  • rectification – if you become aware of any errors or inaccuracies concerning your personal data, please let us know either by updating your details on the website or applications you are registered with or contacting us.
  • withdraw consent – where we process personal data based on consent, you have a right to withdraw consent at any time. To stop receiving direct marketing emails from us, please click on the unsubscribe link in the relevant email. For any other withdrawals of consent please contact our DPO office.
  • erasure/deletion – you can ask us to erase or delete your personal data when we no longer need it for the purposes it was obtained.
  • data portability – you can ask for your personal data to be sent to you or to another organisation
  • review automated decision making – if we make automated decisions about you, you can ask for those decisions to be reviewed
  • restrict or object to our processing – you can ask to restrict or object to our processing of your personal data (e.g. removal from a marketing subscription list).

If you wish to exercise any of the rights, please send an email to dpo@cy.gt.com

Inaccuracies and Corrections

We would like to keep your personal data accurate and up to date. If you become aware of any errors or inaccuracies please let us know by contacting us at our registered office.

Cookies

What is a Cookie

A cookie is a small piece of data or message that is sent from an organisation's web server to your web browser and is then stored on your hard drive. Cookies can't read data off your hard drive or cookie files created by other sites, and do not damage your system.

However, you can reset your browser so as to refuse any cookie or to alert you to when a cookie is being sent. Web browsers allow you to control cookies stored on your hard drive through the web browser settings. To find out more about cookies, including what cookies have been set and how to manage and delete them, visit http://www.allaboutcookies.org.

We only use cookies to monitor the performance of our website and to improve user experience.

If you choose not to accept our cookies, some of the features of our site may not work as well as we intend.

Cookies used by the website

| Cookie key | Cookie type | Expiration | Description |
| --- | --- | --- | --- |
| ARRAffinity | First-party | Session | This cookie is set by websites run on the Windows Azure cloud platform. It is used for load balancing to make sure the visitor page requests are routed to the same server in any browsing session. |
| ARRAffinitySameSite | First-party | Session | When using Microsoft Azure as a hosting platform and enabling load balancing, this cookie ensures that requests from one visitor browsing session are always handled by the same server in the cluster. |
| ASP.NET_SessionId | First-party | Session | General purpose platform session cookie, used by sites written with Microsoft .NET based technologies. Usually used to maintain an anonymised user session by the server. |
| ai_user | First-party | 1 year | This cookie name is associated with the Microsoft Application Insights software, which collects statistical usage and telemetry information for apps built on the Azure cloud platform. This is a unique user identifier cookie enabling counting of the number of users accessing the application over time. |
| ai_session | First-party | 30 minutes | This cookie name is associated with the Microsoft Application Insights software, which collects statistical usage and telemetry information for apps built on the Azure cloud platform. This is a unique anonymous session identifier cookie. |
| EPi_NumberOfVisits | First-party | 1 year | This cookie is used to track the number of visits by an individual to understand browsing habits and areas of interest. |

 

Failure to provide personal information

Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you or we may not be able to perform the services as agreed. In case you fail to provide the required data, we may have to terminate that contract with you as a result, but we will notify you if this is the case at the time.

 

Who to contact

If you have any questions about this privacy statement, wish to complain about our use of personal data or exercise one of your rights, please send your correspondence to our Data Protection Officer:

Data Protection Officer

Grant Thornton (Cyprus) Ltd

41-49, Agiou Nicolaou Str.

Nimeli Court, Block C, Engomi 2408

P.O.Box 23907, 1687, Nicosia, Cyprus

E-mail: dpo@cy.gt.com