EU-US Data Privacy Framework

 

Last Updated/Effective May 30, 2024 

 

Grant Thornton LLP, Grant Thornton Advisors LLC1 and certain subsidiaries (Grant Thornton Financial Advisors LLC) (collectively Grant Thornton for the purpose of this Notice2participate in the EU-U.S. Data Privacy FrameworkSwiss-U.S. Data Privacy Framework and the UK Data Privacy Extension programs administered by the U.S. Department of Commerce regarding our collection, use, and retention of personal information transferred from the European Union, the United Kingdom and Switzerland to the United States. Grant Thornton’s participation in the Data Privacy Framework programs applies to the collection, use, and retention of any personal information transferred from the European Union, European Economic Area, the United Kingdom, and Switzerland whether through our Sites or in connection with providing our Services or operating and administering our business. To learn more, please visit the Data Privacy Framework site.

 

Grant Thornton complies with the EU-U.S. Data Privacy Framework and Swiss-U.S. Data Privacy Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom and Switzerland to the United States. Grant Thornton has certified to the Department of Commerce that it adheres to the Data Privacy Framework Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement and liability, and the 16 Supplemental Principles (collectively, Data Privacy Framework Supplemental Principles”).

 

Grant Thornton’s participation in the Data Privacy Framework is subject to the investigatory and enforcement powers of the Federal Trade Commission and other U.S. authorized statutory bodies as applicable.

 

Grant Thornton’s adherence to the Data Privacy Framework Principles may be limited to the extent necessary to meet national security, public interest, or law enforcement requirements.

 

Personal Information collected about you will vary according to our interactions with you and the products and services we offer. Specific types or examples of Personal Information that could be collected by category are provided below.

 

Category of Personal Information

Purpose of collection

Category of third parties to whom data is potentially disclosed

Personal identifiers: contact information (such as first and last name, e-mail address, mailing address or phone number), and current employer and job title

To respond to requests; to send information about Grant Thornton’s services or events; to send administrative information or notices; to advertise our services on other websites; to communicate in connection with an engagement

Service providers; service providers for marketing services; our affiliates in Bengalore, India and Kolkata, India; other member firms of GTIL

Education and professional information: name, address and other contact information, work history, educational experience, licenses, and certifications, other professional or employment-related information, full or partial Social Security number, gender, race, ethnicity, citizenship, veteran, and disability status

To create an account on Grant Thornton’s online job board; to process applications for employment and communicate about employment opportunities; to evaluate information for employment opportunities

Service providers; our affiliates in Bengalore, India and Kolkata, India; background check vendors

Audio, visual: This category would include audio and video recordings and surveillance

Employment and security

Service providers for providing audio/visual services; law enforcement authorities

Internet activity: automatically collected information from activity on our Sites such as browser information, IP address, and browser type

To personalize content on our Sites; to track activity on and technical performance of our Sites; to evaluate our marketing efforts; to improve our Sites

Service providers for providing internet services; service providers for marketing services

Personal identifiers: personal information collected while providing services and in connection with pre-engagement activities

To fulfill a contract for services; to perform pre-engagement activities; to enforce our rights arising from any contract, including billing and collections

Service providers; our affiliates in Bengalore, India and Kolkata, India; other member firms of GTIL

 

Grant Thornton’s participation in the Data Privacy Framework program applies to all personal information that we receive from the European Union, European Economic Area, the United Kingdom and Switzerland. Grant Thornton collects and receives personal information from the European Union, the United Kingdom and Switzerland in connection with client engagements for audit, tax and advisory services. We also collect and receive personal information related to employees from other member firms of Grant Thornton International Ltd. seeking employment or internship opportunities with us. We may also collect personal information from individuals located in the European Union, the United Kingdom and Switzerland who voluntarily provide such information through Grant Thornton’s Web sites in connection with applying for job openings or subscribing to events or media alerts. Please see the Privacy Statement on our external Web site at https://www.grantthornton.com/privacy-policy for more information.



As described in the Data Privacy Framework Principles, Grant Thornton also has certain responsibilities related to personal information that it receives under the Privacy Framework and subsequently transfers to a third party. In particular, Grant Thornton remains responsible and liable under the Data Privacy Framework Principles if third party agents that Grant Thornton engages to process personal information on our behalf do so in a manner inconsistent with the Data Privacy Framework Principles, unless we prove that Grant Thornton is not responsible for the event giving rise to the damage. The Federal Trade Commission has jurisdiction over Grant Thornton’s compliance with the representations made in this notice and the EU-U.S. Data Privacy Framework and Swiss-U.S. Data Privacy Framework frameworks.



With limited exceptions3, individuals have the right to access their personal information, or correct, amend or delete such information where it is inaccurate or processed unlawfully, and also to opt out of disclosures to third parties who do not process personal information as part of the purpose for which personal information was collected or was subsequently authorized or and any uses that are materially different from the original purpose of collection. To exercise these rights, please email us at privacy.questions@us.gt.com..



Grant Thornton is committed to responding to any inquiries and resolving any complaints about your privacy and our collection or use of your personal information within forty-five (45) days of receipt. Individuals with inquiries or complaints should first contact Grant Thornton by email at privacy.questions@us.gt.com.



Grant Thornton is further committed to referring unresolved privacy complaints to JAMS, an alternative dispute resolution provider. The services of JAMS are provided at no cost to you. Please visit EU-US Data Privacy Framework | JAMS Mediation, Arbitration, ADR Services (jamsadr.com) for more information or to file a complaint. With respect to any human resources data collected under the Data Privacy Framework, Grant Thornton will cooperate with the appropriate EU Data Protection Authorities and the Swiss Federal Data Protection Commissioner, as applicable, during the investigation and resolution of complaints. As further explained in the Data Privacy Framework Principles, a binding arbitration option will also be made available, at no cost to you, in order to address complaints not resolved by any other means.



This policy may be amended or modified from time to time consistent with the EU-U.S. Data Privacy Framework and Swiss-U.S. Data Privacy Framework. If there is any conflict between the terms in this policy and the Data Privacy Framework Principles, the Data Privacy Framework Principles shall govern. To learn more about the Data Privacy Framework program, please visit dataprivacyframework.gov  To view Grant Thornton’s certification, please visit Participant Search (dataprivacyframework.gov)

 

 

 


 

 

  1. ”Grant Thornton” refers to the brand name under which the Grant Thornton member firms provide services to their clients and/or refers to one or more member firms, as the context requires.
    Grant Thornton LLP and Grant Thornton Advisors LLC (and their respective subsidiary entities) practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Grant Thornton LLP is a licensed independent CPA firm that provides attest services to its clients, and Grant Thornton Advisors LLC and its subsidiary entities provide tax and business consulting services to their clients. Grant Thornton Advisors LLC and its subsidiary entities are not licensed CPA firms.
    Grant Thornton International Limited (GTIL) and the member firms, including Grant Thornton LLP and Grant Thornton Advisors LLC, are not a worldwide partnership. GTIL and each member firm are separate legal entities. Services are delivered by the member firms, GTIL does not provide services to clients. GTIL and its member firms are not agents of, and do not obligate, one another and are not liable for one another’s acts or omissions. 
  2. Data Privacy Framework Supplement Principles 4–Performing Due Diligence and Conducting Audits. The activities of auditors and investment bankers may involve processing personal data without the consent or knowledge of the individual.  This is permitted by the Notice, Choice, and Access Principles under the circumstances described below.
    b.    Public stock corporations and closely held companies, including participating organizations, are regularly subject to audits.  Such audits, particularly those looking into potential wrongdoing, may be jeopardized if disclosed prematurely.  Similarly, a participating organization involved in a potential merger or takeover will need to perform, or be the subject of, a “due diligence” review.  This will often entail the collection and processing of personal data, such as information on senior executives and other key personnel.  Premature disclosure could impede the transaction or even violate applicable securities regulation.  Investment bankers and attorneys engaged in due diligence, or auditors conducting an audit, may process information without knowledge of the individual only to the extent and for the period necessary to meet statutory or public interest requirements and in other circumstances in which the application of these Principles would prejudice the legitimate interests of the organization.  These legitimate interests include the monitoring of organizations’ compliance with their legal obligations and legitimate accounting activities, and the need for confidentiality connected with possible acquisitions, mergers, joint ventures, or other similar transactions carried out by investment bankers or auditors.
  3. Where no exception applies, for sensitive information (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership/activities/views or information specifying the sex life of the individual, information  on social assistance measures or administrative and criminal proceedings or sanctions), the firm will obtain either directly or through the entity that has collected the sensitive information, affirmative express consent (opt in) where such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized.  The firm will treat as sensitive any personal information received from a third party where the third party identifies and treats it as sensitive.