Last Updated: May 1, 2025
European Privacy Addendum
This European Privacy Addendum (“Addendum”) supplements the Grant Thornton Privacy Statement (“Privacy Statement”) and is intended to inform individuals who are resident in the European Union ("EU"), the European Economic Area ("EEA") and the United Kingdom ("UK") (together, "Europe") about how your information, including Personal Data (as defined below), will be processed by Grant Thornton and/or on its behalf by its third party service providers.
We will process your Personal Data when:
- you access or use our Sites;
- you, or the organisation with which you are connected, are a potential client of our Services; or
- you have engaged with, or subscribed to, our newsletters or other marketing communications or initiatives.
We are required to give you the information in this Addendum, including to inform you about your data protection rights, under the General Data Protection Regulation (EU) 2016/679 (“EU GDPR”); and the EU GDPR as amended and incorporated into the UK's European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018(together, "European Data Protection Laws"). We are committed to protecting your privacy. You should read this Addendum fully to understand the basis upon which we process your Personal Data, how we use it and to whom it will be disclosed.
All capitalised terms have the same meaning given to them in the Privacy Statement or this Addendum. In the event of a conflict between this Addendum and the Privacy Statement, this Addendum will prevail to the extent that you are resident in Europe.
Who is Responsible for Your Personal Data?
References to Grant Thornton (including, "we", "us", "our" and "Grant Thornton Group") in this Addendum refer to the following entities, each of whom are part of a global alternative practices structure: Grant Thornton Advisors LLC, Grant Thornton LLP, Grant Thornton Holdings Limited, Grant Thornton Assurance Ireland and/or their affiliates and subsidiaries. Each of these entities are joint controllers and have an arrangement in place to ensure that your data protection rights are protected. For more details about these entities see 'Who we are: joint controllers'.
In some instances, these entities may be independent controllers of your Personal Data under European Data Protection Laws.
If you have any questions about how we use your Personal Data or to exercise your data protection rights (as set out in this Addendum), please contact us at Grant Thornton LLP, Privacy Office - Risk, Regulatory & Legal Affairs, 171 N. Clark Street, Suite 200, Chicago, IL 60601 or privacy.questions@us.gt.com.
What is Personal Data?
For European residents, the term “Personal Data” means any information relating to an identified or identifiable natural person. It can include information about you that can identify you, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors.
How and Why Do We Use Your Personal Data?
Personal Data processed about you will vary according to our interactions and relationship with you, including Services we offer (and the nature of our engagements). The table below explains our processing activities, one or more of which may be apply to you. Please note that the Personal Data listed is non-exhaustive.
Types of Personal Data |
Legal basis
| Data source | Purpose of processing | Recipients |
First and last name, email address, mailing address or phone number, and current employer and role/job title (“Contact Information”). | We process your Personal Data where it is necessary for the purposes of our legitimate interests to engage you as prospective client. | Directly or indirectly from you, prospective clients, or their agents.
| To respond and manage any communications you send to us as a prospective client (e.g., when you email us or contact us via the Site). To record your details in our systems as a prospective client. | Service providers, including marketing services; our affiliates in India and entities in the Grant Thornton Group.
|
Contact Information | We process your Personal Data where it is necessary for the purposes of our legitimate interests, in providing, maintaining and/or improving our Services. | Directly from you. Directly or indirectly from clients or their agents. | To respond to individual or client requests. To provide, improve or maintain our Services. To send administrative information or notices. To communicate in connection with a client or potential client engagement. To keep records associated with our Services (including, associated communications, records, etc.). To prevent, detect and respond to actual or potential fraudulent or other activities. | Service providers, including marketing services; our affiliates in India and other entities of the Grant Thornton Group. |
Contact Information and information confirming your identity and status within a company, (e.g., director / beneficial owner), your responsibilities, PPSN, identify verification documents, tax information, and/or other information you provide to us.
| We process your Personal Data where it is necessary for the purposes of our legitimate interest to operate our business, for relationship management purposes and to provide Services.
| Directly from you. Directly or indirectly from our clients or their agents collected while providing services and in connection with pre- engagement activities. | To initiate, onboard and fulfil a contract for Services. To order to perform Services. To perform pre-engagement activities. To conduct client due diligence, background checks, KYC checks and background checks (where required by professional standards, law, or regulation). To comply with our professional standards, legal and regulatory obligations. To manage and administer our business relationship with you. To keep records associated with our Services (including, associated communications, records, etc.). To enforce our rights arising from any contract, including billing and collections. | Service providers, our affiliates in India, other entities of the Grant Thornton Group. |
Contact Information and details about your contact preferences (e.g., areas of interest) and information relating to your subscription to, receipt of or interest in any of our mailing lists or newsletters, or registration to access any of our restricted content. | We process your Personal Data where it is necessary for the purposes of our legitimate interests in relation to events, market updates & insights, and newsletters.
| Directly or indirectly from you, including through your engagement with advertisements on platforms such as LinkedIn. Directly or indirectly from our clients or their agents. | To invite you to meetings, events, webinars, conferences, seminars, online surveys, or self-assessment tools. To promote our Services. To develop and maintain our relationship with you and/or your organisation. To engage with you by sending you our newsletters, industry, market updates & insights, when you have engaged with us, or you are a client representative. To assess your participation in, reception of, interest in, or engagement with our marketing activities, materials we send you and our events (e.g., newsletter, surveys, conferences). | Service providers of marketing, social media, audio/visual or related services. |
Automatically collected information from your activity on our Sites such as browser information, IP address, and browser type. | We process your Personal Data where it is necessary for the purposes of our legitimate interests in relation to improve our Sites and personalise your visit to our Sites. | Indirectly from you through our sites, cookies, and other tracking technologies. | To personalize content on our Sites. To track activity on and technical performance of our Sites. To evaluate our marketing efforts; to improve our Sites. | Service providers for providing internet services. Service providers for marketing services (e.g., Site visitor insight solutions). |
Contact Information or other Personal Data | We process your Personal Data where it is necessary for the purposes of our legitimate interests in relation any actual or potential litigation, disputes, or complaints. | Directly or indirectly from you. Directly or indirectly from our clients or their agents. | To establish, defend or exercise our legal rights and any legal proceedings or out-of-court proceedings which may arise. | Service providers; our affiliates in India; other entities of the Grant Thornton Group. |
Contact Information or other Personal Data | We process your Personal Data where it is necessary to comply with legal obligations to which we are subject under European laws. | Directly or indirectly from you. Directly or indirectly from our clients or their agents. | To respond and manage any valid legal or data subject rights requests you and any steps relating to same.
| Service providers; our affiliates in India; other entities of the Grant Thornton Group. |
Contact Information and other Personal Data | We process your Personal Data where it is necessary for the purposes of our legitimate interests in the event Grant Thornton goes through a business transition, such as a merger, or the acquisition or sale of all or a portion of its assets. | Directly or indirectly from you. Directly or indirectly from our clients or their agents. | To manage a relevant business transition, acquisition or sale of all or a portion of our assets. | Service providers; our affiliates in Bengaluru, India; other entities of the Grant Thornton Group, interested parties in transaction |
Note: When we process your Personal Data based on our legitimate interests, we make sure to consider and balance any potential impact on you and your data protection rights. We will not use your Personal Data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted by law). You have certain rights when we process your Personal Data on this basis. For more information on exercising your data protection rights please see ‘Your Data Protection Rights’.
Data Retention
We will retain process your Personal Data for as long as is needed or as permitted based on the purpose(s) for which it was obtained and in accordance with applicable law. The criteria used to determine our retention periods include:
- the nature and length of our ongoing relationship with you and provide you/your organisation Services;
- whether there is a legal obligation under applicable laws or a requirement under professional standards to which we are subject; and
- whether retention is advisable considering our legal position (such as with respect to statutes of limitations, litigation, or regulatory investigations).
If you would like to find out more about our retention of your Personal Data, please contact us by e-mailing privacy.questions@us.gt.com.
Unsubscribe and Opt-out
If you wish to opt out of receiving marketing emails, newsletters or other such communications, you may do so at any time by clicking on the unsubscribe link provided in our communications or e-mailing us at privacy.questions@us.gt.com.
Automated Decision-making
We do not use profiling or make any decisions based solely on the automated processing of your Personal Information.
International Data Transfers
To facilitate our global operations, certain of our Services and Sites are provided from the United States and other locations. If you are resident in Europe, we may share, transfer or store Personal Data outside your country of residence (i.e., outside Europe) to certain recipients (mainly our affiliates and external service providers) in the United States, India, and other countries which we deem appropriate from time to time. The laws and practices in these countries may not have equivalent data protection and privacy rules to those under European Data Protection Laws. We will protect your Personal Data in accordance with this Addendum and our Privacy Statement.
Where these transfers of Personal Data occur, we ensure that a transfer mechanism and appropriate safeguards are in place to protect your Personal Data:
- For transfers (including, onward transfers) of Personal Data within the Grant Thornton Group to affiliates in the United States, we rely on the EU-US Data Privacy Framework and the UK-US Data Privacy Framework (UK and Gibraltar), as operated by the U.S. Department of Commerce. To learn more about the Data Privacy Framework (“DPF”), and to view our certification, please visit https://www.dataprivacyframework.gov/. Please also visit our dedicated webpage for more information about our participation in the DPF: https://www.grantthornton.com/privacy-policy/data-privacy-framework.
- For transfers (including, onward transfers) of your Personal Data within the Grant Thornton Group to affiliates based in other, non-European countries, we rely on the EU Standard Contractual Clauses ("SCCs"), the UK Addendum to the EU SCCs (e.g., India and Bermuda) or adequacy decisions (e.g., the Isle of Man).
- For transfers (including, onward transfers) of Personal Data to external providers, we rely on the DPF, the EU SCCs, UK Addendum, or adequacy decisions of the European Commission.
If you would like to find out more about any transfers relating to your Personal Data, please contact us by e-mailing privacy.questions@us.gt.com.
Your Data Protection Rights
As a European resident, you have a number of data protection rights under European Data Protection Laws, which are explained in the table below. You have a right to object to processing of your Personal data where that processing is based on our legitimate interests.
Data Protection Right | Further Information |
Right of Access | You have the right to request a copy of the Personal Data held by us about you and to access the Personal Data which we hold about you. |
Right to Object | You have a right to object at any time to the processing of your Personal Data where we process your Personal Data on the legal basis of pursuing our legitimate interests. |
Right to Rectification | You have the right to have any inaccurate Personal Data which we hold about you updated or corrected. |
Right to Erasure | In certain circumstances, you may also have your Personal Data deleted. For example, if you exercise your right to object and we do not have an overriding legitimate interest to continue processing your Personal Data or if we no longer require your Personal Data for the purposes as set out in this Addendum. |
Right to Restriction of Processing | You have the right to ask us to restrict processing your Personal Data in certain circumstances, including if you believe that the Personal Data that we hold about you is inaccurate or if our use of your Personal Data is unlawful. |
Right to Data Portability | You may request us to provide you with your Personal Data which you have given Grant Thornton in a structured, commonly used, and machine-readable format where our processing is based on performance of a contract or consent. |
Right to Object to Automated Decision-Making, including Profiling | You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning Data Subjects or similarly significantly affects them. Please note that we do not use profiling or make any decisions based solely on the automated processing of your Personal Data. |
Please bear in mind that your rights in relation to your Personal Data are not absolute and that we must be cognisant of our professional, legal, and regulatory obligations and duties.
How to Submit a Rights Request, Complaint or Question
To submit a rights request, complaint or question or to have an Authorised Agent submit a rights request, complaint, or question on your behalf where permitted by applicable law, please contact us at privacy.questions@us.gt.com, (877) 282-0109, or complete the web form located here.
We may request that you provide proof of your identity for security reasons and to prevent the unauthorised disclosure or misuse of Personal Data. We will only charge you for requests to access your Personal Data where they are manifestly unfounded or excessive. If, after contacting us, you are still not satisfied with our response, you have the right to lodge a complaint with the data protection authority of your European residence.
Addendum Changes
We reserve the right to amend or modify this Addendum from time to time. We will post any revised Addendum on this Site, or a similar website that replaces this Site. By continuing to use any of our Sites, you acknowledge the terms of this Addendum and the Privacy Statement as of the effective date will apply to information, including Personal Data, previously collected, or collected in the future as permitted by applicable law.
Who we are: Joint Controllers
References to "Grant Thornton" in this Addendum refer to the brand name under which the Grant Thornton member firms operate the business, provide services to (prospective) clients and/or refers to one or more member firms, as the context requires. The below joint controllers practice as an alternative practice structure:
Grant Thornton LLP is a licensed independent CPA firm that provides attest services to clients. Address: 171 N. Clark Street, Suite 200, Chicago, IL, 60601, United States. | Grant Thornton Advisors LLC provides tax and business consulting services to clients. Its address is 171 N. Clark Street, Suite 200, Chicago, IL, 60601, United States.
|
Grant Thornton Holdings Limited provides tax and business consulting services to clients. Address: 13-18 City Quay, Dublin 2, Dublin, Ireland. | Grant Thornton Assurance Ireland provides audit services to clients. Address: 13-18 City Quay, Dublin 2, Dublin, Ireland. |
Mailing Address:
If you have any questions, comments, or concerns about the way your Personal Data are being used or processed by Grant Thornton, please submit your question, comment or concern in writing to us using the contact details below:
Corporate Mailing Address: Grant Thornton LLP
Privacy Office - Risk, Regulatory & Legal Affairs
171 N. Clark Street, Suite 200
Chicago, IL 60601
Corporate Mailing Address:
Grant Thornton LLP
Privacy Office - Risk, Regulatory & Legal Affairs
171 N. Clark Street, Suite 200
Chicago, IL 60601