Privacy policy

Personal data

Why we process personal data

Personal data is registered and processed by Grant Thornton mainly in administrative purposes, to provide the Websites, to perform the service requested for which the personal data was supplied and to communicate with our visitors.

We must have a valid reason to be able to process your personal data. Unless otherwise is stated below, our reason is a legitimate interest or to perform a contract. Processing may also be required for us to fulfil legal obligations.

Grant Thornton’s legitimate interest is primarily to fulfil the commitment for which the personal data was provided to us, but also to provide you and your organisation with information (events, marketing and news) in areas that be believe are relevant to you in your professional role or your role as a student or job-seeker. When necessary the legitimate interest may also be to defend a legal claim.

Grant Thornton process personal data with the purpose of e.g.:

• Managing registration and participation to our events/seminars
• Managing the ordering and supplying of publications, subscriptions for newsletter, magazines or other products,
• Managing responses in client and market researches or other surveys,
• Marketing of our products and services
• Informing about news such as entrepreneurship, business development, regulatory changes, surveys and other changes in the market or within our company,
• Managing job applications or spontaneous applications of interest in employment or internship
• Managing questions or other requests of contact or information
• Compiling data for business and method development as well as for statistical purposes and analysing visitor’s demographics, interests and behaviours to gain better understanding of our visitors and clients. Information is compiled and analysed on an aggregated and pseudonymised basis.

What personal data do we process

“Karriär”, Get Accounting Day, Get Audit Day and Reachmee

When you apply for a vacant job or send us a spontaneous job application we mainly process the following personal information; name, year of birth, gender, e-mail address, telephone number, address, answers to questions in the application form, CV, personal letter, other attached documents (typically grades and certificates) and reports form the capacity test.

Your personal data will be registered with the purpose of complete the recruitment process. Grant Thornton will save the data and information you register and provide us with in connection to your application in a candidate profile. Your data is stored for two years after completing the recruitment process.

Provided data may be forwarded to suppliers of recruitment and testing tools.

In our recruitment process we use a tool for capacity testing. If your result is below a predetermined level, you will automatically receive a message stating that you have not proceeded in the recruitment process. However, such message does not include profiling or assessment of specific characteristics.

Seminars, events and networks, newsletters, Target and literature etc.

When you order a publication, register for or participate in a seminar or other event, register for a newsletter etc. you will be asked to provide certain personal data, e.g. name, address, personal identification number, employer or company, title, departmental affiliation, telephone number, e-mail address and invoicing data.

Our seminars, events and meet-ups may include photographing and audio-visual recordings. This may be used to inform about our organisation and business on the Websites and social media. If you have any objections to us using an image where you can identify yourself, please contact us in accordance with below.

Your personal data is registered and stored in order to administer, prepare and evaluate meetings and membership in networks, answering inquiries, deliver orders or marketing seminars, events or news by e-mail.

Provided information may be forwarded to suppliers providing our event tool, CRM system or equivalent, downloading services for literature and arranging meetings or partners when organizing seminars or network events.

GDPR inquiries etc.

When you send us a general inquiry you will be asked to provide certain personal data, such as name, city, company, telephone number or e-mail address. For GDPR related requests you will also be asked to provide information about your relation to Grant Thornton and personal identification number.

The personal data you provide when making an inquiry is registered and stored for the purpose of managing and responding to the inquiry and if necessary to identify you in order to fulfil the request. The personal data is stored in order to fulfil legal or contractual obligations such as documentation requirements or defending legal claims.

Provided information in connection with a GDPR related request is stored with by suppliers providing services for electronic forms and identification. 

Grant Thornton’s client portal

A user account may be issued to the client’s users according to an engagement letter, including general terms and conditions. Users will primarily be identified by name, e-mail address and personal or national identification numbers. If the client is a natural person all data stored on its account is personal data, which includes accounting information, bank details, personal identification number etc.

Miscellaneous

In addition to the above, we will store personal data which you freely have chosen to provide us with, e.g. in following e-mail correspondence. Our intention is not to ask for any special categories of personal data (“sensitive data”) such as health related information. If you choose to provide us with such information, e.g. when registering for a seminar or in a job application, we have to assume that you want us to process these data in accordance with this policy.

Transferring personal data

Besides what is stated above Grant Thornton may transfer personal data to the international organisation of which Grant Thornton is a member (Grant Thornton International Ltd) or another member firm. Personal data may also be transferred to suppliers of IT related services and systems. Recipients may be based inside and outside the EU/EEA. When transferring personal data for processing in a country outside the EU/EEA, which does not certify an adequate level of security, Grant Thornton will ensure that the personal data is subject to appropriate safeguards in accordance with applicable data protection legislation.

Personal data may be transferred to insurance companies and legal advisors in connection with legal proceedings if necessary for Grant Thornton to exercise its legitimate interests or other recipients if provided by legislation, regulations or governmental decisions.

In addition, personal data will not be transferred unless Grant Thornton is obliged or allowed to do so by law or when required for the purpose of carrying out our business (such as outsourcing or other external management).

How long is personal data stored

Grant Thornton takes reasonable measures to store personal data only for as long as is necessary to fulfil the purposes for which it was collected, such as providing seminars or literature, managing job applications or complaints and for our legitimate reason of providing you with information about events, marketing and news covering relevant topics.

Personal data that we process for sending newsletters, subscriptions or notifications about other updates are stored until you terminate the subscription, which is easiest to do by a link in the e-mail or via Contact Us.

Grant Thornton’s client portal

A user account will be deactivated or deleted if the user is no longer active with the client, which is addressed as soon as the client inform Grant Thornton. Personal data which is also accounting material will be stored according to applicable legislation and the engagement letter with the client. At the time the Swedish Book-keeping Act (Sw: bokföringslagen) constitute a retention period of 7 years from the closing date of the financial year.

Security measures

Unfortunately, no data transmission over the Internet or other networks are completely secure, but Grant Thornton takes reasonable and appropriate measures to ensure that personal information is processed securely and in accordance with this policy, protected against unauthorised access, alteration and destruction.

Grant Thornton implements appropriate technical and organisational measures to ensure the protection of personal data, considering what is deemed appropriate for applicable categories, scope and sensitivity of the personal data. Grant Thornton’s systems and organisation are managed so that unauthorised persons do not have access to the personal data being processed. For more information about technical and organisational security measures, please visit Security information.

To ensure that no unauthorised person request and gain access to your personal data we apply an advanced electronic identification tool for the requesting process. The personal data we process for identification purposes is transferred to the supplier of such service, who stores it with the purpose of fulfilling the documentation requirements according to applicable data protection legislation.

According to legislation and professional obligations, including professional ethics, requirements of organisational security measures also apply, which may include:

• Confidentiality obligations for everyone working for or with Grant Thornton, including all information which has been obtained during or in connection with operations with Grant Thornton.
• Written data protection agreements with suppliers and consultants.
• Internal routines, training and policies covering careful handling of personal data, as well as data minimisation, purpose limitation, accuracy, storage limitation and incident management.

Grant Thornton’s client portal

For your safety, login to the client portal is done through a two-step authentication procedure. Users are personally responsible for not making the login procedure available to unauthorised persons. Users are also responsible for using appropriate technologies to prevent the mobile device not being affected by viruses or similar and not being transferred to the client portal. Grant Thornton’s client portal has the following access on your mobile device:

• Access to the Internet – for the client portal to communicate with Grant Thornton’s servers and systems when using the client portal, as well as other communication with Grant Thornton.
• Access to the camera and photo gallery – to allow the use of images in connection with sending documents.

Log in details may not be shared or used by more than one user. Each user is responsible for confidentiality and the correctness of log in details and other account information. A user must inform Grant Thornton immediately in the event of unauthorised access to log in details.

The Client Portal may not be used for any illegal or unauthorised purpose and the client or the user may not act in violation of any applicable legislation in a relevant jurisdiction or transfer offensive, threatening, defamatory or other offensive data to, or with the help of, the client portal.  

Rights

As a data subject you have several rights according to the GDPR. You have the right to request information whether or not your personal data are being processed and if so, a right of access to your personal data, in form of a subject access request. You also have the right to ask for rectification of inaccurate personal data. Unless an exception applies you may also request for erasure, limitation or object to further processing of personal data and under certain circumstances you may have the right to data portability. However, there may be limitations by law, professional regulations and other provisions that restrict these rights.

If you have any questions or concerns about how Grant Thornton processes your personal data please contact our Data Protection Officer, you´ll find contact information below. If you think we haven´t handled your personal data responsibly and in line with the GDPR you also have the right to make a data protection complaint to the supervisory authority in Sweden, the Swedish Authority for Privacy Protection (IMY). You file such complaint here: Complain about incorrect processing of your personal data | IMY

A subject access request can be made by our Request form or in writing to our postal address, which then requires your name, personal identification number and signature.

Last updated 2023-12-20