Candidate privacy notice

This Privacy Notice explains how Grant Thornton Luxembourg (“Grant Thornton Luxembourg”, “we”, “us” or “our”) collects, uses, shares, and otherwise processes your Personal Data in connection with your relationship with us as a candidate to a job offer, acting in accordance with applicable data privacy laws and regulations, which include the General Data Protection Regulation 2016/679 (“GDPR”).

We control the ways your personal data are collected and the purposes for which we use your personal data acting as “data controller” in the context of the GDPR.

Grant Thornton Luxembourg includes the following legal entities:

Abax Trust S.A.
Compliance & Control, S.A.
Grant Thornton (Luxembourg) Holdings S.à r.l.
Grant Thornton Advisory S.A.
Grant Thornton Audit & Assurance S.A.
Grant Thornton Consulting S.A.
Grant Thornton Financial Services S.A.
GT Lux Audit & Assurance Holdco, S.à r.l.
GT Lux Corporate & Insurance Services Holdco, S.à r.l.
GT Lux Operations
Grant Thornton Participations S.à r.l.
Grant Thornton Recovery & Reorganisation S.A.
Grant Thornton Tax & Accounting S.A.
Grant Thornton Technology S.A.
Grant Thornton Vectis S.A.
Tax Consult S.A.
Turbo Palace Buyer S.à r.l.

The composition of “Grant Thornton Luxembourg” may change from time to time as a result of corporate transactions, restructuring, or business development. This Privacy Notice shall, however, at all times apply to the entities that operate under, or share, the trade name “Grant Thornton Luxembourg”.

1. Personal data we collect about you

When using the term “personal data”, we mean information that relates to you and allows us to identify you, either directly or in combination with other information that we may hold.

We collect the data you include in your job application when you send us a spontaneous application or apply by email to a job offer:

Identification data: name, surname, title
Contact information: postal address, e-mail address, phone number
Professional data: current position, work experience, educational background, CV, and cover letter
In certain cases, a criminal record may be requested, in line with the applicable laws
For certain regulated entities of Grant Thornton Luxembourg, a background check may be performed when required by the law.

Only the data that is strictly necessary for the purposes of processing your application is requested by us and does not include any special categories of personal data such as political opinions, religious beliefs or data concerning health.

We also collect personal data from:

Your named referees, from whom we collect the following categories of data: name, periods of previous employment, performance during previous employment;
Our referral program enabling our employees to recommend potential new hires;
Publicly accessible sources, such as LinkedIn, where we collect: name, email, academic and work history, and other relevant data included on your profile;
Third parties’ databases (for the background checks where required by law)
Recruitment agencies we use for our hiring needs.

By providing your data, you expressly agree that your data will be processed by Grant Thornton Luxembourg for the purposes indicated in the section 2 below. We may not be able to process your application further if you do not provide the personal data described above.

2. How do we use your personal data

We process your personal data for the following purposes:

Processing of applications received (registering, entering information in the database…);
Assessment of the qualifications and skills needed to perform the job you are applying for;
Communication concerning the hiring process (e-mails, phone calls, SMS messages);
Referrals checks (where applicable);
Holding unsuccessful applicants’ CV on file (where applicable) for the purposes of: (1) Complying with legal and regulatory requirements relating to discrimination or equal opportunities, or (2) for contacting you for future employment opportunities, provided you have agreed to that;
Complying with Anti-Money Laundering and Countering the Financing of Terrorism law (AML/CFT).
Where necessary, for the purposes of internal cooperation, coordination of services, and the provision of high-quality professional services on a global basis.

Please note that in our recruitment process, we make use of Skeeled, a talent acquisition platform, to efficiently manage candidate applications and streamline the hiring process. This platform is designed to collect and store personal information provided by job applicants securely. For detailed information on how your personal data is collected, used, and safeguarded on the platform, please refer to the Skeeled Data Protection Notice.

3. Legal basis for data processing

We will not process your personal data unless there is a valid legal basis as provided by law. For the purposes explained under Section 2, we will only process your personal data if one of the following legal bases is met:

Legitimate interest of the employer (Article 6(1)(f) of the GDPR);
Performance of a contract or precontractual measures, depending on the stage of the recruitment process when the communication takes place (Aricle 6(1)(b) of the GDPR);
Consent (Article 6(1)(a) of the GDPR): we will only contact your referrals if you give us your explicit consent; or if you have given us your consent to keep your CV for a longer period of time in case you are a fitting candidate for another similar vacant role);
Legal obligation of the employer (Article 6(1)(c) of the GDPR).

Whenever we process your personal data on the basis of your consent, you have the right to withdraw your consent at any time by contacting us as indicated below. Please, note that the withdrawal of your consent does not affect the lawfulness of the personal data processing based on consent prior to its withdrawal.

4. To whom might we disclose your personal data?

To achieve the purposes listed in Section 2, the data is transferred to the following recipients:

Our internal HR department and managers who are involved in the recruitment process, on a need-to-know basis;

In this case, an internal Privacy Policy was implemented and communicated to all employees of Grant Thornton Luxembourg, as well as data protection training sessions delivered by our Data Protection Officer (DPO), all together to ensure that the employees are aware of, and comply with, the data protection principles and data subjects’ rights established by applicable data protection legislations, especially in line with Articles 25 and 39 of the GDPR.

Third-party service providers acting as subcontractors and on instruction from Grant Thornton Luxembourg.

Where a service provider is involved, appropriate due diligence is conducted, a data processing agreement is entered into between Grant Thornton Luxembourg and the subcontractor in question and appropriate technical and organisational measures are put in place.

When your personal data is transferred (including in the case of remote access) to a country outside the European Economic Area that is not subject to an adequacy decision, appropriate safeguards in accordance with Chapter V of the GDPR are put in place, such as Standard Contractual Clauses adopted and approved by the European Commission.

You may request additional information in relation to such cross-border transfers and obtain a copy of the safeguards put in place by Grant Thornton Luxembourg by contacting our Data Protection Officer (DPO) at dpo@lu.gt.com.

Employees of other member firms of the Grant Thornton International Ltd Network

Grant Thorton Luxembourg is part of the Grant Thornton International Ltd network, which comprises member firms in more than 150 markets worldwide.

Grant Thornton Luxembourg may share your personal data with member firms of Grant Thornton International Ltd where necessary for the purposes of internal cooperation, coordination of services, and the provision of high-quality professional services on a global basis.

In this case, an inter-firm agreement was entered between Grant Thornton Luxembourg and other member firms of Grant Thornton International Ltd network, based on the Standard Contractual Clauses adopted by the European Commission, and appropriate technical and organisational measures are put in place.

Employees of other member firms of the Grant Thornton Advisors multinational platform

Grant Thornton Luxembourg is a part of the Grant Thornton Advisors multinational platform, which currently covers certain Grant Thornton member firms in Europe, the United Arab Emirates, the Channel Islands, the Cayman Islands, New Zealand and Brazil. The scope of the platform may be expanded from time to time because of additional transactions or platform developments. For more information regarding Grant Thornton Luxembourg’s participation in the Grant Thornton Advisors multinational platform, please refer to our website news available here.

In very limited instances, Grant Thornton Luxembourg may share your personal data to member firms of the Grant Thornton Advisors multinational platform, where necessary for the purposes of facilitating internal cooperation, enhancing service delivery, and enabling you to benefit from a broader array of industry expertise and innovative solutions.

In this case, an inter-firm agreement was entered between Grant Thornton Luxembourg and other member firms of the Grant Thornton Advisors multinational platform, based on the Standard Contractual Clauses adopted by the European Commission, and appropriate technical and organisational measures have been put in place.

5. Data retention period

Your personal data is stored by Grant Thornton Luxembourg only for as long as it is necessary for the purpose for which we obtained them. Thus, if your applications are unsuccessful, we will retain your personal data for up to two (2) years after the end of the recruitment process.

We may also contact you in case a similar role becomes vacant for which you could be a fitting candidate, only if you have given us your consent for that beforehand.

Also, we retain your personal data in order to prove, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment process and the pre-employment screening in a fair and transparent way.

In cases where we request a criminal record as part of the pre-employment screening procedure, we will retain this in line with legal obligations under Art. 8-5 (2) of the Luxembourgish "Loi du 23 juillet 2016 portant modification de la loi du 29 mars 2013 relative à l’organisation du casier judiciaire", namely:

For successful candidates, for 1 month from the beginning of the employment relationship.
For unsuccessful candidates, this will be immediately deleted after the rejection of the job application.

6. Security

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk so that the processing complies with the GDPR.

These measures must provide for a level of security considered appropriate considering the technical standards and the type of personal data processed but also:

The state of the art and implementation costs;
The nature, scope, context, and purposes of processing; and
The likelihood and severity of the risk to the rights and freedoms of natural persons.

Grant Thornton Luxembourg is also ISO 27001 certified. This internationally recognised standard demonstrates our dedication to implementing and maintaining robust information security management systems. ISO 27001 sets forth rigorous criteria for identifying, assessing, and mitigating information security risks, ensuring the confidentiality, integrity, and availability of sensitive data.

Security requirements are continually evolving, and effective security requires frequent assessment and regular improvement of outdated security measures. We are committed to continuously evaluate, strengthen, and improve the measures we implement.

7. What are your rights regarding your personal data?

As a natural person, you have several rights regarding your personal data including:

Be informed in a clear, transparent and easily understandable way about how we use your personal data and about your rights.
The right of access: You can request access to the data concerning you at any time as well as a copy of the data;
The right to rectification: You can request at any time that inaccurate or incomplete data be rectified;
the right to request the erasure of data: You can request that your data be deleted when, for example, the data is no longer necessary for the purposes for which it was collected or processed;
The right to restriction of processing: You can request that Grant Thornton Luxembourg restrict the processing of data if, for example, you question the accuracy of the data concerning you or if you object to the processing of data concerning you;
The right to data portability: You have the right to have your data transferred to another data controller in a structured, commonly used and machine-readable format, if the processing is carried out by automated means and if it is based on prior consent or on a contract to which you are a party;
The right to object to data processing: You can object to the processing of your data and can withdraw your consent if the processing is based on consent, for example if the data is used for commercial prospecting purposes.
We do not carry out any automated decision-making during the recruitment process, including profiling, within the meaning of Article 22 of the GDPR. And no decisions producing legal effects concerning you, or similarly significantly affecting you, are made solely based on automated processing of your personal data.

You can exercise your rights by contacting the Data Protection Officer (DPO) by email at DPO@lu.gt.com.

Requests will be dealt with by the DPO and will be responded to within 1 month starting from the moment of your identity confirmation. We may extend the time limit by a further 2 months if the request is complex or if we have received a high number of requests from individuals.

We may request additional information to help us confirm your identity where deemed necessary, when you exercise any of your right. This is a security measure to ensure the non-disclosure of your personal information to an unauthorized person.

You will in general not have to pay a fee to exercise any of your individual rights mentioned in this Policy. However, we may charge a reasonable fee if your request to exercise your individual rights is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

You also have the right to lodge a complaint at any time with the National Commission for Data Protection (“CNPD”), the Luxembourg supervisory authority for data protection issues, or any other competent supervisory authority of an EU member state.

8. Updates to the Privacy Notice

We keep this Privacy Notice under regular review, and we may change, modify, add, or remove portions from the Privacy Notice at any time. We will post any modifications or changes to this Privacy Notice on our website prior to such changes taking effect.

Last update: 2 March 2026

Audit & Assurance

Advisory

Financial Services

Tax & Accounting

Technology

Internal Audit

Asset management

Banking

Consumer products

Energy & natural resources

European Institutions Desk

Expatriates

Healthcare

Liberal professions

Not for profit

PFS

Real estate & construction

Services to SME

Careers