This Candidate Privacy Notice explains how Grant Thornton Luxembourg(1) (“Grant Thornton Luxembourg”, “we”, “us” or “our”) collects, uses, shares, and otherwise processes your Personal Data in connection with your relationship with us as a candidate for a job offer, acting in accordance with applicable data privacy laws and regulations, which include the General Data Protection Regulation 2016/679 (“GDPR”), applicable as of 25 May 2018.
We control the ways your personal data are collected and the purposes for which we use your personal data acting as “data controller” in the context of the GDPR.
(1) Grant Thornton Luxembourg includes the following companies: Grant Thornton Tax & Accounting S.A.; Grant Thornton Audit & Assurance S.A.; Grant Thornton Financial Services S.A.; Grant Thornton Recovery & Reorganisation S.A.; Grant Thornton Advisory S.A.; Grant Thornton Vectis S.A.
1. Personal data we collect about you
When using the term “personal data”, we mean information that relates to you and allows us to identify you, either directly or in combination with other information that we may hold.
We collect the data you include in your job application when you send us a spontaneous application or apply by email to a job offer:
- Identification data: name, surname, title
- Contact information: postal address, e-mail address, phone number
- Professional data: current position, work experience, educational background, CV, and cover letter.
We request only the data that is strictly necessary for the purposes of processing your application. This does not include any special categories of personal data such as political opinions, religious beliefs or data concerning health.
We also collect personal data from:
- Your named referees, from whom we collect the following categories of data: name, periods of previous employment, performance during previous employment;
- Our referral program enabling our employees to recommend potential new hires;
- Publicly accessible sources, such as LinkedIn, where we collect: name, email, academic and work history, and other relevant data included on your profile;
- Recruitment agencies we use for our hiring needs.
By providing your data, you expressly agree that your data will be processed by Grant Thornton Luxembourg for the purposes indicated in section 2 below. We may not be able to process your application further if you do not provide the personal data described above.
2. How do we use your personal data?
We process your personal data for the following purposes:
(a) Processing of applications received (registering, entering information in the database…);
(b) Assessment of the qualifications and skills needed to perform the job you are applying for;
(c) Communication concerning the hiring process (e-mails, phone calls, SMS messages);
(d) Referral checks (where applicable);
(e) Holding unsuccessful applicants’ CV on file (where applicable);
(f) Complying with legal and regulatory requirements relating to discrimination or equal opportunities.
3. Legal basis for data processing
For the purposes explained under point 2.:
(a) Performance of a contract or precontractual measures;
(b) Performance of a contract or precontractual measures;
(c) Performance of a contract or precontractual measures;
(d) Consent: we will only contact your referrals if you give us your explicit consent;
(e) Consent: we need your explicit consent to keep your CV for a longer period of time in case you are a fitting candidate for another vacant role;
(f) Legal obligation.
Whenever we process your personal data on the basis of your consent, you have the right to withdraw your consent at any time by contacting us as indicated below. Please note that the withdrawal of your consent does not affect the lawfulness of the personal data processing based on consent prior to its withdrawal.
4. To whom might we disclose your personal data?
To achieve the purposes listed in point 2, the data is transferred to the following recipients:
- HR department and managers involved in the recruitment process;
- Third-party service providers acting as subcontractors and on instruction from Grant Thornton Luxembourg.
In this case, a contract is drawn up between Grant Thornton Luxembourg and the subcontractor in question and appropriate technical and organisational measures are put in place in accordance with Articles 28 and 32 of the GDPR.
When your personal data is transferred (including in the case of remote access) to a country outside the European Union that is not subject to an adequacy decision, appropriate safeguards in accordance with Chapter V of the GDPR are put in place, such as standard contractual clauses adopted and approved by the European Commission.
Should third parties use your personal data for their own purposes (as a data controller), we are not responsible for the handling of such data. In such instances, we encourage you to refer to their privacy notice for further details on how your personal data is being handled.
5. Data retention period
Your personal data is stored only for the time necessary in relation to the purposes pursued by Grant Thornton Luxembourg. Thus, if you are unsuccessful and upon your explicit consent, we will retain your personal data for up to 2 years after the end of the recruitment process, so we can contact you in case a similar role becomes vacant for which you could be a fitting candidate.
Also, we retain your personal data in order to prove, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment process and the pre-employment screening in a fair and transparent way.
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk so that the processing complies with the GDPR.
These measures must provide for a level of security considered appropriate considering the technical standards and the type of personal data processed but also:
- The state of the art and implementation costs;
- The nature, scope, context, and purposes of processing; and
- The likelihood and severity of the risk to the rights and freedoms of natural persons.
Security requirements are continually evolving, and effective security requires frequent assessment and regular improvement of outdated security measures. We are committed to continuously evaluating, strengthening, and improving the measures we implement.
7. What are your rights regarding your data?
As a natural person, you have several rights regarding your personal data including:
- The right of access: You can request access to the data concerning you at any time as well as a copy of the data;
- The right to rectification: You can request at any time that inaccurate or incomplete data be rectified;
- The right to request the erasure of data: You can request that your data be deleted when, for example, the data is no longer necessary for the purposes for which it was collected or processed;
- The right to restriction of processing: You can request that Grant Thornton Luxembourg restrict the processing of data if, for example, you question the accuracy of the data concerning you or if you object to the processing of data concerning you;
- The right to data portability: You have the right to have your data transferred to another data controller in a structured, commonly used and machine-readable format, if the processing is carried out by automated means or if it is based on prior consent;
- The right to object to data processing: You can object to the processing of your data and can withdraw your consent if the processing is based on consent, for example if the data is used for commercial prospecting purposes.
You can exercise your rights by contacting the Data Protection Officer (DPO) at the address shown below, or by email at DPO@lu.gt.com.
Requests will be dealt with by the DPO and will be responded to within 1 month starting from the moment of your identity confirmation. We may extend the time limit by a further 2 months if the request is complex or if we have received a high number of requests from individuals.
We may request information from you to help us confirm your identity and to ensure that you have the right to access this information (or to exercise any other of your rights). This is a security measure to ensure the non-disclosure of your personal information to an unauthorised person.
You will in general not have to pay a fee to exercise any of your individual rights mentioned in this Policy. However, we may charge a reasonable fee if your request to exercise your individual rights is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
If you are not satisfied with our response, you also have the right to lodge a complaint at any time with the National Commission for Data Protection (“CNPD”), the Luxembourg supervisory authority for data protection issues, or any other competent supervisory authority of an EU member state.
8. Updates to the Privacy Notice
We keep this Privacy Notice under regular review, and we may change, modify, add, or remove portions from the Privacy Notice at any time. We will post any modifications or changes to this Privacy Notice on our website prior to such changes taking effect.
Last update: 19 May 2022