Privacy notice for external stakeholders
This Privacy Notice explains how Grant Thornton Luxembourg collects, uses, shares and otherwise processes the personal data of its stakeholders, including:
- Supplier
- Partner
- Visitor
- Event participant
- Client
- Third party acting for a client or being generally interested in our services and our publications
- External experts who are assigned in-house to support specific projects or functions at Grant Thornton Luxembourg and who are provided with access to its premises, systems, and a professional email address.
(hereinafter, collectively, “external stakeholders” or “you”)
The composition of “Grant Thornton Luxembourg” may change from time to time as a result of corporate transactions, restructuring, or business development. This Privacy Notice shall, however, at all times apply to the entities that operate under, or share, the trade name “Grant Thornton Luxembourg”.
This Privacy Notice is drafted in accordance with applicable data protection legislations, which include Regulation (EU) 2016/679 of the European Parliament and of the Council (the “General Data Protection Regulation” or “GDPR”).
Grant Thornton Luxembourg determines the purposes and means of the processing of your personal data and therefore acts as the “data controller” within the meaning of the GDPR. You are, in this context, the “data subject”.
We invite you to read this Privacy Notice carefully, as it sets out the context in which your personal data are processed and explains your rights as a data subject and our obligations as a data controller.
1. Personal data we collect about you
When using the term “personal data” in our Privacy Notice, we mean information that relates to you and allows us to identify you, either directly or in combination with other information that we may hold.
In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case it is no longer considered as personal data.
We may collect personal information from you in the course of our business, including through your use of our website, when you contact or request information from us, when you engage our services or as a result of your relationship with one or more of our staff and clients or when you visit our company premises.
Depending on the purposes pursued, we may collect the following information:
| Data category | Type |
| --- | --- |
| General personal identification information | |
| Professional information | |
| Financial information | |
| Tax information | Tax domicile and other tax-related documents and information |
| Technical information | Information in relation to materials and communication we send to you electronically |
| Device data | If you use our Wi-Fi or IT resources: |
| Event information | When you attend an event organised by us, we may collect: |
| Website analytics and cookies | When you visit our website, we may collect: |
| Marketing preferences/consents | |
If relevant to the products and services we provide to you, we will also collect information about your business partners (including other shareholders or beneficial owners), dependents or family members, representatives, and agents.
Additionally, where you act on behalf of a corporate client, we will also collect information about your directors, employees or shareholders. We kindly ask that you provide a copy of this privacy notice to any such individuals whose personal data you share with Grant Thornton Luxembourg, to ensure they are properly informed.
2. How we use your personal data
We always process your personal data for a specific purpose and only process the personal data which is relevant to achieve that purpose. In particular, we process your personal data for the following purposes:
- To establish, administer and implement a business relationship;
- To provide our services to you and manage our relationship with you, including communicating with you in relation to the products and services you obtain from us;
- To strengthen the existing business relationship or to develop a new business relationship or to approach interested parties including information on current legal developments and our range of services (Marketing);
- To fulfil our administrative purposes and protect our business interests;
- To ensure physical security of the people, items and confidential information located in or accessible from our premises;
- To comply with our legal obligations (e.g., laws of the financial sector, anti-money-laundering and tax laws), including disclosures to tax authorities, financial service regulators and other regulatory and governmental bodies, and investigating or preventing crime.
When you attend a Grant Thornton organised event, please be aware that we may also take photographs. These photographs serve various purposes including for marketing and promotional activities online.
According to applicable legislation, we differentiate between targeted and non-targeted photography. Targeted photos specifically focus on individuals and will only be taken with your consent.
Conversely, non-targeted photos, namely those capturing the general audience or atmosphere of the event, will be processed on the basis of Grant Thornton’s legitimate interest, in line with applicable legislation.
We will only use your personal data for the purposes for which we collected it and which we informed you about, unless we reasonably consider that we need to use it for another reason which is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
3. Legal basis for processing your data
We will not process your personal data unless there is a valid legal basis as provided by law. Therefore, we will only process your personal data if:
- The processing is necessary for the performance of a contract or for pre-contractual measures (Article 6(1)(b) of the GDPR);
- You have given your consent (Article 6(1)(a) of the GDPR);
- The processing is necessary to fulfil our legitimate interests (Article 6(1)(f) of the GDPR);
- The processing is necessary to comply with our legal or regulatory obligations (Article 6(1)(c) of the GDPR);
- The processing is necessary to protect your vital interests or those of another individual (Article 6(1)(d) of the GDPR).
Whenever we process your personal data on the basis of your consent, you have the right to withdraw your consent at any time by contacting us at dpo@lu.gt.com. Please note that the withdrawal of your consent does not affect the lawfulness of the personal data processing based on consent prior to its withdrawal.
4. Sharing your Personal Data
To achieve the purposes mentioned in section 2, the data is in some instances transmitted to the following recipients:
Internal employees who have permissions, on a need-to-know basis
In this case, an internal Data Protection Policy has been implemented and communicated to all employees of Grant Thornton Luxembourg, and data protection training sessions are delivered by our Data Protection Officer (DPO), together ensuring that employees are aware of, and comply with, the data protection principles and data subjects’ rights established by applicable data protection legislation, in particular Articles 25 and 39 of the GDPR.
Employees of other member firms of the Grant Thornton International Ltd Network
Grant Thornton Luxembourg is part of the Grant Thornton International Ltd network, which comprises member firms in more than 150 markets worldwide.
Grant Thornton Luxembourg may share your personal data with member firms of Grant Thornton International Ltd where necessary for the purposes of internal cooperation, coordination of services, and the provision of high-quality professional services on a global basis.
In this case, an inter-firm agreement has been entered into between Grant Thornton Luxembourg and the other member firms of the Grant Thornton International Ltd network, based on the Standard Contractual Clauses adopted by the European Commission, and appropriate technical and organisational measures have been put in place.
Employees of other member firms of the Grant Thornton Advisors multinational platform
Grant Thornton Luxembourg is a part of the Grant Thornton Advisors multinational platform, which currently covers certain Grant Thornton member firms in Europe, the United Arab Emirates, the Channel Islands, the Cayman Islands, New Zealand and Brazil. The scope of the platform may be expanded from time to time because of additional transactions or platform developments. For more information regarding Grant Thornton Luxembourg’s participation in the Grant Thornton Advisors multinational platform, please refer to our website news available here.
Grant Thornton Luxembourg may share your personal data with member firms of the Grant Thornton Advisors multinational platform where necessary for the purposes of facilitating internal cooperation, enhancing service delivery, and enabling you to benefit from a broader array of industry expertise and innovative solutions.
In this case, an inter-firm agreement has been entered into between Grant Thornton Luxembourg and the other Grant Thornton member firms of the Grant Thornton Advisors multinational platform, based on the Standard Contractual Clauses adopted by the European Commission, and appropriate technical and organisational measures have been put in place.
Other third parties, including
- IT, Network and technology systems providers;
- Professional advisors, auditors, external lawyers, public accountants and tax advisors for auditing purposes;
- Suppliers to whom we outsource certain support services such as word processing, translation, photocopying and document review;
- Insurance companies by reason of the conclusion of an insurance contract over the benefits or occurrence of the insured event (e.g., liability insurance);
- Cooperation partners and legal representatives acting on our behalf;
- Other recipients as determined by the client (i.e., group companies of the client).
In this case, appropriate due diligence is conducted, a data processing agreement is entered into between Grant Thornton Luxembourg and the subcontractor in question, and appropriate technical and organisational measures are put in place in accordance with Articles 28 and 32 of the GDPR.
Administrative authorities, courts, tribunals, government agencies, law enforcement agencies and notaries
Furthermore, personal data of employees of our clients within the framework of payroll services may be shared with:
- Creditors of the employee and other parties involved in legal proceedings, including in the case of a voluntary assignment of salary for due receivables;
- Organs of the workforce and legal representation;
- Insurance companies within existing group or individual insurance as well as employee pension funds;
- Banks dealing with the payment to the employee or to third parties;
- Company doctors and employee pension funds;
- Co-insured persons.
Additionally in the field of financial and administrative accounting for clients, personal data may be shared with:
- Collection agencies for debt collection;
- Banks on behalf of the client;
- Factoring-companies, assignees and leasing companies.
When your personal data is transferred (including in the case of remote access) to a country outside the European Economic Area that is not subject to an adequacy decision, appropriate safeguards in accordance with Chapter V of the GDPR are put in place, such as Standard Contractual Clauses adopted and approved by the European Commission.
You may request additional information in relation to such cross-border transfers and obtain a copy of the safeguards put in place by Grant Thornton Luxembourg by contacting our Data Protection Officer (DPO) at dpo@lu.gt.com.
An inter-firm agreement between all Grant Thornton member firms that share and process personal data with Grant Thornton Luxembourg is in place. Where third-party service providers process personal data outside the EEA in the course of providing services to us, our written agreement with them will include appropriate measures, usually in the form of Standard Contractual Clauses.
5. Data retention period
Your personal data is stored by Grant Thornton Luxembourg only for as long as is necessary for the purpose for which we obtained it. The retention period will depend upon several factors, such as the duration of the contract concluded with you, or legal requirements imposed on Grant Thornton Luxembourg.
For example, data collected in the scope of client onboarding is held in line with applicable AML/CFT legislation, namely from five up to 10 years following the end of the business relationship, as provided for in Article 3(6) of the 2004 AML Law.
Administrative documents, including those for accounting and finance purposes, are kept for 10 years from the closure of the financial year they relate to (Art. 14 and 16 of the Commercial Code).
Data used for commercial prospecting purposes is kept for a period of 3 years from the end of the commercial relationship (i.e. from the expiry date of a contract, or of the last contact from the customer) in line with the CNIL recommendation n°2013-213.
Photos collected from events may be stored for up to 2 years for the purposes of internal publications (e.g. in our Sustainability Report) and external publications (e.g. on our website or LinkedIn page).
Upon expiry of the applicable retention period, we will securely destroy your personal data in accordance with applicable laws and regulations.
6. Security
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk so that the processing complies with the GDPR.
These measures must provide a level of security that is appropriate in light of the technical standards and the type of personal data processed, and also taking into account:
- The state of the art and implementation costs;
- The nature, scope, context, and purposes of processing; and
- The likelihood and severity of the risk to the rights and freedoms of natural persons.
Grant Thornton Luxembourg is also ISO 27001 certified. This internationally recognised standard demonstrates our dedication to implementing and maintaining robust information security management systems. ISO 27001 sets forth rigorous criteria for identifying, assessing, and mitigating information security risks, ensuring the confidentiality, integrity, and availability of sensitive data.
Security requirements are continually evolving, and effective security requires frequent assessment and regular improvement of outdated security measures. We are committed to continuously evaluate, strengthen, and improve the measures we implement.
7. What are your rights regarding your personal data?
As a natural person, you have a number of rights regarding your personal data, including:
- The right to be informed: You are entitled to be informed in a clear, transparent and easily understandable way about how we use your personal data and about your rights;
- The right of access: You can request access to the data concerning you at any time as well as a copy of the data;
- The right to rectification: You can request at any time that inaccurate or incomplete data be rectified;
- The right to request the erasure of data: You can request that your data be deleted when, for example, the data is no longer necessary for the purposes for which it was collected or processed;
- The right to restriction of processing: You can request that Grant Thornton Luxembourg restrict the processing of data if, for example, you question the accuracy of the data concerning you or if you object to the processing of data concerning you;
- The right to data portability: You have the right to have your data transferred to another data controller in a structured, commonly used and machine-readable format, if the processing is carried out by automated means or if it is based on prior consent;
- The right to object to data processing: You can object to the processing of your data and can withdraw your consent if the processing is based on consent, for example if the data is used for commercial prospecting purposes.
We do not carry out any automated decision-making, including profiling, within the meaning of Article 22 of the GDPR, and no decisions producing legal effects concerning you, or similarly significantly affecting you, are made solely on the basis of automated processing of your personal data.
For more information or if you wish to exercise your rights, please contact our Data Protection Officer (DPO) at dpo@lu.gt.com.
Requests will be dealt with by the DPO and will be responded to within 1 month at the latest, starting from the moment of your identity confirmation. We may extend the time limit by a further 2 months if the request is complex or if we have received a high number of requests.
We may request additional information to help us confirm your identity, where deemed necessary, when you exercise any of your rights. This is a security measure to ensure that your personal data is not disclosed to an unauthorised person.
You will in general not have to pay a fee to exercise any of your individual rights mentioned in this Privacy Notice. However, we may charge a reasonable fee if your request to exercise your individual rights is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
You also have the right to lodge a complaint at any time with the National Commission for Data Protection (CNPD), the Luxembourg supervisory authority for data protection issues, or, as the case may be, any other competent supervisory authority of an EU member state.
8. Updates to the Privacy Notice
We keep this Privacy Notice under regular review, and we may change, modify, add, or remove portions from the Privacy Notice at any time. We will inform you of any modifications or changes to this Privacy Notice prior to such changes taking effect.
Last update: 2 March 2026