1. Who is responsible for your Personal Data

This Privacy Notice explains how Grant Thornton Luxembourg[1] (“Grant Thornton Luxembourg”, “we”, “us” or “our”) collects, uses, shares and otherwise processes your Personal Data in connection with your relationship with us as a Grant Thornton Luxembourg’s client, acting for a client or being generally interested in our services and our publications in accordance with applicable data privacy laws and regulations, which include the General Data Protection Regulation 2016/679 (“GDPR”) which is applicable as of 25 May 2018.

We control the ways your Personal Data are collected and the purposes for which we use your Personal Data acting as “data controller” for the purposes of the GDPR.


2. Personal data we collect about you

When using the term “Personal Data” in our Privacy Notice, we mean information that relates to you and allows us to identify you, either directly or in combination with other information that we may hold. Your Personal Data may include for example your name, your contact details, bank details or information on how you interact with us.

We will process your Personal Data if and to the extent applicable law provides a lawful basis for us to do so. We will therefore process your Personal Data only:

  1. If you have consented to us doing so, or
  2. If we need it to perform the contract we have entered into with you; or
  3. If we need it to comply with a legal obligation; or
  4. If we (or a third party) have a legitimate interest which is not overridden by your interests or fundamental rights and freedoms. Such legitimate interests may for instance be the provision of services by us, administrative or operational processes and direct marketing.

Categories of data we collect

We may collect personal information from you in the course of our business, including through your use of our website, when you contact or request information from us, when you engage our services or as a result of your relationship with one or more of our staff and clients.


Data category


Personal identification information

  • Name and surname
  • Title, Salutation (Mr / Mrs / Ms)
  • Postal and/or e-mail address
  • Phone numbers
  • Identification number
  • Date of birth
  • Publicly available information (such as LinkedIn profile etc.)
  • KYC documents (including a copy of your passport or national identity card)
  • Content you provide (such as CV, education history, comments, responses to questions)

Professional information

  • Job title
  • Department and name of organisation

Financial Information

  • Payment related information
  • Information relating to your assets

Tax information

  • Tax domicile and other tax related documents and information

Technical information

  • Information from your visits to our website or in relation to materials and communication we send to you electronically

 If relevant to the products and services we provide to you, we will also collect information about your business partners (including other shareholders or beneficial owners), dependents or family members, representatives, and agents. Additionally, where you are a corporate client, we will also collect information about your directors, employees or shareholders. Before providing Grant Thornton Luxembourg with this information, you should provide a copy of this notice to those individuals.

Sensitive personal data

In the course of providing services to you, we may collect information that could reveal your racial or ethnic origin or conviction of criminal offences. Such information is considered as “sensitive personal data” under the GDPR. We only collect this information in the case you have given your explicit consent, it is necessary according to legal obligations, or you have deliberately made it public.

For example, we may collect this information during the onboarding phase at the beginning of our business relationship when you provide us with an extract of your criminal record. Also, when you provide us with your personal documentation such as CV, copy of passport or ID card, your nationality and/or photo may imply your racial or ethnic origin.

By providing any sensitive personal data you explicitly agree that we may collect and use it in order to provide our services and in accordance with this Privacy Notice.

If you do not allow us to process any sensitive personal data, this may lead to us being unable to provide all or parts of the services that you have requested from us.


3. How and why we use your Personal Data

We always process your Personal Data for a specific purpose and only process the Personal Data which is relevant to achieve that purpose. In particular, we process your Personal Data for the following purposes:

  • To establish, administer and implement a business relationship;
  • To strengthen the existing business relationship or to develop a new business relationship or to approach interested parties including information on current legal developments and our range of services (Marketing);
  • To provide our services to you and manage our relationship with you, including communicating with you in relation to the products and services you obtain from us;
  • To fulfil our administrative purposes and protect our business interests;
  • To comply with our legal obligations (e.g. laws of the financial sector, anti-money-laundering and tax laws), including disclosures to tax authorities, financial service regulators and other regulatory and governmental bodies, and investigating or preventing crime;
  • To ensure the safety of our clients, employees and other stakeholders;
  • Any other purposes we notify to you from time to time.

We will only use your Personal Data for the purposes for which we collected it and which we informed you about, unless we reasonably consider that we need to use it for another reason which is compatible with the original purpose. If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.


4. Your rights in relation to your Personal Data

Under the GDPR you have various rights as an individual which you can exercise under certain circumstances in relation to your Personal Data that we hold. These rights are to:

  • Request access to your Personal Data (commonly known as a “data subject access request”) and request certain information in relation to its processing;
  • Request rectification of your Personal Data;
  • Request the erasure of your Personal Data;
  • Request the restriction of processing of your Personal Data;
  • Object to the processing of your Personal Data.

If you want to exercise one of these rights please contact us at GDPRsupport@lu.gt.com.

If you are not satisfied with our response, you also have the right to lodge a complaint at any time with the National Commission for Data Protection (“CNPD”), the Luxembourg supervisory authority for data protection issues, or, as the case may be, any other competent supervisory authority of an EU member state.


5. Security of your Personal Data

We are committed to taking appropriate technical and organisational measures to protect your Personal Data against unauthorised or unlawful processing and against accidental loss, disclosure, destruction or damage.

Your Personal Data is stored in Luxembourg in electronic and physical form. Any physical documentation is kept under lock and key in a secure location at our premises. Copies of this documentation are kept securely. Electronic files that contain Personal Data are stored within a secured IT infrastructure.


6. Sharing your Personal Data

Please note that we may use or disclose Personal Data if we are required by law to do so or if we reasonably believe that use or disclosure is necessary to protect our rights and/or to comply with judicial or regulatory proceedings, a court order or other legal process.

Grant Thornton Luxembourg is an independent member firm of the Grant Thornton International network and any information that you provide to us may be shared with and processed by any entity in the worldwide network where necessary for the execution of our services.

We may also share your Personal Data with certain trusted third parties in accordance with contractual arrangements in place with them, including:

  • IT service providers;
  • Suppliers to whom we outsource certain support services such as word processing, translation, photocopying and document review;
  • Administrative authorities, courts, tribunals, government agencies, law enforcement agencies and notaries;
  • Public Accountants and tax advisors for auditing purposes;
  • Insurance companies by reason of the conclusion of an insurance contract over the benefits or occurrence of the insured event (e.g. liability insurance);
  • Clients, insofar as relating to data of shareholders, organs or other employees of the respective client;
  • Cooperation partners and legal representatives acting on our behalf;
  • Other recipients as determined by the client (i.e. group companies of the client);
  • Furthermore Personal Data of employees of our clients within the framework of payroll services may be shared with:

       - Creditors of the employee as well as potential other parties related within legal prosecution, also in voluntary cession of salaries for due receivables;

       - Organs of the workforce and legal representation;

       - Insurance companies within existing group- or individual insurance as well as employee pension funds;

       - Banks dealing with the payment to the employee or to third parties;

       - Company doctors and employee pension funds;

       - Co-insured persons.

  • Additionally in the field of financial and administrative accounting for clients, Personal Data may be shared with:

       - Collection agencies for debt collection;

       - Banks on behalf of the client;

       - Factoring-companies, assignees and leasing companies.

  • If you exercise your right to data portability, we will usually disclose your Personal Data to an intermediary that facilitates data portability in accordance with applicable law and regulations.

Some of the above-mentioned recipients may be based outside of Luxembourg and process your Personal Data outside of Luxembourg. Where a transfer of your Personal Data is necessary to a location outside the European Economic Area (“EEA”) we will implement appropriate measures to ensure that your personal information remains protected and secure in accordance with applicable data protection laws.

An interfirm agreement between all Grant Thornton member firms that share and process Personal Data is in place. Where a third party service providers process Personal Data outside the EEA in the course of providing services to us, our written agreement with them will include appropriate measures, usually in the form of standard contractual clauses.


7. Retention period

We will only retain your Personal Data for as long as we need it in order to fulfil the purposes for which it was collected and processed, including for the purposes of satisfying any legal, regulatory, accounting or reporting requirements.

In some circumstances we may anonymise your Personal Data so that it can no longer be associated with you, in which case it is no longer considered as Personal Data. Upon expiry of the applicable retention period we will securely destroy your Personal Data in accordance with applicable laws and regulations.

If you are a client, former client, interested party or prospective client or a contact person of one of the aforementioned, we store your Personal Data for marketing purposes until revocation or the revocation of your consent if the marketing measures were carried out based on your consent.


8. Fees

You will in general not have to pay a fee to exercise any of your individual rights mentioned in this Privacy Notice. However, we may charge a reasonable fee if your request to exercise your individual rights is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.


9. Changes to your Personal Data

We are committed to keeping your Personal Data accurate and up to date. Therefore, if your Personal Data changes, please inform us of the change as soon as possible using the contact information provided below.


10. Links

Our website contains links to Grant Thornton International member and correspondent firm websites, but this Privacy Notice applies only to personal data collected via the Grant Thornton Luxembourg website and to how Grant Thornton Luxembourg processes personal data. It does not apply to specific member or correspondent firms practicing under the Grant Thornton name. We are not responsible for the privacy practices of other sites.


11. Cookies


What is a Cookie

A cookie is a small piece of data or message that is sent from an organisation's web server to your web browser and is then stored on your hard drive. Cookies can't read data off your hard drive or cookie files created by other sites, and do not damage your system.

However, you can reset your browser so as to refuse any cookie or to alert you to when a cookie is being sent. Web browsers allow you to control cookies stored on your hard drive through the web browser settings. To find out more about cookies, including what cookies have been set and how to manage and delete them, visit https://www.allaboutcookies.org

You have the possibility to manage your personal preferences in our Cookie Consent Tool.

We only use cookies to monitor the performance of our website and to improve user experience.

If you choose not to accept our cookies, some of the features of our site may not work as well as we intend.

Cookies used by the GTIL website

Cookie type

Cookie Name


Google analytics utma

These cookies are used to monitor the performance of our site. We use the information to help us improve the site. The cookies collect information in an anonymous form, including the number of visits to our site, where visitors have come from to the site and the pages they visited.

To opt out of being tracked by Google Analytics across all websites visit https://tools.google.com/dlpage/gaoptout.
Youtube preferences PREF
We use YouTube to embed a selection of videos in our Thinking and campaign pages. The embedded videos do not set cookies themselves and can be played with no cookies set. However, if the 'Share' button is clicked YouTube will set cookies. The VISITOR_INFO1_LIVE cookie attempts to estimate your bandwidth and the use_hitbox and PREF cookies increment the 'views' counter on the YouTube video and stores session preferences. These cookies don't gather information that identifies a user.
Twitter guest_id We embed a Twitter feed in our Thinking and campaign pages. This cookie is used to identify you to twitter. if you do not have a twitter account or never accessed the twitter.com website directly then twitter will assign you a unique code to track your visit to the Twitter feed.

 12. Updates to our Privacy Notice

We reserve the right, at our discretion, to change, modify, add, or remove portions from this Privacy Notice at any time, and we will make an updated copy of such privacy notice publicly available.

If we make any material changes to this Privacy Notice, we will notify you accordingly, by email or by means of a notice on our Site’s home page.


13. Contact information

If you have questions or concerns regarding this Privacy Notice or you wish to exercise your rights in relation to your Personal Data, please do not hesitate to contact us at GDPRsupport@lu.gt.com or send your request to the following address:


Grant Thornton Luxembourg


13 rue de Bitbourg

L-1273 Luxembourg


[1] *Grant Thornton Luxembourg includes the following companies:

Grant Thornton Tax & Accounting S.A.; Grant Thornton Audit & Assurance S.A.; Grant Thornton Financial Services S.A.; Grant Thornton Recovery & Reorganisation S.A.; Grant Thornton Advisory S.A.; Grant Thornton Vectis S.A.