Grant Thornton Bermuda wants to protect the privacy of our clients and all third parties whose personal information we use in the course of our professional engagements, in accordance with the Personal Information Protection Act, 2016 (as amended) ("PIPA").
Please read the following statement in order to understand how we use your personal information.
About us
In this privacy notice:
- when we say "you" or "your", we mean you or any individual whose personal information you provide (including, but not limited to, directors, shareholders, partners, trustees, clients or customers or their employees, agents or contractors). Before you provide information about any such individual, you must make sure that you have a lawful purpose or the agreement of the relevant individual. You must also make sure they’ve been provided with this privacy notice, which explains the way in which their information will be processed and their rights in relation to their information;
- “we”, “our”, “us” and “Firm” refers to Grant Thornton Bermuda. Grant Thornton Bermuda, which comprises both legal entities incorporated in Bermuda, Grant Thornton Advisory (Bermuda) Limited and Grant Thornton (Bermuda) Limited, is a territorial extension of Grant Thornton Ireland, a partnership established under Irish Law trading as Grant Thornton and the following legal entities:
- Grant Thornton (NI) LLP; Grant Thornton Financial & Taxation Consultants Limited; Grant Thornton Business Advisory Services Limited; Grant Thornton Corporate Finance Limited; Grant Thornton Consulting Limited; Grant Thornton Financial Counselling Limited; Grant Thornton Debt Solutions Limited; Grant Thornton Pensioner Trustees Limited; Grant Thornton Limited (Isle of Man); Grant Thornton (Gibraltar) Limited; Grant Thornton Advisory (Bermuda) Limited and Grant Thornton (Bermuda) Limited.
- when we refer to "using" personal information we refer to collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying your personal information;
- "personal information" refers to any information from which an individual could be identified, directly or indirectly, by itself or when combined with other information or context;
- "sensitive personal information" refers to any personal information relating to an individual’s place of origin, race, colour, national or ethnic origin, sex, sexual orientation, sexual life, marital status, physical or mental disability, physical or mental health, family status, religious beliefs, political opinions, trade union membership, biometric information or genetic information.
What personal information do we use and how do we use it?
The type of personal information we use will depend on the nature of the engagement.
In the course of carrying out our engagement for our client we may use personal information including your name, address, email address, telephone numbers, roles and responsibilities, PPS numbers, details relating to contract of employment, salary information including credits and deductions, tax returns, bank account details, insurance details, invoices and company loan information.
While most personal information will be obtained from you directly, we may also perform background checks as part of our client onboarding procedures and continuous monitoring, and we will engage a third-party service provider to assist with such checks.
In some circumstances the Firm may be required to process sensitive personal information. The Firm will obtain explicit consent of the individual unless the use of the data is required to be provided under applicable law or for recruitment and employment purposes where the nature of the role justifies the use of such data. The safeguarding of sensitive personal information will be proportionate to the risk of unlawful or unauthorised use of the sensitive personal information.
Why do we use your personal information?
We may use your personal information in connection with:
- the professional services that we provide to our clients. In particular, where we provide audit and/or tax services we use personal information in order to undertake that service and meet our contractual and professional obligations;
- to enable us to comply with laws, regulations and requirements, in the various jurisdictions in which Grant Thornton operates including in relation to financial crime or disclosure requirements;
- to perform a contract on your behalf;
- in accordance with your instructions;
- to collect a debt owed to us to repay you;
- to protect or defend the organisation in legal proceedings;
- to send you marketing materials;
- to provide information, recommendations, rates and other financial information on our services;
- to design and improve our products, services and marketing; and
- for complaints handling.
We will use your personal information in a lawful and fair manner and only for the purposes for which it is collected or for purposes that are related to those specific purposes. We will ensure that personal information is adequate, relevant and not excessive in relation to the purposes for which it is used. We will ensure that any personal information used is accurate and kept up to date to the extent necessary for the purposes of use.
To whom might we disclose your personal information?
We may be required to provide other audit firms with access to our audit files where they act as group auditors or successor auditors. We may also be requested to provide access to our audit files to potential investors or their advisors.
We may be required in certain circumstances, by law or by regulations or by professional bodies to which we belong, some of which may be located outside Bermuda or the European Economic Area (“EEA”), to make reports to regulatory and law enforcement authorities or to such bodies, or to disclose documents or information or take other action, as a result of information received by us or matters which come to our attention during the course of our engagement.
We may also be required to provide regulatory bodies, Grant Thornton International Limited or professional bodies with access to our work papers in order to facilitate monitoring inspections.
Transfers abroad
As Grant Thornton Bermuda is a territorial extension of Grant Thornton Ireland, personal information may be transferred to offices within the Grant Thornton Ireland network which are based outside of Bermuda or the EEA, in compliance with the Firm’s Data Protection and Privacy policies and the Firm’s regulatory obligations under PIPA and the General Data Protection Regulation (Regulation 2016/679) (GDPR).
In compliance with the Firm’s Data Protection and Privacy policies and the Firm’s regulatory obligations under PIPA, prior to making a personal information transfer to third parties outside of Bermuda, Grant Thornton Bermuda will assess the level of protection provided by the overseas third party for that personal information, including considering the level of protection afforded by the law applicable to such overseas third party.
For any personal information transfers from Grant Thornton Bermuda to third parties based outside Bermuda, we will ensure that appropriate measures are in place to comply with our obligations under applicable law governing such transfers, which may include entering into contract mechanisms governing the transfer to ensure that the overseas third party provides a comparable level of protection.
Notwithstanding the above, Grant Thornton Bermuda may transfer personal information to an overseas third party for use by that overseas party on behalf of Grant Thornton Bermuda or for the overseas third party's own business purposes if:
- the transfer is necessary for the establishment, exercise or defence of legal rights; or
- Grant Thornton Bermuda assesses all the circumstances surrounding the transfer and reasonably considers the transfer is small-scale, occasional and unlikely to prejudice the rights of an individual.
Further details of the measures that we have taken in this regard are available by contacting us using the contact details below.
Our retention of your personal information
We will only retain your personal information for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we use your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
Security
Grant Thornton Bermuda has in place appropriate security safeguards to ensure the security of personal information against the risk of loss, unauthorised access, destruction, use, modification or disclosure or other misuse.
Grant Thornton Bermuda has in place procedures to deal with any suspected breach of security and will notify you and the Privacy Commissioner or any other relevant regulator of a suspected breach of security where Grant Thornton Bermuda has a legal obligation to do so.
Grant Thornton Bermuda will provide the Privacy Commissioner, or any other relevant regulator, with a notice describing the nature of the breach of security, the likely consequence for the affected individual and the measures taken and to be taken by us to address the breach of security.
Your rights
Grant Thornton Bermuda recognises that individuals have specific rights conferred on them by PIPA, including:
- the right to access personal information about the individual in the custody or under the control of Grant Thornton Bermuda;
- the right to be informed about the purposes for which personal information has been and is being used by Grant Thornton Bermuda;
- the right to know the names of the persons or types of persons to whom and circumstances in which the personal information has been and is being disclosed;
- the right to access personal information of a medical or psychiatric nature relating to the individual;
- the right to make a written request to Grant Thornton Bermuda to correct an error or omission in any of the personal information which is under the control of Grant Thornton Bermuda;
- the right to request Grant Thornton Bermuda to cease, or not to begin, using personal information for the purposes of advertising, marketing or public relations or where the use of personal information is likely to cause substantial damage or substantial distress to the individual or to another individual;
- the right to request that Grant Thornton Bermuda erase or destroy personal information about the individual where that personal information is no longer relevant for the purposes of its use;
- the right to be informed of a personal information breach (unless the breach is unlikely to be prejudicial); and
- the right to complain to the Privacy Commissioner.
Notwithstanding the above, Grant Thornton Bermuda may refuse to provide access to personal information under part (d) above if disclosure of the personal information to the individual would be likely to prejudice the physical or mental health of the individual.
Where, in these circumstances, Grant Thornton Bermuda refuses to grant a request, Grant Thornton Bermuda shall, if requested to do so by the individual, provide access to the personal information requested to a health professional, within the meaning of section 2 of the Bermuda Health Council Act, 2004, who has expertise in relation to the subject matter of the record, and the health professional shall determine whether disclosure of the personal information to the individual would be likely to prejudice the physical or mental health of the individual.
Grant Thornton Bermuda may refuse to provide access to personal information on the following grounds, where the personal information:
- is subject to legal privilege;
- would reveal confidential information of Grant Thornton Bermuda or of a third party that is of a commercial nature and it is not unreasonable to withhold the information;
- is being used for a current disciplinary or criminal investigation or legal proceedings, and refusal does not prejudice the right of the individual to receive a fair hearing;
- was used by a mediator or arbitrator, or was created in the conduct of a mediation or arbitration for which the mediator or arbitrator was appointed by the court or by an agreement;
- the disclosure of the personal information would reveal intentions of Grant Thornton Bermuda in relation to any negotiations with the individual to the extent that the provision of access would be likely to prejudice those negotiations; or
Unless it is reasonable in all circumstances to provide access, Grant Thornton Bermuda must not provide access to personal information where the disclosure of personal information:
- could reasonably be expected to threaten the life or security of an individual;
- would reveal personal information about another individual; or
- would reveal the identity of an individual who has in confidence provided an opinion about another individual and the individual providing the opinion does not consent to the disclosure of their identity.
Grant Thornton Bermuda may consider providing an individual with their personal information where it can reasonably redact information and provide the personal information to the individual who requested it.
Procedure for making an access request for information
In order to obtain a copy of or examine personal information, an individual (the "Applicant") must make the request in writing to Grant Thornton Bermuda. The request can be provided by email to the Privacy Officer at dataprivacy@ie.gt.com or by hand to Grant Thornton Bermuda for the attention of the Privacy Officer.
Grant Thornton Bermuda will promptly acknowledge the request in writing and inform the Applicant if any further information is required to complete the request.
A copy of the personal information must be provided within a 45-day deadline, or we may extend the period by no more than 30 days (or as permitted by the Privacy Commissioner) where a considerable amount of personal information is requested and the request would interfere with the operations of Grant Thornton Bermuda, or more time is needed to consult with a third party.
Grant Thornton Bermuda shall inform the Applicant in writing of any extension and the expected time of response.
Grant Thornton Bermuda may charge the Applicant a fee for access to the personal information, and such fee will be determined by Grant Thornton Bermuda, except where such request results in the correction of an error or omission in the personal information about the Applicant that is under the control of Grant Thornton Bermuda.
Privacy Officer details
Louise Barry, Head of Risk, 13-18 City Quay, Dublin 2, Ireland, dataprivacy@ie.gt.com