Updated 24 February 2023
Grant Thornton Bermuda wants to protect the privacy of our clients and all third parties whose data we process in the course of our professional engagements. In the conduct of providing our professional services to clients, we may need to collect and use personal data about their directors, shareholders, partners, trustees, clients or customers or their employees, agents or contractors, which we will hold as an organisation under the Personal Information Protection Act 2016 (as amended) ("PIPA").
Please read the following statement; it will help you to understand how we use your personal data.
In this privacy statement “we”, “our”, and “us” refer to Grant Thornton Bermuda. Grant Thornton Bermuda is part of Grant Thornton Ireland and is one of several partnerships under Irish Law trading as Grant Thornton and the following legal entities: Grant Thornton (NI) LLP; Grant Thornton Financial & Taxation Consultants Limited; Grant Thornton Business Advisory Services Limited; Grant Thornton Corporate Finance Limited; Grant Thornton Consulting Limited; Grant Thornton Financial Counselling Limited; Grant Thornton Debt Solutions Limited; Grant Thornton Pensioner Trustees Limited; Grant Thornton Limited (Isle of Man) and Grant Thornton (Gibraltar) Limited and Grant Thornton Bermuda.
What personal data do we collect?
The type of personal data collected will depend on the nature of the engagement. In the course of carrying out our engagement for our client we may process personal data including your personal identification, name, address, email address, telephone numbers, roles and responsibilities, PPS numbers, details relating to contract of employment, salary information including credits and deductions, tax returns, bank account details, insurance details, invoices and company loan information. We may also process health information and family details if instructed to provide certain services to our client.
While most personal data will be obtained from you directly or from our client, we may also perform background checks as part of our client onboarding procedures and continuous monitoring, and we will engage a third party service provider to assist with such checks.
In some circumstances the Firm may be required to process sensitive personal information which includes any personal information relating to an individual’s place of origin, race, colour, national or ethnic origin, sex, sexual orientation, sexual life, marital status, physical or mental disability, physical or mental health, family status, religious beliefs, political opinions, trade union membership, biometric information or genetic information. The Firm will obtain explicit consent to use it to carry out legal obligations, where there is a public interest and where such information is already available to the public, as well as processing legal claims and to provide an individual’s vital interest where the individual is not capable of providing consent. The safeguarding of sensitive personal information will be proportionate to the risk of unlawful or unauthorised access to the sensitive personal information.
Why do we process your personal data?
We may process your personal data in connection with our client on-boarding process, which includes background checks, in order to comply with our legal obligations in connection with the Proceeds of Crime Act 1997, the Proceeds of Crime (Anti-Money Laundering and Anti-Terrorist Financing) Regulations 2008, the Proceeds of Crime (Anti-Money Laundering and Anti-Terrorist Financing Supervision and Enforcement) Act 2008 and the Anti-Terrorism (Financial and Other Measures) Act 2004, all as amended and as may be further amended and updated from time to time.
We may also process your personal data in connection with the professional services that we provide to our clients. In particular, where we provide audit and/or tax services to our clients we may be the controller of certain personal data that we process in order to undertake that service and meet our contractual and professional obligations.
Our processing of your personal data in these circumstances is also based on our legitimate business interests in performing our engagement, operating our business and complying with internal policies and procedures. We may also be required to process such personal data in order to comply with our legal obligations.
Any additional processing of your personal data may rely on consent as a condition for use of personal information, or for:
- the performance of a contract between the individual and the Firm or for the taking of steps at the request of the individual with a view to entering into a contract;
- the use of personal information to comply with a provision of law that authorises or requires such use;
- the use of the personal information is for the purpose of complying with an order made by a court, individual or body having jurisdiction over the organisation;
- the use of the personal information is necessary in order to collect a debt owed to the organisation or for the organisation to repay to the individual money owed by the organisation; or
- the use of the personal information is reasonable to protect or defend the organisation in any legal proceeding.
We will use your personal data in a lawful and fair manner and only for the purposes for which it is collected or for purposes that are related to those specific purposes. We will ensure that personal data is adequate, relevant and not excessive in relation to the purposes for which it is used. We will ensure that any personal information used is accurate and kept up to date to the extent necessary for the purposes of use.
To whom might we disclose your personal data?
We may be required to provide other audit firms with access to our audit files where they act as group auditors or successor auditors. We may also be requested to provide access to our audit files to potential investors or their advisors.
We may be required in certain circumstances, by law or by Regulations or by Professional Bodies, some of which may be located outside Bermuda or the European Economic Area (EEA), to which we belong, to make reports to regulatory and law enforcement authorities or to such bodies, or to disclose documents or information or take other action, as a result of information received by us or matters which come to our attention during the course of our engagement. We may also be required to provide Regulatory Bodies, Grant Thornton International Limited or Professional Bodies with access to our work papers in order to facilitate monitoring inspections.
In connection with the above, as Grant Thornton Bermuda forms part of Grant Thornton Ireland, personal data may be transferred to offices within the Firm but which are based outside of Bermuda or the EEA in compliance with the Firm’s Data Protection and Privacy policies and the firm’s regulatory obligations under PIPA and GDPR.
Prior to making a data transfer to third parties outside of Bermuda, Grant Thornton Bermuda will assess the level of protection provided by the overseas third party for that personal information, including considering the level of protection afforded by the law applicable to such overseas party.
For any data transfers from Grant Thornton Bermuda to third parties based within the EEA, personal data may be transferred without additional safeguards as EEA jurisdictions have been recognised by Bermuda as providing for an equivalent level of protection for personal data as is provided for in Bermuda.
For any data transfers from Grant Thornton Bermuda, which forms part of Grant Thornton Ireland, to third parties based outside Bermuda or the EEA, we will ensure that appropriate measures are in place to comply with our obligations under applicable law governing such transfers, which may include entering into a contract governing the transfer to ensure that the overseas third party provides a comparable level of protection.
Notwithstanding, Grant Thornton Bermuda may transfer personal information to an overseas third party for use by that overseas party on behalf of Grant Thornton Bermuda or for the overseas third party's own business purposes if:
- The transfer is necessary for the establishment, exercise or defence of legal rights; or
- Grant Thornton Bermuda assesses all the circumstances surrounding the transfer and reasonably considers the transfer is small-scale, occasional and unlikely to prejudice the rights of an individual.
Further details of the measures that we have taken in this regard are available by contacting us using the contact details below.
Our retention of your personal data
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Grant Thornton Bermuda has put in place appropriate security safeguards to ensure the security of personal data against the risk of loss, unauthorised access, destruction, use, modification or disclosure or other misuse. Grant Thornton Bermuda has put in place procedures to deal with any suspected data security breaches and will notify you and the Privacy Commissioner or any other relevant regulator of a suspected breach where Grant Thornton Bermuda has a legal obligation to do so. Grant Thornton Bermuda will provide to the Privacy Commissioner a notice that describes the nature of the breach, the likely consequence for that individual and the measures taken and to be taken by us to address the breach.
Grant Thornton Bermuda recognises that individuals have specific rights conferred on them by PIPA, including:
- (a) the right to access personal information about the individual in the custody or under the control of Grant Thornton Bermuda;
- (b) the right to be informed about the purposes for which personal information has been and is being used by Grant Thornton Bermuda;
- (c) the right to know the names of the persons or types of persons to whom and circumstances in which the personal information has been and is being disclosed;
- (d) the right to access personal information of a medical or psychiatric nature relating to the individual;
- (e) the right to make a written request to Grant Thornton Bermuda to correct an error or omission in any of the personal information which is under the control of Grant Thornton Bermuda;
- (f) the right to request Grant Thornton Bermuda to cease, or not to begin, using personal information for the purposes of advertising, marketing or public relations or where the use of personal information is likely to cause substantial damage or substantial distress to the individual or to another individual;
- (g) the right to request that Grant Thornton Bermuda erase or destroy personal information about the individual where that personal information is no longer relevant for the purposes of its use;
- (h) the right to restrict the processing of the individual's personal information;
- (i) the right to be informed of a personal information breach (unless the breach is unlikely to be prejudicial); and
- (j) the right to complain to the Privacy Commissioner.
As mentioned above in parts (a) – (d) individuals have the right to access their own personal information and receive information about its use. Unless it is reasonable in all the circumstances under parts (a) – (d) above to provide access, Grant Thornton Bermuda may refuse the request in accordance with Section 17(2) of PIPA, or shall not provide access in accordance with Section 17(3) of PIPA.
Grant Thornton Bermuda may refuse to provide access to personal information under part (d) above if disclosure of the personal information to the individual would be likely to prejudice the physical or mental health of the individual. Where, in these circumstances, Grant Thornton Bermuda refuses to grant a request, Grant Thornton Bermuda shall, if requested to do so by the individual, provide access to the personal information requested to a health professional, within the meaning of section 2 of the Bermuda Health Council Act 2004, who has expertise in relation to the subject matter of the record, and the health professional shall determine whether disclosure of the personal information to the individual would be likely to prejudice the physical or mental health of the individual.
Grant Thornton Bermuda may refuse to provide access to personal information on the following grounds, where the personal information:
- is subject to legal privilege;
- would reveal confidential information of Grant Thornton Bermuda or of a third party that is of a commercial nature and it is not unreasonable to withhold the information;
- is being used for a current disciplinary or criminal investigation or legal proceedings, and refusal does not prejudice the right of the individual to receive a fair hearing;
- was used by a mediator or arbitrator, or was created in the conduct of a mediation or arbitration for which the mediator or arbitrator was appointed by the court or by an agreement;
- the disclosure of the personal information would reveal intentions of Grant Thornton Bermuda in relation to any negotiations with the individual to the extent that the provision of access would be likely to prejudice those negotiations; or
Unless it is reasonable in all circumstances to provide access, Grant Thornton Bermuda must not provide access to personal information where the disclosure of personal information:
- could reasonably be expected to threaten the life or security of an individual;
- would reveal personal information about another individual; or
- would reveal the identity of an individual who has in confidence provided an opinion about another individual and the individual providing the opinion does not consent to the disclosure of their identity.
Grant Thornton Bermuda may consider providing an individual with their personal information where it can reasonably redact information and provide the personal information to the individual who requested it.
Procedure for Making a Subject Access Request
In order to obtain a copy of or examine personal information, an individual (the "Applicant") must make the request in writing to Grant Thornton Bermuda, which can be provided by email to the Privacy Officer at firstname.lastname@example.org or by hand to Grant Thornton Bermuda for the attention of the Privacy Officer.
Grant Thornton Bermuda will promptly acknowledge the request in writing and inform the Applicant if any further information is required to complete the request. A copy of the personal information must be provided within a 45-day deadline, or we may extend the period by no more than 30 days (or as permitted by the Privacy Commissioner) where a considerable amount of personal information is requested and the request would interfere with the operations of Grant Thornton Bermuda, or more time is needed to consult with a third party. Grant Thornton Bermuda shall inform the Applicant in writing of any extension and the expected time of response.
Grant Thornton Bermuda may charge the Applicant a fee for access to the personal information, and such fee will be determined by Grant Thornton Bermuda, except where such request results in the correction of an error or omission in the personal information about the Applicant that is under the control of Grant Thornton Bermuda.
An individual is only entitled to their own personal information and certain information about the data, but not to information relating to other people (unless the information is also about them or they are acting in a legal capacity on behalf of someone else). Therefore, it is important to vet and potentially redact the information provided. Details of Applicant requests received should be recorded. The Privacy Officer may request the advice of the Privacy Commissioner or Bermuda counsel to advise further where required.