Privacy statement: professional engagements

Updated 13 November 2025

Grant Thornton wants to protect the privacy of our clients and all third parties whose personal information we use in the course of our professional engagements, in accordance with the Personal Information Protection Act, 2016 (as amended) ("PIPA").

Please read the following statement in order to understand how we use your personal information.

About Us

In this privacy notice:

  • when we say "you" or "your", we mean you or any individual whose personal information you provide (including, but not limited to, directors, shareholders, partners, trustees, clients or customers or their employees, agents or contractors). Before you provide information about any such individual, you must make sure that you have a lawful purpose or the agreement of the relevant individual. You must also make sure they’ve been provided with this privacy notice, which explains the way in which their information will be processed and their rights in relation to their information;
  • References to Grant Thornton (including, "we", "us", "our" and "Grant Thornton Group") refer to the following entities, each of whom are part of a global alternative practices structure: Grant Thornton Advisors LLC, Grant Thornton LLP, Grant Thornton Corporate Finance Limited, Grant Thornton Ireland,  Grant Thornton (Bermuda) Limited, Grant Thornton Advisory (Bermuda) Limited and/or their affiliates and subsidiaries;
  • when we refer to "using" personal information we refer to collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying your personal information;
  • "personal information", refers to any information from which an individual could be identified, directly or indirectly, by itself or when combined with other information or context;
  • "sensitive personal information” refers to any personal information relating to an individual’s place of origin, race, colour, national or ethnic origin, sex, sexual orientation, sexual life, marital status, physical or mental disability, physical or mental health, family status, religious beliefs, political opinions, trade union membership, biometric information or genetic information.

What personal information do we use and how do we use it?

The type of personal information we use will depend on the nature of the engagement. In the course of carrying out our engagement for our client we may use personal information including your name, address, email address, telephone numbers, roles and responsibilities, PPS numbers, details relating to contract of employment, salary information including credits and deductions, tax returns, bank account details, insurance details, invoices and company loan information. 

While most personal information will be obtained from you directly, we may also perform background checks as part of our client onboarding procedures and continuous monitoring, and we will engage a third-party service provider to assist with such checks.

In some circumstances the Firm may be required to process sensitive personal information. The Firm will obtain explicit consent of the individual unless the use of the data is required to be provided under applicable law or for recruitment and employment purposes where the nature of the role justifies the use of such data. The safeguarding of sensitive personal information will be proportionate to the risk of unlawful or unauthorised use of the sensitive personal information.

Why do we use your personal information?

We may use your personal information in connection with:

  • the professional services that we provide to our clients.  In particular, where we provide audit and/or tax services we use personal information in order to undertake that service and meet our contractual and professional obligations; 
  • to enable us to comply with laws, regulations and requirements, in the various jurisdictions in which Grant Thornton operates including in relation to financial crime or disclosure requirements;
  • to perform a contract on your behalf;
  • in accordance with your instructions; 
  • to collect a debt owed to us to repay you;
  • to protect or defence the organisation in legal proceedings; 
  • to send you marketing materials;
  • to provide information, recommendations, rates and other financial information on our services;
  • to design and improve our products, services and marketing; and for complaints handling.

We will use your personal information in a lawful and fair manner and only for the purposes for which it is collected or for purposes that are related to those specific purposes.  We will ensure that personal information is adequate, relevant and not excessive in relation to the purposes for which it is used.  We will ensure that any personal information used is accurate and kept up to date to the extent necessary for the purposes of use.

To whom might we disclose your personal information?

We may be required to provide other audit firms with access to our audit files where they act as group auditors or successor auditors. We may also be requested to provide access to our audit files to potential investors or their advisors.

We may be required in certain circumstances, by law or by regulations or by professional bodies to which we belong, some of which may be located outside Bermuda or the European Economic Area (“EEA”), to make reports to regulatory and law enforcement authorities or to such bodies, or to disclose documents or information or take other action, as a result of information received by us or matters which come to our attention during the course of our engagement. We may also be required to provide regulatory bodies, Grant Thornton International Limited or professional bodies with access to our work papers in order to facilitate monitoring inspections.

Transfers Abroad

To facilitate our global operations, certain of our services and sites are provided from the United States and other locations.

If you are resident in Bermuda, we may share, transfer or store personal information outside your country of residence to certain recipients (mainly our affiliates and external service providers) in the United States, India, and other countries which we deem appropriate from time to time.

Where the laws and practices in these countries may not have equivalent data protection and privacy rules to those under PIPA, we will protect your personal information in accordance with this Privacy Statement and our Bermuda Privacy Notice Addendum.

Where these transfers of personal information occur, we ensure that a transfer mechanism and appropriate safeguards are in place to protect your personal information:

  • For transfers (including, onward transfers) of personal information within the Grant Thornton Group to affiliates in the United States where your personal information is stored within the European Economic Area (“EEA”), we rely on the EU-US Data Privacy Framework and the UK-US Data Privacy Framework (UK and Gibraltar), as operated by the U.S. Department of Commerce. To learn more about the Data Privacy Framework (“DPF”), and to view our certification, please visit dataprivacyframework.gov. Please also visit our dedicated webpage for more information about our participation in the DPF: Data privacy framework.
  • For transfers (including, onward transfers) of your personal information within the Grant Thornton Group to affiliates based in other, non-EEA countries we will transfer and use your data in accordance with PIPA and GDPR requirements.
  • For transfers (including, onward transfers) of your personal information within the Grant Thornton Group to affiliates based in other, non-EEA countries and where an appropriate data transfer adequacy decision has not been approved by the EU Commission, we rely on the EU Standard Contractual Clauses ("SCCs") or the UK Addendum to the EU SCCs (e.g., India and Bermuda).
  • For transfers (including, onward transfers) of personal information to external providers, we rely on the DPF, the EU SCCs, UK Addendum, or adequacy decisions of the European Commission.

If you would like to find out more about any transfers relating to your personal information, please contact us by e-mailing dataprivacy@ie.gt.com.

Our retention of your personal information

We will only retain your personal information for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we use your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.

Security

Grant Thornton has in place appropriate security safeguards to ensure the security of personal information against the risk of loss, unauthorised access, destruction, use, modification or disclosure or other misuse. Grant Thornton has in place procedures to deal with any suspected breach of security and will notify you and the Privacy Commissioner or any other relevant regulator of a suspected breach of security where Grant Thornton has a legal obligation to do so. Grant Thornton will provide the Privacy Commissioner, or any other relevant regulator, with a notice describing the nature of the breach of security, the likely consequence for the affected individual and the measures taken and to be taken by us to address the breach of security.

Your rights 

Grant Thornton recognises that individuals have specific rights conferred on them by PIPA, including:

  1. the right to access personal information about the individual in the custody or under the control of Grant Thornton;
  2. the right to be informed about the purposes for which personal information has been and is being used by Grant Thornton;
  3. the right to know the names of the persons or types of persons to whom and circumstances in which the personal information has been and is being disclosed;
  4. the right to access personal information of a medical or psychiatric nature relating to the individual;
  5. the right to make a written request to Grant Thornton to correct an error or omission in any of the personal information which is under the control of Grant Thornton;
  6. the right to request Grant Thornton to cease, or not to begin, using personal information for the purposes of advertising, marketing or public relations or where the use of personal information is likely to cause substantial damage or substantial distress to the individual or to another individual;
  7. the right to request that Grant Thornton erase or destroy personal information about the individual where that personal information is no longer relevant for the purposes of its use;
  8. the right to be informed of a personal information breach (unless the breach is unlikely to be prejudicial); and
  9. the right to complain to the Privacy Commissioner.

Notwithstanding the above, Grant Thornton may refuse to provide access to personal information under part (4) above if disclosure of the personal information to the individual would be likely to prejudice the physical or mental health of the individual. Where, in these circumstances, Grant Thornton refuses to grant a request, Grant Thornton shall, if requested to do so by the individual, provide access to the personal information requested to a health professional, within the meaning of section 2 of the Bermuda Health Council Act, 2004, who has expertise in relation to the subject matter of the record, and the health professional shall determine whether disclosure of the personal information to the individual would be likely to prejudice the physical or mental health of the individual.

Grant Thornton may refuse to provide access to personal information where the personal information:

  • is subject to legal privilege; 
  • would reveal confidential information of Grant Thornton or of a third party that is of a commercial nature and it is not unreasonable to withhold the information; 
  • is being used for a current disciplinary or criminal investigation or legal proceedings, and refusal does not prejudice the right of the individual to receive a fair hearing; 
  • was used by a mediator or arbitrator, or was created in the conduct of a mediation or arbitration for which the mediator or arbitrator was appointed by the court or by an agreement;  
  • the disclosure of the personal information would reveal intentions of Grant Thornton in relation to any negotiations with the individual to the extent that the provision of access would be likely to prejudice those negotiations; or

Unless it is reasonable in all circumstances to provide access, Grant Thornton must not provide access to personal information where the disclosure of personal information: 

  • could reasonably be expected to threaten the life or security of an individual; 
  • would reveal personal information about another individual; or
  • would reveal the identity of an individual who has in confidence provided an opinion about another individual and the individual providing the opinion does not consent to the disclosure of their identity. 

Grant Thornton may consider providing an individual with their personal information where it can reasonably redact information and provide the personal information to the individual who requested it. 

Procedure for Making an Access Request for Information 

In order to obtain a copy or examine personal information an individual (the "Applicant") must make the request in writing to Grant Thornton and which can be provided in email to the Privacy Officer at dataprivacy@ie.gt.com or be provided by hand to Grant Thornton to the attention to the Privacy Officer. 

Grant Thornton will promptly acknowledge the request in writing and inform the Applicant if any further information is required to complete the request. A copy of the personal information must be provided within a 45-day deadline, or we may extend the period by no more than 30 days (or as permitted by the Privacy Commissioner) where a considerable amount of personal information is requested and the request would interfere with the operations of Grant Thornton, or more time is needed to consult with a third party. Grant Thornton shall inform the Applicant in writing of any extension and the expected time of response. 

Grant Thornton may charge the Applicant a fee for access to the personal information, and such fee will be determined by Grant Thornton, except where such request results in the correction of an error or omission in the personal information about the Applicant that is under the control of Grant Thornton. 

Privacy Officer details:

Louise Barry,

Head of Risk

13-18 City Quay, Dublin 2, Ireland

dataprivacy@ie.gt.com