Grant Thornton Bermuda wants to protect the privacy of our clients and all third parties whose personal information we use in the course of our professional engagements.
In the conduct of providing our professional services to clients, we may need to use personal information about their directors, shareholders, partners, trustees, clients or customers or their employees, agents or contractors, which we will hold as an organisation under the Personal Information Protection Act, 2016 (as amended) ("PIPA").
Please read the following statement in order to understand how we use your personal information.
About us
In this privacy notice “we”, “our”, “us” and “Firm” refers to Grant Thornton Bermuda.
Grant Thornton Bermuda, which comprises both legal entities incorporated in Bermuda, Grant Thornton Advisory (Bermuda) Limited and Grant Thornton (Bermuda) Limited, is a territorial extension of Grant Thornton Ireland, a partnership established under Irish Law trading as Grant Thornton and the following legal entities:
Grant Thornton (NI) LLP; Grant Thornton Financial & Taxation Consultants Limited; Grant Thornton Business Advisory Services Limited; Grant Thornton Corporate Finance Limited; Grant Thornton Consulting Limited; Grant Thornton Financial Counselling Limited; Grant Thornton Debt Solutions Limited; Grant Thornton Pensioner Trustees Limited; Grant Thornton Limited (Isle of Man); Grant Thornton (Gibraltar) Limited; Grant Thornton Advisory (Bermuda) Limited and Grant Thornton (Bermuda) Limited.
What personal information do we collect?
The type of personal information collected will depend on the nature of the engagement.
In the course of carrying out our engagement for our client we may use personal information including your name, address, email address, telephone numbers, roles and responsibilities, PPS numbers, details relating to contract of employment, salary information including credits and deductions, tax returns, bank account details, insurance details, invoices and company loan information.
We may also use health information and family details if instructed to provide certain services to our client.
While most personal information will be obtained from you directly or from our client, we may also perform background checks as part of our client onboarding procedures and continuous monitoring, and we will engage a third-party service provider to assist with such checks.
In some circumstances the Firm may be required to process sensitive personal information which includes any personal information relating to an individual’s place of origin, race, colour, national or ethnic origin, sex, sexual orientation, sexual life, marital status, physical or mental disability, physical or mental health, family status, religious beliefs, political opinions, trade union membership, biometric information or genetic information.
The Firm will obtain explicit consent of the individual, unless the use of the data is required in accordance with a court order, by instruction of the Office of the Privacy Commissioner of Bermuda (or any other relevant regulator), for the purpose of criminal or civil proceedings or for recruitment and employment purposes where the nature of the role justifies the use of such data.
The safeguarding of sensitive personal information will be proportionate to the risk of unlawful or unauthorised use of the sensitive personal information.
Why do we use your personal information?
We may use your personal information in connection with our client on-boarding process, which includes background checks, in order to comply with our legal obligations in connection with the Proceeds of Crime Act, 1997, the Proceeds of Crime (Anti-Money Laundering and Anti-Terrorist Financing) Regulations, 2008, the Proceeds of Crime (Anti-Money Laundering and Anti-Terrorist Financing Supervision and Enforcement) Act, 2008 and the Anti-Terrorism (Financial and Other Measures) Act, 2004, all as amended and as may be further amended and updated from time to time.
We may also use your personal information in connection with the professional services that we provide to our clients. In particular, where we provide audit and/or tax services to our clients we may be the organisation in control of certain personal information that we use in order to undertake that service and meet our contractual and professional obligations.
Our use of your personal information in these circumstances is also based on our legitimate business interests in performing our engagement, operating our business and complying with internal policies and procedures. We may also be required to use such personal information in order to comply with our legal obligations.
Any additional use of your personal information may rely on consent as a condition for use of personal information, or for:
- the performance of a contract between the individual and the Firm or for the taking of steps at the request of the individual with a view of entering into a contract;
- the use of personal information to comply with a provision of law that authorises or requires such use;
- the use of the personal information is for the purpose of complying with an order made by a court, individual or body having jurisdiction over the organisation;
- the use of the personal information is necessary in order to collect a debt owed to the organisation or for the organisation to repay to the individual money owed by the organisation; or
- the use of the personal information is reasonable to protect or defend the organisation in any legal proceeding
We will use your personal information in a lawful and fair manner and only for the purposes for which it is collected or for purposes that are related to those specific purposes.
We will ensure that personal information is adequate, relevant and not excessive in relation to the purposes for which it is used. We will ensure that any personal information used is accurate and kept up to date to the extent necessary for the purposes of use.
To whom might we disclose your personal information?
We may be required to provide other audit firms with access to our audit files where they act as group auditors or successor auditors. We may also be requested to provide access to our audit files to potential investors or their advisors.
We may be required in certain circumstances, by law or by regulations or by professional bodies to which we belong, some of which may be located outside Bermuda or the European Economic Area (“EEA”), to make reports to regulatory and law enforcement authorities or to such bodies, or to disclose documents or information or take other action, as a result of information received by us or matters which come to our attention during the course of our engagement.
We may also be required to provide regulatory bodies, Grant Thornton International Limited or professional bodies with access to our work papers in order to facilitate monitoring inspections.
Transfers abroad
In connection with the above, as Grant Thornton Bermuda is a territorial extension of Grant Thornton Ireland, personal information may be transferred to offices within the Grant Thornton Ireland network, but which are based outside of Bermuda or the EEA in compliance with the Firm’s Data Protection and Privacy policies and the Firm’s regulatory obligations under PIPA and the General Data Protection Regulation (Regulation 2016/679) (GDPR).
Prior to making a data transfer to third parties outside of Bermuda, Grant Thornton Bermuda will assess the level of protection provided by the overseas third party for that personal information, including considering the level of protection afforded by the law applicable to such overseas third party.
For any data transfers from Grant Thornton Bermuda to third parties based outside Bermuda, we will ensure that appropriate measures are in place to comply with our obligations under applicable law governing such transfers, which may include entering into contract mechanisms governing the transfer to ensure that the overseas third party provides a comparable level of protection.
Notwithstanding the above, Grant Thornton Bermuda may transfer personal information to an overseas third party for use by that overseas party on behalf of Grant Thornton Bermuda or for the overseas third party's own business purposes if:
- the transfer is necessary for the establishment, exercise or defence of legal rights; or
- Grant Thornton Bermuda assesses all the circumstances surrounding the transfer and reasonable considers the transfer is small-scale, occasional and unlikely to prejudice the rights of an individual.
Further details of the measures that we have taken in this regard are available by contacting us using the contact details below.
Our retention of your personal information
We will only retain your personal information for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we use your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
Security
Grant Thornton Bermuda has in place appropriate security safeguards to ensure the security of personal information against the risk of loss, unauthorised access, destruction, use, modification or disclosure or other misuse.
Grant Thornton Bermuda has in place procedures to deal with any suspected breach of security and will notify you and the Privacy Commissioner or any other relevant regulator of a suspected breach of security where Grant Thornton Bermuda has a legal obligation to do so.
Grant Thornton Bermuda will provide the Privacy Commissioner, or any other relevant regulator, with a notice describing the nature of the breach of security, the likely consequence for the affected individual and the measures taken and to be taken by us to address the breach of security.
Your rights
Grant Thornton Bermuda recognises that individuals have specific rights conferred on them by PIPA, including:
- the right to access personal information about the individual in the custody or under the control of Grant Thornton Bermuda;
- the right to be informed about the purposes for which personal information has been and is being used by Grant Thornton Bermuda;
- the right to know the names of the persons or types of persons to whom and circumstances in which the personal information has been and is being disclosed;
- the right to access personal information of a medical or psychiatric nature relating to the individual;
- the right to make a written request to Grant Thornton Bermuda to correct an error or omission in any of the personal information which is under the control of Grant Thornton Bermuda;
- the right to request Grant Thornton Bermuda to cease, or not to begin, using personal information for the purposes of advertising, marketing or public relations or where the use of personal information is likely to cause substantial damage or substantial distress to the individual or to another individual;
- the right to request that Grant Thornton Bermuda erase or destroy personal information about the individual where that personal information is no longer relevant for the purposes of its use;
- the right to be informed of a personal information breach (unless the breach is unlikely to be prejudicial); and
- the right to complain to the Privacy Commissioner.
As mentioned above in parts 1-4, individuals have the right to access their own personal information and receive information about its use. Unless it is reasonable in all the circumstances under parts 1-4 above to provide access, Grant Thornton Bermuda may refuse the request in accordance with Section 17(2) of PIPA or shall not provide access in accordance with Section 17(3) of PIPA.
Grant Thornton Bermuda may refuse to provide access to personal information under part (4) above if disclosure of the personal information to the individual would be likely to prejudice the physical or mental health of the individual.
Where, in these circumstances, Grant Thornton Bermuda refuses to grant a request, Grant Thornton Bermuda shall, if requested to do so by the individual, provide access to the personal information requested to a health professional, within the meaning of section 2 of the Bermuda Health Council Act, 2004, who has expertise in relation to the subject matter of the record, and the health professional shall determine whether disclosure of the personal information to the individual would be likely to prejudice the physical or mental health of the individual.
Grant Thornton Bermuda may refuse to provide access to personal information on the following grounds, where the personal information:
- is subject to legal privilege;
- would reveal confidential information of Grant Thornton Bermuda or of a third party that is of a commercial nature, and it is not unreasonable to withhold the information;
- is being used for a current disciplinary or criminal investigation or legal proceedings, and refusal does not prejudice the right of the individual to receive a fair hearing;
- was used by a mediator or arbitrator, or was created in the conduct of a mediation or arbitration for which the mediator or arbitrator was appointed by the court or by an agreement;
- the disclosure of the personal information would reveal intentions of Grant Thornton Bermuda in relation to any negotiations with the individual to the extent that the provision of access would be likely to prejudice those negotiations; or
Unless it is reasonable in all circumstances to provide access, Grant Thornton Bermuda must not provide access to personal information where the disclosure of personal information:
- could reasonably be expected to threaten the life or security of an individual;
- would reveal personal information about another individual; or
- would reveal the identity of an individual who has in confidence provided an opinion about another individual and the individual providing the opinion does not consent to the disclosure of their identity.
Grant Thornton Bermuda may consider providing an individual with their personal information where it can reasonably redact information and provide the personal information to the individual who requested it.
Procedure for making an access request for information
In order to obtain a copy or examine personal information an individual (the "Applicant") must make the request in writing to Grant Thornton Bermuda and which can be provided in email to the Privacy Officer at dataprivacy@ie.gt.com or be provided by hand to Grant Thornton Bermuda to the attention to the Privacy Officer.
Grant Thornton Bermuda will promptly acknowledge the request in writing and inform the Applicant if any further information is required to complete the request.
A copy of the personal information must be provided within a 45-day deadline, or we may extend the period by no more than 30 days (or as permitted by the Privacy Commissioner) where a considerable amount of personal information is requested and the request would interfere with the operations of Grant Thornton Bermuda, or more time is needed to consult with a third party.
Grant Thornton Bermuda shall inform the Applicant in writing of any extension and the expected time of response.
Grant Thornton Bermuda may charge the Applicant a fee for access to the personal information, and such fee will be determined by Grant Thornton Bermuda, except where such request results in the correction of an error or omission in the personal information about the Applicant that is under the control of Grant Thornton Bermuda.