Data Controller, contact details of the DPO and external data supervisors
- Ria Grant Thornton S.p.A. with registered office at Corso Vercelli, 40 - 20145 Milan (MI);
- Grant Thornton Consultants S.r.l. with registered office at Via Salaria, 222 – 00198 Rome (RM);
- Grant Thornton Financial Due Diligence with registered office at Corso Vercelli, 40 - 20145 Milan (MI).
Please find below the contact details of the Group Data Protection Officer (hereinafter “DPO”) of all the aforementioned companies: firstname.lastname@example.org
The updated list of any external data supervisors may be requested from the aforementioned address of the DPO.
Legal grounds for the processing
The Data Controller processes the User's personal data:
a) subject to the express and explicit consent of the User. This relates to any consent to additional voluntary services such as, for example, our newsletter, the transmission of a curriculum vitae or the signing of a contract for a specific service of the Data Controller. The consent may in any case be revoked at any time;
- b) for the performance of a specific contract to which the User is party;
- c) for a legitimate interest of the Data Controller. This could occur for the following purposes:
- General management of the company and development of services and products;
- Security guarantee in relation to IT and IT operations;
- d) for statutory and/or regulatory obligations.
Methods of collecting the personal data
The methods by which Grant Thornton collects personal data vary depending on how the User uses the website and the other services provided by the Data Controller.
Sometimes the Data Controller receives the personal data from third persons to whom the User has given his/her consent to the communication.
- The browsing data are acquired by the information systems and the software procedures which regulate the operation of this website. The information is not collected in order to allow the subsequent identification of the User but is used for the sole purpose of obtaining anonymous statistical information on the use of the website and in order to ensure that it operates correctly; this category can cover IP addresses or dominion names of the computers used by the Users who connect to the website, the time of the request, the method used to submit the request to the server, the numerical code indicating the status of the reply provided by the server (success, error, etc.) and other parameters relating to the operating system and the browser used by the User. These data could be used by the competent authorities to establish the liability in case of computer crime committed against the website.
- The Data Controller may also acquire personal data where the User:
- enters into or sets about entering into a Contract with the Data Controller in order to obtain a specific service provided by Grant Thornton directly or through subsidiaries (such as – purely by way of example and without limitation – statutory and voluntary auditing, international audit services, IFRS, governance, risk & compliance, transaction advisory service, corporate accountability and consulting);
- intends to submit his/her CV to the Data Controller;
- asks to receive the newsletter;
- has given his/her consent to the transfer of his/her personal data to the Data Controller.
- The Data Controller may also acquire data of the User collected by way of paper forms or electronically when, for example, he/she physically accesses the premises of the Data Controller and is asked for security reasons to provide his/her identification details.
Type of personal data collected
The personal data that Grant Thornton collects for the purposes indicated below may concern the information that relate to the User and make it possible to identify him/her, directly or in combination.
This information may consist of:
- identification information: first name, last name, nationality, place and date of birth, tax code, photo, IP address;
- contact information: postal and e-mail address, telephone number;
- information on training, professional duties and occupation (for example Curriculum Vitae, educational level, position, employment, name of the employer, conditions of employment, remuneration);
- other information needed to provide a specific service managed by Grant Thornton (such as – by way of example and without limitation – statutory and voluntary auditing, international audit services, IFRS, governance, risk & compliance, transaction advisory service, corporate accountability and consulting);
- information deriving from cookies, web beacons and other such technologies.
There exists the possibility that during the provision of the services to the User, Grant Thornton may also collect information that could reveal his/her racial and ethnic origins. This information is considered "special personal data" pursuant to the GDPR. The Data Controller therefore collects this information only in the event that the Data Subject has given his/her explicit consent, if it is necessary due to legal obligations or if he/she has deliberately made it public (for example, Grant Thornton could collect this information at the start of the commercial relationship or when the User provides us with personal documents such as a curriculum vitae, a copy of his/her passport or identity card, nationality and/or photo which can indicate special data).
Purposes of the processing of the User's personal data
The Data Controller may process the User's personal data for the following purposes:
- in order to manage and be able to provide one of the services provided by Grant Thornton (such as – purely by way of example and without limitation – statutory and voluntary auditing, international audit services, IFRS, governance, risk & compliance, transaction advisory service, corporate accountability and consulting) forming the subject matter of the Contract between the Data Subject and Grant Thornton;
- to search for and select personnel to be hired by Grant Thornton;
- for marketing purposes in order to: keep the User informed of initiatives and events by sending him/her the Grant Thornton newsletter or any other type of communication or to invite the User to events, conferences, meetings or to send informative material;
- to promote the image and values of Grant Thornton through events reserved to clients or which are open to the participation of third parties;
- meet its own administrative purposes and protect its commercial interests;
- to meet specific statutory obligations, including communications to the tax authorities, financial services regulators and other regulatory and government bodies, and to investigate or prevent offences;
- to provide the User or his/her organisation with information;
- to carry out research on the demographics of its visitors, their interests and behaviour. Grant Thornton does so in order to gain a better understanding of its visitors. Please note that the research is compiled and analysed on an aggregate and anonymous basis;
- for any other specific purpose which will be communicated to the User from time to time.
Persons to whom the personal data of the User may be communicated. Cases of dissemination of the data
Grant Thornton is a member of the Grant Thornton International network and any information that is provided may be shared with, and processed by, any entity in the global network where required for the performance of its services.
Furthermore, the Data Controller may communicate the User's personal data to:
- companies which on behalf of Grant Thornton provide services that are essential for the proper performance of the contract entered into with the Data Subject with a branch in Italy;
- companies which provide to Grant Thornton services relating to the management of its information system with a branch either in Italy or in EU countries;
- professional service firms and companies within professional advisory and consulting relationships with a branch in Italy;
- providers of professional services and/or companies which perform oversight, auditing and certification obligations in relation to the services performed by Grant Thornton with an office in Italy;
- law enforcement agencies competent for any investigations or court orders;
- authorities which supervise the activities of Grant Thornton (for example CONSOB);
- insurance companies providing a group or individual insurance as well as pension funds of employees with a branch in Italy or EU countries;
- banks which carry out payments to employees and third parties with a branch in Italy.
With the exception of the foregoing, Grant Thornton will not disclose the User's personal data unless it is required to do so or has permission to do so by law or must do so for the purpose of performing its service.
Please note that with some categories of persons indicated above, the Data Controller has entered into an agreement with the third party which provides a service to Grant Thornton and appointed it “Data Supervisor” pursuant to the Regulation. If said person processes the User's data, the processing may be carried out solely in relation to the type of service performed by it and in any case in compliance with obligations imposed by the Data Controller upon the Data Supervisor as regards the processing of the personal data.
Methods of processing and data retention period
- personal data and particulars collected in order to provide one of the services managed by Grant Thornton: for the term of the contract and up to 24 months subsequent to its termination, save where provision of law or regulations state otherwise, that, as regards the statutory and voluntary audit, provide at least 10 years of storage of the personal data collected for the fulfilment of the engagement;
- personal data collected for the purposes of seeking and selecting personnel to be hired at Grant Thornton once the selection process concerned by the collection of data is completed: 24 months;
- data collected for the purposes of marketing and commercial profiling: for the entire duration of the promotional campaign and however up to 36 months;
The right of the Data Subject to revoke his/her consent to the processing at any time will remain unaffected and we warn that, should the personal data be processed for the performance of a contract, the revocation of the consent makes it impossible for the Data Controller to fulfill the obligations undertaken towards the Data Subject.
Nature of the consent and consequences of refusal
Except as specified in relation to browsing data (IP address), the User is free to provide his/her data by completing appropriate request forms (on paper or electronically in the sections of the website prepared or physically at Grant Thornton. In this regard, it is to be noted, however, that failure to provide them could restrict the use of the services provided by the Data Controller.
The personal data provided voluntarily for the purposes of registration and access to some areas of the website is optional but failure to collect the data will make it impossible to forward the information or the requests to the website. Similarly, failure to collect the personal data will not allow Grant Thornton to perform the contract with the User for the services requested.
Information relating to minors
Grant Thornton does not knowingly collect the data of minors. If a minor User sends personal data to the Data Controller through the website the information will be deleted and destroyed as soon as possible.
The Data Controller has appointed as external Data Supervisors the companies, bodies or service providers that carry out the processing of personal data on behalf of the Data Controller. The updated list of Data Supervisors is available from the Data Controller and can be requested from the Data Controller as indicated above.
Security of the processed data
Grant Thornton has implemented technical and organisational measures to protect the personal data from non-authorised or illegal processing and against accidental loss, disclosure or damage.
Unfortunately, no transmission of data over the internet or any other network can be guaranteed to be 100% secure but Grant Thornton has implemented appropriate measures in order to protect the security of the personal data of its Users.
Rights of the Data Subject
In relation to the aforementioned processing of personal data pursuant to articles 13, paragraph 2, sub-paragraphs (b) and (d), 15, 18, 19 and 21 of European Regulation 679/2016, the Data Subject has a right to:
- a) ask the Controller for access to the personal data, their rectification or deletion or restriction on the processing that concerns him/her;
- b) submit complaints to the Data Protection Authority in Italy by following the procedures and instructions published on the official website of the Authority at www.garanteprivacy.it or to the Data Protection Authority of the country in which the Data Subject normally works or, finally, to the Data Protection Authority of the country in which the breach occurred.
- c) The Data Subject has a right to object in whole or in part and at any time:
- for lawful reasons to the processing of the personal data concerning him/her even if they are relevant to the purposes of the collection of the data;
- to the processing of personal data concerning him/her for the purpose of sending advertising material, direct sales or for the performance of market research surveys or commercial communication.
The Data Subject also has the right to revoke the consent to the processing of the data at any time without prejudicing the lawfulness of the processing based on the consent provided prior to the revocation. Any rectifications or deletions or restrictions on the processing carried out at the request of the Data Subject, unless this proves impossible or entails a disproportionate effort, will be communicated by the Data Controller to each of the recipients to whom the personal data have been sent. The Controller may notify the Data Subject of these recipients where the Data Subject so requests. The exercise of the rights is not subject to any formal requirements and is free of charge.
Any Data Subject may, in order to exercise his/her rights, contact the DPO by using the following address: email@example.com
The Data Controller