Privacy policy

This privacy policy, required by articles 13 et seq. of European Regulation (EU) 2016/679 (hereinafter the “Regulation” or the "GDPR"), governs the protection of natural persons in relation to the processing of personal data and is provided in order to explain how data are processed when you access, browse and use this website or use the services provided by the companies Ria Grant Thornton S.p.A., Grant Thornton Consultants S.r.l. and Grant Thornton Financial Due Diligence S.r.l. (hereinafter jointly referred to as “Grant Thornton” or the “Data Controller”) and/or collected by way of paper forms or electronically so that the user of this website (hereinafter the “User” or the “Data Subject”) may knowledgeably and freely express his/her consent to the processing where required in relation to particular types of personal data that concern him/her.

Please note that this privacy policy has not been provided for any other websites consulted by the User which through links from the website of the Data Controller lead to other websites. Accordingly, the existence of a link to another website does not entail the approval or acceptance of liability by the Data Controller regarding the content of the website to which the User is directed, including in relation to the policy adopted for the processing and use of the personal data. The information contained in this privacy policy could change and, accordingly, we ask you to consult this page on a regular basis.


Data Controller, contact details of the DPO and external data supervisors

The following companies are the Data Controller for the purposes of this privacy policy:

  • Ria Grant Thornton S.p.A. with registered office at Via Melchiorre Gioia, 8 - 20124 Milano (MI);
  • Grant Thornton Consultants S.r.l. with registered office at Via Salaria, 222 – 00198 Rome (RM);
  • Grant Thornton Financial Due Diligence with registered office at Corso Vercelli, 40 - 20145 Milan (MI).

Please find below the contact details of the Group Data Protection Officer (hereinafter “DPO”) of all the aforementioned companies:

The updated list of any external data supervisors may be requested from the aforementioned address of the DPO.


Legal grounds for the processing

The Data Controller processes the User's personal data:

a) subject to the express and explicit consent of the User. This relates to any consent to additional voluntary services such as, for example, our newsletter, the transmission of a curriculum vitae or the signing of a contract for a specific service of the Data Controller. The consent may in any case be revoked at any time;

b) for the performance of a specific contract to which the User is party;

c) for a legitimate interest of the Data Controller. This could occur for the following purposes:

- General management of the company and development of services and products;

- Advertising;

- Security guarantee in relation to IT and IT operations;

d) for statutory and/or regulatory obligations.

Methods of collecting the personal data

The methods by which Grant Thornton collects personal data vary depending on how the User uses the website and the other services provided by the Data Controller.

Sometimes the Data Controller receives the personal data from third persons to whom the User has given his/her consent to the communication.

In particular:

  • The browsing data are acquired by the information systems and the software procedures which regulate the operation of this website. The information is not collected in order to allow the subsequent identification of the User but is used for the sole purpose of obtaining anonymous statistical information on the use of the website and in order to ensure that it operates correctly; this category can cover IP addresses or domain names of the computers used by the Users who connect to the website, the time of the request, the method used to submit the request to the server, the numerical code indicating the status of the reply provided by the server (success, error, etc.) and other parameters relating to the operating system and the browser used by the User. These data could be used by the competent authorities to establish the liability in case of computer crime committed against the website.
  • The Data Controller may also acquire personal data where the User:

- enters into or sets about entering into a Contract with the Data Controller in order to obtain a specific service provided by Grant Thornton directly or through subsidiaries (such as – purely by way of example and without limitation – statutory and voluntary auditing, international audit services, IFRS, governance, risk & compliance, transaction advisory service, corporate accountability and consulting);

- intends to submit his/her CV to the Data Controller;

- asks to receive the newsletter;

- has given his/her consent to the transfer of his/her personal data to the Data Controller.

  • The Data Controller may also acquire data of the User collected by way of paper forms or electronically when, for example, he/she physically accesses the premises of the Data Controller and is asked for security reasons to provide his/her identification details.
  • The Data Controller may also collect personal data through access by the User to social network pages such as Twitter, LinkedIn and YouTube. For example, in the Data Controller's website it is possible, by way of appropriate buttons, to follow and/or "like" Grant Thornton's posts. The information suggested by these actions can be used by the social network in question. In this regard, we ask the User to consult the privacy policy of these networks in order to know in detail the possible consequences and the methods of the processing.
  • The Data Controller may acquire data of the User by using Cookies in respect of which all the information about their use and type is provided on the Cookie Policy page (click here to enter the page) which also provides instructions about how to disable the Cookies.


Type of personal data collected

The personal data that Grant Thornton collects for the purposes indicated below may concern information that relates to the User and makes it possible to identify him/her, directly or in combination.

This information may consist of:

- identification information: first name, last name, nationality, place and date of birth, tax code, photo, IP address;

- contact information: postal and e-mail address, telephone number;

- information on training, professional duties and occupation (for example Curriculum Vitae, educational level, position, employment, name of the employer, conditions of employment, remuneration);

- other information needed to provide a specific service managed by Grant Thornton (such as – by way of example and without limitation – statutory and voluntary auditing, international audit services, IFRS, governance, risk & compliance, transaction advisory service, corporate accountability and consulting);

- information deriving from cookies, web beacons and other such technologies.

There exists the possibility that during the provision of the services to the User, Grant Thornton may also collect information that could reveal his/her racial and ethnic origins. This information is considered "special personal data" pursuant to the GDPR. The Data Controller therefore collects this information only in the event that the Data Subject has given his/her explicit consent, if it is necessary due to legal obligations or if he/she has deliberately made it public (for example, Grant Thornton could collect this information at the start of the commercial relationship or when the User provides us with personal documents such as a curriculum vitae, a copy of his/her passport or identity card, nationality and/or photo which can indicate special data).

By providing "special personal data" the User explicitly accepts that the Data Controller may collect and use them in order to provide its services and that they will be processed in compliance with this privacy policy. Should Grant Thornton not be authorised to process such "special personal data", this could make it impossible to provide all or part of the services requested.


Purposes of the processing of the User's personal data

The Data Controller may process the User's personal data for the following purposes:

- in order to manage and be able to provide one of the services provided by Grant Thornton (such as – purely by way of example and without limitation – statutory and voluntary auditing, international audit services, IFRS, governance, risk & compliance, transaction advisory service, corporate accountability and consulting) forming the subject matter of the Contract between the Data Subject and Grant Thornton;

- to search for and select personnel to be hired by Grant Thornton;

- for marketing purposes in order to: keep the User informed of initiatives and events by sending him/her the Grant Thornton newsletter or any other type of communication or to invite the User to events, conferences, meetings or to send informative material;

- to promote the image and values of Grant Thornton through events reserved to clients or which are open to the participation of third parties;

- to meet its own administrative purposes and protect its commercial interests;

- to meet specific statutory obligations, including communications to the tax authorities, financial services regulators and other regulatory and government bodies, and to investigate or prevent offences;

- to provide the User or his/her organisation with information;

- to carry out research on the demographics of its visitors, their interests and behaviour. Grant Thornton does so in order to gain a better understanding of its visitors. Please note that the research is compiled and analysed on an aggregate and anonymous basis;

- for any other specific purpose which will be communicated to the User from time to time.


Persons to whom the personal data of the User may be communicated. Cases of dissemination of the data

Grant Thornton is a member of the Grant Thornton International network and any information that is provided may be shared with, and processed by, any entity in the global network where required for the performance of its services.

Furthermore, the Data Controller may communicate the User's personal data to:

- companies which on behalf of Grant Thornton provide services that are essential for the proper performance of the contract entered into with the Data Subject with a branch in Italy;

- companies which provide to Grant Thornton services relating to the management of its information system with a branch either in Italy or in EU countries;

- professional service firms and companies within professional advisory and consulting relationships with a branch in Italy;

- providers of professional services and/or companies which perform oversight, auditing and certification obligations in relation to the services performed by Grant Thornton with an office in Italy;

- law enforcement agencies competent for any investigations or court orders;

- authorities which supervise the activities of Grant Thornton (for example CONSOB);

- insurance companies providing a group or individual insurance as well as pension funds of employees with a branch in Italy or EU countries;

- banks which carry out payments to employees and third parties with a branch in Italy.

With the exception of the foregoing, Grant Thornton will not disclose the User's personal data unless it is required to do so or has permission to do so by law or must do so for the purpose of performing its service.

Please note that with some categories of persons indicated above, the Data Controller has entered into an agreement with the third party which provides a service to Grant Thornton and appointed it “Data Supervisor” pursuant to the Regulation. If said person processes the User's data, the processing may be carried out solely in relation to the type of service performed by it and in any case in compliance with obligations imposed by the Data Controller upon the Data Supervisor as regards the processing of the personal data. 

Methods of processing and data retention period

The processing is carried out with the assistance of electronic data processing equipment and, in some cases, on paper, in accordance with the principles of propriety, lawfulness, transparency, relevance and necessity, on grounds closely connected to the purposes indicated above suitable for safeguarding the confidentiality of the data and the rights of the User in compliance with currently applicable laws. In order to protect the data from deliberate or accidental destruction or loss and against non-authorised access or disclosure the Data Controller has put in place security measures of an organisational and technical nature.  Consequently, without specific rules that provide for different retention periods, the Data Controller will use the data for purposes indicated in this privacy policy for a period of time appropriate for the purposes that justified the collection and until the prescription of the time limits identified by the rules of the Italian Civil Code and tax laws as regards accounting records, the drawing up of annual financial statements and tax obligations. In any case, the Data Controller will take all measures to avoid use of the data for an indefinite period of time and will limit their storage in the files to the length of time strictly required by law and the regulations previously referenced and the additional laws and regulations that could from time to time govern the time frame for the storage of such personal data. In particular, note must be taken of the following time limits connected to the processing:

- personal data and particulars collected in order to provide one of the services managed by Grant Thornton: for the term of the contract and up to 24 months subsequent to its termination, save where provision of law or regulations state otherwise, that, as regards the statutory and voluntary audit, provide at least 10 years of storage of the personal data collected for the fulfilment of the engagement;

- personal data collected for the purposes of seeking and selecting personnel to be hired at Grant Thornton once the selection process concerned by the collection of data is completed: 24 months;

- data collected for the purposes of marketing and commercial profiling: for the entire duration of the promotional campaign and in any case up to 36 months.

The right of the Data Subject to revoke his/her consent to the processing at any time will remain unaffected and we warn that, should the personal data be processed for the performance of a contract, the revocation of the consent makes it impossible for the Data Controller to fulfill the obligations undertaken towards the Data Subject.

Nature of the consent and consequences of refusal

Except as specified in relation to browsing data (IP address), the User is free to provide his/her data by completing appropriate request forms (on paper or electronically in the sections of the website prepared or physically at Grant Thornton). In this regard, it is to be noted, however, that failure to provide them could restrict the use of the services provided by the Data Controller.

The personal data provided voluntarily for the purposes of registration and access to some areas of the website is optional but failure to collect the data will make it impossible to forward the information or the requests to the website. Similarly, failure to collect the personal data will not allow Grant Thornton to perform the contract with the User for the services requested.

Information relating to minors

Grant Thornton does not knowingly collect the data of minors. If a minor User sends personal data to the Data Controller through the website the information will be deleted and destroyed as soon as possible.

Data Supervisor

The Data Controller has appointed as external Data Supervisors the companies, bodies or service providers that carry out the processing of personal data on behalf of the Data Controller. The updated list of Data Supervisors is available from the Data Controller and can be requested from the Data Controller as indicated above.


Security of the processed data

Grant Thornton has implemented technical and organisational measures to protect the personal data from non-authorised or illegal processing and against accidental loss, disclosure or damage.

Unfortunately, no transmission of data over the internet or any other network can be guaranteed to be 100% secure but Grant Thornton has implemented appropriate measures in order to protect the security of the personal data of its Users.

Rights of the Data Subject

In relation to the aforementioned processing of personal data pursuant to articles 13, paragraph 2, sub-paragraphs (b) and (d), 15, 18, 19 and 21 of European Regulation 679/2016, the Data Subject has a right to:

a) ask the Controller for access to the personal data, their rectification or deletion or restriction on the processing that concerns him/her;

b) submit complaints to the Data Protection Authority in Italy by following the procedures and instructions published on the official website of the Authority at or to the Data Protection Authority of the country in which the Data Subject normally works or, finally, to the Data Protection Authority of the country in which the breach occurred.

c) The Data Subject has a right to object in whole or in part and at any time:

  • for lawful reasons to the processing of the personal data concerning him/her even if they are relevant to the purposes of the collection of the data;
  • to the processing of personal data concerning him/her for the purpose of sending advertising material, direct sales or for the performance of market research surveys or commercial communication.


The Data Subject also has the right to revoke the consent to the processing of the data at any time without prejudicing the lawfulness of the processing based on the consent provided prior to the revocation. Any rectifications or deletions or restrictions on the processing carried out at the request of the Data Subject, unless this proves impossible or entails a disproportionate effort, will be communicated by the Data Controller to each of the recipients to whom the personal data have been sent. The Controller may notify the Data Subject of these recipients where the Data Subject so requests. The exercise of the rights is not subject to any formal requirements and is free of charge.

Any Data Subject may, in order to exercise his/her rights, contact the DPO by using the following address:

The Data Controller