Privacy statement: professional engagements

Updated 13 November 2025 

Grant Thornton wants to protect the privacy of our clients and all third parties whose data we process in the course of our professional engagements.  In the conduct of providing our professional services to clients, we may need to collect and use personal data about their directors, shareholders, partners, trustees, clients or customers or their employees, agents or contractors, which we will hold as a controller under the Data Protection Act 2018 and applicable data protection laws. 

Please read the following statement; it will help you to understand how we use your personal data.

About Us

In this privacy statement, references to Grant Thornton (including, "we", "us", "our" and "Grant Thornton Group") refer to the following entities, each of whom are part of a global alternative practices structure: Grant Thornton Advisors LLC, Grant Thornton LLP, Grant Thornton Corporate Finance Limited, Grant Thornton Ireland and/or their affiliates and subsidiaries.

What personal data do we collect?

The type of personal data collected will depend on the nature of the engagement. In the course of carrying out our engagement for our client we may process personal data including your personal identification, name, address, email address, telephone numbers, roles and responsibilities, PPS numbers, details relating to contract of employment, salary information including credits and deductions, tax returns, bank account details, insurance details, invoices and company loan information. We may also process health information and family details if instructed to provide certain services to our client.

While most personal data will be obtained from you directly or from our client, we may also perform background checks as part of our client onboarding procedures and continuous monitoring, and we will engage a third-party service provider to assist with such checks.

Why do we process your personal data?

We may process your personal data in connection with our client on-boarding process, which includes background checks, in order to comply with our legal obligations in connection with the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, as amended by the Criminal Justice Act 2013 and as may be further amended and updated from time to time.

We may also process your personal data in connection with the professional services that we provide to our clients.  In particular, where we provide audit and/or tax services to our clients we may be the controller of certain personal data that we process in order to undertake that service and meet our contractual and professional obligations. 

Our processing of your personal data in these circumstances is also based on our legitimate business interests in performing our engagement, operating our business and complying with internal policies and procedures.  We may also be required to process such personal data in order to comply with our legal obligations.

To whom might we disclose your personal data?

We may be required to provide other audit firms with access to our audit files where they act as group auditors or successor auditors.  We may also be requested to provide access to our audit files to potential investors or their advisors.

We may be required in certain circumstances, by law or by Regulations or by Professional Bodies, some of these may be located outside the European Economic Area (EEA), to which we belong, to make reports to regulatory and law enforcement authorities or to such bodies, or to disclose documents or information or take other action, as a result of information received by us or matters which come to our attention during the course of our engagement. We may also be required to provide Regulatory Bodies, Grant Thornton International Limited or Professional Bodies with access to our work papers in order to facilitate monitoring inspections.

Transfers Abroad

To facilitate our global operations, certain of our services and sites are provided from the United States and other locations.

If you are resident in Isle of Man, we may share, transfer or store personal data outside your country of residence to certain recipients (mainly our affiliates and external service providers) in the United States, India, and other countries which we deem appropriate from time to time.

Where the laws and practices in these countries may not have equivalent data protection and privacy rules to those under the Data Protection Act 2018, we will protect your personal data in accordance with this Privacy Statement and our Isle of Man Privacy Addendum.

Where these transfers of personal data occur, we ensure that a transfer mechanism and appropriate safeguards are in place to protect your personal data:

  • For transfers (including, onward transfers) of Personal Data within the Grant Thornton Group to affiliates in the United States where your personal data is stored within the European Economic Area (“EEA”), we rely on the EU-US Data Privacy Framework and the UK-US Data Privacy Framework (UK and Gibraltar), as operated by the U.S. Department of Commerce. To learn more about the Data Privacy Framework (“DPF”), and to view our certification, please visit dataprivacyframework.gov. Please also visit our dedicated webpage for more information about our participation in the DPF: Data privacy framework.
  • For transfers (including, onward transfers) of your personal data within the Grant Thornton Group to affiliates based in other, non-EEA countries we will transfer and process your data in accordance with the Data Protection Act 2018 and GDPR requirements.
  • For transfers (including, onward transfers) of your personal data within the Grant Thornton Group to affiliates based in other, non-EEA countries and where an appropriate data transfer adequacy decision has not been approved by the EU Commission, we rely on the EU Standard Contractual Clauses ("SCCs") or the UK Addendum to the EU SCCs (e.g., India and Bermuda).
  • For transfers (including, onward transfers) of personal data to external providers, we rely on the DPF, the EU SCCs, UK Addendum, or adequacy decisions of the European Commission.

If you would like to find out more about any transfers relating to your personal data, please contact us by e-mailing dataprivacy@ie.gt.com.

Our retention of your personal data

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Your rights

You have the right, subject to certain exemptions,

  • to obtain a copy of any personal data we hold about you,
  • to request rectification or erasure of such data,
  • to request restriction of processing or to object to processing,
  • data portability,
  • and request to object to automated decision-making, including profiling.  

If you wish to exercise these rights, please contact us at our registered office:

Registered office address: Third Floor, Exchange House, 54-62 Athol Street, Douglas, Isle of Man, IM1 1JD.

Alternatively, contact dataprivacy@ie.gt.com 

You also have the right to complain to the Isle of Man Information Commission or another supervisory authority.