Privacy statement

In the context of our services, Grant Thornton processes personal data. Grant Thornton has drawn up this privacy statement to inform you about how Grant Thornton handles personal data.

1. Who is Grant Thornton?

The following entities operate under the name Grant Thornton:

  1. Grant Thornton Accountants en Adviseurs B.V.;
  2. Grant Thornton Audit en Assurance B.V.;
  3. Grant Thornton Expatriate Services B.V.;
  4. Grant Thornton Specialist Advisory Services B.V.;
  5. Grant Thornton Forensic & Investigation Services B.V.;
  6. Grant Thornton Outsourcing B.V.;
  7. Impact Campus Grant Thornton B.V.;
  8. Stichting Executele en Bewind Grant Thornton.

2. Protection of your personal data

Clients, suppliers, business contacts and employees are entitled to have Grant Thornton handle their data with care. Grant Thornton has developed a privacy policy that is aligned with the European General Data Protection Regulation (GDPR). Grant Thornton’s privacy policy is implemented in agreements, codes of conduct and (security) measures.

3. Personal data

Grant Thornton obtains personal data from you yourself or via third parties in the context of our services. Grant Thornton uses only those personal data that are necessary for proper service delivery and business operations. Insofar as Grant Thornton acts as a processor, it processes the data it receives from the controller.

In general, Grant Thornton processes the following categories of personal data of the categories of data subjects listed below:

  • Clients and suppliers: name and address details, contact details such as e-mail address, account details (portal etc.), data provided by clients/suppliers, data required by law, etc.
  • Visitors to the website: IP address, account details, behaviour on the website, data entered on the website, etc.
  • Employees: name and address details, date/place of birth, gender, contact details such as e-mail address, passport photo, citizen service number (BSN), personnel number, etc.
  • Applicants: for this, we kindly refer you to the privacy statement of Carrierebijgt.nl
  • Ultimate beneficiaries of clients who have instructed Grant Thornton Specialist Advisory Services B.V. / Impact Campus to provide impact management advice.

Depending on the purpose of the processing and the role of Grant Thornton (processor / controller), other data may also be processed.

Special categories of personal data
For the preparation of tax returns and allowances, (subsidy) applications and payroll administration, Grant Thornton is legally required to process the citizen service number (BSN). A full copy of the identity document is additionally required under wage tax legislation. The Dutch Anti-Money Laundering and Anti-Terrorist Financing Act (Wwft) requires Grant Thornton to establish your identity and to retain evidence of this.

For the purpose of payroll administration, the filing of wage tax returns and the registration and deregistration with pension providers, absenteeism insurers, and occupational health and safety services, special categories of personal data, such as data relating to health, may be processed.

Ultimate beneficiaries of clients of Grant Thornton Specialist Advisory Services B.V. / Impact Campus who wish to obtain impact management advice: special categories of personal data, insofar as this is necessary for assessing the effectiveness of the activities provided.

4. Purposes

Grant Thornton processes these personal data for various purposes, such as:

  • Performance of agreements with suppliers and clients of Grant Thornton;
  • Proper and efficient service delivery and business operations;
  • Carrying out administrative activities;
  • Maintaining contact;
  • Improving the services provided to its clients;
  • Invoicing;
  • Collecting amounts due and taking collection measures;
  • Marketing;
  • Compliance with legal obligations;
  • Conducting legal proceedings;
  • Being able to offer personalised advertisements and information on the website.

5. Legal grounds

Grant Thornton uses personal data only where one of the legal grounds listed in the law applies.

Grant Thornton processes certain personal data in order to comply with a legal obligation. This applies, for example, to financial and payroll administration and the obligation to cooperate with tax audits. In addition, in its business operations Grant Thornton is subject to a number of legal obligations, such as verifying the identity of clients in the context of the Dutch Anti-Money Laundering and Anti-Terrorist Financing Act (Wwft).

Grant Thornton also processes personal data because Grant Thornton or a third party (the client, supplier or another party) has legitimate interests in doing so. These legitimate interests include:

  • Performing the agreement concluded with the client/supplier;
  • Providing its services as efficiently as possible;
  • Improving its services;
  • Securing and managing its systems.

Grant Thornton primarily processes data of its staff on the basis of the (employment) agreements concluded with the staff members.

If personal data are processed on the basis of consent, that consent will be requested separately.

6. Disclosure to third parties

In the context of its services, Grant Thornton may exchange personal data. For the purposes mentioned above, Grant Thornton may use the services of third parties, such as the IT providers of our website and our systems, organisations for archive management, specialised advisers and other service providers. In that context, personal data are provided to these third parties. These third parties may only process your personal data for the purposes mentioned above.

Finally, your personal data may be provided to third parties where Grant Thornton is required to comply with a legal obligation. This may be the case, for example, in the event of an audit by the Dutch Tax and Customs Administration (Belastingdienst), the Fiscal Intelligence and Investigation Service (FIOD) or the Netherlands Authority for the Financial Markets (AFM).

Where third parties must or may necessarily have access to your personal data, a data processing agreement will be concluded where necessary, in which the arrangements are laid down that guarantee correct and secure processing and the confidentiality of your personal data.

7. Disclosure to other Grant Thornton member firms and transfers of data outside the EEA

It is possible that personal data will be transferred across borders to other entities within the Grant Thornton network or to third parties for the purposes described above. The foregoing may also involve transfers of personal data to countries or regions whose data protection laws are not equivalent to the level of protection enjoyed by the website visitor in his or her country of origin. In such cases, Grant Thornton will always take appropriate measures so that, in any situation in which such a transfer of data takes place, the transfer always occurs in a manner that ensures an “adequate level of protection”.

8. Profiling

Grant Thornton analyses the information that it collects about you. It does so in order to improve its services.

9. Cookies

Cookies are used on the website to improve the online services. Through cookies, your IP address and the system information of your device are processed. For more information about these cookies, please refer to our cookie statement.

10. How Grant Thornton secures your data

Grant Thornton considers it important that your personal data are protected against loss or unauthorised access to your personal data. Grant Thornton has therefore taken appropriate security measures at a level that is necessary in view of the nature and volume of the personal data to be processed.

All employees of Grant Thornton are subject to a duty of confidentiality and may only process personal data if they need these data for their work.

11. Personal data breach 

Despite all technical and organisational security measures, a breach (data breach) can never be completely ruled out. Grant Thornton has set up a dedicated e-mail address where employees and suppliers can report incidents that may constitute a data breach. Please refer to section 14 below for the contact details.

As required by law, any data breach that may have serious consequences for data subjects will be reported to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and, where required, to the person(s) whose personal data are involved in the data breach.

12. How long Grant Thornton retains your data

Grant Thornton will not process your personal data for longer than is necessary for the purposes stated in this privacy statement. This means that your personal data will be retained for as long as they are needed to achieve the relevant purposes. Certain data must be retained for a longer period because Grant Thornton is required to comply with statutory retention obligations, such as the fiscal retention obligation.

13. Your rights

Data protection legislation is intended to give the data subject, the person whose data is processed, extensive control options. These rights are explained below.

Information
Data subjects have the right to be informed of the existence and purpose of the processing before their personal data is processed.

Access
You may request access if you believe that Grant Thornton is processing personal data about you. Grant Thornton will then inform you whether or not your personal data is being processed and provide all other information about the processing(s) for which your personal data is used.

Rectification or erasure of data
If, after access, it appears that the personal data that Grant Thornton processes about you is not (fully) correct, you may request rectification. You may also ask Grant Thornton to erase your data. Grant Thornton will comply with this request, unless there are compelling obstacles, for example, of a legal nature, to doing so. Grant Thornton will inform you whether or not a correction or erasure of data has been carried out.

Restriction and objections
You always have the right, on grounds relating to your particular situation, to object to the processing and to request Grant Thornton to restrict or cease the processing. If there are no compelling obstacles, for example of a legal nature, Grant Thornton will comply with your request. Grant Thornton will notify you of its decision.

If you wish to exercise your rights, you may submit a request in writing or by e-mail. Please refer to section 14 below for the contact details.

14. Questions - complaints

If you have a question or a complaint about the processing of your personal data by Grant Thornton, please do not hesitate to let us know. Grant Thornton will respond to your question or complaint as soon as possible, but in any event within four weeks.

Contact address:

Grant Thornton accountants en adviseurs B.V.
For the attention of the Privacy Officer
Privacy@nl.gt.com
Flemingweg 10
2408 AV (postal code)
P.O. Box 2259
2400 CG Alphen aan den Rijn
The Netherlands

You also have the right to lodge a complaint with the data protection supervisory authority, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). You can contact the Dutch Data Protection Authority for this purpose.

Grant Thornton may amend this privacy statement. New versions will always be published on the website. Grant Thornton therefore recommends that you consult this statement regularly so that you remain informed of any changes.

Amendments to the privacy statement
This privacy statement was last amended on 1 August 2025.