Privacy statement

As part of our services, Grant Thornton processes personal data. Grant Thornton has drawn up this privacy statement in order to inform you about how Grant Thornton handles personal data.

1. Who is Grant Thornton?

The following companies fall under the name Grant Thornton:

1. Grant Thornton Accountants en Adviseurs B.V.;
2. Grant Thornton Specialist Advisory Services B.V.;
3. Grant Thornton Forensic & Investigation Services B.V.;
4. Grant Thornton Expatriate Services B.V.;
5. Grant Thornton Outsourcing B.V.;
6. Impact Campus Grant Thornton B.V.

2. Protection of your personal data

Customers, suppliers, business associates and employees are entitled to expect Grant Thornton to treat their data with due care. Grant Thornton has developed a privacy policy that is in line with the (European) General Data Protection Regulation (GDPR). Grant Thornton's privacy policy is implemented through agreements, rules of conduct and (security) measures.

3. Personal data

Grant Thornton obtains personal data from you or through third parties in the context of our services. Grant Thornton uses only those personal data that are necessary for the proper provision of services and business operations. To the extent that Grant Thornton acts as a processor, it will process the data received from the controller.

Grant Thornton generally processes the following categories of personal data of the categories of data subjects listed below:

• Customers and suppliers: name/address data, contact data such as email address, account data (portal, etc.), data provided by customers/suppliers, data required by law, etc.
• Visitors to the website: IP address, account details, website behaviour, data entered, etc.
• Employees: name/address data, date of birth/place, gender, contact details such as email address, passport photo, BSN number, employee number, etc.
• Applicants: for this we would like to refer you to the new privacy statement of Carrierebijgt.nl that you can find here
• Final beneficiaries of clients who commissioned Sinzer to provide impact management advice

Depending on the purpose of the processing and the role of Grant Thornton (processor / controller), other data may also be processed.

Special personal data

Grant Thornton is legally obliged to process the BSN number in order to provide tax returns and surcharges, (subsidy) applications and the payroll administration. A full copy of the identity document is also required for payroll tax purposes. The Money Laundering and Terrorist Financing (Prevention) Act (Wwft) obliges Grant Thornton to establish your identity and keep proof thereof.

Special personal data, such as health data, can be processed for salary administration, wage tax returns and registrations and deregistrations at pension insurers, absenteeism insurers and occupational health and safety services.

Final beneficiaries of Sinzer's customers who want an impact management advice: special personal data to the extent necessary to investigate the effectiveness of the activities offered.

4. Purposes

Grant Thornton processes these personal data for various purposes, such as:

• Performance of the agreements with Grant Thornton's suppliers and customers
• Good and efficient service provision and business operations
• Performing administrative acts
• Maintaining contact
• Improving service to its customers
• Billing
• Collecting funds and taking collection measures
• Marketing
• Fulfilling legal obligations
• Litigation
• Being able to offer personalised ads and information on the website

5. Principles

Grant Thornton only uses personal data if one of the principles mentioned in the law applies.

Grant Thornton processes certain personal data in order to comply with a legal obligation. This applies, for example, to the financial and salary administration and the duty to cooperate in tax audits. In addition, Grant Thornton is subject to a number of statutory obligations in its business operations, such as verifying the identity of clients in the context of the Money Laundering and Terrorist Financing (Prevention) Act (Wwft).

Grant Thornton also processes personal data because Grant Thornton or a third party (the customer, supplier or another party) has a legitimate interest therein. These legitimate interests are:

• Execution of the agreement concluded with the customer/supplier
• The ability to provide its services as efficiently as possible
• The improvement of its services
• Security and management of its systems

Grant Thornton processes the data of its employees primarily on the basis of the (employment) contracts concluded with them.

If personal data are processed on the basis of permission, this will be requested separately.

6. Provision to third parties

Grant Thornton may exchange personal data as part of its services. Grant Thornton may use the services of third parties for the aforementioned purposes, such as the IT suppliers of our website and our systems, organisations for archive management, specialised advisors and other service providers. In this context, personal data will be provided to these third parties. These third parties may only process your personal data for the aforementioned purposes.

Finally, your personal data may be provided to third parties if Grant Thornton is required to comply with a legal obligation. This may be the case, for example, with inspections by the Tax and Customs Administration, the FIOD (Fiscal Intelligence and Investigation Service) or the AFM ( Dutch Authority for the Financial Markets).

If third parties must or may necessarily have access to your personal data, a processing agreement will be concluded where necessary, in which the agreements will be laid down that guarantee the correct and safe processing and confidentiality of your personal data.

7. Provision to other Grant Thornton member firms and data transfer outside the EEA

Personal data may be transferred across borders to other parts of the Grant Thornton network or to third parties for the purposes described above. The foregoing may also mean that personal data may be transferred to countries or regions without legislation protecting personal data equivalent to that enjoyed by visitors to the website in their country of origin. In such cases, Grant Thornton will take appropriate measures in each case, so that in a situation in which such a transfer of data takes place, such a transfer of data will always take place in a way that provides an "adequate level of protection".

8. Profiling

Grant Thornton makes behavioural analyses of the information Grant Thornton collects about you. Grant Thornton does this in order to be able to improve its services

9. Cookies

Cookies are used on the website to improve online services. Cookies process your IP address and the system information of your device. For more information about these cookies, please refer to our Cookie Statement.

10. How Grant Thornton secures your data

Grant Thornton believes it is important that your personal data is protected against loss or unauthorised access. Grant Thornton has therefore taken appropriate security measures at a level that is necessary in view of the nature and volume of the personal data to be processed.

All Grant Thornton employees have a duty of confidentiality and are only allowed to process personal data as required for their work.

11. Security breach

Despite all technical and organisational security measures, a breach (data breach) can never be completely ruled out. Grant Thornton has set up a dedicated email address that allows employees and suppliers to report incidents that may involve a data leak. See point 14 below for contact details.

As required by law, a data breach that could have serious consequences for data subjects is reported to the Dutch Data Protection Authority and, if required, to the persons whose personal data are involved in the data breach.

12. How long Grant Thornton stores your data

Grant Thornton will not process your personal data for longer than is necessary for the purposes stated in this privacy statement. This means that your personal data will be kept for as long as they are needed to achieve the purposes in question. Certain data must be kept longer, because Grant Thornton has to comply with legal retention obligations, such as the retention obligation for tax purposes.

13. Your rights

The privacy legislation is aimed at giving control options to the data subject, the person whose data are being processed. These rights are explained below.

Information:
Data subjects have the right to be informed of the existence and purpose of the processing before their personal data are processed.

Insight:
You can request access if you think that Grant Thornton is processing your personal data. Grant Thornton will then notify you whether or not it is processing your personal data and inform you about the processing(s) for which your personal data is used.

Rectification or erasure of data:
If it appears after access that the personal data Grant Thornton processes of you are not (completely) correct, you can request rectification. You can also ask Grant Thornton to delete your data. Grant Thornton will implement this request, unless there are compelling, e.g., legal, obstacles to doing so. Grant Thornton will inform you about whether or not a rectification or data erasure has been made.

Restriction and objections:
You always have the right, due to your specific situation, to object to the processing and to request Grant Thornton to restrict or discontinue the processing. If there are no compelling obstacles, for example legal obstacles, Grant Thornton will honour your request. Grant Thornton will notify you of its decision.

If you wish to exercise your rights, you can submit a request in writing or by email. See point 14 below for contact details.

14. Questions - complaints

If you have a question or a complaint about the processing of your personal data by Grant Thornton, please let us know. Grant Thornton will respond to your question or complaint as soon as possible, but at latest within four weeks.

Contact address:

Grant Thornton Accountants en Adviseurs B.V.
Attn privacy officer
Privacy@nl.gt.com
Flemingweg 10
2408 AV

PO Box 330
2400 AH Alphen aan den Rijn

For Sinzer:
Attn privacy officer
privacy@sinzer.org
Flemingweg 10
2408 AV

PO Box 330
2400 AH Alphen aan den Rijn

You also have the right to lodge a complaint with the privacy regulator, the Dutch Data Protection Authority. You can contact the Dutch Data Protection Authority for this purpose.

Grant Thornton may amend this privacy statement. New versions are always published on the website. Grant Thornton therefore recommends that you periodically review this statement to ensure that you are kept informed of any changes.

Changes to the privacy policy
This privacy statement was last amended on July 1, 2021.