Privacy Notice
- What is the purpose of this Privacy Notice?
- Who is responsible for processing your data?
- How do we process data in connection with our products and services?
- How do we process data in connection with marketing?
- How do we disclose personal data?
- Are there any further processing activities?
- On what legal grounds do we process your data?
- How long do we process your personal data?
- Are you required to provide us with your data?
- Do we use personal data for automated decision-making, profiling, and artificial intelligence?
- How do we protect your data?
- What are your rights?
1. What is the purpose of this Privacy Notice?
Through this Privacy Notice, we provide information about how we process your personal data (“personal data”) as well as about your rights in relation to this processing (“processing”). “Personal data” refers to any information relating to an identified or identifiable person (e.g., name, address, telephone number, date of birth, or email address). Information that cannot be linked to your person, for example through anonymization, is not considered personal data. “Processing” refers to any handling of personal data, such as collection, use, disclosure, and deletion.
In this Privacy Notice, we elaborate on how we process your personal data, particularly in the context of our business activities. This Privacy Notice is governed by the Swiss Federal Act on Data Protection (FADP) as well as the European General Data Protection Regulation (GDPR, which also applies in Liechtenstein). Whether the FADP, the GDPR, or both apply to the processing of your personal data can only be determined on a case-by-case basis. If you have any questions, please do not hesitate to contact us (see Section 2).
This Privacy Notice is for information purposes only and does not form part of any contract with you, even if a contract refers to this Privacy Notice. For information on how we process personal data in connection with our website, please refer to our separate Website Privacy Policy, and for the processing of applicant data, please refer to our Privacy Notice for Applicants.
2. Who is responsible for processing your data?
The following companies are the controllers responsible for data processing under this Privacy Notice, i.e., the entities primarily responsible under data protection law (“we”). As a rule, responsibility lies with the company with which you are in direct contact and with which you may enter into a contract:
Switzerland:
Grant Thornton AG
Claridenstrasse 35
P.O. Box 9317
CH-8027 Zurich
Grant Thornton Advisory AG
Claridenstrasse 35
P.O. Box 9317
CH-8027 Zürich
Liechtenstein:
Grant Thornton AG
Bahnhofstrasse 15
P.O. Box 663
FL-9494 Schaan
Grant Thornton Advisory AG
Bahnhofstrasse 15
P.O. Box 663
FL-9494 Schaan
If you have any questions about our handling of your personal data, you can contact us as follows:
Grant Thornton Switzerland / Liechtenstein
Data protection contact Switzerland
Claridenstrasse 35
P.O. Box 9317
CH-8027 Zurich
T 0041 960 71 71
E datenschutz@ch.gt.com
Data protection contact Liechtenstein
Bahnhofstrasse 15
P.O. Box 663
FL-9494 Schaan
T 00423 237 42 42
E datenschutz@li.gt.com
3. How do we process data in connection with our products and services?
When you use our products and services (collectively “services”), we process data primarily to initiate, conclude, and perform the relevant contract:
If we are in contact with you regarding entering into a contract, we process data during the pre-contractual phase (contact details, requests, correspondence with you, etc.) as well as information relating to the conclusion of the contract itself (e.g., date and subject matter of the contract). Furthermore, to comply with our legal obligations and internal policies, we conduct sanctions screenings and similar checks on our clients, respectively their governing bodies, and beneficial owners. For this purpose, we obtain data from relevant databases, including identification data such as date of birth of registered persons, information about economic and political affiliations, and any applicable sanctions. Before concluding a contract, we may also assess the creditworthiness of our contracting partner, i.e., the likelihood of payment default, especially if we provide services in advance or are considering offering a particular payment method. To do this, we obtain address and credit information from a credit agency. The credit agency maintains its own database for this purpose. We use this data solely for address verification and credit checks, and delete it afterwards (except for a current address).
During and after the contractual relationship, we process information in connection with the contract or the use of our services. This includes information about payments, interactions with our customer service, claims, complaints, contract termination, and – if any disputes arise regarding the contract – data relating to those disputes and related proceedings. Examples of such processing include:
- processing of data such as contact details and inquiries to provide you with optimal customer service, and support, advice, or solutions;
- processing of data such as order and billing data to process your orders and manage invoicing;
- processing of data such as customer data, passwords, and account information to administer your customer account;
- processing of data related to the conclusion and execution of contracts, to administer agreements, consents and the review and enforcement of claims;
- processing of data about services provided, evaluations, and other feedback of yours to assess customer satisfaction and improve our services;
- processing of the aforementioned data for statistical analyses supporting the enhancement and development of our products and business strategies;
- processing of the aforementioned data for marketing purposes; see Section 4 for more details.
Where appropriate for entering into or performing a contract, we may obtain additional data from public registers (e.g., the commercial register) or from the internet.
It may occur that you provide us with personal data relating to other individuals (e.g., representatives, colleagues, relatives, beneficial owners). If so, please ensure that you are authorized to do so and that the data is accurate. Please also ensure that these individuals have read and understood this Privacy Notice.
For contracting parties that are legal entities, we generally process less data, as data protection law only applies to data of natural persons (i.e., human beings). However, we do process personal data of contact persons with whom we interact, such as name, contact details, professional information, and information from our communications, as well as information about executives, etc., as part of the general information we maintain about companies with which we collaborate.
4. How do we process data in connection with advertising?
We also process personal data to promote our services and the services of the Grant Thornton group. This includes:
- Newsletters: We send electronic information and newsletters, which may contain advertisements for our own offering as well as those of the Grant Thornton group. Where required by applicable law, we request your consent in advance. In this context, we process your name and email address, as well as information about your feedback, evaluations, which services you have used, whether you open our newsletters, and which links you click. Our email service provider provides a corresponding function for this. This is a common practice that helps us assess and optimize the effectiveness of our newsletters. You can prevent this tracking by adjusting your email program settings (e.g., by disabling the automatic loading of image files).
- Events: We may organize events. If you participate, we process your registration data to organize and execute the event and, if necessary, to contact you afterwards. We may also make recordings at the event, which we may share, for example, on social media. In such cases, we will inform you separately.
- Promotion calls: We may contact our clients and, in some cases, potential clients by phone and process relevant data about our conversation partners and, where applicable, related persons at the company being called.
- Market research: We also process data to improve our services and develop new products. This may include information about your purchases or your responses to newsletters, data from customer surveys and questionnaires, or information from social media, media monitoring services, and public sources.
5. How do we disclose personal data?
We may disclose personal data in the course of our activities to various recipients, including the following:
- We are a part of the international Grant Thornton network. Therefore, we obtain certain services from the group, such as IT services. The network companies also support each other in other matters and may exchange personal data for these purposes. For example, we may disclose personal data to member firms within our corporate structure, as part of the client onboarding process, during the performance of assignments, or for quality assurance;
- service providers, especially providers of IT services (examples include providers of hosting or data analytics services), consulting services (e.g., experts, lawyers, financial analysts), translation, providers of call center services, and other administrative services. This also includes services from banks, asset managers, insurers, auditors, postal services, etc. These service providers may process personal data on our behalf as necessary;
- individuals associated with you, such as authorized representatives, guarantors, proxies, and relatives. For contact persons at companies, this includes employees and the company itself;
- credit agencies and providers of sanctions- and other databases, to whom we may disclose the information about you as part of an information request;
- public authorities and institutions, offices, authorities, and courts (e.g., RAB, FINMA, FMA, tax authorities, commercial register) within the scope of our legal obligations and duties to cooperate, as well as in connection with proceedings in which we are a party or otherwise involved;
- third parties, for example, in connection with the acquisition or sale of assets;
- any other recipients to whom you have given us your consent to transfer data.
These recipients may be located not only in Switzerland or Liechtenstein. This is especially true for member firms and certain service providers, particularly IT service providers. These companies and their subcontractors are based both in Switzerland and the EU or EEA, as well as in other countries, potentially worldwide. We may also transfer data to authorities and other parties abroad if we are legally obliged to do so or, for example, in the context of a company sale or legal proceedings (see Section 6). Not all of these countries provide an adequate level of data protection. We compensate for the lower level of protection by entering into appropriate agreements, in particular the European Commission’s Standard Contractual Clauses, which are available here. In certain cases, we may also transfer data in accordance with data protection requirements without such contracts, e.g., if you have consented to the disclosure, or if the transfer is necessary for the performance of a contract, the establishment, exercise, or enforcement of legal claims, or for overriding public interests.
6. Are there any further processing activities?
Yes. Many processes are not possible without the processing of personal data, including routine and unavoidable internal procedures. While it is not always possible to specify these processes or the scope of data involved in advance, typical examples include:
- Suppliers: We also process data relating to our suppliers and their contact persons when negotiating, concluding, executing, or enforcing a contract for the purchase of goods or services by us, essentially in accordance with the information provided in section 3.
- Communication: When we communicate with you (e.g., with your designated contacts or your customer service), we process information about the content, type, time, and place of the communication. For identification purposes, we may also process information for identity verification. Telephone calls with us may be recorded [and monitored]; we will inform you at the start of the call. If you do not wish for a call to be recorded, you may end the conversation at any time and contact us by other means (such as email).
- Prevention: We process data to prevent criminal offenses and other violations, e.g., in the context of fraud prevention or internal investigations.
- Legal proceedings: If we are involved in legal proceedings (such as court or administrative proceedings), we process data about the parties and other individuals involved, such as witnesses or informants, and may disclose data to these parties, courts, and authorities, including those located abroad.
- IT security: We also process data to monitor, control, analyze, secure, and review our IT infrastructure, as well as for backups and data archiving.
- Competition: We process data about our competitors and the general market environment (e.g., the political landscape, industry associations, etc.). In doing so, we may also process data about key individuals, such as name, contact details, roles or functions, and public statements.
- Transactions: If we sell or acquire receivables, assets, business units, or companies, we process data as necessary to prepare and complete such transactions. This may include information about clients or their contacts or employees, and we may also disclose such data to buyers or sellers.
- Other purposes: We process data to the extent necessary for other purposes, such as training and education, administration (e.g., contract management or accounting), enforcing and defending claims, contacting authorities, associations, partners, and other third parties, evaluating and improving internal processes, anonymous statistics and evaluations, and safeguarding other legitimate interests.
7. On what legal grounds do we process your data?
Depending on the applicable law, we may only process personal data if there is a specific legal basis for doing so. Under the Swiss FADP, such a basis is generally not required, but it is required under the GDPR, to the extent it applies. In this case, we rely on the following legal grounds when processing your personal data:
- Art. 6 para. 1 lit. b GDPR for processing necessary for the performance of a contract with the data subject or for the implementation of pre-contractual measures. This includes most of the processing activities mentioned in Section 3;
- Art. 6 para. 1 lit. f and Art. 9 para. 2 lit. e and f GDPR for processing necessary to safeguard our legitimate interests or those of third parties, provided that the fundamental rights and freedoms as well as the interests of the data subject are not overridden. This particularly concerns compliance with Swiss law, processing for the personalization of offers and services, the use of personal data for statistics, and, in general, the interest in conducting our activities and operations in a permanent, user-friendly, secure, and reliable manner. Processing for the purposes set out in Section 6 is also based on legitimate interests, unless we obtain consent;
- Art. 6 para. 1 lit. c and Art. 9 para. 2 lit. g GDPR for processing necessary to fulfill a legal obligation under the law of a member state of the European Economic Area (EEA), in particular Liechtenstein;
- Art. 6 para. 1 lit. a GDPR and Art. 9 para. 2 lit. b GDPR for processing that we carry out with your explicit consent.
8. How long do we process your personal data?
We process your personal data for as long as is necessary for the purpose of the processing (for contractual matters, this typically means for the duration of the contractual relationship), as long as we have a legitimate interest in retaining the data (e.g., to enforce legal claims, for archiving, for evidence and documentation purposes, or to ensure IT security), and as long as the personal data is subject to statutory retention requirements. For the latter, the set periods for retention/documentation are usually ten years. Once these periods have expired, we will delete or anonymize your personal data.
9. Are you required to provide us with your data?
You are not required to provide us with your personal data, except in specific cases (e.g., if you have a contractual obligation to do so and this requires you to disclose certain information). For legal and practical reasons, we must process personal data, e.g. when entering into and performing contracts. Within the scope of our business relationship, you only need to provide the personal data that is necessary for establishing, performing, or terminating the relationship, or that we are legally required to collect. This includes information about legal representatives, beneficial owners, contracting parties, and related entities or individuals. If you do not provide the required information and documents, we may not be able to enter into the business relationship you are seeking.
10. Do we use personal data for automated decision-making, profiling, and artificial intelligence?
As a general rule, we do not use automated decision-making to establish or manage our business relationships. If we do use such processes in individual cases, we will inform you separately if required by law.
We may also use new technologies, such as artificial intelligence, e.g. to improve our services, personalize content, streamline internal processes, enhance security, and prevent misuse. Applications of artificial intelligence may process personal data under our control and in accordance with our instructions. If artificial intelligence interacts directly with you, we will inform you accordingly.
11. How do we protect your data?
To protect your personal data from loss or misuse, we implement appropriate technical and organizational security measures, which we regularly review and update to reflect technological developments. These measures include:
- Access restriction: Personal data is accessible only to authorized employees, service providers, and business partners who require it for the purposes described above.
- Data security: We use technical and organizational measures such as firewalls, encryption, secure data transmission, and regular security reviews to help ensure the safety of your data.
- Data backup: We regularly back up your data to ensure that it can be restored in the event of a technical incident.
- Training and awareness: Our employees are regularly trained and made aware of the importance of data protection and data security to understand and comply with these requirements.
- Review of third-party providers: We ensure that third-party providers with access to your data implement appropriate security measures and comply with applicable data protection regulations.
Please note, however, that no technical or organizational measure can guarantee complete protection of your data.
12. What are your rights?
Under the conditions and within the scope of applicable data protection law, you have certain rights to request a copy of your personal data or to influence our processing of this data:
- Right to information: You may request information as to whether we process personal data about you, and if so, which data, as well as further details about our data processing.
- Rectification and restriction: You may request the correction of inaccurate personal data, the completion of incomplete data, and the restriction of processing.
- Deletion and objection: You may request the deletion of your personal data and object to its processing going forward. In particular, you may object at any time, for reasons arising from your specific situation, to processing based on our legitimate interests or for direct marketing purposes. If you object, we will cease processing your data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or if the processing is necessary for the establishment, exercise, or defense of legal claims.
- Data portability: You may receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, where processing is based on your consent or is necessary for the performance of a contract.
- Withdrawal of consent: Where processing is based on your consent, you may withdraw your consent at any time. Withdrawal applies only to future processing; we may continue to process your data on another legal basis if applicable.
If you wish to exercise any of these rights, please contact us (see Section 2). Usually, we will need to verify your identity before fulfilling your request.
You also have the right to lodge a complaint with the competent supervisory authority regarding our processing of your personal data, in Switzerland with the Federal Data Protection and Information Commissioner (FDPIC, at www.edoeb.admin.ch) or in Liechtenstein with the Data Protection Office Liechtenstein (at www.datenschutzstelle.li).