Data Protection Notes for our Clients

This information on privacy tells you how we process your personal data, as well as your rights. These rights may derive from the GDPR or Swiss data protection legislation. The degree to which these laws apply depends on the case in question.

Please only share the personal data of others with us if you have the permission of the individuals concerned and the data is correct. Please also ensure that these individuals have read and understand this privacy policy.

Contents

  1. Controller / Contact
  2. Collection and processing of personal data
  3. Purposes of data processing
    3.1 Revocation of consent
    3.2 Statutory and legal requirements
  4. Data disclosure and data transmission abroad
  5. Information, rectification, erasure and restriction
  6. Retention periods for personal data
  7. Data security
  8. Obligation to provide personal data
  9. Automated decision-making and profiling
  10. Rights of data subjects
  11. Amendments

 

1. Controller / Contact

 Responsible for the data processing is:

  • Switzerland
    Grant Thornton AG
    Claridenstrasse 35
    P.O. Box 9317
    CH-8027 Zurich

  • Liechtenstein
    Grant Thornton AG
    Bahnhofstrasse 15
    P.O. Box 663
    FL-9494 Schaan

If you have any questions about the information given below, you can contact us at any time as follows:

  • Grant Thornton Switzerland/Liechtenstein
    Data protection contact for Switzerland
    Claridenstrasse 35
    P.O. Box 9317
    CH-8027 Zurich
    T 0041 960 71 71
    E datenschutz@ch.gt.com  

  • Grant Thornton Switzerland/Liechtenstein
    Data protection contact for Liechtenstein
    Bahnhofstrasse 15
    P.O. Box 663
    FL-9494 Schaan
    T 00423 237 42 42
    E datenschutz@li.gt.com

 

2. Collection and processing of personal data

“Personal data” is information that can be used to determine your personal or practical circumstances, such as your name, address, phone number, date of birth or email address. Information that we are unable to associate with you, such as anonymised details, is not regarded as personal data.

The processing of personal data, such as its collection, consultation, use, storage or transfer, always requires a basis in law, a contractual imperative, the protection of vital or legitimate interests, or your consent. 

Where permitted and appropriate, we will draw helpful data about you from sources in the public domain, such as the internet, the media and reports. This information is useful in the relationship between us. 

We process personal data that we receive in the context of our business relationship with you. We receive this data from you directly in connection with the services that we provide or will provide, as well as in some cases from third-party service providers.

 

3. Purposes of data processing

The specific purposes of data processing are determined by the assignment in question and the contract documents. We may also use your data on the basis of a weighing of interests to uphold the legitimate interests of ourselves or third parties. We do this for the following purposes:

  • Client service: we process client data so that we can offer you the best possible client service. This includes recording your contact data and enquiries to provide you with support, advice or solutions.
  • Fulfilment: we process data so that we can fulfil your assignments efficiently. This involves recording assignment and billing data.
  • Personalised communication: we use your data to allow us to communicate with you on a personal basis. This includes personalised emails, newsletters, marketing campaigns and specific offers tailored to your needs and  preferences.
  • Client feedback and evaluation: we record and analyse your feedback and evaluations to assess client satisfaction and adjust our products or services accordingly.
  • Client analysis and profile creation: by analysing your data we are better able to understand how you act, what you like and what your needs are. This allows us to present you with personalised recommendations, customised offers and a better client experience.
  • Client account management: we process your data to manage your client accounts. This includes storing your client data, managing passwords, updating account information and providing selfservice functions.
  • Contract management and legal matters: as part of our partnership, we process data to manage contracts, agreements, permissions and legal documents.

Our interest in processing the data in question is derived from the purposes of that processing, and is otherwise of a business nature, such as to fulfil your assignment efficiently, for sales and to avoid legal risks. 

Providing you have given us your consent to process personal data, that consent constitutes the legal basis for the specific type of processing in each case. In particular, this concerns any consent you may have given for voluntary additional services such as the newsletter.

 

3.1 Revocation of consent

You may revoke consents given at any time with effect for the future. This also applies to declarations of consent that you made to us before the GDPR came into effect. Consent is voluntary. You will not be at any disadvantage if you do not give it.

 

3.2 Statutory and legal requirements

We are subject to a range of statutory and legal requirements that oblige us to process your data. The purpose of processing is to fulfil these legal obligations.

 

4. Data disclosure and data transmission abroad

Your data is disclosed only where statutory confidentiality obligations are upheld, and only to the extent permitted by the relevant basis in law. Your data is passed on to those functions that require it to fulfil our contractual and statutory obligations, or the individual assignments from you.

The following bodies may also receive your data:

  • Processors engaged by us, in particular consultants (valuers, financial mathematicians), translation agencies or IT services that process your data for us and are bound by our instructions
  • External service providers and offices such as banks, asset managers, insurance companies, lawyers, auditors and associations 
  • Public bodies and institutions (such as the FAOA, FINMA, FMA, tax authorities, Commercial Registry) where there is a statutory or regulatory obligation or quality controls 
  • Other bodies to which you have consented that your data may be transmitted, or for which you have released us from our duty of confidentiality under the terms of an agreement or your consent 
  • Member companies within our corporate structure and the international Grant Thornton network, as part of the assignment acceptance process and work on that assignment, as well as for quality control purposes 

Recipients may be located in Switzerland but also in any other country in the world.

We transmit your data to states that do not afford an equivalent level of data protection only where this is necessary to fulfil your assignments, is required by law or you have given us your consent.

Should it be necessary to transmit data to a country that does not have an adequate level of data protection, this is subject to standard contractual clauses or other suitable guarantees.

 

5. Information, rectification, erasure and restriction

Upon request we will be pleased to tell you what data we hold about you. If the data we hold is inaccurate, despite our efforts to keep it correct and up to date, then we will rectify it immediately. In addition, you are able to receive the personal data about you that you have agreed can be processed in a structured, commonly used and machine-readable format, and to pass it on to another controller either yourself or via us. You can check, amend or erase the personal data you have provided to us at any time by getting in touch with the contact given above.

If you would like to have the stored data erased, we will do so upon your request in accordance with statutory requirements. If the data in question cannot be erased for legal reasons, it will be restricted (locked) instead. Please note, however, that if we delete your data, we may be able to offer you our products and services to only a limited extent.

If you believe that the processing of data about you is in breach of statutory regulations, you may exercise your right to lodge a complaint with a supervisory authority.

 

6. Retention periods for personal data

Processed personal data is erased as soon as the purpose of that processing has been achieved. We are also subject to a variety of retention and documentation obligations. These generally require us to retain and/or document your data for ten years. 

We hold personal data for the period in which claims might be asserted against our company, and to the extent that we are otherwise required by law. We are also permitted to retain data where justified by our business interests, for evidence and documentation purposes, for example.

 

7. Data security

We undertake to protect your privacy and to treat your personal data as confidential. To prevent the loss or misuse of data stored with us, we take a comprehensive range of technical and organisational security precautions that are reviewed regularly and adjusted in line with the latest technologies. 

Please note, however, that technical and organisational measures may not fully protect your data.

The measures we take include the following:

  • Access restrictions: personal data may only be accessed by authorised employees, service providers and business partners that require this information to fulfil the purposes described above.
  • Data security: we have technical and organisational measures in place to ensure the security of your data. These include firewalls, encryption technologies, secure data transmission and regular reviews of our security precautions.
  • Data backup: we back up your data regularly to ensure that it can be restored in the event of a technical incident.
  • Training and awareness-raising: our employees attend regular training and awareness-raising courses so that they understand the importance of, and comply with, data privacy and data security.

Checks on third-party providers: we ensure that third-party providers that have access to your data take appropriate security precautions and comply with data protection regulations.

 

8. Obligation to provide personal data

As part of our business relationship, you only have to provide personal data that is required to establish, conduct and terminate a business relationship, or data that we are required by law to collect. This includes, for example, details of legal representatives, beneficial owners, contractual partners and related entities/individuals. If you do not provide us with the necessary information and documents, we are not permitted to enter into the business relationship that you seek.

 

9. Automated decision-making and profiling

As a rule, we do not use automated decision-making when establishing and conducting business relationships. If we were to use this process in an individual case, we would inform you specifically where required to do so by law.

 

10. Rights of data subjects

The applicable statutory provisions give you the right to information about your data, to its rectification and erasure, to restrict its processing and to data portability. Where the DPA or GDPR applies to the claim in question, you have the right to lodge a complaint with a data protection supervisory authority.

Exercising your rights may conflict with contractual agreements. This may result in the early cancellation of your contract, or costs, for example. Where this is the case and is not already governed by the contract, we will inform you in advance. 

For reasons arising from your personal situation, you have the right to object at any time to the processing of personal data concerning you.

Should you object, we will cease to process your personal data, unless we are able to demonstrate imperative legitimate reasons for processing that override your interests, rights and freedoms, or that processing serves the assertion, execution or defence of legal claims. 

To the extent provided for in law, we may also process your data for direct marketing purposes. You have the right to object at any time against the processing of personal data concerning you for the purposes of such marketing.

Should you object to processing for direct marketing, your personal data will no longer be processed for such purposes.

The objection can take effect after you have clearly proven your identity, for example with a copy of an identity document if your identity cannot be proven otherwise.

 

11. Amendments

This privacy policy may be amended at any time without prior notice. The latest version applies in all cases.