article banner

Data Protection Notes for our Clients

Our treatment of your data and your rights

Information pursuant to Article 13 of the European General Data Protection Regulation (GDPR) and the Liechtenstein and/or Swiss data protection laws applicable to you

These notes on data protection are intended to inform you about how we process your personal data and about your rights. Such rights may originate from Article 13 GDPR or their implementation in Liechtenstein or Swiss data protection legislation.

For legibility purposes, masculine and feminine forms of speech are dispensed with. All references to persons apply equally to both sexes.

1. Who is responsible for the data processing and who can I contact?

Grant Thornton AG
Claridenstrasse 35
P.O. Box 9317
CH-8002 Zurich

Grant Thornton SA
Rue du 31-Décembre 47
CH-1207 Geneva

Grant Thornton AG 
Bahnhofstrasse 7
9470 Buchs (SG)

Grant Thornton AG
Bahnhofstrasse 15
P.O. Box 663
FL-9494 Schaan

All these companies belong to Grant Thornton Switzerland / Liechtenstein. The responsible enterprise is generally your (potential) contractual partner.

The contact data for questions concerning data protection within Grant Thornton Switzerland/Liechtenstein are:

Switzerland:

Liechtenstein:

Grant Thornton Switzerland / Liechtenstein
Data Protection Contact Switzerland
Claridenstrasse 35
P.O. Box 9317
CH-8027 Zürich

T 0041 43 960 71 71
datenschutz@ch.gt.com

Grant Thornton Switzerland / Liechtenstein
Data Protection Contact Liechtenstein
Bahnhofstrasse 15
P.O. Box 663
FL-9494 Schaan

T 00423 237 42 42
datenschutz@li.gt.com
2. Which sources and data are used?

The relevant responsible enterprise (hereinafter “we” and “us”) processes personal data which it receives during the course of the business relationship with you. It receives the data directly from you, in connection with services in the following sectors: auditing, consultancy, tax consultancy and outsourcing or in some cases from third-party service providers, such as banks, asset managers and auditors.

3. Why do we process your data (purpose of processing) and on what legal basis?

The following information tells you why and on what legal basis we process your data:

3.1. To comply with contractual obligations (Article 6 Paragraph 1 Point b GDPR)

In particular, the purposes of the data processing are oriented towards the specific task and the contract documents.

3.2. Relating to the balancing of interests (Article 6 Paragraph 1 Point f GDPR)

We may also use your data on the basis of a balancing of interests to protect our legitimate interests or the legitimate interests of third parties. This shall be for the following purposes:

  • general business operations and further development of services and products
  • advertising, market research and public opinion research
  • assertion of legal claims and defence in legal disputes
  • prevention and investigation of criminal acts
  • ensuring IT security and IT operations

Our interest in the processing in question follows from the relevant purposes and is also of a commercial nature (efficient fulfilment of tasks, marketing, prevention of legal risks)

3.3. On the basis of your consent (Article 6 Paragraph 1 Point a GDPR)

Insofar as you have given us your consent to process personal data, such consent forms the legal basis for the processing thereby undertaken. This relates in particular to your possible consent in the case of voluntary benefits, e.g. newsletter. You may at any time revoke consents with effect for the future. This also applies to declarations of consent which you have given to us prior to the coming into force of the GDPR. The revocation shall only apply to future data processing.

3.4. On the basis of statutory requirements (Article 6 Paragraph 1 Point c GDPR)

We are subject to various legal obligations (e.g. on the basis of the Swiss Anti-Money Laundering Act (hereinafter “AMLA”), the Liechtenstein Due Diligence Act (hereinafter “DDA”), tax laws and treaties (in particular AEI/FATCA) as well as the regulatory provisions of the Swiss Financial Market Supervisory Authority (hereinafter “FINMA”), the Swiss Federal Audit Oversight Authority (hereinafter “FAOA”) and/or the Liechtenstein Financial Market Authority (hereinafter “FMA”)).

As a corporate group active in the auditing sector, we are also subject to a statutory obligation to identify clients and to monitor business relationships in order to safeguard professional independence. 

4. Who receives my data and how are they processed?

Your data shall only be transferred subject to protection of statutory obligations concerning confidentiality, and only insofar as this is permitted on a legal basis. Within the companies named under item 1 above, those bodies which need your data to comply with their contractual and statutory obligations or to perform their respective tasks shall receive your data.
Furthermore, the following bodies may receive your data:

  • processors appointed by us (Article 28 GDPR), and in particular consultants within and outside the corporate group, (experts, actuaries) translation agencies or IT services providers who process your data for us subject to our instructions,
  • external service providers and bodies, such as banks, asset managers, insurance companies, lawyers, auditors, associations, etc.
  • public bodies and institutions (e.g. FAOA, FINMA, FMA, tax authorities) if there are statutory or regulatory obligations or quality controls,
  • other bodies for which you have given us your consent to transfer data pursuant to an agreement or your consent.
  • member firms in the international network of Grant Thornton in connection with the order acceptance process and the safeguarding of network-wide independence (e.g. Global Independence System and International Relationship Check) and in connection with quality controls.
5. For how long will my data be stored?

Where necessary, we process your personal data for the duration of our business relationship, which also includes the preparation and processing of a contract. Furthermore, we are subject to various storage and documentation obligations, arising inter alia from the Swiss Code of Obligations and/or the Persons and Companies Act of Liechtenstein, the relevant employment law, additional applicable laws and regulations relating to supervision. The periods of time for storage and/or documentation which are prescribed therein are generally ten years.

The storage period is ultimately also assessed on the basis of the statutory limitation periods, and is generally ten years.

6. Are data transmitted to a third country or to an international organisation?

We only transmit your data in states without equivalent data protection insofar as this is necessary to execute your orders, is prescribed by law or for which you have given us your consent.

7. What additional data protection rights do I have?

Subject to the relevant statutory prerequisites, you have a right of access, rectification, erasure, restriction of processing and a right to data portability. Insofar as the GDPR is applicable to the respective claim, you have a right to lodge a complaint with a data protection supervisory authority.

8. Do I have an obligation to make data available?

Within the scope of our business relationship, you only have to make available personal data which are necessary for the establishment, execution and termination of a business relationship or for the collection of which we have a statutory obligation. Within the scope of the Swiss Anti-Money Laundering Act, the Liechtenstein Due Diligence Act, tax laws and treaties (in particular AEI/FATCA) and the safeguarding of network-wide independence, this includes, inter alia, information concerning legal representatives, beneficial owners, contractual partners and associated entities/persons. Should you not make the necessary information documents available to us, we shall be permitted not to take up the business relationship you have requested.

9. To what extent is there automated decision-making in an individual case

As a matter of principle, we do not use automated decision-making pursuant to Article 22 GDPR in order to establish and execute the business relationship. Should we use this process in individual cases, we shall specifically inform you of this, insofar as this is prescribed by law.

10. To what extent are my data used for profiling?

We do not automatically process your data with the objective of assessing particular personal characteristics. We do not employ profiling.

11. What rights to object do I have? (Article 21 GDPR)
11.1. Right to object in a particular situation

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6 Paragraph 1 Point f GDPR (data processing on the basis of a balancing of interests).
If you file an objection, we shall no longer process your personal data unless we can prove that there are imperative grounds for processing, which merit protection, and which outweigh your interests, rights and freedoms, or the data processing serves the assertion, exercise and defence of legal rights.

11.2 Right to object to processing of data for purposes of direct advertising

Within the scope of the statutory provisions, we may also process your data for direct advertising. You have the right, at any time, to file an objection against the processing of personal data relating to you for the purpose of such advertising. If you object to processing for the purposes of direct advertising, we shall no longer process your personal data for these purposes. The objection may be each case be made informally. Our contact data are provided under item 1 above.