Privacy statement: European Privacy Addendum

Updated 24 June 2025

This European Privacy Addendum (“Addendum”) supplements the Grant Thornton Privacy Statement (“Privacy Statement”).

Grant Thornton respects the rights to privacy established under GDPR (“General Data Protection Regulation”) and applicable data protection laws has established a data privacy framework designed protect the privacy of individuals whose personal data is processed by Grant Thornton, including those who engage our services and those who view or interact with our website, www.grantthornton.ie.

This privacy statement is intended to inform users of our website and individuals who are resident in the European Economic Area ("EEA") and the United Kingdom ("UK") (together, "Europe") about how your information, including personal data (as defined below), will be processed by Grant Thornton and/or on its behalf by its third party service providers.

We will process your personal data when:

you access or use our sites;
you, or the organisation with which you are connected, are a potential client of our services; or
you have engaged with, or subscribed to, our newsletters or other marketing communications or initiatives.

We are required to give you the information in this Addendum, including to inform you about your data protection rights, under the General Data Protection Regulation (EU) 2016/679 (“EU GDPR”); and the EU GDPR as amended and incorporated into the UK's European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (together, "European Data Protection Laws").

We are committed to protecting your privacy. You should read this Addendum fully to understand the basis upon which we process your personal data, how we use it and to whom it will be disclosed. Additionally, details about our use of personal data in relation to professional engagements are available in our privacy statement: professional engagements.

All capitalised terms have the same meaning given to them in the Privacy Statement or this Addendum. In the event of a conflict between this Addendum and the Privacy Statement, this Addendum will prevail to the extent that you are resident in Europe.

Who is responsible for your personal data?

References to Grant Thornton (including, "we", "us", "our" and "Grant Thornton Group") in this Addendum refer to the following entities, each of whom are part of a global alternative practices structure: Grant Thornton Advisors LLC, Grant Thornton LLP, Grant Thornton Corporate Finance Limited, Grant Thornton Ireland and/or their affiliates and subsidiaries.

Each of these entities are joint controllers and have an arrangement in place to ensure that your data protection rights are protected. For more details about these entities see 'Who we are: joint controllers'.

In some instances, these entities may be independent controllers of your personal data under European Data Protection Laws.

If you have any questions about how we use your personal data or to exercise your data protection rights (as set out in this Addendum), please contact us at Data Protection Team, Grant Thornton Ireland, 13-18 City Quay, Dublin 2, Ireland or dataprivacy@ie.gt.com.

What is personal data?

Under GDPR, the term “personal data” means any information relating to an identified or identifiable living natural person.

It can include information about you that can identify an individual, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors.

How and why do we use your personal data?

Personal data processed about you will vary according to our interactions and relationship with you, including services we offer (and the nature of our engagements).

The table below explains our processing activities, one or more of which may be apply to you. Please note that the personal data listed is non-exhaustive.

Types of personal data	Legal basis	Data source	Purpose of processing	Recipients
First and last name, email address, mailing address or phone number, and current employer and role/job title (“Contact Information”).	We process your personal data where it is necessary for the purposes of our legitimate interests to engage you as prospective client.	Directly or indirectly from you, prospective clients, or their agents.	To respond and manage any communications you send to us as a prospective client (e.g., when you email us or contact us via the site). To record your details in our systems as a prospective client.	Service providers, including marketing services; our affiliates in India and other entities in the Grant Thornton Group.
Contact information	We process your personal data where it is necessary for the purposes of our legitimate interests, in providing, maintaining and/or improving our services.	Directly from you. Directly or indirectly from clients or their agents.	To respond to individual or client requests. To provide, improve or maintain our services. To send administrative information or notices. To communicate in connection with a client or potential client engagement. To keep records associated with our services (including, associated communications, records, etc.). To prevent, detect and respond to actual or potential fraudulent or other activities.	Service providers, including marketing services; our affiliates in India and other entities of the Grant Thornton Group.
Contact Information and information confirming your identity and status within a company, (e.g., director / beneficial owner), your responsibilities, PPSN, identify verification documents, tax information, and/or other information you provide to us.	We process your personal data where it is necessary for the purposes of our legitimate interest to operate our business, for relationship management purposes and to provide services. For further details please see our privacy statement: professional engagements.	Directly from you. Directly or indirectly from our clients or their agents collected while providing services and in connection with pre- engagement activities.	To initiate, onboard and fulfil a contract for services. To order to perform services. To perform pre-engagement activities. To conduct client due diligence, background checks, KYC checks and background checks (where required by professional standards, law, or regulation). To comply with our professional standards, legal and regulatory obligations. To manage and administer our business relationship with you. To keep records associated with our services (including, associated communications, records, etc.). To enforce our rights arising from any contract, including billing and collections.	Service providers, our affiliates in India, other entities of the Grant Thornton Group.
Contact Information and details about your contact preferences (e.g., areas of interest) and information relating to your subscription to, receipt of or interest in any of our mailing lists or newsletters, or registration to access any of our restricted content. Publicly available personal data such as name, employer and job title and /or position	We process your personal data where it is necessary for the purposes of our legitimate interests in relation to events, market updates & insights, and newsletters.	Directly or indirectly from you, including through your engagement with advertisements on platforms such as LinkedIn. Directly or indirectly from our clients or their agents.	To invite you to meetings, events, webinars, conferences, seminars, online surveys, or self-assessment tools. To promote our services. To develop and maintain our relationship with you and/or your organisation. To engage with you by sending you our newsletters, industry, market updates & insights, when you have engaged with us, or you are a client representative. To assess your participation in, reception of, interest in, or engagement with our marketing activities, materials we send you and our events (e.g., newsletter, surveys, conferences).	Service providers of marketing, social media, audio/visual or related services.
Automatically collected information from your activity on our sites such as browser information, IP address, and browser type.	We process your personal data where it is necessary for the purposes of our legitimate interests in relation to improve our sites and personalise your visit to our sites. Please see below for further details on cookies.	Indirectly from you through our sites, cookies, and other tracking technologies.	To personalise content on our sites. To track activity on and technical performance of our sites. To evaluate our marketing efforts; to improve our sites. All IP addresses of users of this website are anonymised within Google Analytics as soon as technically feasible at the earliest possible stage of the collection network.	Service providers for providing internet services. Service providers for marketing services (e.g., site visitor insight solutions).
Contact Information or other personal data	We process your personal data where it is necessary for the purposes of our legitimate interests in relation any actual or potential litigation, disputes, or complaints.	Directly or indirectly from you. Directly or indirectly from our clients or their agents.	To establish, defend or exercise our legal rights and any legal proceedings or out-of-court proceedings which may arise.	Service providers; our affiliates in India and other entities of the Grant Thornton Group.
Contact Information or other personal data	We process your personal data where it is necessary to comply with legal obligations to which we are subject under European laws.	Directly or indirectly from you. Directly or indirectly from our clients or their agents.	To respond and manage any valid legal or data subject rights requests you and any steps relating to same.	Service providers; our affiliates in India and other entities of the Grant Thornton Group.
Contact Information and other personal data	We process your personal data where it is necessary for the purposes of our legitimate interests in the event Grant Thornton goes through a business transition, such as a merger, or the acquisition or sale of all or a portion of its assets.	Directly or indirectly from you. Directly or indirectly from our clients or their agents.	To manage a relevant business transition, acquisition or sale of all or a portion of our assets.	Service providers; our affiliates in India and other entities of the Grant Thornton Group, interested parties in transaction.
Name, contact information, employment history and educational background, details of current immigration status and other information which you volunteer on your curriculum vitae or application	We process your personal data where it is necessary for the purposes of our legitimate interests in relation to an employment application	Directly or indirectly from you. Directly or indirectly from our clients or their agents.	To manage your application for a position with us as the first step in the recruitment process.	Service providers; our affiliates in India and other entities of the Grant Thornton Group.

Note:

When we process personal data based on our legitimate interests, we ensure that we consider and balance any potential impact on the rights of data subjects under European Data Protection Laws.

We will not use your personal data for activities where our interests are overridden by the impact on you (unless we have appropriate consent or are otherwise required or permitted by law). Grant Thornton acknowledges data subjects’ rights under European Data Protection Laws when we process your personal data on this basis.

For more information on exercising your data protection rights please see ‘Your Data Protection Rights’.

Data retention

We will only process your personal data for as long as is needed or as permitted based on the purpose(s) for which it was obtained and in accordance with applicable law. The criteria used to determine our retention periods include:

the nature and length of our ongoing relationship with you and provide you/your organisation services;
whether there is a legal obligation under applicable laws or a requirement under professional standards to which we are subject; and
whether retention is advisable considering our legal position (such as with respect to statutes of limitations, litigation, or regulatory investigations).

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

If you would like to find out more about our retention of your personal data, please contact us by e-mailing dataprivacy@ie.gt.com.

Unsubscribe and consent preferences

When you have consented receive any marketing material from us, we include an unsubscribe button in our communications, so you can opt out of receiving such communications or adjust your marketing consent preferences at any time by clicking on the unsubscribe link provided in our communications or e-mailing us at dataprivacy@ie.gt.com.

Automated decision-making

We do not use profiling or make any decisions based solely on the automated processing of your personal information.

International data transfers

To facilitate our global operations, certain of our services and sites are provided from the United States and other locations.

If you are resident in Europe, we may share, transfer or store personal data outside your country of residence (i.e., outside Europe) to certain recipients (mainly our affiliates and external service providers) in the United States, India, and other countries which we deem appropriate from time to time.

Where the laws and practices in these countries may not have equivalent data protection and privacy rules to those under European Data Protection Laws, we will protect your personal data in accordance with this Addendum and our Privacy Statement.

Where these transfers of personal data occur, we ensure that a transfer mechanism and appropriate safeguards are in place to protect your personal data:

For transfers (including, onward transfers) of personal data within the Grant Thornton Group to affiliates in the United States, we rely on the EU-US Data Privacy Framework and the UK-US Data Privacy Framework (UK and Gibraltar), as operated by the U.S. Department of Commerce. To learn more about the Data Privacy Framework (“DPF”), and to view our certification, please visit dataprivacyframework.gov. Please also visit our dedicated webpage for more information about our participation in the DPF: Data privacy framework.
For transfers (including, onward transfers) of your personal data within the Grant Thornton Group to affiliates based in other, non-EEA countries we will transfer and process your data in accordance with GDPR requirements.
For transfers (including, onward transfers) of your personal data within the Grant Thornton Group to affiliates based in other, non-EEA countries and where an appropriate data transfer adequacy decision has not been approved by the EU Commission, we rely on the EU Standard Contractual Clauses ("SCCs") or the UK Addendum to the EU SCCs (e.g., India and Bermuda).
For transfers (including, onward transfers) of personal data to external providers, we rely on the DPF, the EU SCCs, UK Addendum, or adequacy decisions of the European Commission.

If you would like to find out more about any transfers relating to your personal data, please contact us by e-mailing dataprivacy@ie.gt.com.

Your data protection rights

As a resident within the EEA, you are permitted to exercise a number of data protection rights under European Data Protection Laws, which are explained in the table below:

Data protection right	Further information
Right of access	You have the right to request a copy of the personal data held by us about you and to access the personal data which we hold about you.
Right to object	You have a right to object at any time to the processing of your personal data where we process your personal data on the legal basis of pursuing our legitimate interests.
Right to rectification	You have the right to have any inaccurate personal data which we hold about you updated or corrected.
Right to erasure	In certain circumstances, you may also have your personal data deleted. For example, if you exercise your right to object and we do not have an overriding legitimate interest to continue processing your personal data or if we no longer require your personal data for the purposes as set out in this Addendum.
Right to restriction of processing	You have the right to ask us to restrict processing your personal data in certain circumstances, including if you believe that the personal data that we hold about you is inaccurate or if our use of your personal data is unlawful.
Right to data portability	You may request us to provide you with your personal data which you have given Grant Thornton in a structured, commonly used, and machine-readable format where our processing is based on performance of a contract or consent.
Right to object to automated decision-making, including profiling	You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning Data Subjects or similarly significantly affects them. Please note that we do not use profiling or make any decisions based solely on the automated processing of your personal data.

In acknowledgment of data subject rights, we are cognisant of our professional, legal, and regulatory obligations and duties which may result in certain limitations on the extent to which we are required to comply with specific rights requests, subject to restrictions as set out under European Data Protection Laws.

If you become aware that information we maintain about you is inaccurate, or if you would like to update or review your information, you may contact us using the contact information below. We will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate.

We may limit or deny access to personal information where providing such access would be unreasonably burdensome or inappropriate under the circumstances. All requests to change personal information will be handled in accordance with applicable legal requirements. If you would like to change your information you should contact us at dataprivacy@ie.gt.com.

How to submit a rights request, complaint or question

To submit a rights request, complaint or question or to have an Authorised Agent submit a rights request, complaint, or question on your behalf where permitted by applicable law, please contact us at dataprivacy@ie.gt.com or submit a request to Data Protection Team, 13-18 City Quay, Dublin 2, Ireland.

We may request that you provide proof of your identity for security reasons and to prevent the unauthorised disclosure or misuse of personal data. If, after contacting us, you are still not satisfied with our response, you have the right to lodge a complaint with the Office of the Data Protection Commissioner.

Addendum changes

We reserve the right to amend or modify this Addendum from time to time. We will post any revised Addendum on this site, or a similar website that replaces this site.

By continuing to use any of our sites, you acknowledge the terms of this Addendum and the Privacy Statement as of the effective date will apply to information, including personal data, previously collected, or collected in the future as permitted by applicable law.

Who we are: Joint Controllers

References to "Grant Thornton" in this Addendum refer to the brand name under which the Grant Thornton member firms operate the business, provide services to (prospective) clients and/or refers to one or more member firms, as the context requires. The below joint controllers practice as an alternative practice structure:

Joint Controllers
Grant Thornton LLP is a licensed independent CPA firm that provides attest services to clients. Address: 171 N. Clark Street, Suite 200, Chicago, IL, 60601, United States.
Grant Thornton Advisors LLC provides tax and business consulting services to clients. Address: 171 N. Clark Street, Suite 200, Chicago, IL, 60601, United States.
Grant Thornton Corporate Finance Limited provides tax and business consulting services to clients. Address: 13-18 City Quay, Dublin 2, Dublin, Ireland.
Grant Thornton Ireland provides audit services to clients. Address: 13-18 City Quay, Dublin 2, Dublin, Ireland.