How do We use your personal data?
In order to collect, process and retain your Personal Data as a Data Subject, We ensure that all Personal Data is processed in accordance with the purpose for which it was obtained and as strictly necessary. Therefore, We hereby declare that all processing is undertaken in line with a lawful basis.
Lawful basis for processing
Grant Thornton Malta relies on different lawful bases in the collection and processing of your Personal Data. Processing of data is dependent on the purpose for which it is being collected (e.g., to operate Our business, provide products and services, website functionality and cookies and vacant opportunities or as otherwise indicated in other privacy notices). In this regard, Personal Data may be processed based on the following legal grounds:
- Legal obligations: where We would be required to comply with a legal or regulatory obligation to which We may be subject as part of Our business and regulated service offering;
- Contract: where We are required to perform contractual obligations with an individual or to undertake steps to enter into a contract with the individual;
- Consent: when a Data Subject has freely consented to the processing of their Personal Data for one or more specific purposes;
- Legitimate interest: when We have a legitimate interest to process the data, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of Personal Data; and/or
- Public interest: where the processing of data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Collection of personal data
We collect data, whether directly or indirectly, relating to an identified or identifiable natural person (‘Personal Data’). We may collect your personal data through various means, namely the use of Our website, marketing promotional materials or as may otherwise be stipulated in privacy notices from time to time.
The collection of information may occur for the submission of a vacancy, subscription to Our marketing newsletters, onboarding of a prospective customer and/or when submitting questions or comments through Our website.
Website data collection
The information collected through Our website is based on information you as the Data Subject choose to provide to Us. Should any information be submitted to Us via email correspondence, We will process the same to carry out your request or to execute the purpose for which it was provided.
Consequently, the following types of direct or indirect Personal Data may be collected through Our Website.
- Full name (i.e., name and surname);
- Title (e.g. Dr, Mr, Mrs, Ms, Miss);
- Email address;
- Telephone number; and
- Internet Protocol (IP) address.
When visiting Our website or communicating with Us, We log your Internet Protocol (IP) address in order to receive and send information from and to you over the internet. In the event you decide to provide personal data, this policy will apply.
When applying with Us for a vacant role, applicants may need to submit Personal Data for Us, as a Data Controller, to process their data. As a result, the following information will be required as part of the recruitment process:
- Full name (i.e., name and surname);
- Contact details;
- An official detailed Curriculum Vitae;
- Details of your qualifications;
- Employment his
Following a successful recruitment process, We may request further information such as criminal records and special categories of data (e.g., biometric data for door access control measures) as would be explained to you. Moreover, We may also collect information on your personal data from third parties, such as through character references by former employees or necessary background checks.
Personal Data relating to vacant opportunities will not be retained for longer than strictly necessary. Unsuccessful applicants’ Personal Data will be retained for a period of six (6) months from the date of application. However, should the Data Subject accept, We will retain the Curriculum Vitae for a period of one (1) year to be re-considered in case of other future vacant opportunities. Should you no longer wish to be retained for the one (1) year period, kindly contact Us through any of the contact measures outlined in the ‘Contact Us’ section.
GT Advance training sessions, seminars, and events
Grant Thornton Malta has implemented a GT Advance training platform for continuous professional development. To apply for any GT Advance platform training sessions, you would be required to contact Us on +356 2093 1810 or send an email to email@example.com. Following application, We may request the following types of Personal Data to provide you with the requested training needs and certifications:
- Full name (i.e., name and surname);
- Company name;
- Email address;
- Mobile number;
- ID card number;
- Postal address; and
- VAT number (if applicable).
Moreover, you may be interested in subscribing to Our GT Advance Training Newsletter found on Our website. Should you wish to do so, the above information shall be further processed to provide information on Our scheduled trainings.
In cases where you, as the Data Subject, choose to sign up for seminars or other events organised by Us, the above Personal Data would be collected in order to register you. By signing up, you approve that your Personal Data may be used to manage the event and that you will receive emails from Us concerning the event (e.g., confirmation of the event registration, event reminders, emails with event or seminar materials, etc). Moreover, by choosing to attend one of Our training sessions, seminars or events, you would be accepting the involvement of photographs/videography as applicable, unless otherwise specified in the respective event’s privacy notice. Should you wish to not have your photo or video taken, kindly let Us know on firstname.lastname@example.org or inform Us at the beginning of the training or event.
Surveys and competitions
We may carry out surveys, competitions and promotional activities on an ongoing basis. As a result, an individual may choose to participate in these activities and consequently consent to the processing of their data. Therefore, Our team will be required to process the provided Personal Data in the performance of a contract in terms of Our surveys, competitions and promotions.
Alternatively, a Data Subject may choose to refrain from taking part in such activities. Therefore, it is important to note that those Data Subjects who choose not to provide such information will not be processed by Us.
We have a legitimate interest in the use of Data Subject’s Personal Data for other matters, provided that adequate privacy measures are in place in relation to your rights and interests:
- for research and/or analysing Our Data Subject’s personal data, to better understand Our clients and online audience, whilst also understanding who they are and how they interact with Our team;
- in the provision of training of staff members; and
- to improve Our website and consistently maintain Our security standards (i.e., statistical/testing/analytical purposes or troubleshooting).
We do this to better understand Our visitors. This research is compiled and analysed on an aggregated and anonymous basis. In cases where the anonymisation of data is not possible, any information collected under this section shall be deleted in accordance with the stipulated retention period outlined to you at data collection stage.
Marketing subscriptions, newsletters and materials
As a Data Subject, you may choose to subscribe to one specific portal subscription or our Grant Thornton newsletter. In view of this, when subscribing to one or more of Our newsletter(s) or other marketing materials, you would agree to the receipt of marketing emails with publications, news, articles, advice on emerging trends and invitations to seminars/events.
Grant Thornton Malta uses third-party software known as Marketo Engage, in which measures were implemented to ensure that all Data Subjects are able to receive information specific to the subscription applied for. This means that the Data Subject’s subscription details will be linked to specific service lines (e.g., TAX, VAT, Audit, Accounting, Regulatory and Corporate) and/or particular categories (e.g., Malta Budget Highlights, Shaping Malta’s Future, Property Landscape).
Onboarding data collection
Prospective customers may be requested by Our team to provide their Personal Data in line with Our local and international regulations (i.e., as part of Our legal obligations) prior to the provision of a service. As a result, Our onboarding due diligence process is conducted through a third-party system known as ‘Risk Screen’, in which Data Subjects would be required to provide additional types of Personal Data including, but not limited to:
- Official full name (i.e., name and surname);
- Date and place of birth;
- Identification document number;
- Permanent/ current residential address;
- Contact information (i.e., mobile/ telephone number, email address, etc);
- Source of wealth (including where income was generated);
- Occupation/ ownership positions;
- Political status (i.e., whether a person is considered a politically exposed person or otherwise); and
- Sanctions, regulatory disciplinary actions, offences, and declaration of bankruptcy.
When providing information through Risk Screen, you acknowledge that the information collected will be used by Grant Thornton and consequently transferred/stored on the Risk Screen system in order for Us to carry out Our legal obligation.
To whom We disclose your Personal Data
We may disclose your Personal Data in cases where it is necessary for the purposes for which the data was collected, and/or where We are required to do so under contractual agreement(s) and/or other instances identified (e.g., security mechanisms). Such examples of data sharing include:
- to Our supplier(s), subcontractor(s) or sub-processor(s) for the provision of a service;
- with law enforcement agencies, other government and regulatory agencies, third parties (in which We are required by law, the courts or other legal/authorities to which We may be subject);
- with member firms of Grant Thornton International Limited where We may be required to provide services and for administrative purposes (e.g., internal audits in line with Our standards);
- Professional advisors, auditors or insurers to which We are required by law or in line with the management of Our business; and
- where a reliance agreement is in place (e.g., professional bodies which need access to the work documents in order to provide services that We may not be able to provide).
Unless specified above, We will not disclose any Personal Data relating to you or others unless We are required to do so by law or as intended in applicable contractual agreements/powers of the data controller in terms of applicable legislation. In this regard, your Personal Data shall not be retained for longer than strictly necessary, as required by law or for purposes other than those made known to you.
Although Our data is stored on servers within Malta and the European Union, We may encounter situations where We would be required to disclose Personal Data to countries outside of the European Economic Area. In view of this, We ensure that security measures are implemented to safeguard disclosures of data whilst maintaining confidentiality. For further information on this, kindly contact Us through any of the channels indicated within Our ‘Contact Us’ section.
How long do We keep your data?
We keep Personal Data only for as long as necessary and in line with the purpose for which it was obtained and/or as required by any legal, regulatory or contractual requirements or for any litigation or investigation arising from the provision of a service.
In terms of the GDPR, Data Subjects are granted rights vis-à-vis the processing of their Personal Data:
- Right to be informed: you have the right to be given clear information regarding how your Personal Data is processed. We do this by means of this Policy which will be duly revised from time to time.
- Right to access: you may send Us a request to access all Personal Data that the Firm holds on you. To exercise this right, kindly send an email to email@example.com. We will do Our best to attend to your request within one (1) month. In case of more complex requests, the timeframe will be extended by a further one (1) month. Should you disagree with Our judgement, you can complain to the Information and Data Protection Commissioner (hereinafter referred to as the “IDPC”) on File a complaint - IDPC
- Right to rectification: you can also request that any inaccurate or incomplete Personal Data held by Us is corrected accordingly. In such instances, kindly send an email to firstname.lastname@example.org.
- Right to erasure: there are certain instances where you may also request the deletion of your Personal Data. On a general note, We will comply with your request in this regard. However, We may have the necessity not to comply with the request if retention of the data is required for Us to be compliant with a legal obligation and/or such data would be required by Us to exercise or defend any legal claims.
- Right to restrict or object to processing: you have the right to request the restriction or suppression of your Personal Data in certain circumstances. This would mean that you can limit the way that We use your data where there is a particular reason for wanting such a restriction. In most cases, this is not done indefinitely but for a period of time.
- Right to data portability: you have the right to put forward a request asking Us to provide you with certain personal data which had been provided to Us in a structured, commonly used and machine-readable format. When technically feasible, you may also request that your Personal Data be transferred to a third-party controller of your choice.
- Right to object: you may object to your Personal Data being processed at any time, including when such processing is based on legitimate interest (e.g., opting out of marketing subscriptions). You may choose to object to marketing communications at any time by clicking on the provided unsubscribe link in the email or by contacting Us on email@example.com.
- Right in automated decision making: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
- Right to lodge a complaint: you have the right to lodge a complaint against any Personal Data breach by communicating such breach to the IDPC. The IDPC may be notified by filling in the complaint form available at File a complaint - IDPC
Where We process your data and you choose to exercise any of your rights, We will ensure to provide feedback and adhere to your requests promptly and within the timeframes required by law. Nevertheless, should the nature and extent of the request prove to be lengthy or complex, We will inform you of any extended periods required to fulfil the exercise of your rights.
How We keep your data secure
We treat security of data with utmost importance. However, no data transmission over the Internet or any other network can be guaranteed as 100% secure. In view of this, We ensure to take appropriate steps to try to protect the security of your Personal Data. Grant Thornton Malta has implemented as many measures as possible to ensure that data remains strictly confidential, is only transferred on a need-to-know basis and for the purpose to which it was obtained.
Links to other websites or platforms
We encourage Our visitors to be wary when they leave Our website and to read the privacy policies of other sites that collect or use your Personal Data.
For any further questions about this Policy or how We handle your Personal Data, or should you wish to exercise a Data Subject right/ complaint, kindly contact Us through any of the following means:
Please to be redirected to Our contact page.
You may choose to contact Our Data Protection Representative and designated data protection and privacy team on firstname.lastname@example.org.
Registered office address
Fort Business Centre,
Triq L-Intornjatur, Zone 1,
Central Business District,
Birkirkara, CBD 1050,