1. Terms and definitions
1.1. Personal data – means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
1.2. Processing of personal data – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
1.3. Controller – means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
1.5. Processor – means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
1.5. Third party – means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
1.6. Personal data breach – means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
1.7. Data subject – person whose personal data is processed (e.g. client who is a natural person, website user or a contact person of a legal entity client).
2.1. Grant Thornton and the processors working for us process personal data adhering to the following principles:
2.1.1. lawfulness, fairness and transparency – the processing is lawful, fair and transparent to the data subject;
2.1.2. purpose limitation – collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
2.1.3. data minimisation – adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
2.1.4. accuracy – the personal data is accurate and up to date; we employ all reasonable measures to ensure that inaccurate personal data is deleted or corrected;
2.1.5. storage limitation – kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
2.1.6. integrity and confidentiality – processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
3. Security of processing
3.1. Grant Thornton applies the organisational, physical and technological measures that are necessary and appropriate to the risk to protect personal data. These measures include rules and procedures for employees and for managing data, IT infrastructure, and internal and external networks, as well as protecting all the equipment and the building of Grant Thornton.
3.2. Grant Thornton has provided relevant training to all employees processing personal data.
3.3. Grant Thornton may use processors to process personal data. We ensure that all our processors process personal data in accordance with our instructions and applicable law, employing all appropriate organisational and technological security measures.
4. Lawful basis of processing
4.1. Grant Thornton processes personal data to ensure performance of a contract, to comply with legal obligations, out of legitimate interest, or on the basis of data subject’s consent.
4.1.1. Processing to ensure performance of a contract is used when we have concluded a contract and the contractual aim is not achievable without processing personal data.
4.1.2. Processing to comply with legal obligations includes all personal data processing under relevant laws and regulations, for example the Employment Contracts Law, the Money Laundering and Terrorism Financing Prevention Act, the Auditors Activities Act or the Accounting Act.
4.1.3. We process personal data on grounds of legitimate interest to improve the quality of our services and for the purpose of business development. To ensure that our legitimate interest doesn’t breach data subjects’ fundamental freedoms and rights, we conduct a three-part test to guarantee that the processing is purposeful, required and proportional to the stated purpose.
4.1.4. When processing personal data with consent as the lawful basis, we only process specifically what the data subject has consented to. The consent is freely given, specific and informed. The data subject can take back consent at any given time, and consent can be taken back as easily as it was given.
5. Data controller or data processor and collection of data
5.1. Grant Thornton can be a controller or a processor in various data processing operations. To ensure data subjects’ privacy rights, Grant Thornton abides by confidentiality principles and strictly limits disclosure of personal data.
5.2. Only the persons authorised by Grant Thornton have the right to modify and process personal data.
5.3. Grant Thornton processes personal data received directly from the data subject (i.e. person who submitted the personal data) or indirectly (through corporate clients). Personal data received indirectly is processed by Grant Thornton only if we have a need to process the personal data in order to provide a service, such as payroll accounting, to a corporate client.
6. Types of personal data
6.1. personal data: first and last name, personal number (ID code);
6.2. contact details: e-mail address, contact telephone number, postal address (place of residence);
6.3. personal data obtained indirectly, which we process to provide an assurance, internal audit, accounting or advisory services, may include, inter alia, the following: first and last name, personal number (ID code), number of children, marital status, e-mail address, contact telephone number, postal address (place of residence), remuneration, bank account number, companies’ shareholders, owners and beneficial ownership;
6.4. Internet data: data on website visitors’ sessions, cookies, log data and IP addresses.
7. Purposes of processing personal data
7.1.1. provide assurance and internal audit service pursuant to the Auditors Activities Act and other relevant legal acts;
7.1.2. provide accounting service pursuant to the Accounting Act and other legal acts;
7.1.3. offer tax, legal and other advisory services;
7.1.4. send out newsletters and conduct client satisfaction studies;
7.1.5. process purchase and sales invoices;
7.1.6. comply with legal obligations and activities resulting thereof.
8. Retention of personal data
8.1. Grant Thornton retains personal data only as long as this is necessary to fulfil the purpose for which the personal data is processed, unless there is an applicable legal obligation stating otherwise. We retain data as follows:
8.1.1. according to the Auditors Activities Act data collected in the process of assurance service is retained for 7;
8.1.2. accounting documents must be retained for 7 years as stipulated in the Accounting Act;
8.1.3. data collected on the basis of the Money Laundering and Terrorism Financing Prevention Act shall be retained for 5 years after the end of the business relationship.
8.2. Grant Thornton retains other data until the end of the respective retention term specified in the company’s personal data processing inventory.
8.3. Grant Thornton shall securely destroy and/or delete all personal data that has fulfilled its purpose or whose retention term has expired.
9. Third parties and data processors
9.1. Strictly limited by necessity and pursuant to the purposes, Grant Thornton may forward personal data to third parties and data processors for the following purposes:
9.1.1. for issuing sales invoices;
9.1.2. for client relationship management;
9.1.3. to partners to improve the quality of our services.
9.2. Regardless of access restrictions, Grant Thornton shall release a document to an organisation or a person who has a legal right to request the data (e.g. police, court, supervisory authority etc.).
10. Rights of the data subject
10.1. The data subject has the right to receive information regarding processing of their personal data. The data subject can obtain a copy of their personal data held by Grant Thornton by submitting a request via e-mail to email@example.com.
10.1.1. Grant Thornton has a legal obligation to make sure that a person requesting information about themselves is indeed the person who has the right to receive the data. For this reason, the requesters may have to prove their identity or right to request the data.
10.2. The data subject has the right to deletion of personal data if the processing of personal data took place on the basis of consent.
10.3. The data subject has the right to restrict the processing of personal data.
10.4. Where feasible, a data subject has the right to data portability.
10.5. The data subject has the right to lodge a complaint to the Data Protection Inspectorate regarding processing of personal data.
11.1. A cookie is a small text file that a web browser automatically saves in the device used by the user.
11.4. The website administered by Grant Thornton Baltic OÜ, www.grantthornton.ee, uses the following cookies:
11.4.1. Facebook Pixel cookies to deliver targeted advertisements as well as to analyse the website flow generated by the latter. Therefore, this entails the tracking of the user’s web traffic by Facebook.
11.4.2. Google Analytics cookies to deliver targeted advertisements as well as to analyse the website flow generated by the latter. Therefore, this entails the tracking of the user’s web traffic by Google.
11.4.3. LinkedIn Insight Tag cookies to deliver targeted advertisements as well as to analyse the website flow generated by the latter. Therefore, this entails the tracking of the user’s web traffic by LinkedIn.
11.4.4. All the aforementioned cookies collect information in an anonymous form.
11.5. It is possible to refuse or block cookies on the device, but this may mean that the website may not function properly and that not all services may be available. To refuse or block cookies you need to change your browser settings.
11.5.1. To remove the cookies, the user can simply go to the browser’s settings and either reset the browser or manually remove the specific cookies in the designated section. You can read more about managing and deleting cookies on the following webpage: http://www.allaboutcookies.org.
13. Contact information
13.1. If you have any issues, concerns or suggestions pertaining to processing of personal data, contact the controller using the following contact details:
Grant Thornton Baltic OÜ
Pärnu mnt 22