1. Terms and definitions
1.1. Personal data – means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
1.2. Processing of personal data – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
1.3. Controller – means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
1.4. Processor – means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
1.5. Third party – means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
1.6. Personal data breach – means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
1.7. Data subject – person whose personal data is processed (e.g. client who is a natural person, website user or a contact person of a legal entity client).
1.8. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
2.1. Grant Thornton and the processors working for us process personal data adhering to the following principles:
2.1.1. lawfulness, fairness and transparency – the processing is lawful, fair and transparent to the data subject;
2.1.2. purpose limitation – collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
2.1.3. data minimisation – adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
2.1.4. accuracy – the personal data is accurate and up to date; we employ all reasonable measures to ensure that inaccurate personal data is deleted or corrected;
2.1.5. storage limitation – kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
2.1.6. integrity and confidentiality – processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
3. Security of processing
3.1. Grant Thornton applies organisational, physical and technological measures that are necessary and appropriate to the risk in order to protect personal data. These measures include rules and procedures for employees and for managing data, IT infrastructure, and internal and external networks, as well as for protecting all the equipment and the building of Grant Thornton.
3.2. Grant Thornton has provided relevant training to all employees processing personal data.
3.3. Grant Thornton may use processors to process personal data. We ensure that all our processors process personal data in accordance with our instructions and applicable law, and employ all appropriate organisational and technological security measures.
4. Lawful basis of processing
4.1. Grant Thornton processes personal data to ensure performance of a contract (including a contract with clients - data controllers), to comply with legal obligations, out of legitimate interest, or on the basis of data subject’s consent.
4.1.1. Processing of personal data to ensure performance of a contract is used when we have concluded a contract and the contractual aim is not achievable without processing personal data.
4.1.2. Processing on the basis of legal obligations includes all personal data processing under relevant laws and regulations, for example the Labour Code of the Republic of Lithuania, The Republic of Lithuania Law on the Prevention of Money Laundering and Terrorist Financing, The Republic of Lithuania Law on the Audit of Financial Statements, The Republic of Lithuania Accounting Law, The Republic of Lithuania Law on Companies, The Civil Code of the Republic of Lithuania and others.
4.1.3. We process personal data on grounds of legitimate interest to improve the quality of our services and for the purpose of business development. We ensure that our legitimate interest doesn’t breach data subjects’ fundamental freedoms and rights.
4.1.4. When processing personal data with consent as the lawful basis, we only process specifically what the data subject has consented to. The consent is freely given, specific and informed. The data subject can withdraw consent at any time, and consent can be withdrawn as easily as it was given.
5. Data controller or data processor and collection of data
5.1. Grant Thornton can be a controller or a processor in various data processing operations. To ensure data subjects' privacy rights, Grant Thornton abides by confidentiality principles and strictly limits disclosure of personal data.
5.2. Only the persons authorised by Grant Thornton have the right to modify and process personal data.
5.3. Grant Thornton processes personal data received directly from the data subject (i.e. person who submitted the personal data) or indirectly (through corporate clients).
6. Types of personal data
Personal data of Grant Thornton's clients, employees, representatives, participants, members of bodies, third parties, and of employees, representatives, participants and members of bodies of related companies (natural persons and representatives of legal entities), whose data is required for the fulfillment of the purposes specified in clause 7:
6.1. personal data: first and last name, personal identification number (ID code) and / or date of birth; data on the ID card / passport, signature;
6.2. contact details: e-mail address, contact telephone number, postal address (place of residence);
6.3. other personal data obtained directly and / or indirectly, which we process to ensure the fulfillment of the purposes specified in clause 7; this may include, for example, number of children, marital status, remuneration, bank account number, owners and beneficial ownership, health condition (typical when providing accounting services to clients);
6.4. Internet data: data on website visitors’ sessions, cookies, log data and IP addresses.
7. Purposes of processing personal data
7.1.1. provide assurance and internal audit service pursuant to The Republic of Lithuania Law on the Audit of Financial Statements and other relevant legal acts;
7.1.2. provide accounting service pursuant to The Republic of Lithuania Accounting Law and other legal acts and standards;
7.1.3. provide advisory (legal, tax, finance) services pursuant to other relevant legal acts;
7.1.4. offer tax, legal, finance and other business advisory services, accounting, assurance services;
7.1.5. send out newsletters and conduct client satisfaction studies (for marketing purposes);
7.1.6. process purchase and sales invoices;
7.1.7. process purchase, orders (for goods and services);
7.1.8. process internal administration (policies, employment contracts, events, etc.);
7.1.9. fulfill obligations under agreements with partners;
7.1.10. comply with legal obligations and activities resulting thereof.
8. Retention of personal data
8.1. Grant Thornton retains personal data only as long as this is necessary to fulfil the purpose for which the personal data is processed, unless there is an applicable legal obligation stating otherwise. Specific time limits for the retention of documents and the personal data are indicated in a documentation plan approved by Grant Thornton executive, which is regularly updated in accordance with applicable law and Grant Thornton's internal procedures.
9. Third parties and data processors
9.1. Personal data may be transferred only if the conditions for transfer to third parties or international organizations set out in Chapter V of the GDPR and other personal data protection laws are met, i.e. an adequate level of protection of the transferred Personal Data is ensured.
9.2. Grant Thornton, notwithstanding access restrictions, provides personal data to an organization or person who has the right to request data in accordance with the law (such as the police, court, supervisory authority, etc.).
10. Rights of the data subject
10.1. Data recipients / categories of data recipients: IT, service providers, public authorities, partners.
10.2. Source of the data subject's data: legal entity (for example employer, partner, client), publicly available sources of information (for example websites, public databases of institutions).
10.3. We do not use automated decision-making to process the data subject's personal data.
10.4. Data subject has the right to submit a request via e-mail to email@example.com for:
- information and access to personal data processed;
- rectification of personal data;
- deletion of personal data;
- a restriction on the processing of personal data;
- presenting personal data in a structured, computer-readable format.
10.5. Requests from a data subject must include: information that would allow us to identify you as a data subject; actions requested; personal data in respect of which such action is requested.
10.6. We will process the data subject's request within 20 working days of receiving it and inform you of the action taken in response to the request received.
10.7. You (the data subject) will be informed in the form in which the request was made. If you believe that your rights in relation to the processing of your personal data by us have been violated, you have the right to apply to the supervisory authority - the State Data Protection Inspectorate; company code 188607912; address - A. Juozapavičiaus st. 6, 09310 Vilnius; tel. (8 5) 271 2804, 279 1445; fax (8 5) 261 9494; e-mail firstname.lastname@example.org.
11. Personal data breach
11.1. All data controllers must notify the State Data Protection Inspectorate about data security violations in cases where there is a significant risk to the security of personal data.
11.2. Violations of personal data security must be reported to the State Data Protection Inspectorate of the Republic of Lithuania within 72 hours.
The notification must specify:
- The nature of the data breach, the categories and approximate number of data subjects, and the categories and approximate number of personal data records;
- Name and contact details of the Data Protection Officer or other contact person who can provide further information;
- The likely consequences of the personal data breach;
- The measures taken or proposed by the controller to remedy the personal data breach;
- Other information in accordance with applicable law and internal Grant Thornton procedures.
11.3. Grant Thornton, as controller of personal data, shall notify the personal data subject (where technologically possible) and / or another controller of personal data (e.g. a legal person who, acting as controller, lawfully transferred personal data to Grant Thornton, who also acts as controller of personal data). The notification shall contain the information specified in clause 11.2. The notification shall be sent to the subject by electronic means within 48 hours from the breach of security, but not later than the deadline specified in clause 11.2.
11.4. Grant Thornton, as the controller of personal data, shall notify the controller who transferred the personal data of personal data breaches in cases where there is a serious risk to the security of personal data. The notification shall contain the information specified in clause 11.2. The notification shall be sent to the subject by electronic means within 48 hours from a security breach, but no later than the deadline specified in clause 11.2, or sent in accordance with the written instructions provided to us by the controller of personal data (personal data processing agreement).
12.2. A cookie is a small text file that a web browser automatically saves in the device used by the user.
12.4. It is possible to refuse or block cookies on the device; this may mean that the website does not function properly and that not all services are available. To refuse or block cookies you need to change your browser settings.
14. Other provisions
14.1. Liability for personal data processing violations arises in accordance with the law. Each party is responsible for damages caused by its illegal actions.
14.2. All disputes between the parties shall be settled by negotiation. If the dispute cannot be resolved through negotiations, disputes shall be resolved in accordance with the procedure provided by the laws of the Republic of Lithuania in the courts of the Republic of Lithuania.
14.3. When Grant Thornton acts as a controller of personal data, this policy, internal documentation and applicable law shall apply. When Grant Thornton acts as a controller of personal data (for example, provides accounting, consulting services to a client on its behalf), the written instructions provided by the controller (client) are followed, which do not contradict the applicable laws and internal procedures.
15. Contact information
15.1. If you have any issues, concerns or suggestions pertaining to processing of personal data, contact the controller using the following contact details:
Grant Thornton Baltic UAB
Upės street 21