The Firm will only collect, use, or disclose Personal Data (defined under Glossary) for the purposes described in the Policy. Where the collection, use, or disclosure of Personal Data will differ from the purpose previously notified to the Data Subject, we will (i) inform the Data Subject of the new purpose and obtain consent prior to the collection, use, or disclosure, or (ii) proceed as permitted by the provisions of the Regulations. Additionally, we ensure that the systems and processes we use comply with the Regulations to the extent that they are applicable to us.
“Data Controller” means a Person or a juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of the Personal Data.
“Data Subject” (or “You” or “Your”) means any Person whose Personal Data is being collected, used, or disclosed.
“Grant Thornton”, for the purposes of this policy, means all the Grant Thornton member firms in Thailand.
“Person” means a natural person.
“Personal Data” means any information relating to a Person, which enables the identification of such Person, whether directly or indirectly, but not including the information of the deceased Persons in particular.
“Processing” refers to the collection, use, or disclosure of Personal Data.
Collection of Personal Data
In general, we collect Personal Data directly from Data Subjects such as our clients/prospective clients, suppliers, subcontractors, visitors to our official website https://www.grantthornton.co.th/ (the “Official Website”), visitors to our office, journalists, candidates for job applications, our employees, or other individual third parties. We could obtain your Personal Data in many circumstances, e.g. when you submit your enquiry via the Contact Us page on our Official Website, when you communicate with us directly in relation to our services (via our customer service, email, telephone, or any other means), when you apply for employment/internship with us, or when you voluntarily participate in our surveys. We could collect Personal Data through e.g. inquiries, requests, emails, registration, completion of forms/surveys, application forms, and other situations where a Data Subject chooses to provide Personal Data to us. However, if we obtain Personal Data from a person other than the Data Subject (the “Disclosing Person”), we assume the Disclosing Person represents and confirms to us that such Personal Data has been disclosed by the Disclosing Person in compliance with applicable Regulations on personal data protection. Details of how we obtain such Personal Data will be properly recorded in our system.
The following categories of Personal Data may be collected by us:
- Basic data: e.g. Name, Gender, Date of Birth, Title, Working Place, Phone Number, Mailing Address, Email Address, Contact Details
- Sensitive data: e.g. Health Data, Criminal Record
- Client service data: e.g. Personal Data received from clients in respect of individuals associated with them
- Registration data: e.g. Event/Seminar registrations, Details on Contact Us page
- Marketing data: e.g. Data about individuals who participated in the Firm’s Events or Seminars, Conferences, Clients’ Networking
- Employment data: e.g. Banking Details
- IT related data: e.g. IP Address, Cookies ID
- Compliance data: e.g. Beneficial Ownership Data, Identification Details
- Job applicant data: e.g. Education, Work Experience, Salary
Use of Personal Data
Unless we obtain your consent or it is required or permitted by Regulations, your Personal Data may be used for the following purposes:
- Providing Professional Services: We offer various types of services to our clients. To perform our services efficiently, we need to use Personal Data of our clients to deliver our work within the scope of the service agreements.
- Managing Business Operations: To run our business effectively, we may need to use Personal Data for various reasons, including to (i) manage relationships with our clients, suppliers, contractors, subcontractors, or other individuals with whom we have business relationships, (ii) develop our official website to be easy to use and protect it from misuse of IT or other crimes, (iii) provide information about our services that might be of interest, (iv) send you invitations and host seminars, events, or clients’ networking, (v) consider individuals for potential recruitment, or (vi) maintain and update internal record keeping.
- Complying with Rules, Regulations, and Professional Obligations: As a regulated business, it is necessary for us to comply with the legal requirements and professional obligations to which we are subject, e.g. (i) for auditing, risk management and security purposes, (ii) for detecting, investigating and preventing illegal activities, (iii) for enabling us to perform our obligations and enforce/defend our rights under any agreements/documents that we are a party to, (iv) for meeting any applicable legal/regulatory requirements, or (v) for carrying out verification and background checks as a part of the recruitment or selection process.
Disclosure of Personal Data
We may disclose your Personal Data to the following categories of recipients:
- Member Firms and our affiliates: We are a member firm of Grant Thornton International Ltd. It is a foundational principle of membership that if a member firm is approached by an international client who has a need in a foreign jurisdiction, that member firm is required to refer the client to a member firm in that jurisdiction to provide the relevant services. Please note that sharing of Personal Data with other member firms will be conducted strictly on a need-to-know basis and only to the extent necessary for them to perform their duties under their engagements. Your Personal Data will be secure because of the organisational and technical measures put in place by member firms and/or Affiliates.
- Service Providers: We disclose Personal Data to our third party service providers to enable them to perform their services under our instruction. Such services include IT services, event organisers, employment agencies, professional advisors, consultants, or external auditors. As a part of our agreement with them, they are required to strictly adhere to applicable laws and/or regulations and to take reasonable and efficient measures to ensure that your Personal Data is secure.
- Financial Institutions: We disclose Personal Data to them in connection with business routines e.g. invoicing and payments.
- Compulsory disclosure: We disclose Personal Data as requested by regulators, governmental bodies/organisations, or other related law enforcement authorities where our services are subject to regulation. We also disclose Personal Data to establish or protect our legal rights, property, or safety, or the rights, property, or safety of other individuals, or where we have to defend against any legal claims.
Storage, Retention, and Destruction of Personal Data
We realise the importance of security, and we endeavor to take all reasonable and reliable steps to safeguard Personal Data that we hold by providing appropriate technical and organisational measures. This includes implementing Policies & Procedures and training for our personnel related to confidentiality, records retention, or information technology. Those Policies & Procedures and training will be regularly reviewed to ensure that they are effective for their purposes.
Personal Data will be kept in hard copies and/or soft files. We provide filing cabinets and/or rooms to store hard copies of Personal Data, which are to be kept locked at all times. Soft files are kept in channels provided for each department and simultaneously uploaded to the cloud, which has a reliable security measure put in place. Additionally, only authorised departments/persons are allowed to have access to secured spaces. Personal Data is kept only for as long as necessary in relation to lawful purposes, including in compliance with:
(i) activities or services for which they are being processed;
(ii) applicable statutes, regulations and other legal requirements and guidelines under effective Policies & Procedures;
(iii) applicable professional requirements which are relevant to our professional services; and
(iv) litigations or investigations that might arise from providing services and there is a requirement under a compulsory disclosure.
Generally, we will keep Personal Data in accordance with our applicable Records Retention Policy, which will typically be ten years from the date of termination of contracts/legal documents. We will securely destroy your Personal Data when it is no longer necessary to keep it for the purposes for which it was collected, we are no longer subject to any legal requirements to keep it, or we have no other lawful basis to keep your Personal Data.
Lawful basis for processing Personal Data
- Consent
It means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (Article 4(11) of the General Data Protection Regulation).
- Legitimate Interest
It is necessary for legitimate interests of a Data Controller or any other persons, except where such interests are overridden by the fundamental rights of a Data Subject with respect to his/her Personal Data.
- Contract
It is necessary for the performance of a contract to which a Data Subject is a party, or in order to take steps at the request of a Data Subject prior to entering into a contract.
- Legal Obligation
It is necessary for compliance with a law to which a Data Controller is subject.
- Vital Interest
It is for preventing or suppressing a danger to a person’s life, body or health.
- Public Interest
It is necessary for the performance of a task carried out in the public interest by a Data Controller, or it is necessary for the exercising of official authority vested in a Data Controller.
It is for the achievement of a purpose relating to the preparation of historical documents or archives for public interest, or for a purpose relating to research or statistics, in which suitable measures to safeguard a Data Subject's rights and freedoms are put in place and in accordance with Notification as prescribed by the Committee.
Data Subject’s Rights
A Data Subject (or “You”) has the right to:
- Withdraw consent: In the case where the Firm processes your Personal Data based on your consent, you have a right to withdraw your consent at any time and we will respond to your request within 30 days from when such a request for withdrawal has been made. Please note that your withdrawal of consent shall not affect the past collection, use, or disclosure of Personal Data for which you have already lawfully given consent. Furthermore, your withdrawal may have certain consequences for you, of which we will inform you when we receive your request for withdrawal.
- Access: You have the right to request access to and obtain a copy of your Personal Data, or request disclosure of how your Personal Data was acquired where it was obtained without your consent, subject to certain exceptions. Where a copy is requested, the Firm may charge a reasonable administration fee for multiple copies of your Personal Data. Please note that we will process your request once the fee has been agreed.
- Rectify: You have a right to have your Personal Data remain accurate, up-to-date, complete, and not misleading. However, you acknowledge that we rely on your Personal Data, which we assume is accurate, up-to-date, and complete at the time when you gave it to us or in any updates made later. Therefore, we bear no responsibility for relying on or using any inaccurate, outdated, or incomplete Personal Data that you provided to us or failed to update. If you believe your Personal Data needs to be rectified, you can exercise your right by contacting our Contact firstname.lastname@example.org.
- Erase: You have a right to request the Firm to erase or destroy your Personal Data, unless the Personal Data retained by the Firm is necessary for the preparation of a historical document, the public interest, the establishment, compliance or exercise of legal claims, the defense of legal claims, or compliance with the law.
- Restriction of processing: You have a right to request the Firm to restrict use of your Personal Data including but not limited to:
  - When there is a pending examination process on the accuracy of your Personal Data because you believe it is inaccurate;
  - When your Personal Data is to be erased but you make a request to restrict use of such Personal Data instead; and
  - When it is no longer necessary for the Firm to retain such Personal Data in accordance with the purpose, but you need such Personal Data to be retained for the establishment, compliance or exercise of legal claims, or the defense of legal claims.
- Data portability: You have a right to request the Firm to send or transfer Personal Data to you or to another person or organisation. The Firm will arrange for such Personal Data to be in a format which is readable or commonly used by automatic tools or equipment, and which can be used or disclosed by automated means.
- Object: You have a right to object to the processing of your Personal Data when your Personal Data is collected without your consent or to serve a purpose of direct marketing.
Please note that we will endeavor to respond to your request within 30 days of receiving it. However, the length of time we take to respond will depend on the nature and extent of your request. Where your request cannot be responded to within the timeline, we will notify you at the earliest practicable opportunity.
Third party websites
What is a Cookie
Cookies used by our website

|Cookie type|Cookie Name|Purpose|
|---|---|---|
| | |These cookies are used to monitor the performance of our site. We use the information to help us improve the site. The cookies collect information in an anonymous form, including the number of visits to our site, where visitors have come from to the site and the pages they visited. To opt out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout.|
| | |We use YouTube to embed a selection of videos in our Thinking and campaign pages. The embedded videos do not set cookies themselves and can be played with no cookies set. However, if the 'Share' button is clicked YouTube will set cookies. The VISITOR_INFO1_LIVE cookie attempts to estimate your bandwidth and the use_hitbox and PREF cookies increment the 'views' counter on the YouTube video and store session preferences. These cookies don’t gather information that identifies a user.|
| |guest_id|We embed a Twitter feed in our Thinking and campaign pages. This cookie is used to identify you to Twitter. If you do not have a Twitter account or have never accessed the twitter.com website directly then Twitter will assign you a unique code to track your visit to the Twitter feed.|

We recognise the importance of Personal Data and protect it through organisational and technical measures. We restrict access on a need-to-know basis and only to the extent necessary for engagement teams to perform their duties in relation to their engagement assignments. We also endeavour to take appropriate steps to protect and safeguard our systems, networks and information against unauthorised access, use, modification and disclosure. However, the internet is an open global communication platform, and information may be exposed to other risks during transmission or while stored on our systems. Therefore, we cannot guarantee that any information will be 100% safe from attackers. We also assume no responsibility for any unauthorised and illegal use of Personal Data by third parties which is deemed beyond our control.
Additionally, as a Data Subject you have an important role in protecting your Personal Data by not sharing your username, password, or other authentication details with anyone. It is also recommended to use a strong password when transferring Personal Data. If you have reason to believe that your username, password, or other authentication details have been compromised, please contact us using the details provided under contact channels.
If you have questions or comments regarding this Privacy Policy, please contact us here:
Office of the Privacy Officer
11th Floor Capital Tower, All Seasons Place,
87/1 Wireless Road, Lumpini, Pathumwan,
Changes to the Policy
The Firm will regularly review the Policy and reserves the right to amend its terms at our absolute discretion in order to comply with any amendments or updates to the relevant Regulations. Any updates will be posted on the Official Website (defined under Glossary). Therefore, a notice will not be sent to any individual, and you are deemed to have acknowledged and agreed to any amended versions of the Policy if you continue to use our Official Website after amendments have occurred. As a result, the Firm encourages any Person (defined under Glossary) whose Personal Data (defined under Glossary) will be or has the potential to be collected, used, or disclosed under the Policy to read the Policy carefully, to understand how the Firm will handle Personal Data, and to stay well informed of our latest Policy in relation to Personal Data.