Privacy Policy

Grant Thornton, Godkendt Revisionspartnerselskab safeguards the privacy of our users and clients and strives to maintain a high level of protection of personal data. We encourage you to read the following privacy policy carefully, as it describes how we handle personal data.

 

Identification of the data controller

Grant Thornton is the data controller for the personal data described in this privacy policy.

Grant Thornton, Godkendt Revisionspartnerselskab
CVR: 34209936
Lautrupsgade 11
2100 Copenhagen Ø
Email: dpo@dk.gt.com

For certain services, Grant Thornton acts as a data processor. This applies, for example, to certain assistance tasks, payroll administration, etc. In cases where Grant Thornton is the data processor, Grant Thornton acts on the instructions of the data controller and pursuant to a data processing agreement.

Below you can find a brief overview of our processing activities.

Processing activities

Service Data Controller Data Processor
Customer management
Marketing
Newsletters
Contact form on the website
Audit, declaration work and consulting
Payroll administration
Bookkeeping
Recruitment of new employees

 

On this page, we only elaborate on the processing activities/services that we perform in the role of data controller as part of our duty to provide information.

 

Purpose, legal basis, categories of personal data, retention, and categories of recipients

When we, as a data controller, process information that can be linked to you, we must inform you, among other things, about the purpose of the processing, the legal basis we rely on, the categories of personal data we process about you, the retention period, and any categories of recipients of your personal data.

 
Client management, including leads, offers, initial meetings, and KYC (Know Your Customer) procedure

Purpose

The purpose of this activity is to establish collaborations and offer our services to potential clients.

Legal basis

Processing is carried out pursuant to Article 6(1)(f) GDPR (legitimate interests), as we balance our interest in selling our services with the potential client’s possible need for our services.

Processing is also carried out pursuant to Article 6(1)(b) GDPR (contract), Article 6(1)(c) GDPR (legal obligation), the Danish Data Protection Act section 11(2)(1) and the Danish Anti-Money Laundering Act section 11(1)(a) or (b) when leads result in processing for the purpose of entering into a contract and carrying out KYC procedures.

Categories of personal data

For this purpose, we process ordinary personal data, including: company name, employee name, job title, work email, telephone number, address, CVR number, and the company’s country of establishment.

Retention

Personal data will be deleted when it is no longer relevant, but no later than 12 months after processing if there is no ongoing dialogue or no cooperation/contractual relationship is established. If you reply to or ask questions via email, the data will generally also be stored for 12 months (see also “Contact form on the website”).

Personal data collected as part of KYC procedures will be deleted 5 years after the end of the business relationship or completion of a single transaction, cf. section 30(2) of the Anti-Money Laundering Act. We continuously delete personal data that is not covered by the Act.

Recipients / processors

Grant Thornton shares personal data with processors who process personal data on behalf of Grant Thornton. Grant Thornton discloses personal data to the following categories of recipients: public authorities, where required by a court order, subpoena, or other legal requirements.

 
Client management within a contractual relationship

Purpose

To manage agreements with clients and partners, maintain the agreement, and deliver services related to our engagement.

Legal basis

Article 6(1)(b) GDPR (contract) and Article 6(1)(c) GDPR (legal obligation).

Categories of personal data

Ordinary personal data, including: name, email, telephone number, job title, workplace (company name), address, CVR number, company country, bookkeeping information, the client’s processing activities and processors, the client’s agreements with controllers, the client’s sub-processors, number of employees, and year of establishment.

Retention

We are required to retain information covered by section 12 of the Danish Bookkeeping Act for 5 years after the end of the current financial year, after which the data is deleted.

Recipients / processors

Grant Thornton shares personal data with processors who process personal data on behalf of Grant Thornton.
Grant Thornton discloses personal data to public authorities where required by a court order, subpoena, or other legal requirements.

 
Marketing via the website

Purpose

To share information about the company’s services and products.

Read more about our processing of necessary and non-necessary cookies for website visitors in our Cookie Policy.

Grant Thornton shares personal data with processors who process personal data on behalf of Grant Thornton.

 
Marketing using testimonials, images, and video

Purpose

To share knowledge about our employees, clients, and partners in marketing contexts.

Legal basis

When we share materials (including photos, videos, or written testimonials) containing personal data about employees, clients, or partners, processing is based on Article 6(1)(a) GDPR (consent).

Categories of personal data

Name, workplace, job title, photo, video, and testimonials which may relate to other employees’ work and experience or to the client’s experience.

Retention

We delete content when it is no longer considered relevant and necessary for the purpose. We also delete your information if you withdraw your consent.

Grant Thornton shares personal data with processors who process personal data on behalf of Grant Thornton.

 
Newsletter subscription on the website

Purpose

To send news to clients, partners, and other interested parties who have subscribed.

Legal basis

Article 6(1)(a) GDPR (consent).

Categories of personal data

Ordinary personal data, including email address and preferred language (only email is required). You will also be asked to confirm your subscription and email to verify your identity.

Retention

We store your data until you withdraw your consent, e.g., by clicking “Unsubscribe” at the bottom of our newsletters.

Recipients / international transfers

We distribute newsletters via MailChimp, which receives your personal data. MailChimp is a US-based company used pursuant to Article 46(2)(c) GDPR (EU SCCs) with the addition of technical measures.

Grant Thornton shares personal data with processors who process personal data on behalf of Grant Thornton.

 
After-work meetings, events, and webinars

Purpose

To host meetings, webinars, and events.

When you register, personal data such as name, company name, job title, telephone number, and email address is recorded.

Legal basis

Article 6(1)(a) GDPR (consent).

By registering, you consent to the use of your personal data to administer the event and to send you event-related emails (e.g., registration confirmation, reminders, and an email with slides).

Retention

All personal data recorded in connection with an event is deleted no later than one month after the event has been held.

Grant Thornton shares personal data with processors who process personal data on behalf of Grant Thornton.

 
Contact form on the website

Purpose

To establish contact with potential clients and partners, including responding to inquiries.

Legal basis

Article 6(1)(f) GDPR (legitimate interests), as we have a legitimate interest in responding to inquiries and the visitor has provided the data for the purpose of being contacted.

Categories of personal data

Name, job title, company name, email, telephone number, and message content.

Retention

If the inquiry leads to a collaboration or client relationship, personal data is stored in accordance with the client-management activities. Otherwise, the data is deleted automatically no later than 12 months after the last correspondence.

Grant Thornton shares personal data with processors who process personal data on behalf of Grant Thornton.

 
Audit, assurance engagements, and advisory services

Purpose

To perform the audit or advisory services ordered by the client.

Legal basis

Article 6(1)(b) GDPR (contract), Article 6(1)(c) GDPR (legal obligation), and section 11(2)(1) of the Danish Data Protection Act.

Categories of personal data

Company name, address, CVR number, work phone number, work email, legal form, group customer number, industry code, type of engagement, risk classification, and CPR number.

Retention

We are required to retain information covered by section 12 of the Danish Bookkeeping Act for 5 years after the end of the current financial year, after which the data is deleted. We continuously delete personal data that is not covered by the Act.

Recipients / processors

Grant Thornton shares personal data with processors who process personal data on behalf of Grant Thornton.
Grant Thornton discloses personal data to public authorities where required by a court order, subpoena, or other legal requirements.

 
Recruitment of new employees

Purpose

To identify the appropriate candidate(s) for positions within the organisation.

Legal basis

  • Article 6(1)(f) GDPR (legitimate interests) when we receive your application
  • Article 6(1)(a) GDPR (consent) if we wish to store your application for an extended period
  • Article 6(1)(b) GDPR (contract) if we proceed to offering employment and process data for an employment contract

Categories of personal data

Ordinary personal data, including name, phone number, address, education, work experience, and previous employers.

Retention

Up to 6 months after hiring the final candidate(s), or 6 months after you receive a rejection. If we have your consent, we may store your data for up to 12 months after receiving your application. We delete your data if you withdraw your consent before the 12 months have passed.

Recipients / processors

Grant Thornton shares personal data with processors who process personal data on behalf of Grant Thornton.
Grant Thornton discloses personal data to public authorities where required by a court order, subpoena, or other legal requirements.

 
Whistleblower services

As part of our advisory and compliance services, Grant Thornton offers customers the option of a whistleblower solution. In this context, Grant Thornton processes personal data as a data processor on behalf of the individual customer (data controller).

The whistleblower solution is based on a technical platform delivered and hosted by an external sub-processor, Whistlebox BV, which processes personal data only on instructions from Grant Thornton and the individual customer.

Personal data that may be processed can include information about:

  • The reporter (if not anonymous)
  • Persons concerned by the report
  • The content of the report itself, including any confidential or sensitive information necessary to understand and follow up on the case

Purpose of processing

To enable the technical receipt, storage, and handling of whistleblower reports on behalf of the customer, including access control, qualified logging, reporting to the customer, and assisting the customer in fulfilling legal obligations.

Whistleblower personal data is processed solely on the instructions of the data controller customer and in accordance with applicable data protection law, including the GDPR and the Danish Whistleblower Act.

Sub-processor

To provide the technical whistleblower solution, Grant Thornton uses Whistlebox BV as a sub-processor. Whistlebox BV processes personal data on behalf of Grant Thornton and the data controller customer solely in accordance with a written sub-processing agreement.

Whistlebox BV may not process personal data for its own purposes and may act only on documented instructions from Grant Thornton.

Any transfer of whistleblower data to a third country takes place only in accordance with applicable rules and only where appropriate safeguards have been established.

Retention, deletion, and security

Whistleblower reports are stored and deleted in accordance with the customer’s instructions and applicable law, including retention requirements under whistleblower protection legislation.

Grant Thornton has implemented appropriate technical and organisational security measures to protect whistleblower data against unauthorised access, loss, or other unlawful processing.

Data subject rights

As a data processor, Grant Thornton assists the data controller in fulfilling data subjects’ rights under the GDPR, including access, rectification, erasure, and objection, to the extent provided for in the data processing agreement.

Data subjects should generally contact the data controller customer to exercise their rights. Grant Thornton may, where relevant and necessary, assist the customer in handling such requests.

 

Your rights as a data subject

When we process personal data about you, you have a number of rights under Chapter 3 of the GDPR that you may exercise against us as data controller:

  • Right to withdraw consent (withdrawal does not affect the lawfulness of processing based on consent before withdrawal; we stop processing unless another legal basis applies)
  • Right of access
  • Right to rectification
  • Right to erasure (in certain cases)
  • Right to data portability
  • Right to restriction of processing (in certain cases; subsequent processing generally limited to storage unless consent or specific exceptions apply, including important public interests such as archiving)
  • Right to object (in certain cases)

You can read more in the Danish Data Protection Agency’s guidance on data subject rights.

 
Right to lodge a complaint with the Danish Data Protection Agency

You have the right to lodge a complaint with the Danish Data Protection Agency if you believe that our company does not comply with its obligations under the GDPR.

Danish Data Protection Agency (Datatilsynet)
Carl Jacobsens Vej 35
2500 Valby
Email: dt@datatilsynet.dk
Telephone: +45 33 19 32 00

 

The privacy policy was updated on February 12, 2026.