article banner

Client information

For information about processing personal data in audit assignments, click here.

Information on processing of personal data in filing systems for acceptance and management of clients and engagements

This information is a translation of the official version in Swedish. In the event of any conflict between the Swedish and English version, the Swedish shall prevail. 

We encourage you to visit the website on a regular basis, as the information describes how process personal data as a result of our client engagement contract and in order to fulfil our commitments, which may change over time. Please feel free to read or download this document as a PDF file. [ 166 kb ]

When personal data is processed, the controller shall supply certain information to the data subjects. As a result of the engagement contract, personal data will be processed by Grant Thornton Sweden AB ("Grant Thornton"). For this reason, the following information is provided.

Grant Thornton's processing of personal data
Grant Thornton will process personal data in accordance with applicable law. The personal data that will be processed is obtained from the client, its group companies (if applicable) or other entity, for example the Swedish Tax Agency (Sw: Skatteverket), the Swedish Companies Registration Office (Sw: Bolagsverket) or publicly available sources and relates to authorised representatives and other persons whose personal data is needed to administrate the client relationship and beneficial owner. Personal data is processed prior to the acceptance of clients and/or engagements and as a result of the performance of the engagement in order to undertake required controlling measures for independence, quality control, avoiding conflicts of interest, fulfilling requirements under the Act (2017:630) on Measures Against Money Laundering and Terrorist Financing ("the Anti-Money Laundering Act") and in order to complete documentation requirements of the measures taken. Such processing is necessary to fulfil the legal obligations of Grant Thornton, or a statutory auditor within Grant Thornton who has undertaken to perform the engagement and is necessary for the contractor's legitimate interest in fulfilling professional duties. Grant Thornton may also process personal data for other risk management measures (such as insurance matters) and to carry out internal financial reporting. This processing is necessary for Grant Thornton's legitimate interest in managing risks and any claims, as well as the legal obligation according to applicable accounting legislation.

The categories of personal data that may be processed for the above-mentioned purposes include contact details such as name, address, personal identity number/coordination number, telephone number, e-mail address and details of departmental affiliation and position. In connection with the client acceptance and registration process Grant Thornton may also process copies of identification documentation for those persons who represent the client as a result of the customer due diligence measures required by the Anti-Money Laundering Act.

Grant Thornton may also process personal data such as name, departmental affiliation, position and e-mail addresses to provide information regarding seminars and other events that Grant Thornton arranges and to send newsletters and other marketing material. Processing for such purposes is necessary for Grant Thornton's legitimate interest in being able to reach out to clients or employees at clients who may be interested in events, marketing and news in areas that are relevant to these people in their profession.

Transfer to third countries
Personal data may be processed on behalf of Grant Thornton by other member firms within the global organisation that Grant Thornton is a member of network firms or other entities engaged by Grant Thornton for the purpose of carrying out the measures referred to above. They may be based either in or outside the EU/EEA. In the transfer of personal data for processing in a country outside the EU/EEA that does not guarantee an adequate level of protection*, Grant Thornton is responsible for the personal data being covered by appropriate safeguards, e.g. through standard data protection clauses adopted by the European Commission under Article 46 of the General Data Protection Regulation, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

Recipients of the information
Grant Thornton shall ensure that the information processed as a result of the engagement does not become available to unauthorised persons, which means that personal data will be processed confidentially.

Grant Thornton may disclose personal data to other member firms within the global organisation that Grant Thornton is a member of or another entity engaged by Grant Thornton for the purpose of controlling and maintaining the impartiality and independence of auditors active within Grant Thornton, carrying out quality controls and undertaking other risk management measures, as well as sending invitations to events and other marketing material. Grant Thornton may also disclose personal data to insurance companies or legal advisers in connection with a judicial procedure to the extent required to enable Grant Thornton to look after its legal interests or to another recipient if such an obligation exists under applicable laws and regulations, professional obligation or decision of an authority.

Security in processing of personal data
Grant Thornton is responsible under applicable law for the personal data that is processed being protected by necessary technical and organisational security measures, having regard to what is appropriate in relation to the nature and sensitivity of the personal data. Grant Thornton's system and organisation are arranged so that unauthorised persons do not have access to the personal data processed as a consequence of the engagement. More information about Grant Thornton’s technical and organisational security measures is available at

Storage of personal data
The personal data will not be processed for a longer time than is necessary for the purposes for which the personal data is processed.

Rights of the data subject
Data subjects have in certain cases the right to request receipt of information concerning whether personal data relating to the data subject is processed, and if so to obtain access to the personal data in the form of an extract from a filing system. Data subjects furthermore often have the right to obtain the rectification of inaccurate personal data concerning them. Furthermore, data subjects may have the right to erasure of their personal data and the right to request restriction of the processing of personal data concerning the data subject or to object to such processing. Data subjects also have the right to lodge a complaint with a supervisory authority concerning the processing.
Regarding personal data processed in connection with the acceptance of clients and engagements and as a consequence of the engagement, Grant Thornton is obliged to retain such documentation in this respect for at least ten years. This means that it is not permitted to erase personal data included in such documentation beforehand, and sometimes neither is it permitted to rectify the data. For these reasons it is not possible for Grant Thornton to restrict or limit the processing of personal data even if requested by a data subject.

With regard to Grant Thornton's processing of personal data for marketing purposes, data subjects have the right to request erasure, rectification and restriction and to object to the processing of their personal data for such purposes.

If you have any questions regarding GDPR or want to make a request of information, please use

Adequacy of the protection of personal data in non-EU countries.