
Information on processing of personal data in audit engagements

This information is a translation of the official version in Swedish. In the event of any conflict between the Swedish and English version, the Swedish shall prevail.

We encourage you to visit the website on a regular basis, as the information describes how we process personal data as a result of our client engagement contract and in order to fulfil our commitments, which may change over time. Please feel free to read or download this document as a PDF file.

Background

When personal data is processed, the controller shall provide certain information to the data subjects. As a result of the audit engagement, any statutory supplementary engagements and audit advice that may be attributed to such engagements (jointly referred to as "the Audit Engagement"), personal data will be processed by Grant Thornton Sweden AB ("Grant Thornton"). For this reason, the following information is provided.

Grant Thornton's processing of personal data

Grant Thornton needs to have access to certain personal data in order to be able to perform the Audit Engagement in accordance with applicable laws and regulations, generally accepted auditing standards and professional ethics for accountants in Sweden.

Grant Thornton will process personal data obtained from the audit client, its group companies (if applicable), or another party, e.g. the Swedish Tax Agency (Sw: Skatteverket) or the Swedish Companies Registration Office (Sw: Bolagsverket) or other publicly available sources, in order to perform and document the Audit Engagement. Personal data will be processed in accordance with applicable law. Such processing is necessary in order to fulfil legal obligations to which Grant Thornton, or a statutory auditor within the firm, who has undertaken to perform the Audit Engagement is subject.

For these purposes, Grant Thornton will process information that may contain personal data, for example payroll files, board minutes, share registers/list of members, authorization lists and other documents related to the activities of the audit client and any potential group companies. The categories of personal data that may be processed include:

  • contact details such as name, address, domicile, telephone number and e-mail address,
  • data on employment such as employee number, departmental affiliation, position and period of employment,
  • data concerning health and absence, for example medical certificates and data concerning sickness absence, leave of absence and parental leave,
  • information regarding memberships of trade unions and religious affiliations (church tax),
  • identification documentation such as personal identity number/coordination number,
  • data on financial circumstances such as bank account details, data on salary and other benefits, insurance details and registration number details for a company car, and possible financial distraint,
  • data on insurance policies or pensions, or
  • other categories of personal data that may be required as a result of the review in accordance with generally accepted auditing standards and professional ethics for accountants.

Grant Thornton will also process certain personal data in order to perform independence checks, quality checks, checking of conflicts of interest, fulfilling requirements under the Act on Measures against Money Laundering and Terrorist Financing and risk management measures (such as insurance matters), in order to carry out internal financial reporting and in order to complete documentation requirements of the measures taken. Grant Thornton also has certain duties under applicable law to provide information to authorities or another external party (for example a new auditor). The processing of personal data for the purposes indicated in this clause is necessary for Grant Thornton to fulfil the legal obligations of Grant Thornton, or a statutory auditor within Grant Thornton who has undertaken to perform the engagement. With regard to risk management measures, the processing is necessary for Grant Thornton's legitimate interest in managing risks and any claims.

Grant Thornton may also process the contact details of employees, consultants, board members and other executives and owners of the audit client and its group companies (if applicable) in order to provide information on seminars and other events that Grant Thornton arranges and in order to send newsletters and other marketing material. Processing for such purposes is necessary for Grant Thornton's legitimate interest in being able to reach out to concerned persons with the client who may be interested in events, marketing and news in areas that are relevant to the positions of these persons.

Transfer to third countries

Personal data may be processed on behalf of Grant Thornton by other member firms within the global organisation that Grant Thornton is a member of or other entities engaged by Grant Thornton for the purpose of carrying out the measures referred to above. They may be based either in or outside the EU/EEA. In the transfer of personal data for processing in a country outside the EU/EEA that does not guarantee an adequate level of protection, Grant Thornton is responsible for the personal data being covered by appropriate safeguards, e.g. through standard data protection clauses adopted by the European Commission under Article 46 of the General Data Protection Regulation, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

Recipients of the information

Grant Thornton shall ensure that the information processed as a result of the Audit Engagement does not become available to unauthorised persons, which means that personal data will be processed confidentially. Only members of the audit team or persons who are consulted by the audit team will have access to the personal data that is required for the performance of the Audit Assignment according to applicable laws and regulations, professional obligations and decisions by relevant authorities.

Grant Thornton may disclose personal data to other member firms within the global organisation that Grant Thornton is a member of or another entity engaged by Grant Thornton to perform the Audit Engagement and otherwise for those purposes stated in this document. Grant Thornton may also disclose personal data to insurance companies or legal advisers in connection with a judicial procedure to the extent required to enable Grant Thornton to look after its legal interests or to another recipient if such an obligation exists under applicable laws and regulations, professional obligation or decision of an authority.

Security in processing of personal data

The procedures and reviews performed within the framework of the Audit Engagement are covered by a statutory duty of confidentiality, which means that personal data processed under the Audit Engagement and for other stated purposes is also covered by such confidentiality. Grant Thornton ensures that the personal data processed is protected by necessary technical and organisational security measures having regard to what is appropriate in relation to the nature, extent and sensitivity of the personal data. The Audit Firm's system and organisation are arranged such that unauthorised persons do not have access to the personal data processed as a consequence of the Audit Engagement. More information about Grant Thornton's technical and organisational security measures is available at www.grantthornton.se/en/securitymeasures.

Storage of personal data

Personal data will be processed during the time needed to perform the Audit Engagement, and the data will then be retained in order to fulfil documentation requirements for the Audit Engagement for at least ten years from the end of the financial year in which the review was concluded in accordance with applicable laws and regulations, generally accepted auditing standards and professional ethics for accountants in Sweden.

Rights of the data subject

Data subjects have in certain cases the right to request information concerning whether personal data relating to the data subject is processed, and if so to obtain access to and rectification or erasure of their personal data and the right to request restriction or to object to processing. Data subjects also have the right to lodge a complaint with a supervisory authority concerning the processing. An audit means that the audit client's information for a particular financial year is reviewed at certain times during this year and during a certain time thereafter, which means that updating/rectification of personal data will not be relevant in this type of engagement after the audit procedure has been performed. Furthermore, the information and data that the auditor accesses within the framework of the Audit Engagement are covered by a statutory duty of confidentiality, which means that Grant Thornton normally must not disclose such information. In addition, Grant Thornton is obliged to document audit engagements performed and retain the documentation for at least ten years from the end of the financial year in which the review was concluded, which means that it is not permitted to amend/erase personal data included in such documentation beforehand. For the reasons mentioned, neither is it possible for Grant Thornton/the auditor to fulfil a request from a data subject to restrict or limit any processing of personal data that takes place as a consequence of the Audit Engagement.

With regard to Grant Thornton's processing of personal data for marketing purposes, however, data subjects have the right to request erasure, rectification and restriction and to object to the processing of their personal data for such purposes.

If you have any questions regarding GDPR or want to make a request for information, please use www.grantthornton.se/en/contact-us/.