Grant Thornton group of entities

Grant Thornton International Ltd (GTIL) forms a network of member firms operating under the auspices of the international Grant Thornton company and providing register auditors’, tax, advising or consulting services to their clients. The member organisations are present in over 130 countries and employ ca. 58 000 persons. 

GTIL is an international patronage entity, incorporated as a private limited liability company registered in England and Wales. GTIL does not provide services on its own behalf and does not provide services at all. Every member firm is a separate legal entity that provides services and is liable for its own actions and inactions. 

In the context of personal data protection, this means that data may be made available and entrusted between member organisations as well as between the member organisation and Grant Thornton International. Every sharing, entrustment or transfer of data is analysed in terms of lawfulness, both in the scope of national laws proper for the given member organisation as well as international laws. 

The Polish member organisations providing services under the Grant Thornton brand are: 

  • Grant Thornton Polska P.S.A. 
  • Grant Thornton Frąckowiak P.S.A. 
  • Grant Thornton Legal Maślanko sp. K 
  • Grant Thornton Technology P.S.A. – providing cybersecurity services 

In Poland, the Grant Thornton brand umbrella covers also the following entities: 

  • Edisonda P.S.A. – providing digital transformation services  

As regards data transfer outside the European Economic Area, i.e. to GTIL group entities, the data transfer consists in making data available between independent controllers of personal data (usually due to exchange of data of organisation’s employees in connection with on-going communication).  

It involves also entrustment of data to processors and sub-processors under concluded data processing agreements with standard contractual clauses guaranteeing security of transfer incorporated therein under the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council. 

Additionally, data transfer to a third country is subject to regular evaluation in terms of transfer risk and technical measures ensuring secure transfer. 

The Polish firms make personal data available and entrust them as well. 

Data can be made available for internal administrative purposes, based on a consent obtained from the data subject for such an operation and under the law (e.g. Act on Registered Auditors). Under recital 48 of GDPR, controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients’ or employees’ personal data. “Administrative purposes” include, for example, group’s internal reporting. 

In the context of employees’ personal data, the President of the Personal Data Protection Office explains that internal administrative purposes can regard mostly activities related to the employment relationship (delegation, recruitment, statistics). It is assumed that administrative purposes should be understood as all activities related directly to the employment relationship, such as transferring the employee to another place, including delegating him or her to work temporarily in another group company, actions connected with employees’ development – organisation of trainings, approval of the value of remuneration or keeping statistics regarding employment in the group as well as employee recruitment. The above is always restricted by situations where the interest as well as fundamental rights and freedoms of the data subject requiring protection of personal data outweigh the legitimate interest of the employer. 

The firms provide each other with mutual services, including but not limited to: 

  • sublease of office space and office maintenance; 
  • legal and compliance support in terms of personal data protection; 
  • recruitment, employment and payroll services; 
  • review and audit of financial statements; 
  • marketing support connected with promotion of Grant Thornton entities; 
  • rental of equipment;
  • IT services. 

This means that data of our clients and/or employees can be transferred (entrusted or made available) between such firms for the purpose of performance of service contracts. 

For transparency purposes, we present the bases for processing of personal data in our privacy notices. Furthermore, our Data Protection Officer can be contacted by e-mail at to ask about the scope of processing, making available or entrusting of your personal data. 

Get in touch

Marcin Troszak

Data privacy officer (DPO)