article banner

Data Protection Notice

Grant Thornton firms established in Singapore (GTS) wants to protect the privacy of visitors to our website. Please read the following notice; it will help you to understand how we collect, use, disclose, process, protect and retain your personal data that is in our possession. We may change our privacy notice at any time without giving you notice, so please check it each time you visit our website.

How We Collect Your Personal Data

Personal data refers to any information that can uniquely identify an individual person (a) on its own, or (b) when combined with other information. Under the Personal Data Protection Act 2012 (PDPA), business contact information (e.g. full name, business address, business telephone number) is not considered as personal data so long as it is used strictly for business-to-business (B2B) transactions. Under the General Data Protection Regulations (GDPR), business contact information is considered as personal data.

We collect your personal data when you:

Corporate Clients/Individuals

  • Enter into an agreement or contract with us to provide you with our audit, tax or business advisory services
  • Outsource your tax processing or financial accounting to us to process on your behalf
  • Respond to one of our marketing or promotion campaigns
  • Are referred to us by one of our clients or customers
  • Enquire about our range of services
  • Enrol in our subscription or membership programme
  • Provide feedback to us on our quality of service
  • Visit our websites and leave behind your contact information
  • Communicate with us via emails or written correspondences
  • Attend one of our events (in-person or online)


  • Submit your CV and job application form to us in response to our recruitment advertisements
  • Submit your CV to recruitment firms or job portals, which are in turn forwarded to or retrieved by us
  • Submit your visa and employment pass application forms through us to apply to the relevant government agencies on your behalf

Types of Personal Data We Collect About You

The types of personal data we collect about you include but are not limited to:

Corporate Clients/Individuals

  • Client’s contact information (name, address, phone no., email Address)
  • Client’s personal details (name, NRIC no./FIN no./passport No., gender, date of birth, country of origin, country of residence, citizenship, nationality, race/ethnicity)
  • Client’s financial information (bank account no., credit/debit card name, credit/debit card no., card expiry date)


  • Job applicant’s personal details (name, NRIC no./FIN no./passport no., gender, date of birth, race/ethnicity, citizenship, nationality, marital status, family background, religion, languages spoken or written, household/personal income)
  • Job Applicant’s educational and professional qualifications (highest education level, qualifications, schools attended, academic transcripts, membership of professional bodies, certifications)
  • Job applicant’s professional and work experience (job title, occupation, employment history, employment pass status, work experience, curriculum vitae) 

Event attendee 

  • Attendees information (name, company, university, email address, contact number) 

How We Use Your Personal Data

We use the personal data you provide us for a range of services, including but are not limited to one or more of the following purposes

Corporate Clients/Individuals

  • Provide audit, tax or business advisory services
  • Carry out payroll processing, tax processing or financial accounting services on your behalf
  • Process account payables/receivables
  • Conduct direct marketing and lead generation activities
  • Conduct joint marketing with other companies and service providers
  • Process applications for membership programme
  • Communicate with customers, members and website visitors
  • Respond to inquiries and feedback to improve our quality of service
  • Analyse the use of our products, services or websites
  • Conduct risk assessment, or analyse risk and business results
  • Process employment passes of clients with the relevant government agencies
  • Process visa applications of clients with the relevant government agencies
  • Submit documents to government agencies for the formation of a new corporation or business entity
  • Carry out our obligations arising from any contracts entered into between you and us
  • Comply with or fulfil legal obligations and regulatory requirements
  • Process billing, payment and other credit-related activities


  • Process job applications, recruitment and selection
  • Process employment passes with the relevant government agencies
  • Process visa applications with the relevant government agencies
  • Process payroll

Who We Disclose Your Personal Data To

We may pass your personal data to our third-party service providers who need the data in order to fulfil your request for our services or process any payment. Some of these may be located outside the European Economic Area. Where applicable, we will abide by the GDPR.

We may pass your personal data to Grant Thornton member firms or to our data processors such as survey firms or electronic direct mail (EDM)/email service vendors.

Except as set out above, we will not disclose your personal information unless we are obliged to do so or allowed to do so, by law, or where we need to do so in order to run our business (for instance where we outsource services or other organisations to process data for us).

How We Manage the Collection, Use and Disclosure of Your Personal Data

Obtaining Consent or Use of Lawful Processing

Before we collect, use or disclose your personal data, we will notify you of the purpose why we are doing so. We will obtain written confirmation from you on your expressed consent. We will not collect more personal data than is necessary for the stated purpose. We will seek fresh consent from you if the original purpose for the collection, use or disclosure of your personal data has changed.

Under certain circumstances, we may assume deemed consent from you when you voluntarily provide your personal data for the stated purpose, e.g. when you apply for a job with us using our job application forms.

We may rely on exceptions to the need for consent under the PDPA for the collection, use or disclosure of your personal data under the following circumstances (only those relevant to GTS are included):

  • The personal data is publicly available
  • The personal data is disclosed by a public agency or disclosed to a public agency
  • The personal data is necessary for any investigation or proceedings
  • The personal data is necessary for evaluative purposes (e.g. determining the suitability of a job applicant for the job applied for)
  • The personal data is necessary to recover a debt owed by an individual to GTS, or for GTS to pay a debt owed to the individual
  • The personal data is necessary for the purpose of managing or terminating an employment relationship
  • The personal data is necessary for a business asset transaction

Under the GDPR, we may rely on the following legal grounds for the processing of personal data in lieu of consent (only those relevant to GTS are included):

  • Processing is necessary for the performance of a contract or to enter into a contract
  • Processing is necessary for compliance with a legal obligation
  • Processing is necessary for the purposes of legitimate interests pursued by GTS

Handling Sensitive Data

While the PDPA does not have a separate classification of sensitive data, the GDPR defines the following as sensitive or special categories of data: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade-union membership; genetic data; biometric data; data concerning health or sex life; and sexual orientation.

Where applicable under the GDPR, we will only process special categories of data pertaining to you upon your explicit consent, except under certain circumstances such as in the context of employment; protecting your vital interests; personal data made public by you; for legal claims; or for reasons of public interest.

Withdrawal of Consent

If you wish to withdraw consent, you should give us reasonable notice. We will advise you of the likely consequences of your withdrawal of consent, e.g. without your personal contact information we may not be able to inform you of future services offered by us.

Your request for withdrawal of consent can take the form of an email or letter to us, or through the “UNSUB” feature in an online service.

Cookies used by the Grant Thornton Singapore Pte Ltd website

A cookie is a small piece of data or message that is sent from an organisation's web server to your web browser and is then stored on your hard drive. Cookies can't read data off your hard drive or cookie files created by other sites, and do not damage your system.


However, you can reset your browser so as to refuse any cookie or to alert you to when a cookie is being sent. Web browsers allow you to control cookies stored on your hard drive through the web browser settings. To find out more about cookies, including what cookies have been set and how to manage and delete them, visit


We only use cookies to monitor the performance of our website and to improve user experience.


If you choose not to accept our cookies, some of the features of our site may not work as well as we intend.


Cookie type Cookie Name Purpose
Google analytics



These cookies are used to monitor the performance of our site. We use the information to help us improve the site. The cookies collect information in an anonymous form, including the number of visits to our site, where visitors have come from to the site and the pages they visited.

To opt out of being tracked by Google Analytics across all websites visit

.Net cookies


The ASP Session Cookie may be set as part of your online experience if using a site login to enable us to identify you. It only exists for the duration of the browsing session and is deleted afterwards.

CMS Platform cookies


 Used to distribute traffic to the website on several servers in order to optimise response times.

CMS Platform cookies


This is used to track the number of visits to the website

Youtube preferences PREF
We use YouTube to embed a selection of videos in our Thinking and campaign pages. The embedded videos do not set cookies themselves and can be played with no cookies set. However, if the 'Share' button is clicked YouTube will set cookies. The VISITOR_INFO1_LIVE cookie attempts to estimate your bandwidth and the use_hitbox and PREF cookies increment the 'views' counter on the YouTube video and stores session preferences. These cookies don't gather information that identifies a user.

How We Ensure the Accuracy of Your Personal Data

We will take reasonable steps to ensure that the personal data we collect about you is accurate, complete, not misleading and kept up-to-date.

From time to time, we may do a data verification exercise for you to update us on any changes to the personal data we hold about you. If we are in an ongoing relationship with you, it is important that you update us of any changes to your personal data (such as a change in your mailing address).

How We Protect Your Personal Data

We have implemented appropriate information security and technical measures (such as data encryption, firewalls and secure network protocols) to protect the personal data we hold about you against loss; misuse; destruction; unauthorised alteration/modification, access, disclosure; or similar risks.

We have also put in place reasonable and appropriate organisational measures to maintain the confidentiality and integrity of your personal data and will only share your data with authorised persons on a ‘need to know’ basis.

When we engage third-party data processors to process personal data on our behalf, we will ensure that they provide sufficient guarantees to us to have implemented the necessary organisational and technical security measures and have taken reasonable steps to comply with these measures (as required under the GDPR).

How We Retain Your Personal Data

We have a document retention policy that keeps track of the retention schedules of the personal data you provide us, in paper or electronic forms. We will not retain any of your personal data when it is no longer needed for any business or legal purposes.

We will dispose of or destroy such documents containing your personal data in a proper and secure manner when the retention limit is reached.

How You Can Access and Make Correction to Your Personal Data

You may write in to us to find out how we have been using or disclosing your personal data over the past one year. Before we accede to your request, we may need to verify your identity by checking your NRIC or other legal identification document. We will respond to your request as soon as possible, or within 30 days from the date we receive your request. If we are unable to do so within the 30 days, we will let you know and give you an estimate of how much longer we require. We may also charge you a reasonable fee for the cost involved in processing your access request.

If you find that the personal data we hold about you is inaccurate, incomplete, misleading or not up-to-date you may ask us to correct the data. Where we are satisfied on reasonable grounds that a correction should be made, we will correct the data as soon as possible, or within 30 days from the date we receive your request.

What Your Rights Are Under the GDPR

Under the GDPR, if you are an EU resident, you will have additional rights besides the Right of Access and the Right to Rectification that are similar to the Access and Correction Obligation under the PDPA. These additional rights are:

  • Right to Erasure (‘Right to be Forgotten’). You have the right to request GTS to erase your personal data based on certain grounds and in certain specified situations.
  • Right to Restriction of Processing. You have the right to obtain a restriction on the processing of your personal data, such as pending verification of a legal ground to process your personal data or where you dispute the accuracy of your personal data.
  • Right to Data Portability. You have a right to, under certain circumstances, request GTS to provide your personal data in a structured, commonly used and machine-readable format, and to transmit such data to another organisation without hindrance.
  • Right to Object. You have the right to object to the processing of your personal data for direct marketing purposes; for scientific/historical research/statistical purposes; or for purposes based on legitimate interest grounds.
  • Automated Individual Decision-Making, Including Profiling. You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or significantly affects you.

Where applicable, GTS will fulfil any of your requests as far as practicable, within a reasonable timeframe.

Transfer of Personal Data

Where there is a need to transfer your personal data to another country outside Singapore,we will ensure that the standard of data protection in the recipient country is comparable to that of PDPA and / or GDPR, where applicable. If this is not so, we will enter into a contractual agreement with the receiving party to accord similar levels of data protection as those in Singapore.

Contacting Us

If you have any query or feedback regarding this Notice, or any concern you have relating to how we manage your personal data, you may contact our Data Protection Officer (DPO) at:

Any query or concern should include, at least, the following details:

  • Your full name and contact information
  • Brief description of your query or concern

We treat such queries and feedback seriously and will deal with them confidentially and within reasonable time.

Changes to this Data Protection Notice

We may update this Data Protection Notice from time to time. We will notify you of any changes by posting the latest Notice on our website. Please visit our website periodically to note any changes.

Changes to this Notice take effect when they are posted on our website.