Grant Thornton Cambodia wants to protect the privacy of visitors to our website. Please read the following policy; it will help you to understand how we use your personal data. We may change our privacy policy at any time without giving you notice, so please check it each time you visit our website.
What personal data do we collect?
We log your Internet Protocol (IP) address in order to receive and send information from and to you over the internet.
When you visit our website, make an enquiry, order publications or request more information, you may be asked to provide some personal data such as your name, address, telephone number and e-mail address. In the event you decide to provide personal data, this policy will apply.
Grant Thornton (the “Firm”, “We” or “Our”) recognises the importance of privacy of personal data. We have therefore developed this Privacy Policy (the “Policy”) to govern our practice of how Personal Data (defined under Glossary) of our personnel, clients of the Firm, third parties of the Firm, or any other individuals from whom we obtain Personal Data during the course of our business will be collected, used, or disclosed by the Firm in accordance with relevant effective regulations and their sub-regulations as being announced by the authorities (the “Regulations”).
The Firm will only collect, use, or disclose Personal Data (as defined under Glossary) for the purposes described in the Policy. In case where collection, use, or disclosure of Personal Data will be different from the purpose previously notified to the Data Subject, we will (i) inform of such new purpose and obtained consent from Data Subject prior to the time of collection, use, or disclosure, or (ii) it can be done by the provisions of the Regulations. Additionally, we ensure that systems and processes we use are in compliance with Regulations to the extent that they are applicable to us.
Glossary
“Data Controller” means a Person or a juristic person having the power and duties to make decisions regarding the collection, use, or disclosure of the Personal Data.
“Data Subject” (or “You” or “Your”) means any Person whose Personal Data is being collected, used, or disclosed.
“Grant Thornton”, for the purposes of this policy, means Grant Thornton in Cambodia.
“Person” means a natural person.
“Personal Data” means any information relating to a Person, which enables the identification of such Person, whether directly or indirectly, but not including the information of the deceased Persons in particular.
“Processing” refers to collect, use, or disclose of Personal Data.
Collect of Personal Data
In general, we collect Personal Data directly from Data Subject such as our clients/prospective clients, suppliers, subcontractors, visitors of our official website www.grantthornton.com.kh (the “Official Website”), visitors of our office, candidates for job applications, our employees, or other individual third parties. We could obtain your Personal Data from many circumstances e.g. when you submit your enquiry via our Contact Us page on our Official Website, when you communicate with us directly in relation to our services (via our customer service, email, telephone, or any other means), when you apply for employment/internship with us, when you voluntarily participate in our surveys. We could collect Personal Data through e.g. inquiries, requests, emails, registration, completion of forms/surveys, application forms, and other situations where Data Subject chooses to provide Personal Data to us. However, if we obtain Personal Data from person other than Data Subject (the “Disclosing Person”), we assume the Disclosing Person represents and confirms to us that such Personal Data has been disclosed in compliance with applicable Regulations on personal data protection by the Disclosing Person. Details of how we obtain such Personal Data will be properly recorded in our system.
Following scope of categories may be collected by us:
- Basic data: e.g. Name, Gender, Date of Birth, Title, Working Place, Phone Number, Mailing Address, Email Address, Contact Details
- Sensitive data: e.g. Health Data, Criminal Record
- Client service data: e.g. Personal Data receives from clients in respect of their individuals associated with them
- Registration data: e.g. Event/Seminar registrations, Details on Contact Us page
- Marketing data: e.g. Data about individuals participated the Firm’s Events or Seminars, Conferences, Clients’ Networking
- Employment data: e.g. Banking Details
- IT related data: e.g. IP Address, Cookies ID
- Compliance data: e.g. Beneficial Ownership Data, Identification Details
- Job applicant data: e.g. Education, Work Experience, Salary
Use of Personal Data
Unless we obtain your consent or it is required or permitted by Regulations, your Personal Data may be used for the following purposes: -
- Providing Professional Services: We offer various types of services to our clients. To perform our services efficiently, we need to use Personal Data of our clients to deliver our works within the scope of the service agreements.
- Managing Business Operations: To run our business effectively, we may need to use Personal Data for various reasons, including (i) manage relationships with our clients, suppliers, contractors, subcontractors, or other individuals that we have business relationships, (ii) develop our official website to be easy to use and prevent it from misuses of IT or other crimes, (iii) provide information about our services that might be of interest, (iv) send you invitation and host seminars, events, or clients’ networking, (v) consider individuals for potential recruitments, or (vi) maintain and update internal record keeping.
- Complying with Rules, Regulations, and Professional Obligations: as a regulated business, it is necessary for us to comply with legal requirements and professional obligations that we are subject e.g. (i) for auditing, risk management and security purposes, (ii) for detecting, investigating and preventing illegal activities, (iii) for enabling us to perform our obligations and enforce/defend our rights under any agreements/documents that we are a party to, (iv) for meeting any applicable legal/regulatory requirements, or (v) for carrying out verification and background checks as a part of recruitment or selection process.
Disclose of Personal Data
We may disclose your Personal Data under these following categories of recipients:
- Member Firms and our affiliates: We are a member firm of Grant Thornton International Ltd.a list of Grant Thornton member firms. We have a foundational principle of membership that if a member firm has been approached by an international client who has need in a foreign jurisdiction, there is a requirement that such member firm approached by an international client will refer such client to a member firm in that jurisdiction to provide the relevant services. Please note that sharing of Personal Data either to other member firms will be conducted on a strict principle of a need-to-know basis and only to the extent necessary for them to perform their duties under their engagements. Your Personal Data will be secure because of their organisational and technical measures having put in place by member firms and/or Affiliates.
- Service Providers: We disclose Personal Data to our third party service providers to enable them to perform their services which are under our instruction. Those services are such as IT services, event organisers, employment agencies, professional advisors, consultants, or external auditors. As a part of our agreement with them, they are required to strictly adhere to applicable laws and/or regulations and to take reasonable and efficient measures to ensure Data Subject that your Personal Data is secure.
- Financial Institutions: We disclose Personal Data to them in connection with business routines e.g. invoicing and payments.
- Compulsory disclosure: We disclose Personal Data as requested from regulators, governmental bodies/organisations, or other related law enforcement authorities where our services are subject to be regulated. We also disclose Personal Data to establish or protect our legal rights, property, or safety, or rights, property, or safety of other individuals, or we have to defend against any legal claims.
Storage, Retention, and Destruction of Personal Data
We realise the importance of security, and we endeavor to take all reasonable and reliable steps to safeguard Personal Data that we hold by providing appropriate technical and organisational measures. This consideration includes implements of Policies & Procedures and trainings for our personnel related to confidentiality, records retention, or information technology. Those Policies & Procedures and trainings will be regularly reviewed to ensure that they are effective for their purposes.
Personal Data will be kept either in hard copies and/or soft files. We provide filing cabinets and/or rooms to store hard copies of Personal Data and they are requested to be locked at all times. Soft files have been kept in channels provided for each department and simultaneously uploaded on the cloud which has a reliable security measure put in place. Only authorised departments/persons are allowed to have access to secured spaces. Personal Data is kept only for its necessary in relation to lawful purposes, including in compliance with:
(i) activities or services for which they are being processed;
(ii) applicable statues, regulations and other legal requirements and guidelines under effective Policies & Procedures;
(iii) applicable professional requirements which they are relevant to our professional services; and
(iv) litigations or investigations that might arise from providing services and there is a requirement under a compulsory disclosure.
Generally, we will keep Personal Data in accordance with our applicable Records Retention Policy which will be typically ten years from the date of termination of contracts/legal documents. We will securely destruct your Personal Data when they are no longer necessary to keep them for purposes which they were collected, we are no longer subject to any legal requirements to keep them, or we have no other lawful basis to keep your Personal Data.
Lawful basis for processing Personal Data
- Consent
It means any freely given, specific, informed and unambiguous indication of Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.[1]
[1] Article 4(11) of the General Data Protection Regulation
- Legitimate Interest
It is necessary for legitimate interests of a Data Controller or any other persons, except where such interests are overridden by the fundamental rights of a Data Subject with respect to his/her Personal Data.
- Contract
It is necessary for a performance of a contract to which a Data Subject is a party, or in order to take steps at the request of a Data Subject prior to entering into a contract.
- Legal Obligation
It is necessary for compliance with a law to which a Data Controller is subjected.
- Vital Interest
It is for preventing or suppressing a danger to a person’s life, body or health.
- Public Interest
It is necessary for the performance of a task carried out in the public interest by a Data Controller, or it is necessary for the exercising of official authority vested in a Data Controller.
- Research
It is for the achievement of a purpose relating to the preparation of historical documents or archives for public interest, or for a purpose relating to research or statistics, in which suitable measures to safeguard a Data Subject's rights and freedoms are put in place and in accordance with Notification as prescribed by the Committee.
Data Subject’s Rights
Data Subject (or “You”) have rights to:
- Withdraw consent: In the case where the Firm processes your Personal Data based on your consent, you have a right to withdraw your consent at any time and we will respond to your request within 30 days from when such a request of withdrawal has been made Please note that your withdrawal of consent shall not affect the past collection, use, or disclosure of Personal Data for which you have already given legally consent. Furthermore, your withdrawal may leave you some certain consequences which we will inform you such consequences when we receive your request of withdrawal.
- Access: You have the right to request access to and obtain a copy of your Personal Data, or request a disclosure of an acquisition of your Personal Data obtained without your consent, subject to certain exceptions. In case of a copy requirement, the Firm may charge a reasonable administration fee for multiple copies of your Personal Data. Please note that we will process your request once the fee has been agreed.
- Rectify: You have a right to have your Personal Data remain accurate, up-to-date, complete, and not misleading. However, you realise that we rely on your Personal Data which we assume is accurate, up-to-date, and complete at the time when you gave it to us or any updates that made later. Therefore, we have no responsibility for relying on using any inaccurate, outdated, or incomplete Personal Data that you provided to us or failed to update any changes. If you believe your Personal Data needs to be rectified, you can exercise your right by contacting our Contact dataprotection.officer@kh.gt.com
- Erase: You have a right to request the Firm to erase or destroy your Personal Data, unless such Personal Data retained by the Firm is necessary for a preparation of a historical document, a public interest, an establishment, compliance or exercise of legal claims, or a defense of legal claims, or a purpose for compliance with the law.
- Restrict of processing: You have a right to request the Firm to restrict use of your Personal Data including but not limited to:
- When there is a pending examination process on accuracy of your Personal Data when you believe it is inaccurate;
- When your Personal Data shall be erased but you make a request to restrict use of such Personal Data; and
- When the Firm has no longer necessary to retain such Personal Data in accordance with the purpose. However, you have necessity to retain such Personal Data for establishment, compliance or exercise of legal claims, or a defense of legal claims.
- Data portability: You have a right to request the Firm to send or transfer Personal Data to you or to another person or organisation. The Firm will arrange such Personal Data to be in the format which is readable or commonly used by ways of automatic tools or equipment, and can be used or disclosed by automated means.
- Object: You have a right to object processing of your Personal Data when your Personal Data is collected without your consent or to serve a purpose of direct marketing.
Please note that we will endeavor to respond your request within 30 days upon receiving your request. However, our length of time to respond will depend on the nature and extent of your request. In case where your request cannot be responded to within the timeline, we will notify you at the earliest practicable opportunity.
How do we use your personal data?
We use your personal data to provide information to you or your organisation.
We may also use your personal data to carry out research about our visitors' demographics, interests and behaviour. We do this to better understand our visitors. This research is compiled and analysed on an aggregated and anonymous basis.
When you give us personal data, those data may be sent electronically to servers anywhere in the world and may be used, stored and processed anywhere in the world.
Whenever and wherever we collect, process or use personal data, we take steps to ensure that it is treated securely and in accordance with our privacy policy.
To whom might we disclose your personal data?
We may pass your personal data to anyone who needs the data in order to fulfil your request for our services, or process any payment. Some of these may be located outside the European Economic Area.
We may pass your personal data to Grant Thornton member firms or to our data processors.
Except as set out above, we will not disclose your personal information unless we are obliged to do so or allowed to do so, by law, or where we need to do so in order to run our business (for instance where we outsource services or other people process data for us).
Direct Marketing
You may at any time request us to stop using your personal data for direct marketing purposes. If you wish to do this, please contact us.
Links
Our website contains links to Grant Thornton member and correspondent firm websites, but this privacy policy applies only to personal data collected via websites operated by GTIL which include www.gti.org , www.internationalbusinessreport.com and www.globaldynamismindex.com and to how GTIL processes personal data. It does not apply to specific member or correspondent firms practising under the Grant Thornton name. We are not responsible for the privacy practices of these or other sites. We encourage our visitors to be aware when they leave our website, and to read the privacy policy of other sites that collect or use personal data.
Security
Unfortunately, no data transmission over the Internet or any other network can be guaranteed as 100% secure, but we take appropriate steps to try to protect the security of your personal data.
Contacts
This is the website of GTIL, a non-practicing, non-trading international umbrella organisation that does not deliver services. GTIL and its member firms are not a worldwide partnership. GTIL and each member firm of GTIL is a separate legal entity.
If you want to request any information about your personal data, please contact us at our registered office.
Registered office address: Grant Thornton House, Melton Street, Euston Square, London NW1 2EP.
Inaccuracies and Corrections
We would like to keep your personal data accurate and up to date. If you become aware of any errors or inaccuracies please let us know by contacting us at our registered office.