article banner


In the performance of the engagements, our Firm can collect and use personal data relevant to:

  • the Client, its employees, its company, its trustees, its clients, and
  • the Client’s employees, agents and collaborators,
  • any other personal data collected also at third party companies, useful for the performance of the engagement.

The Bernoni Grant Thornton entity which the Client has entered into a contractual relationship with will be responsible for the protection of personal data, as detailed below.

Depending on the degree of autonomy in the processing of personal data, Bernoni Grant Thornton can act either as a Controller or a Processor.

  • Should we act as a Controller, we would process data as such, in compliance with Opinion no. 1/2020 of Working Party 29 for the protection of personal data. In this case, data will be processed in order to carry out pre-contractual verifications provided by our procedures, to execute our engagement and to comply with law, accounting and tax fulfilments, also according to the requirements of applicable regulations, by the policies and procedures on quality control from time to time in force at Bernoni Grant Thornton, as well as by applicable professional standards.
  • Should we act as a Processor, we would process only data relevant to the management of the contract in place in our capacity as controllers, whereas we would act as processors with reference to data processed on behalf of the Client, also with reference to Opinion no. 1/2020 of Working Party 29 for the protection of personal data. As regards the role as Processor, Bernoni Grant Thornton acknowledge that the engagement was assigned considering the company profile, in terms of resources, property, equipment and know-how, adequate to provide sufficient guarantees so that the proper technical and organisational solutions can be enacted to make processing compliant with the requirements of the Regulation and ensure the protection of data subjects. The Processor will report to the Client any event that could breach the above requirements. The parties agree that the breach of one of the requirements under art. 28 of the Regulation constitutes a just cause for the revocation of the role as data Processor by the Controller. The Processor will stick to the instructions agreed with the Client.

Generally speaking, the Client’s contact people may be included in the distribution lists of informative newsletters concerning issues related to the contract and may be contacted for commercial purposes in the pursuance of the Controller’s legitimate interest, without prejudice to the data subjects’ right to object.

Data will be processed by Bernoni Grant Thornton for the entire duration of the contract and afterwards for the performance of all law fulfilments provided. Data will be retained for the terms provided by civil and tax law.

Data can be disclosed to data processors, which Bernoni Grant Thornton engage with within outsourcing relationships, as well as to people authorised to personal data processing, pursuant to art. 29 of the Regulation, who will process them in compliance with the contents of this policy. Data processing is not subject to automated decision-making, including profiling.

This policy is provided in an abridged form. The specific complete data processing policies are provided by the Bernoni Grant Thornton entities when performing the specific engagements.