Effective: 28 January 2021
Introduction and Scope
- when we provide services to you, or to someone acting on your behalf (“Your Agent”), based on an engagement letter entered into between you or Your Agent and us (the “Professional Services”);
- when you or Your Agent uses the My GTN Portal at https://www.mygtnportal.com or https://mygtnportal.com (the “Portal”); or
- when you or Your Agent uses the GTN payment application at https://payment.gtn.com (collectively with the Portal, the “Web Applications”).
EU-US and Swiss-US Privacy Shield Frameworks
GTN US complies with the EU-US Privacy Shield Framework and Swiss-US Privacy Shield Framework (the “Privacy Shield”) previously adopted and set forth by the US Department of Commerce and the European Commission regarding the collection, use, retention, and transfer of PII transferred from the European Union (EU), the European Economic Area (EEA), the United Kingdom, or Switzerland, to the United States, with regard PII that was received in reliance on the Privacy Shield. The Privacy Shield Principles require GTN US to maintain high standards for our use and treatment of PII. GTN US commits to maintaining adherence to the Privacy Shield Principles and has certified such adherence to the Department of Commerce, in each case with respect to all PII that GTN US received in reliance on the Privacy Shield.
To learn more about the Privacy Shield Principles, please visit: https://www.privacyshield.gov. To view GTN US’s certification information, please visit: https://www.privacyshield.gov/list.
VeraSafe Privacy Program
Where a privacy complaint or dispute relating to PII that we received in reliance on the Privacy Shield cannot be resolved through our internal processes, GTN US has agreed to participate in the VeraSafe Privacy Shield Dispute Resolution Procedure. Subject to the terms of the VeraSafe Privacy Shield Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe and participate in the VeraSafe Privacy Shield Dispute Resolution Procedure, please submit the required information here: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/
What Data Do We Collect?
Data We Automatically Collect
When you access our Web Applications, whether by computer, mobile phone or other device, we automatically collect certain data about your use of our Web Applications. This data may include, without limitation:
- geographical location of your computer, mobile or other device;
- bandwidth used;
- system and connection performance;
- browser type and version;
- operating system;
- referral source;
- length of visit;
- page views;
- your mobile carrier (if applicable); and
- IP address or other unique identifier for your computer, mobile phone or other device.
We do not link such data to your PII, except to your IP address, which may be personally identifying in some circumstances.
In the course of providing Professional Services to you, GTN may also collect PII including your IP address, email address, and name in connection with the digital execution of agreements.
Data You Provide to Us
In some situations, you or Your Agent may provide us with your PII. Such PII may include your:
- biographical data;
- professional data, including your title and your travel history;
- contact data;
- financial data;
- Individual Taxpayer Identification Numbers, non-U.S. tax ID or social insurance numbers;
- any other data you choose to submit to GTN; and
- any other data we collect about you that by itself is not PII but if combined with PII could be used to help personally identify you.
You, or Your Agent, may provide us with your PII when:
- entering data into the Web Applications;
- sending source documents to us via the document sharing feature in the Portal or via other document sharing tools;
- providing data to us to enable or support our provision of Professional Services to you or your Agent;
- submitting a payment to GTN;
- contacting us via the Portal;
- registering and/or setting up an account or profile to access, visit and/or use the Portal; and
- engaging in any other transaction with us on, or in relation to, our Web Applications.
We may also receive your PII from other third parties, such as dependents and spouses, tax or other government authorities, cooperating tax offices, and relocation providers.
A “cookie” is a small file stored on your hard drive that contains data about your computer. By showing how and when visitors use the Web Applications, cookies help us identify how many unique users visit us, save user preferences and track user trends and patterns. We use session cookies, which are cookies that are deleted when you leave our Web Applications, and persistent cookies, which are cookies that remain after you leave our Web Applications, so that you are recognized when you return.
How We Use Your Data
GTN Will Use Data We Automatically Collect to:
- improve your experience on our Web Applications;
- count users who visit our Web Applications or open our HTML-formatted email messages;
- improve the delivery of our web pages to you; and
- measure traffic on our Web Applications.
We May Use Your IP Addresses to:
- help diagnose problems with our servers;
- administer our Web Applications;
- analyze trends, track users' movement through our Web Applications; and
- gather broad demographic data for aggregate use in order for us to improve the Web Applications.
GTN Will Use PII to:
- provide the Professional Services to you or Your Agent;
- respond to your inquiries, and/or other requests or questions;
- enable your or Your Agent’s use of the Web Applications;
- contact you regarding your engagement with us;
- collect payments;
- send you or Your Agent invoices;
- send you or Your Agent email notifications which you have specifically requested;
- send you limited email marketing communications relating to our business; and
- send you email messages containing company news, or service information.
Basis of Processing
In general, we process your PII on the basis of:
- your (explicit) consent, where you have provided us with your consent for such processing;
- the need to perform our obligations under an engagement letter entered into between you and us, where you have entered into such an engagement letter with us; or
- our legitimate interests, such as our need to perform our obligations under an engagement letter entered into between Your Agent and us.
Please note that where we process your PII based on your consent, you may withdraw your consent at any time. This will not affect the lawfulness of processing that was conducted based on consent given before the withdrawal, however, nor will it affect processing performed on other lawful grounds.
Where we receive your PII directly from you for the purpose of providing you with our Professional Services, we require such PII (and in some cases, we will need your consent to process your PII) to be able to perform our contractual obligations to you. Without the necessary PII, GTN will not be able to provide Professional Services to you.
Sharing PII with Third Parties
We may use third parties to perform certain services on our behalf. We may share your PII with these third parties, as necessary, solely to enable them to perform those specific services for us.
Such third parties include those:
- hosting our Web Applications;
- providing tax and accounting software;
- hosting our document sharing platform;
- providing cloud-based file backup service;
- providing e-signature software as a service;
- managing the functionality of our Web Applications; and
- processing credit or other payment card payments.
We contractually obligate that those third parties only provide access to your PII to persons who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Some of these third parties may be located outside of the United States. However, before transferring your PII to these third parties, we will either ask for your explicit consent or require the third party to implement and maintain reasonable security controls to protect the confidentiality, integrity, and availability of such PII, in accordance with the Privacy Shield and applicable data protection laws. GTN remains liable for the protection of your PII that we transfer to our service providers, except to the extent that we are not responsible for the event giving rise to any unauthorized or improper processing.
We may also share your PII with:
- third parties who provide relocation and other services to you;
- cooperating tax offices who provide non-U.S. tax services to you (please note that such cooperating tax offices may be located outside of the U.S.); and
- governmental authorities as required by applicable law, including tax and immigration authorities.
The PII that GTN shares with such third parties is limited to the following:
- compensation, payroll, and expense details related to your international assignment, transfer, or work abroad;
- the result of your tax equalization, tax protection, and/or tax reconciliation settlement calculation(s);
- the amount of any foreign tax credits utilized and/or carried back to prior years or carried forward to future years;
- balance due/refund information from your individual tax returns;
- the amount of any exclusions, deductions or credits related to income related to your international assignment, transfer or work abroad;
- detail (including location and number) of days present and days worked;
- detail of taxes paid and/or accrued;
- a description of the work performed in preparing your tax returns and consulting services for purposes of GTN billing for services rendered;
- personal financial data included in your individual income tax returns; and
- data used in the review of your potential income, social, or other tax obligations.
Some of our third party service providers may be located outside of the country that you reside in. In some cases, the authorities in your country may not have determined that the data protection laws in the countries where our third party service providers are located provide a level of protection equivalent to the laws in your country. We will only transfer PII to third parties in these countries when there are appropriate safeguards in place. For example, if you are resident in the EU and the European Commission has not determined that the countries where our third party service providers are located provide an adequate level of protection for your PII, we will ensure that we have appropriate safeguards in place with the third parties, such as the Standard Contractual Clauses as approved by the European Commission (“SCCs”).
GTN does not currently use the Privacy Shield as its data transfer mechanism from the EU, EEA and Switzerland, and uses the SCCs as its primary data transfer mechanism for EEA and Swiss PII. The SCCs are formally integrated into our agreements with third parties from whom and on behalf of whom we receive such PII. In addition, GTN regularly reviews and confirms its compliance with the most up-to-date guidance and obligations on valid data transfer under applicable privacy regulations. If we find it necessary to update the data transfer mechanism used, we will update this Privacy Notice accordingly. We remain liable for the protection of your PII that we transfer or have transferred to third parties through our designated data transfer mechanism, except to the extent that we are not responsible for the event that leads to any unauthorized or improper processing.
Other Disclosures of Your PII
We may disclose your PII (i) to the extent required by law or if we have a good-faith belief that such disclosure is necessary in order to comply with official investigations or legal proceedings initiated by governmental and/or law enforcement officials, or private parties, including but not limited to: in response to subpoenas, search warrants, or court orders, or (ii) if we sell or transfer all or a portion of our company’s business interests, assets, or both, or in connection with a corporate merger, consolidation, restructuring, or other company change, or (iii) to our subsidiaries or affiliates only if necessary to provide Professional Services or Web Applications access to you.
We reserve the right to use, transfer, sell, and share aggregated, anonymous data, which does not include any PII, about our Web Applications’ users as a group for any legal business purpose, such as analyzing usage trends and seeking compatible clients and customers.
If we must disclose your PII in order to comply with official investigations or legal proceedings initiated by governmental and/or law enforcement officials, we may not be able to ensure that such recipients of your PII will maintain the privacy or security of your PII.
We do not engage in automated decision-making activities, such as profiling.
Where we are a joint data controller, we retain your PII for as long as is required by law, professional standards, or professional codes of conduct to which we are subject. Typically, PII relating to U.S. citizens must be retained for at least seven (7) years, in order to comply with Internal Revenue Service requirements.
Where we are a data processor, we retain your PII for as long as is necessary for us to perform under our engagement with the data controller.
Please note that in some cases, data processed in the Web Applications may be archived in backup volumes and it may not be reasonably possible for us to delete data from those locations.
We have implemented commercially reasonable technical and organizational security measures designed to protect against unauthorized access to and unlawful interception or other processing that may affect the confidentiality, integrity, and availability of your PII that we process. All data you or Your Agent submits via our Web Applications is transmitted to us via TLS encryption. Unfortunately, data transmission over the Internet is never 100% secure, so we cannot guarantee the security of any data transmitted to us or from our Web Applications. Therefore, you use our Web Applications at your own risk.
You are responsible for protecting the security of your username and password that you use to access the Portal.
Third Party Websites
GTN is not responsible for the treatment of your PII or any of your data by these third parties.
Revoking or Limiting Consent and Opting Out
You may also make updates or changes to your preferences regarding receiving future promotional messages from us by logging into the Portal and making the desired changes.
Please note that if you opt out of promotional/marketing emails, you may continue to receive certain communications from us, such as messages about your account in the Web Applications, and regarding our provision of Professional Services to you. However, if we required your consent in order to process your PII to provide our Professional Services to you and you withdraw your consent, we will no longer be able to provide our Professional Services to you.
Accessing, Changing or Updating Your Data
Where we act as a data processor, and you wish to review, correct, update, or delete your PII that we process, please contact the data controller who has provided your PII to us.
Restriction and Objection to Processing, Portability
If you are a data subject whose PII we process, you may have the right, under certain circumstances, to have the processing of your PII limited (restricted), as well as the right to object to the processing of your PII. You may also have the right to ask to have your PII exported in a machine-readable format.
EU Supervisory Authority Oversight
If you are a data subject whose PII we process, you may also have the right to lodge a complaint with a data protection regulator in one or more of the European Union Member States.
GTN has appointed VeraSafe as our representative in the EU for data protection matters, pursuant to Article 27 of the General Data Protection Regulation of the European Union (GDPR). VeraSafe may be contacted in addition to GTN only on matters related to the processing of PII. To make such an inquiry, please contact VeraSafe using this contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative
Alternatively, VeraSafe can be contacted as follows:
VeraSafe Czech Republic s.r.o.
Prague 1, 11002
VeraSafe Ireland Ltd
North Point House
North Point Business Park
New Mallow Road
If you are a resident of the European Union, you may have the right to lodge a complaint with a data protection regulator in one or more of the EU member states.
VeraSafe has been appointed as GTN's representative in the United Kingdom for data protection matters, pursuant to Article 27 of the United Kingdom General Data Protection Regulation. If you are located within the United Kingdom, VeraSafe can be contacted in addition to GTN, only on matters related to the processing of your PII. To make such an inquiry, please contact VeraSafe using this contact form: https://verasafe.com/public-resources/contact-data-protection-representative or via telephone at +44 (20) 4532 2003.
Alternatively, VeraSafe can be contacted at:
VeraSafe United Kingdom Ltd.
37 Albert Embankment
London SE1 7TL
If you have any questions about this Policy or our processing of your PII, please write to us by email at email@example.com or by postal mail at:
Global Tax Network US, LLC/GTN Canada Mobility Tax Services, ULC
Attn: COO / Data Privacy & Security Officer
6900 Wedgwood Road N, Suite 400
Maple Grove, MN 55311
We will respond to your inquiry within one month or less.
If a privacy dispute or complaint relating to PII that GTN US received in reliance on the Privacy Shield can’t be resolved by us, nor through the dispute resolution program established by VeraSafe, you may have the right to require that we enter into binding arbitration with you, pursuant to the Privacy Shield’s Recourse, Enforcement and Liability Principle and Annex I of the Privacy Shield.
US Regulatory Oversight
GTN US is subject to the investigatory and enforcement powers of the United States Federal Trade Commission.