Last updated 31 May 2021
KPMG is dedicated to protecting the confidentiality and privacy of information entrusted to us. We comply with the EU General Data Protection Regulation (GDPR) and the Bulgarian data protection law. Please read this Privacy Statement to learn what information about job applicants (“job applicants”, “candidates” or “you”) we collect, how we use, share and protect it, your data privacy related rights and other useful information.
1. Who are we?
This Privacy Statement applies to KPMG Audit OOD, Uniform Identification Code 040595851, and KPMG Bulgaria OOD, Uniform Identification Code 121489246, both having its seat and registered address at 45/A Bulgaria Blvd., Sofia 1404, Bulgaria (hereinafter referred to “KPMG” or “we”). Both companies do not act as joint controllers but demonstrate the same attitude to the processing and protection of personal data entrusted to them and apply the same policies and procedures to the processing of personal data.
2. What categories of personal data do we collect?
With regard to your application for employment with us or with our clients, we may collect and process the following categories of personal data:
If you are a selected candidate for employment we will request additional personal details as required by the applicable law for the purposes of the employment contract execution.
Special categories of personal information
In the initial stages of the recruitment process, we do not seek to collect special categories personal information from you (this is also known as “sensitive personal information”). Special categories of personal information include information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, information concerning health, information concerning a natural person's sex life or sexual orientation.
We may need to collect special categories of personal information from you at a later stage in the recruitment process if local employment law requires us to do so and we, will notify you explicitly of this.
Please do not include any special categories of personal information in your application documents.
3. How do we collect personal data for recruitment purposes?
4. Why do we need your personal data?
KPMG may use your personal data for any or all of the following purposes:
5. What lawful reasons do we have for processing personal data?
We may rely on the following lawful bases for personal data processing when we collect and use your personal data for recruitment purposes:
KPMG normally does not carry out automated decision-making, including profiling, of personal data in the course of conducting recruitment campaigns for its own needs or for the purposes of delivering recruitment services to its clients. If such is being carried out, KPMG undertakes to provide meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing.
6. Are you obliged to provide your personal data to us?
Providing personal information to us is voluntary, but necessary for the recruiting process. You are under no statutory or contractual obligation to provide your personal information to KPMG during the recruitment process. However, if you do not provide sufficient information we may be unable to consider or process your employment application.
7. Do we share personal data with third parties?
We may share personal data with trusted third parties to help us carry out our business activities and deliver efficient and quality services. These third parties are contractually bound to safeguard the data we entrust to them. We may engage with several or all of the following categories of third parties:
8. Do we transfer your personal data outside the European Economic Area?
We store personal data on servers located in the European Economic Area (EEA). We may transfer personal data to KPMG International Limited, a private English company limited by guarantee, KPMG member firms, and reputable third party organisations situated inside or outside the EEA when we have a business reason to engage these organisations. Each organisation is required to safeguard personal data as either the country where the organization is located is considered an adequate country based on a Decision of the European Commission, or it is obliged by means of contracts we have in place with those organizations outside the EEA, containing standard data protection clauses which are in a form approved by the European Commission.
You may find a complete list of adequate countries here. Upon request we will provide you with additional information about the data protection clauses we use.
9. How long do we retain your personal data?
All documents submitted by and collected from you in the course of the respective recruitment campaign containing your personal data, including but not limited to CVs, certificates, cover letters, test results, etc., will be retained for a period of 6 (six) months upon completion of the campaign in case your application is unsuccessful, unless you have provided consent to keeping your data for future vacancies or further job opportunities. If you provide us with originals or notarized copies of documents during the campaign they will be returned to you within the time limit specified in the previous sentence.
The internal documents created by KPMG with regard to the respective recruitment campaign that may contain your personal data will be retained for a period of 3 (three) years upon completion of the campaign for the purposes of establishment, exercise or defence of legal claims and resolving disputes under the Protection Against Discrimination Act.
Upon your explicit consent KPMG will retain and use your application and supporting documents containing personal data in the course of further recruitment campaigns for a period of 3 (three) years upon submission of your application.
Sometimes KPMG receives personal data from candidates who are interested in working at KPMG without applying for a specific job position, for example by sending a CV to KPMG's official e-mail address or in the curse of KPMG's participation in various events (e.g. career days organized by universities and others) in order to promote the activities of the Company and recruit potential staff. In these cases, personal data is processed on the basis of consent given by the job applicant for a period of 3 (three) years upon submission of the application.
All documents that shall be retained on the basis of the Regulation on the terms and conditions for conducting employment intermediation (e.g. contract for intermediation services) will be stored for a period of 5 (years) as required by law.
10. What are your data protection rights and how you can exercise them?
Your data protection rights are highlighted here.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information or to exercise any of your other rights. This helps us to ensure that personal data is not disclosed to any person who has no right to receive it. No fee is required to make a request unless your request is clearly unfounded or excessive. Depending on the circumstances, we may be unable to comply with your request based on other lawful grounds.
If you are not satisfied with the response you receive or if you have any concerns in relation to the processing of your personal data from us, you may escalate your concern to our Privacy Liaison by sending an email to email@example.com or to contact him at 45/A Bulgaria Blvd., Sofia 1404, Bulgaria. We will acknowledge your complaint within 14 days and seek to resolve your concern within 3 months of receipt. Where the concern is complex or we have a large volume of concerns, we will notify you that the concern will take longer than one month to resolve, and we will seek to resolve your concern within three months of the concern being first raised.
If you believe that KPMG has not complied with your data protection rights, you always have the right to lodge a complaint with the Commission for Personal Data Protection of the Republic of Bulgaria and to report concerns you may have about our data handling practices at:
Postal address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592
Phone number: +359 (2) 91-53-518
Email address: firstname.lastname@example.org
Internet address: www.cpdp.bg
11. What about personal data security?
We have put appropriate technical and organisational security measures in place to protect personal data (including sensitive personal data) from loss, misuse, alteration or destruction. We aim to ensure that access to your personal data is limited only to those who need to access it. Those individuals who have access to the data are required to maintain the confidentiality of such information. We may apply pseudonymisation, de-identification and anonymisation techniques in efforts to further protect personal data.
12. Do we change this Privacy Statement?
We regularly review this Privacy Statement and will post any updates to it on this webpage. When we make amendments to this privacy statement, we will revise the “updated” date at the top of this page. This privacy statement was last updated 31 May 2021.
Any changes to the processing of personal data as described in this privacy statement affecting you will be communicated to you through an appropriate channel, depending on how we normally communicate with you.