Principle 1 - We are accountable for the personal information in our possession or control.
Principle 2 - KPMG will explain why we are collecting personal information at or before the time that the information is collected, subject to limited exceptions.
Client Personal Information
In most instances, KPMG will collect, use or disclose personal information about clients only for the purpose of providing professional services, to comply with applicable laws, regulations and professional standards, or for the purpose of obtaining technological, administrative, analytical and clerical services or support.
Client personal information may also be collected, used or disclosed internally and to other member firms of the KPMG International Cooperative network for the purpose of compliance with KPMG policies and processes, in the performance of quality reviews, or in order to allow us to offer services or products that may be of interest to clients.
KPMG may also collect, use or disclose personal information about clients, prospective clients and alumni for business development purposes which may include (i) developing and maintaining our relationship with you, (ii) conducting research to develop, evaluate, and improve our services, and (iii) communicating with you news and information updates or invitations to KPMG hosted and sponsored events that may be of interest to you.
KPMG may also aggregate personal information with information from other sources for the purpose of improving quality and service, and for use in presentations to clients and non-clients, in a form where such information is sufficiently de-identified so as not to be attributable to any individual or organization.
In accordance with professional standards, if a client is an assurance client, personal information may be shared with the KPMG assurance engagement team and other KPMG personnel so that it may be used in the assurance engagement.
You can withdraw your consent to the use and disclosure of your personal information for marketing purposes by contacting our Privacy Officer.
KPMG Partner and Employee Personal Information
KPMG collects, uses and discloses personal information about KPMG personnel in order to pay them, to comply with laws, regulations and professional standards, to provide them with benefits, to administer performance management tools, to administer, manage, enforce and monitor compliance with KPMG programs, policies and employee relations, and generally to establish, manage or terminate the employment or partnership relationship.
KPMG may also collect, use or disclose KPMG partner and employee personal information to develop business metrics and analytics, and to evaluate the effectiveness of our policies, programs and processes.
We may also collect, use or disclose KPMG partner and employee personal information in the course of investigating, negotiating or completing a sale, financing or other business transaction involving all or any part of our business.
We may collect, use and disclose personal information about individuals seeking employment with KPMG for the purpose of evaluating their application, to communicate with them regarding employment opportunities that may be of interest, and for the purpose of evaluating or monitoring KPMG policies, programs and practices.
At or before the time that KPMG collects personal information, we will inform KPMG personnel of the reasons why we require such information, what use will be made of it, and with whom it may be shared, except where we are permitted or required by law to collect, use or disclose personal information without providing such notice. For example, collection may occur without notice or consent as permitted by law in the course of an investigation.
We collect personal information about clients and KPMG personnel for the above purposes directly from you, or indirectly from third party sources (including publicly available sources, suppliers, vendors, member firms of the KPMG International Cooperative network, previous employers, public websites, educational institutions, and social media) as permitted by applicable law.
Principle 3 - KPMG will collect, use or disclose personal information about you with your consent except where collection, use or disclosure without consent is permitted or required by law.
How Will We Ask for Consent?
Client Personal Information
The terms and conditions of every KPMG professional services engagement are documented in an engagement letter. These terms and conditions include a discussion about how KPMG may collect, use and disclose client personal information. By signing the engagement letter, the client is providing its consent to the collection, use and disclosure of personal information described in the terms and conditions. If a client provides us with personal information relating to a third party, by signing the engagement letter the client represents and warrants that they have obtained consent from the third party to allow us to collect, use and disclose their personal information as described in the engagement letter.
KPMG Partner and Employee Personal Information
Forms and applications used to provide human resources-related services to KPMG personnel will describe the purposes for which their personal information is required and to whom it will be disclosed.
In addition, certain KPMG policies or program documents may provide information about how personal information relating to partners and employees may be collected, used and disclosed.
Employment candidates will also be advised of the purposes for which their personal information is being collected, used and disclosed.
What happens if you choose not to give us your consent? What if you withdraw your consent at a later date?
KPMG clients always have the option not to provide their consent to the collection, use and disclosure of their personal information, or to withdraw their consent at a later stage, subject to contractual and legal restrictions and reasonable notice. Where a client chooses not to provide us with permission to collect, use or disclose their personal information, we may not be able to provide, or continue to provide, the client with our services.
Where a partner, employee or candidate for employment chooses not to provide us with permission to collect, use or disclose their personal information, we may not be able to employ them, continue to employ them or to provide them with benefits.
Principle 4 - KPMG limits the amount and type of personal information we collect.
KPMG will limit the collection of personal information to that which is reasonably required to provide our services and to operate our business.
In order to protect the personal information in our possession, KPMG employs data loss prevention software which is used to monitor access, use and disclosure of confidential and personal information through any device which is connected to the KPMG network. The use of
data loss prevention software may result in the incidental collection or use of personal information.
Principle 5 - KPMG will use and disclose your personal information only for the purposes for which we have your consent or as permitted or required by law. We will keep personal information only as long as necessary to accomplish these purposes.
Use and Disclosure of Personal Information
If KPMG intends to use or disclose personal information for any purpose not previously identified to an individual, we will obtain their prior consent unless we are permitted or required by law to use or disclose their personal information without consent.
For example, but without limitation, KPMG may use and disclose personal information without consent:
- for the purpose of acting in respect of an emergency that threatens the life, health or security of an individual, including steps taken under our pandemic policies;
- to prevent, detect or suppress fraud or financial abuse;
- in connection with an investigation;
- to comply with a subpoena, a warrant or an order made by a court or other body with appropriate jurisdiction or to comply with rules of conduct required by regulatory bodies;
- to a government institution that has requested the information, identified its lawful authority, and has indicated that disclosure is for the purpose of enforcing, administering, carrying out an investigation, or gathering intelligence relating to any federal, provincial or foreign law, or to national security or the conduct of international affairs; and
- to an investigative body or government institution on our initiative when we believe the information concerns a breach of an agreement, or a contravention of a federal, provincial, or foreign law, or we suspect the information relates to national security or the conduct of international affairs.
Retention of Personal Information
In compliance with professional standards, we keep a record of the work performed by KPMG personnel. This record, or “working papers”, may include personal information and will be retained until such working papers are no longer reasonably required for legal, administrative, audit, regulatory or professional purposes. Working papers are safeguarded against inappropriate access, as discussed in Principle 7 below.
KPMG retains personal information about current and past KPMG personnel in accordance with employment laws and standards. We will destroy human resources and other files containing KPMG partner and employee personal information when such information is no longer reasonably required for legal, administrative, audit or regulatory purposes. Certain additional information may be retained to administer and to keep former KPMG personnel informed about our Alumni Program. Former KPMG personnel may request at any time that they not be contacted about the Alumni Program.
Personal information collected from individuals seeking employment with KPMG will be retained by KPMG for 24 months so that KPMG may contact the applicant about other positions that may also be of interest. Should another suitable position at KPMG become available within this 24 month period, KPMG may contact the applicant to discuss this other position, and the applicant’s information will be retained for an additional 24 months. If a candidate is hired, the personal information collected during the application process will be retained in order to establish, manage and terminate the employment relationship.
Principle 6 - KPMG will endeavor to keep accurate the personal information in our possession or control.
In order to provide clients with a professional level of service and KPMG personnel with appropriate benefits, the personal information that we collect must be accurate, complete and current. From time to time, clients and KPMG personnel may be asked to update their personal information. Individuals are encouraged to advise us of any changes to their personal information.
Clients are encouraged to contact their engagement partner to update their personal information.
KPMG personnel and employment candidates should contact the HR Service Team should they need to update their personal information.
Principle 7 - KPMG protects your personal information with safeguards appropriate to the sensitivity of the information.
KPMG will protect personal information by using physically secure facilities, industry standard security tools and practices, and clearly defined internal policies and practices. Security measures are in place to prevent the loss, misuse and alteration of the personal information under our control. Personal information is stored in secure environments that are not available to the public (e.g., restricted access premises, locked rooms and filing cabinets). To prevent unauthorized electronic access to personal information, any information that is stored in electronic form is protected in a secure electronic and physical environment.
In some circumstances, personal information may be collected, used, disclosed or stored outside of Canada, including but not limited to in the U.S., EU and Asia, by KPMG or a third party to provide professional services and administrative, analytical and clerical support, and to comply with applicable law, regulation and professional standards, and such personal information may be subject to disclosure in accordance with the laws applicable in the jurisdiction in which the information is collected, used, disclosed or stored. These laws may not provide the same level of protection as Canadian privacy laws.
Principle 8 - KPMG will be open about the procedures used to manage your personal information.
Principle 9 - At their request, KPMG will advise individuals of what personal information we have in our possession or control about them, what it is being used for, and to whom and why it has been disclosed.
Personal information files are maintained in our offices or on our servers (or those of our service providers) and are accessible by authorized personnel, agents and mandataries who require access in connection with their job responsibilities.
Clients have the right to review and obtain a copy of their personal information on record in our individual offices by contacting their engagement partner.
KPMG personnel have the right to review and obtain copies of their personal information on record by contacting their HR Consultant.
The right to access personal information is subject to certain legal restrictions and we will take reasonable steps to verify an individual’s identity before providing access.
In most instances, individuals will receive a response to their access request within 30 days. If an individual has any concerns about the access that is provided, they are encouraged to contact our Privacy Officer at firstname.lastname@example.org or at 1-866-502-2955.
KPMG will respond to individual complaints and questions relating to privacy. We will investigate and attempt to resolve all complaints.
We know that protecting the privacy of our clients, partners and employees is important. If you have any questions or concerns about your privacy and our role in protecting it, please contact our Privacy Officer at email@example.com or at 1-866-502-2955.