Last updated in April 2020
Data protection policy for the application process of KPMG AG Wirtschaftsprüfungsgesellschaft and its affiliates or associates (KPMG)
The following data protection policy is to inform you about how we process personal data during the application process at KPMG.
Applicant management at KPMG is conducted centrally by KPMG AG Wirtschaftsprüfungsgesellschaft for all affiliates and associates of KPMG in Germany listed under item 1 of this guide. Basic information on data protection when using the KPMG website can be found at www.kpmg.de and www.kpmg-law.de.
1. Who is responsible for data processing?
The KPMG firm to which the application is sent is responsible for processing the data during the application process:
KPMG AG Wirtschaftsprüfungsgesellschaft
Phone: +49 30 2068-0
Fax: +49 30 2068-2000
KPMG IT Service GmbH
Phone: +49 30 2068-0
Fax: +49 30 2068-2000
KPMG Law Rechtsanwaltsgesellschaft mbH
Phone: +49 711 781923-400
Fax: +49 711 781923-455
Candidates who have specific queries regarding their application to any of the KPMG firms can also contact:
KPMG Application Hotline: 0800-5764-562
2. How can the data protection officer be reached?
KPMG Data Protection Officer
3. For what purpose do we process data of candidates and on what legal basis?
Unless otherwise explicitly specified, KPMG processes data of candidates for the purposes of establishing or implementing an employment relationship (conducting the application process as well as any contract initiation/establishing an employment contract) on the basis of Article 6 (1)(b) GDPR in conjunction with Section 26 of the German Federal Data Protection Act [BDSG].
a) Information regarding online applications using one of the KPMG websites (KPMG application tool)
To apply via one of the KPMG websites, candidates must register using the KPMG application tool and set up a personal user account. This requires information such as surname, first name, email address and place of residence, to complete the registration/login process and administration of the individual user account.
On registration, login and use of the user account, the candidate's IP address and time of login are also logged. A legitimate interest pursuant to Article 6 (1)(f) EU GDPR is pursued by KPMG for security reasons (e.g. protection against abuse, unauthorised use).
When setting up a user account with the KPMG application tool, candidates can agree by clicking on a link (Art. 6(1)(a) GDPR) to regularly receive emails on new job listings and/or career opportunities at KPMG in general. Candidates who no longer wish to receive emails can unsubscribe at any time by email to or directly in the KPMG application tool.
b) General data protection policy for the application process at KPMG
(1) Application procedure
The following types of personal data must be provided during the KPMG application process:
- Personal data (e.g. name, email, other contact details)
- Data on education and professional training (e.g. school, university, leaving certificates, previous employers, work certificates/references, further education, if applicable)
- (if provided by the candidate) Information on special categories of personal data pursuant to Article 9 GDPR, as applicable (e.g. serious disability)
Once a user account has been set up (see item 3a above), the data required for the application process can be stored in the KPMG application tool. If the application is received another way (e.g. by email), KPMG will create a candidate profile in the KPMG application tool and the candidate is informed accordingly and prompted to complete the registration in the KPMG application tool.
The application is always coordinated by internal KPMG staff involved in the application process, who only grant those responsible for recruiting in the specialist departments of the entity concerned access to review the candidate profile (including attachments). In addition, staff involved in the application process can view the details of individual positions (e.g. receipt of application for the position or number/type of positions for which the candidate has applied) for the administration of the firm-wide application process.
Upon completion of the application process, access to the candidate profile is then limited again to staff involved in the application process. In the event of a positive reply, the required information for the contract initiation process is handled in the HR department.
In order to allow swift continuation of the process by all involved once the application process has been successfully completed, after sending a positive reply, KPMG forwards all relevant documents (including the draft contract) also to the email address provided during the application process. This is done through TLS (transport layer security) by KPMG as a standard procedure if the candidate's mail server supports TLS. If a candidate does not wish to have documents sent by email, please let us know in the course of the application (e.g. by sending an email to email@example.com).
To the extent legally required, personal data is forwarded based on Article 6 (1)(c) GDPR to the competent KPMG staff council for the consultation process.
(2) KPMG applicant pool
Candidates can always be included in the KPMG applicant pool on completion of the regular application process by giving their consent pursuant to Article 6 (1)(a) EU GDPR. Consent can already be provided in the KPMG application tool on submitting the application. Alternatively, candidates are contacted separately before their candidate profile is routinely deleted. If a candidate agrees to be included, the candidate profile will remain on file and our staff involved in the application process will regularly check the profile against vacancies and contact the candidate for renewed application if a suitable position becomes available.
4. To whom could candidate data be forwarded?
KPMG uses the data collected as part of the application to examine the candidate's suitability for the advertised position. If applicable, we will review an application for a specific position also for other vacancies at KPMG. But application data is generally only forwarded to the division of KPMG to which the application was addressed.
Forwarding to other corporate divisions and possibly other KPMG firms occurs only on the basis of consent pursuant to Article 6(1)(a) EU GDPR, which can be given during the application process.
5. How long will data be stored?
Unless otherwise explicitly stated, KPMG stores personal data for as long as necessary for the above-mentioned purposes. This is subject to the statutory retention obligations. KPMG employees are instructed to regularly check the duration of storage of personal data and to delete these if necessary.
If a candidate profile was set up by KPMG and a candidate does not log in despite being prompted, the candidate profile is automatically deleted three months after storage. A candidate profile set up in the KPMG application tool by a candidate himself is deleted from the system after six months of being inactive (i.e. the last login).
Application documents are – subject to inclusion in the KPMG candidate pool – deleted from the system no later than six months after completion of the application process. In the event that the application is successful, the data required for employment is transferred in advance to the employee's personnel file.
Candidates can request deletion of their data at KPMG directly in the KPMG application tool or by email to firstname.lastname@example.org at any time themselves.
6. What data protection rights do data subjects have?
Candidates and other data subjects are afforded rights of access pursuant to Article 15 EU GDPR regarding the processing of their personal data by KPMG (also regarding the purpose of processing, any possible recipients and the expected duration of the storage of data), rights to rectify incorrect data (Art. 16 EU GDPR), rights to erasure (Art. 17 EU GDPR), rights to restriction of processing and the data portability of the data provided (Art. 18, 20 EU GDPR) and the right to object against the use of their data for marketing purposes and based on a legitimate interest (Art. 21 EU GDPR).
Any consent given to KPMG can be revoked at any time with future effect. In order to safeguard these rights any data subject can contact the KPMG data protection officer (see point 2). Furthermore, they also have the right to complain to a data protection supervisory authority. Data subjects can lodge their complaint with the competent data protection supervisory authority in their place of residence or with any other data protection supervisory authority.