KPMG has adopted this notice regarding protection of privacy of Personal Data (the “Privacy Notice”) in order to assist in establishing and maintaining an adequate level of Personal Data privacy in the collecting, processing, disclosing and cross-border transfer of Personal Data including that relating to current, past and prospective KPMG Personnel, Clients, suppliers, contractors and business associates of the KPMG Firms.
The Privacy Notice was last reviewed on May 23, 2018 to reflect the provisions of the General Data Protection Regulation.
“Applicable Data Protection Laws” means the French legislation on data protection no78-17 of 6 January 1978 as subsequently amended and consolidated and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC, and all other laws and regulations relating to or impacting the processing of Personal Data, if applicable.
“Client” means the Party (or Parties) signatory (or signatories) of the engagement letter or contract with KPMG and beneficiary (or beneficiaries) of the Services.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Controlled Party (ies)” means any legal entity which is wholly or dominantly owned and controlled by a KPMG Firm.
“Data Subject” means any identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to the person’s physical, physiological, mental, economic, cultural or social identity.
“Inter-Firm Agreement” means the agreement entered into between the KPMG Firms setting out the terms on which international transfers of Personal Data are to be carried out within the network of KPMG Firms.
“KPMG International” means KPMG International a cooperative organized and existing under the laws of Switzerland and headquartered in the Netherlands.
“KPMG” means KPMG SA, a company capital organized under the laws of France, having its registered office at Tour Eqho, 2 avenue Gambetta CS 60055 – 92066 Paris la Défense Cedex, and any KPMG Firms controlled by KPMG SA and/or KPMG SA Transitional affiliates in France.
“KPMG Firms” means (i) KPMG International and (ii) any entity which is either: (a) a signatory to the KPMG International Cooperative membership agreement; (b) a firm to which membership benefits are sublicensed by a Member Firm of KPMG International Cooperative; (c) any entity, subsidiary or affiliate owned in whole or in part by any of the entities described in Sections (a) and (b), supra; (d) a Transitional affiliate of any of the above firms described in paragraphs (a), (b) and (c), supra. “Transitional affiliates” shall mean any unrelated legal entity that either has entered into an agreement to become a part of, or affiliated with, a Member Firm or was formerly part of, or affiliated with, a Member Firm, provided that such Transitional affiliate has entered into an agreement with a Member Firm or KPMG SA that relates to transitional support.
“KPMG Personnel” means all partners, directors, officers, employees, individual contractors and other personnel of KPMG or a KPMG Firm.
“Personal Data” means any information relating to an identified or identifiable Data Subject.
“Process,” “processes,” “processing,” “processing” and “processed” shall mean any operation or set of operations that is performed upon Personal Data or on sets of Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, transfer, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, restriction, erasure or destruction.
“Processor” means a natural or legal person which processes personal data on behalf of the Controller, pursuant to specific and written instructions.
“Sensitive Personal Data” means Personal Data: (i) revealing information as to a Data Subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, offences, criminal convictions, criminal history, trade union membership, genetic data, biometric data, health, sex life or sexual orientation; or (ii) which does not fall into any of the categories in (i), but which is (a) regulated under national privacy law in the jurisdiction from which it was exported in the same manner as those types of Personal Data and (b) the relevant KPMG Firm has informed KPMG that the Personal Data should be treated as sensitive personal data.
“Services” means services to be delivered by KPMG to Client under the terms and conditions set forth in an engagement letter or contract.
This Privacy Notice only applies to Personal Data which is processed by or on behalf of KPMG.
KPMG processes Personal Data fairly and lawfully in accordance with Applicable Data Protection Laws.
In the event of any conflict between this Privacy Notice and Applicable Data Protection Laws, the provisions of Applicable Data Protection Laws shall prevail.
III. KPMG’s Ten Principles for Handling Personal Data as a Controller
KPMG will be “Controller” where it determines the purposes and means by which Personal Data is used. For instance, KPMG shall be Controller in relation to (i) all employee data for the purpose of handling recruitment and human resources activities; (ii) KPMG’s Clients and prospective Clients’ data for the purpose of managing KPMG contractual relationship with them and informing them about its Services, (iii) suppliers and sub-contractors data for the purpose of managing KPMG’s contractual relationship with them.
While performing Services, KPMG may have access to Client’s documents which may contain Personal Data and /or process Personal Data initially collected by its Client directly or indirectly from Data Subjects (such as Client’s employees, clients and suppliers).
KPMG will generally be Controller on those Client engagements where KPMG performs Services independently, in accordance with professional and ethical rules applicable to statutory auditors (“Commissaires aux Comptes”) and French Registered Professional Accountants (“Experts-comptables”) or for certain consultancy Services, where Client does not determine the purpose and means by which Personal Data is used, nor provides specific instructions on how Personal Data shall be processed.
When KPMG and Client jointly determine the purposes and means by which Personal Data is used in the context of a mission or Services, KPMG and Client may be “Joint-Controllers” and shall define precisely, in the relevant engagement letter or contract, the scope of their respective responsibilities. Unless otherwise provided, Client shall remain in charge of informing Data Subjects of the processing of their Personal Data, their rights, and act as a direct point of contact with them.
In handling Personal Data as a Controller or joint-Controller, KPMG and KPMG Personnel will abide by the following ten key principles:
Where KPMG collects Personal Data directly from Data Subjects, KPMG will provide those Data Subjects with information about how KPMG processes their Personal Data to the extent necessary to ensure that processing is fair and lawful. In circumstances where KPMG Clients transfer Personal Data to KPMG, KPMG shall not be obliged to inform Data Subjects on the type of Personal Data processing made by KPMG in connection with the Services.
2- Purpose limitation:
KPMG will only process Personal Data for the purposes (i) set out in the engagement letter or contract entered between KPMG and its Client or provider or in any notice made available to the relevant Data Subjects which are relevant to KPMG; (ii) as required by law; (iii) for the pursuing of KPMG’s legitimate interests, (iv) for public interests or (v) where consented to by the relevant Data Subjects.
Examples of the ‘legitimate interests’ referred to above are:
- To prevent fraud or criminal activity and to safeguard our IT systems, assets and places of work.
- To meet KPMG’s corporate and social responsibility obligations.
- To exercise our fundamental rights in the EU under Articles 16 and 17 of the Charter of Fundamental Rights, including our freedom to conduct a business and right to property.
- To benefit from cost-effective services (e.g. KPMG may opt to use certain IT platforms offered by suppliers).
- To provide for a centralised, global approach to the provision of IT services to our employees, and enable staff working for KPMG Firms to interact with one another. This normally involves the hosting of your contact and e-mail information to allow KPMGI’s global IT network to be established and populated with relevant details.
3- Data quality and proportionality:
Personal Data shall be kept accurate and where necessary, up to date. The Personal Data KPMG holds must be adequate, relevant and not excessive for the purposes for which they are processed and shall only be retained for as long as necessary for the purposes of the relevant processing.
4- Security and confidentiality:
Reasonable precautions must be taken to secure Personal Data against accidental or unlawful destruction or loss, alteration, unauthorized disclosure or access. These precautions include technical, physical and organizational security measures, such as measures to prevent unauthorized access, that are commensurate with the sensitivity of the information and the level of risk associated with the processing of the Personal Data.
Security procedures in place are described more in detail in KPMGI’s Information Protection Statement.
Where KPMG processes Personal Data on behalf of another KPMG Firm, it will only act under the first firm’s instructions.
5- Access, rectification, deletion and objection:
Data Subjects shall have access to their Personal Data that is held by KPMG, where those requests are reasonable and permitted by law. KPMG agrees to rectify, amend, or delete Personal Data upon request where it is inaccurate or where it is being used contrary to these key principles.
Data Subjects shall be able to object to the processing of their Personal Data if there are compelling legitimate grounds relating to their particular situation, to the extent required and permitted by Applicable Data Protection Laws. Data Subjects have also a right to data portability pursuant article 20 of the General Data Protection Regulation, as well as the other rights provided by Applicable Data Protection Laws.
6- Sensitive Personal Data:
Where KPMG process Sensitive Personal Data, it will take such additional measures (e.g., relating to security) as are necessary to protect such Sensitive Personal Data in accordance with Applicable Data Protection Laws.
7- Data used for marketing purposes:
Where KPMG processes Personal Data for the purposes of direct marketing, KPMG will have effective procedures allowing Data Subjects at any time to “opt-out” from having their Personal Data used for such purposes.
8- Automated Processing:
Where KPMG processes Personal Data on a purely automated basis that has a significant impact on a Data Subject, KPMG shall give the Data Subject the opportunity to discuss the output of such processing before making those decisions (save to the extent otherwise permitted under Applicable Data Protection Laws).
9- Data minimization:
Where KPMG retains a Data Subject’s Personal Data, KPMG will do so in a form identifying or rendering a Data Subject identifiable only if relevant regarding the purpose(s) and for so long as it serves the purpose(s) for which it was initially collected or subsequently authorised except to the extent permitted by Applicable Data Protection Laws.
10- Information transfer and compliance:
Within the global network of KPMG Firms, Personal Data may be transferred outside the country in which it was collected, including countries outside of the European Economic Area, for legitimate business activities in accordance with Applicable Data Protection Laws. In addition, in accordance with Applicable Data Protection Laws, KPMG may store Personal Data in facilities operated by other KPMG Firms and/or third parties on behalf of KPMG outside the country in which the Personal Data was collected.
Nevertheless, Personal Data must not be transferred to another country unless the transferor has assurance that an adequate level of protection is in place in relation to that Personal Data as required under Applicable Data Protection Laws. In the case of each KPMG Firm, an adequate level of protection is ensured by the Inter-Firm Agreement which each KPMG Firm shall abide by, including KPMG, or by Binding Corporate Rules (if and when adopted by KPMG Firms) or any other mechanism officially recognized by Applicable Data Protection Laws as ensuring an adequate level of protection of Personal Data.
KPMG will ensure that where Personal Data is transferred to third parties outside of the KPMG network for processing (for example to KPMG’s service providers to support KPMG’s business), it is only done where the Personal Data is adequately protected. KPMG will achieve this by entering into written agreements with third parties which impose obligations that reflect the requirements of this Privacy Notice or using Standard Contractual Clauses approved by the European Commission (such as Standard Contractual Clauses for Data Controllers 2004/915/EC or Standard Contractual Clauses for Data Processors 2010/87/EU or any subsequent version) or any other mechanism officially recognized by Applicable Data Protection Laws as ensuring an adequate level of protection of Personal Data.
IV. Acting as a Processor
KPMG will be “Processor” where it processes Personal Data on behalf of a “Controller” who instructs him how it can use the Personal Data. Where KPMG acts in a capacity as a Processor of Personal Data on behalf of Clients, it shall act in accordance with the instructions of the Controller of such Personal Data.
KPMG may be Processor on those Client engagements where Client provides specific instructions on which type of Personal Data provided by Client to KPMG shall be processed by KPMG, (ii) which operation or set of operations shall be performed by KPMG on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction, (iii) for which duration Personal Data shall be processed and stored by KPMG, (iv) which technical means (such as software or tools) KPMG shall use to process Personal Data on behalf of Client, (v) what additional security measures shall be taken by KPMG.
If complying with such instructions is not possible for any reason (for example due to a conflict with current or future legislation), KPMG will promptly inform the Client (directly or via another KPMG Firm) of its inability to comply with its instructions.
When KPMG ceases to act on behalf of a Client, it will (at the Client’s option) return, destroy or continue to properly protect all Personal Data it had received from that Client, save as provided otherwise under applicable law.
Save as specifically provided otherwise in the engagement letter or contract entered between KPMG (Processor) and Client (Controller), KPMG is authorized to (i) use any technical means it finds suitable to provide the Services and process Personal Data (such as selecting appropriate software solutions) all in accordance with the KPMG security policies, (ii) engage sub-Processors to provide parts of the Services, access and use Personal Data, including outside the European Union, provided that sub-Processors are bound by written agreements that require them to provide at least the level of Personal Data protection required by this Privacy Notice, and subject to principle 10-“Information transfer and compliance” above.
Where KPMG acts as such a Processor, it also has a duty to help Client to comply with the law (subject to the Client meeting the KPMG’s related costs and expenses), for example (i) by informing the Client about the processing activities that KPMG carry out so that it may inform the relevant Data Subjects; (ii) at the Clients request putting in place reasonable measures to have that Personal Data updated, corrected, anonymized or deleted (subject to certain limited exceptions), and inform other firms within the KPMG network where such changes are made; and (iii) sending to the Client any requests they receive from Data Subjects for access to their Personal Data that the KPMG Firm holds, so that the Client may respond to those Data Subjects.
Where acting as such a Processor of Personal Data, KPMG will in any event treat such Personal Data in accordance with the above paragraphs relating to security and confidentiality and information transfer and compliance, only transfer Personal Data where the Client has agreed to such a transfer (which it may do in advance under the terms of engagement with KPMG) and inform the Client if there is serious breach of security in relation to Personal Data so that it can inform the Data Subjects concerned, where necessary.
V. International Databases
For legitimate business and professional reasons, KPMG International has created, will continue to create, and will maintain, systems and applications that contain Personal Data about KPMG Personnel (and, where applicable, their immediate family members) and Clients, suppliers, contractors and business associates. These systems and applications are part of the shared electronic communications, knowledge management, and information technology environments of the KPMG Firms and are used to share this Personal Data between KPMG Firms to the extent permitted by law and applicable professional standards.
VI. Complaints, Questions and Additional Information
KPMG is committed to protecting the privacy of your personal information. If you have questions or comments about our administration of your personal information, please contact us at KPMG Privacy Officer (firstname.lastname@example.org). You may also use this address to communicate any concerns you may have regarding compliance with the present Privacy Notice.
If you are not satisfied with the response you receive, you may escalate your concern to the Global Privacy Officer by sending an email to GlobalPrivacyOfficer@kpmg.com.
We will acknowledge your email within 14 days and seek to resolve your concern within one month of receipt. Where the concern is complex or we have a large volume of concerns, we will notify you that the concern will take longer than one month to resolve, and we will seek to resolve your concern within three months of the concern being first raised.
In any event, you always have the right to lodge a complaint with the French Data Privacy Regulatory Authority, the Commission Nationale de l’Informatique et Libertés (CNIL).
VII. Changes to this Privacy Notice
KPMG may modify this Privacy Notice from time to time to reflect our current privacy practices. When we make changes to this Privacy Notice, we will revise the "updated" date at the top of this page. Any changes to the processing of personal data as described in this Privacy Notice affecting you will be communicated to you through an appropriate channel, depending on how we normally communicate with you.