KPMG has adopted this notice regarding the protection of the privacy of Personal Data (the “Privacy Notice”) in order to assist in establishing and maintaining an adequate level of Personal Data privacy in the collection, processing, disclosure and cross-border transfer of Personal Data, including Personal Data relating to current, past and prospective KPMG Personnel, Clients, suppliers, contractors and business associates of the KPMG Firms.
The Privacy Notice was last reviewed on 28/01/2020
“Applicable Data Protection Laws” means the French data protection legislation (Law no. 78-17 of 6 January 1978, as subsequently amended and consolidated) and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC, together with all other laws and regulations relating to or impacting the processing of Personal Data, where applicable.
“Client” means the Party (or Parties) signatory (or signatories) of the engagement letter or contract with KPMG and beneficiary (or beneficiaries) of the Services.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Controlled Party(ies)” means any legal entity which is wholly or dominantly owned and controlled by a KPMG Firm.
“Data Subject” means any identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to the person’s physical, physiological, mental, economic, cultural or social identity.
“EEA” means the European Economic Area.
“Inter-Firm Agreement” means the agreement entered into between the KPMG Firms setting out the terms on which international transfers of Personal Data are to be carried out within the network of KPMG Firms.
“KPMG International” means KPMG International, a cooperative organized and existing under the laws of Switzerland and headquartered in the Netherlands.
“KPMG” means KPMG SA, a company organized under the laws of France, having its registered office at Tour Eqho, 2 avenue Gambetta CS 60055 – 92066 Paris la Défense Cedex, and any KPMG Firms controlled by KPMG SA in France, as well as KPMG Avocats, KPMG Academy, KPMG Associés, and the Fondation d’entreprise KPMG France.
“KPMG Firms” means (i) KPMG International and any other “KPMG Network Entity” as such term is defined in the Inter-Firm Agreement and (ii) any member firm or sublicensee of KPMG International (including the Controlled Parties) which is duly authorized to use the “KPMG” name and/or trade and/or service marks, and “KPMG Firm” shall mean each of them.
“KPMG Personnel” means all partners, directors, officers, employees, individual contractors and other personnel of KPMG or a KPMG Firm.
“Personal Data” means any information relating to an identified or identifiable Data Subject.
“process”, “processes”, “processing” and “processed” shall mean any operation or set of operations that is performed upon Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, transfer, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, restriction, erasure or destruction.
“Processor” means a natural or legal person which processes Personal Data on behalf of the Controller, pursuant to the Controller’s specific and written instructions.
“Sensitive Personal Data” means Personal Data: (i) revealing information as to a Data Subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, offences, criminal convictions, criminal history, trade union membership, genetic data, biometric data, health, sex life or sexual orientation; or (ii) which does not fall into any of the categories in (i), but which is (a) regulated under national privacy law in the jurisdiction from which it was exported in the same manner as those types of Personal Data and (b) the relevant KPMG Firm has informed KPMG that the Personal Data should be treated as sensitive personal data.
“Services” means services to be delivered by KPMG to Client under the terms and conditions set forth in an engagement letter or contract.
This Privacy Notice only applies to Personal Data which are processed by or on behalf of KPMG.
KPMG processes Personal Data fairly and lawfully in accordance with Applicable Data Protection Laws.
This Privacy Notice should not conflict with the Applicable Data Protection Laws of the jurisdiction in which KPMG operates, and the Privacy Notice shall be construed accordingly wherever possible. In the event of any conflict between this Privacy Notice and Applicable Data Protection Laws, the provisions of Applicable Data Protection Laws shall prevail. In this event, KPMG will notify the Global Chief Privacy Officer and the KPMG International Office of General Counsel.
III. KPMG’s Principles for Handling Personal Data as a Controller
KPMG will be “Controller” where it determines the purposes and means by which Personal Data is used. For instance, KPMG shall be Controller in relation to (i) all employee data for the purpose of handling recruitment and human resources activities; (ii) KPMG’s Clients’ and prospective Clients’ data for the purpose of managing KPMG’s contractual relationship with them and informing them about its Services; and (iii) suppliers’ and sub-contractors’ data for the purpose of managing KPMG’s contractual relationship with them.
While performing Services, KPMG may have access to Client documents which may contain Personal Data, and/or may process Personal Data initially collected by its Client directly or indirectly from Data Subjects (such as the Client’s employees, clients and suppliers).
KPMG will generally be Controller on those Client engagements where KPMG performs Services independently, in accordance with the professional and ethical rules applicable to statutory auditors (“Commissaires aux Comptes”) and French registered professional accountants (“Experts-comptables”), or for certain consultancy Services where the Client neither determines the purposes and means by which Personal Data is used nor provides specific instructions on how Personal Data shall be processed.
When KPMG and Client jointly determine the purposes and means by which Personal Data is used in the context of a mission or Services, KPMG and Client may be “Joint-Controllers” and shall define precisely, in the relevant engagement letter or contract, the scope of their respective responsibilities. Unless otherwise provided, Client shall remain in charge of informing Data Subjects of the processing of their Personal Data, their rights, and act as a direct point of contact with them.
In handling Personal Data as a Controller or joint-Controller, KPMG and KPMG Personnel will abide by the following key principles:
Where KPMG collects Personal Data directly from Data Subjects, KPMG will provide those Data Subjects with information about how KPMG processes their Personal Data, to the extent necessary to ensure that the processing is fair and lawful. Where KPMG Clients transfer Personal Data to KPMG, KPMG shall not be obliged to inform the Data Subjects of the Personal Data processing carried out by KPMG in connection with the Services.
2- Data minimization and accuracy
Where we act as Controller, we will ensure that Personal Data is accurate and, where necessary, kept up to date. The Personal Data we hold must be adequate, relevant and not excessive for the purposes for which it is processed and transferred between KPMG entities, and should only be retained for as long as necessary for the purposes of the processing. Where we act as a Processor of Personal Data on behalf of a Client, we will, at the Client’s request, put in place reasonable measures to have that data updated, corrected, anonymized or deleted (subject to certain limited exceptions), and inform other firms within the KPMG network where such changes are made.
3- Legal basis of Processing
The Applicable Data Protection Laws allow us to process Personal Data so long as we have a legal ground to do so. They also require us to tell you what those grounds are. As a result, when we process your Personal Data, we will rely on one of the following processing conditions:
- Performance of a contract: this is when the processing of your Personal Data is necessary in order to perform our obligations under a contract;
- Legal obligation: this is when we are required to process your Personal Data in order to comply with a legal obligation such as keeping records for tax purposes or providing information to a public body or law enforcement agency;
- Legitimate interest: we will process information about you where it is in our legitimate interest, in running a lawful business, to do so in order to further that business, so long as our interest is not overridden by your interests or fundamental rights;
- Your consent: in some cases, we will ask you for specific permission to process some of your Personal Data, and we will only process your Personal Data in this way if you agree to us doing so. You may withdraw your consent at any time by using the following link: exercising my rights
4- Purpose limitation
KPMG will only process Personal Data for the purposes (i) set out in the engagement letter or contract entered into between KPMG and its Client or supplier, or in any notice made available to the relevant Data Subjects; (ii) required by law; (iii) of pursuing KPMG’s legitimate interests; (iv) of the public interest; or (v) consented to by the relevant Data Subjects.
Examples of the ‘legitimate interests’ referred to above are:
- To prevent fraud or criminal activity and to safeguard our IT systems, assets and places of work.
- To meet KPMG’s corporate and social responsibility obligations.
- To exercise our fundamental rights in the EU under Articles 16 and 17 of the Charter of Fundamental Rights, including our freedom to conduct a business and right to property.
- To benefit from cost-effective services (e.g. KPMG may opt to use certain IT platforms offered by suppliers).
- To provide for a centralized, global approach to the provision of IT services to our employees, and enable staff working for KPMG Firms to interact with one another. This normally involves the hosting of your contact and e-mail information to allow KPMGI’s global IT network to be established and populated with relevant details.
5- Data quality and proportionality
Personal Data shall be kept accurate and, where necessary, up to date. The Personal Data KPMG holds must be adequate, relevant and not excessive for the purposes for which it is processed, and shall only be retained for as long as necessary for the purposes of the relevant processing. KPMG applies its document retention policies in compliance with the law, regulatory requirements and other requirements related to its professions. These policies apply to any document or file, in physical or electronic form. After expiry of the retention period (from 7 to 10 years), documents and files are securely deleted in compliance with the standards applicable to our line of business and with our policies.
6- Security and confidentiality
Reasonable precautions must be taken to secure Personal Data against accidental or unlawful destruction or loss, alteration, unauthorized disclosure or access. These precautions include technical, physical and organizational security measures, such as measures to prevent unauthorized access, that are commensurate with the sensitivity of the information and the level of risk associated with the processing of the Personal Data.
Security procedures in place are described more in detail in KPMGI’s Information Protection Statement.
Where KPMG processes Personal Data on behalf of another KPMG Firm, it will only act under that firm’s instructions.
7- Data Subjects’ rights
Data Subjects shall have access to their Personal Data held by KPMG, where their requests (i) are reasonable and permitted by law, (ii) do not violate our ethical obligations and (iii) do not conflict with our professional obligations or any other obligation of confidentiality. KPMG agrees to rectify, amend or delete Personal Data upon request where it is inaccurate or where it is being used contrary to these key principles, to the extent that those rights are not subject to any limitation under applicable regulation.
Data Subjects shall be able to object to the processing of their Personal Data if there are compelling legitimate grounds relating to their particular situation, to the extent required and permitted by Applicable Data Protection Laws. Data Subjects also have a right to data portability pursuant to Article 20 of the General Data Protection Regulation, as well as the other rights provided by Applicable Data Protection Laws.
8- Sensitive Personal Data
Where KPMG processes Sensitive Personal Data, it will take such additional measures (e.g. relating to security) as are necessary to protect such Sensitive Personal Data in accordance with Applicable Data Protection Laws.
We only collect Sensitive Personal Data when the relevant individuals voluntarily provide us with this information or where such information is required or permitted to be collected by law or professional standards.
9- Data used for marketing purposes
Where KPMG processes Personal Data for the purposes of direct marketing, KPMG will have effective procedures allowing Data Subjects at any time to “opt-out” from having their Personal Data used for such purposes.
10- Automated Processing
Where KPMG processes Personal Data on a purely automated basis in a way that has a significant impact on a Data Subject, KPMG shall give the Data Subject the opportunity to discuss the output of such processing before the resulting decisions are made (save to the extent otherwise permitted under Applicable Data Protection Laws).
11- Information transfer and compliance
Within the global network of KPMG Firms, Personal Data may be transferred outside the country in which it was collected, including countries outside of the European Economic Area, for legitimate business activities in accordance with Applicable Data Protection Laws. In addition, in accordance with Applicable Data Protection Laws, KPMG may store Personal Data in facilities operated by other KPMG Firms and/or third parties on behalf of KPMG outside the country in which the Personal Data was collected.
Nevertheless, Personal Data must not be transferred to another country unless the transferor has assurance that an adequate level of protection is in place in relation to that Personal Data as required under Applicable Data Protection Laws. In the case of each KPMG Firm, an adequate level of protection is ensured by the Inter-Firm Agreement which each KPMG Firm shall abide by, including KPMG, or by Binding Corporate Rules (if and when adopted by KPMG Firms) or any other mechanism officially recognized by Applicable Data Protection Laws as ensuring an adequate level of protection of Personal Data.
KPMG will ensure that, where Personal Data is transferred to third parties outside of the KPMG network for processing (for example to KPMG’s service providers to support KPMG’s business), this is only done where the Personal Data is adequately protected. KPMG will achieve this by entering into written agreements with third parties which impose obligations that reflect the requirements of this Privacy Notice, by using Standard Contractual Clauses approved by the European Commission (such as the Standard Contractual Clauses for Data Controllers, Decision 2004/915/EC, or the Standard Contractual Clauses for Data Processors, Decision 2010/87/EU, or any subsequent version), or by using any other mechanism officially recognized by Applicable Data Protection Laws as ensuring an adequate level of protection of Personal Data.
IV. Acting as a Processor
KPMG will be “Processor” where it processes Personal Data on behalf of a “Controller” which instructs KPMG on how the Personal Data may be used. Where KPMG acts as a Processor of Personal Data on behalf of Clients, it shall act in accordance with the instructions of the Controller of such Personal Data.
KPMG may be Processor on those Client engagements where the Client provides specific instructions on (i) which types of Personal Data provided by the Client to KPMG shall be processed by KPMG; (ii) which operation or set of operations shall be performed by KPMG on the Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; (iii) for what duration the Personal Data shall be processed and stored by KPMG; (iv) which technical means (such as software or tools) KPMG shall use to process the Personal Data on behalf of the Client; and (v) what additional security measures shall be taken by KPMG.
If complying with such instructions is not possible for any reason (for example due to a conflict with current or future legislation), KPMG will promptly inform the Client (directly or via another KPMG Firm) of its inability to comply with its instructions.
When KPMG ceases to act on behalf of a Client, it will (at the Client’s option) return, destroy or continue to properly protect all Personal Data it had received from that Client, save as provided otherwise under applicable law.
Save as specifically provided otherwise in the engagement letter or contract entered into between KPMG (Processor) and the Client (Controller), KPMG is authorized to (i) use any technical means it finds suitable to provide the Services and process Personal Data (such as selecting appropriate software solutions), all in accordance with KPMG’s security policies; and (ii) engage sub-Processors to provide parts of the Services and to access and use Personal Data, including outside the European Union, provided that such sub-Processors are bound by written agreements that require them to provide at least the level of Personal Data protection required by this Privacy Notice, and subject to principle 11, “Information transfer and compliance”, above.
Where KPMG acts as such a Processor, it also has a duty to help the Client comply with the law (subject to the Client meeting KPMG’s related costs and expenses), for example (i) by informing the Client about the processing activities that KPMG carries out so that the Client may inform the relevant Data Subjects; (ii) at the Client’s request, by putting in place reasonable measures to have that Personal Data updated, corrected, anonymized or deleted (subject to certain limited exceptions), and informing other firms within the KPMG network where such changes are made; and (iii) by forwarding to the Client any requests it receives from Data Subjects for access to their Personal Data held by KPMG, so that the Client may respond to those Data Subjects.
Where acting as such a Processor of Personal Data, KPMG will in any event treat such Personal Data in accordance with the paragraphs above relating to security and confidentiality and to information transfer and compliance; will only transfer Personal Data where the Client has agreed to such a transfer (which it may do in advance under the terms of its engagement with KPMG); and will inform the Client if there is a serious breach of security in relation to the Personal Data, so that the Client can inform the Data Subjects concerned where necessary.
V. Retention period for which data will be stored or the criteria used to determine this period
We make reasonable efforts to retain Personal Data only for as long as the information is necessary to comply with an individual’s request, as necessary to comply with legal, regulatory or internal policy requirements, or until that person asks that the information be deleted.
VI. Recipients or categories of recipients of Personal Data
Transfer within the network of KPMG firms
We share information about you with other KPMG Firms of the KPMG network as part of international engagements, and with KPMG International and other KPMG Firms where required or desirable to meet our legal and regulatory obligations around the world. Other parts of the KPMG network are also used to provide services to us and to you, for example hosting and supporting IT applications, and providing certain forms of insurance for member firms and their clients.
Transfer to third parties
We do not share Personal Data with third parties, except as necessary to our legitimate professional and business needs to carry out your request and/or as required or permitted by law or professional standards. This would include:
- Our service providers: we transfer Personal Data to our third-party service providers, such as our IT systems providers, our hosting providers, our payroll providers, consultants (such as legal advisers) and other goods and services providers. KPMG works with such providers so that they can process your Personal Data on our behalf. KPMG will only transfer Personal Data to them when they meet our strict standards on the processing and security of data. We only share the Personal Data that allows them to provide their services.
- If we are reorganized or sold to another organization: KPMG will typically also disclose Personal Data in connection with the sale, assignment or other transfer of the business to which the data relates.
- Courts, tribunals, law enforcement or regulatory bodies: KPMG will disclose Personal Data in order to respond to requests from courts, tribunals, government or law enforcement agencies where it is necessary or prudent to comply with applicable laws, court or tribunal orders or rules, or government regulations.
- Audits: disclosure of Personal Data will also be needed for data privacy or security audits and/or to investigate or respond to a complaint or security threat.
- Insurers: our professional rules and our business requirements mean that we carry significant insurance cover in respect of our business activities (our “insurance program”). This is required to assist each member firm of the KPMG network in covering the costs associated with claims which may arise in the event that it is alleged that something has gone wrong during the course of providing services to its Clients. In order to make the insurance program work effectively, it involves a number of different participants in the insurance market (e.g. brokers, insurers and reinsurers, as well as their professional advisers and other third parties involved should there be a claim). Some of these insurance market participants will require that we disclose Personal Data about you to them. The information will be used by the insurance market participants in the underwriting and ongoing administration of the insurance program, where there is a claim to which you are relevant, and to allow the insurance market participants to comply with their legal and regulatory obligations. Some of these insurance market participants will handle this information on our behalf (like our service providers described above), but others will process information about you independently of us.
VII. International Databases
For legitimate business and professional reasons, KPMG International has created, will continue to create, and will maintain, systems and applications that contain Personal Data about KPMG Personnel (and, where applicable, their immediate family members) and Clients, suppliers, contractors and business associates. These systems and applications are part of the shared electronic communications, knowledge management, and information technology environments of the KPMG Firms and are used to share this Personal Data between KPMG Firms to the extent permitted by law and applicable professional standards.
VIII. Your Rights, Complaints, Questions and Additional Information.
KPMG is committed to protecting your personal information.
If KPMG processes Personal Data about you, you have the following rights:
- Access and correction: you have the right to access your Personal Data. This is sometimes called a “Subject Access Request”. If we agree that we are obliged to provide personal information to you, we will provide it free of charge. Before providing personal information to you, we may ask for proof of identity and for sufficient information about your interactions with us so that we can locate your Personal Data. If the information we hold about you is incorrect, you are entitled to ask us to correct any inaccuracies in the personal information.
- Object to processing: you have the right to object to our processing of your Personal Data if we are no longer entitled to use it.
- Other rights: in addition, you may have the right to have your Personal Data deleted if we are keeping it for too long, to have its processing restricted in certain circumstances, and/or to obtain copies of the information we hold about you in electronic form.
You also have a right to data portability, a right to give instructions regarding the fate of your data after your death, a right to restrict processing, and a right to erasure.
You may exercise your rights, and request a copy of the suitable safeguards implemented in the event of a transfer outside the European Economic Area, by using the following link: exercising my rights. We will make all reasonable and practical efforts to comply with your request, so long as it is consistent with applicable law and professional standards.
We will acknowledge your email and seek to resolve your concern within one month of receipt. Where the concern is complex or we have a large volume of concerns, we will notify you that the concern will take longer than one month to resolve, and we will seek to resolve your concern within three months of the concern being first raised.
We may accept your request (in which case we will implement one of the measures mentioned in the section “Data Subjects’ rights” above) or reject it on the basis of legitimate reasons.
In any event, you always have the right to lodge a complaint with the French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL).
If you have questions or comments regarding compliance with the present Privacy Notice, please contact our Data Protection Officer at firstname.lastname@example.org.
IX. Changes to this Privacy Notice
This Privacy Notice is reviewed by KPMG on an annual basis.
KPMG may modify this Privacy Notice from time to time to reflect our current privacy practices. When we make changes to this Privacy Notice, we will revise the “last reviewed” date at the top of this page. Any changes to the processing of Personal Data described in this Privacy Notice that affect you will be communicated to you through an appropriate channel, depending on how we normally communicate with you.