October 2018

Contents

1. About KPMG
2. What information and personal data we have about you
3. Receiving confidential or personal information
4. For which purpose do we use your personal data
5. How we use your personal data
6. Who has access to your personal data and to whom are they transferred?
7. Protection of your personal data
8. Retention of and access to personal data
9. Your privacy rights

1. About KPMG 

KPMG [1] is dedicated to protecting the confidentiality and privacy of information entrusted to it and complies with Personal Data Privacy legislation as currently in force. As part of this fundamental obligation, KPMG is committed to the appropriate protection and use of personal information/data (sometimes referred to as "personally identifiable information" or "PII") that it collects either online, or by the professional services it offers, or by its communications/cooperation by any third party. Our commitment to privacy is a natural extension of KPMG’S commitment to client confidentiality, and is based on the conviction that respecting individual privacy is not only the right thing to do, but it enhances our business. 

KPMG has adopted this policy about the privacy of Personal Data (the Policy) in order to assist in establishing and maintaining an adequate level of Personal Data privacy in the collecting, processing, disclosing and cross-border transfer of Personal Data including that relating to current, past and prospective KPMG Personnel, clients, suppliers, contractors and business associates of KPMG.We invite you to carefully read this Privacy Notice, which sets out in which context we are processing your personal data and explains your rights and our obligations when doing so.

[1] “KPMG”, “We”, “our” and “us”, refers to KPMG Auditors AE, KPMG Advisors AE, KPMG Accountants AE and C. Papacostopoulos & Associates, Law Firm.KPMG is a member of KPMG International Cooperative. KPMG International is a Swiss entity, whose network consists of other independent firms affiliated with KPMG International. KPMG International provides no client services.

2. What information and personal data we have about you

This information and personal data may either be directly provided by you or the legal entity for which you work for or provided by a third party (supplier, service provider, business associate etc.).We may collect various types of personal data about you, including:

• your identification information (e.g. name, first name, last name, gender, date and place of birth, nationality, ID card or passport numbers, email and/or postal address, fixed and/or mobile phone number and car registration number, etc.);
• your function (e.g. job title, position and name of company);
  
• financial information (e.g. bank account details); and
  
• your electronic identification data where required for the purpose of the delivery of services to our firm (e.g. login, access right, passwords, employee number, IP address, online identifiers/cookies, logs, access and connection times, image recording or sound such as CCTV or voice recordings, or ATS/email pictures).
  

3. Receiving confidential or personal information 

Where KPMG and/or its personnel receive personal or confidential information from another member firm or from a third party, it shall:

• keep personal information and data confidential and secure, and only disclose such information to that personnel who have a legitimate business reason to access such information.
• Establish additional security measures and/or disclosure restrictions at the transferring party’s written request.
  

Where KPMG acts as a Data Processor, it shall comply with GDPR and among others:

• Only process the personal data in accordance with the instructions from and the consent of the transferring party.
• Only retain that personal data until the termination of the data processing services, subject to any requirements of applicable legislation.
  
• Promptly notify the transferring party of any legally binding request for disclosure of the data, of any accidental or unauthorized access or of any requests received directly from data subject.
  
• Not respond to any requests to disclose the data unless it has been authorized to do so by the transferring party or the individual concerned or as required by law.
  

Where KPMG acts as a Data Controller, it shall comply with GDPR and among others:

• apply all appropriate measures for compliance and data protection by design and default
• implement appropriate technical and organisational security measures to protect personal data.
  
• reporting data breaches to DPAs and the data subject.
  
• work with supervisory authorities.
  
• facilitate the exercise of data subject rights.
  

4. For which purpose do we use your personal data

We process your personal data for a specific purpose and only process the personal data which is necessary and relevant to achieving that purpose. 

In particular, we process personal data for the following purposes always in accordance with the nature of our collaboration as well as applicable legislation and regulations:

• perform our contractual obligations towards you or to take pre-contractual steps at your request and/or consent; 
• manage our suppliers and subcontractors;
  
• monitor activities at our facilities, including compliance with applicable policies as well as health and safety rules in place;
  
• manage our IT resources, including infrastructure management and business continuity;
  
• preserve the firm’s economic interests;
  
• ensure compliance and reporting (such as complying with our policies and local legal requirements, tax and deductions, managing alleged cases of misconduct or fraud, conducting audits and defending litigation);
  
• archiving and record-keeping;
  
• billing and invoicing; and
  
• any other purposes imposed by law and authorities.
  

5. How we use your personal data

According to Greek and EU law, we will not process your personal data if we do not have a proper justification foreseen in the law for that purpose. Therefore, we will only process your personal data if we have a basis or “ground” under the law to do so, such as:

• Performance of a contract: this is when the processing of your personal data is necessary to perform our obligations under a contract; 
• Legal obligation: this is when we are required to process your personal data to comply with a legal obligation, such as keeping records for tax purposes or providing information to a public body or law enforcement agency; 
  
• Legitimate interests: we will process your personal data where it is in our legitimate interest, so long as it doesn’t outweigh your interests and freedoms; 
  
• Vital interests: the processing is necessary to protect the vital interests of the relevant individual or of another natural person; 
  
• Public Interest: the processing is necessary for the performance of a task carried out in the public interest; or
  
• Your consent: in some cases, and in addition to your contract, we will ask you for specific permission to process some of your personal information, and we will only process your personal data in this way if you agree for us to do so. You may withdraw your consent at any time by contacting us at dataprivacy@kpmg.gr and/or dataprivacy@cpalaw.gr, as applicable.
  

6. Who has access to your personal data and to whom are they transferred?

KPMG do not share personal data with unaffiliated third parties, except as necessary for their legitimate professional and business needs, to carry out your requests, and/or as required or permitted by law or professional standards. 

KPMG work with reputable partners, service providers or agencies so they can process your personal data on our behalf. KPMG will only transfer personal data to them when they meet our strict standards on the processing of data and security. KPMG only share personal data that allows them to provide their services. 

KPMG ensures that the external services providers that have access to or use confidential information are bound by contractual obligations to maintain the confidentiality and security of the information. Those confidentiality and security obligations shall be at least equivalent to those with which KPMG member firms are obliged to comply. KPMG includes a confidentiality clause in the General terms of Business, and confidentiality or non-disclosure agreements may be signed at times with third parties, (i.e. external service providers that have access to confidential information).

7. Protection of your personal data

We have implemented appropriate organizational and technical measures to provide a high level of privacy and security to your personal data against accidental or unlawful destruction or alteration, accidental loss, unauthorized disclosure or access and other illegal forms of processing.

KPMG incorporates the protection of personal data as an integral part of its business operations by design and by default, so as to protect the rights of data subjects, such as user management policy, distinct roles and responsibilities, backups, physical security measures, policy of destruction of personal data etc.

8. Retention of and access to personal data 

To the extent not prohibited by applicable laws or regulations, KPMG:

• retains personal data for 7 years at least, and in any case as long as and until the purpose of collection the data is achieved, subject to any requirements to retain information otherwise, in order to comply with any applicable law, regulation, professional requirements or standards, 
• maintains a process in place to determine and track the types and location of personal data it hold about you,
• enables you to have access to your personal data that is maintained by KPMG, and allows you  to review and correct any errors with respect to your personal information as required by applicable laws and regulations.

9. Your privacy rights 

Your rights include the right of access to data, the rectification the erasure / right to be forgotten, the restriction of processing of personal data, the objection to processing of personal data, the data portability, the right to withdraw consent at any time (where processing is based on consent) and the right to lodge a complaint with a supervisory authority.

For any complaint you may use our Complaint Form  and you may contact us at dataprivacy@kpmg.gr or dataprivacy@cpalaw.gr, as applicable.