Last updated: April 2022
- About KPMG
- What information and personal data we have about you
- Receiving confidential or personal information
- For which purpose do we use your personal data
- How we use your personal data
- Who has access to your personal data and to whom are they transferred?
- Protection of your personal data
- Retention of and access to personal data
- Your privacy rights
KPMG  dedicated to protecting the confidentiality and privacy of information entrusted to it and complies with Personal Data Privacy legislation as currently in force. As part of this fundamental obligation, KPMG is committed to the appropriate protection and use of personal information/data (sometimes referred to as "personally identifiable information" or "PII") that it collects either online, or by the professional services it offers, or by its communications/cooperation by any third party. Our commitment to privacy is a natural extension of KPMG’S commitment to client confidentiality, and is based on the conviction that respecting individual privacy is not only the right thing to do, but it enhances our business.
KPMG has adopted this policy about the privacy of Personal Data (the Policy) in order to assist in establishing and maintaining an adequate level of Personal Data privacy in the collecting, processing, disclosing and cross-border transfer of Personal Data including that relating to current, past and prospective KPMG Personnel, clients, suppliers, contractors and business associates of KPMG.
We invite you to carefully read this Privacy Notice, which sets out in which context we are processing your personal data and explains your rights and our obligations when doing so.
KPMG International Limited is a private English company limited by guarantee and does not provide services to clients. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.
This information and personal data may either be directly provided by you or the legal entity for which you work for or provided by a third party (supplier, service provider, business associate etc.).
We may collect various types of personal data about you, according to the purposes for which they are collected, including:
- your identification information (e.g. name, first name, last name, gender, date and place of birth, nationality, ID card or passport numbers, email and/or postal address, fixed and/or mobile phone number and car registration number, etc.);
- your function (e.g. job title, position and name of company);
- financial information (e.g. bank account details); and
- your electronic identification data where required for the purpose of the delivery of services to our firm (e.g. login, access right, passwords, employee number, IP address, online identifiers/cookies, logs, access and connection times, image recording or sound such as CCTV or pictures).
Where KPMG and/or its personnel receive personal or confidential information from another member firm or from a third party, it shall:
- keep personal information and data confidential and secure, and only disclose such information to that personnel who have a legitimate business reason to access such information and to the public authorities according to the applicable legislation,
- Establish additional security measures and/or disclosure restrictions at the transferring party’s written request.
Where KPMG acts as a Data Processor, it shall comply with GDPR and among others:
- Only process the personal data in accordance with the instructions of the Data Controller/person who transferred the data, who is obliged to comply with GDPR requirements.
- Only retain that personal data until the termination of the data processing services, subject to any requirements of applicable legislation.
- Promptly notify the Data Controller of any legally binding request for disclosure of the data in accordance with the applicable legislation, of any accidental or unauthorized access or of any requests received directly from data subject.
- Not respond to any requests to disclose the data unless it has been authorized to do so by the Data Controller or the individual concerned or as required by law.
Where KPMG acts as a Data Controller, it shall comply with GDPR and among others:
- apply all appropriate measures for compliance and data protection by design and default
- implement appropriate technical and organizational security measures to protect personal data.
- reporting data breaches to DPAs and the data subject(s) in accordance with the applicable legislation.
- work with supervisory authorities.
- facilitate the exercise of data subject rights.
We process your personal data for a specific purpose and only process the personal data which is necessary and relevant to achieving that purpose.
In particular, we process personal data for the following purposes always in accordance with the nature of our collaboration as well as applicable legislation and regulations:
- perform our contractual obligations towards you or to take pre-contractual steps at your request and/or consent;
- manage our suppliers and subcontractors;
- monitor activities at our facilities, including compliance with applicable policies as well as health and safety rules in place;
- manage our IT resources, including infrastructure management and business continuity;
- preserve the firm’s economic interests;
- ensure compliance and reporting (such as complying with our policies and local legal requirements, tax and deductions, managing alleged cases of misconduct or fraud, conducting audits and defending litigation);
- archiving and record-keeping;
- billing and invoicing; and
- any other purposes imposed by law and authorities.
According to Greek and EU law, we will not process your personal data if we do not have a proper justification foreseen in the law for that purpose. Therefore, we will only process your personal data if we have a basis or “ground” under the law to do so, such as:
- Performance of a contract: this is when the processing of your personal data is necessary to perform our obligations under a contract;
- Legal obligation: this is when we are required to process your personal data to comply with a legal obligation, such as keeping records for tax purposes or providing information to a public body or law enforcement agency;
- Legitimate interests: we will process your personal data where it is in our legitimate interest, so long as it doesn’t outweigh your interests and freedoms; or
- Your consent: in some cases, and in addition to your contract, we will ask you for specific permission to process some of your personal information, and we will only process your personal data in this way if you agree for us to do so. You may withdraw your consent at any time by contacting us at firstname.lastname@example.org .
KPMG do not share personal data with unaffiliated third parties, except as necessary for their legitimate professional and business needs, to carry out your requests, and/or as required or permitted by law or professional standards.
KPMG work with reputable partners, service providers or agencies so they can process your personal data on our behalf. KPMG will only transfer personal data to them when they meet our strict standards on the processing of data and security. KPMG only share personal data that allows them to provide their services.
KPMG ensures that the external services providers that have access to or use confidential information are bound by contractual obligations to maintain the confidentiality and security of the information. Those confidentiality and security obligations shall be at least equivalent to those with which KPMG member firms are obliged to comply. KPMG includes a confidentiality clause in the General terms of Business, and confidentiality or non-disclosure agreements may be signed at times with third parties, (i.e. external service providers that have access to confidential information).
In addition, KPMG may transfer certain personal information outside of the EEA to companies working with us or on our behalf for the purposes described in this Statement for Protection of Personal Data. KPMG may also store personal information outside of the EEA. If we do this, your personal information will continue to be protected by means of contracts we have in place with those organisations outside the EEA, which are in a form approved by the European Commission. By providing personal information on online, visitors are consenting to this transfer and/or storage of their personal information across borders.
KPMG will not transfer the personal information you provide to any third parties for their own direct marketing use.
We have implemented appropriate organizational and technical measures to provide a high level of privacy and security to your personal data against accidental or unlawful destruction or alteration, accidental loss, unauthorized disclosure or access and other illegal forms of processing.
KPMG incorporates the protection of personal data as an integral part of its business operations by design and by default, so as to protect the rights of data subjects, such as user management policy, distinct roles and responsibilities, backups, physical security measures, policy of destruction of personal data etc.
To the extent not prohibited by applicable laws or regulations, KPMG:
- retains personal data for 10 years at least, and in any case as long as and until the purpose of collection the data is achieved, subject to any requirements to retain information otherwise, in order to comply with any applicable law, regulation, professional requirements or standards,
- maintains a process in place to determine and track the types and location of personal data it hold about you,
- enables you to have access to your personal data that is maintained by KPMG, and allows you to review and correct any errors with respect to your personal information as required by applicable laws and regulations.
Your rights include the right of access to data, the rectification the erasure / right to be forgotten, the restriction of processing of personal data, the objection to processing of personal data, the data portability, the right to withdraw consent at any time (where processing is based on consent) and the right to lodge a complaint with a supervisory authority.
Finally, you always have the right to lodge a complaint with Hellenic Data Protection Authority (DPA). [www.dpa.gr/ Call Center: 210 64 75 600, Fax: 210 64 75 628, email: email@example.com.
10. Changes to this statement
KPMG may update this Policy from time to time to reflect the current privacy developments. When we make changes to this Policy, we will revise the "updated" date at the top of this page. We encourage you to periodically review this Policy to be informed about how KPMG is protecting personal data.