KPMG often uses tools and applications to digitalize our service offerings and our internal and external processes. In some cases you may use one of our tools or applications, for example if you attend our (web)events or conferences for which we use technology solutions such as webinar, survey and polling tools. If you work at one of our clients you may also come across our tools as part of our client services, for example if you are asked to complete a questionnaire or assessment in one of our (web)applications, or if you get access to tools we use to collaborate, to create a virtual data room and/or workspace, to manage projects, to visualize data or process flows or to provide certain (financial) insights into your employer’s processes or assets.
In this privacy statement we inform you about how we process personal data if you use tools or applications that are used, provided or made accessible by or via KPMG (“KPMG Tools”).
This privacy statement should be read in combination with the KPMG Online Privacy Statement, which includes additional information regarding our processing of personal data, such as with regard to the rights you have and our sharing of personal data with third parties.
What (types of) personal data do we collect?
The personal data that is processed in the context of a KPMG Tool depends on the specific tool or application. This may include the following (categories):
- First name and last name
- (business) (email) address
- (business) telephone number
- Information relating to a person’s position such as company name, function title and department
- User account data
- IP-address and other (automatically generated) technical data
- Survey or poll responses
- Information necessary for audit trails (e.g. access logs)
- Digital signature
- Chat- or conversation data
- (profile) pictures or other visual material
- Other information that is included in the tool or application
In some cases, but only if this is permitted by law, the personal data that we collect may also include special categories of personal data (such as information about racial or ethnic origin, political opinions, religious and other beliefs, trade union membership, data about sexual orientation or health data) and data about alleged or proven criminal offences.
We receive personal data directly from you, or via other sources, depending on the KPMG Tool and the specific use purposes of such KPMG Tool. In general, for KPMG Tools that we use within the scope of our client services, we receive personal data from our clients. We may also collect personal data ourselves in the course of the services, for example if we perform (marketing) research or conduct interviews. Furthermore, personal data may be collected via the KPMG Tool itself.
We usually agree with our clients that if we need to process personal data in the context of our services, the client shall inform the data subjects about the processing of their personal data by KPMG.
For what purposes do we use these personal data?
It may be necessary to process personal data of users of KPMG Tools, such as personnel of our clients, persons that are otherwise related to our clients such as customers, and other persons related to KPMG, such as visitors of KPMG congresses or other KPMG (web)events. For example in order:
- To provide services to clients, for example i) we provide the tool as a (SaaS-) product, ii) the KPMG Tool enables us to provide certain services, such as generating financial or corporate social responsibility insights, or iii) the KPMG Tool supports us when providing client services, such as data rooms or virtual workspaces;
- To use technology solutions such as collaboration tools and project/process management tools, to enhance, automate and optimize our services and improve collaboration;
- To create and maintain user accounts that are necessary to access and use KPMG Tools;
- To use surveys, assessments and/or questionnaires within a client engagement and process the results thereof;
- To conduct client satisfaction surveys;
- To use surveys, polls and/or questionnaires for congresses or other KPMG (web)events;
- To manage and operate the tool or application and protect and maintain our IT-systems;
- To develop and improve KPMG Tools and our (associated) services;
- To process personal data for purposes that are compatible with the purpose the personal data is initially collected for;
- To anonymize personal data to enable the use for other purposes such as knowledge sharing.
What are the legal bases for our processing of personal data?
We will only use personal data if we have a legal basis to do so. The legal basis to process your personal data depends on the KPMG Tool that you are using. The following legal bases may be applicable:
- Performance of a contract: this applies when the processing of your personal data is necessary to perform our obligations under a contract with you (which can be form-free), or prior to entering into such contract. For example, if you subscribe for a KPMG (web)conference or KPMG event, this might be considered as concluding an agreement and to comply with our obligations under that agreement, we need to process certain personal data.
- Legitimate interest: we process your personal data if this is in our legitimate interest to run and optimize our business, or in the legitimate interest of a third party such as our client, insofar as this does not outweigh your interests. KPMG has, for example, a legitimate interest in processing personal data for the purposes as described above under “For what purposes do we use these personal data?”. In some cases, we do not (only) rely on our legitimate interest for the processing of personal data, but (also) ask your specific consent for the processing of your personal data, as described below.
- Your consent: in some cases we ask for your consent to process (parts of) your personal data. We will only process your personal data in this way if you agree to us doing so. You may withdraw your consent at any time in the manner as described when providing your consent, or by contacting KPMG at email@example.com. This does not affect the lawfulness of the processing that took place before you withdrew your consent.
Sharing and transfer of personal data
In order to use KPMG Tools, it may be necessary to share or transfer your personal data to other member firms of the KPMG network and KPMG International, or to third-party service providers. This may be the case, for example, if it concerns a tool that we license from another KPMG member firm or a third party (SaaS)-supplier, or in case another KPMG member firm or third party supplier is engaged to provide services to us and you, such as hosting and supporting KPMG Tools. This may entail the transfer of certain personal data outside of the EEA to outside companies working with us or on our behalf for the purposes described in this statement and/or the general KPMG Online Privacy Statement. KPMG may also store personal information outside of the EEA. If we do this, your personal data will continue to be protected by means of contracts we have in place with the recipients of the personal data. In most cases we ensure that such recipients are, as a minimum, subject to standard contractual clauses as approved by the European Commission to ensure adequate protection of your personal data.
It is possible that when using a KPMG Tool, a privacy statement from KPMG International, another KPMG member firm or a third party is shown. In some cases, these aforementioned parties may (also) process your personal data for their own purposes. This KPMG privacy statement does not relate to such use of personal data by other parties. We advise you to also read the privacy statements of KPMG International, other KPMG member firms or other third parties to make sure that you are duly informed about the processing of your personal data.
How long do we retain personal data?
The retention period for personal data depends on the nature of the data and the context in which the information is collected. Personal data is retained as long as necessary for the purpose for which it is collected.
With regards to KPMG Tools that are used within the scope of client services, data relating to user accounts and audit trails are usually retained for as long as an engagement for the service provision is active. That means that such personal data will generally be deleted within a short period after finalizing the respective engagement.
Personal data that are processed within the scope of the services and that are part of the engagement file are usually retained for a period of 7 or 10 years, depending on the kind of service.
We may retain your personal data for a longer period if that is necessary in order to comply with legal, regulatory, internal company- or policy requirements or if this is necessary with regard to (preparations for) legal procedures or disputes.