In the context of our services we process personal data of employees of clients and other persons related to clients, such as contact persons that are employed at a client, board members, shareholders and supervisors and persons that are otherwise related to a client.
This privacy statement describes how KPMG handles these personal data before start of the services, when performing the services and in other situations relating to our services. This privacy statement should be read in addition to and in conjunction with the general KPMG Online Privacy Statement, which statement provides additional information about our processing of personal data, such as with regard to the rights you have and the sharing of personal data with third parties.

What (types of) personal data do we process?
In the context of our services we may process various types of personal data, such as:

• name;
• date of birth;
• address;
• gender;
• (business) email address and telephone number;
• information relating to a persons’ position such as company name, function title and department and job history;
• information that is available in public sources, such as the Chamber of Commerce;
• information about shareholder positions/structure.

For certain services additional financial data may be processed. This may also be the case if a natural person is client of KPMG.

In some cases, and only if this is permitted by law, the personal data that we collect may also include special categories of personal data (such as information about racial or ethnic origin, political opinions, religious and other beliefs, trade union membership, data about sexual orientation or health data) and data about alleged or proven criminal offences. In some cases it may also be required to collect and retain the national identification number (in the Netherlands the Citizen Service Number (BSN)) or a (partly shielded) copy of an identification document.

What are the legal bases for our processing of personal data?
We will only use personal data if we have a legal basis to do so. The legal basis to process your personal data depends on the purpose of the processing. The following legal bases may be applicable:

• Performance of a contract: this applies when the processing of your personal data is necessary to perform our obligations under a contract to which you are party, or prior to entering into such contract, for example if our client is a natural person.
• Legal obligation: this applies when we are required to process your personal data in order to comply with a legal obligation, such as:
  • performing a know-your-client check or complying with other obligations under the Anti-Money Laundering and Anti-Terrorist Financing Act;
  • performing independence checks;
  • keeping records for tax purposes;
  • recording our activities in a file;
  • providing information to a governmental- or law enforcement agency (including supervisory authorities).
• Legitimate interest: we process your personal data if this is in our legitimate interest to run and optimize our business, or in the legitimate interest of a third party such as our client, insofar this does not outweigh your interests. Our clients have a legitimate interest in receiving our services. KPMG has, for example, a legitimate interest in:
  • corresponding with (potential) clients regarding its services;
  • providing services;
  • keeping (financial) records;
  • conducting client satisfaction surveys;
  • protecting and maintaining IT-systems;
  • developing and improving services.
• Your consent: in some cases we ask for your specific consent to process parts of your personal data. We will only process your personal data in this way if you agree to us doing so. You may withdraw your consent at any time in the manner as described when providing your consent, or by contacting KPMG at privacy@kpmg.nl.

How do we process personal data before the start of the services?
Prior to the start of our services, personal data may be processed for various reasons, such as:

• during the proposition phase where we inform (potential) clients about our services, make proposals, communicate with clients and conclude an engagement;
• verifying if a certain service can be provided to a (potential) client. We do this among other by checking if there are (potential) independence conflicts and by performing a know-your-client check.

In the context of the know-your-client check, that KPMG performs on the basis of i.a. the Anti-Money Laundering and Anti-Terrorist Financing Act and internal policies, research is done on the client, the ‘ultimate beneficial owner’ of the client, so called ‘politically exposed persons’ that are related to a client, the representative of the client and the origin of capital. For the purposes of these checks it might also be necessary to request and keep a copy of the identification document, and to perform research in various (public) sources, which research may involve the processing of personal data and special categories of personal data.

How do we process personal data when providing services?
As part of our services, it may be necessary to process personal data of persons that are related to a client, such as persons that are employed at a client or that are registered in the customer database of a client. For example in order to:

• audit the financial statements for e.g. companies within the health care industry, insurance companies or pension funds;
• provide other accountancy related services;
• carry out a forensic investigation on behalf of a client;
• provide payroll services;
• provide various consultancy services, such as with regard to the improvement of a client’s internal processes;
• provide access to software and technical support and advice in that regard. 

More information on the services that KPMG provides can be found here.

In most cases, we receive the personal data that we process when providing our services from our clients. We may also collect personal data ourselves in the course of the services, for example if we perform marketing research or conduct interviews.

We usually agree with our clients that if we need to process personal data in the context of our services, the client shall inform the data subjects about the processing of their personal data by KPMG.

The personal data that we process depends on the specific context of the services. As a general rule, we try to limit the processing of personal as much as possible.

Other processing of personal data
Besides the personal data processing before and during our service, it may be necessary to process personal data from employees of clients and other persons related to the clients for other reasons, for example to:

• prevent fraud or criminal activity and to safeguard and maintain our IT-systems;
• comply with our business obligations;
• perform quality checks in order to monitor the quality of our services;
  
• anonymize personal data to enable the use for other purposes such as knowledge sharing;
• monitor, analyze or benchmark our services;
• comply with our obligations on the basis of law and (professional) regulations;
• institute, substantiate or defend against a legal claim or other legal procedure.

How long do we retain personal data?
The retention period for personal data depends on the nature of the data and the context in which the information is collected. Personal data is retained as long as necessary for the purpose they are collected for. Personal data that is processed within the scope of the services and that are part of the engagement file is usually retained for a period of 7 or 10 years, depending on the kind of service. It might be necessary to retain personal data for a longer period in order to comply with legal, regulatory, internal company- or policy requirements or if this is necessary with regard to (preparations for) legal procedures or disputes.