In the context of our services we process personal data of employees of clients and other persons related to clients, such as contact persons that are employed at a client, board members, shareholders and supervisors and persons that are otherwise related to a client.
This privacy statement describes how KPMG handles these personal data before the start of the services, when performing the services and in other situations relating to our services. This privacy statement should be read in addition to and in conjunction with the general KPMG Online Privacy Statement, which provides additional information about our processing of personal data, such as with regard to the rights you have and the sharing of personal data with third parties.
What (types of) personal data do we process?
In the context of our services we may process various types of personal data, such as:
For certain services additional financial data may be processed. This may also be the case if a natural person is a client of KPMG.
In some cases, and only if this is permitted by law, the personal data that we collect may also include special categories of personal data (such as information about racial or ethnic origin, political opinions, religious and other beliefs, trade union membership, data about sexual orientation or health data) and data about alleged or proven criminal offences. In some cases it may also be required to collect and retain the national identification number (in the Netherlands the Citizen Service Number (BSN)) or a (partly shielded) copy of an identification document.
What are the legal bases for our processing of personal data?
We will only use personal data if we have a legal basis to do so. The legal basis to process your personal data depends on the purpose of the processing. The following legal bases may be applicable:
How do we process personal data before the start of the services?
Prior to the start of our services, personal data may be processed for various reasons, such as:
In the context of the know-your-client check that KPMG performs on the basis of, among other things, the Anti-Money Laundering and Anti-Terrorist Financing Act and internal policies, research is done on the client, the ‘ultimate beneficial owner’ of the client, so-called ‘politically exposed persons’ that are related to a client, the representative of the client and the origin of capital. For the purposes of these checks it might also be necessary to request and keep a copy of the identification document, and to perform research in various (public) sources, which may involve the processing of personal data and special categories of personal data.
How do we process personal data when providing services?
As part of our services, it may be necessary to process personal data of persons that are related to a client, such as persons that are employed at a client or that are registered in the customer database of a client. For example in order to:
More information on the services that KPMG provides can be found here.
In most cases, we receive the personal data that we process when providing our services from our clients. We may also collect personal data ourselves in the course of the services, for example if we perform marketing research or conduct interviews.
We usually agree with our clients that if we need to process personal data in the context of our services, the client shall inform the data subjects about the processing of their personal data by KPMG.
The personal data that we process depends on the specific context of the services. As a general rule, we try to limit the processing of personal data as much as possible.
Other processing of personal data
Besides the personal data processing before and during our services, it may be necessary to process personal data of employees of clients and other persons related to the clients for other reasons, for example to:
How long do we retain personal data?
The retention period for personal data depends on the nature of the data and the context in which the information is collected. Personal data is retained as long as necessary for the purpose for which it is collected. Personal data that is processed within the scope of the services and that is part of the engagement file is usually retained for a period of 7 or 10 years, depending on the kind of service. It might be necessary to retain personal data for a longer period in order to comply with legal, regulatory, internal company or policy requirements, or if this is necessary with regard to (preparations for) legal procedures or disputes.