Candidate Privacy Notice

Last Updated 31^st March 2022

KPMG LLP (UK) is committed to protecting your privacy and safeguarding your personal data. This Privacy Notice is issued by KPMG LLP (UK) and its subsidiaries (”KPMG”, “firm”, ‘we’, ‘our’, or “us”) in accordance with the UK General Data Protection Regulation and the UK Data Protection Act 2018.

The purpose of this Privacy Notice is to describe how KPMG collects and uses your personal data in the course of our candidate application and recruitment process, as required by Data Protection Laws. This Privacy Notice applies to all current and former candidates for roles as KPMG partners, employees, associates and contractors (collectively referred to as “Candidates”). 

What kind of personal data do we hold about you?

The categories of personal data that we process in the course of our candidate application and recruitment process may include the following:

• Contact details such as name, address, email address.
• Date and country of birth.
• Previous employment history (inc. names of employer, dates of employment, positions held, current salary).
• Educational history.
• Employer feedback / references (exc. contractors).
• Nationality and evidence of right to work in the UK (e.g. passport, ID cards, visa details) (exc. contractors).
• Results of KPMG assessments (and video footage from any recorded assessments).
• Results of pre-employment screening checks (e.g. credit history, criminal records checks).
• Physical and/or mental health where this requires KPMG to make reasonable adjustments in the candidate and recruitment process (e.g. accessibility to premises).

In addition to the above, the following personal data may also be processed in the course of the candidate application and recruitment process for Partners, Associated Partners and Directors:

• Social media and online activity.
• Psychometric assessment.
• Gender.

Candidates (exc. contractors) may also voluntarily provide the following personal data (“Diversity Data”) to KPMG in the course of the candidate application and recruitment process in order to contribute to KPMG’s promotion of diversity within its workforce:

• Physical and/or mental health.
• Ethnic background.
• Sexual orientation.
• Religious beliefs.
• Gender.
• Social economic background.

If you fail to provide personal data

The provision of your personal data (other than Diversity Data) is necessary for us to enter and maintain our contract with you. If you fail to provide certain personal data items when requested, we may not be able to perform any contract we decide to enter into with you, or to comply with our legal obligations. As a result, we may not be able to progress your application.

How do we collect your personal data?

• Directly. We obtain personal data directly from individuals in a variety of ways, where you provide information to us by applying directly for a role at KPMG, or information that we learn about you through your interactions with us.
• Indirectly. We may also collect additional information about you from third parties including former employers, employment agencies, specialty search firms, credit reference agencies, background check providers, other service providers, and from other sources where you have made your personal information publicly available for the purposes of recruitment on jobs boards (e.g. LinkedIn).

How do we use your personal data?

We use your personal data during our recruitment process and to process your application for the position for which you have applied, as well as to meet our legal obligations. We may also process Diversity Data in order to promote diversity within our work force. In doing so, we ensure that we comply with Data Protection Laws.

In addition to using your personal information data for the position for which you have applied, we may retain and use your personal information to consider you for other positions. If you do not want to be considered for other positions or would like to have your personal data removed, you may contact us as specified under ‘Who can answer your privacy questions or complaints?’ below.

KPMG will only use your personal data collected in the course of the candidate application and recruitment process for the purposes set out in this Privacy Notice. For full details of how and why we process each type of personal data, please see Annex 1 below.

What lawful basis do we have for processing personal data?

We may rely on the following lawful bases when we process your personal in the course of the candidate application and recruitment process: 

• Contract – We may process personal data to perform our contractual obligations.
• Legal obligation – We may process personal data to meet our legal and regulatory obligations.
• Consent - We may rely on your freely given consent at the time you provided your personal data to us. 
• Legitimate Interests – We may rely on legitimate interests of KPMG for processing your data where this does not unduly affect your interests or fundamental rights and freedoms
• Public Interest – We may process your data to perform a task carried out in the public interest
• Vital Interest – We may process your data to protect your vital interests

For full details as to which lawful basis we rely on to process each type of personal data, please see the Annex 1 below.

How do we share your personal data?

The extent to which your personal data is shared both internally and externally will differ for each candidate but will always be strictly limited individuals who need to access your personal data in order meet the specific purpose for which it is processed..

Your personal information may be shared internally within KPMG with the following people:

• Those employees who would have managerial responsibility for you or are acting on their behalf.
• Employees in HR who have responsibility for certain HR processes (for example, recruitment, assessment, pre-employment screening).
• Employees with responsibility for investigating issues of non-compliance with laws and regulations, internal policies and contractual requirements.
• Employees in IT and system owners who manage user access.
• Quality and risk management team for independent and risk assurance checks. To review and monitor ‘conflicts of interest’ and compliance with ‘fit and proper’ regulation.

KPMG may also need to share your information externally with certain external third parties including:

• Companies who provide recruitment and candidate interview and assessment services to us.
• Suppliers who undertake background screening on behalf of KPMG (credit checking agencies, criminal checking bureaus, social media checks etc.).
• Academic institutions (Universities, colleges, etc.) in validating information you’ve provided.
• Individuals and companies that you have previously worked for who may provide references/recommendations to the KPMG.
• Other third-party suppliers (or potential suppliers), who provide services on our behalf.
• Third parties to conduct assessments for your suitable for the role you have applied for.

We aim to keep the sharing of your personal data as minimal as possible and do not make financial gain from the information you provide. When we do share your personal data, we ensure that we impose appropriate security and privacy obligations in line with our policies. We require third party service providers to only process your personal data on our instructions and not use it for their own purposes.

Do we transfer your personal data abroad?

We store your personal data on servers located in the European Economic Area (EEA) only and will only transfer your personal data outside of the EEA to other KPMG member firms and reputable third-party organisations where it is strictly necessary in order to meet the purpose of the processing. Each recipient organisation is required to safeguard personal data in accordance with our contractual obligations and Data Protection legislation.

What pre-employment screening checks to we undertake?

KPMG will typically only transfer your personal to an external third party for the purpose of pre-employment checks.

If you are offered a role, we will determine which checks need to be carried out for the role in question.  A number of these checks will be performed for all roles, but some of the checks will only be performed for certain role. KPMG will only perform screening checks if it is appropriate given the nature of your role, your offer will be subject to the successfully completion of the screening checks.

Criminal records checks

Given the nature of our business, we have legal and regulatory obligations to ensure that the people we employ can be relied upon. We therefore envisage that where appropriate during the recruitment process, we will collect and hold information about criminal convictions. As part of pre-employment screening checks we may ask questions about any prior civil or criminal proceedings you may have been subject to and may also conduct criminal record checks.

We will use information about criminal convictions and offences in the following ways:

• To establish whether to offer / withdraw an offer of employment
• If successful in your application, in assigning or re-assigning you to appropriate client engagements according to agreed client screening requirements.

Fraud prevention checks

To prevent or detect fraud, or assist in verifying your identity, we may make searches of Group records using fraud prevention agencies. Should our investigations identify fraud or the commission of any other criminal offence by you (on your part) when applying for, or during the course of your employment with us, we will record details on this on the fraud prevention database. This information may be accessed from the UK and other countries and used by law enforcement agencies, us and other employers (and potential employers) to prevent fraud.

Personal information we have collected from you will be shared with the Credit Industry Fraud Avoidance System CIFAS who will use it to assess and prevent fraud, other unlawful or dishonest conduct, malpractice, and other seriously improper conduct. If any of these are detected, you could be refused certain services or employment.

Regulatory screening

In order to comply with our legal and regulatory obligations in relation to anti-money laundering and sanctions restrictions, we will screen your name against global sanctions lists. The screening will simply involve searching our internal and third-party databases to ensure you are not listed on the sanctioned list. We are not able to employ anyone on a sanctions list. In addition, in order to comply with our legal obligations relating to anti-bribery and corruption, we will also perform searches and ask questions to assess whether there is a potential bribery or corruption risk to the role based on your personal and political associations. If there is a risk, we will look to assess what additional internal controls we need to put in place to reduce that risk prior to your employment.

Ethics & Independence checks

In order to comply with our legal and regulatory obligations, KPMG will review and monitor ‘conflicts of interest’ and compliance with ‘fit and proper’ regulation.  This may include processing of financial information, investments/assets as well as director/shareholding interests of KPMG personnel and their relatives.   

We will only keep your personal data for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, regulatory, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data, and whether we can achieve those purposes through other means and the applicable legal requirements.

In some circumstances, we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you.

We may retain your information for longer periods under exceptional circumstances, for example, where we need to withhold destruction or disposal based on an order from the courts or an investigation by law enforcement agencies or our regulators.

We have put appropriate technical and organisational security policies and procedures in place to protect personal data from loss, misuse, alteration or destruction. We aim to ensure that access to your personal data is limited only to those who need to access it. Those individuals who have access to the data are required to maintain the confidentiality of such information. We may apply pseudonymisation, de-identification and anonymisation techniques in efforts to further protect personal data.

If you have access to parts of our websites or use our services, you remain responsible for keeping your user ID and password confidential. Please be aware that the transmission of data via the Internet is not completely secure. Whilst we do our best to try to protect the security of your personal data, we cannot ensure or guarantee the security of your data transmitted to our site; any transmission is at your own risk. 

KPMG is committed to being transparent about how we collect and use the personal data entrusted to us. In accordance with the Data Protection Laws, you have the right to know what personal data KPMG holds about you and how it is used. Your rights regarding your personal data are set out below:

a)     Access – You have the right to access your personal data to ensure we are processing it fairly and lawfully. This is known as a Data Subject Access Request. You will be provided with a copy of the personal data that is disclosable to you free of charge and will be responded to within one calendar month in most instances.

b)     Correction – If the information we hold about you is incorrect or incomplete, you have the right to ask us to correct it.

c)     Object to processing – You have the right to object to us processing your personal data if we are no longer entitled to do so.                                   

d)     Deletion/Erasure – In certain circumstances you may have the right to have your personal data deleted if we are no longer entitled to retain it.

e)     Restriction – In certain circumstances, you may have the right to have the processing of your personal data restricted.

f)      Transfer – In certain circumstances, you may have the right to request the transfer of your personal data to another party.

To exercise any of these rights, please email DataPrivacy@kpmg.co.uk your request to setting out which right you wish to exercise. Please note that we may need to request specific information from you to help us confirm your identity and ensure your right to access the information or to exercise any of your other rights. This helps us to ensure that personal data is not disclosed to any person who has no right to receive it. 

If you have questions or comments about this Privacy Notice or how we handle personal data, please direct your correspondence to: KPMG LLP, Data Protection and Privacy Office, 15 Canada Square, London UK E14 5GL or email DataPrivacy@kpmg.co.uk. We aim to respond within 30 days from the date we receive privacy-related communications.

You may also withdraw consent to the processing of your personal information or submit complaints and/or objections to the processing of your personal information by sending a request in writing to: The Data Privacy Office at DataPrivacy@kpmg.co.uk.  

When asked to remove a record from our database, KPMG will retain minimal personal information in order to prevent future contact and where required in accordance with legal / regulatory requirements.

In respect of personal data processed by KPMG UK, you also have the right to make a complaint at any time to the Information Commissioner’s Office (“ICO”), the UK supervisory authority for data protection issues, at:

The ICO’s address:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk

In respect of personal data processed by KPMG Gibraltar, you also have the right to make a complaint at any time to the Gibraltar Regulatory Authority (“GRA”), the Gibraltar supervisory authority for data protection issues, at info@gra.gi. 

We take care to ensure that your personal data is accurate and up to date. Please be sure to keep us informed of any changes to your personal data changes at any stage of your application and recruitment process. This can be done through the recruitment portal using your sign-in credentials, alternatively please contact the recruitment team for further assistance on this. 

The table below summarises the categories of personal data that we process, the purpose and legal basis of such processing, and who we share it with. It is not an exhaustive list and will be updated from time to time. Some of the grounds for processing will overlap and there may be several grounds which justify our use of your personal data.

Processing Purpose	Categories of Personal Data Processed	Lawful Basis for Processing	Potential Recipients of your Personal Data (in addition to other KPMG member firms)
Assessment and recruitment.	Name.   Personal telephone numbers.   Current and previous personal addresses.   Personal email addresses.   Identification information (name, position, title, place of birth, staff number, photo ID card, passport numbers, NI and equivalent numbers).   Electronic identification data (login information, access rights, staff pass information, IP address, online identifiers/cookies, logs and connection times, sound or image recording such as CCTV or voice recordings).   Employment history   Compensation history   Country of birth, nationality and residence   References   CVs and cover letter information   Education and academic achievement   Physical and/or mental health	Contract – the processing is necessary in order for KPMG to enter into a contract of employment with you.     Consent - We may rely on your freely given consent at the time you provided your personal data to us.	Home Office Professional regulatory bodies (e.g. ICAEW, FCA) Professional insurers
	Gender (Partners, Associate Partners and Directors only).	Public Interest – the processing is necessary for the performance of a task carried out in the public interest.	n/a
New employee on-boarding	Copies of right to work documentation   Background checks (inc. criminal records)   Nationality	Legal Obligation – the processing is necessary for KPMG to comply with the law.	Third party screening providers Professional regulatory bodies (e.g. ICAEW, FCA) Professional insurers
Promotion of inclusion, diversity and social equality	Physical or mental health condition   Ethnic background   Sexual orientation   Religion or other similar belief   Gender   Social economic background	Public Interest – the processing is necessary for the performance of a task carried out in the public interest. Substantial Public Interest (Article 9, II (g)) - processing is necessary for reasons of substantial public interest.	n/a
Regulatory and Risk Management	Ethics and Independence Investments   Financial and Investment data from partner or dependents   Trustee and Board appointments   Insurance coverage Relationship with clients Employment History Public records   Identification Documents (e.g., passports, visas)	Contract – the processing is necessary for a contract KPMG has with you. Legal Obligation – the processing is necessary for KPMG to comply with the law. Legitimate Interests – the processing is necessary to ensure KPMG runs its business operations efficiently.	Professional regulatory bodies (e.g. ICAEW, FCA) Professional insurers CIFAS (Credit Industry Fraud Avoidance System)