KPMG LLP (U.S.) (“KPMG”) is dedicated to protecting the confidentiality and privacy of information entrusted to it, including Personal Information (also known as “personal data,” “Personally Identifiable Information,” or “PII”). This Firm Personnel Data Privacy Notice (“Privacy Notice”) aims to give Firm Personnel (as defined below) information on how their Personal Information (as defined below) is collected, processed, used, and retained by KPMG. For the purposes of this Privacy Notice: (i) “Firm Personnel” includes current and former partners, principals, employees, directors, officers, and interns of KPMG; and (ii) “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer that is a member of, or a particular household that includes a member of, Firm Personnel.
Please review this Privacy Notice to learn more about how we collect, use, share, and protect the Personal Information of Firm Personnel that we obtain. For more information about KPMG’s privacy policies applicable to Firm Personnel, please see the Confidentiality and Privacy section of the Policy Center.
Collection and Use of Personal Information
KPMG’s collection of Personal Information from and about Firm Personnel is necessary in order for KPMG to fulfill its legal, professional, and contractual obligations, and for the performance of current and former partnership or employment relationships, as applicable. Therefore, the failure by any Firm Personnel to provide Personal Information, in whole or in part, could prevent KPMG from fulfilling some or all of its obligations regarding the partnership or employment relationship, or as may be required under contract, applicable law, or our professional standards, including, but not limited to, obligations related to auditor independence rules, payroll, social security contribution, tax, and insurance.
KPMG may process the following types of Personal Information, including Sensitive Personal Information (as defined below), for the purposes set out in this Privacy Notice, and subject to and in accordance with applicable law:
- Identifiers, which may include: your name, address, email address, phone number, and other contact details; usernames and passwords; social security number and national identity number, driver’s license number, passport number, or other government-issued identification number;
- Commercial and financial information, which may include: your bank account information and other information relating to your financial institution; credit applications, credit checks, and information from credit reporting agencies; and brokerage account information;
- Professional or employment-related information, which may include: information regarding your current and previous employers; job title and responsibilities; assets; income; and/or other information related to your work history and/or prospective employment; compensation, bonus or incentive information and social security premiums (including amounts paid, the frequency and currency of payments); benefits information (e.g., car allowance, health insurance, pension contributions) (including amounts paid, the frequency and currency of payments); records of your work history (including internal and external work history, references, and civil and criminal background checks); participation on corporate boards or advisory councils; records of your performance (including evaluations and ratings, grievances, and disciplinary records); information relating to absences from work; general organizational data (such as your department, work location, job title, and seniority);
- Education information, which may include: academic record, degrees, and educational history;
- Biometric information, which may include: signatures; fingerprints; facial scans; voice recognition information; genetic information; and/or other similar biometric identifiers;
- Information relating to Internet activity or other electronic network, application, and systems activity, which may include: cookie identifiers, clear gifs, browser type, Internet service provider (ISP), Internet Protocol (IP) addresses, media access control (MAC) addresses, referring/exit pages, operating system, date/time stamp, clickstream data, device platform, device version, and/or other device characteristics including your choice of settings such as Wi-Fi, Bluetooth, and Global Positioning System (GPS) data; usage data; and other, similar Personal Information collected for monitoring purposes, or other purposes pursuant to any KPMG policy, in relation to your interaction with KPMG’s networks, applications, and systems, including badge swipes to KPMG’s facilities, hoteling, training, messaging and calendaring, mobile device management, and remote access;
- Geolocation data, which may include: GPS data; locational information based upon your IP address; cell network data; and/or other similar locational data;
- Audio, electronic, or visual information, which may include: records of calls to or from our service or support centers; and/or audio or video information recorded for surveillance or training purposes, during meetings (virtual or in person), or at firm events/town halls;
- Information not listed above and related to characteristics protected under applicable state or federal law, which may include: gender; race and ethnicity; nationality; marital status; military service or veteran status; and/or date of birth;
- Inferences about you, which may include preferences and characteristics and other information we may infer from other Personal Information we have collected;
- Other Personal Information not listed above and defined in applicable law(s), which may include: insurance policy number; and/or bank account number, credit card number, debit card number, and other financial, medical, and health insurance information;
- Other information voluntarily disclosed by you to us, or collected or generated by KPMG in connection with your partnership or employment relationship or the related activities in which you participate on account of your relationship with KPMG.
KPMG may process Sensitive Personal Information (as defined below) if and to the extent such processing is: (i) necessary for compliance with applicable law; (ii) specifically authorized or required by law; or (iii) of Sensitive Personal Information that is voluntarily shared by any Firm Personnel with KPMG. For the purposes of this Privacy Notice, “Sensitive Personal Information” is Personal Information that may reveal an individual’s race or ethnic origin, political opinions, health data, including genetic data, disability information, sex life, sexual orientation, religious or similar beliefs, membership in a trade union organization, and/or criminal records.
We may create de-identified or anonymized data from Personal Information by removing data components that make the data personally identifiable to you, or through obfuscation or other means. Our use of de-identified or anonymized data is not subject to this Privacy Notice.
Collection and Use of Personal Information of Family Members of Firm Personnel
KPMG may also collect certain information from or regarding the spouses, partners, dependents, and other household members of Firm Personnel (“Family Members”), such as emergency contact details and contact information and information in connection with the administration of health, medical, or other employment benefits. In addition, to comply with federal law, regulations, and professional standards, KPMG is required to collect certain information from or regarding Family Members of Firm Personnel, including certain financial information, such as brokerage account information, and certain Personal Information that we require to fulfill our obligations under applicable professional standards and laws, including, without limitation, auditor independence rules. KPMG’s collection and processing of Personal Information of Family Members of Firm Personnel is subject to KPMG’s external Privacy Statement.
Purposes of Processing Personal Information
Personal Information may be processed by KPMG for the purposes set out below:
- Managing the recruitment, onboarding, and retention of Firm Personnel;
- Administering human resource functions, including performance reviews and appraisals, personal time off, including, without limitation, sickness leave, training, internal directories and organizational charts, internal communications, professional development and continuing education tracking, social and cultural activities directly implemented by KPMG and dealing with disciplinary action, termination, and retirement of Firm Personnel;
- Planning and staffing client engagements, including, without limitation, providing resumes and descriptions of work experience and qualifications to clients and potential clients;
- Administering payroll, or partner drawing accounts and partner statements, the reimbursement of expenses, the payment of remuneration and other benefits of Firm Personnel, such as bonuses, car allowances, the booking of a flight or hotel room, loans, pensions, health insurance, life insurance, travel insurance, death-in-service benefits, and disability plans;
- Firm Personnel communications, including authorizing, granting, and administering access to or use of KPMG systems, facilities, devices, and records, including management of email accounts;
- Health, safety, and wellness of our workplace, facilities, and workforce;
- Investigating and resolving complaints, grievances, or misconduct;
- Preparing for and acting in relation to inquiries, investigations, or proceedings by governmental, administrative, judicial, or regulatory authorities or third parties, including civil litigation;
- Audit purposes and complying with policy, procedures, laws, regulations, and professional standards, including performing checks for auditor independence purposes;
- Monitoring Firm Personnel pursuant to our policies and applicable law, including those policies set forth in the Policy Center;
- Improving the delivery or quality of services or technology to KPMG’s clients (including, but not limited to, for software/machine learning, internal analytics, and benchmarking related to those services or technology);
- Alumni updates and post-employment engagement;
- Any other purposes relating to the above.
Sharing and Transfer of Personal Information
We do not share Personal Information with unaffiliated third parties, except as stated in this Privacy Notice, including as necessary for our legitimate professional and business needs, to carry out your requests, to market our services, and/or as required or permitted by law or professional standards, or otherwise with your consent.
In some instances, KPMG may share Personal Information about you with various third-party service providers and vendors working on our behalf, or to help fulfill your requests. These third parties include, for example, providers of administrative, identity management, website hosting, data analysis, data back-up, and security management services. Third parties receiving Personal Information from KPMG are obligated to protect Personal Information in accordance with their contractual obligations and data protection legislation applicable to their provision of services.
KPMG and our service providers also may use aggregated, anonymized data for research and development. As set forth above, anonymized data does not identify you individually but rather helps to identify trends in preferences and behaviors of Firm Personnel at an aggregate level.
KPMG may disclose Personal Information to address or respond to requests of, or guidance provided by, government entities, bodies, or agencies, law enforcement agencies, or other entities or organizations, such as public health agencies, authorized by, or otherwise acting or operating pursuant to the lawful direction or authority of, an international, federal, state, or local governmental body, including to meet national security or law enforcement requirements and for health and safety purposes. We may also disclose Personal Information where disclosure is required by applicable laws, court orders, government regulations, or other legal process, or where we believe disclosure is necessary or appropriate to protect the rights or safety of KPMG, Firm Personnel, or other third parties.
In the event that the ownership of KPMG or an affiliate or their assets changes as the result of a merger, acquisition, or sale of assets, information owned or controlled by KPMG may be transferred to another company. Information may also be shared in connection with the consideration, negotiation, or completion of a corporate transaction in which we are acquired by or merged with another company or we sell, liquidate, assign or transfer all or a portion of our assets. If any such transaction occurs, the purchaser will be entitled to use and disclose the Personal Information collected by KPMG in the same manner that we are able to, and the purchaser will assume the rights and obligations regarding Personal Information as described in this Privacy Notice.
KPMG may also need to disclose certain Personal Information in connection with audits and/or to investigate or respond to a complaint or security threat.
KPMG does not sell Personal Information to any third parties.
Further, Personal Information may be disclosed to the extent necessary for the purposes described in this Notice to the following recipients:
- Departments within KPMG, including Human Resources, Finance, Digital Nexus, and Office of General Counsel, among others;
- Financial institutions, pension plan institutions, insurance companies, consultants, and professional advisors;
- Other service providers, such as payroll administrators, benefits providers and administrators, and information technology systems providers involved in the provision of services to KPMG and/or Firm Personnel;
- Independent public accountants and auditors, authorized representatives of internal control functions, such as audit, legal, and/or firm-wide security;
- Applicable tax authorities.
Cross-Border Collection and Transfer
We may directly collect Personal Information from or about you if you are in a jurisdiction other than the U.S. for purposes of your employment. Similarly, if you are in the U.S., we may transfer outside of the U.S. the Personal Information we collect from or about you. Regardless of where you are, we may transfer certain Personal Information across geographical borders to KPMG International, other member firms affiliated with KPMG International, or to various third party providers working on our behalf, or we may receive Personal Information in the U.S. or elsewhere transferred from another member firm affiliated with KPMG International or an unaffiliated third party. KPMG may also store Personal Information in a jurisdiction other than where you are based, and such jurisdiction may not provide the same level of protection for your Personal Information as your home country. By providing your Personal Information to KPMG, you understand that your Personal Information may be collected, transferred, and/or stored in a jurisdiction other than your home country. Each member firm affiliated with KPMG International is required to safeguard Personal Information of personnel in accordance with its contractual obligations, applicable data protection legislation, policies, and applicable professional standards. Your Personal Information will only be transferred if appropriate or suitable safeguards are in place.
Privacy Shield Frameworks
The following provisions in this section apply only to Firm Personnel who are residents of the European Union and/or United Kingdom:
KPMG complies with the EU-U.S. Privacy Shield (“Privacy Shield”) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information transferred from the European Union and United Kingdom, as applicable, to the U.S. in reliance on Privacy Shield. KPMG has certified to the U.S. Department of Commerce that it adheres to the Privacy Shield Principles with respect to such Personal Information. If there is any conflict between the terms in this Privacy Notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern. Please review our Privacy Shield Statement for information about KPMG’s data practices regarding Personal Information received from the European Union and United Kingdom pursuant to Privacy Shield. To learn more about the Privacy Shield program, and to view our certification, please visit: https://www.privacyshield.gov/.
Following recent decisions invalidating the adequacy of Privacy Shield, we no longer rely on Privacy Shield for cross-border transfers of Personal Information. As stated above, KPMG relies on the direct collection of Personal Information from individuals located outside of the U.S., or we use other bases, such as standard contractual clauses for cross-border transfers of Personal Information from another entity to us, including KPMG International and other member firms affiliated with KPMG International.
KPMG’s participation in Privacy Shield is subject to investigation and enforcement by the Federal Trade Commission. In compliance with the Privacy Shield Principles, KPMG commits to resolve all complaints about our collection or use of your Personal Information. EU or UK individuals with inquiries or complaints regarding our Privacy Shield Statement should first contact Human Resources at us-hrprivacy@kpmg.com.
Should your complaint remain fully or partially unresolved after a review by KPMG, the firm has also committed to refer unresolved privacy complaints under Privacy Shield and the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU Privacy Shield, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit the BBB EU Privacy Shield’s consumer complaint system for more information and to file a complaint. KPMG has further committed to cooperate with the panel established by the EU data protection authorities (“DPAs”) with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU in the context of the employment relationship. Should your complaint remain fully or partially unresolved after a review by KPMG, the BBB, and the DPAs, you may be able, under certain conditions, to invoke binding arbitration to resolve disputes regarding Privacy Shield compliance. For more information about remedies, please refer to Privacy Shield’s Annex I: https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
Rights of Firm Personnel
It is the responsibility of all Firm Personnel to provide the Human Resources Department with accurate Personal Information. If you have provided Personal Information to KPMG, under most circumstances, subject to applicable law, you have the right to reasonable access to that Personal Information to correct any inaccuracies. You can also make a request to update or remove Personal Information about you, and we will make all reasonable and practical efforts to comply with your request, so long as it is consistent with applicable law and professional standards. To request access to or correction, updating, or removal of your Personal Information, please contact Human Resources at us-hrprivacy@kpmg.com.
KPMGConnect.com Alumni Portal
Firm Personnel may enroll in the firm’s alumni community portal, available at KPMGConnect.com (“KPMGConnect”). KPMGConnect is a voluntary social platform to connect Firm Personnel, including retired partners and principals, alumni, and current professionals. This Privacy Notice applies to the collection and processing of Personal Information on KPMGConnect, in conjunction with its Terms of Use. The Personal Information associated with your KPMGConnect profile, including but not limited to your name, address, email address, telephone number, employment history, and your service on corporate boards and advisory councils, is visible to Firm Personnel who are enrolled in KPMGConnect, and may be made available to Firm Personnel upon reasonable request. KPMGConnect further provides registered users with the ability to set privacy preferences through its portal.
Data Security and Integrity
KPMG has, and requires its service providers to have, security policies and procedures in place to help protect Personal Information from unauthorized loss, misuse, alteration, or destruction. Despite KPMG’s efforts, however, security cannot be guaranteed against all threats. We seek to limit access to your Personal Information to those who have a need to know. Those individuals who have access to such information are required to maintain the confidentiality of it. We also make efforts to retain Personal Information only for so long as such information is needed for legitimate business purposes or pursuant to applicable law, provided that we might in certain cases retain Personal Information for longer periods to comply with a data subject’s request to do so, or until the data subject asks that the information be deleted, as permitted by law.
KPMG seeks to limit the collection of Personal Information to information that is relevant for processing purposes. Unless otherwise required or permitted by applicable law, KPMG does not process Personal Information in a way that is incompatible with the purposes for which it is collected or authorized to use.
Links to Other Sites
Please be aware that KPMG websites, applications, and social media platforms may contain links to other sites, including sites maintained by KPMG International and other member firms affiliated with KPMG International, that are not governed by this Privacy Notice, but by other privacy statements that may differ.
KPMG is not responsible for the content or practices of these other sites. We encourage Firm Personnel to review the privacy policy of each website visited before disclosing any Personal Information.
Updates to This Privacy Notice
KPMG may update or modify this Privacy Notice from time to time to reflect our current privacy practices. When we make changes to this Privacy Notice, we will revise the "last updated" date at the top of this page. We encourage you to periodically review this Privacy Notice to be informed about how KPMG is protecting your Personal Information.
Policy Questions and Enforcement
KPMG is committed to protecting the privacy of your Personal Information. If you have questions or comments about our processing of your Personal Information, please contact the Privacy Office at us-privacy@kpmg.com. You may also use the foregoing email address, or contact KPMG’s Ethics and Compliance office at us-eandc@kpmg.com, to communicate any concerns you may have regarding our compliance with this Privacy Notice.