Firm Personnel Data Privacy Notice

Last updated October 10, 2023

KPMG LLP¹ (“KPMG”) is dedicated to protecting the confidentiality and privacy of information entrusted to it, including Personal Information (also known as “personal data,” “Personally Identifiable Information,” or “PII”). This Firm Personnel Data Privacy Notice (“Data Privacy Notice”) aims to give Firm Personnel (as defined below) information on how their Personal Information (as defined below) is collected, processed, used, and retained by KPMG. For the purposes of this Data Privacy Notice: (i) “Firm Personnel” includes current and former partners, principals, employees, directors, officers, interns, and Third Party Personnel[1] of KPMG; and (ii) “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Firm Personnel, or a particular household that Firm Personnel is a member of. Please review this Data Privacy Notice to learn about how we collect, use, share, and protect Firm Personnel’s Personal Information

Collection and Use of Personal Information

KPMG’s collection of Personal Information from and about Firm Personnel is necessary in order for KPMG to fulfill its legal, professional, and contractual obligations, and for the performance of current and former partnership or employment relationships, as applicable. Therefore, the failure by any Firm Personnel to provide Personal Information, in whole or in part, could prevent KPMG from fulfilling some or all of its obligations regarding the partnership or employment relationship, or as may be required under contract, applicable law, or our professional standards, including, but not limited to, obligations related to auditor independence rules, payroll, social security contribution, tax, and insurance.

KPMG may process the following types of Personal Information, including Sensitive Personal Information (as defined below), for the purposes set out in this Data Privacy Notice, and subject to and in accordance with applicable law:

• Identifiers, which may include: your name, address, e-mail address, phone number, and other contact details; usernames and passwords; social security number and national identity number, driver’s license number, passport number, or other government-issued identification number;
• Commercial and financial information, which may include: your bank account information and other information relating to your financial institution; credit applications, credit checks, and information from credit reporting agencies; and brokerage account information;
• Professional or employment-related information, which may include: information regarding your current and previous employers; job title and responsibilities; assets; income; and/or other information related to your work history and/or prospective employment; compensation, bonus or incentive information and social security premiums (including amounts paid, the frequency and currency of payments); benefits information (e.g., car allowance, health insurance, pension contributions) (including amounts paid, the frequency and currency of payments); records of your work history (including internal and external work history, references, and civil and criminal background checks); participation on corporate boards or advisory councils; records of your performance (including evaluations and ratings, grievances, and disciplinary records); information relating to absences from work; general organizational data (such as your department, work location, job title, and seniority);
• Education information, which may include: academic records, degrees, and educational history;
• Biometric information, which may include: signatures; fingerprints; facial scans, voice recognition information, genetic information, and/or other similar biometric identifiers;
• Information relating to Internet activity or other electronic network, application, and systems activity, which may include: cookie identifiers, clear gifs, browser type, Internet service provider (ISP), Internet Protocol (IP) addresses, media access control (MAC) addresses, referring/exit pages, operating system, date/time stamp, clickstream data, device platform, device version, and/or other device characteristics including your choice of settings such as Wi-Fi, Bluetooth, and Global Positioning System (GPS) data; usage data; and other, similar Personal Information collected for monitoring purposes, or other purposes pursuant to any KPMG policy, in relation to your interaction with KPMG’s networks, applications, and systems, including badge swipes to KPMG’s workplaces, hoteling, training, messaging and calendaring, mobile device management, and remote access;
• Geolocation data, which may include: GPS data, locational information based upon your IP address, cell network data, and/or other similar locational data;
• Audio, electronic, or visual information, which may include: records of calls to or from our service or support centers; and/or audio or video information recorded for surveillance or training purposes, during meetings (virtual or in person), or at firm events/town halls;
• Information not listed above and related to characteristics protected under applicable state or federal law, which may include: gender, race and ethnicity, nationality, marital status, disability, military service or veteran status, and/or date of birth;
• Inferences about you, which may include preferences and characteristics and other information we may infer from other Personal Information we have collected;
• Other Personal Information not listed above and defined in applicable law(s), which may include: insurance policy number; bank account number, credit card number, debit card number, and other financial information; and health or medical information and health insurance information; and
• Other information voluntarily disclosed by you to us, or collected or generated by KPMG in connection with your partnership or employment relationship or the related activities in which you participate on account of your relationship with KPMG.

KPMG may process Sensitive Personal Information (as defined below) if and to the extent such processing is: (i) necessary for compliance with applicable law; (ii) specifically authorized or required by law; or (iii) of Sensitive Personal Information that is voluntarily shared by any Firm Personnel with KPMG. What constitutes Sensitive Personal Information may vary by law, but for the purposes of this Data Privacy Notice, “Sensitive Personal Information” is Personal Information is that may reveal an individual’s person's race, ethnicity, political beliefs, trade union membership, religious or similar beliefs, physical or mental health, biometrics, precise geolocation, sexual orientation or criminal record.

We may create de-identified or anonymized data from Personal Information by removing data components that make the data personally identifiable to you, or through obfuscation or other means. Our use of de-identified or anonymized data is not subject to this Data Privacy Notice.
 

Collection and Use of Personal Information of Family Members of Firm Personnel

KPMG may also collect certain information from or regarding the spouses, partners, dependents, and other household members of Firm Personnel, excluding Third Party Personnel (“Family Members”), such as emergency contact details and contact information and information in connection with the administration of health, medical, or other employment benefits. In addition, to comply with federal law, regulations, and professional standards, KPMG is required to collect certain information from or regarding Family Members of Firm Personnel, including certain financial information, such as brokerage account information, and certain Personal Information that we require to fulfill our obligations under applicable professional standards and laws, including, without limitation, auditor independence rules. KPMG’s collection and processing of Personal Information of Family Members of Firm Personnel is subject to KPMG’s external Privacy Statement.
 

Purposes of Processing Personal Information

• Personal Information may be processed by KPMG for the purposes set out below:
• Managing the recruitment, onboarding, and retention of Firm Personnel;
• Administering human resource functions, including performance reviews and appraisals, personal time off, including, without limitation, sickness leave, training, internal directories and organizational charts, internal communications, professional development and continuing education tracking, social and cultural activities directly implemented by KPMG and dealing with disciplinary action, termination, and retirement of Firm Personnel;
• Planning and staffing client engagements, including, without limitation, providing resumes and descriptions of work experience and qualifications to clients and potential clients;
• Administering payroll, or partner drawing accounts and partner statements, the reimbursement of expenses, the payment of remuneration and other benefits of Firm Personnel, such as bonuses, car allowances, the booking of a flight or hotel room, loans, pensions, health insurance, life insurance, travel insurance, death-in-service benefits, and disability plans;
• Communicating with Firm Personnel and emergency contacts;
• Authorizing, granting, and administering access to or use of any KPMG IT  Resources (including firm-issued laptops, firm-managed personal devices, and e-mail accounts), workplaces (including offices and facilities), and firm records;
• Health, safety, and wellness of our workplace and workforce;
• Investigating and resolving complaints, grievances, or misconduct;
• Preparing for and acting in relation to inquiries, investigations, or proceedings by governmental, administrative, judicial, or regulatory authorities or third parties, including civil litigation;
• Audit purposes and complying with policy, procedures, laws, regulations, and professional standards, including performing checks for auditor independence purposes;
• Monitoring Firm Personnel pursuant to our policies and applicable law, including those policies set forth in the Policy Center and the Acceptable Use Policy;
• Improving the delivery or quality of services or technology for KPMG and its clients (through the use of artificial intelligence, machine learning, internal analytics, and benchmarking related to those services or technology);
• Alumni updates and post-employment engagement; and
• Any other purposes relating to the above.
   

Sharing and Transfer of Personal Information

We do not share Personal Information with unaffiliated third parties, except as stated in this Data Privacy Notice, including as necessary for our legitimate professional and business needs, to carry out your requests, to market our services, and/or as required or permitted by law or professional standards, or otherwise with your consent.

In some instances, KPMG may share Personal Information about you with various third-party service providers working on our behalf, or to help fulfill your requests. These third parties include, for example, providers of administrative, identity management, website hosting, data analysis, data back-up, and security management services. Third parties receiving Personal Information from KPMG are obligated to protect Personal Information in accordance with their contractual obligations and data protection legislation applicable to their provision of services.

Our service providers also may use aggregated, deidentified or anonymized data for improving the delivery or quality of services or technology, among other lawful uses and for research and development. As set forth above, de-identified or anonymized data does not identify you individually but rather helps to identify trends in preferences and behaviors of Firm Personnel at an aggregate level.

KPMG may disclose Personal Information to address or respond to requests of, or guidance provided by, government entities, bodies, or agencies, law enforcement agencies, or other entities or organizations, such as public health agencies, authorized by, or otherwise acting or operating pursuant to the lawful direction or authority of, an international, federal, state, or local governmental body, including to meet national security or law enforcement requirements and for health and safety purposes. We may also disclose Personal Information where disclosure is required by applicable laws, court orders, government regulations, or other legal process, or where we believe disclosure is necessary or appropriate to protect the rights or safety of KPMG, Firm Personnel, or other third parties.

In the event that the ownership of KPMG or an affiliate or their assets changes as the result of a merger, acquisition, or sale of assets, information owned or controlled by KPMG may be transferred to another company. Information may also be shared in connection with the consideration, negotiation, or completion of a corporate transaction in which we are acquired by or merged with another company or we sell, liquidate, assign or transfer all or a portion of our assets. If any such transaction occurs, the purchaser will be entitled to use and disclose the Personal Information collected by KPMG in the same manner that we are able to, and the purchaser will assume the rights and obligations regarding Personal Information as described in this Data Privacy Notice.

KPMG may also need to disclose certain Personal Information in connection with audits and/or to investigate or respond to a complaint or security threat.

KPMG neither sells Firm Personnel’s Personal Information to any third parties nor shares Firm Personnel’s Personal Information with any third parties for cross-context behavioral advertising.

Further, Personal Information may be disclosed to the extent necessary for the purposes described in this Notice to the following recipients:

• Departments within KPMG, including, Talent & Culture, Finance & Accounting, Digital Nexus, Risk Management, and Legal, Regulatory & Compliance, among others;
• Financial institutions, pension plan institutions, insurance companies, consultants, and professional advisors;
• Other service providers, such as payroll administrators, benefits providers and administrators, and information technology systems providers involved in the provision of services to KPMG and/or Firm Personnel;
• Independent public accountants and auditors, authorized representatives of internal control functions, such as audit, legal, and/or firm-wide security;
• KPMG International or other member firms affiliated with KPMG International; and
• Applicable tax authorities.
   

Cross-Border Collection and Transfer

We may collect Personal Information from or about you if you are in a jurisdiction other than the U.S. for purposes of your employment or relationship with KPMG. Similarly, if you are in the U.S., we may transfer outside of the U.S. the Personal Information we collect from or about you. Regardless of where you are located, we may transfer certain Personal Information across geographical borders to KPMG International, other member firms affiliated with KPMG International or to various third-party providers working on our behalf, or we may receive Personal Information in the U.S. or elsewhere transferred from KPMG International, another member firm affiliated with KPMG International or an unaffiliated third party. KPMG may also store Personal Information in a jurisdiction other than where you are based, and such jurisdiction may not provide the same level of protection for your Personal Information as your home country. By providing your Personal Information to KPMG, you understand that your Personal Information may be collected, transferred and/or stored in a jurisdiction other than your home country. Each member firm affiliated with KPMG International is required to safeguard Personal Information in accordance with its contractual obligations and data protection legislation applicable to its provision of services. Your Personal Information will only be transferred if appropriate or suitable safeguards are in place.
 

Data Privacy Framework

The following provisions in this section apply only to Firm Personnel who are residents of European Economic Area member countries and the United Kingdom.

KPMG complies with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce. KPMG has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regards to the processing of Personal Information received from the European Union in reliance on the EU-U.S. If there is any conflict between the terms in this Data Privacy Notice and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (“DPF”) program, and to view our certification page, please visit https://www.dataprivacyframework.gov/.

For more details, please review the KPMG LLP Data Privacy Framework Policy, which applies to Personal Information transferred from member countries of the European Economic Area and the United Kingdom (including Gibraltar), pursuant to the DPF.

The Federal Trade Commission has jurisdiction over KPMG’s compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. In compliance with the DPF, KPMG commits to resolve EU-U.S. DPF Principles-related complaints about our collection and use of your Personal Information. EEA or UK individuals with inquires or complaints regarding our handling of Firm Personnel’s Personal Information received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, should first contact Talent & Culture by e-mailing us-hrprivacy@kpmg.com. Third Party Personnel may address questions by first contacting the Contingent Workforce Center of Excellence at US-HR-CWO@kpmg.com.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, KPMG commits to refer unresolved complaints concerning our handling of Personal Information received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF to the BBB NATIONAL PROGRAMS, an independent, alternative dispute resolution provider based in the U.S. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit www.bbbprograms.org/dpf-complaints for more information or to file a complaint. The services of BBB NATIONAL PROGRAMS are provided at no cost to you.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, KPMG further commits to cooperate and comply (respectively) with the advice of the panel established by the EU data protection authorities (“DPAs”), the UK Information Commissioner’s Office (“ICO”), and the Gibraltar Regulatory Authority (“GRA”), with regard to unresolved complaints concerning our handling of Firm Personnel’s Personal Information received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF in the context of the employment relationship. If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may be able to invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf for further information.
 

Rights of Firm Personnel

It is the responsibility of all Firm Personnel to provide the Talent and Culture Department with accurate Personal Information. If you have provided Personal Information to KPMG, under most circumstances, subject to applicable law, you have the right to reasonable access to that Personal Information to correct any inaccuracies. You can also make a request to update or remove Personal Information about you, and we will make all reasonable and practical efforts to comply with your request, so long as it is consistent with applicable law and professional standards.

Furthermore, the firm will retain Personal Information subject to any record retention requirements set forth in the Enterprise Retention Schedule and the U.S. Risk Management Manual. Your Personal Information may also be subject to preservation requirements and in accordance with the firm’s Preservation Guidelines.

To make a Data Privacy Request, please contact us by:

• Submitting a Data Privacy Request through our webform; or
• E-mailing us-privacy@kpmg.com.

In addition, you may make corrections to certain Personal Information that you provide to the firm via Self Service Connection.
 

Rights of Firm Personnel Residing in California

The California Consumer Privacy Act, as amended and including its regulations, (“CCPA”), grants rights to Firm Personnel, who are California residents, with regard to their Personal Information. If you are a California resident, the following explains your CCPA rights and our Personal Information practices as applicable.

For purposes of the CCPA, “Personal Information”, “Sensitive Personal Information”, and other terms below have the meaning defined in the CCPA.

Our Personal Information collection practices, including during the preceding 12 months, are identified above.

If you are a California resident, you have the right to request the following:

• The categories of Personal Information we collected about you in the last 12 months;
• The categories of sources from which that Personal Information was collected in the last 12 months;
• Our business or commercial purpose for collecting or selling or sharing (as such terms are defined under the CCPA) that Personal Information in the last 12 months;
• The categories of third parties with whom we shared that Personal Information in the last 12 months;
• The categories of that Personal Information we sold or shared for cross-context behavioral advertising in the last 12 months;
• The categories of third parties to whom we sold that Personal Information in the last 12 months;
• The categories of Personal Information we disclosed for a business purpose in the last 12 months;
• The categories of third parties to whom we disclosed that Personal Information for a business purpose in the last 12 months;
• The specific pieces of your Personal Information we collected in the last 12 months;
• The correction of Personal Information that we maintain about you,
• The deletion of Personal Information that we have collected from you;
• To limit or restrict the use of your Sensitive Personal Information; and
• To opt-out (or opt-in for children under 16) to the sale or sharing of your Personal Information.

To exercise any of your rights, please contact us by:

• Submitting a Data Privacy Request through our webform; or
• E-mailing us-privacy@kpmg.com.

In addition, you may make corrections to certain Personal Information that you provide to the firm via Self Service Connection.

We will respond to authorized and verified requests as soon as practicable and as required by law, including any reason for denying or restricting a request. The above rights are subject to various exclusions and exceptions under firm policies and applicable laws (including professional standards), and under certain circumstances we may be unable to fulfill your request. The firm will retain Personal Information subject to any record retention requirements set forth in the Enterprise Retention Schedule and the U.S. Risk Management Manual. Your Personal Information may also be subject to preservation requirements and in accordance with the firm’s Preservation Guidelines.

You may authorize someone to exercise the above rights on your behalf. If we have collected information about your Family Members, including minor children, you may exercise the above rights on behalf of your Family Members.

Note, KPMG neither sells Firm Personnel’s Personal Information to any third parties nor shares Firm Personnel’s Personal Information with any third parties for cross-context behavioral advertising.
 

KPMGConnect Alumni Portal

Current and former partners, principals, and employees may enroll in the firm’s alumni community portal, available at KPMGConnect.com (“KPMGConnect”). KPMGConnect is a voluntary social platform to connect firm professionals. This Data Privacy Notice applies to the collection and processing of Personal Information on KPMGConnect, in conjunction with its Terms of Use. The Personal Information associated with your KPMGConnect profile, including but not limited to your name, address, e-mail address, telephone number, employment history, and your service on corporate boards and advisory councils, is visible to professionals who are enrolled in KPMGConnect, and may be made available upon reasonable request. KPMGConnect provides registered users with the ability to set privacy preferences through its portal settings.
 

Data Security and Integrity

KPMG has, and requires its service providers to have, security policies and procedures in place to help protect Personal Information from unauthorized loss, misuse, alteration, or destruction. Despite KPMG’s efforts, however, security cannot be guaranteed against all threats. We seek to limit access to your Personal Information to those who have a need to know. Those individuals who have access to such information are required to maintain the confidentiality of it. We also make efforts to retain Personal Information only for so long as such information is needed for legitimate business purposes or pursuant to applicable law, provided that we might in certain cases retain Personal Information for longer periods to comply with a data subject’s request to do so, or until the data subject asks that the information be deleted, as permitted by law.

KPMG seeks to limit the collection of Personal Information to information that is relevant for processing purposes. Unless otherwise required or permitted by applicable law, KPMG does not process Personal Information in a way that is incompatible with the purposes for which it is collected or authorized to use.
 

Links to Other Sites

Please be aware that KPMG websites, applications, and social media platforms may contain links to other sites, including sites maintained by KPMG International and other member firms affiliated with KPMG International, that are not governed by this Data Privacy Notice, but by other privacy statements that may differ. KPMG is not responsible for the content or practices of these other sites. We encourage Firm Personnel to review the privacy policy of each website visited before disclosing any Personal Information.
 

Updates to This Data Privacy Notice

KPMG may update or modify this Data Privacy Notice from time to time to reflect our current privacy practices. When we make changes to this Data Privacy Notice, we will revise the "last updated" date at the top of this page. We encourage you to periodically review this Data Privacy Notice to be informed about how the firm is protecting your Personal Information.
 

Policy Questions and Enforcement

KPMG is committed to protecting the privacy of your Personal Information. If you have questions about our privacy practices, please contact the U.S. Privacy Office at us-privacy@kpmg.com. You may also use the foregoing email address, or contact KPMG’s Ethics and Compliance Office at us-eandc@kpmg.com, to communicate any concerns you may have regarding our compliance with this Data Privacy Notice.

1. “KPMG,” “we,” “our,” and “us” refers to KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited (“KPMG International”), a private English company limited by guarantee. KPMG International and its related entities do not provide services to clients.
2. “Third Party Personnel” means “Individual(s) engaged with KPMG through a third party,” including Contractor Personnel, as such terms are defined in Ch. 16 of the U.S. Risk Management Manual. Note, if the data privacy terms in a Third Party Personnel’s agreement with KPMG conflict with this Data Privacy Notice, the terms of the agreement will prevail. Any additional questions may be addressed by contacting the Contingent Workforce Center of Excellence at US-HR-CWO@kpmg.com.