Compilation preserves exact KPMG personnel data privacy notice and international policy
KPMG’s firm personnel notice is published on kpmg.com and directs data requests to the U.S. Confidentiality & Privacy Office at us-privacy@kpmg.com; the network policy was last reviewed January 2019.

KPMG’s firm-level personnel privacy notice is posted on kpmg.com and operates alongside a KPMG International policy that carries a Document Classification - KPMG CONFIDENTIAL stamp and was last reviewed in January 2019 to reflect the network’s proposed adoption of Binding Corporate Rules. Both documents state their shared purpose is the protection and handling of personnel personal data across collecting, processing, storing, transferring and disclosure activities.
The firm notice opens by name: “KPMG LLP (‘KPMG’) is dedicated to protecting the confidentiality and privacy of information entrusted to it, including Personal Information (also known as ‘personal data,’ ‘Personally Identifiable Information,’ or ‘PII’).” The notice is titled “This Firm Personnel Data Privacy Notice (‘Data Privacy Notice’)” and states it “aims to give Firm Personnel (as defined below) information on how their Personal Information (as defined below) is collected, processed, used, and retained by KPMG.”
Scope language in the firm notice lists who is covered: Firm Personnel includes “current and former partners, principals, employees, directors, officers, interns, and Third Party Personnel.” The documents use parallel but not identical terminology for personal data: the firm notice defines “Personal Information” as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could [...]” while the international Policy defines “Individual” as “any identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by [...]”; both excerpts provided to this compilation are truncated with ellipses.
Operational responsibilities and rights are spelled out at firm level. “It is the responsibility of all Firm Personnel to provide the Talent & Culture Department with accurate Personal Information.” The notice sets out access and correction rights: “If you have provided Personal Information to KPMG, under most circumstances, subject to applicable law, you have the right to reasonable access to that Personal Information to correct any inaccuracies.” It adds that employees may request updates or removal: “You can also make a request to update or remove Personal Information about you, and we will make all reasonable and practical efforts to comply with your request, so long as it is consistent with applicable law and professional standards.”
Practical contact routes for exercising those rights are explicit. “To make a Data Privacy Request, please contact the U.S. Confidentiality & Privacy Office by: Submitting a Data Privacy Request through our webform; or E-mailing us-privacy@kpmg.com.” That U.S. office is the named operational touchpoint in the firm notice.
Security commitments and caveats appear in the firm text. “KPMG has, and requires its service providers to have, security policies and procedures in place to help protect Personal Information from loss, destruction, and unauthorized access, disclosure, transfer, use, or modification.” The notice also acknowledges limits: “Despite KPMG’s efforts, however, security cannot be guaranteed against all threats.” The firm reiterates access controls: “We seek to limit access to your Personal Information to those who have a need to know. Those individuals who have access to such information are required to maintain its confidentiality.”
At network level the Policy frames governance through principles. Section header “3.4 KPMG’s Ten Principles for Handling Personal Data as a Controller” appears in the excerpt and the first principles are quoted: “Transparency: KPMG Firms will provide individuals with information about how we process their Personal Information to the extent necessary to ensure that processing is fair.” “Purpose limitation: KPMG Firms will only process Personal Information for the purposes (i) set out in any notice made available to the relevant individuals which are relevant to KPMG; (ii) as required by law or (iii) where consented to by the relevant individuals.” “Data quality and proportionality: Personal Data should be kept accurate and where necessary, up to” (truncated).
Gaps remain in the excerpts provided: the firm text omits a complete list of data categories and timelines, the Policy excerpt contains only the first three of the ten principles and truncated definitions, and there is no full Binding Corporate Rules text or confirmation whether those rules were adopted after January 2019. For KPMG personnel the concrete takeaway is clear: the firm posts a personnel Data Privacy Notice on kpmg.com, directs requests to the U.S. Confidentiality & Privacy Office at us-privacy@kpmg.com, and operates under an international Policy labeled KPMG CONFIDENTIAL that was reviewed in January 2019 in connection with proposed Binding Corporate Rules.

