Whistleblowing Hotline - Privacy Notice

The Belgian KPMG entity^[1] responsible for the relevant whistle-blowing hotline (hereafter referred to as “KPMG”) processes your personal data, in its capacity as controller, in accordance with the applicable European privacy legislation (including the General Data Protection Regulation 2016/679 - hereafter referred to as the “GDPR”), the national privacy legislation (including but not limited to the Belgian Law of 30 July 2018 concerning the protection of natural persons with regard to the processing of personal data - hereafter referred to as the “Privacy Law”), the Belgian Law of 28 November 2022 on the protection of reporters of breaches of Union or national law established within a legal entity in the private sector (hereafter referred to as the “Law”) and all applicable related jurisprudence and guidelines.

KPMG may process the following personal data:

• Contact details (such as first name, last name, e-mail address, phone number);
• Personal information (such as gender);
• Professional information (such as the enterprise/organization you work for, your title/function);
• Special categories of personal data (such as racial or ethnic origin, religious or philosophical beliefs, medical or health information, sexual orientation, sex life);
• Personal data relating to criminal convictions and offences;
• And/or any other information that may be provided to KPMG through the relevant KPMG reporting channel (hereafter referred to as the “Hotline”).

KPMG may collect the personal data that you provide through the Hotline and for which you shall remain solely responsible. KPMG may also obtain personal data pertaining to you from other persons, within or outside the Belgian KPMG network, in the framework of the Hotline and its subsequent investigations, where applicable.

KPMG processes this personal data with regard to the general principles of the GDPR, as enshrined in Article 5 of the GDPR and as further explained in this Privacy Notice. 

KPMG processes your personal data to handle the report received through the Hotline, which might include conducting the necessary investigations, as further described in the “Whistleblowing Hotline pages” on KPMG’s website. 

Depending on the nature of the matter being reported and/or the category of personal data laid down in the report, KPMG may rely on the following legal grounds to process your personal data:

• If the processing involves personal data (e.g. first name, last name, e-mail address, phone number, function, etc.) within the meaning of Article 4.1 of the GDPR, the processing of personal data is necessary to comply with our legal obligation pursuant to the Law in accordance with Article 6.1, c) of the GDPR, to the extent the matter being reported falls within the scope of the Law;
• If the matter being reported does not fall within the scope of the Law, the processing of personal data is necessary for the purpose of the legitimate interest pursued by KPMG, in accordance with Article 6.1 f) of the GDPR (see also Article 5 of the “Whistleblowing Hotline pages” on KPMG’s website); 
• The report may involve special categories of personal data, also known as sensitive personal data, (e.g. data regarding ethnic origin, data regarding sexual orientation, etc.) within the meaning of Article 9 of the GDPR. The processing of these types of personal data is necessary to comply with our obligations pursuant to employment and social security and social protection law (including but not limited to the Law), in accordance with Article 9.2, b) of the GDPR; 
• The report may also involve personal data relating to criminal offenses and convictions within the meaning of Article 10 of the GDPR. The processing of this data is necessary to comply with our obligations pursuant to Belgian legislations (including but not limited to the Law), in accordance with Article 10 of the GDPR juncto Article 10.3 of the Privacy Law. 

Your personal data will be processed by the persons responsible for receiving and handling the report, including persons conducting investigations and deciding upon actions where required.

Your personal data will be shared with a third-party supplier, acting as processor, for providing and operating the web-based tool to report to the Hotline.

Depending on the nature of the matter being reported and/or the outcome of the investigations conducted, (some of) your personal data may also be disclosed with other persons, within or outside the KPMG network. In such cases, the disclosure of your personal data will be restricted to what is strictly necessary for the purpose of such communication. Please note that the identity of the reporting person, the person against whom an allegation has been made or with whom that person is associated, and any other person mentioned in the report shall not be disclosed, except in certain exceptional circumstances (such as with the prior explicit consent of that person or as required by special legislation and/or legal proceedings). 

Your personal data will be processed in the European Economic Area and in Canada, where the web-based tool to report to the Hotline is hosted and operated.

All personal data transferred to and further processed in Canada will be protected by an appropriate safeguard within the meaning of the GDPR i.e., the adequacy decision granted by the European Commission for the processing activities subject to the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”).

KPMG will not keep your personal data longer than necessary for the purposes for which they have been collected or otherwise processed. The retention time will depend on the nature of the matter being reported and the outcome of the investigations triggered by the report.

KPMG will keep records of every report received that is within the scope of the Law for the duration of the contractual relationship between the reporting person and the relevant KPMG entity in Belgium.

Certain personal data (i.e. name, function, contact details and where applicable, company number) will be kept until the reported matter has reached its statute of limitations.  

You have the right to access, rectify and erase your personal data as well as to restrict or object the processing of your personal data. Besides that, you have the right to data portability. You also have the right to withdraw your consent at any moment. The withdrawal of your consent shall not affect the lawfulness of processing based on your consent before its withdrawal. Furthermore, you have the right to object at any time to processing of your personal data for direct marketing purposes.

You can exercise these rights by filling out this form and we will make all reasonable and practical efforts to comply with your request, so long as it is consistent with applicable law and professional standards. Please note that in some exceptional circumstances the exercise of your rights might be restricted where required by applicable law e.g., to safeguard the investigation, detection and/or prosecution of criminal offences or breaches of ethics for regulated professions.

You also have the right to lodge a complaint with the Belgian Data Protection Authority should any of your rights be violated:

Address: Drukpersstraat 35, 1000 Brussels
E-mail: contact@apd-gba.be
Tel: +32 (0)2 274 48 00 / +32 (0)2 274 48 35

For the sake of completeness, your personal data will be processed in accordance with KPMG’s Privacy Statement. 

***

* KPMG may modify this Privacy Notice from time to time. When KPMG makes changes to this notice, KPMG will revise the "updated" date at the top of this page. KPMG encourages you to periodically review this Privacy Notice to be informed about how KPMG is protecting your personal data.