Privacy Statement - Job applicants

Privacy Statement - Job applicants

Last updated April 2024

Bulgarian version

KPMG is dedicated to protecting the confidentiality and privacy of information entrusted to us. We comply with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)and the Bulgarian data protection law. Please read this Privacy Statement to learn what information about job applicants (“job applicants”, “candidates” or “you”) we collect, how we use, share and protect it, your data privacy related rights and other useful information.

1. Who are we?

This Privacy Statement applies to KPMG Audit OOD, Uniform Identification Code 040595851, and KPMG Bulgaria OOD, Uniform Identification Code 121489246, both having its seat and registered address at 45/A Bulgaria Blvd., Sofia 1404, Bulgaria (hereinafter referred to “KPMG” or “we”). Both companies do not act as joint controllers but demonstrate the same attitude to the processing and protection of personal data entrusted to them and apply the same policies and procedures to the processing of personal data.

2. What categories of personal data do we collect?

With regard to your application for employment with us or with our clients, we may collect and process the following categories of personal data:

—   Identification information (such as name, citizenship, date and place of birth);

—   Contact details (such as email, postal address, phone number);

—   Information about your education, skills and professional experience (such as name of educational institution, study periods, years of award and graduate degrees and certificates, professional qualifications and other work-related licenses, participation in training and courses, foreign language proficiency, professional background, including references from current and previous employers or colleagues that you may present);

—   Information collected during the interviews (such as notes taken by the interviewer, test results, results of personality assessment questionnaires with focus on behaviour, aptitudes, personality traits and skills carried out as a part of the recruitment process);

—   Information about your current level of remuneration, including benefit entitlements;

—   Other information included in your application that you deem relevant and have voluntarily provided in your CV, cover letter and/or during the interviews (e.g., employment preferences, willingness to relocate, current salary, desired salary, awards or professional memberships).

If you are a selected candidate for employment we will request additional personal details as required by the applicable law for the purposes of the employment contract execution.

Special categories of personal information

In the initial stages of the recruitment process, we do not seek to collect special categories personal information from you (this is also known as “sensitive personal information”). Special categories of personal information include information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, information concerning health, information concerning a natural person's sex life or sexual orientation.

We may need to collect special categories of personal information from you at a later stage in the recruitment process if local employment law requires us to do so and we, will notify you explicitly of this.

Please do not include any special categories of personal information in your application documents. If you provide us with such information, you agree that we may use it in accordance with the applicable law and this Privacy Statement.

3. How do we collect personal data for recruitment purposes?

  • Directly: We may obtain personal data directly from you upon submission of your CV and supporting documents (such as diplomas, certificates, cover letters, references from employers and colleagues). 
  • Indirectly: We may obtain personal data about you indirectly, using the following sources of information: 
    • Professional networking sites – We may research in professional networking sites (such as LinkedIn) where you have set up a profile in order to obtain information about you which will be relevant for the recruitment purposes. This information may include your name and job position, as well as employment and education details, and depending on your privacy settings, additional details about you. You may review the privacy controls on the applicable service to set how much information you want to share with us. We will not inspect any purely personal social media activities of yours. 
    • Recruitment agencies - We may obtain your personal data from a recruitment agency if we engage such for the recruitment campaign or if you look for a job through such agency. 
    • Employers and colleagues - We may obtain your personal data from references from your current and former employers or colleagues if you provide us with such references or if you provide us with consent to contact such third parties. 
    • KPMG Employees - We may obtain information about you from our employees if they refer you as suitable candidates to the firm. 
    • Research into our own job candidates database – We may look into our own job candidates database in order to carry out extensive research for a suitable candidate for the relevant recruitment campaign if you have provided consent for keeping your details for future vacancies or further job opportunities.


4. Why do we need your personal data?

KPMG may use your personal data for any or all of the following purposes:

  • Carrying out a preliminary selection of candidates whose education and professional experience match the requirements of the position they are applying for;
  • Contacting you in order to request additional information or to schedule an interview;
  • Arranging and conducting an interview for the purposes of assessment of your suitability for the position and assessment of whether your skills, motivation, education and experience meet the requirements of the respective job position, as well as preparation of the relevant internal documentation in the course of the recruitment campaign; 
  • Sending an employment offer if you are considered a suitable candidate;
  • Keeping your data on file for future vacancies or further job opportunities if you have provided consent thereto; 
  • Complying with legal and regulatory obligations, including as licensed employment intermediary.


5. What lawful reasons do we have for processing personal data?

We may rely on the following lawful bases for personal data processing when we collect and use your personal data for recruitment purposes:

  • Legitimate interests  We rely on legitimate interests based on our evaluation that the processing is fair, reasonable and balanced in the following cases:
    • Conducting a recruitment campaign for our own needs – We rely on legitimate interest as a lawful basis for processing your personal data when we conduct a recruitment campaign for our own needs and you apply for the specific job position. In this case our legitimate interest is to find suitable new employees to join our team and ensure you a job if you match the position requirements.
    • Delivering professional recruitment services to our clients – We rely on legitimate interest as a lawful basis for processing your personal data when we deliver professional recruitment services to our clients (License No 2154/01.12.2016) and you apply for the specific job position. In this case our legitimate interest is to help you find a job and help our clients find suitable new employees to join their teams.
    • Protection of our legitimate rights and interests in case of proceedings before courts and state authorities – We rely on legitimate interest as a lawful basis for processing your personal data in cases of claims brought against us e.g. in case of proceedings before the Commission for protection against discrimination or Commission for personal data protection.
  • ConsentWe rely on your consent in the following cases:
    • Submission of your CV to our email – We rely on your consent to processing your data when you submit your CV to our email and wish to join our team without applying for a specific open position.
    • Keeping your data for future vacancies or further job opportunities – We rely on your consent to process your data when your application for specific open position is not successful, but you wish to keep your data on file for future vacancies and further job opportunities.

KPMG normally does not carry out automated decision-making, including profiling, of personal data in the course of conducting recruitment campaigns for its own needs or for the purposes of delivering recruitment services to its clients. If such is being carried out, KPMG undertakes to provide meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing.

6. Are you obliged to provide your personal data to us?

Providing personal information to us is voluntary, but necessary for the recruiting process. You are under no statutory or contractual obligation to provide your personal information to KPMG during the recruitment process. However, if you do not provide sufficient information we may be unable to consider or process your employment application.

7. Do we share personal data with third parties?

We may share personal data with trusted third parties to help us carry out our business activities and deliver efficient and quality services. These third parties are contractually bound to safeguard the data we entrust to them. We may engage with several or all of the following categories of third parties:

  • Potential employers when you apply for a job position advertised as being open at our client and it is necessary for realization of your rights and interests as a participant in the selection process;
  • KPMG member firms, where necessary, for administrative purposes or normal quality performance review or when conducting audits regarding the confidentiality and security of information;
  • Parties that facilitate the administration of our business or support our infrastructure or services (e.g. providers of telecommunication services, postal or transport services, storage and archiving services, maintenance and user support services or disposal of data carriers, cloud-based software services);
  • Our professional advisers, including lawyers;
  • Employment agency when we provide intermediary recruitment services;
  • Courts, law enforcement or other government and regulatory agencies and bodies or to other third parties as required by, and in accordance with, applicable law or regulation;
  • Recruitment agencies;
  • If we are reorganized or sold to another organization: KPMG will typically also disclose personal information in connection with the sale, assignment, or other transfer of the business to which the data relates.

8. Do we transfer your personal data outside the European Economic Area?

We store personal data on servers located in the European Economic Area (EEA). We may transfer personal data to KPMG International Limited, a private English company limited by guarantee, KPMG member firms, and reputable third party organisations situated inside or outside the EEA when we have a business reason to engage these organisations. Each organisation is required to safeguard personal data as either the country where the organization is located is considered an adequate country based on a Decision of the European Commission, or it is obliged by means of contracts we have in place with those organizations outside the EEA, containing standard data protection clauses which are in a form approved by the European Commission.

You may find a complete list of adequate countries here. Upon request we will provide you with additional information about the data protection clauses we use.

9. How long do we retain your personal data?

All documents submitted by and collected from you in the course of the respective recruitment campaign containing your personal data, including but not limited to CVs, certificates, cover letters, test results, etc., will be retained for a period of 6 (six) months upon completion of the campaign in case your application is unsuccessful, unless you have provided consent to keeping your data for future vacancies or further job opportunities. If you provide us with originals or notarized copies of documents during the campaign they will be returned to you within the time limit specified in the previous sentence.

The internal documents created by KPMG with regard to the respective recruitment campaign that may contain your personal data will be retained for a period of 3 (three) years upon completion of the campaign for the purposes of establishment, exercise or defence of legal claims and resolving disputes under the Protection Against Discrimination Act.

Upon your explicit consent KPMG will retain and use your application and supporting documents containing personal data in the course of further recruitment campaigns for a period of 3 (three) years upon submission of your application.

Sometimes KPMG receives personal data from candidates who are interested in working at KPMG without applying for a specific job position, for example by sending a CV to KPMG's official e-mail address or in the cоurse of KPMG's participation in various events (e.g. career days organized by universities and others) in order to promote the activities of the Company and recruit potential staff. In these cases, personal data is processed on the basis of consent given by the job applicant for a period of 3 (three) years upon submission of the application.

All documents that shall be retained on the basis of the Regulation on the terms and conditions for conducting employment intermediation (e.g. contract for intermediation services) will be stored for a period of 5 (years) as required by law.

10. What are your data protection rights and how you can exercise them?

Your data protection rights are highlighted here.

  • Access – You can ask us to verify whether we are processing personal data about you, and if so, to provide more specific information. This is sometimes called “Subject Access Request”.
  • Correction – You can ask us to correct our records if you believe they contain incorrect or incomplete information about you. 
  • Erasure – You can ask us to erase (delete) your personal data after you withdraw your consent to processing or when we no longer need it for the purpose it was originally collected.
  • Processing restrictions – You can ask us to temporarily restrict our processing of your personal data if you contest the accuracy of your personal data, prefer to restrict its use rather than having us erase it, or need us to preserve it for you to establish, exercise, or defend a legal claim. A temporary restriction may apply while verifying whether we
    have overriding legitimate grounds to process it. You can ask us to inform you before we lift that temporary processing restriction.
  • Data portability – In some circumstances, where you have provided personal data to us, you can ask us to transmit that personal data (in a structured, commonly used, and machine-readable format) directly to another company if technically feasible.
  • Object to processing – You can object to our use of your personal data if we are not entitled to use it any more. In these cases we will no longer process your personal data unless we demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
  • Right to Withdraw Consent – You can withdraw your consent that you have previously given to one or more specified purposes to process your personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent. It may mean we are not able to provide certain products or services to you and we will advise you if this is the case. You may withdraw your consent at any time by contacting us at 45/A Bulgaria Blvd., Sofia 1404, Bulgaria or at

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information or to exercise any of your other rights. This helps us to ensure that personal data is not disclosed to any person who has no right to receive it. No fee is required to make a request unless your request is clearly unfounded or excessive. Depending on the circumstances, we may be unable to comply with your request based on other lawful grounds.

In case you wish to exercise any of the rights described above, you may use our template form to contact us at 45/A Bulgaria Blvd., Sofia 1404, Bulgaria or at


If you are not satisfied with the response you receive or if you have any concerns in relation to the processing of your personal data from us, you may escalate your concern to our Privacy Liaison by sending an email to or to contact the Privacy Liaison at 45/A Bulgaria Blvd., Sofia 1404, Bulgaria. We will acknowledge your complaint within 14 days and seek to resolve your concern within one month of receipt. Where the concern is complex or we have a large volume of concerns, we will notify you that the concern will take longer than one month to resolve, and we will seek to resolve your concern within three months of the concern being first raised.

If you believe that KPMG has not complied with your data protection rights, you always have the right to lodge a complaint with the Commission for Personal Data Protection of the Republic of Bulgaria and to report concerns you may have about our data handling practices at:

Postal address:           2 Prof. Tsvetan Lazarov Blvd., Sofia 1592       

Phone number:            +359 (2) 91-53-518

Email address:  

Internet address:

11. What about personal data security?

We have put appropriate technical and organisational security measures in place to protect personal data (including sensitive personal data) from loss, misuse, alteration or destruction. We aim to ensure that access to your personal data is limited only to those who need to access it. Those individuals who have access to the data are required to maintain the confidentiality of such information. We may apply pseudonymisation, de-identification and anonymisation techniques in efforts to further protect personal data.

12. Do we change this Privacy Statement?

We regularly review this Privacy Statement and will post any updates to it on this webpage. When we make amendments to this privacy statement, we will revise the “updated” date at the top of this page. This privacy statement was last updated April 2024.

Any changes to the processing of personal data as described in this privacy statement affecting you will be communicated to you through an appropriate channel, depending on how we normally communicate with you.