Last updated 8 June 2023
This privacy statement explains how we handle the information that we collect, including personal information, and how we comply with the requirements of applicable privacy laws, including the New Zealand Privacy Act 2020 (‘Privacy Act’). We may use personal information provided to us for any of the purposes described in this privacy statement or as otherwise stated at the point of collection.
In this privacy statement, ‘KPMG’, ‘we’, ‘us’, and ‘our’ are references to KPMG, a New Zealand partnership, and include its controlled entities carrying on business in New Zealand and the Cook Islands. ‘You’ and ‘your’ refer to the individual who is the subject of the personal information.
KPMG may modify this privacy statement at any time by publishing an updated version on this webpage.
- 1. Collection and use of personal information
- 2. Sharing and transfer of personal information
- 3. Security and retention of personal information
- 4. General Data Protection Regulation
- 5. Links to other sites
- 6. Your privacy rights
- 7. Our controller and processor status
- 8. How to contact us
- 9. Changes to this privacy statement
Automatic collection of personal information
1. Collection and use of personal information
1.1. Personal information we collect
Personal information (or personal data) is any information about an identifiable individual. Processing is how we sometimes refer to the handling, collecting, protecting or storing of personal information.
We collect, hold and process personal information from actual and prospective clients, suppliers, employees, job applicants, contractors and other individuals. We collect and hold this information for our necessary business purposes.
The type of personal information we collect, hold and process includes:
- Contact details (e.g. names, addresses, telephone numbers, email addresses and job titles).
- Professional details (e.g. job and career history, educational background and professional memberships, published articles, social media details).
- Family and beneficiary details for insurance and planning services (e.g. names and dates of birth).
- Financial information (e.g. tax, payroll, investment interests, superannuation, assets, bank details, insolvency records).
- Identification documents (e.g. passport, driver’s licence, tax file number or other government-issued identification numbers) and additional information required to verify your identity (e.g. where you ask us to provide a service that is a designated activity under applicable anti-money laundering laws and regulations).
- CCTV at our sites may collect images of visitors.
- General user information and location-based data such as internet protocol addresses, browser type and internet service provider details and other technical information when you visit our associated websites.
We generally do not intend to collect, and we ask you not to submit, any special categories of personal information. Special categories of personal information include information about an individual’s race or ethnic origin, political opinions or affiliations, religious or philosophical beliefs, trade union membership, physical or mental health, genetic data, biometric data that uniquely identifies someone, sexual orientation and criminal records.
If you choose to provide special categories of personal information about yourself to us for any reason, the act of doing so constitutes your explicit consent (where such consent is necessary and where obtaining such consent in such manner is permitted under applicable law), for us to collect and use that information as necessary in the ways described in this privacy statement or as described at the point you choose to disclose this information.
Due to the nature of our business, it is generally impracticable for us to deal with individuals on an anonymous basis or through the use of a pseudonym, although sometimes this is possible (e.g. when seeking client or staff feedback generally).
1.2. Lawful reasons for processing personal information
We may rely on the following lawful reasons when we collect and use personal information to operate our business and provide our products and services:
- Contract – We may process your personal information in order to perform our contractual obligations to the relevant individuals.
- Legitimate interests – We may rely on legitimate interests based on our evaluation that the processing is fair, reasonable and balanced. These may include:
  - Delivering services to you and our other clients – To deliver the professional services our clients have engaged us to provide including information on new products and services.
  - Marketing – Where permitted by law, to conduct and analyse our marketing activities and conduct surveys. To deliver timely market insights and speciality knowledge including a tailor-made online experience we believe is welcomed by our clients, subscribers and individuals who have interacted with us.
  - Maintaining the security of our and our client’s data, our IT systems and physical security – To prevent fraud, criminal or other unlawful activity, protect our and our client’s data, our IT systems and premises.
  - Corporate responsibility – To comply with our corporate and corporate social responsibility commitments, such as inclusion and diversity and managing our supply chain.
- Legal obligations – We may process personal information in order to meet our legal and regulatory obligations or mandates, as reasonably necessary, such as assisting a law enforcement agency or an agency responsible for national security in the performance of their functions, or to enforce or protect our legal rights, or those of our clients and others.
- Public Interest – Where permitted by law, we may process personal information in order to perform a specific task in the public interest.
- Vital Interests – We may process personal information to protect the vital interests of the individual or another natural person, such as to prevent or lessen a serious threat to the life or health of the person.
- Legal claims – We may process personal information where it is necessary for us to establish, exercise or defend a legal claim.
- Employment and social protection law – We may process data to carry out our obligations and exercise our or your rights in the field of employment and social protection law.
- Consent – Where no other processing condition is available or where specifically required by applicable law, if you have agreed to us processing your personal information for the relevant purpose.
1.3. Why we need personal information
We aspire to be transparent when we collect, hold and process personal information and tell you why we need it, which typically includes the following primary purposes:
- Providing professional advice and delivering reports related to our tax, advisory, audit and assurance and other professional services. Our services may include reviewing client files for quality assurance purposes, which may involve processing personal information for the relevant client.
- Promoting our professional services, products and capabilities to existing and prospective clients.
- Sending invitations and providing access to guests attending our events and webinars or our sponsored events.
- Personalising online landing pages and communications we think would be of interest, based on interactions with us and KPMG member firms.
- Security, quality and risk management activities – We have security measures in place to protect our information and information systems and our client’s information (including personal information), which involves detecting, investigating and resolving security threats. This may include:
- Automated scans to identify harmful emails.
- Monitoring the services provided to clients for risk and quality purposes, which may involve processing personal information stored on the relevant client file.
- Carrying out conflict and risk searches to ensure there are no issues that would prevent us from working with a particular client (such as sanctions, criminal convictions, conduct or other reputational issues).
- Authenticating registered users to certain areas of our sites.
- General management and reporting activities, such as invoicing and account management.
- In relation to the employment of our personnel, providing internal services to our staff, seeking qualified candidates, and forwarding candidate career inquiries to our People team, which may be governed by different privacy terms and policies.
- Processing online requests, including responding to communications from individuals or requests for proposals and quotations.
- Contacting media regarding corporate press releases and highlighting messages that may be of interest on specific industry topics.
- Helping support clients to run a series of development programs for education and learning purposes to inform industry leaders.
- Complying with any requirements of law, regulation or a professional body of which we are a member.
- Compiling health and safety data (directly or indirectly) following an incident or accident. Indirect data can take many forms including an incident report, first aider report, witness statements and CCTV footage.
- Collecting health data to assess, monitor and control spread of infectious diseases and to provide a safe environment for our employees, clients and suppliers.
- For other purposes related to our business.
Your personal information will not be used for other purposes unless we obtain your consent to the secondary use, or the secondary use is required or permitted by law.
In some cases where you have registered for certain services, we may store your email address temporarily until we receive confirmation of the information you provided via an email (for example where we send an email to the email address provided as part of your registration to confirm a subscription request).
If you choose not to provide us with personal information which we have requested from you, we may be unable to fulfil any of the above purposes, including providing professional services to you, responding to your requests, paying your invoices or processing your application for employment.
We may collect, hold and use personal information about individuals to market our services, including by email. If you opt-in for particular services or communications, such as an e-newsletter, you can unsubscribe at any time by following the instructions included in each communication or by sending an email to email@example.com.
1.4. How we collect personal information
- Directly – We obtain personal information directly from individuals in a variety of ways, including from individuals who provide us with their business cards, complete our online forms, subscribe to our newsletters and preference centre, register for webinars, attend meetings or events we host, visit our offices or for recruitment purposes. We may also obtain personal information directly when, for example, we are establishing a business relationship, performing professional services through a contract, or through our hosted software applications.
- Indirectly – In some instances, we may obtain your personal information indirectly from a variety of sources, including publicly available sources, our clients, recruitment, third-parties or other KPMG member firms (see section 2.1):
- Public sources – Personal information may be obtained from public registers, government agency publications, news articles, sanctions lists, internet searches and social media sites.
- Our clients – Our clients may engage us to perform professional services which involve sharing personal information they control as part of that engagement. Our services may also include processing personal information under our clients’ control on our hosted software applications, which may be governed by different privacy terms, policies and notices.
- Service providers and other third parties – We may obtain personal information from our service providers such as recruitment and credit reference agencies and other third parties such as previous employees, previous employers, law enforcement agencies, banks, other financial institutions and screening providers who assist us with our legal obligations to conduct anti-money laundering, sanctions screening and regulatory checks.
- Third-party single sign-on service – You may register or login to our website using a third-party single sign-on service. Where you log in this way, the service authenticates your identity and connects your social media login information (e.g. LinkedIn, Google, Twitter or Facebook) with KPMG. We will collect any information or content needed for the registration or login that you have permitted the social media provider to share with us, such as your name and email address. Other information we collect will depend on the privacy settings you have set with your social media provider and their privacy statement.
- Personal information about others – Where you provide personal information to us about other people (such as your customers, directors, officers, shareholders, beneficial owners or employees), you must ensure that you have a lawful basis to make such disclosure.
KPMG understands the importance of protecting children's privacy, especially in an online environment.
Our websites are not intentionally designed for or directed at children under the age of 16. It is our policy never to knowingly collect or maintain information about anyone under the age of 16, except as part of an engagement to provide professional services.
2. Sharing and transfer of personal information
2.1. Transfers within the global KPMG network
KPMG is a New Zealand partnership and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, an English entity. Member firms are located around the world.
We may share your personal information with other entities in the KPMG global network where necessary for administrative purposes and to provide professional services to our clients (e.g., when providing services involving advice from KPMG member firms in different territories), when your engagement is an international engagement, or to meet our legal and regulatory obligations in jurisdictions outside of New Zealand.
We may use other entities in the KPMG global network to provide services to us and you. These services might include hosting and supporting IT applications, the provision of certain forms of insurance for member firms and clients, performing client conflict checks or identity verification checks (where required) and assisting with client engagement services. We may store, process or back-up your personal information on servers that are located overseas (including through third-party service providers).
2.2. Sharing with third parties
The information you provide to us may be shared with third-parties to the extent necessary to carry out our professional and business needs, to complete your requests, where we are required to disclose that information by law or for safety reasons, with your consent or as otherwise stated in this privacy statement.
Examples of this might include:
- Sharing with our service providers – We work with reputable service partners and agencies to meet our business needs, as well as to assist in our delivery of services to you. We may share your personal information with these providers where, and to the extent that, it is required in the provision of the services you have asked that we provide, or use their applications and APIs. Some applications may enable or require you to interact with us through APIs in a way that requires you to log in or otherwise provide personal information. KPMG will only share personal information with providers who have met our standards on the processing of data and security.
- Sharing with professional advisers – We may share your personal information with our professional advisers, including lawyers and insurers.
- Sharing for internal and compliance purposes – The disclosure of your personal information might be necessary for crime prevention, anti-money laundering compliance, sanctions screening, data privacy or security audits, other audits required by local legislation, client conflicts and independence checks, or where we are required to investigate or respond to a complaint or a security threat.
- Sharing as required under applicable laws, regulations or professional standards – There may be occasions where courts, tribunals, regulatory or professional standards bodies or other third parties require KPMG to share information with them, or it may be prudent for KPMG to comply with such request, in accordance with applicable law, regulations, professional standards or national and international sanctions.
- Sharing in the event of sale or transfer – In the event KPMG or the business of the website is sold, transferred or assigned disclosure might be necessary for that sale, transfer, merger or assignment, or as a result of the sale, transfer, merger or assignment.
- Sharing with payment, marketing and recruitment service providers – We may share your personal information with payment, marketing and recruitment service providers.
- Sharing with health government bodies and external service providers – We may share your personal information with health government bodies and external service providers (health, facilities, estate management) to assess, monitor and control the spread of infectious diseases.
In some cases, the third parties we share your personal information with may be located overseas, in particular, in the United States of America, the United Kingdom, the European Economic Area (including the Netherlands, Ireland and Germany), Australia, Singapore, Hong Kong, Japan, Argentina, Cook Islands, India, and those countries in which KPMG member firms are located. We require these third-parties to take appropriate measures to protect and restrict how they use that information, in accordance with our contractual obligations and applicable privacy laws.
We may also share non-personal, de-identified and aggregated information for research or promotional purposes. At no time will KPMG sell your personal information to any third parties or transfer your personal information to any third parties for their direct marketing use.
3. Security and retention of personal information
KPMG has security policies and procedures in place to protect our information and client information (including personal information) from loss, unauthorised access, use, modification, disclosure or misuse. Despite KPMG’s best efforts, security cannot be guaranteed against all threats. To the best of our ability, access to your personal information is limited to those who need to know. Those individuals who have access to the data are required to maintain the confidentiality of the information. We may apply pseudonymisation, de-identification and anonymisation techniques in efforts to further protect your personal information.
We retain personal information to provide our services, stay in contact with you and to comply with applicable laws, regulations and professional obligations that we are subject to. We retain personal information for as long as is necessary for the processing purposes for which the information was collected, and any other permissible, related purpose. The criteria we use to determine the retention periods also include:
- whether there are contractual or legal obligations that exist that require us to retain the personal information for a period of time;
- whether you have interacted with us recently; and
- whether any applicable law, statute, regulation or professional standard allows for a specific retention period.
Unless a different time frame applies as a result of business need or specific legal, regulatory or contractual requirements, where we retain personal information in accordance with these purposes, we retain such personal information for ten years.
4. General Data Protection Regulation
The General Data Protection Regulation (‘GDPR’) came into effect on 25 May 2018 and, depending on where you are located or the KPMG entity you interact with, it may apply to your personal information. Following the United Kingdom’s exit from the European Union, the GDPR is also retained in domestic law in the United Kingdom. Under the GDPR, the term ‘Personal Data’ is used in the place of ‘Personal Information’.
Where the GDPR applies, you have additional rights under the GDPR in respect of your personal information, subject to applicable law. These include rights in certain circumstances to:
- Access – Access your personal information.
- Correction – Have inaccurate personal information rectified.
- Erasure – Erase your personal information (right to be forgotten).
- Processing restrictions – Restrict our use of your personal information (including preventing processing for the purpose of direct marketing).
- Data portability – Request that your personal information be transmitted (in a structured, commonly used, and machine-readable format) directly to another company if it is technically feasible.
- Automated individual decision-making – Request review of any decisions made about you which we made solely based on automated processing, including profiling.
- Withdrawal of consent – Withdraw your consent that you have previously given to one or more specified purposes to process your personal data (without affecting the lawfulness of any processing carried out before you withdraw your consent).
- Complaints – Lodge a complaint with your local data protection authority.
If you have any questions or you would like to discuss or exercise such rights, please email firstname.lastname@example.org.
5. Links to other sites
KPMG’s websites may contain links to other sites, including sites maintained by other KPMG member firms that are not governed by this privacy statement. These sites will be governed by a privacy statement that relates to that member firm’s jurisdiction. We encourage users to review the privacy statement of each website before disclosing any personal information.
6. Your privacy rights
Where we hold personal information about you:
- you have the right to access that information where it can be readily retrieved, except in the limited circumstances in which it is permitted for us to withhold this information; and
- if that information is incorrect, you may ask that we correct it.
You can make requests to access personal information by emailing email@example.com. In most instances, we will require you to provide some form of identification (such as a driver’s licence or passport) so we can verify that you are the person to whom the information relates.
Please visit the Office of the Privacy Commissioner’s website for further information about your rights.
7. Our controller and processor status
Where we process or hold personal information solely on behalf of another organisation, we do so as an “agent” under the Privacy Act and, to the extent applicable, a data processor under the GDPR. Where we process, use or disclose personal information for our own purposes, for purposes related to our business, or where professional standards regulations apply, we will be an agency governed by the Privacy Act and, to the extent applicable, a data controller under the GDPR. You should bring this notice to the attention of your relevant individuals.
8. How to contact us
If you have a query about this privacy statement or the privacy of your information, or if you would like to enforce your privacy rights, please contact KPMG as follows:
KPMG New Zealand
P O Box 1584
9. Changes to this privacy statement
KPMG may modify this privacy statement at any time by publishing an updated version on this webpage. So you know when we make changes to this privacy statement, we will amend the revision date at the top of this statement. The newly amended privacy statement will apply from that revision date, and will apply to personal information previously received from you. We encourage you to review this privacy statement periodically to stay informed about how we are protecting your information.
Any amended privacy statement will apply between us whether or not we have given you specific notice of any change.