Skip to main content
Submit RFP
      Last updated 26 May 2025

       

      This privacy statement explains how we handle the information that we collect, including personal information, and how we comply with the requirements of applicable privacy laws, including the New Zealand Privacy Act 2020 (‘Privacy Act’).  We may process personal information for any of the purposes described in this privacy statement or as otherwise stated at the point of collection. 

      In this privacy statement, ‘KPMG’, ‘we’, ‘us’, and ‘our’ is a reference to KPMG, a New Zealand partnership, and includes its controlled entities carrying on business in New Zealand and the Cook Islands.  References to ‘you’ and ‘your’ is used to refer to the individual who is the subject of the personal information. 

      KPMG may modify this privacy statement at any time by publishing an updated version on this webpage. 

      Automatic collection of personal information
      Read more

      1.1.  Personal information we collect

      Personal information (or personal data) is any information about an identifiable individual.  Processing is how we sometimes refer to the collecting, handling, use, protecting or storing of personal information.

      We process personal information from actual and prospective clients, suppliers, employees, job applicants, contractors and other individuals.  We process this information for our necessary business purposes.

      The type of personal information we process includes:

      • Contact details (e.g. names, addresses, telephone numbers, email addresses and job titles).
      • Professional details (e.g. job and career history, educational background and professional memberships, published articles, social media details).
      • Family and beneficiary details for insurance and planning services (e.g. names and dates of birth).
      • Financial information (e.g. tax, payroll, investment interests, superannuation, assets, bank details, insolvency records).
      • Identification documents (e.g. passport, driver’s licence, tax file number or other government-issued identification numbers) and additional information required to verify your identity (e.g. where you ask us to provide a service that is a designated activity under applicable anti-money laundering laws and regulations).
      • CCTV at our sites may collect images of visitors.
      • General user information and location-based data such as internet protocol addresses, browser type and internet service provider details and other technical information when you visit our associated websites.

      We generally do not intend to process, and we ask you not to provide, any special categories of personal information.  Special categories of personal information includes information about an individual’s race or ethnic origin, political opinions or affiliations, religious or philosophical beliefs, trade union membership, physical or mental health, genetic data, biometric data that uniquely identifies someone, sexual orientation and criminal records.

      If you choose to provide special categories of personal information about yourself to us for any reason, the act of doing so constitutes your explicit consent (where such consent is necessary and where obtaining such consent is permitted under applicable law), for us to process that information as necessary in the ways described in this privacy statement or as described at the point you choose to disclose this information.

      Due to the nature of our business, it is generally impracticable for us to deal with individuals on an anonymous basis or through the use of a pseudonym, although sometimes this is possible (e.g. when seeking client or staff feedback generally).

      1.2.  Lawful reasons for processing personal information

      We may rely on the following lawful reasons when we process personal information to operate our business and provide our products and services:

      • Contract – To perform our contractual obligations to the relevant individuals.
      • Legitimate interests – We may rely on legitimate interests based on our evaluation that the processing is fair, reasonable and balanced.  These may include:

      ­    - Delivering services to you and our other clients – To deliver the professional services our clients have engaged us to provide including information on new products and services.

      ­     - Marketing – Where permitted by law, to conduct and analyse our marketing activities and conduct surveys.  To deliver timely market insights and speciality knowledge including a tailor-made online experience we believe is welcomed by our clients, subscribers and individuals who have interacted with us.

      ­     - Maintaining the security of our and our client’s data, our IT systems and physical security – To prevent fraud, criminal or other unlawful activity, protect our and our client’s data, our IT systems and premises.

      ­    - Corporate responsibility – To comply with our corporate and corporate social responsibility commitments, such as inclusion and diversity and managing our supply chain.

      •  Legal obligations – To meet our legal and regulatory obligations or mandates, as reasonably necessary, such as assisting a law enforcement agency or an agency responsible for national security in the performance of their functions, or to enforce or protect our legal rights, or those of our clients and others.
      •  Public Interest – Where permitted by law, to perform a specific task in the public interest.
      • Vital Interests – To protect the vital interests of an individual, such as to prevent or lessen a serious threat to the life or health of a person.
      • Legal claims – Where it is necessary for us to establish, exercise or defend a legal claim.
      • Employment and social protection law – To carry out our obligations and exercise our or your rights in the field of employment and social protection law.
      • Consent – Where no other processing condition is available or where specifically required by applicable law, if you have agreed to us processing your personal information for the relevant purpose.

      1.3.  Why we need personal information

      We aspire to be transparent when we process personal information and tell you why we need it, which typically includes the following primary purposes:

      • Providing professional advice and delivering reports related to our tax, advisory, audit and assurance and other professional services.  Our services may include reviewing client files for quality assurance purposes, which may involve processing personal information for the relevant client.
      • Promoting our professional services, products and capabilities to existing and prospective clients.
      • Sending invitations and providing access to guests attending our events and webinars or our sponsored events.
      • Personalising online landing pages and communications we think would be of interest, based on interactions with us and KPMG member firms.
      • Security, quality and risk management activities – We have security measures in place to protect our information and information systems and our client’s information (including personal information), which involves detecting, investigating and resolving security threats.  This may include:

      ­    -  Automated scans to identify harmful emails.

      ­    -  Monitoring the services provided to clients for risk and quality purposes, which may involve processing personal information stored on the relevant client file.

      ­     - Carrying out conflict and risk searches to ensure there are no issues that would prevent us from working with a particular client (such as sanctions, criminal convictions, conduct or other reputational issues).

      ­     - Authenticating registered users to certain areas of our sites.

      • General management and reporting activities, such as invoicing and account management.
      • In relation to the employment of our personnel, providing internal services to our staff, seeking qualified candidates, and forwarding candidate career inquiries to our People team, which may be governed by different privacy terms and policies.
      • Processing online requests, including responding to communications from individuals or requests for proposals and quotations.
      • Contacting media regarding corporate press releases and highlighting messages that may be of interest on specific industry topics.
      • Helping support clients to run a series of development programs for education and learning purposes to inform industry leaders.
      • Complying with any requirements of law, regulation or a professional body of which we are a member.
      • Compiling health and safety data (directly or indirectly) following an incident or accident.  Indirect data can take many forms including an incident report, first aider report, witness statements and CCTV footage.
      • Collecting health data to assess, monitor and control spread of infectious diseases and to provide a safe environment for our employees, clients and suppliers.
      • For other purposes related to our business.

      Your personal information will not be used for other purposes unless we obtain your consent to the secondary use, or the secondary use is required or permitted by law. 

      In some cases where you have registered for certain services, we may store your email address temporarily until we receive confirmation of the information you provided via an email (for example where we send an email to the email address provided as part of your registration to confirm a subscription request).

      If you choose not to provide us with personal information which we have requested from you, we may be unable to fulfil any of the above purposes, including providing professional services to you, responding to your requests, paying your invoices or processing your application for employment.

      We may process personal information about individuals to market our services, including by email.  If you opt-in for particular services or communications, such as an e-newsletter, you can unsubscribe at any time by following the instructions included in each communication or by sending an email to  privacy@kpmg.co.nz.

      1.4.  How we collect personal information

      • Directly – We obtain personal information directly from individuals in a variety of ways, including from individuals who provide us with their business cards, complete our online forms, subscribe to our newsletters and preference centre, register for webinars, attend meetings or events we host, visit our offices or for recruitment purposes.  We may also obtain personal information directly when, for example, we are establishing a business relationship, performing professional services through a contract, through our hosted software applications or through AI Tools provided as part of our services. 
      • Indirectly – In some instances, we may obtain your personal information indirectly from a variety of sources, including publicly available sources, our clients, recruitment, third-parties or other KPMG member firms (see section 2.1):

      ­     - Public sources – Personal information may be obtained from public registers, government agency publications, news articles, sanctions lists, internet searches and social media sites.

      ­     - Our clients – Our clients may engage us to perform professional services which involves sharing personal information they control as part of that engagement.  Our services may also include processing personal information under our clients’ control on our hosted software applications, which may be governed by different privacy terms, policies and notices.

      ­     - Service providers and other third parties – We may obtain personal information from our service providers such as recruitment and credit reference agencies and other third parties such as previous employees, previous employers, law enforcement agencies, banks, other financial institutions and screening providers who assist us with our legal obligations to conduct anti-money laundering, sanctions screening and regulatory checks.

      ­    - Third-party single sign-on service – You may register or login to our website using a third-party single sign-on service.  Where you log in this way, the service authenticates your identity and connects your social media login information (e.g. LinkedIn, Google, Twitter or Facebook) with KPMG.  We will collect any information or content needed for the registration or login that you have permitted the social media provider to share with us, such as your name and email address.  Other information we collect will depend on the privacy settings you have set with your social media provider and their privacy statement.

      • Personal information about others – Where you provide personal information to us about other people (such as your customers, directors, officers, shareholders, beneficial owners or employees), you must ensure that you have a lawful basis to make such disclosure, provide all required notifications to and obtain required consents from those people in connection with our processing of that personal information.

      1.5. Cookies

      Our websites may use cookies.  Where cookies are used, a statement will be sent to your browser explaining the use of cookies.  To learn more, please refer to our Cookies Notice.

      1.6.  Children

      KPMG understands the importance of protecting children's privacy, especially in an online environment.

      Our websites are not intentionally designed for or directed at children under the age of 16.  It is our policy never to knowingly process information about anyone under the age of 16, except as part of an engagement to provide professional services.

      1.7.  AI Tools

      KPMG may use AI Tools in the course of operating our business or providing services to our clients.  Where we use AI Tools to process your personal information, we will comply with all applicable laws, professional standards and this privacy statement.  Your continued use of our services or engagement with us will constitute your explicit consent (where such consent is necessary and where obtaining such consent is permitted under applicable law) to our use of AI Tools to process any special categories of personal information that we have already collected, as described in this privacy statement. 

      2.1     Transfers within the global KPMG network

      KPMG is a New Zealand partnership and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, an English entity.  Member firms are located around the world.

      We may share your personal information with other entities in the KPMG global network where necessary for administrative purposes and to provide professional services to our clients (e.g., when providing services involving advice from KPMG member firms in different territories), when your engagement is an international engagement, or to meet our legal and regulatory obligations in jurisdictions outside of New Zealand. 

      We may use other entities in the KPMG global network to provide services to us and you.  These services might include hosting and supporting IT applications, the provision of certain forms of insurance for member firms and clients, performing client conflict checks or identity verification checks (where required) and assisting with client engagement services.  We may store, process or back-up your personal information on servers that are located overseas (including through third-party service providers).  

      2.2       Sharing with third parties

      The information you provide to us may be shared with third parties to the extent necessary to carry out our professional and business needs, to complete your requests, where we are required to disclose that information by law or for safety reasons, with your consent or as otherwise stated in this privacy statement.

      Examples of this might include:

      • Sharing with our service providers – We work with reputable service partners and agencies to meet our business needs, as well as to assist in our delivery of services to you.  We may share your personal information with these providers where, and to the extent that, it is required in the provision of the services you have asked that we provide, or to use their applications, AI Tools and APIs.  Some applications may enable or require you to interact with us through APIs in a way that requires you to log in or otherwise provide personal information.  KPMG will only share personal information with providers who have met our standards on the processing of data and security. 
      • Sharing with professional advisers – We may share your personal information with our professional advisers, including lawyers and insurers.
      • Sharing for internal and compliance purposes  The disclosure of your personal information might be necessary for crime prevention, anti-money laundering compliance, sanctions screening, data privacy or security audits, other audits required by local legislation, client conflicts and independence checks, or where we are required to investigate or respond to a complaint or a security threat.
      • Sharing as required under applicable laws, regulations or professional standards – There may be occasions where courts, tribunals, regulatory or professional standards bodies or other third parties require KPMG to share information with them, or it may be prudent for KPMG to comply with such request, in accordance with applicable law, regulations, professional standards or national and international sanctions. 
      • Sharing in the event of sale or transfer  In the event KPMG or the business of the website is sold, transferred or assigned disclosure might be necessary for that sale, transfer, merger or assignment, or as a result of the sale, transfer, merger or assignment.   
      • Sharing with payment, marketing and recruitment service providers – We may share your personal information with payment, marketing and recruitment service providers.
      • Sharing with health government bodies and external service providers – We may share your personal information with health government bodies and external service providers (health, facilities, estate management) to assess, monitor and control the spread of infectious diseases.

      In some cases, the third parties we share your personal information with may be located overseas, in particular, in the United States of America, the United Kingdom, the European Economic Area (including the Netherlands, Ireland and Germany), Australia, Singapore, Japan, Malaysia, Argentina, Cook Islands, India, Canada, Mexico and those countries in which KPMG member firms are located. We require these third parties to take appropriate measures to protect and restrict how they use that information, in accordance with our contractual obligations and applicable privacy laws.

      We may also share non-personal, de-identified and aggregated information for research or promotional purposes.  At no time will KPMG sell your personal information to any third parties or transfer your personal information to any third parties for their direct marketing use.

      KPMG has security policies and procedures in place to protect our information and client information (including personal information) from loss, unauthorised access, use, modification, disclosure or misuse.  Despite KPMG’s best efforts, security cannot be guaranteed against all threats.  To the best of our ability, access to your personal information is limited to those who need to know.  Those individuals who have access to the data are required to maintain the confidentiality of the information.  We may apply pseudonymisation, de-identification and anonymisation techniques in efforts to further protect your personal information.

      We retain personal information to provide our services, stay in contact with you and to comply with applicable laws, regulations and professional obligations that we are subject to.  We retain personal information for as long as is necessary for the processing purposes for which the information was collected, and any other permissible, related purpose.  The criteria we use to determine the retention periods also include:

      • whether there are contractual or legal obligations that exist that require us to retain the personal information for a period of time;
      • whether you have interacted with us recently; and
      • whether any applicable law, statute, regulation or professional standard allows for a specific retention period.

      Unless a different time frame applies as a result of business need or specific legal, regulatory or contractual requirements, where we retain personal information in accordance with these purposes, we retain such personal information for ten years. 

      The General Data Protection Regulation (‘GDPR’) came into effect on 25 May 2018 and, depending on where you are located or the KPMG entity you interact with, it may apply to your personal information.  Following the United Kingdom’s exit from the European Union, the GDPR is also retained in domestic law in the United Kingdom.  Under the GDPR, the term ‘Personal Data’ is used in the place of ‘Personal Information’.

      Where the GDPR applies, you have additional rights under the GDPR in respect of your personal information, subject to applicable law.  These include rights in certain circumstances to:

      • Access – Access your personal information.
      • Correction – Have inaccurate personal information rectified.
      • Erasure – Erase your personal information (right to be forgotten).
      • Processing restrictions – Restrict our use of your personal information (including preventing processing for the purpose of direct marketing).
      • Data portability – Request that your personal information be transmitted (in a structured, commonly used, and machine-readable format) directly to another company if it is technically feasible.
      • Automated individual decision-making – Request review of any decisions made about you which we made solely based on automated processing, including profiling.
      • Withdrawal of consent – Withdraw your consent that you have previously given to one or more specified purposes to process your personal information (without affecting the lawfulness of any processing carried out before you withdraw your consent).
      • Complaints – Lodge a complaint with your local data protection authority.

       If you have any questions or you would like to discuss or exercise such rights, please email privacy@kpmg.co.nz.

      KPMG’s websites may contain links to other sites, including sites maintained by other KPMG member firms that are not governed by this privacy statement.  We encourage users to review the privacy statement of each website before disclosing any personal information.

      Where we process personal information about you:

      • you have the right to access that information where it can be readily retrieved, except in the limited circumstances in which it is permitted for us to withhold this information; and
      • if that information is incorrect, you may ask that we correct it.

      You can make requests to access personal information by emailing privacy@kpmg.co.nz.  In most instances, we will require you to provide some form of identification (such as a driver’s licence or passport) so we can verify that you are the person to whom the information relates.

      Please visit the Office of the Privacy Commissioner’s website for further information about your rights.

      Where we process personal information solely on behalf of another organisation, we do as an “agent” under the Privacy Act and to the extent applicable, a data processor under the GDPR.  Where we process personal information for our own purposes, for purposes related to our business, or where professional standards regulations apply, we will be an agency governed by the Privacy Act and to the extent applicable, a data controller under the GDPR.  You must bring this notice to the attention of your relevant individuals.

      If you have a query about this privacy statement or the privacy of your information, or if you would like to enforce your privacy rights, please contact KPMG as follows:

      Privacy Liaison
      KPMG New Zealand 
      P O Box 1584
      Auckland 1140
      privacy@kpmg.co.nz

      KPMG may modify this privacy statement at any time by publishing an updated version on this webpage.  So you know when we make changes to this privacy statement, we will amend the revision date at the top of this statement.  The newly amended privacy statement will apply from that revision date and will apply to personal information previously received from you.  We encourage you to review this privacy statement periodically to stay informed about how we are protecting your information.

      Any amended privacy statement will apply between you and us whether or not we have given you specific notice of any change. 

      Connect with us

      pin_drop

      Prefer to speak to KPMG directly? Find the telephone and address details of an office near to where you are through our locations selector.

      Find office locations
      mail_outline

      Get in touch with one of our professionals, specialist groups or KPMG offices.

      Email us
      app_registration

      Find out how KPMG’s expertise can help you and your organisation.

      Request now