Processing of personal data in KPMG AB's operations

For an audit and advisory firm such as KPMG AB ("KPMG"), it is essential that client-related information, including personal data, is treated securely and confidentially and that applicable regulations are complied with. The same applies to the information that the company handles regarding employees and suppliers.

This text aims to describe KPMG's processing of personal data in KPMG’s engagement business in an open and transparent manner so that persons whose personal data KPMG processes will understand how and why their personal data is handled in KPMG's business and what rights they have in relation to the company. 

This text also covers personal data collected via KPMG's external website.

Information to KPMG's employees is provided in KPMG’s information on the processing of employee data, which is available via the company's intranet. 

In the case of recruitment activities, information is provided to recruitment candidates in the company's recruitment policy, which is available in connection with the company's recruitment advertisements.

Below you will find a link to a document describing how the fundamental principles for processing of personal data are applied in KPMG’s business operations.

There is also a link to a summary table that provides an overall description of KPMG's processing of personal data. 

The other sections of this information text contain descriptions of KPMG's processing of personal data in running text. Click the headlines under “Contents” above to get directly to a specific area of information.

Fundamental principles for processing of personal data within KPMG’s operations

Here you can read about the fundamental principles for processing of personal data within KPMG’s operations.

KPMG’s business operations

KPMG offers audit and advisory services in three practice areas: Audit, Advisory and Tax & Legal.

KPMG handles a large number of engagements for companies/organizations, authorities and natural persons. KPMG has clients which are large companies with national and international operations as well as a large number of local companies with different locations in Sweden. Our clients range from large, listed companies to small companies with operations in a large number of different sectors. 

In our audit business, KPMG has an important public role of public interest where the statutory audit aims to review the quality of and strengthen confidence in organizations' financial reporting. As KPMG is an auditing and consultancy firm, our activities are regulated in several respects and the company has a number of statutory obligations.

The conditions described above mean that KPMG needs to process personal data in many different contexts. In order for KPMG to be able to conduct business, personal data need to be handled when fulfilling engagements in Sweden and internationally, in contacts with other firms within KPMG and also in connection with marketing activities. KPMG also needs to process personal data regarding employees, consultants and former employees.

Further information about KPMG's operations can be found in the company's annual reports, transparency reports and sustainability reports available on our website. 

KPMG International Network

KPMG is a member of KPMG's Global Association of Independent Member Firms ("KPMG International"), one of the leading global networks of audit and advisory firms with operations in a large number of countries globally. KPMG International does not conduct any business towards clients, but is an umbrella organization for member firms in the network (“KPMG firms”). KPMG firms work locally and independently all over the world. They have access to common resources, methods and the international network's collective knowledge and expertise.   

Further information about the network is available via annual reports and Transparency Reports via the network's website.

KPMG as data controller

KPMG AB is the data controller for the processing of personal data that is carried out for KPMG’s own purposes, as described in this text.

Contact details and information about representatives of KPMG are available here.

Within the framework of KPMG’s operations, KPMG performs engagements both as controller and as processor. KPMG's employees have access to guidance for assessing whether KPMG acts as controller or processor for individual engagements.

Data Protection Officer

KPMG has appointed a Data Protection Officer, who can be contacted via the e-mail address DPreporting@kpmg.se.

KPMG's governance of processing of personal data

The Board of Directors of KPMG has adopted a policy for the processing of personal data that applies to the entire company's operations. The Data Privacy Policy sets out the basic principles that apply to all processing of personal data in the business. The Data Privacy Policy also states that the company management shall establish the rules and procedures required so that KPMG’s processing of personal data is conducted in accordance with the General Data Protection Regulation (GDPR). The Policy also states that KPMG's employees must regularly undergo adequate training and that they must have access to support and guidance in their application of the regulations.

KPMG's management team has established instructions for the company's processing of personal data. The Management Instructions specify detailed requirements for training for employees and how the company shall provide information and support to employees on processing of personal data. The instructions also state that there must be written guidelines and procedures to support employees' application of the regulations on the processing of personal data in their daily work. It also sets out requirements for control activities and appointment of a Data Protection Officer.   

Based on the Data Privacy Policy and the Management Instructions for the processing of personal data, KPMG has established guidelines and procedures for the company's processing of personal data and communicated these to KPMG's employees. There are guidelines regarding, among other things, processing of personal data in the engagement business, for marketing activities and in recruitment activities. KPMG’s data processing procedures include, among other things, procedures regarding personal data breaches, the right to access personal data being processed (including information about the processing), and correction of personal data.

Processing of personal data in the engagement business

Within the scope of KPMG’s engagement business, KPMG processes personal data for the purpose of fulfilling the obligations arising from the engagement agreements with our clients. The legal grounds for processing in the engagement business are usually that: 

  • the processing is necessary for compliance with a legal obligation.
  • the processing is necessary for the performance of an agreement with the data subject (in cases where the client is a natural person).
  • the processing is permitted through a balancing test where KPMG’s (or someone else’s) legitimate interests are balanced against the rights of the data subject.

The balancing test in the engagement business weighs KPMG's interest in being able to conduct business and comply with the commitments arising from the engagement agreements with clients, as well as the client's interest in KPMG being able to carry out the engagement, against the data subjects' possible conflicting interests regarding the protection of their personal data. KPMG's clients often have an interest in being able to engage specialist help regarding a need that the client has, e.g. to fulfil its legal obligations or agreements, support in handling accounting or tax issues, or support in developing its own business or organization.

Personal data that KPMG needs to process in order to carry out engagements is, as a starting point, collected from the client, but it may also be collected from other parties or authorities, e.g. from the Swedish Companies Registration Office (Sw. Bolagsverket) or company databases.

Personal data collected for use in engagements may be contact details, information about executives and other information regarding employment, client or supplier relationships. Personal data may, if necessary, be disclosed in accordance with instructions from the client or if it follows from the engagement, for example when the engagement involves providing authorities with certain personal data.

The persons who process personal data in KPMG's engagement business are employees and contractors of KPMG and, in some cases, third party vendors such as sub-consultants working in the engagement. KPMG also uses system support for performing engagements, which involves processing of personal data by the service providers providing such system support (for example cloud service providers).

Audit activities

Statutory audit and statutory additional engagements

KPMG’s audit activities consist of the execution and reporting of audit engagements, primarily statutory audits, and the additional engagements that follow from the engagement as auditor (e.g. review and issuing opinions in connection with share issues). Processing of personal data in audit activities takes place for the purpose of conducting and reporting audits in accordance with the laws and standards that apply to audit engagements and in accordance with generally accepted auditing practice.

This means that the processing of personal data takes place during planning, conducting and reporting the audit. Examples of personal data processed are contact information, information about board members and senior executives and such personal data as is needed to review the company's accounting and administration, e.g. personal data relating to the client's clients, suppliers and employees. 

Personal data is processed in the systems that KPMG uses to carry out and document audit engagements.

The lawful basis for the processing is that it is necessary to fulfil a legal obligation (to perform a statutory audit or statutory additional engagement according to applicable company law or the Audit Act). The lawful basis may also be the performance of a task of public interest, where the auditor's review and reporting have an important function in the national economy.

Other assurance and audit engagements

In addition to the statutory audit, KPMG and KPMG's auditors perform other assurance and audit engagements on behalf of clients.

The purpose of processing personal data for other assurance and audit engagements is to carry out these engagements. 

The lawful basis for the processing of personal data is KPMG's legitimate interest in performing engagements in accordance with agreements and applicable standards, and the client's and, where applicable, third parties' interest in KPMG performing the engagement.

Accounting services

As part of KPMG’s accounting operations, KPMG assists clients with accounting advice, accounting, financial reporting and payroll management. The clients provide documentation that may include personal data in order for KPMG to be able to fulfil its commitments under the engagement agreement with the client, for example documentation for salary payments, other remuneration and benefits for employees and documentation for the client's invoicing and payments to suppliers. The purposes of the processing of personal data in performing accounting services are stated in the agreement with the client and are often to assist the client with accounting matters, accounting, financial reporting and payroll administration. 

In the case of engagements where KPMG is the data controller for the processing of personal data for the accounting engagement, the lawful basis for the processing is KPMG's legitimate interest in being able to conduct its accounting business and fulfil engagements in accordance with the agreements with the client, and also the client's interest in being able to engage KPMG to handle a need of the client (for example, to assess qualified accounting matters).

Advisory services

KPMG’s advisory practice consists of providing advice to organizations in various contexts, including within the service areas transactional services, tax services and legal and regulatory services. The engagements may also include assisting clients with issues relating to internal control, the preparation of internal governing documents or organizational changes. The performance of the engagements may involve a variety of processing activities to differing extents. For some engagements, processing of personal data is a fundamental feature of the engagement (for example payroll engagements or preparing tax returns for natural persons), and for some engagements processing of personal data is very limited, for example limited to the communication between KPMG’s and the client’s employees needed to perform the engagement.

Personal data is processed with the system tools that KPMG uses for the execution of engagements and for documenting completed engagements. The purpose of the processing of personal data is to fulfil the obligations arising from the engagement agreement with the client.

In the case of advisory engagements where KPMG is the data controller for the processing of personal data for the engagement, the lawful basis for the processing is KPMG's legitimate interest in being able to conduct its business and fulfil engagements according to agreements, and the client's interest in having the engagement performed, for reasons that vary depending on the type of engagement.

Engagement documentation

KPMG retains engagement documentation in accordance with external as well as internal rules and procedures that apply to engagement documentation. These rules and procedures entail, among other things, that the engagement documentation is subject to professional secrecy and information security measures. 

The purpose of the retention of personal data in engagement documentation where required by law is to fulfil retention requirements under applicable law, e.g. retention of accounting information, audit documentation and information from client due diligence measures under the anti-money laundering regulations. Retention of personal data in such engagement documentation is based on KPMG’s legal obligation to maintain the data. 

The purposes of retaining personal data in the engagement documentation in other cases are that it is necessary for KPMG's legitimate interest in being able to answer questions from clients about engagements after termination of the engagement and also to be able to safeguard KPMG’s legal interests in various respects, e.g. in connection with government, insurance or litigation matters. 

Engagement documentation is normally retained for 10 years after engagement completion and is then destroyed. 

Processing of personal data for certain controls

Background

KPMG has statutory obligations arising from the fact that it conducts auditing activities. This means, among other things, that the company has obligations to carry out certain controls that need to include the processing of personal data. 

KPMG complies with rules regarding, among other things, identity checks and other client due diligence measures in accordance with the anti-money laundering regulations, conflict of interest checks in relation to various clients and procedures for impartiality and independence controls in relation to audit clients. Furthermore, the company needs to carry out checks regarding sanctions when accepting clients and engagements. 

Purpose and lawful basis

Processing of personal data in the checks required by the anti-money laundering regulations is carried out on the basis of, and for the purpose of fulfilling, KPMG’s legal requirements.

Furthermore, KPMG processes personal data for impartiality and independence controls for compliance with the independence requirements according to law and professional standards. Such controls have the purpose of ensuring KPMG's compliance with such requirements, and the associated processing of personal data is based on legal requirements under law. The processing of personal data for independence controls which is not strictly necessary for complying with a legal obligation is based on KPMG’s and other KPMG firms’ legitimate interest in facilitating and supporting compliance with legal obligations related to impartiality and independence, e.g. to the extent that the controls do not follow directly from a legal obligation but from professional ethics rules or KPMG's internal policies and procedures developed to support legal compliance.

KPMG further processes personal data in connection with conflict of interest controls. Such controls are carried out before and during the execution of engagements. The purpose of the controls is to avoid situations where different clients may have conflicting interests in the services provided by KPMG or other KPMG firms, for example in the case of KPMG's participation in disputes as an expert. The lawful basis for the processing is KPMG's, other KPMG firms’ and the client's legitimate interest in avoiding conflicts of interest.

KPMG processes personal data for the purpose of complying with sanctions legislation. The controls include searching sanction lists. The lawful basis for this processing is KPMG’s legitimate interest in not violating applicable sanctions legislation. 

Origin and recipients of the personal data 

The controls described above include personal data collected from the potential or existing client, company databases and directly from relevant representatives and officers. 

If necessary, the data may be shared with other KPMG firms.

How long is personal data stored?

The results of the controls described above are retained together with the engagement documentation during the retention period for engagement documentation (see above) or, where there is no legal requirement or, where applicable, professional obligation to retain the data for as long as the engagement documentation is kept, for as long as the data must be retained in accordance with anti-money laundering legislation or other relevant regulations.

Processing of personal data of business contacts and for marketing activities

Purpose

In order for KPMG to be able to reach the market with KPMG's services, marketing activities are conducted for the purpose of marketing KPMG, KPMG’s employees and KPMG’s services, as well as creating, improving and documenting KPMG’s client relationships and business opportunities. Such activities include sending newsletters or invitations to events such as seminars or training.

The purpose of KPMG's business contacts records is to promote the above purposes and to make the information available internally to those employees who need the information in order to reach out to KPMG’s target groups or to monitor or follow up business opportunities.

Categories of personal data

The categories of personal data processed for these purposes are primarily information about executives such as contact details, information about position, employer, industry, professional role, connections to business opportunities, areas of interest (regarding areas in which KPMG offers services), previous positions and employers, that the person has participated in a market activity in the past or been the recipient of an offer and, where applicable, information that the person has previously been employed by KPMG. 

Lawful basis for processing

The lawful basis for processing personal data in connection with marketing activities is KPMG’s legitimate interests or, in some cases, consent. The balancing of interests is based on KPMG’s interest in marketing the business and KPMG’s employees, offering KPMG's services to the market, creating and improving relationships with clients and creating business opportunities. Based on an individual assessment of each business contact’s professional role and employer, KPMG's business contacts can be assumed to have an interest in informing themselves about KPMG's range of services and in receiving information offered in newsletters, seminars and other activities.

The lawful basis for processing personal data in KPMG's business contacts records is KPMG’s legitimate interest in documenting business contacts and information needed about them in order to be able to target relevant marketing, invitations and surveys to them, and to make the data available to KPMG's employees who work with reaching out to business contacts for marketing and client relationship purposes.  

Origin and recipients of the personal data 

The personal data is collected directly from the data subject, from KPMG's clients or from KPMG's employees. In some cases, the data is obtained from someone else, such as an alliance partner of KPMG or from publicly available sources. 

Personal data is processed in the systems and tools the company uses to manage marketing activities. KPMG uses external suppliers for the storage of information and for mailing systems. 

Personal data (e.g. participant lists) may, if necessary, be disclosed to recipients who assist KPMG with marketing activities, such as restaurants and companies that provide premises for courses or events or marketing agencies and printing houses.

Personal data of business contacts may also be disclosed to other KPMG firms or alliance partners for common business or marketing activities.

How long is the data stored?

Personal data collected for marketing and evaluation purposes is stored for as long as it is necessary for the purpose. 

Data processed after the data subject has made an expression of interest (e.g. signed up for KPMG's newsletter) is processed until the person reports that he or she is no longer interested in receiving newsletters or invitations from KPMG, or until an employee of KPMG makes the assessment that the person can no longer be assumed to have an interest in the communication. 

Contact information for business contacts such as existing or potential clients is normally retained for as long as the company assesses that the person's position or professional role can be assumed to lead to an interest in KPMG’s services. 

Profiling

In order for the company to be able to make relevant selections regarding the sending of newsletters and invitations to events, profiling is used in such a way that selections for mailings are based on information about industry segments, professional role/position, employer or previous interaction with KPMG (such as registration for a seminar). Such profiling is limited to such categories of data and aims to ensure that the content of KPMG’s communications is relevant, of interest and useful to the recipient.

Processing of personal data when conducting surveys and evaluations

Purpose

KPMG conducts voluntary surveys and evaluations for follow-up purposes in terms of client satisfaction, market perception and to create a basis for improving services and service.

Categories of personal data

The categories of personal data processed for this purpose are contact details, connection to client and engagement, information about participation in a survey and information about the data subject's perception and answers to questions (the latter unless the survey is conducted anonymously).

Lawful basis for processing

Processing of personal data in connection with surveys and evaluations takes place on the basis of KPMG’s legitimate interest in following up, for example, completed engagements and client perception. 

In some cases, the basis for processing may be consent. Given that participation in a survey is always voluntary, the lawful basis is usually a legitimate interest.

Origin of personal data and to whom it may be disclosed

Contact information is obtained from KPMG's client or engagement register or from clients. Information relating to answers in the survey is obtained from the person who has chosen to participate.  

The data may be processed by suppliers to KPMG who assist KPMG in carrying out the survey or who provide KPMG with technology tools for handling surveys.

Anonymized results of surveys may be shared with external parties for marketing purposes as well as with other KPMG firms that, for example, participated in the execution of the engagements to which the survey relates.

How long is the data stored?

Personal data linked to a survey is stored for a maximum of six months after the survey has been conducted. 

Processing of visitors' personal data

Clients, suppliers, jobseekers and others visiting KPMG's offices are normally registered with their name, company/organisation, information about who they are going to visit and the time of the visit. Such data is registered for security reasons, both to protect employees, visitors, assets and information from unauthorized access to KPMG's premises and for use in the event of fire or other crisis situations.

The data on visits is saved for five days, unless a special event (e.g. fire) requires the data to be saved longer.

Camera surveillance takes place at the entrance of KPMG's office in Stockholm in order to prevent unauthorized access to KPMG's premises for the reasons stated in the first paragraph above and for following up security incidents that have occurred. Recorded material is retained for five days unless a special event (e.g. burglary) requires a recording to be saved longer.

Procurement documentation and tenders

Purpose

KPMG processes personal data contained in procurement documents and proposals for purposes relating to KPMG being able to:

  • submit proposals.
  • enter into contracts.
  • document the contractual relationship.
  • comply with legal requirements for preservation of accounting information.
  • have control over and be able to compare with what has previously been offered (e.g. a certain consultant with a certain competence). 

Categories of personal data

The personal data processed for these purposes are normally contact details of persons at contracting organisations, as well as, where applicable, information on professional role, title and area of responsibility. 

Lawful basis

Personal data in proposals and procurement documents is handled and stored on the basis of KPMG's legitimate interests in submitting proposals and entering into contracts and in preserving the data as part of KPMG's engagement documentation or for comparative purposes when submitting proposals. 

Personal data in proposals and procurement documents that have led to entering into a contract is saved on the basis of a legal obligation to the extent that it constitutes accounting information. KPMG's legal obligation is to retain accounting information in accordance with the Swedish Accounting Act (Sw. Bokföringslagen). This obligation means that accounting information must be kept for seven years. Following the end of this period, the information is retained for a longer time in KPMG’s engagement documentation based on a legitimate interest as described in the previous paragraph.

Origin of personal data and to whom it may be disclosed

The data is collected from KPMG's clients, subcontractors or suppliers.

The data may be shared with sub-consultants (e.g. other KPMG firms) if necessary. Data collected from subcontractors is shared with KPMG's clients when subcontractors' services are to be offered to a client.

How long is the data stored?

Personal data contained in procurement documents and proposals are saved for ten years after the end of the financial year in which the agreement was concluded. 

In the case of personal data in tenders and procurement documents that do not lead to the conclusion of an agreement, such data is saved for two years after the submission of the offer.

Contracts and invoices

Purpose

KPMG processes personal data contained in contracts and invoices for the purposes of:

  • preserving agreements and invoices in accordance with applicable rules.
  • fulfilling agreements and being able to request fulfilment of agreements.
  • documenting and following up the contractual relationship.
  • invoicing.

Categories of personal data

The personal data that appears in contracts and invoices is usually contact information for persons at contracting organizations, signatures, references and, in some cases, information about what work a person has performed and time spent.

Lawful basis and storage period

Agreements are saved for the period during which the contract is valid and as further set out below.

Agreements are stored for seven years on the basis of a legal obligation, where KPMG has an obligation to keep supporting documents that are accounting information. 

Agreements are maintained on the basis of KPMG’s legitimate interest in being able to defend legal claims. The data is stored for ten years after the termination of the contractual relationship for this purpose. 

Origin of personal data and to whom it may be disclosed

Data is collected from KPMG's employees, clients' employees and suppliers' employees, or from other parties with whom KPMG has or is about to enter into a contractual relationship.

Recipients of data are any sub-consultants and sub-processors who retain information in the financial systems used by KPMG.

How long is the data stored?

Agreements are retained for ten years. Invoices are retained for seven years, except for invoices for client engagements, which are saved for ten years following the end of the engagement as part of the engagement documentation.

Processing of personal data in e-mail, collaboration platforms and cloud services

Purpose

Processing of personal data occurs in e-mails, in collaborative platforms and cloud services for a large part of KPMG's business. The purpose is to store, communicate and transmit or share information in the company's operations. 

Lawful basis for processing

The lawful basis for the processing of personal data in e-mails, collaborative platforms and cloud services is KPMG's legitimate interest in storing, communicating and transmitting information internally and externally between KPMG and clients or other parties in order to conduct KPMG’s business, or to significantly simplify and streamline such handling of information. 

KPMG's clients and other parties also have a legitimate interest in the timely and secure storage and transmission of information.

Categories of personal data

Data processed is contact information and all other personal information processed in connection with KPMG’s business activities as described in this text. A more detailed description of which categories of data are processed can be found under the description for each underlying purpose in this information text (for example, which categories of personal data are processed for marketing activities). 

For example, personal data in e-mails may be processed for the purpose of communication in order for KPMG to be able to perform an engagement, where the underlying purpose of the communication is then the execution of the engagement.

Origin of personal data and to whom it may be disclosed

The data is collected from KPMG's employees, KPMG's clients' employees, KPMG's suppliers or third parties such as potential clients or partners.

KPMG uses external service providers for email, collaboration and cloud platform services. 

Data in e-mails, collaboration platforms and cloud service platforms is shared, as necessary, with KPMG's employees, KPMG's clients' employees or other parties with whom KPMG has communications for the respective purposes described in this information text.

How long is the data stored?

The data is saved for as long as it is needed, as set out for each underlying purpose described in this information text.

For example, if an email is relevant to the performance of an engagement contract, the email is retained in the engagement documentation for as long as the engagement documentation is retained as described above.

Processing of personal data in recorded material

In some cases, KPMG processes personal data relating to clients and in some cases other categories of data subjects, in material that has been recorded with audio or sound and image (video).

Recordings appear in the following contexts.

Training

Some trainings and seminars held by KPMG are recorded for the purpose of re-use, to be sent to participants and also for the purpose of evaluating and improving the quality of KPMG's training. 

As a starting point, only the person or persons who hold the training, seminar or lecture are filmed, but it also happens that participants who take part with video at digital gatherings are filmed, e.g. if they choose to participate with their camera on. To the extent that participants ask questions or make comments, this is recorded with audio and/or video.

The lawful basis for such processing of personal data is consent or a legitimate interest, where KPMG has legitimate interests in being able to reuse training, distribute the recording material to participants and to evaluate and improve the quality of training afterwards.

Marketing

KPMG uses recorded material for communication and marketing purposes. Such material may include presentations of KPMG, interviews with employees, clients or similar. Persons who participate in recordings for marketing material are asked if they want to participate and the lawful basis for the processing is consent or KPMG’s legitimate interests in marketing KPMG’s services. Even when a weighing of interests is applied as lawful basis the data subject who is to be recorded should be asked if he or she wants to participate first, and the processing may not take place if the person has objected to the recording.

Meetings

Some meetings are recorded for the purpose of documenting the meeting. Such recordings may include personal data relating to the business activities of KPMG, KPMG's clients and KPMG's suppliers and their employees. Such processing is deemed lawful on the basis of consent or KPMG’s legitimate interest in documenting the meeting in order to streamline or simplify the work or for the recording to serve as evidence, e.g. about what has been agreed or what oral advice has been given by KPMG.

How long is the data stored?

How long the recordings are saved depends on the purpose of the recording, but they are usually saved for a maximum of two years after the time of recording. If the recording is part of the performance of an engagement, the recording is retained for as long as the engagement documentation is retained (see above).

Alumni Network

Purpose

KPMG has an alumni network for former employees in order to keep in touch with former employees, which includes sending them newsletters and invitations to seminars and events.

Categories of personal data

Personal data processed about members of the alumni network are names, contact details, employer (or own company), new and previous professional role, industry and areas of interest. 

An alumni member can also be a business contact to KPMG. KPMG registers information that business contacts have previously been employed by KPMG in KPMG’s business contact management system.

Lawful basis

The processing is permitted on the basis of consent. If consent is withdrawn, it means that KPMG will remove the person from the alumni register and will no longer communicate with the person regarding the alumni network, but it will not affect the admissibility of the processing before the consent was withdrawn. 

Origin of personal data and to whom it may be disclosed

The data is obtained from the network member or from KPMG employees or publicly available sources (e.g. social media for professionals). 

Contact details and information linked to registration for events are shared with event organizers, printers and hotels and restaurants that assist KPMG with the event.

How long is the data stored?

The personal data in the alumni register is saved until the person reports to KPMG that the person no longer wishes to be part of the network, or until KPMG's employees assess that the person can no longer be assumed to be interested in joining the network, e.g. because the person is no longer a professional in KPMG's target groups.

Transfer of personal data and engagement of processors

General information about the transfer of personal data to external recipients

As a member of KPMG International, KPMG handles information partly in systems managed by KPMG and partly in systems managed by KPMG International or by third parties. 

KPMG and KPMG International engage suppliers for services that include managing information. The information handled by KPMG and by KPMG International as well as by suppliers is handled with due regard to the confidentiality obligation that applies to our clients' and employees' conditions, including regarding personal data. 

The information that KPMG handles is normally retained within the EU/EEA. 

Transfers to third countries

The systems used by the company mean that personal data is normally processed in Sweden and within the EU/EEA. 

In addition, KPMG transfers personal data outside the EU/EEA. Such transfers normally take place to other KPMG firms within the KPMG network. Within the KPMG network, an agreement has been drawn up that regulates rights and obligations between KPMG firms when personal data is transferred between KPMG firms. This agreement includes, among other things, rules on professional secrecy and the latest EU Standard Contractual Clauses on the transfer of personal data to third countries. 

Personal data may be transferred to third countries:

  • for clients with cross-border activities in third countries for the performance of the engagement, to submit a proposal to a third country or in connection with the controls described above (including regarding identities and conflicts of interest).
  • in cases where the engagement involves the use of system tools in which information is handled outside the EU/EEA.
  • in cases where a sub-consultant located outside the EU/EEA is engaged in the execution of the engagement and has a need to process personal data. 

In these cases, the transfer is covered by the EU Standard Contractual Clauses. Where appropriate, an assessment of the need for additional safeguards is also carried out.

KPMG has established and provides guidance to support employees in assessing whether such transfers are in accordance with the data protection regulations. 

Transfer of personal data as required by law

KPMG’s operations are regulated by laws which sometimes mean that KPMG may be required by law to transfer personal data to another party. Such an obligation follows from the anti-money laundering regulations, which means, among other things, that suspected money laundering and terrorist financing must be reported to the authorities. Furthermore, it follows from the Swedish Companies Act that, under certain conditions, an auditor has to report suspicions of crime to authorities. Such reports will normally include certain personal data, including to whom the suspicions relate. 

The audit activities conducted by KPMG are supervised by, among others, the Swedish Inspectorate of Auditors. It may happen that supervisory authorities request access to information about KPMG’s activities, which means that personal data may be transferred to authorities. It may also happen that authorities order the company to provide information during authority investigations that includes personal data, for example in a tax audit. 

Employees of the company may have to provide information to investigators within the framework of preliminary investigations, which may include the disclosure of personal data.

Furthermore, the Company's employees have an obligation to be available to testify in legal proceedings, which may involve the disclosure of personal data. A legal procedure may mean that the authority/court orders the company to hand over information that may include personal data.  

Engagement of data processors

KPMG may engage data processors to process personal data on behalf of KPMG. Such processors may have access to personal data to the extent necessary for the purpose for which the personal data processor was engaged. Examples of processing of personal data carried out by data processors:

  • Storage in cloud services (within EU/EEA).
  • Communication and collaboration tools.
  • Technical Support.
  • System support for case management.

Who these processors are is stated in the agreement that is established with the client/controller (data processing agreement). In agreement with KPMG, the data processors have undertaken to treat personal data confidentially and to notify KPMG of any sub-processors they engage and of the replacement of such sub-processors.

Processing of personal data for statistical and analysis purposes

KPMG uses information collected from engagements for the compilation of statistics and market analyses. Such information is used, for example, to create added value for clients through comparisons and insights, or to improve KPMG's services. 

Before compiling and/or analysing the information, the information is anonymised so that it cannot be linked to a person, company or client. In cases where anonymization itself involves the processing of personal data, the lawful basis for the processing is a weighing of interests, where KPMG's legitimate interest is to carry out the anonymization of personal data in order to use the information for statistical or analysis purposes.

Collection of personal data via KPMG’s web sites

What information we collect online

If you choose to register or login to a KPMG web site using a third party single sign-in service that authenticates your identity and connects your social media login information (e.g., LinkedIn, Google, or Twitter) with KPMG, we will collect any information or content needed for the registration or log-in that you have permitted the social media provider to share with us, such as your name and email address. Other information we collect may depend on the privacy settings you have set with your social media provider, so please review the privacy statement or policy of the applicable service.

If you register on a KPMG web site and provide information about your preferences, we will use this information to personalize your user experience. The data of such a personal account will be maintained until you choose to delete your account or until KPMG chooses to close the account functionality. Where you register or log in using a third party single user sign-in, we may also recognize you as the same user across the different devices you use and personalize your user experience across other KPMG sites you visit.

When we process your personal information collected via our external web, we will rely on one of the following legal grounds for processing:

Legitimate interests: we may process information about you where it is in our legitimate interest in running a lawful business to do so in order to further that business, so long as it doesn’t outweigh your interests; or

Your consent: we may occasionally ask you for specific permission to process some of your personal information, and we will only process your personal information in this way if you agree to us doing so. You may withdraw your consent at any time by contacting KPMG at DPreporting@kpmg.se.

Examples of the ‘legitimate interests’ referred to above are:

  • To offer information and/or services to individuals who visit our website or offer information about employment opportunities.
  • To prevent fraud or criminal activity and to safeguard our IT systems.
  • To customize individuals’ online experience and improve the performance, usability and effectiveness of KPMG’s online presence.
  • To conduct, and to analyze, our sales and marketing activities.
  • To meet our corporate and social responsibility obligations.
  • To exercise our fundamental rights in the EU under Articles 16 and 17 of the Charter of Fundamental Rights, including our freedom to conduct a business and right to property.

Automatic collection of personal information

In some instances, KPMG and our service providers use cookies, web beacons and other technologies to automatically collect certain types of information when you visit us online, as well as through emails that we may exchange. The collection of this information allows us to customize your online experience, improve the performance, usability and effectiveness of KPMG's online presence, and measure the effectiveness of our marketing activities. The information may also be used in our sales and marketing activities.

IP addresses

An IP address is a number assigned to your computer whenever you access the internet. It allows computers and servers to recognize and communicate with one another. IP addresses from which visitors appear to originate may be recorded for IT security and system diagnostic purposes. This information may also be used in aggregate form to conduct web site trend and performance analysis.

Cookies

Cookies will typically be placed on your computer or internet-enabled device whenever you visit us online. This allows the site to remember your computer or device and serve a number of purposes, as outlined below.

On some of our web sites, a notification banner will appear allowing you to manage your consent to collect cookies (cookie banner). Below is a summary of the categories of cookies collected on our websites, and how your consent may impact your experience of certain features as you navigate those websites:

  • Strictly necessary cookies: Strictly necessary cookies are essential in order to enable users to move around the website and use its features, such as accessing secure areas of the website. These cookies must be enabled or the site will not function, and they cannot be blocked.
  • Performance cookies: Performance cookies are cookies used to gather data to enhance the performance of a website.
    You can manage your consent for performance cookies using the cookie banner, or by updating your browser’s settings (often found in your browser’s Tools or Preferences menu) to not accept cookies.
  • Functionality cookies: Functionality cookies are used to remember customer selections that change the way the site behaves or looks. You may opt out of these cookies, but it will impact your experience on the website, and you may need to repeat certain selections each time you visit.
    You can manage your consent for functionality cookies using the cookie banner, or by updating your browser’s settings (often found in your browser’s Tools or Preferences menu) to not accept cookies.
  • Targeting cookies or advertising cookies: Targeting cookies are used to deliver content relevant to your interests. They are also used to limit the number of times you see certain marketing materials, as well as to help measure the effectiveness of those marketing materials. If you do not provide consent for targeting cookies, your computer or internet-enabled device will not be tracked for marketing-related activities.
    You can manage your consent for targeting cookies using the cookie banner, or by updating your browser’s settings (often found in your browser’s Tools or Preferences menu) to not accept cookies.

Although most browsers automatically accept cookies, you can choose whether to accept cookies via the cookie consent banner or your browser’s settings (often found in your browser’s Tools or Preferences menu). If you wish to revoke your selection, you may do so by clearing your browser’s cookies, or by updating your preferences in the cookie banner.

Further information about managing cookies can be found in your browser’s help file or through sites such as www.allaboutcookies.org.

A list of the types of cookies used on our web sites is available via the link "Cookie settings" located in the footer section on this page.

Cookies by themselves do not tell us your email address or otherwise identify you personally. In our analytical reports, we may obtain other identifiers including IP addresses.

Web beacons

A web beacon is a small image file on a web page that can be used to collect certain information from your computer, such as an IP address, the time the content was viewed, a browser type, and the existence of cookies previously set by the same server. KPMG only uses web beacons in accordance with applicable laws.

KPMG or its service providers may use web beacons to track the effectiveness of third party web sites that provide us with recruiting or marketing services or to gather aggregate visitor statistics and manage cookies.

You have the option to render some web beacons unusable by rejecting their associated cookies. The web beacon may still record an anonymous visit from your IP address but cookie information will not be recorded.

In some of our newsletters and other communications, we may monitor recipient actions such as email open and click through rates through embedded links within the messages. We collect this information to gauge user interest and to enhance future user experiences and marketing activities.

Location-based tools

KPMG may collect and use the geographical location of your computer or mobile device. This location data is collected for the purpose of providing you with information regarding services which we believe may be of interest to you based on your geographic location, and to improve our location-based products and services.

Social media widgets and applications

KPMG web sites may include functionality to enable sharing via third party social media applications, such as the Facebook Like button and Twitter widget. These social media applications may collect and use information regarding your use of KPMG web sites (see details on 'Social Sharing' cookies above). Any personal information that you provide via such social media applications may be collected and used by other members of that social media application and such interactions are governed by the privacy policies of the companies that provide the application. We do not have control over, or responsibility for, those companies or their use of your information.

In addition, KPMG web sites may host blogs, forums, crowd-sourcing and other applications or services (collectively "social media features"). The purpose of social media features is to facilitate the sharing of knowledge and content. Any personal information that you provide on any KPMG social media feature may be shared with other users of that social media feature (unless otherwise stated at the point of collection), over whom we may have limited or no control.

Children

KPMG understands the importance of protecting children's privacy, especially in an online environment. In particular, our sites are not intentionally designed for or directed at children under the age of 13.

Links to other sites

Please be aware that KPMG web sites will typically contain links to other sites, including sites maintained by other KPMG member firms that are not governed by this Privacy Statement, but by other privacy statements that will often differ somewhat. We encourage users to review the privacy policy of each web site visited before disclosing any personal information.

By registering on any KPMG web site and then navigating to another KPMG web site while still logged in, you agree to the use of your personal information in accordance with the privacy statement of the KPMG web site you are visiting.

Processing of personal data in Bohlinsgruppen i Sverige Försäkring AB

The insurance company Bohlinsgruppen i Sverige Försäkring AB provides insurance under an agreement with KPMG. The operations of Bohlinsgruppen i Sverige Försäkring AB are managed by KPMG's staff under an agreement between KPMG and Bohlinsgruppen i Sverige Försäkring AB. KPMG is a data processor to Bohlinsgruppen i Sverige Försäkring AB with regard to the operations of the insurance company. In the insurance company's operations, personal data is mainly processed for the following purposes.

Accounting and bookkeeping

KPMG and Bohlinsgruppen i Sverige Försäkring AB process personal data as part of fulfilling accounting obligations and obligations regarding financial reporting and in connection with the handling of accounts payable. The categories of personal data processed for these purposes are contact details (e.g. on invoices), financial data, information about employees, consultants and time spent, as well as insurance information. The categories of data subjects whose personal data are processed for these purposes are KPMG's employees, contact persons at suppliers, contact persons at clients or former clients and persons who appear in claims cases.

The lawful basis for the processing is a legal obligation with regard to accounting and financial reporting and a weighing of interests with regard to the handling of supplier invoices.

Personal data is collected from suppliers, clients, KPMG employees, persons involved in claims and, where applicable, from public registers and handled by KPMG's staff and suppliers.

The personal data is retained for the time required by the Accounting Act.

Regulatory compliance

KPMG has statutory obligations to comply with, among other things, with regard to certain controls.

In addition to what is stated about accounting and bookkeeping above, Bohlinsgruppen i Sverige Försäkring AB has statutory obligations to relate to, such as obligations regarding taxes and fees and obligations as an employer. In fulfilling such obligations, personal data is processed primarily regarding KPMG's and Bohlinsgruppen Aktiebolag's employees. The purposes and lawful basis for such processing of personal data is to fulfill legal obligations. The categories of personal data processed for these purposes include name and contact details, social security number, employee number and personal circumstances. With regard to KPMG's obligations to process personal data relating to employees, reference is made to the internal company information on the processing of employees' personal data.

The insurance company, as an insurance company, has statutory obligations regarding risk and compliance and processes personal data when fulfilling such obligations. The categories of personal data that may be processed for these purposes are contact details, financial and insurance data as well as data related to claims and engagements carried out by KPMG. The categories of data subjects whose personal data are processed for these purposes are KPMG's employees, contact persons at clients or former clients and persons involved in claims cases. The lawful basis for the processing is legal obligations.

Personal data is collected from KPMG's clients or KPMG's former clients, KPMG's employees, persons involved in claims and, where applicable, from public registers and handled by KPMG's staff and, where applicable, suppliers.

The personal data is retained, as a starting point, for at least ten years in order to comply with regulatory requirements and, in addition, for the time needed to defend legal claims.

Claims management

The insurance company handles reported claims in accordance with an agreement with the policyholder in order to fulfil obligations to the policyholder, assess claims and liability for compensation, and investigate the insurance company's and the policyholder's legal claims. The insurance company and KPMG have been deemed to be joint controllers for claims handling.

The categories of personal data that may be processed for these purposes are contact details, financial and insurance data as well as data related to claims and engagements carried out by KPMG. The categories of data subjects whose personal data are processed for these purposes are KPMG's employees, contact persons at clients or former clients and persons involved in claims cases.

The lawful basis for the processing is a weighing of interests where the insurance company's and the policyholder's legitimate interests relate to the purposes described in the first paragraph above.

Personal data is collected from KPMG's clients or KPMG's former clients, persons involved in claims and, where applicable, from public registers and handled by KPMG's staff and, where applicable, suppliers.

The personal data is retained for the time necessary to defend legal claims, and as a starting point for at least ten years.

Contact details and exercise of data subjects' rights

With regard to contact details and information on data subject rights in relation to the insurance company, reference is made to the same information on these rights and the same contact details as those indicated for KPMG in this information text. 

Your rights as a data subject

You have a number of rights related to KPMG’s processing of your personal data. Your rights and contact channels are described below.

In case you reach out to us to exercise your rights, we may need to request specific information from you to help us confirm your identity and ensure your right to access the information or to exercise any of your other rights. This helps us to ensure that personal data is not disclosed to any person who has no right to receive it. No fee is required to make a request unless your request is clearly unfounded or excessive. 

Right to information

According to the regulations on the processing of personal data, the data subject has the right to receive information when his or her personal data is processed. Information on the processing shall be provided both when data are collected, or shortly thereafter when the data are not collected from the data subject, and when the data subject so requests. In addition, there are certain occasions when special information must be given to the data subject, for example if a data breach or similar occurs.

Information must be provided on, among other things, the contact details of the controller and the lawful basis and purpose of the processing.

This document includes, among other things, such information that KPMG has to provide to the persons whose personal data is processed in the course of its operations.

A request for access to information is reported to the contact person for a possible engagement and otherwise to DPreporting@kpmg.se.

A request for access to information will be handled based on the regulations regarding the processing of personal data and in accordance with the company's procedure for handling such requests.

Right to rectification

The regulations on the processing of personal data mean that the data subject has the right to turn to companies that process personal data and ask for correction of incorrect personal data and to supplement with such missing personal data that is relevant for the purpose of the processing.

A request for rectification is reported to the contact person for any engagement and otherwise to DPreporting@kpmg.se.

A request for rectification will be handled based on the regulations regarding the processing of personal data and in accordance with the company's procedure for handling such requests.

Right to erasure

According to the regulations on the processing of personal data, a data subject has the right to turn to companies and request that the data relating to him or her be deleted.  

A request for deletion is reported to the contact person for any engagement and otherwise to DPreporting@kpmg.se.

A request for deletion will be handled based on the regulations on the processing of personal data and in accordance with the company's procedure for handling such requests.

Right to limitation of processing

The persons whose personal data is processed have the right in certain cases to demand that processing be restricted. Restriction means that personal data is marked so that in the future it may only be processed for certain limited purposes.

A request for restriction of processing of personal data is reported to the contact person for any engagement and otherwise to DPreporting@kpmg.se.

A request for restriction will be handled on the basis of the regulations regarding the processing of personal data and in accordance with the company's procedure for handling such requests.

Right to withdraw consent

Persons whose personal data is processed with consent as the lawful basis have the right to withdraw their consent.

A withdrawal of consent is reported to DPreporting@kpmg.se.

Data portability

In some cases, the person who has provided their personal data has the right to obtain and use their personal data elsewhere. The person who has received such information has an obligation to facilitate such transfer.

A request for personal data for use elsewhere is reported to DPreporting@kpmg.se.

A request for data portability will be handled based on the regulations regarding the processing of personal data and in accordance with the company's procedure for handling such requests.

Right to object

In certain cases, an individual has the right to object to the controller's processing of the individual's personal data. This right applies, among other things, to personal data processed on the basis of a weighing of interests and includes the right to object to profiling.

A request to object to the processing of personal data is sent to DPreporting@kpmg.se.

A request for objection will be handled on the basis of the regulations regarding the processing of personal data and in accordance with the company's procedure for handling such requests.

Complaint

Complaints regarding KPMG's processing of personal data should be sent to DPreporting@kpmg.se.

Complaints received will be investigated in accordance with the Company's Complaint Handling Procedure.

The person whose personal data is processed also has the right to lodge a complaint with the Swedish Authority for Privacy Protection. Further information about this is available on the Swedish Authority for Privacy Protection's website.

Preservation of requests for the exercise of rights

KPMG retains requests for the exercise of data subject rights in order to assess and demonstrate how requests have been handled retrospectively, for as long as necessary to establish, exercise or defend legal claims.