Candidate Privacy Notice
Last Updated 18 Dec 2024
1. Introduction
KPMG is committed to protecting your privacy and safeguarding your personal data. This Privacy Notice is issued by KPMG LLP (in the UK) (“KPMG UK”), KPMG Holding LLP (in the UK), KPMG Limited (in Gibraltar) (“KPMG Gibraltar”) and KPMG Crimsonwing Malta Limited (“MBS Malta”) (collectively, “KPMG”, “firm”, “we”, “our”, or “us”) in accordance with the UK General Data Protection Regulation and the UK Data Protection Act 2018. This privacy notice is under regular review to ensure it remains up to date and accurate.
The purpose of this privacy notice is to describe how KPMG collects and uses your personal data during the candidate application and recruitment process, as required by Data Protection Laws.
2. Who does this privacy notice apply to?
This privacy notice applies to people who are applying for roles with us, including current and former candidates as KPMG partners, employees, associates, temporary workers or contractors (collectively referred to as “Candidates”).
3. What is Personal Data?
What kind of personal data do we process?
Personal data is any information about a person by which they could be identified.
Processing means use of personal data including the collection, storing, changing, retrieving, sharing, deleting and other uses.
The categories of personal data that we process in connection with the candidate application and recruitment activity may include the following:
- Information shared as part of the recruitment process, including but not limited to contact details such as name, address, personal email address, telephone number, national insurance number, date and country of birth.
- Employment history (inc. names of employer, dates of employment, roles held, salary).
- Educational history
- Employer feedback / references (exc. contractors).
- Copies of right to work documentation, including passport, visa, ID cards or any other official documentation which demonstrates that you have a legal right to work in the UK. (exc. contractors).
- Results of KPMG assessments (voice and video footage from any recorded assessments).
- Results of pre-employment screening checks (e.g., credit history, criminal records checks).
- Physical and/or mental health where this requires KPMG to make reasonable adjustments in the candidate and recruitment process (e.g. accessibility to premises).
- Performance management information (internal candidates only).
In addition to the above, the following personal data may also be processed in connection with the candidate application and recruitment activity for Partners, Associate Partners, and Directors:
- Social media and online activity.
- Psychometric assessment.
- Gender.
Data protection laws identify some personal data as being particularly sensitive and refer to this data as ‘special category data’. This data collection is not used in the selection decision.
KPMG monitors diversity and inclusion; therefore, candidates (exc. contractors) may voluntarily provide the following personal data (“Diversity Data”) to KPMG during the candidate application and recruitment activity to contribute to KPMG’s promotion of diversity within its workforce:
- Physical and/or mental health.
- Ethnic background.
- Sexual orientation.
- Religious beliefs.
- Gender.
- Social economic background.
If you fail to provide personal data
The provision of your personal data (other than Diversity Data) is necessary for us to enter and maintain our contract with you. If you fail to provide certain personal data items when requested, we may not be able to perform any contract we decide to enter with you, or to comply with our legal obligations. As a result, we may not be able to progress your application.
How do we collect your personal data?
- Directly. We obtain personal data directly from individuals in a variety of ways, where you provide information to us by applying directly for a role at KPMG, or information that we learn about you through your interactions with us.
- Indirectly. We may also collect additional information about you from third parties including former employers, employment agencies, specialty search firms, credit reference agencies, background check providers, other service providers, and from other sources where you have made your personal information publicly available for the purposes of recruitment on jobs boards (e.g. LinkedIn).
How do we use your personal data?
We use your personal data during our recruitment activity to process your application for the role for which you have applied, as well as to meet our legal obligations. We may also process Diversity Data to promote diversity within our workforce. In doing so, we ensure that we comply with Data Protection Laws.
In addition to using your personal information for the role for which you have applied, we may retain and use your personal information to consider you for other roles. If you do not want to be considered for other roles or would like to have your personal data removed, you may contact us as specified under ‘Who can answer your privacy questions or complaints?’ below.
KPMG will only use your personal data collected during the candidate application and recruitment activity for the purposes set out in this Privacy Notice. For full details of how and why we process each type of personal data, please see Annex 1 below.
What lawful basis do we have for processing personal data?
We may rely on the following lawful bases when we process your personal data in the course of the candidate application and recruitment process:
- Contract – We may process personal data to perform our contractual obligations.
- Legal obligation – We may process personal data to meet our legal and regulatory obligations.
- Consent - We may rely on your freely given consent at the time you provided your personal data to us.
- Legitimate Interests – We may rely on legitimate interests of KPMG for processing your data where this does not unduly affect your interests or fundamental rights and freedoms.
- Public Interest – We may process your data to perform a task carried out in the public interest.
- Vital Interest – We may process your data to protect your vital interests.
For full details as to which lawful basis we rely on to process each type of personal data, please see Annex 1 below.
4. Providing your personal data to others
Do we share your personal data?
The extent to which your personal data is shared both internally and externally will differ for each candidate but will always be strictly limited to individuals who need to access your personal data in order to meet the specific purpose for which it is processed.
Your personal information may be shared internally within KPMG with the following people:
- Those employees who would have managerial responsibility for you or are acting on their behalf.
- Employees in HR who have responsibility for certain HR processes (for example, recruitment, assessment, pre-employment screening).
- Employees with responsibility for investigating issues of non-compliance with laws and regulations, internal policies and contractual requirements.
- Employees in IT and system owners who manage user access (sharing personal email address and mobile telephone number with IT department to provide login details and deploy multi-factor authentication)
- Quality and risk management team for independent and risk assurance checks. To review and monitor ‘conflicts of interest’ and compliance with ‘fit and proper’ regulation.
KPMG may also need to share your information externally with certain external third parties including:
- Companies who provide recruitment and candidate interview and assessment services to us.
- Suppliers who undertake background screening on behalf of KPMG (credit checking agencies, criminal checking bureaus, social media checks etc.).
- Academic institutions (Universities, colleges, etc.) in validating information you’ve provided.
- Individuals and companies that you have previously worked for who may provide references/recommendations to KPMG.
- Other third-party suppliers (or potential suppliers), who provide services on our behalf.
- Third parties who conduct assessments of your suitability for the role you have applied for.
We aim to keep the sharing of your personal data as minimal as possible and do not make financial gain from the information you provide. When we do share your personal data, we ensure that we impose appropriate security and privacy obligations in line with our policies. We require third party service providers to only process your personal data on our instructions and not use it for their own purposes.
Do we transfer your personal data abroad?
We store your personal data on servers located in the European Economic Area (EEA) only and will only transfer your personal data outside of the EEA to other KPMG member firms and reputable third-party organisations where it is strictly necessary in order to meet the purpose of the processing. Each recipient organisation is required to safeguard personal data in accordance with our contractual obligations and Data Protection legislation.
What pre-employment screening checks do we undertake?
KPMG will typically only transfer your personal data to an external third party for the purpose of pre-employment checks.
If you are offered a role, we will determine which checks need to be carried out for the role in question. A number of these checks will be performed for all roles, but some of the checks will only be performed for certain roles. KPMG will only perform screening checks if it is appropriate given the nature of your role. Your offer will be subject to the successful completion of the screening checks.
In keeping with its Values and Code of Conduct, KPMG expects all applicants to act with honesty and integrity during the recruitment process. We will use assessment technology that includes measures for the prevention, deterrence and detection of cheating and inappropriate candidate behaviour, including measures to detect unauthorised sharing of assessments.
Criminal records checks
Given the nature of our business, we have legal and regulatory obligations to ensure that the people we employ can be relied upon. We therefore envisage that where appropriate during the recruitment process, we will collect and hold information about criminal convictions. As part of pre-employment screening checks we may ask questions about any prior civil or criminal proceedings you may have been subject to and may also conduct criminal record checks.
We will use information about criminal convictions and offences in the following ways:
- To establish whether to offer / withdraw an offer of employment
- If successful in your application, in assigning or re-assigning you to appropriate client engagements according to agreed client screening requirements.
Fraud prevention checks
To prevent or detect fraud, or assist in verifying your identity, we may make searches of Group records using fraud prevention agencies. Should our investigations identify fraud or the commission of any other criminal offence by you when applying for, or during the course of, your employment with us, we will record details of this on the fraud prevention database. This information may be accessed from the UK and other countries and used by law enforcement agencies, us and other employers (and potential employers) to prevent fraud.
Personal information we have collected from you will be shared with the Credit Industry Fraud Avoidance System (CIFAS), who will use it to assess and prevent fraud, other unlawful or dishonest conduct, malpractice, and other seriously improper conduct. If any of these are detected, you could be refused certain services or employment.
Regulatory screening
In order to comply with our legal and regulatory obligations in relation to anti-money laundering and sanctions restrictions, we will screen your name against global sanctions lists. The screening will simply involve searching our internal and third-party databases to ensure you are not listed on a sanctions list. We are not able to employ anyone on a sanctions list. In addition, in order to comply with our legal obligations relating to anti-bribery and corruption, we will also perform searches and ask questions to assess whether there is a potential bribery or corruption risk to the role based on your personal and political associations. If there is a risk, we will look to assess what additional internal controls we need to put in place to reduce that risk prior to your employment.
Once employed, KPMG may process your nationality information to provide guidance, as appropriate, in relation to any sanctions that may apply to you.
Ethics & Independence checks
In order to comply with our legal and regulatory obligations, KPMG will review and monitor ‘conflicts of interest’ and compliance with ‘fit and proper’ regulation. This may include processing of financial information, investments/assets as well as director/shareholding interests of KPMG personnel and their relatives.
5. How long do we keep your personal data?
We will only keep your personal data for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, regulatory, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data, and whether we can achieve those purposes through other means and the applicable legal requirements.
In some circumstances, we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you.
We may retain your information for longer periods under exceptional circumstances, for example, where we need to withhold destruction or disposal based on an order from the courts or an investigation by law enforcement agencies or our regulators.
6. How do we keep your personal data secure?
We have put appropriate technical and organisational security policies and procedures in place to protect personal data from loss, misuse, alteration or destruction. We aim to ensure that access to your personal data is limited only to those who need to access it. Those individuals who have access to the data are required to maintain the confidentiality of such information. We may apply pseudonymisation, de-identification and anonymisation techniques in efforts to further protect personal data.
If you have access to parts of our websites or use our services, you remain responsible for keeping your user ID and password confidential. Please be aware that the transmission of data via the Internet is not completely secure. Whilst we do our best to try to protect the security of your personal data, we cannot ensure or guarantee the security of your data transmitted to our site; any transmission is at your own risk.
7. What are your Personal Data Rights?
KPMG is committed to being transparent about how we collect and use the personal data entrusted to us. In accordance with the Data Protection Laws, you have the right to know what personal data KPMG holds about you and how it is used. Your rights regarding your personal data are set out below:
a) Access – You have the right to access your personal data to ensure we are processing it fairly and lawfully. This is known as a Data Subject Access Request. You will be provided with a copy of the personal data that is disclosable to you free of charge, and we will respond within one calendar month in most instances.
b) Correction – If the information we hold about you is incorrect or incomplete, you have the right to ask us to correct it.
c) Object to processing – You have the right to object to us processing your personal data if we are no longer entitled to do so.
d) Deletion/Erasure – In certain circumstances you may have the right to have your personal data deleted if we are no longer entitled to retain it.
e) Restriction – In certain circumstances, you may have the right to have the processing of your personal data restricted.
f) Transfer – In certain circumstances, you may have the right to request the transfer of your personal data to another party.
To exercise any of these rights, please email your request to DataPrivacy@kpmg.co.uk, setting out which right you wish to exercise. Please note that we may need to request specific information from you to help us confirm your identity and ensure your right to access the information or to exercise any of your other rights. This helps us to ensure that personal data is not disclosed to any person who has no right to receive it.
8. Who can answer your privacy questions or complaints?
If you have questions or comments about this Privacy Notice or how we handle personal data, please direct your correspondence to: KPMG LLP, Data Protection and Privacy Office, 15 Canada Square, London UK E14 5GL or email DataPrivacy@kpmg.co.uk. We aim to respond within 30 days from the date we receive privacy-related communications.
You may also withdraw consent to the processing of your personal information or submit complaints and/or objections to the processing of your personal information by sending a request in writing to: The Data Privacy Office at DataPrivacy@kpmg.co.uk.
When asked to remove a record from our database, KPMG will retain minimal personal information in order to prevent future contact and where required in accordance with legal / regulatory requirements.
In respect of personal data processed by KPMG UK, you also have the right to make a complaint at any time to the Information Commissioner’s Office (“ICO”), the UK supervisory authority for data protection issues, at:
The ICO’s address:
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
In respect of personal data processed by KPMG Gibraltar, you also have the right to make a complaint at any time to the Gibraltar Regulatory Authority (“GRA”), the Gibraltar supervisory authority for data protection issues, at info@gra.gi.
9. Keeping us Informed
We take care to ensure that your personal data is accurate and up to date. Please be sure to keep us informed of any changes to your personal data at any stage of your application and recruitment process. This can be done through the recruitment portal using your sign-in credentials; alternatively, please contact the recruitment team for further assistance on this.
10. Appendix 1: How we use your personal data
The table below summarises the categories of personal data that we process, the purpose and legal basis of such processing, and who we share it with. It is not an exhaustive list and will be updated from time to time. Some of the grounds for processing will overlap and there may be several grounds which justify our use of your personal data.
| Processing Purpose | Categories of Personal Data Processed | Lawful Basis for Processing | Potential Recipients of your Personal Data (in addition to other KPMG member firms) |
|---|---|---|---|
| Assessment and recruitment. | Name. Personal telephone numbers. Current and previous personal addresses. Personal email addresses. Identification information (name, role, title, place of birth, staff number, photo ID card, passport numbers, NI and equivalent numbers). Electronic identification data (login information, access rights, staff pass information, IP address, online identifiers/cookies, logs and connection times, sound or image recording such as CCTV or voice recordings). Employment history. Compensation history. Country of birth, nationality, and residence. References. CVs and cover letter information. Education and academic achievement. Physical and/or mental health. | Contract – the processing is necessary in order for KPMG to enter into a contract of employment with you. Consent – We may rely on your freely given consent at the time you provided your personal data to us. | Home Office. Professional regulatory bodies (e.g. ICAEW, FCA). Professional insurers. |
| | Gender (Partners, Associate Partners and Directors only). | Public Interest – the processing is necessary for the performance of a task carried out in the public interest. | n/a |
| New employee on-boarding | Copies of right to work documentation. Background checks (inc. criminal records). Nationality. | Legal Obligation – the processing is necessary for KPMG to comply with the law. | Third party screening providers. Professional regulatory bodies (e.g. ICAEW, FCA). Professional insurers. Home Office. |
| Promotion of inclusion, diversity and social equality | Physical or mental health condition. Ethnic background. Sexual orientation. Religion or other similar belief. Gender. Social economic background. | Public Interest – the processing is necessary for the performance of a task carried out in the public interest. Substantial Public Interest (Article 9, II (g)) – processing is necessary for reasons of substantial public interest. | n/a |
| Regulatory and Risk Management | Financial and Investment data from partner or dependents. Trustee and Board appointments. Insurance coverage. Relationship with clients. Employment History. Public records. Identification Documents (e.g., passports, visas). Sanctions Screening. | Contract – the processing is necessary for a contract KPMG has with you. Legal Obligation – the processing is necessary for KPMG to comply with the law. Legitimate Interests – the processing is necessary to ensure KPMG runs its business operations efficiently. | Professional regulatory bodies (e.g. ICAEW, FCA). Professional insurers. CIFAS (Credit Industry Fraud Avoidance System). |