KPMG LLP – Firm Personnel Data Privacy Notice
Last updated January 22, 2025
KPMG LLP¹ (“KPMG”) is dedicated to protecting the confidentiality and privacy of information entrusted to it, including Personal Information (also known as “personal data,” “Personally Identifiable Information,” or “PII”). This Firm Personnel Data Privacy Notice (“Data Privacy Notice”) aims to give Firm Personnel (as defined below) information on how their Personal Information (as defined below) is collected, processed, used, and retained by KPMG. For the purposes of this Data Privacy Notice: (i) “Firm Personnel” includes current and former partners, principals, employees, directors, officers, interns, and Third Party Personnel² of KPMG; and (ii) “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Firm Personnel, or a particular household that Firm Personnel is a member of. Please review this Data Privacy Notice to learn about how we collect, use, share, and protect Firm Personnel’s Personal Information.
KPMG’s collection of Personal Information from and about Firm Personnel is necessary in order for KPMG to fulfill its legal, professional, and contractual obligations, and for the performance of current and former partnership or employment relationships, as applicable. Therefore, the failure by any Firm Personnel to provide Personal Information, in whole or in part, could prevent KPMG from fulfilling some or all of its obligations regarding the partnership or employment relationship, or as may be required under contract, applicable law, or our professional standards, including, but not limited to, obligations related to auditor independence rules, payroll, social security contribution, tax, and insurance.
KPMG may process the following types of Personal Information, including Sensitive Personal Information (as defined below), for the purposes set out in this Data Privacy Notice, and subject to and in accordance with applicable law:
KPMG may process Sensitive Personal Information (as defined below) if and to the extent such processing is: (i) necessary for compliance with applicable law; (ii) specifically authorized or required by law; or (iii) of Sensitive Personal Information that is voluntarily shared by any Firm Personnel with KPMG. What constitutes Sensitive Personal Information may vary by law, but for the purposes of this Data Privacy Notice, “Sensitive Personal Information” is Personal Information that may reveal an individual’s race, ethnicity, political beliefs, trade union membership, religious or similar beliefs; Social Security, Driver’s License, government ID, and passport number; citizenship and immigration status; financial account information; physical or mental health; biometrics; genetics; precise geolocation; sexual orientation; or criminal record. Please refer to the firm’s Biometric Consent and Retention Notice for more information about processing biometrics.
We may create de-identified or anonymized data from Personal Information by removing data components that make the data personally identifiable to you, or through obfuscation or other means. Our use of de-identified or anonymized data is not subject to this Data Privacy Notice.
KPMG may also collect certain information from or regarding the spouses, partners, dependents, beneficiaries, and/or other household members of Firm Personnel, excluding Third Party Personnel (“Family Members”), such as emergency contact details and contact information and information in connection with the administration of health, medical, or other employment benefits. In addition, to comply with federal law, regulations, and professional standards, KPMG is required to collect certain information from or regarding Family Members of Firm Personnel, including certain financial information, such as brokerage account information, and certain Personal Information that we require to fulfill our obligations under applicable professional standards and laws, including, without limitation, auditor independence rules. KPMG’s collection and processing of Personal Information of Family Members of Firm Personnel is subject to KPMG’s external Privacy Statement.
Personal Information may be processed by KPMG for the purposes set out below:
We do not share Personal Information with unaffiliated third parties, except as stated in this Data Privacy Notice, including as necessary for our legitimate professional and business needs, to carry out your requests, to market our services, and/or as required or permitted by law or professional standards, or otherwise with your consent.
In some instances, KPMG may share Personal Information about you with various third-party service providers working on our behalf, or to help fulfill your requests. These third parties include, for example, providers of administrative, identity management, website hosting, data analysis, data back-up, and security management services. Third parties receiving Personal Information from KPMG are obligated to protect Personal Information in accordance with their contractual obligations and data protection legislation applicable to their provision of services.
Our service providers also may use aggregated, de-identified or anonymized data for improving the delivery or quality of services or technology, among other lawful uses and for research and development. As set forth above, de-identified or anonymized data does not identify you individually but rather helps to identify trends in preferences and behaviors of Firm Personnel at an aggregate level.
KPMG may disclose Personal Information to address or respond to requests of, or guidance provided by, government entities, bodies, or agencies, law enforcement agencies, or other entities or organizations, such as public health agencies, authorized by, or otherwise acting or operating pursuant to the lawful direction or authority of, an international, federal, state, or local governmental body, including to meet national security or law enforcement requirements and for health and safety purposes. We may also disclose Personal Information where disclosure is required by applicable laws, court orders, government regulations, or other legal process, or where we believe disclosure is necessary or appropriate to protect the rights or safety of KPMG, Firm Personnel, or other third parties.
In the event that the ownership of KPMG or an affiliate or their assets changes as the result of a merger, acquisition, or sale of assets, information owned or controlled by KPMG may be transferred to another company. Information may also be shared in connection with the consideration, negotiation, or completion of a corporate transaction in which we are acquired by or merged with another company, or we sell, liquidate, assign, or transfer all or a portion of our assets. If any such transaction occurs, the purchaser will be entitled to use and disclose the Personal Information collected by KPMG in the same manner that we are able to, and the purchaser will assume the rights and obligations regarding Personal Information as described in this Data Privacy Notice.
KPMG may also need to disclose certain Personal Information in connection with audits and/or to investigate or respond to a complaint or security threat.
KPMG neither sells Firm Personnel’s Personal Information to any third parties nor shares Firm Personnel’s Personal Information with any third parties for cross-context behavioral advertising.
Further, Personal Information may be disclosed to the extent necessary for the purposes described in this Data Privacy Notice to the following recipients:
Pursuant to the Corporate-Liable Mobile Device Policy, corporate-liable mobile devices may collect your personal information, including precise geolocation data, which may be processed by the firm and/or our mobile device service providers and wireless carriers. Geolocation data will be collected and processed only for legitimate business purposes and in accordance with this Data Privacy Notice. Additionally, eligible Firm Personnel are expected and permitted to turn off their corporate-liable mobile devices (or may elect to turn off any geolocation features) during non-working time.
You acknowledge and agree to be interviewed, audiotaped, or videotaped, recorded, or transcribed as part of your employment or contract with the firm and participation in firm events or meetings. You acknowledge that KPMG may produce the foregoing for legitimate business purposes, including for archival, engagement, marketing, recruitment, or training purposes, and KPMG may distribute such materials to other internal and external audiences, including clients.
We may collect Personal Information from or about you if you are in a jurisdiction other than the U.S. for purposes of your employment or relationship with KPMG. Similarly, if you are in the U.S., we may transfer outside of the U.S. the Personal Information we collect from or about you. Regardless of where you are located, we may transfer certain Personal Information across geographical borders to KPMG International, other member firms affiliated with KPMG International or to various third-party providers working on our behalf, or we may receive Personal Information in the U.S. or elsewhere transferred from KPMG International, another member firm affiliated with KPMG International or an unaffiliated third party. KPMG may also store Personal Information in a jurisdiction other than where you are based, and such jurisdiction may not provide the same level of protection for your Personal Information as your home country. By providing your Personal Information to KPMG, you understand that your Personal Information may be collected, transferred, and/or stored in a jurisdiction other than your home country. Each member firm affiliated with KPMG International is required to safeguard Personal Information in accordance with its contractual obligations and data protection legislation applicable to its provision of services. Your Personal Information will only be transferred if appropriate or suitable safeguards are in place.
The following provisions in this section apply only to Firm Personnel who are residents of European Economic Area member countries and the United Kingdom.
KPMG and its subsidiaries, KPMG Corporate Finance LLC, and KPMG US Tax Services (London) LLP, comply with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce. KPMG and its subsidiaries have certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regards to the processing of Personal Information received from the European Union in reliance on the EU-U.S. If there is any conflict between the terms in this Data Privacy Notice and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (“DPF”) program, and to view our certification page, please visit https://www.dataprivacyframework.gov/.
For more details about your rights and KPMG’s liability in cases of onward transfers to third parties, please review the KPMG LLP Data Privacy Framework Policy, which applies to Personal Information transferred from member countries of the European Economic Area and the United Kingdom (including Gibraltar), pursuant to the DPF.
The Federal Trade Commission has jurisdiction over KPMG’s compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. In compliance with the DPF, KPMG commits to resolve EU-U.S. DPF Principles-related complaints about our collection and use of your Personal Information. EEA or UK individuals with inquiries or complaints regarding our handling of Firm Personnel’s Personal Information received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF should first contact Talent & Culture by emailing US-FM HR Privacy. Third Party Personnel may address questions by first contacting the Contingent Workforce Center of Excellence at US-HR-CWO@kpmg.com.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, KPMG further commits to cooperate and comply (respectively) with the advice of the panel established by the EU data protection authorities (“DPAs”), the UK Information Commissioner’s Office (“ICO”), and the Gibraltar Regulatory Authority (“GRA”), with regard to unresolved complaints concerning our handling of Firm Personnel’s Personal Information received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF in the context of the employment relationship. If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may be able to invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf for further information.
Rights of Firm Personnel
It is the responsibility of all Firm Personnel to provide the Talent & Culture Department with accurate Personal Information. If you have provided Personal Information to KPMG, under most circumstances, subject to applicable law, you have the right to reasonable access to that Personal Information to correct any inaccuracies. You can also make a request to update or remove Personal Information about you, and we will make all reasonable and practical efforts to comply with your request, so long as it is consistent with applicable law and professional standards.
To make a Data Privacy Request, please contact the U.S. Confidentiality & Privacy Office by:
In addition, you may make corrections to certain Personal Information that you provide to the firm via Self Service Connection.
KPMG seeks to limit its collection of Personal Information to information that is relevant for our intended processing purposes.
We also endeavor to retain Personal Information only as long as such information is needed for legitimate business purposes or pursuant to applicable law, provided that we might in certain cases retain Personal Information for longer periods to comply with a data subject’s request that necessitates our continued processing of the information, or for shorter periods if the data subject validly requests that the information be deleted.
Furthermore, the firm will retain Personal Information subject to any record retention requirements set forth in the Enterprise Retention Schedule and Chapter 10.6 of the U.S. Risk Management Manual. Your Personal Information may also be subject to preservation requirements in accordance with the firm’s Preservation Guidelines.
Rights of Firm Personnel Residing in California
The California Consumer Privacy Act, as amended and including its regulations, (“CCPA”), grants rights to Firm Personnel, who are California residents, with regard to their Personal Information. If you are a California resident, the following explains your CCPA rights and our Personal Information practices as applicable.
For purposes of the CCPA, “Personal Information,” “Sensitive Personal Information,” and other terms below have the meaning defined in the CCPA.
Our Personal Information collection practices, including during the preceding 12 months, are identified above.
If you are a California resident, you have the right to request the following:
To exercise any of your rights, please contact the U.S. Confidentiality & Privacy Office by:
In addition, you may make corrections to certain Personal Information that you provide to the firm via Self Service Connection.
We will respond to authorized and verified requests as soon as practicable and as required by law, including any reason for denying or restricting a request. The above rights are subject to various exclusions and exceptions under firm policies and applicable laws (including professional standards), and under certain circumstances we may be unable to fulfill your request. The firm will retain Personal Information subject to any record retention requirements set forth in the Enterprise Retention Schedule and Chapter 10.6 of the U.S. Risk Management Manual. Your Personal Information may also be subject to preservation requirements in accordance with the firm’s Preservation Guidelines.
You may authorize someone to exercise the above rights on your behalf. If we have collected information about your Family Members, including minor children, you may exercise the above rights on behalf of your Family Members.
Note, KPMG neither sells Firm Personnel’s Personal Information to any third parties nor shares Firm Personnel’s Personal Information with any third parties for cross-context behavioral advertising.
KPMGConnect Alumni Portal
Current and former partners, principals, and employees may enroll in the firm’s alumni community portal, available at KPMGConnect.com (“KPMGConnect”). KPMGConnect is a voluntary social platform to connect firm professionals. This Data Privacy Notice applies to the collection and processing of Personal Information on KPMGConnect, in conjunction with its Terms of Use. The Personal Information associated with your KPMGConnect profile, including but not limited to your name, address, email address, telephone number, employment history, and your service on corporate boards and advisory councils, is visible to professionals who are enrolled in KPMGConnect, and may be made available upon reasonable request. KPMGConnect provides registered users with the ability to set privacy preferences through its portal settings.
KPMG has, and requires its service providers to have, security policies and procedures in place to help protect Personal Information from loss, destruction, and unauthorized access, disclosure, transfer, use, or modification. Despite KPMG’s efforts, however, security cannot be guaranteed against all threats. We seek to limit access to your Personal Information to those who have a need to know. Those individuals who have access to such information are required to maintain its confidentiality.
In addition, KPMG has a comprehensive incident response program that includes procedures for incident notification, mitigation, and prevention, as applicable. For information about what constitutes an ‘incident’ and notification procedures for incidents involving personal information, please refer to the Acceptable Use Policy.
Please be aware that KPMG websites, applications, and social media platforms may contain links to other sites, including sites maintained by KPMG International and other member firms affiliated with KPMG International, that are not governed by this Data Privacy Notice, but by other privacy statements that may differ. KPMG is not responsible for the content or practices of these other sites. We encourage Firm Personnel to review the privacy policy of each website visited before disclosing any Personal Information.
KPMG may update or modify this Data Privacy Notice from time to time to reflect our current privacy practices. When we make changes to this Data Privacy Notice, we will revise the "last updated" date at the top of this page. We encourage you to periodically review this Data Privacy Notice to be informed about how the firm is protecting your Personal Information.
KPMG is committed to protecting the privacy of your Personal Information. If you have questions about our privacy practices, please contact the U.S. Confidentiality & Privacy Office at us-privacy@kpmg.com. You may also use the foregoing email address or contact KPMG’s Ethics and Compliance Office at us-eandc@kpmg.com, to communicate any concerns you may have regarding our compliance with this Data Privacy Notice.
1 “KPMG,” “we,” “our,” and “us” refers to KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited (“KPMG International”), a private English company limited by guarantee. KPMG International and its related entities do not provide services to clients.
2 “Third Party Personnel” means “Individual(s) engaged with KPMG through a third party,” including Contractor Personnel, as such terms are defined in Ch. 16 of the U.S. Risk Management Manual. Note, if the data privacy terms in a Third-Party Personnel’s agreement with KPMG conflict with this Data Privacy Notice, the terms of the agreement will prevail. Any additional questions may be addressed by contacting the Contingent Workforce Center of Excellence at US-HR-CWO@kpmg.com.