We are dedicated to protecting the confidentiality and privacy of information entrusted to us. We comply with applicable Data Protection Regulations including in particular the Swiss Federal Act on Data Protection (FADP). Please read this Privacy Notice to learn about your rights, what personal data we collect, how we use and protect it.
This website is operated by KPMG AG. KPMG AG is a group company of KPMG Holding LLP. KPMG Holding LLP is a member of the KPMG global organization of independent firms affiliated with KPMG International Limited (‘KPMG International’), a private English company limited by guarantee. KPMG International provides no client services.
The following Privacy Notice informs our clients, employees of our clients, suppliers, attendees of KPMG events and visitors to our website about the processing of personal data.
For information on the processing of personal data in the application process, the Talent Community, career events and job mailings, please refer to the separate Privacy Notice here.
Contents
- Who is responsible for data processing and who can I contact?
- How do we collect personal data?
- What categories of personal data do we process and for what purposes?
3.1 Clients and employees of our clients
3.2 Suppliers
3.3 KPMG event attendees
3.4 Visitors to our office buildings
3.5 Website visitors
3.6 KPMG alumni network
3.7 Benefactors of the KPMG Foundation and employees of beneficiary institutions
3.8 Other persons in contact with KPMG
- What lawful reasons do we have for processing personal data?
- Do we share personal data with third parties?
- Do we transfer your personal data to recipients outside Switzerland or Liechtenstein?
- What are your data protection rights?
- How is personal data protected?
- How long do we keep personal data?
- Have you read the further information on the use of cookies on our website and on the use of links to other websites?
- Do we make changes to this Privacy Notice?
1. Who is responsible for data processing and who can I contact?
This privacy notice applies to KPMG AG, KPMG (Liechtenstein) AG, KPMG Tax & Legal Services AG as well as KPMG Foundation (collectively ‘KPMG’, ‘we’ or ‘us’).
If you have any questions or comments about this privacy notice or our handling of personal data, please direct your correspondence to:
KPMG AG
Data Protection Officer
Badenerstrasse 172
P.O. Box 8036
Zurich
Switzerland
DPO@kpmg.ch
2. How do we collect personal data?
- Directly: We obtain personal data directly from individuals in a variety of ways, including obtaining personal data from individuals who provide us with their business card, complete our online forms, subscribe to our newsletters and make entries in our preference center, register for webinars, attend meetings or events we host, or visit our offices. We may also obtain personal data directly when, for example, establishing a business relationship, performing professional services through a contract or through our hosted software applications.
- Indirectly: We obtain personal data indirectly about individuals from a variety of sources, including recruitment services and our clients. We may attach personal data to our customer relationship management records to better understand and serve our business clients, prospects, subscribers and individuals, satisfy a legal obligation, or pursue our legitimate interests.
- Public sources – Personal data may be obtained from public registers (such as commercial registers), news articles, sanctions lists and internet searches.
- Social and professional networking sites – If you register or log in to our websites using social media (e.g. LinkedIn, Google or Twitter) to authenticate your identity and connect your social media login information with us, we will collect all the information or content needed for the registration or login that you permitted your social media provider to share with us. That information may include your name and email address, and depending on your privacy settings, additional details about you, so please review the privacy controls on the applicable service to set how much information you want shared with us.
- Business clients – Our business clients may engage us to perform professional services, which involves sharing personal data they control as part of that engagement. For example, we will review payroll data as part of an audit and we often need to use personal data to provide global mobility and pension services. Our services may also include processing personal data on our hosted software applications, which may be governed by different privacy terms and policies, if indicated as such in the software application.
- Recruitment services / suppliers / agents / former employers / credit bureaus – We may obtain personal data from employment agencies and other third parties including suppliers, agents, former employers and credit bureaus.
- Visitors to our websites – We may receive personal data when you visit our website. Please read Section 10 below.
- Visitors to events – We may receive personal data when you attend events organized or co-organized by us.
3. What categories of personal data do we collect and for what purposes?
We may obtain the following categories of personal data about individuals through direct interactions with us, or from information provided through client engagements, from suppliers and through other situations.
In some situations, the provision of personal data is required to provide certain services. In such cases this will be indicated on our website or pointed out in the disclaimers or contractual agreements. Furthermore, we may be required to collect certain personal data by law. If you fail to provide such data, we may not be able to provide the services, or we may have to cancel a product or service you have ordered from us.
3.1 Clients and employees of our clients
In connection with the provision of our contracted services to our clients, we process personal data that we need to provide the services and to protect our interests, and that we require by law or other binding regulations.
- Personal data. We commonly collect the following personal data on our clients or employees of clients. The type of personal data may vary, depending on the agreed service.
- Contact details (e.g. name, job title, work and private telephone numbers, work and personal email addresses, and other contact details).
- Personal details (e.g. age and date of birth, marital status, passport/ID details, social security number (OASI), family circumstances and information about spouse, partner, children, other dependents).
- Professional details (e.g. career history, employers, educational background and professional memberships, published articles).
- Family and beneficiary details for mobility, official approvals and permits, insurance and pension planning services (e.g. names and dates of birth).
- Financial information (e.g. taxes, payroll, investment interests, pensions, assets, bank details, insolvency records).
- Data regarding risk management and conflict of interest checks on the part of KPMG (e.g. credit rating information, commercial register data, data from sanctions lists, the KPMG network or online sources).
- Personal data requiring special protection (also called ‘special categories of personal data’): Special categories of personal data that we receive include:
- Personal identification documents that may also provide information on racial or ethnic origin, religious beliefs, physical health and biometric data of individuals or beneficial owners of legal entities.
- Expense receipts submitted for individual tax or accounting advice that reveal affiliations with trade unions or political opinions.
- Adverse information about potential or existing clients and applicants that may reveal criminal convictions or offenses.
- Other data requiring special protection that our clients provide to us as part of a business relationship.
- Children's data: Although our services are not intentionally designed for or directed at children, we may occasionally receive details about children, e.g., as part of an engagement to provide professional services.
We process the personal data listed for the following purposes:
- To fulfill our contractual obligations: The contractually agreed services may relate to: providing professional advice and delivering reports and services related to our tax, advisory, audit and assurance, pension scheme administration, legal, restructuring, mergers and acquisitions and other professional services and products.
- To safeguard our legitimate interests:
- Promoting our professional services, products and capabilities to existing and prospective business clients.
- Administering, maintaining, developing and ensuring the security and functionality of our information systems, applications and websites.
- Processing online requests, including responding to communications from individuals or requests for proposals and quotations.
- Preventing fraud or criminal activity, safeguarding our IT systems and handling claims.
- Quality assurance, avoiding conflicts of interest, safeguarding our independence and legitimate claims (e.g. debt collection measures) and defending ourselves against unjustified claims.
- Complying with legal and regulatory obligations relating to sanctions, embargo assessment, countering money laundering, terrorist financing, fraud and other forms of financial crime.
3.2 Suppliers
When you provide services for us, we process such personal data that we need to process the business relationship.
We commonly process the following personal data:
- Contact details (e.g. name, job title, work and private telephone numbers, work and personal email addresses, and other contact details).
We process the personal data listed for the following purposes:
- Contract: Processing and fulfillment of the business relationship and communication.
- Safeguarding our legitimate interests, such as avoiding conflicts of interest, maintaining independence, quality assurance, administering, maintaining, developing and ensuring the security and functionality of our information systems, applications and websites.
- Complying with legal and regulatory obligations relating to sanctions, embargo assessment, countering money laundering, terrorist financing, fraud and other forms of financial crime.
3.3 KPMG event attendees
When you attend a KPMG event, we commonly process the following personal data.
- Personal data may vary depending on the type of event:
- Contact details (e.g. name, job title, work and private telephone numbers, work and personal email addresses, and other contact details).
- Professional details (e.g. career history, employers, educational background and professional memberships, published articles).
- Examples of special categories of personal data we receive include dietary restrictions, when registering for events, that may reveal religious beliefs or physical health.
- Children's data: Although our services are not intentionally designed for or directed at children, we may occasionally receive details about children, e.g. when children attend events we host, accompanied by their parents or guardians.
We process the personal data listed for the following purposes:
- Our legitimate interests:
- Promoting our professional services, products and capabilities to existing and prospective business clients.
- Sending invitations and admitting guests to our events and webinars or to events we sponsor.
- To log your event registration and process it further for you to attend the event.
3.4 Visitors to our office buildings
When you visit our office premises, we commonly process the following personal data:
- Video surveillance systems on our business premises may collect images of visitors. We automatically erase such video footage within five days.
- Visitors may be required to register at the reception desk and leave their contact information, such as name, job title, work and private telephone numbers, work and private email addresses, other contact information or their reason for visiting.
- Children's data: Although our services are not intentionally designed for or directed at children, we may occasionally receive details about children, e.g. when children attend our events, accompanied by their parents or guardians.
We process the personal data listed for the following reasons:
- Safeguarding our legitimate interests, e.g. security in our buildings, traceability, identification, and processing and administration of guests in our buildings.
3.5 Website visitors
When you visit our website, we commonly process the following personal data:
- Personal Preference Center: Contact details (e.g. name, job title, work and private telephone numbers, work and personal email addresses, and other contact details you share with us).
- Newsletter subscription: Contact details (e.g. name, job title, work and private telephone numbers, work and personal email addresses, and other contact details you share with us).
- Request for Proposal (RfP): Contact details (e.g. name, job title, work and private telephone numbers, work and personal email addresses, and other contact details you share with us).
- Document Downloads (Gated Content): Contact details (e.g. name, job title, work and private telephone numbers, work and personal email addresses, and other contact details you share with us).
- Location-related data: We may process geographical locations, e.g. when you are using our website to locate an office near you.
We process the personal data listed for the following reasons:
- Personalizing online landing pages and communications we think would be of interest based on interactions with us and KPMG member firms.
- Authenticating registered users to certain areas of our websites (Personal Preference Center).
- Processing online requests, including responding to communications from individuals or requests for proposals and quotations.
- Sending newsletters to which you have subscribed.
3.6 KPMG alumni network
When you register as an Alumni, we commonly process the following personal data:
- Data about our Alumni: Contact details (e.g., name, job title, work and private telephone numbers, work and private e-mail addresses, language, former job title within KPMG, period of employment at KPMG, other contact information you share with us).
- Sending newsletters: Contact details (e.g., name, job title, work and private telephone numbers, work and private e-mail addresses, other contact information you share with us).
Below we list the purposes for which we process the personal data listed:
- Pursuing the purpose of the alumni programme, in particular for the communication of target group-specific information about KPMG;
- Dispatch of newsletters;
- Invitations to events;
- To be contacted for business opportunities;
- Safeguarding our legitimate interests, e.g. traceability, identification, as well as processing, administration, planning, addressing.
3.7 Benefactors of the KPMG Foundation and employees of beneficiary institutions
When you contact us, we process the following personal data in particular:
- Contact details (e.g. name, job title, work and private telephone numbers, work and private e-mail addresses, other contact information that you share with us).
- Financial data (e.g. financial institution, account details, etc.).
We process the personal data listed for the following reasons:
- Pursuit of the KPMG Foundation's purpose, in particular the organisation of donations for innovative projects in the areas of culture, education and social affairs (socially excluded persons, the disabled and people in need).
- Safeguarding our legitimate interests, e.g., traceability, identification, processing and administration.
- Fulfilment of the KPMG Foundation's donation commitment to the beneficiary institutions.
3.8 Other persons in contact with KPMG
KPMG may process personal data of employees of public authorities or other persons who are in contact or come into contact with KPMG. This includes, for example, contacting journalists regarding market insights, corporate news, invitations to press conferences, or highlighting messages that may be of interest on specific industry topics.
The type of personal data may vary depending on the context of your contact with us.
4. What lawful reasons do we have for processing personal data?
We may rely on the following lawful reasons when we collect and use personal data to operate our business and provide our products and services:
- Contract: We may process personal data in order to fulfill our contractual obligations.
- Consent: We may rely on your freely given consent at the time you provided your personal data to us.
- Legitimate interests: We may rely on legitimate interests based on our evaluation that the processing is fair, reasonable and balanced. These interests include:
- Delivering services and products – To deliver the services and products our clients have engaged us to provide.
- Marketing – To deliver timely industry insights and professional knowledge, offerings and invitations we believe are welcomed by our business clients, prospects, subscribers and other individuals.
- Legal obligations and public interest: We may process personal data in order to meet regulatory and public interest obligations or mandates.
5. Do we share personal data with third parties?
We may share personal data with trusted third parties to help us deliver efficient and quality services and products. These recipients are contractually bound to safeguard the data we entrust to them. We may engage with several or all of the following categories of recipients:
- Member firms of the KPMG network, where necessary for administrative purposes (e.g. hosting and supporting IT applications, performing client conflict checks, HR support functions) and to provide professional services to our clients (e.g. when providing services involving advice from KPMG member firms in different territories).
- Third parties that support us as we provide our services and products (e.g. providers of telecommunication systems, mailroom support, IT system support, archiving services, document production services and cloud-based software services, scanning services).
- Our professional advisers, including lawyers, auditors and insurers.
- A potential buyer, transferee, merger partner or seller and their advisers in connection with an actual or potential transfer or merger/acquisition of part or all of our business or assets, or any associated rights or interests.
- Payment service providers.
- Marketing service providers.
- Law enforcement or other government and regulatory agencies (e.g. FAOA, FINMA) or other third parties as required by, and in accordance with, applicable law or regulations.
- Recruitment service providers.
6. Do we transfer your personal data to recipients outside Switzerland or Liechtenstein?
We store personal data on servers mainly located in Switzerland, in the European Union and in some cases in Liechtenstein.
We may transfer personal data to KPMG International, KPMG member firms (a list of all KPMG member firms can be found here) and carefully selected third parties situated within or outside Switzerland and Liechtenstein, wherever we consider such cooperation reasonably necessary to support our business activities.
KPMG engages with KPMG Delivery Centers located in Romania, Poland, Hungary and India to provide service delivery support.
Furthermore, KPMG works with service providers within and outside Switzerland (India, Romania, Poland and Hungary) who supply products or provide services to KPMG, including IT providers who have no direct connection to the provision of services, but who are occasionally granted access to personal data in order to process it on behalf of KPMG.
Each organization is required to safeguard personal data in accordance with our contractual obligations and applicable data protection legislation. Possible protective measures are the transfer to countries in which an adequate level of protection is provided according to Annex I to the Data Protection Regulation of August 31, 2022, the application of data protection model clauses/contracts or other measures that ensure adequate protection of personal data.
7. What are your data protection rights?
If KPMG processes personal data about you, you have the rights listed below. Before responding to your request, we may ask for proof of identity. This helps us to ensure that personal data is not disclosed to any person not authorized to receive it. We may also ask you for sufficient information about your interactions with us so that we can locate your personal information.
- Access: You can ask us to verify whether we are processing personal data about you, and if so, to provide more specific information.
- Correction: You can ask us to correct our records if you believe they contain incorrect or incomplete information about you.
- Erasure: You can ask us to erase your personal data after you withdraw your consent to processing or when we no longer need it for the purpose it was originally collected and no retention requirements exist.
- Processing restrictions: You can ask us to temporarily restrict our processing of your personal data if you contest the accuracy of your personal data, or prefer to restrict its use rather than having us erase it.
- Data portability: In some circumstances, where you have provided personal data to us, you can ask us to transmit that personal data in electronic form if technically feasible.
- Automated individual decision-making: You can ask us to review any decisions made about you that we made solely based on automated processing, including profiling, that produced legal effects concerning you or that significantly affected you.
- Right to object to marketing, including profiling: You can object to our use of your personal data for marketing purposes, including profiling. We may need to keep some minimal information to comply with your request to cease marketing to you.
- Right to object to active sourcing: You can object to our use of your personal data for active sourcing purposes. We may need to keep some minimal information to comply with your request to cease recruiting activities.
- Right to withdraw consent: You can withdraw your consent that you have previously given to one or more specified purposes for processing your personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent. It may mean we are not able to provide certain products or services to you and we will advise you if this is the case.
Please direct any inquiries regarding your personal information to:
KPMG AG
Data Protection Officer
Badenerstrasse 172
P.O. Box 8036
Zurich
Switzerland
DPO@kpmg.ch
We aim to respond within 30 days from the date we receive privacy-related communications.
No fee is required to make a request unless your request is clearly unfounded or excessive. Depending on the circumstances, we may be unable to comply with your request based on other lawful grounds.
If you have any concerns regarding our handling of personal data, you can also contact the relevant data protection supervisory authority:
- Switzerland: Federal Data Protection and Information Commissioner
- Liechtenstein: Data protection authority in Liechtenstein
8. How is personal data protected?
We have put appropriate technical and organizational security policies and procedures in place to protect personal data (including special categories of personal data) from loss, misuse, alteration or destruction. KPMG’s protection of client data in relation to the provision of professional services, including individuals, processes and technology for the development, deployment and support of the data processing infrastructure, is certified according to ISO 27001:2013. We limit access to personal data in general. Those individuals who have access to personal data are required to maintain the confidentiality of such information. We may apply pseudonymization, de-identification and anonymization techniques in efforts to further protect personal data.
If you have access to parts of our websites or use our services, you remain responsible for keeping your user ID and password confidential. Please be aware that the transmission of data via the internet is not completely secure. Whilst we do our best to try to protect the security of your personal data, we cannot ensure or guarantee the security of your data transmitted to our website; any transmission is at your own risk.
9. How long do we keep personal data?
We retain personal data to provide our services, offer proposals, stay in contact with you and to comply with applicable laws, regulations and professional obligations that we are subject to. We retain personal data for so long as the personal data is needed for the purposes for which it was collected or in line with legal and regulatory requirements or contractual arrangements. As a rule, the statutory retention period is ten years from the end of the business relationship. We will dispose of personal data when we no longer need it.
10. Have you read the further information on the use of cookies on our website and on the use of links to other websites?
In some instances, KPMG and its service providers use cookies, web beacons and other technology to automatically collect certain types of information when you visit us online, as well as through emails that we may exchange. The collection of this data allows us to customize your online experience, improve the performance, usability and effectiveness of KPMG’s online presence, and to measure the effectiveness of our marketing activities. Generally, this data is not considered to be personal data. On websites where cookies are used, a statement will be sent to your browser explaining the use of cookies. For more information, please see the detailed information in our cookie banner, which you can view at any time via ‘Cookie-Settings’ (see footer).
We use the following third-party services to monitor and analyse your utilization of our website, along with other digital services:
- Adobe Analytics
The provider is Adobe Systems Software Ireland Limited, based in Ireland.
Further data protection information can be found at: Adobe Data Protection Centre.
- Adobe Campaign
The provider is Adobe Systems Software Ireland Limited, based in Ireland.
Further data protection information can be found at: Adobe Data Protection Centre.
- Facebook
The provider is Meta Platforms Ireland Limited, based in Ireland.
Further data protection information can be found at: Meta Privacy Policy.
- Google Analytics
The provider is Google Ireland Limited, based in Ireland.
Further data protection information can be found at: Privacy Policy - Google. You can find an opt-out option at: Download page for the browser add-on to deactivate Google Analytics.
- Google Tag Manager
The provider is Google Ireland Limited, based in Ireland.
Further data protection information can be found at: Privacy Policy - Google.
- Google Ads
The provider is Google Ireland Limited, based in Ireland.
Further data protection information can be found at: Privacy Policy - Google.
- Instagram
The provider is Meta Platforms Ireland Limited, based in Ireland.
Further data protection information can be found at: Meta Privacy Policy.
- LinkedIn
The provider is LinkedIn Ireland Unlimited Company, based in Ireland.
Further data protection information can be found at: LinkedIn Privacy Policy.
Our websites will typically contain links to other sites, including sites maintained by other KPMG member firms that are not governed by this Privacy Notice. Please review the destination websites’ privacy policies before submitting personal data on those sites. Whilst we try to link only to sites that share our high standards and respect for privacy, we are not responsible for the content, security or privacy practices employed by other websites.
11. Do we make changes to this Privacy Notice?
We regularly review this Privacy Notice and will post any updates to it on this web page. This Privacy Notice was last updated October 1, 2024.