General Privacy Statement on the Protection of the Privacy of Personal Data
1. Foreword
In accordance with Law n°1.565 of the 3rd December 2024 and the General Data Protection Regulation (EU) 2016/679 ("GDPR"), KPMG is committed to the protection and confidentiality of personal data.
The terms "KPMG", "we", "us" and "our" refer to KPMG GLD et Associés S.A.M. ("KPMG GLD et Associés Monaco" or "KPMG Monaco"), a Monegasque public limited company that is a member of the KPMG network of independent firms affiliated with KPMG International Limited ("KPMG International"), a private company limited by guarantee under English law, and/or KPMG Multi Family Office S.A.M. ("KPMG Multi Family Office", "KPMG MFO Monaco" or "KPMG Monaco"), a Monegasque public limited company, member of the KPMG network of independent firms affiliated with KPMG International Limited ("KPMG International"), a private company limited by guarantee under English law.
KPMG Monaco is committed to preserving the confidentiality of data and protecting the data entrusted to it. As part of its fundamental obligations, KPMG is committed to implementing an adequate level of protection for the personal data collected.
Please review this Data Privacy Statement to learn more about how we collect, use, share, and protect personal data obtained from you.
1.1. Scope and Limitations of this Policy
In view of the amount of information we wish to share with you and the sheer diversity of activities and services offered by KPMG, we have included most of the information relating to the processing of your personal data in this policy.
Depending on the case and to ensure a high level of accuracy, additional information may be provided to you through other media:
- Our online privacy statement provides visitors to our websites with comprehensive information about the personal data collected during their browsing.
To view our online privacy statement, click here.
- A memo available to all KPMG employees and partners to provide them with complete information on the collection and use of their personal data.
- If a client subscribes to one of the services offered by KPMG, detailed information is provided in the contract signed by both parties.
- When KPMG uses suppliers or service providers, both parties sign an agreement on data processing.
1.2. Who processes your personal data
Personal data is any information that relates to you as an individual. You are identifiable once such data is collected.
We share your personal data with other KPMG network member entities in connection with international commitments and with KPMG International and other member entities when necessary or desirable to comply with our legal and regulatory obligations around the world.
When performing our engagements, KPMG acts as Data Controller. Consequently, we determine the main objective for use of your personal data and the means for achieving that objective.
During some engagements, KPMG may use suppliers or service providers who will act as Processors. As part of some of its missions, KPMG may be required to act as a Data Processor within the meaning of the provisions of Articles 4 and 28 of the GDPR and Chapter IV of Law n°1.565. KPMG will then process your personal data on behalf of the Data Controller and on its instructions only. Appropriate technical and organisational measures are implemented in such a way that the processing meets the requirements of the GDPR and Law n°1.565 by guaranteeing your rights. A contract governs our relationship with the Controller and incorporates all the provisions required under Article 28 of the GDPR and Article 26 of Law n°1.565.
2. Categories of data subjects
2.1. Visitors to our website
When you visit our websites, we collect your personal data, either through cookies or "trackers", or through forms when you register for events we organise, subscribe to a newsletter, or make requests for information.
To view our online privacy policy, click here.
2.2. Visitors to our premises
2.2.1. Purposes
Why do we collect your personal data when you visit our premises?
In this case, your personal data is collected by KPMG to:
- Ensure the security of property, people and confidential information at our premises (video surveillance),
- Exercise and defend the rights of Data Subjects and KPMG,
- Control access to our offices and meeting rooms,
- Protect our information system when you sign on to KPMG's Wi-Fi.
Physical security policies and standards comply with regulations in force and KPMG network standards.
2.2.2. Legal basis for processing
What gives us the authorisation to collect your personal data when you visit our premises?
In accordance with Article 6 of the GDPR and Article 5 of Law n°1.565, the collection of your personal data by KPMG is based on a legitimate interest to:
- Ensure the security of property, people and confidential information within our premises,
- Identify and prevent criminal activity,
- Establish, exercise and defend legal claims.
2.2.3. Categories of Personal Data
What information do we collect when you visit our premises?
To control access and ensure the security of property, people and confidential information within its premises, KPMG collects:
- Your first name and surname,
- The date and time of your visit,
- Your IP address and browsing history when using our Wi-Fi network,
- Video surveillance footage.
Each item of personal data mentioned above is strictly necessary to achieve the objectives defined.
Information boards are placed at the entrance of each area under video surveillance.
2.2.4. Categories of data recipients
Who can access the data we collect when you visit our premises?
The following persons are authorised to access your personal data when you visit our premises:
- Law enforcement officials and legal authorities in the event of disputes or incidents,
- Authorised KPMG personnel in the event of disputes or incidents,
- KPMG Network teams, including staff with access to authentication portals when you sign onto Guest Wi-Fi,
- Authorised third parties, in the event of disputes or incidents and in connection with equipment maintenance, in accordance with their remit.
Access to video surveillance footage and data is strictly limited to individuals with regularly revised, restricted authorisation.
2.3. Job Applicants
2.3.1. Purposes of data processing
Why do we collect your personal data when you apply to our job offers?
When looking for new talent and examining job applications, we collect and process information relating to you.
In this case, KPMG collects your personal data to:
- Evaluate your ability to occupy the position being offered,
- Assess your professional skills,
- Communicate with you by telephone, email or post,
- Perform analyses and statistics and prepare reports on the use of our tool,
- Build a CV bank,
- Contact you to invite you to apply for an offer corresponding to your profile.
The recruitment process may take place through:
- Direct contact with you,
- Specialised employment agencies,
- Campaigns at higher education institutions.
If your application is accepted and we agree to propose a formal offer of employment, KPMG may use all previously sent information relating to you to that end, in compliance with applicable laws and regulations.
2.3.2. Legal basis for processing
What gives us the authorisation to collect your personal data when you apply for one of our employment opportunities?
In accordance with Article 6 of the GDPR and Article 5 of Law n°1.565, the collection of your personal data by KPMG is based on:
- Precontractual measures taken at your request when you apply for our jobs, including in the Careers section at KPMG Monaco,
- Our legitimate interest in building our CV bank,
- Your consent to be contacted for a subsequent offer,
- Our legitimate interest in providing you with aptitude tests during the recruitment process, in order to assess the suitability of your profile for the position,
- Compliance with our legal obligation when we conduct pre-employment checks and make mandatory disclosures.
2.3.3. Categories of Personal Data
What information do we collect when you apply to our job offers?
The categories of personal data that we collect in the context of the search for new talent consist of identification data such as surname(s) and first name(s), contact details (your email address, postal address, telephone number), data relating to your professional background and experience (employment, function, position held), your education (degrees and certificates), your written and oral proficiency in one or several foreign languages, data on your current remuneration and your salary expectations.
If we are interested in your application and offer you an employment contract, we will collect data for which we have a legal obligation under labour law, such as your Social Security number and information relating to any disabilities you may have. We may also ask you to provide us with a criminal history report to preserve the security and integrity of KPMG. The document will be destroyed immediately after it is read, unless there is a regulatory obligation to retain it.
In the Careers section of our website, you can complete your application by providing additional information such as reference letters or the contact details of references, along with your CV, a cover letter, previous employment certificate or your photograph. When you provide the personal data of a third party in our tool, it is your responsibility to obtain their prior consent.
Throughout the process, it is your responsibility to ensure that the data you provide is accurate, complete and up to date. If it is not, you could be disqualified from the position to which you are applying.
2.3.4. Categories of data recipients
Who can access the data we collect when you apply for our job offers?
The following persons are authorised to access your information in connection with your application:
- Individuals involved in the recruitment process who are so authorised at KPMG (recruitment department, future manager and his or her team),
- Our suppliers, partners and service providers (recruitment agencies, language test providers, spelling test providers),
- Social security agencies, if your application is chosen and an employment contract is drafted (declaring the intent to hire).
If our suppliers, partners and/or service providers access your personal data, we draft an agreement to ensure that adequate security measures and appropriate safeguards are set up. When you send us your personal data, you consent to their transfer.
2.4. KPMG Partners and Employees
Data we collect in the recruitment process described above may be used as follows, and additional data may be requested to:
- File declarations required under French labour law,
- Verify the personal independence of our partners and employees,
- Handle payroll and all related filings,
- Organise our work, and engagements in particular,
- Assess performance and propose training programs,
- Ensure the safety of people and access to our premises.
The processing operations that we carry out throughout your employment with KPMG are detailed and presented in an information leaflet given to employees and partners upon hiring. This information leaflet is revised whenever necessary and, in any case, presented annually to partners and employees when they sign their annual compliance statement.
2.5. Suppliers, Partners and Service Providers
2.5.1. Purposes of data processing
Why do we collect your personal data?
When entering into agreements with our suppliers, partners and service providers, KPMG may process their personal data if they are natural persons, or their employees’ personal data, for the following purposes:
- Manage the business relationship,
- Provide services and support,
- Perform internal and external communication actions,
- Administer, manage and develop digital tools and solutions,
- Administer, manage and develop our activities and service offers,
- Ensure information system security, risk management and quality control,
- Meet our legal, regulatory and ethics obligations,
- Establish, exercise and defend the rights of KPMG before the competent courts.
2.5.2. Legal basis for processing
What gives us the authorisation to collect your personal data?
In accordance with Article 6 of the GDPR and Article 5 of Law n°1.565, the collection of your personal data by KPMG is based on:
- The contract you signed with KPMG,
- The legitimate interest of KPMG in managing payments, expenses, fees and collecting amounts owed to it,
- KPMG's legal obligation to prevent all conflicts of interest, and more generally to ensure compliance with ethical rules and applicable law and regulations,
- KPMG’s legitimate interest in exercising its rights before the competent courts.
2.5.3. Categories of Personal Data
What data do we collect?
The personal data of our suppliers, partners and service providers that we process comprise identification data (surnames and first names), professional data (position held), contact details (email address, telephone number, workplace), and financial data.
KPMG reserves the right to process any other type of personal data required to execute our contracts. For an exhaustive list of the types of data processed, please refer to your contract with KPMG.
2.5.4. Categories of data recipients
Who accesses the data we collect?
The Recipients of the personal data of our suppliers, partners and service providers are:
- KPMG employees and partners involved in executing the agreement,
- Where applicable, employees and partners of Member Firms within the KPMG network and KPMG International Limited, as well as external service providers and employees or any experts who need to process the Client's personal data for the above-mentioned purposes,
- KPMG suppliers, in order to provide their services and in strict compliance with the technical and organisational security measures determined by KPMG.
These Recipients are subject to strict confidentiality and security obligations.
KPMG may be required to share personal data at the request of legal and/or administrative authorities, particularly if a warrant is served. KPMG may also share personal data to audit personal data privacy or security and/or to look into or respond to a complaint regarding, or threat to, KPMG's information system.
KPMG may also transfer personal data to a third party in the event of restructuring, sale or any other transfer of the business to which the personal data relates.
2.6. Prospects
2.6.1. Purposes
Why do we collect your personal data when you are a prospect?
KPMG collects your personal data to:
- Send you information on our services, through newsletters or marketing activities in line with your business and your preferences,
- Invite you to events that we are organising,
- Inform you of training opportunities,
- Administer and manage the new client acceptance process.
2.6.2. Legal basis for processing
What authorises us to collect your personal data when you are a prospect?
In accordance with Article 6 of the GDPR and Article 5 of Law n°1.565, KPMG is authorised to collect your personal data based on:
- Your consent given when you fill out a form on one of our websites or sign up for a newsletter,
- Our legitimate interest in providing information on our service offers, events and training courses,
- Our legal obligation to evaluate our new customers.
2.6.3. Categories of Personal Data
What information do we collect if you are a prospect?
To inform you about our service offerings, events and training, KPMG collects:
- Your surname,
- Your first name,
- Your contact details (personal and/or professional email address),
- Your telephone number (personal and/or professional),
- The name of your employer or the organisation with which you are associated,
- Your function,
- Your date of birth as part of the process of accepting a new client,
- Your criminal record (criminal convictions and offences) as part of the process of accepting a new client,
- Your responses to invitations and confirmations of participation in events,
- Any other optional personal data that you provide to us as part of our prospecting actions or subscribing to one of our newsletters.
Each item of personal data mentioned above is strictly necessary to achieve the objectives defined.
No sensitive data under Article 9 of the GDPR and Article 2 of Law n°1.565 is collected intentionally. However, you may send us such data in connection with your participation in our events (e.g. a special diet that reveals your religious affiliation or possible food allergies). The processing of personal data relating to criminal convictions and offences (Article 10 of the GDPR and Article 80 of Law n°1.565) is necessary for compliance with our legal obligation in the fight against money laundering and terrorist financing.
2.6.4. Categories of data recipients
Who accesses the data we collect when you are a prospect?
The personal data that you provide us with to be informed of our service offers, events and training may be accessed by:
- Authorised persons in our Marketing and Communication department in the context of sending communications (service offers, events, training courses),
- Our e-learning and event partners,
- Government bodies and public authorities, in the case of training delivered by KPMG.
The personal data we collect as part of the new customer acceptance process may be accessed by:
- Authorised personnel in our Risk Management department,
- KPMG's Management and Board of Directors,
- KPMG network member entities,
- AMSF, in connection with a report of suspicion of an offence.
2.7. Clients
2.7.1. Purposes
Why do we collect your personal data when you are a client?
KPMG offers clients a broad range of services, including audit, chartered accounting, statutory audit, advisory, international support and training.
Please note that any data you provided when you were a prospect can be used and supplemented in order to build our relationship once you are a client.
If you enter into a contract with KPMG, your personal data may be collected to:
- Provide the services outlined in the contract,
- Carry out IT support and administration activities in connection with our engagements (email system, support applications for our business lines),
- Manage accounting and financial matters, including billing for our services,
- Conduct marketing and business development initiatives (including satisfaction polls, email campaigns relating to our service offers, events and training sessions),
- Manage your attendance at KPMG events and training,
- Generate statistics,
- Administer and manage the client renewal process,
- Provide on-call assistance,
- Reply to requests from the competent authorities,
- Exercise our rights before the competent authorities.
In connection with certain services, KPMG may collect and use the personal data of your employees, suppliers and clients. As this data is collected indirectly, it is the client’s responsibility to inform the Data Subjects of the processing of their personal data in accordance with the regulations. For example, we may collect the data of these individuals in connection with our engagements:
- Audit and statutory auditing,
- Chartered accounting,
- Outsourced payroll management,
- Advice and support, including tax support,
- Legal support.
2.7.2. Legal basis for processing
What gives us the authorisation to collect clients’ personal data?
In accordance with Article 6 of the GDPR and Article 5 of Law n°1.565, KPMG is authorised to collect your personal data based on:
- Our legitimate interest in providing the contractually agreed services and creating the right conditions for the proper performance of our engagements,
- Our legitimate interest in communicating with you to provide information, organise events and for direct marketing purposes,
- Our legal, regulatory or ethical obligations (including providing information to a government body, fighting against money laundering and the financing of terrorism).
2.7.3. Categories of Personal Data
What information do we collect when you are a client?
To provide the contractually agreed services and create the right conditions for the proper performance of our engagements, KPMG collects:
- Your identity data (surname, first name, gender, date of birth, postal address, etc.),
- Your contact details (personal and/or work email address, phone number, etc.),
- Data relating to your professional activity (name of the organisation, department, function, seniority, absences, sick leave, information relating to occupational insurance and pensions, etc.),
- Your financial data (data relating to salary, taxes, investments, etc.),
- Any other personal data, concerning you or third parties, that you provide us with that is necessary for the provision of our services or pre-contractual exchanges (spouse, number and age of dependent children, etc.).
For an exhaustive list of the types of data processed, please refer to your contract with KPMG.
2.7.4. Categories of data recipients
Who can access the data we collect when you are a client?
Personal data you send us to obtain the service requested can be accessed by:
- Authorised persons at KPMG for strictly internal use to carry out their engagements,
- External auditors in connection with their engagements,
- Our suppliers, partners and service providers,
- KPMG network member firms,
- Government bodies and public authorities.
3. Data retention periods
How long do we keep the data we collect?
The personal data collected or entrusted is kept for a period of time in accordance with the legal provisions governing KPMG's activities in Monaco, plus the limitation periods provided for by law.
At the end of the retention period, the documents or files are securely deleted in accordance with our policies.
4. Data transfers
Is your personal data transferred outside the European Economic Area (EEA) or out of countries listed as adequate?
KPMG favours the European Economic Area (GDPR) and countries listed as adequate (Law n°1.565: list of countries with an adequate level of protection) for the processing of personal data entrusted to it.
The personal data entrusted to us may, however, be transferred to:
- Other member firms of the KPMG international network
There are KPMG member firms in more than 150 countries around the world. They may receive your personal data for administrative reasons or to carry out some of our services. As a result, your personal data may be transferred to countries that are not listed as adequate and do not offer a level of protection recognised as adequate by the APDP.
In the event of such a transfer, KPMG is committed to complying with the appropriate safeguards set forth in Article 46 of the GDPR and Article 98 of Law n°1.565 by means of a document ratified by the entire KPMG network and providing a framework for transfers within the KPMG network. The document reflects the regulatory requirements modified by the “Schrems II” ruling, including the modernised standard contractual clauses for data transfers released by the European Commission on 4 June 2021, and resulting requirements such as Transfer Impact Assessments.
To learn more about the entities that are members of the KPMG international network, click here.
- Our suppliers, partners and service providers
In the context of the performance of the services, KPMG may share your personal data with suppliers, partners and service providers (e.g. suppliers of IT technologies, cloud hosting solutions, website maintenance). If these third parties are located outside the European Economic Area, your personal data may be transferred to a country that does not offer a level of protection deemed sufficient by the European Commission.
In the event of such a transfer, KPMG is committed to complying with the appropriate safeguards set forth in Article 46 of the GDPR and Article 98 of Law n°1.565, including the standard contractual clauses adopted and published by the APDP.
Finally, if the agreement between us stipulates that personal data entrusted to us must be located in a certain geographical region, we undertake not to modify it without your prior agreement.
5. Automated decision-making
Are any wholly automated decisions made using your personal data?
A wholly automated decision is one based solely on algorithms applied to your personal data, without any human involvement.
No personal data processing at KPMG envisages wholly automated decision-making. Although algorithms may be occasionally used to facilitate decision-making, KPMG systematically re-examines the final decision to ensure it is sound, fair and objective.
Should an automated decision-making process be set up, when KPMG collects your data, and at any other moment upon your request, KPMG undertakes to inform you of the process, the rationale behind it, and foreseen consequences. You would also have the right to human involvement to express your viewpoint and dispute the decision.
6. Security measures
How do we protect your personal data?
KPMG has put in place reasonable security procedures and policies to protect personal data from unauthorised misuse, loss, alteration or destruction. Despite all the efforts made by KPMG, absolute protection against all threats cannot be provided. We strive to ensure that access to your personal data is limited to only those who need to know it. Persons with access to the data are obliged to treat them confidentially.
Additionally, to guarantee a high level of data protection, KPMG systematically analyses the risks pertaining to all personal data processing operations implemented. If it finds data processing operations that are likely to result in a high risk to your rights and freedoms, KPMG conducts an in-depth analysis to reduce the level of risk and guarantee your privacy. This analysis is called a “data protection impact assessment” (DPIA), as described in Article 35 of the GDPR and Article 35 of Law n°1.565.
7. Exercising your rights
What are your rights to control your personal data and how can you exercise them?
What are your GDPR rights?
In accordance with the regulation in force, KPMG enables you to exercise your rights:
- Right of access (Art. 15 of the GDPR)
You can ask us whether or not we have any data concerning you, and to send it to you to verify the content and whether or not it is accurate.
- Right to rectification (Art. 16 of the GDPR)
You can ask us to rectify incorrect or incomplete information concerning you.
- Right to erasure or “right to be forgotten” (Art. 17 of the GDPR)
You can ask for personal data concerning you to be erased.
- Right to restriction of processing (Art. 18 of the GDPR)
You can ask for the use of some of your personal data to be temporarily suspended.
- Right to data portability (Art. 20 of the GDPR)
You may receive part of your data in an open, commonly used format in order to transfer it to a third party of your choice, in order to reuse it for other purposes.
- Right to object (Art. 21 of the GDPR)
At any moment, you may object to KPMG's use of some of your data.
- Right to withdraw consent (Art. 7 of the GDPR)
If KPMG uses your personal data with your prior consent, you may withdraw this consent at any time. After you withdraw your consent, KPMG will no longer use your data.
- Right to “digital death” (Art. 85 of the French Act on Data Processing, Data Files and Individual Liberties)
You can give instructions regarding the storage, erasure and communication of your personal data after your death.
- Right to file a complaint with the CNIL (Art. 12 GDPR)
What are your rights under Law n°1.565 (Chapter 3)?
- Right to information: a person must be informed in a clear and comprehensible manner about the use of his or her personal data, i.e. what data is collected, by whom and for what purpose.
- Right of access: a person may ask a controller to confirm that personal data concerning him or her has been processed, and if so, to provide it in a legible and understandable form (copy of the personal data being processed).
- Right to rectification: a person may request, upon providing supporting documents, that data that is inaccurate or incomplete be rectified or completed.
- Right to erasure: a person may obtain, in cases precisely defined by law, that his or her data be erased, whether or not it is public.
- Right to restriction of processing: a person can report certain personal data to the controller so that they are temporarily no longer processed, except for their storage.
- Right to object: a person may object to his or her data being used by a controller for a specific purpose, for example when the processing is based on a reason of public interest or the legitimate interest of the controller. To do so, the person must put forward "reasons relating to his or her particular situation", except in the case of commercial prospecting, which he or she can oppose without giving a reason.
- Right to data portability: a person may, under certain conditions provided for by law, obtain from a data controller the personal data that he or she has provided in a structured, commonly used and machine-readable format. In this way, the person will be able to easily reuse this data and, if he or she wishes, have the data transmitted to another controller.
- Right not to be subject to an automated individual decision: a person may not be subject to a decision that is based exclusively on automated processing, without any human intervention when the decision produces legal effects with regard to the data subject or significantly affects him/her.
In the event that you become aware of a breach in the processing of your personal data, we invite you to contact us at mc-privacy@kpmg.mc so that KPMG can process your request as soon as possible. In any event, you have the right to file a complaint with the personal data protection authority (APDP) in Monaco.
How to exercise your rights?
- You can exercise your rights and send us a complaint through our dedicated form, at mc-privacy@kpmg.mc.
- If you have any questions or comments about this Privacy Policy, you can contact our Data Protection Officer at mc-privacy@kpmg.mc.
What are KPMG's rights and obligations?
KPMG has one month to reply after it receives your request to exercise a right. It is possible to extend this period in certain justified circumstances. If this happens, we will inform you of the delayed reply and explain why within one month of receiving your request. When you make your request, you will be asked to provide ID to keep your data secure and confidential.
KPMG may reject your request to exercise your rights in the cases provided for in the regulations (unfounded request, infringement on third party rights, compliance with a confidentiality obligation, etc.). If this happens, we will explain our refusal.
Finally, KPMG reserves the right not to reply to requests that are manifestly unfounded or excessive because of their number or repetitive or systematic nature.
8. Changes and Updates
This privacy policy may be modified to reflect our current data privacy practices. The date of the latest update is shown at the top of this page. The latest version of the privacy policy is binding.