Data protection information for the KPMG Direct Services Portal of KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG)

Last updated in February 2019

Our services are based on trust. For an accounting firm such as KPMG the protection of personal data (data protection) is a primary concern. KPMG observes all applicable data protection laws and continuously strives to improve data protection. KPMG is the controller for processing the personal data on these websites as defined by the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act [BDSG].

KPMG Direct Services is a web platform made available by KPMG for web-based services, providing our clients with fast, easily accessible solutions for all essential transformation issues. This particularly also includes our catalogue of services in the area of tax advisory. KPMG Direct Services helps you find suitable services quickly for an array of tasks, clarify their details, and submit a request swiftly.

The following data protection policy is to inform you about how we process personal data on the KPMG Direct Services website of KPMG and about the rights of data subjects.

 


This privacy statement exclusively applies to the collection, processing and use of personal data in the KPMG Direct Services Portal.

The general data protection policy for processing personal data in the course of our general business activities and services (e.g. assessments/events), which can be commissioned via KPMG Direct Services, can be downloaded here.


1. Who is responsible for data processing on this website?

KPMG Wirtschaftsprüfungsgesellschaft AG
Klingelhöferstr. 18
10785 Berlin

Telefon:  +49 30 2068 - 0
Fax:  +49 30 2068-2000
Email:  information@kpmg.de

2. How can the data protection officer be reached?

Either using the postal address provided under item 1 or by email:
de-datenschutz@kpmg.com

3. For what purpose do we process your data on this website and on what legal basis?

KPMG collects and uses personal data for making the website and our information and services available in accordance with Article 6 (1)(a) to (f) of the European General Data Protection Regulation (GDPR), i.e. to the extent permissible under the GDPR or another regulation or if the user (data subject) has given consent to the processing.  Legally standardised data protection contracts are agreed with all service providers which we use as processors pursuant to Article 28 EU GDPR and the service providers first undergo an IT security assessment.

In addition, KPMG processes personal data collected when visiting this website as follows:

a) Log files

Each time our website is visited, log files are automatically saved based on our legitimate interest pursuant to Articles 6 (1)(f) EU GDPR. These log files contain information on the computer visiting our website, e.g. information on the type of browser, the operating system used, the internet service provider, the IP address, date and time of access.
It is necessary to store this data in order to be able to make our website available to users for the duration of the visit. We also use this data to optimise our website and to ensure the security of our IT systems. The log file data is deleted as soon as it is no longer required for the specified purposes.

b) Registration for KPMG Direct Services

It is initially possible to use the publicly accessible website of KPMG Direct Services without providing personal data.
If you want to use KPMG Direct Services as a client to commission services, it is necessary to register, which requires personal data. 
On first-time registration, a password-protected personal account and access to the internal pages of KPMG Direct Services are set up. This requires your surname, first name and (business) email address.
Registration also requires the provision of company information (e.g. company name, legal form, invoicing address), which usually is not related to a particular person. This information is used for client identification and verification purposes.
KPMG collects, stores and processes your personal data for the entire user administration of KPMG Direct Services.
On registration, login and use of the user account, the user's IP address and time of login are also logged. A legitimate interest pursuant to Article 6 (1)(f) EU GDPR is pursued by KPMG for security reasons (e.g. protection against abuse, unauthorised use).

c) Commissioning of services via KPMG Direct Services

When services are commissioned via KPMG Direct Services, the personal data required for the proposal to be submitted and reviewed is processed based on Article 6 (1b) respectively Article 6 (1f) EU GDPR. Further information on data protection for the processing of personal data as part of general business activities and services provided by KPMG that can be commissioned via KPMG Direct Services can be downloaded here. If you would like to commission services from KPMG Direct Services which are not provided by KPMG (e.g. services provided by KPMG Law Rechtsanwaltsgesellschaft mbH), the data will be forwarded to the service provider to the extent necessary.

d) Newsletters, mailings, downloads

We make a wide range of newsletters, mailings and downloads available on KPMG's web pages based on the user's consent pursuant to Article 6 (1)(a) EU GDPR in conjunction with Section 7 (2)(3) of the German Act Against Unfair Competition [UWG] where applicable. We can also send certain information to data subjects by email as permitted by law (Section 7 (3) UWG) depending on the circumstances.
Registration for newsletters and mailings on specific topics and download of certain KPMG documents (e.g. studies) requires the user's name and email address. Registration or download also gives KPMG permission to log future visits of our website by a user for that specific person, in order to be able to provide this user with subject-specific information that is targeted to his or her personal interests (e.g. current studies, surveys). To this end, we use a cookie of our service provider Hubspot to log the individual KPMG web pages and topics which a registered user looks at during a visit (see also below under item 3e (3)).
After registration for newsletters, mailings or downloads on the KPMG website each user receives confirmation by email sent to the specified email address (so-called double opt-in procedure). Registration is only complete once confirmation has been received via the link provided in this email.
Consent to receive newsletters, mailings or downloads once given can be withdrawn at any time via the link at the end of each email or by sending a message to the KPMG mailbox de-webteam@kpmg.com.
Registrations for newsletters, mailings or downloads are logged on the basis of our legitimate interest to the able to proof a user's consent at any time (Art. 6 (1)(f) EU GDPR).
Should you not have used our range of services in any form during a specific year, you will be considered not interested and therefore will be automatically deleted from Hubspot.

e) Contact form

To request further information, we will make contact forms available for you at various locations on our website which you can use to contact us directly. We will process the personal data (e.g. name, email address) entered there in accordance with legal provisions for processing the request pursuant to Article 6 (1)(b) or Article 6 (1)(f) EU GDPR.

f) Cookies and analytics

KPMG uses cookies to improve presentation and navigation. A cookie is a text file that is sent by the web server to the browser. This file contains the URL that was visited as well as the date of the visit and an expiry date which determines the period of activity of the cookie. Cookies are used by KPMG on the one hand to determine the pages of KPMG's website that are visited most frequently and on the other to allow the user to save his or her personal settings so that these are available again on the next visit of the page. A cookie banner appears on internet pages in which cookies are used about the use of cookies.

KPMG uses cookies based on a legitimate interest pursuant to Article 6 (1)(f) EU GDPR. Each user has the fundamental choice to accept or reject cookies. Each browser can be set such that users are notified when they receive a cookie or cookies can be generally rejected in the browser settings.

If cookies are generally rejected, it is possible that not all website functions can be fully used. Further information on handling cookies can be found on the help pages of the browser used and also for example on the internet page: http://www.allaboutcookies.org/ge/.

The following table summarises the various types of cookies that we use on our website:

Purpose Description Storage period
Performance (e.g. user's browser) When using our website, cookies (e.g. to identify the browser) are used to improve performance (e.g. faster loading of content). Session cookies - are deleted on closing the browser.

Security cookies (e.g. aps.net)

If you register for pages with restricted access, these cookies will ensure that your devices will remain logged in for the duration of your visit. You will need a user name and password in most cases to access these pages.

Session cookies - are deleted on closing the browser.

Preferences

Our cookies can also remember your preferences, e.g. language settings. It is also possible to send you personalised greetings or content. This however exclusively refers to pages with restricted access, i.e. those requiring registration.

Session cookies - are deleted on closing the browser.

Analysis cookies

We use analysis cookies from third-party providers in order to understand how our visitors use our website. This helps us to improve the quality and content of our site. The aggregated statistical information includes data such as total number of visitors. Please see items III.2 and III.3 for further information.

Remain, but are automatically deleted after two years if the KPMG site was no longer visited.

Feedback from users of the website

We use a survey tool from an external provider to request feedback from some of the visitors of our website. The cookies ensure that the visitor is not invited to participate in the survey repeatedly.

The first cookie is placed when the visitor was not invited to participate to ensure that the visitor is not invited while visiting the pages.

The second cookie is placed when the visitor was invited to participate in the survey. This is to ensure that the visitor will not receive another invitation until 90 days later.

1st cookie

Is deleted on closing the browser.

2nd cookie

Is deleted automatically after 90 days or the invitation to the survey is shown.

Social media widgets

We use social media widgets to allow sharing of content via social media channels or email. When using these social media widgets, cookies can also be saved on your devices. However, how these cookies are saved depends entirely on the privacy policy of the social media provider concerned.

Remain, but are automatically deleted after two years if the KPMG site was no longer visited.

 

KPMG uses the following cookies and analytics tools of third-party providers on these web pages:

(1) Google Analytics

This website uses Google Analytics, a web analysis service of Google Inc. ('Google').
Google Analytics uses cookies, i.e. text files that are saved in the browser and allow analysis of use of the website by the user. The information generated by the cookie on use of this website is usually transferred to a Google server in the US and stored there. In the event of activation of IP anonymisation on this website, the user's IP address is first truncated by Google within member states of the European Union or other Contracting Parties of the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transferred to a server of Google in the US and truncated there. Google will use this information on behalf of the operator of this website to analyse use of these web pages, to compile reports on website activity and to provide further services related to website and internet use for the website operator.
The IP address sent by the browser used within the scope of Google Analytics is not combined with other Google data.
Each user can prevent the storage of cookies by means of browser settings; moreover, the collection and transmission of data generated by the cookie and relating to use of the website (including your IP address) to Google as well as processing of this data by Google can be prevented by downloading and installing the browser plug-in available at http://tools.google.com/dlpage/gaoptout?hl=en-GB
Furthermore, collection by Google Analytics can be prevented through confirmation of the following link. An opt-out cookie is then placed in the user's browser, which prevents future collection of data by Google Analytics when visiting this website: Deactivate Google Analytics
Please note also that on this website Google Analytics was expanded by the code 'anonymizeIp' in order to ensure anonymised collection of IP addresses (so-called 'IP masking').
Please visit http://www.google.com/analytics/terms/gb.html or https://www.google.de/intl/gb/policies/ for more information on terms of use and data protection.

(2) Conversion Tracking

On these web pages, further tools from third parties are used, which collect data for analysis, marketing and optimisation purposes in order to improve marketing measures and our web page. The data collected are used to link advertising contacts and clicks on advertisements with the subsequent use of these websites. In this way, it can be determined whether Internet users who have seen advertisements visit this website and which services they are interested in. The collected data can also be used to deliver advertisements based on your interests. For this purpose, pseudonymous online identification numbers (Online ID) such as Cookie IDs, IP addresses, Device IDs, Advertising ID / IDFA (e.g. on Android or Apple smartphones) are used. The data collected will not be used to personally identify users of this website or app without your consent. If you do not wish for your data to be recorded as described, you can object as described below, also in relation to the respective provider.

We currently use tools from the following providers:

- “Adform” of Adform A/S Wildersgade 10B, sal. 1 DK-1408 Copenhagen, Denmark. Under the following link you will find an explanation of how you can deactivate data collection on your computer or mobile device by Adform: https://site.adform.com/privacy-policy-opt-out/

- “The Trade Desk” of The UK Trade Desk Ltd. (Co. No. 8539108), 11th Floor Whitefriars Lewins Mead, Bristol, BS1 2NT. Under the following link you will find an explanation of how to disable data collection on your computer or mobile device: http://www.adsrvr.org/

- “Display & Video 360” from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Under the following link you will find an explanation of how to disable data collection on your computer or mobile device: https://support.google.com/ads/answer/7395996

- “Amazon Advertising Platform” of Amazon Online Germany GmbH, Marcel-Breuer-Straße 12, 80807 Munich, Germany. Under the following link you have the possibility to deactivate the data collection by Amazon on your computer or mobile device. To do this, activate the checkbox “Opt Out” in the displayed list under “Amazon Ad System”: http://optout.aboutads.info/?c=2&lang=EN

- “Google AdWords”. As Google AdWords customer, we also use Google Conversion Tracking, an analysis service of Google. Under the following link you have the possibility to deactivate the data collection by Google on your computer or mobile device: https://www.google.de/settings/ads

(3) Use of Hubspot

KPMG uses Hubspot, a service provided by Hubspot Inc., on its web pages for analysis purposes. Hubspot is certified under the EU-US Privacy Shield.
This involves the use of 'web beacons' as well as cookies, which are stored on your computer and which allow us to analyse your use of the website. Hubspot analyses the collected information (e.g. IP address, geographic location, type of browser, duration of visit and pages accessed) on behalf of KPMG in order to generate reports on visits and the visited KPMG pages.
If, as presented in item 3b, KPMG email news is subscribed and studies as well as other documents are received, with Hubspot, we can link a user's visits to KPMG websites also to personal information (mainly name/email address) based on consent, and thereby collect them for particular persons and inform users individually in a targeted manner on preferred topics.
If collection via Hubspot is not desired in general, the storage of cookies can be prevented at any time through browser settings (see above under item 3c).
Further information on how Hubspot works can be found in the privacy statement of Hubspot Inc., which can be retrieved at: https://legal.hubspot.com/privacy-policy

4. How long will data be stored?

Unless otherwise explicitly stated, KPMG stores personal data for as long as necessary for the above-mentioned purposes. This is subject to the statutory retention obligations. KPMG employees are instructed to regularly check the duration of storage of personal data and to delete these if necessary.

5. What data protection rights do data subjects have?

Data subjects are afforded rights of access pursuant to Article 15 EU GDPR regarding the processing of their personal data by KPMG (also regarding the purpose of processing, any possible recipients and the expected duration of the storage of data), rights to rectify incorrect data (Art. 16 EU GDPR), rights to erasure (Art. 17 EU GDPR), rights to restriction of processing and the data portability of the data provided (Art. 18, 20 EU GDPR) and the right to object against the use of their data for marketing purposes and based on a legitimate interest (Art. 21 EU GDPR).
Any consent given to KPMG can be revoked at any time with future effect. In order to safeguard these rights any data subject can contact the KPMG data protection officer (see item 2). Furthermore, they also have the right to complain to a data protection supervisory authority. Data subjects can lodge their complaint with the competent data protection supervisory authority in their place of residence or with any other data protection supervisory authority.