IT Risk Advisor/ Senior IT Risk Advisor

Privacy Notice for Processing Personal Data of Job Applicants

We hereby present you information on how KPMG Delivery Network Bulgaria LLC, UIC 208156551 (“KDN BG” or the “Company”), in its capacity as data controller within the meaning of the General Data Protection Regulation, collects, processes, stores or otherwise uses your personal data, which you provide when applying for a job at KDN Bulgaria.

1. What are the purposes and legal grounds for processing your personal data?

By submitting your CV and the supporting documentation thereto under an advertisement for a job at KDN BG, published on Company’s internet page or on a job searching platform, as well as where you provide consent before a recruitment/temporary staffing services company engaged by us, you allow us to process your personal data in the course of the current recruitment campaign for the following purposes:

• Assessment of your suitability for the advertised position and whether your skills, motivation, education and experience suffice with the requirements set by KDN BG.
• Receiving evidence for the qualities and qualifications, necessary for occupying the respective position.
• Establishing contact with you for setting up an interview. 
• Extending a job offer if your application is successful.
• Granting access to the Company’s recruitment system.

We rely on your consent to process your data when you submit your CV to our email requesting to join our team without applying for a specific open position, as well as where you provided your consent for transfer of your personal data by KPMG IT Service OOD, UIC 203572873, and their processing by KDN Bulgaria.

2. What categories of personal data do we collect?

When you apply for a job, we process the following categories of personal data:

• Identification data, such as your name and citizenship.
• Contact details, such as email, postal address and phone number.
• Information about your education, skills and professional experience, such as acquired qualification degrees, participation in trainings and courses, previous employers, job positions and functions description.
• References you presented from previous employers, superiors or other colleagues in projects you have participated in.
• Information gathered in the course of our interviews, such as interviewer’s notes, test results, etc.
• Information about your current level of remuneration, including benefit entitlements.
• Other information which you have deemed relevant and voluntarily provided within your CV, cover letter or during interviews.
• Images from security cameras, located at the premises of KDN BG, when you visit us (processed on the basis of our legitimate interest to provide safety and security and to protect the property and personnel of the Company).

In the initial stages of the recruitment process, we do not seek to collect special categories of personal data from you, such as information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, information concerning health, information concerning a natural person's sex life or sexual orientation. 

If you are a selected candidate for employment, KDN BG may require additional personal details, as necessary for the conclusion of an employment contract and/or otherwise you becoming a KPMG person, including special categories of data, if local employment laws requires us to do so and we will notify you explicitly of this. 

Please do not include any special categories of personal information in your application documents.

3. How do we collect personal data for recruitment purposes?

The personal data we process about you are provided to us either by yourself and/or by the recruitment/temporary staffing services company we work with or another entity-assignor upon completion of corporate transformation or other form of restructuring of business activity.

We may obtain information about you from our employees if they refer you as suitable candidate to KDN BG.

If you have a social media profiles with provider facilitating professional communication, such as LinkedIn or on your current employer’s website, we may review it. We will not inspect any purely personal social media activities of yours.

4. Are you obliged to provide your personal data to us?

Providing personal information to us is voluntary, but necessary for the recruiting process. You are under no statutory or contractual obligation to provide your personal information to KDN BG during the recruitment process. However, if you do not provide sufficient information, we may be unable to consider your employment application.

5. Do we share personal data with third parties?

We may share personal data with trusted third parties to help us carry out our business activities and deliver us services. These third parties are contractually bound to safeguard the data we entrust to them. We may share your personal data with the following categories of third parties:

• Member firms of the global KPMG organisation, where necessary, for administrative purposes or in other cases, including entities within the KPMG Delivery Network group of companies.
• Parties that provide certain services (e.g. providers of telecommunication services, postal or transport services, cloud-based software services).
• Our professional advisors, including lawyers.
• Courts, law enforcement or other government and regulatory agencies and bodies or to other third parties as required by, and in accordance with, applicable law or regulation.
• Recruitment agencies.

6. Do we transfer your personal data outside the European Union and the European Economic Area?

KDN BG may share your personal data with KPMG International Limited (“KPMG International”), a private English company limited by guarantee, or with other member firms of the global KPMG organization of independent member firms associated with KPMG International . Your personal data may be shared with companies under the previous sentence only and as far as said companies are based within the European Union (EU) or the European Economic Area (EEA) or, where these are outside said area, these organizations are still based in a country which is considered to provide an adequate level of protection in accordance with a Decision of the European Commission. A complete list of the countries which provide an adequate level of protection may be found on the Internet page of the European Commission at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en. If you need further information in this regard, you may contact us.

In addition to the above situations, KDN BG may transfer personal data outside the EU/EEA to KPMG member firms or to external companies, which are based in countries which are not considered to provide an adequate level of protection in accordance with a Decision of the European Commission. If your personal data is to be transferred in inadequate countries outside the EU/EEA, this will be done in the presence of suitable transfer mechanism and protection of the personal data in compliance with applicable legislation, e.g. under a contract containing standard clauses for protection of personal data according to a template approved by the EU Commission, or in the presence of particular statutorily determined conditions, e.g. where the transfer is necessary for the performance of contract between you and KDN BG, or for conclusion or performance of a contract concluded in your interest between KDN BG and another person, or you have provided your explicit consent in this regard.

7. How long do we retain your personal data?

The personal data you provided when applying shall be processed for the purposes of the current recruitment campaign and will be deleted not later than 1 (one) month as of its completion, unless you are a selected applicant. If in the course of the current recruitment campaign you provided original or notarized copies of documents, these documents will be returned to you within the term stated above.

Any internal documentation containing your personal data, which was created by KDN BG in the course of the current recruitment campaign or thereafter on the basis of the information and documents you provided, may be stored by KDN BG for a period of 3 (three) years as of the completion of the campaign for the establishment, exercise or defence of legal claims.

KDN BG, upon your consent, may keep your personal data and use it in the course of subsequent recruitment campaigns to inform you of available positions and include your application in the selection process. Under this scenario, we will store your personal data for a period of 2 (two) years as of the end of the current campaign. After that your personal data will be permanently deleted.

Sometimes KDN BG receives personal data from candidates who are interested in working at KDN BG without applying for a specific job position, for example by sending a CV to our official e-mail address or in the course of KDN BG's participation in various events (e.g. career days organized by universities and others) in order to promote the activities of the Company and recruit potential staff. In these cases, the personal data is processed on the basis of consent given by the job applicant for a period of 2 (two) years upon submission of the relevant application.

8. What are your data protection rights and how you can exercise them?

The General Data Protection Regulation guarantees you a certain set of rights that you may exercise in relation to your personal data processed by us. The Regulation provides for the following rights:

• Access – You can ask us to verify whether we are processing personal data about you, and if so, to provide more specific information in this regard. 
• Correction – You can ask us to correct our records if you believe they contain incorrect, outdated, or incomplete information about you. 
• Erasure (“right to be forgotten”) – You can ask us to erase (delete) your personal data after you withdraw your consent for processing or when we no longer need them for the purposes they were originally collected.
• Restriction of Processing – You can ask us to temporarily restrict our processing of your personal data if you contest the accuracy of your personal data, prefer to restrict their use rather than having us erase them, or need us to preserve the data for you to establish, exercise, or defend a legal claim. A temporary restriction may also apply while verifying whether we have overriding legitimate grounds to process your personal data. You can ask us to inform you before we lift that temporary processing restriction.
• Objection to Processing – Where we process your personal data based on legitimate interest, you can object to our use of your personal data if you consider we are not entitled to use them. In these cases, we will no longer process your personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
• Data portability – In some circumstances, where you have provided personal data to us, you can ask us to transmit that personal data (in a structured, commonly used, and machine-readable format) directly to another company if technically feasible.
• Withdrawal of Consent - You may withdraw your consent either for the current and/or for subsequent campaigns at any time by sending us your written withdrawal per post at: 1766, Mladost 4 r.a., Business Park Sofia, building 15A, floor 3, or via email sent to the following email address: hufmkdnknitso@kpmg.huThe withdrawal of consent does not affect the lawfulness of the processing completed prior to receiving the withdrawal.

You may exercise your rights by means of sending a request to the above addresses. Before we address your request for withdrawal of consent or for exercising another rights we may request additional information to confirm your identity. 

If you believe that KDN Bulgaria has violated your data protection rights, you can always lodge a complaint with the Commission for Personal Data Protection of the Republic of Bulgaria.

9. Do we change this Privacy Notice?

When we make amendments to this Privacy Notice, we will revise the “updated” date at the top of this documents. Any changes to the processing of personal data as described in this Privacy Notice affecting you will be communicated to you through an appropriate channel, depending on how we normally communicate with you.

© 2025 KPMG Delivery Network Bulgaria LLC, a Bulgarian limited liability company and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.