Definitiv is committed to managing personal information in accordance with the Privacy Act 1988 (‘Act’) and the European Union General Data Protection Regulation (EU) 2016/679 (the GDPR). The core requirements of the Act are set out in the Australian Privacy Principles (APPs).
1.1 What is personal information?
Personal information is defined in the Act as:
‘information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.’
2. Personal information Definitiv collects and holds
Definitiv collects, holds, uses and discloses personal information that is reasonably necessary to provide its Services. The types of personal information we may collect from or about individuals include:
2.1 Employees of Definitiv Clients: Definitiv generally collects the following personal information on employees of Definitiv clients:
- Contact information, including addresses, phone numbers and e-mail addresses
- Date of birth
- Details regarding gender and marital status
- User ID, log data, device information and location information when using our Services
- Banking and Superannuation account details
- Tax File Number
- Employment and payroll related information, including salary details, superannuation contributions, payslips, Annual Statements, relevant Awards and Enterprise Agreements, job qualifications, profession, occupation or job title, roster, work schedule and tax information
2.2 Client contacts: Definitiv collects contact information from or about clients or prospective clients, including individuals working for clients or prospective clients, and records details of interactions with clients and prospective clients. This could include:
- Contact information – information that allows Definitiv to communicate with the client, such as names, addresses, telephone numbers, email addresses or other contact details that allow Definitiv to send messages.
- Relationship information – information that helps Definitiv do business with the client, such as the types of products and services that the client has shown interest in, information on the organisation’s size, geographic locations, creditworthiness and demographics.
- Services-related Information – information from clients to be able to provide the Definitiv Services, including purchase history, inquiries, customer account information, bank account information, ABN, default superannuation fund and information about how the client uses the Definitiv websites and applications.
2.3 Employees of Definitiv: Definitiv collects, stores and uses personal information from its employees as described in our Privacy Notice to Employees.
2.4 Applicants for jobs at Definitiv: Definitiv collects and stores contact details, employment history and other background information as required and as permitted by law.
3. How does Definitiv collect and hold personal information?
The most common ways we collect personal information are:
- Through Definitiv Services. In most cases, when using our Services, Definitiv collects personal information about an employee from the Definitiv client that employs the relevant employee or from the employee themselves. For example, when a client creates an account for an employee, enters details into the Services on behalf of the employee or when the employee themselves enters personal information directly through the Services.
- Through correspondence with us directly. By way of dealing with you in person, over the telephone or via email.
- Through participation in customer feedback, surveys, research and other online forms.
- Through signing up for communications, an event, a seminar or other promotion.
- Through a job application. Definitiv collects information from a job applicant directly from the applicant or publicly available information. With the consent of the applicant, Definitiv may conduct reference, background and criminal record checks.
4. The purposes for which we collect, hold, use and disclose personal information
Definitiv deals with personal information for a number of purposes, such as:
- Enabling customers and employees to access and use the Services;
- Providing payroll and other related consulting services;
- Communicating with individuals by responding to their customer support queries or requests;
- Personalising, customising and improving the functionality and user experience of our Services;
- Sharing contact details including phone numbers and email addresses with an employee’s Employer and Co-workers, where the employer has activated this feature;
- For billing, account management and other administrative matters;
- Providing marketing communications and offers for products and services from Definitiv and, in some cases, Definitiv partners, including offers targeted based on interests, business characteristics and location;
- Providing additional information, such as Definitiv news and announcements, product and service updates and technical service announcements to customers, employees and other subscribers;
- Administering surveys, customer feedback, research and promotional events;
- Determining eligibility for certain products, services or offers;
- To investigate any complaints about, or made by, an individual;
- To investigate any suspected breach of any of our terms and conditions or unlawful activity engaged in by an individual;
- Internal business operations such as planning, product development and enhancement, research, and reporting to Definitiv related bodies corporate;
- Managing Definitiv’s everyday business needs, such as payment processing and financial account management, product development, contract management, website administration, fulfilment, analytics, security and fraud prevention, corporate governance, reporting and legal compliance, and business continuity; and
- Required by applicable law, legal process or regulation.
The collection, use and disclosure of personal information may be required or authorised under various International, Commonwealth and State laws, including:
- The Income Tax Assessment Acts
- Superannuation Guarantee (Administration) Act 1992 (Cth)
- Fair Work Act 2009 (Cth)
- Payroll Tax Acts
- Long Service Leave Acts
- Occupational Health & Safety Acts
- Workers Compensation Acts
- Tax Agent Services Act 2009 and Tax Agent Services Regulations 2009
- Privacy Act 1988 (Cth)
- European Union General Data Protection Regulation (EU) 2016/679
- Corporations Act 2001 (Cth)
- Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth)
- Any secondary legislation pursuant to primary legislation referred to above.
5. Cookies and Statistical Analysis
- server address;
- domain name;
- date and time of visit;
- previous websites visited;
- browser type and operating system; and
- location data.
We may use Google Analytics to collect and process data. To find out how Google uses data when you use third party websites or applications, please see www.google.com/policies/privacy/partners/ or any other URL Google may use from time to time.
6. Disclosure of personal information to third parties
Definitiv understands individuals do not want us to provide their personal information to third parties for their own marketing purposes. Under Definitiv’s policy, personal information may be disclosed to the following third parties where appropriate:
- Australian Taxation Office and other governmental agencies as required by law;
- Banks/financial institutions;
- Superannuation Clearing Houses;
- Superannuation funds;
- Contracted service providers who are bound by law or contract to protect the personal information and only use the personal information in accordance with Definitiv’s instructions;
- Business partners, and related bodies corporate of Definitiv;
- Credit reporting agencies, courts, tribunals and regulatory authorities, in the event a customer fails to pay for goods or services we have provided to them;
- Courts, tribunals, regulatory authorities and law enforcement officers, as required by law, in connection with any actual or prospective legal proceedings, or in order to establish, exercise or defend our legal rights;
- Third parties that help enforce Definitiv’s rights, protect Definitiv property, or protect the rights, property or safety of others, or as needed to support external auditing, compliance and corporate governance functions;
- Third parties, including agents or sub-contractors (sub-processors), who assist us in providing information, products, services or direct marketing to customers and their employees. This may include parties located, or that store data, outside of Australia; and
- Anyone to whom our business or assets (or any part of them) are, or may (in good faith) be, transferred.
By providing us with personal information, you consent to the disclosure of your personal information to third parties who reside outside Australia and, if you are a European Union (EU) citizen, to third parties that reside outside the EU. Where the disclosure of your personal information is solely subject to Australian privacy laws (and not subject to the GDPR), you acknowledge that we are not required to ensure that those third parties comply with Australian privacy laws.
Please note that Definitiv may use and disclose information about individuals that is not personally identifiable. For example, Definitiv may publish reports that contain aggregated and statistical data about Definitiv’s clients. These reports do not contain any information that would enable the recipient to contact, locate or identify an individual. These reports also do not contain any identifiable company information.
Where an individual has applied for employment with Definitiv, the personal information submitted with their job application will be added to Definitiv’s job opportunities database and may be used for recruitment and other customary human resources purposes. For example, Definitiv may send the applicant information about new job opportunities within Definitiv as well as other career development resources.
7. Direct Marketing Materials
We may use personal information for direct marketing reasons, including updating you on Definitiv’s latest products, services and news. These communications may be sent in various forms, including mail, SMS or email, in accordance with applicable marketing laws.
You can opt out of this service at any time by using any of our “unsubscribe” mechanisms or by contacting firstname.lastname@example.org.
8. Our responsibilities as a ‘controller’ under the GDPR
Controllers are defined by the GDPR as natural or legal persons, a public authority, agency or other body to which personal information or personal data has been disclosed, whether via a third party or not, and who determines the purposes and means of processing personal information. We are a controller under the GDPR as we collect, use and store your personal information to enable us to provide you with our goods and/or services.
As a controller, we have certain obligations under the GDPR when collecting, storing and using the personal information of EU citizens. If you are an EU citizen, your personal data will:
- Be processed lawfully, fairly and in a transparent manner by us;
- Be collected in a way that is adequate, relevant and limited to what is necessary in relation to the purpose for which the personal information is processed;
- Be kept up to date, where it is possible and within our control to do so (please let us know if you would like us to correct any of your personal information);
- Be kept in a form which permits us to identify you, but only for so long as necessary for the purposes for which the personal data was collected; and
- Be processed securely and in a way that protects against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Specifically, we have the following measures in place, in accordance with the GDPR:
Data protection policies: We have internal policies in place which set out where and how we collect personal information, how it is stored and where it goes after we get it, in order to protect your personal information.
Right to ask us to erase your personal information: You may ask us to erase personal information we hold about you. See the section “Your rights and controlling your personal information”.
Right to ask us to restrict data processing: You may ask us to limit the processing of your personal information where you believe that the personal information we hold about you is wrong (to give us enough time to verify if the information needs to be changed), or where processing data is unlawful, and you request us to restrict the processing of personal information rather than it being erased.
Notification of data breaches: We will comply with the GDPR in respect of any data breach, see the section “Protecting the security of personal information” for more information.
We also apply these principles to the way we collect, store and use the personal information of our Australian customers or clients.
9. Our responsibilities as a ‘processor’ under the GDPR
Where we are a processor, our contracts with controllers contain certain prescribed terms. Depending on the circumstances, we can be a controller, a processor, or both a controller and a processor. In addition to:
- Our contractual obligations with controllers (where we are solely a processor); and
- Our legal obligations under the GDPR as a controller and processor (where we are both a controller and processor),
we also have the following responsibilities under the GDPR:
- To co-operate with supervisory authorities;
- To ensure the security of its processing;
- To keep records of processing activities;
- To notify any personal data breaches to the data controller; and
- To employ a data protection officer.
10. Your rights and controlling your personal information
An individual may also request for us to delete their personal information. We can delete personal information on request, unless the personal information is required for us to comply with applicable legal and tax requirements.
Where an individual has access to an online account with Definitiv, they can log into their account at any time to access and update their information.
An individual who is an employee or other payment recipient of a Definitiv client is encouraged in the first instance to contact the client (employer) so that the client can ask Definitiv to correct its records.
Individuals may also request we transfer this personal information to another third party (data portability).
Unsubscribing: To unsubscribe from our e-mail database or opt-out of communications (including marketing communications), please contact our Privacy Officer using the details below or opt-out using the opt-out facilities provided in the communication delivered to you.
11. Retention of personal information
12. Links to other websites
The Services may contain links to other websites operated by third parties. Definitiv makes no representations or warranties in relation to the privacy practices of any third-party website. Third party websites are responsible for informing you about their own privacy practices and policies.
13. What can an individual do if they have a complaint?
Any complaint regarding a possible breach of Definitiv’s privacy obligations may be directed to:
- The person or department at Definitiv the individual normally deals with, if the individual has a direct relationship with Definitiv; and/or
- Definitiv’s Privacy Officer (using the details below).
The Privacy Officer will investigate any complaint and notify the individual within a reasonable timeframe of the outcome of the investigation.
14. Protecting the security of personal information
We exercise great care to protect personal information that Definitiv holds. To provide the Services, Definitiv contracts with Amazon Web Services (AWS) Australia who store data on secure data centres within Australia. Further details on AWS’s location and security can be found here.
While we take all reasonable steps to ensure the security of the Definitiv system, Definitiv cannot provide any guarantee regarding security of the personal information and other data transmitted to the Services and Definitiv will not be held responsible for events arising from unauthorised access of your personal information.
Internally, Definitiv restricts access to personal information to employees or parties who need access to the information in order to do their jobs. These employees or parties are limited in number and are committed to maintaining confidentiality.
We review Definitiv’s security arrangements from time to time, as we deem appropriate.
Definitiv allows you to access your information at any time to keep it accurate and up to date. You can also play an important role in keeping your personal information secure, by maintaining the confidentiality of any password and accounts used on the Services. Please notify Definitiv immediately if there is any unauthorised use of your account by any other Internet user, or any other breach of security relating to your account at email@example.com.
14.1 Data Breaches: A data breach involves the loss of, unauthorised access to, or unauthorised disclosure of, personal information.
The Privacy Amendment (Notifiable Data Breaches) Act 2017 (‘NDB Act’) established a Mandatory Data Breach Notification (‘MDBN’) scheme.
Accordingly, Definitiv is prepared to act quickly in the event of a data breach (or suspected breach) and determine:
- Whether it is likely to result in serious harm; and if so,
- Whether it constitutes an MDBN.
If the effect of any data breach is considered a risk of serious harm, Definitiv:
- Will notify any individuals likely to be at risk of serious harm by a data breach; and
- Will notify the Office of the Australian Information Commissioner (‘OAIC’).
15. Further information
Please contact us if you have any queries about the personal information that Definitiv holds about you or the way we handle that personal information. Our contact details for privacy queries and complaints are set out below:
Attn: Privacy Officer
Definitiv Group Pty Ltd
PO Box 854, West Perth, 6872
Phone: +61 8 6163 4400
16. Changes to this policy
Please refer to the Definitiv Terms and Conditions document published on the website for our full terms and conditions of use. You can access our Terms and Conditions here.
This policy was last updated on 28th May 2018. Access our previous version here.