1. Background

This is the Privacy Policy of the Definitiv Group Pty Ltd ACN 147 808 026 (“Definitiv”, “us”, “we” or “our”) and its related bodies corporate (as defined in the Corporations Act 2001 (Cth)). Related bodies include Proactiv Payroll Australia Pty Ltd (ACN 600 296 400) and Definitiv International Pty Ltd (ACN 607 247 512).

Definitiv is committed to managing personal information in accordance with the Privacy Act 1988 (‘Act’) and the European Union General Data Protection Regulation (EU) 2016/679 (the GDPR). The core requirements of the Act are set out in the Australian Privacy Principles (APPs).

This document sets out our policy in relation to the protection of the privacy of personal information. This policy document is intended to enable our clients and others who interact with Definitiv to understand what types of personal information we collect and store, and what we do with such information to provide our products and services. This Privacy Policy also describes the measures we take to safeguard the personal information we obtain and how you can contact us about our privacy practices.

This Privacy Policy applies to all personal information we obtain through Definitiv properties including the Definitiv website (definitiv.com.au), web application, mobile applications and from other collection methods, such as events, surveys, customer research, through our consulting services and other content we provide (collectively known as ‘Services’). Definitiv is a registered Australian proprietary company that operates out of Perth, Western Australia. All client processing and services are provided by our capable team located in this office.

From time to time, as Definitiv updates and improves its service, Definitiv may change this Privacy Policy. Definitiv will publish these changes on its website at definitiv.com.au/privacy-policy.

1.1 What is personal information?

Personal information is defined in the Act as:

‘information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.’

2. Personal information Definitiv collects and holds

Definitiv collects, holds, uses and discloses personal information that is reasonably necessary to provide its Services. The types of personal information we may collect from or about individuals, include:

2.1 Employees of Definitiv Clients: Definitiv generally collects the following personal information on employees of Definitiv clients:

  • Names
  • Contact information, including addresses, phone numbers and e-mail addresses
  • Date of birth
  • Photograph
  • Details regarding gender and marital status
  • User ID, log data, device information and location information when using our Services
  • Banking and Superannuation account details
  • Tax File Number
  • Employment and payroll related information, including salary details, superannuation contributions, payslips, Annual Statements, relevant Awards and Enterprise Agreements, job qualifications, profession, occupation or job title, roster, work schedule and tax information

2.2 Client contacts: Definitiv collects contact information from or about clients or prospective clients, including individuals working for clients or prospective clients, and records details of interactions with clients and prospective clients. This could include:

  • Contact information – information that allows Definitiv to communicate with the client, such as names, addresses, telephone numbers, email addresses or other contact details that allow Definitiv to send messages.
  • Relationship information – information that helps Definitiv do business with the client, such as the types of products and services that the client has shown interest in, information on the organisation’s size, geographic locations, creditworthiness and demographics.
  • Services-related Information – information from clients to be able to provide the Definitiv Services, including purchase history, inquiries, customer account information, bank account information, ABN, default superannuation fund and information about how the client uses the Definitiv websites and applications.

2.3 Employees of Definitiv: Definitiv collects, stores and uses personal information from its employees as described in our Privacy Notice to Employees.

2.4 Applicants for jobs at Definitiv: Definitiv collects and stores contact details, employment history and other background information as required and as permitted by law.

3. How does Definitiv collect and hold personal information?

The most common ways we collect personal information are:

  • Through Definitiv Services. In most cases, when using our Services, Definitiv collects personal information about an employee from the Definitiv client that employs the relevant employee or from the employee themselves. This happens, for example, when a client creates an account for an employee or enters details into the Services on behalf of the employee, or when the employee enters personal information directly through the Services.
  • Through correspondence with us directly, by way of dealing with you in person, over the telephone or via email.
  • Through participation in customer feedback, surveys, research and other online forms.
  • Through signing up for communications, events, seminars or other promotions.
  • Through a job application. Definitiv collects information from a job applicant directly from the applicant or publicly available information. With the consent of the applicant, Definitiv may conduct reference, background and criminal record checks.

If an individual interacts with Definitiv online, Definitiv uses cookies and other technological tools to collect information about their computer and their use of Definitiv’s website and applications. Definitiv treats this information as personal information when it is associated with the individual’s contact information. For more information about cookies and other technologies, please see the section ‘Cookies and Statistical Analysis’.

4. The purposes for which we collect, hold, use and disclose personal information

Definitiv deals with personal information for a number of purposes, such as:

  • Enabling customers and employees to access and use the Services;
  • Providing payroll and other related consulting services;
  • Communicating with individuals by responding to their customer support queries or requests;
  • Personalising, customising and improving the functionality and user experience of our Services;
  • Sharing contact details including phone numbers and email addresses with an employee’s Employer and Co-workers, where the employer has activated this feature;
  • For billing, account management and other administrative matters;
  • Providing marketing communications and offers for products and services from Definitiv and, in some cases, Definitiv partners, including offers targeted based on interests, business characteristics and location;
  • Providing additional information, such as Definitiv news and announcements, product and service updates and technical service announcements to customers, employees and other subscribers;
  • Administering customer feedback, surveys, research and promotional events;
  • Determining eligibility for certain products, services or offers;
  • To investigate any complaints about, or made by, an individual;
  • To investigate any suspected breach of any of our terms and conditions or unlawful activity engaged in by an individual;
  • Internal business operations such as planning, product development and enhancement, research, and reporting to Definitiv related bodies corporate;
  • Managing Definitiv’s everyday business needs, such as payment processing and financial account management, product development, contract management, website administration, fulfilment, analytics, security and fraud prevention, corporate governance, reporting and legal compliance, and business continuity; and
  • Required by applicable law, legal process or regulation.

The collection, use and disclosure of personal information may be required or authorised under various International, Commonwealth and State laws, including:

  • The Income Tax Assessment Acts
  • Superannuation Guarantee (Administration) Act 1992 (Cth)
  • Fair Work Act 2009 (Cth)
  • Payroll Tax Acts
  • Long Service Leave Acts
  • Occupational Health & Safety Acts
  • Workers Compensation Acts
  • Tax Agent Services Act 2009 and Tax Agent Services Regulations 2009
  • Privacy Act 1988 (Cth)
  • European Union General Data Protection Regulation (EU) 2016/679
  • Corporations Act 2001 (Cth)
  • Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth)
  • Any secondary legislation pursuant to primary legislation referred to above.

5. Cookies and Statistical Analysis

We may use cookies on our Services from time to time. Cookies are text files placed in your computer’s browser to store your preferences. Cookies, by themselves, do not tell us your email address or other personally identifiable information. If and when you choose to provide our Services with personal information, this information may be linked to the data stored in the cookie. When you use the Services, this information may be recorded for statistical and reporting purposes. Such information enables us to improve the Definitiv products and services. The information that may be recorded includes information regarding your:

  • server address;
  • domain name;
  • date and time of visit;
  • previous websites visited;
  • browser type and operating system; and
  • location data.

We may use Google Analytics to collect and process data. To find out how Google uses data when you use third party websites or applications, please see www.google.com/policies/privacy/partners/ or any other URL Google may use from time to time.

6. Disclosure of personal information to third parties

Definitiv understands individuals do not want us to provide their personal information to third parties for their own marketing purposes. Under Definitiv’s policy, personal information may be disclosed to the following third parties where appropriate:

  • Australian Taxation Office and other governmental agencies as required by law;
  • Banks/financial institutions;
  • Superannuation Clearing Houses;
  • Superannuation funds;
  • Contracted service providers who are bound by law or contract to protect the personal information and only use the personal information in accordance with Definitiv’s instructions;
  • Business partners, and related bodies corporate of Definitiv;
  • Credit reporting agencies, courts, tribunals and regulatory authorities, in the event a customer fails to pay for goods or services we have provided to them;
  • Courts, tribunals, regulatory authorities and law enforcement officers, as required by law, in connection with any actual or prospective legal proceedings, or in order to establish, exercise or defend our legal rights;
  • Third parties that help enforce Definitiv’s rights, protect Definitiv property, or protect the rights, property or safety of others, or as needed to support external auditing, compliance and corporate governance functions;
  • Third parties, including agents or sub-contractors (sub-processors), who assist us in providing information, products, services or direct marketing to customers and their employees. This may include parties located, or that store data, outside of Australia; and
  • Anyone to whom our business or assets (or any part of them) are, or may (in good faith) be, transferred.

Where we disclose your personal information to third parties, including sub-processors, we will request that the third party handle your personal information in accordance with this Privacy Policy. Sub-processors will only process your personal information in accordance with written instructions from us and we require that the third party either complies with the APPs set out in the Act or privacy shield principles set out in the GDPR. When we refer to ‘sub-processors’ in this clause and this Privacy Policy in general, we mean any third party that provides operations performed on personal information, whether or not by automated means, such as collecting, recording, organising, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available personal information.

By providing us with personal information, you consent to the disclosure of your personal information to third parties who reside outside Australia and, if you are a European Union (EU) citizen, to third parties that reside outside the EU. Where the disclosure of your personal information is solely subject to Australian privacy laws (and not subject to the GDPR), you acknowledge that we are not required to ensure that those third parties comply with Australian privacy laws.

Please note that Definitiv may use and disclose information about individuals that is not personally identifiable. For example, Definitiv may publish reports that contain aggregated and statistical data about Definitiv’s clients. These reports do not contain any information that would enable the recipient to contact, locate or identify an individual. These reports also do not contain any identifiable company information.

Where an individual has applied for employment with Definitiv, the personal information submitted with their job application will be added to Definitiv’s job opportunities database and may be used for recruitment and other customary human resources purposes. For example, Definitiv may send the applicant information about new job opportunities within Definitiv as well as other career development resources.

7. Direct Marketing Materials

We may use personal information for direct marketing reasons, including updating you on Definitiv’s latest products, services and news. These communications may be sent in various forms, including mail, SMS or email, in accordance with applicable marketing laws.

You can opt out of this service at any time by using any of our “unsubscribe” mechanisms or by contacting info@definitiv.com.au.

8. Our responsibilities as a ‘controller’ under the GDPR

Controllers are defined by the GDPR as natural or legal persons, a public authority, agency or other body to which personal information or personal data has been disclosed, whether via a third party or not, and who determines the purposes and means of processing personal information. We are a controller under the GDPR as we collect, use and store your personal information to enable us to provide you with our goods and/or services.

As a controller, we have certain obligations under the GDPR when collecting, storing and using the personal information of EU citizens. If you are an EU citizen, your personal data will:

  • Be processed lawfully, fairly and in a transparent manner by us;
  • Only be collected for the specific purposes we have identified in this Privacy Policy and personal information will not be further processed in a manner that is incompatible with the purposes we have identified;
  • Be collected in a way that is adequate, relevant and limited to what is necessary in relation to the purpose for which the personal information is processed;
  • Be kept up to date, where it is possible and within our control to do so (please let us know if you would like us to correct any of your personal information);
  • Be kept in a form which permits us to identify you, but only for so long as necessary for the purposes for which the personal data was collected; and
  • Be processed securely and in a way that protects against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Specifically, we have the following measures in place, in accordance with the GDPR:

Data protection policies: We have internal policies in place which set out where and how we collect personal information, how it is stored and where it goes after we get it, in order to protect your personal information.

Right to ask us to erase your personal information: You may ask us to erase personal information we hold about you. See the section “Your rights and controlling your personal information”.

Right to ask us to restrict data processing: You may ask us to limit the processing of your personal information where you believe that the personal information we hold about you is wrong (to give us enough time to verify if the information needs to be changed), or where processing data is unlawful, and you request us to restrict the processing of personal information rather than it being erased.

Notification of data breaches: We will comply with the GDPR in respect of any data breach; see the section “Protecting the security of personal information” for more information.

We also apply these principles to the way we collect, store and use the personal information of our Australian customers or clients.

9. Our responsibilities as a ‘processor’ under the GDPR

Where we are a processor, our contracts with controllers contain certain prescribed terms. Depending on circumstances, we can be a controller, a processor, or both a controller and a processor. In addition to:

  • Our contractual obligations with controllers (where we are solely a processor); and
  • Our legal obligations under the GDPR as a controller and processor (where we are both a controller and processor),

we also have the following responsibilities under the GDPR:

o To co-operate with supervisory authorities;
o To ensure the security of our processing;
o To keep records of processing activities;
o To notify any personal data breaches to the data controller; and
o To employ a data protection officer.

10. Your rights and controlling your personal information

We respect the right of an individual to access, control and correct their personal information. Please read this Privacy Policy carefully. By providing personal information to us, you consent to us collecting, holding, using and disclosing your personal information in accordance with this Privacy Policy.

Accessing, controlling and updating personal information: Individuals may request access to the personal information we maintain about them or request that we correct, update or amend their information, or that we restrict the processing of such information by contacting our Privacy Officer as indicated below. Definitiv may require substantiation of any request to help protect the privacy and security of personal information. Where possible, we will provide a copy of personal information in CSV format or other easily readable machine format.

An individual may also request that we delete their personal information. We can delete personal information on request, unless the personal information is required for us to comply with applicable legal and tax requirements.

Where an individual has access to an online account with Definitiv, they can log into their account at any time to access and update their information.

An individual who is an employee or other payment recipient of a Definitiv client is encouraged in the first instance to contact the client (employer) so that the client can ask Definitiv to correct its records.

Individuals may also request we transfer this personal information to another third party (data portability).

Unsubscribing: To unsubscribe from our e-mail database or opt-out of communications (including marketing communications), please contact our Privacy Officer using the details below or opt-out using the opt-out facilities provided in the communication delivered to you.

Information from third parties: If we receive personal information about you from a third party, we will protect it as set out in this Privacy Policy. If you are a third party providing personal information about somebody else, you represent and warrant that you have such person’s consent to provide the personal information to us.

11. Retention of personal information

We will retain personal information we obtain for as long as it is needed for the purposes for which we obtained it, in accordance with the terms of this Privacy Policy. This means we will keep personal information on a customer and employee for the duration of our relationship with the customer or as long as an account is open with us; or to take into account applicable statute of limitation periods and comply with applicable laws, resolve disputes and enforce our agreements. As described in the “Your rights and controlling your personal information” section above, to the extent provided by the law, you may request that we delete personal information or restrict the processing of such information by contacting us as indicated below.

12. Links to other websites

The Services may contain links to other websites operated by third parties. Definitiv makes no representations or warranties in relation to the privacy practices of any third-party website. Third party websites are responsible for informing you about their own privacy practices and policies.

13. What can an individual do if they have a complaint?

Any complaint regarding a possible breach of Definitiv’s privacy obligations may be directed to:

  • The person or department at Definitiv the individual normally deals with, if the individual has a direct relationship with Definitiv; and/or
  • Definitiv’s Privacy Officer (using the details below).

The Privacy Officer will investigate any complaint and notify the individual within a reasonable timeframe of the outcome of the investigation.

14. Protecting the security of personal information

We exercise great care to protect personal information that Definitiv holds. To provide the Services, Definitiv contracts with Amazon Web Services (AWS) Australia, which stores data in secure data centres within Australia. Further details on AWS’s location and security can be found here.

While we take all reasonable steps to ensure the security of the Definitiv system, Definitiv cannot provide any guarantee regarding security of the personal information and other data transmitted to the Services and Definitiv will not be held responsible for events arising from unauthorised access of your personal information.

Internally, Definitiv restricts access to personal information to employees or parties who need access to the information in order to do their jobs. These employees or parties are limited in number and are committed to maintaining confidentiality.

We review Definitiv’s security arrangements from time to time, as we deem appropriate.

Definitiv allows you to access your information at any time to keep it accurate and up to date. You can also play an important role in keeping your personal information secure, by maintaining the confidentiality of any password and accounts used on the Services. Please notify Definitiv immediately at support@definitiv.com.au if there is any unauthorised use of your account by any other Internet user, or any other breach of security relating to your account.

14.1 Data Breaches: A data breach involves the loss of, unauthorised access to, or unauthorised disclosure of, personal information.

The Privacy Amendment (Notifiable Data Breaches) Act 2017 (‘NDB Act’) established a Mandatory Data Breach Notification (‘MDBN’) scheme.

Accordingly, Definitiv is prepared to act quickly in the event of a data breach (or suspected breach) and determine:

  • Whether it is likely to result in serious harm; and if so,
  • Whether it constitutes an MDBN.

If the effect of any data breach is considered a risk of serious harm, Definitiv:

  • Will notify any individuals likely to be at risk of serious harm by a data breach; and
  • Will notify the Office of the Australian Information Commissioner (‘OAIC’).

15. Further information

Please contact us if you have any queries about the personal information that Definitiv holds about you or the way we handle that personal information. Our contact details for privacy queries and complaints are set out below:

Attn: Privacy Officer

Definitiv Group Pty Ltd

PO Box 854, West Perth, 6872

Email: info@definitiv.com.au

Phone: +61 8 6163 4400

16. Changes to this policy

We may amend this Privacy Policy from time to time. The current version will be posted on our website and a copy may be obtained free of charge from our Privacy Officer.

Please refer to the Definitiv Terms and Conditions document published on the website for our full terms and conditions of use. You can access our Terms and Conditions here.

This policy was last updated on 28th May 2018. Access our previous version here.