Definitiv is committed to managing personal information in accordance with the Australian Privacy Act 1988 (‘Act’), the New Zealand Privacy Act 2020 (‘NZ Act’) and the European Union General Data Protection Regulation (EU) 2016/679 (the GDPR). The core requirements of the Act are set out in the Australian Privacy Principles (APPs).
1.1 What is personal information?
Personal information is defined in the Act as;
‘information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.’
2. Personal information Definitiv collects and holds
Definitiv collects, holds, uses and discloses personal information that is reasonably necessary to provide its Services. The types of personal information we may collect from or about individuals, includes but is not limited to:
2.1 Employees of Definitiv Clients: Personal information Definitiv collects on behalf of employees of Definitiv clients includes but is not limited to;
- Contact information, including; addresses, phone numbers and e-mail addresses
- Date of birth
- Details regarding gender identity and/or assigned sex at birth
- User ID, log data, device information and location information when using our Services
- Banking and Superannuation account details
- Tax Information
- Employment and payroll related information, including; salary details, superannuation contributions, payslips, Annual Statements, relevant Awards and Enterprise Agreements, job qualifications, profession, occupation or job title, roster, work schedule and tax information.
2.2 Client contacts: Definitiv collects contact information from or about clients or prospective clients, including individuals working for clients or prospective clients, and record details of interactions with clients and prospective clients. This could include:
- Contact information – information that allows Definitiv to communicate with the client or prospective client, such as names, addresses, telephone numbers, email addresses or other contact details that allow Definitiv to send messages.
- Relationship information – information that helps Definitiv do business with the client, such as the types of products and services that the client has shown interest in, information on the organisation’s size, geographic locations, creditworthiness and demographics.
- Services-related Information – information from clients to be able to provide the Definitiv Services, including; purchase history, inquiries, customer account information, bank account information, ABN, default superannuation fund and information about how the client uses the Definitiv websites and applications.
2.3 Employees of Definitiv: Definitiv collects, stores and uses personal information from its employees as described in our Privacy Notice to Employees.
2.4 Applicants for jobs at Definitiv: Definitiv collects and stores contact details, employment history and other background information as required and as permitted by law.
3. How does Definitiv collect and hold personal information?
The most common ways we collect personal information are:
- Through Definitiv Services. In most cases, when using our Services, Definitiv collects personal information about an individual from the Definitiv client that employs the individual or from the individual itself. For example, when a client creates an account or record for an employee, enters details into the Services on behalf of an employee or when the employee themselves enters personal information directly through the Services.
- Through correspondence with us directly. By the way of dealing with you in person, over the telephone or via email.
- Through participation in customer feedback, surveys, research and other online forms.
- Through signing up for communications, event, seminar or other promotion.
- Through a job application. Definitiv collects information from a job applicant directly from the applicant or publicly available information. With the consent of the applicant, Definitiv may conduct reference, background and criminal record checks.
4. The purposes for which we collect, hold, use and disclose personal information
Definitiv deals with personal information for a number of purposes, such as:
- Enabling clients and employees to access and use the Services;
- Providing payroll and other related consulting services;
- Communicating with individuals by responding to their customer support queries or requests;
- Personalising, customising and improving the functionality and user experience of our Services;
- Sharing contact details including phone numbers and email addresses with an employee’s Employer and Co-workers, where the employer has activated this feature;
- For billing, account management and other administrative matters;
- Providing marketing communications and offers for products and services from Definitiv and, in some cases, Definitiv partners, including offers targeted based on interests, business characteristics and location;
- Providing additional information, such as Definitiv news and announcements, product and service updates and technical service announcements to customers, employees and other subscribers;
- Administering surveys, customer feedback, surveys, research and promotional events;
- Determining eligibility for certain products, services or offers;
- To investigate any complaints about, or made by, an individual;
- To investigate any suspected breach of any of our terms and conditions or unlawful activity engaged in by an individual;
- Internal business operations such as planning, product development and enhancement, research, and reporting to Definitiv related bodies corporate;
- Managing Definitiv’s everyday business needs, such as payment processing and financial account management, product development, contract management, website administration, fulfilment, analytics, security and fraud prevention, corporate governance, reporting and legal compliance, and business continuity; and
- Required by applicable law, legal process or regulation.
The collection, use and disclosure of personal information may be required or authorised under various International, Commonwealth and State laws, including:
- The Income Tax Assessment Acts
- Superannuation Guarantee (Administration) Act 1992 (Cth)
- Fair Work Act 2009 (Cth)
- Payroll Tax Acts
- Long Service Leave Acts
- Occupational Health & Safety Acts
- Workers Compensation Acts
- Tax Agent Services Act 2009 and Tax Agent Services Regulations 2009
- Privacy Act 1988 (Cth)
- European Union General Data Protection Regulation (EU) 2016/679
- Corporations Act 2001 (Cth)
- Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth)
- Any secondary legislation pursuant to primary legislation referred to above.
5. Cookies and Statistical Analysis
- server address;
- domain name;
- date and time of visit;
- previous websites visited;
- browser type and operating system; and location data.
We may use Google Analytics to collect and process data. To find out how Google uses data when you use third party websites or applications, please see www.google.com/policies/privacy/partners/ or any other URL Google may use from time to time.
6. Disclosure of personal information to third parties
Definitiv understands individuals do not want us to provide their personal information to third parties for their own marketing purposes. Under Definitiv’s policy, personal information may be disclosed to the following third parties where appropriate;
- Australian Taxation Office and other governmental agencies as required by law;
- Banks/financial institutions;
- Superannuation Clearing Houses;
- Superannuation funds;
- Contracted service providers who are bound by law or contract to protect the personal information and only use the personal information in accordance with Definitiv’s instructions;
- Business partners, and related bodies corporate of Definitiv;
- Credit reporting agencies, courts, tribunals and regulatory authorities, in the event a customer fails to pay for goods or services we have provided to them;
- Courts, tribunals, regulatory authorities and law enforcement officers, as required by law, in connection with any actual or prospective legal proceedings, or in order to establish, exercise or defend our legal rights;
- Third parties that help enforce Definitiv’s rights, protect Definitiv property, or protect the rights, property or safety of others, or as needed to support external auditing, compliance and corporate governance functions;
- Third parties, including agents or sub-contractors (sub-processors), who assist us in providing information, products, services or direct marketing to customers and their employees. This may include parties located, or that store data, outside of Australia; and
- Anyone to whom our business or assets (or any part of them) are, or may (in good faith) be, transferred.
If you are a client of Definitiv or an employee of a client of Definitiv, you may authorise a representative to access your personal information. Where appropriate we may enter into arrangements that expedite this process by enabling an individual to authorise a third party that needs to access certain personal information to seek that information directly from us, where they are authorised to do so. In such cases, we rely on, and contractually bind, those third parties to have the relevant individual’s authority to access their personal information. In such cases, we may charge a fee to the third party or the authorised representative that requests such authorised access.
By providing us with personal information, you consent to the disclosure of your personal information to third parties who reside outside Australia and, if you are a European Union (EU) citizen, to third parties that reside outside the EU. Where the disclosure of your personal information is solely subject to Australian privacy laws (and not subject to the GDPR), you acknowledge that we are not required to ensure that those third parties comply with Australian privacy laws.
Please note that Definitiv may use and disclose information about individuals that is not personally identifiable. For example, Definitiv may publish reports that contain aggregated and statistical data about Definitiv’s clients. These reports do not contain any information that would enable the recipient to contact, locate or identify an individual. These reports also do not contain any identifiable company information.
Where an individual has applied for employment with Definitiv, the personal information submitted with their job application will be added to Definitiv’s job opportunities database and may be used for recruitment and other customary human resources purposes. For example, Definitiv may send the applicant information about new job opportunities within Definitiv as well as other career development resources.
7. Direct Marketing Materials
We may use personal information for direct marketing reasons, including updating you on our Services, latest products, services and news. These communications may be sent in various forms, including mail, SMS or email, in accordance with applicable marketing laws.
You can opt out of this service at any time by using any of our “unsubscribe” mechanisms or by contacting firstname.lastname@example.org.
8. Our responsibilities as a ‘controller’ under the GDPR
Controllers are defined by the GDPR as natural or legal persons, a public authority, agency or other body to which personal information or personal data has been disclosed, whether via a third party or not, and who determines the purposes and means of processing personal information. We are a controller under the GDPR as we collect, use and store your personal information to enable us to provide you with our Services.
As a controller, we have certain obligations under the GDPR when collecting, storing and using the personal information of EU citizens. If you are an EU citizen, your personal data will:
- Be processed lawfully, fairly and in a transparent manner by us;
- Be collected in a way that is adequate, relevant and limited to what is necessary in relation to the purpose for which the personal information is processed;
- Be kept up to date, where it is possible and within our control to do so (please let us know if you would like us to correct any of your personal information);
- Be kept in a form which permits us to identify you, but only for so long as necessary for the purposes for which the personal data was collected; and
- Be processed securely and in a way that protects against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Specifically, we have the following measures in place, in accordance with the GDPR:
Data protection policies: We have internal policies in place which set out where and how we collect personal information, how it is stored and where it goes after we get it, in order to protect your personal information.
Right to ask us to erase your personal information: You may ask us to erase personal information we hold about you. See the section “Your rights and controlling your personal information”.
Right to ask us to restrict data processing: You may ask us to limit the processing of your personal information where you believe that the personal information we hold about you is wrong (to give us enough time to verify if the information needs to be changed), or where processing data is unlawful, and you request us to restrict the processing of personal information rather than it being erased.
Notification of data breaches: We will comply with the GDPR in respect of any data breach, see the section “Protecting the security of personal information” for more information.
We also apply these principles to the way we collect, store and use the personal information of our Australian customers or clients.
9. Our responsibilities as a ‘processor’ under the GDPR
Where we are a processor, we have contracts containing certain prescribed terms in our contracts with controllers. Depending on circumstances, we can be a controller or processor or controller and processor. In addition to:
- Our contractual obligations with controllers (where we are solely a processor); and
- Our legal obligations under the GDPR as a controller and processor (where we are both a controller and processor) we also have the following responsibilities under the GDPR:
o To co-operate with supervisory authorities;
o To ensure the security of its processing;
o To keep records of processing activities; and
o To notify any personal data breaches to the data controller; and
o To employ a data protection officer.
10. Your rights and controlling your personal information
Accessing, controlling and updating personal information: Individuals may request access to the personal information we maintain about them or request that we correct, update or amend their information, or that we restrict the processing of such information by contacting us as indicated below.
An individual may request for us to delete their personal information. We can delete personal information on request, unless the personal information is required for us to comply with applicable tax, recordkeeping and other legally imposed regulations.
Individuals may also request we transfer this personal information to another third party (data portability).
Definitiv will require verification of an individual’s identity before carrying out a request to help protect the privacy and security of personal information.
If you are an employee or former employee of a client of Definitiv, Definitiv provides its Services to clients in various ways. Therefore verifying your identity can differ based on the Services provided to your employer (i.e. the client). Some of the ways Definitiv can verify an individual’s identity include but are not limited to;
- An individual using their authorised user credentials to log into the Services either through Definitiv’s web or mobile application, and by logging in, the individual can update their personal information through the Services; and
- An individual submitting the request through their employer’s Definitiv authorised representative(s) and the authorised representative(s) carrying out their own verification of the individual’s identity. The employer or employer’s authorised representatives can either make the update on behalf of the individual or they can contact Definitiv to assist with the request.
If we refuse to update or action any other request in relation to an individual’s personal information, we will provide a reason why the request cannot be actioned. If you disagree with the response, you can respond and provide a statement with supporting information on why you believe this action should be carried out.
Unsubscribing: To unsubscribe from our e-mail database or opt-out of communications (including marketing communications), please contact our team using the details below or opt-out using the opt-out facilities provided in the communication delivered to you.
11. Retention of personal information
12. Links to other websites
The Services may contain links to other websites operated by third parties. Definitiv makes no representations or warranties in relation to the privacy practices of any third-party website. Third party websites are responsible for informing you about their own privacy practices and policies.
13. What can an individual do if they have a complaint?
Any complaint regarding how we have handled an individual’s personal information may be directed to:
- The person or department at Definitiv the individual normally deals with, if the individual has a direct relationship with Definitiv; and/or
- Definitiv’s Privacy Officer (using the details below).
If you do choose to make a complaint about how we have handled your personal information, please make sure it is submitted in writing such as through an email.
We will respond within five business days to inform you that we have received your complaint and then respond to the complaint within 30 days.
If you are not satisfied with our response, we do encourage you to contact the Office of the Australian Information Commissioner (OAIC) using the contact details on the OAIC website here.
14. Protecting the security of personal information
We exercise great care to protect personal information that Definitiv holds. To provide the Services, Definitiv contracts with Amazon Web Services (AWS) Australia who store data on secure data centres within Australia. Further details on AWS’s location and security can be found here.
While we take all reasonable steps to ensure the security of the Definitiv system, Definitiv cannot provide any guarantee regarding security of the personal information and other data transmitted to the Services and Definitiv will not be held responsible for events arising from unauthorised access of your personal information.
Internally, Definitiv restricts access to personal information to employees or parties who need access to the information in order to do their jobs. These employees or parties are limited in number and are committed to maintaining confidentiality.
We review Definitiv’s security arrangements from time to time, as it deems appropriate.
Definitiv allows you to access your information at any time to keep it accurate and up to date. You can also play an important role in keeping your personal information secure, by maintaining the confidentiality of any password and accounts used on the Services. Please notify Definitiv immediately if there is any unauthorised use of your account by any other Internet user, or any other breach of security relating to your account at email@example.com.
14.1 Data Breaches: A data breach involves the loss of, unauthorised access to, or unauthorised disclosure of, personal information.
The Privacy Amendment (Notifiable Data Breaches) Act 2017 (‘NDB Act’) established a Mandatory Data Breach Notification (‘MDBN’) scheme.
Accordingly, Definitiv is prepared to act quickly in the event of a data breach (or suspected breach) and determine:
- Whether it is likely to result in serious harm; and if so,
- Whether it constitutes an MNDB.
If the effect of any data breach is considered a risk of serious harm, Definitiv:
- Will notify any individuals likely to be at risk of serious harm by a data breach; and
- Will notify the Office of the Australian Information Commissioner (‘OAIC’).
15. Further information
Please contact us if you have any queries about the personal information that Definitiv holds about you or the way we handle that personal information. Our contact details for privacy queries and complaints are set out below:
Attn: Privacy Officer
Definitiv Group Pty Ltd
Ground Floor, 50 Kings Park Road, West Perth WA 6005
Phone: +61 8 6163 4400
16. Changes to this policy
Please refer to the Definitiv Terms and Conditions document published on the website for our full terms and conditions of use. You can access our Terms and Conditions here.
This policy came into effect on 24th May 2021. Our previous version can be accessed here.