Privacy policy

Why we have this policy

This Privacy Policy explains how Frank Accounting Limited (Frank) collects, uses, manages and discloses personal information, and how you can contact us if you have queries about our management of your personal information.

In case you are a Frank client this Privacy Policy should be read in conjunction with your Engagement Letter and Master Terms of Business (together, the Terms) provided to you when you engaged us to provide services to you.

In the event of any inconsistency, the Terms take precedence over this Privacy Policy.

The Privacy Policy applies to all personal information submitted to or collected by us. By engaging us to provide professional services or submitting personal information to us, you accept the terms of this Privacy Policy, and consent to our use, collection, disclosure and retention of personal information as described in this Privacy Policy.

If you do not agree to any provisions in this Privacy Policy, you should not disclose any personal information to us.

 

Obtaining a copy of this Privacy Policy

You are welcome to download and/or print this Privacy Policy at any time. If you would like us to email or mail you a copy of this Privacy Policy, you can contact us and request a copy.

 

What is personal information?

Personal information is information about an identifiable individual or information which is capable of identifying an individual and includes a person’s name, address, email address, telephone numbers. We collect information about you whenever you interact with us such as when you visit our website or when you instruct us to represent and advise you or your organisation.

By providing us with information, engaging us to provide you with services, or by using our website, you consent to the collection, use, storage and disclosure of personal information in accordance with this Privacy Policy, or as otherwise provided for in the Terms.

  

Our commitment to protect your privacy

We understand how important it is to protect personal information. Our commitment in respect of personal information is to abide by the New Zealand Information Privacy Principles for the protection of personal information, as set out in the Privacy Act 1993 (the Privacy Act), as well as the European Union General Data Protection Regulation 2016/679 (the GDPR) (if and to the extent that the GDPR is applicable to our engagement with you).

This Privacy Policy explains how we collect, hold, use, disclose, process and protect personal information, in accordance with our obligations under the Privacy Act and, if applicable, the GDPR.

 

From whom do we collect personal information?

In the course of operating our business we may collect personal information from:

  • web users;

  • persons who seek products or services from us;

  • clients (which may include our business associates) and their personnel;

  • share registries;

  • suppliers and providers of services to us and other business associates, including without limitation contractors and potential contractors; and

  • employees, potential employees and work experience persons.

 

What kind of personal information do we collect and hold?

In the course of our relationship with you, we are likely to collect a wide range of personal information about you. The type of personal information that we may collect will depend on our relationship with you, and the circumstances of collection. In general, the personal information we collect about you may include (but is not limited to):

·       your first and last names;

·       your date and place of birth;

·       your phone number, residential address and email address;

·       bank account details and credit / debit card details;

·       any information or comments provided by you;

·       reference details of you or your organisation related to the services we provide to you; and

·       details about your use of our website through the use of cookies.

·      In the course of offering or providing services to you, we may also collect copies of identification documents for example driver’s licenses, birth certificates and /or passports you have provided to us.

We collect most information directly from individuals when we deal with them. The personal information we collect may be provided in forms filled out by individuals, face to face meetings, email messages, telephone conversations or by third parties. If you contact us, we may keep a record of that contact.

Because of the nature of our business, it is generally impracticable for us to deal with individuals on an anonymous basis or with a pseudonym.

                       

Collection of personal information from employees and contractors

In respect of current and potential employees, contractors and work experience students, we may collect additional personal information including, but not limited to, personal resumes, third party references, bank details, Kiwisaver details, IRD numbers, certain health information, emergency contact details and other employee or contractor records.

We may also conduct criminal and financial background checks on individuals who commence employment or have a contracting arrangement with us. The results of such checks are held on our employee or contractor files for the duration of the employment, engagement or service, and after such relationship ceases, as needed.

 

Providing third party personal information to us

If, at any time, you provide us with personal information or other information about someone other than yourself, you warrant to us that you have that person’s consent, including where applicable any necessary consent under the ‘Cross-border disclosure of your personal information’ section of this Privacy Policy, to provide such information for the purpose specified and for us to treat such information in accordance with this Privacy Policy.

 

Social media and public sources

There may also be occasions when we collect personal information (to the extent it is available) from publicly available sources, including newspapers and social media platforms such as LinkedIn, Facebook, Instagram and Twitter. Sometimes, we may provide content on a range of platforms (including social media networks) with interactive features to which you may contribute. If you post your personal information in publicly accessible places or social media platforms, your personal information will become publicly available (subject to, where applicable, any privacy settings you have in place in social media platforms). We will not be responsible for the protection of personal information you choose to publish this way.

Information about users of our websites

Our internet service providers record certain statistical information about users of our websites. This information is reviewed by us for statistical purposes and is not disclosed to third parties. We do not identify you or your browsing activities except, in the event of an investigation, where a law enforcement agency may exercise a warrant or other such power to inspect the internet service provider’s server logs.

 

Cookies

A cookie is a small text file that is stored on a user’s computer for record-keeping purposes. We use cookies on our websites to identify repeat viewers and make it easier for you to navigate our site. If you reject cookies, you may still use our site, but your ability to use some features of our site may be limited.

 

Why we collect personal information

The primary purpose for which we collect personal information about you is to establish your identity and to provide you with products and services you have requested. We also collect information about you for the purposes outlined below in the ‘How we use your personal information’ section of this Privacy Policy.

We may state a more specific purpose at the point we collect your information. If you do not provide us with the information that we request, we may not be able to provide you with our products or services.

In certain circumstances we may need to collect personal and sensitive information in order to comply with our legal obligations, such as the Anti-Money Laundering and Countering Financing of Terrorism Act 2009. If you do not provide us with the information we request, we will not be able to provide you with our products or services.

  

How we use your personal information

Our uses of personal information include but are not limited to:

·       establishing your identity;

·       communicating with you, including by email, mail or telephone;

·       managing our relationship with you;

·       seeking feedback on services provided to you;

·       providing accounting services;

·       billing you and collecting any debt owed to us by you (which may involve disclosing your personal information to debt collectors)

·       providing you with updates, offers or proposals in relation to your matters, products and services that may be of interest to you;

·       sending regular newsletters (and other correspondence) concerning developments in the field of accounting and other areas that may be of interest to you;

·       sending marketing and promotional material that we believe may interest you;

·       for purposes necessary or incidental to the provision of goods and services to you;

·       inviting you to events and functions;

·       personalising and customising your experiences;

·       managing and enhancing our products and services;

·       investigating complaints made by you;

·       to comply with legal requirements; and

·       in the case of employees and contractors:

o   to pay your wages, fees and employee & contractor entitlements;

o   conduct criminal checks and confirm your immigration status and right to work; and

o   to manage your relationship with us.

We may also use your personal information for purposes required or authorised by applicable laws or regulations, such as to prevent or investigate alleged crime or fraud.

Because of the nature of our business, it is generally impracticable for us to deal with individuals on an anonymous basis or with a pseudonym.

 

Marketing and consent

By supplying us with your personal information, you give us permission to use your personal information and to disclose your personal information to our employees, contractors, agents or service providers, so that we can assess your likely needs, and contact you from time to time.

We may contact you to inform you about developments in the field of accounting and other products, services, events and resources we think would be of particular interest to you. The permission you provide to us is not limited in time.

You can however elect to opt out of receiving correspondence and other marketing materials from us by:

·       contacting us using the contact information provided below in the ‘Contact details’ section of this Privacy Policy; or

·       by utilising an ‘unsubscribe’ facility on a communication we send to you.

If you contact us and opt out of receiving further communications from us we will take steps to ensure you do not receive any such further information from us in future. Recipients of our newsletters and other correspondence may notify us at any time should they wish to discontinue receipt of emails and other communications from us.

 

Disclosure and use of your personal information to and by third parties

We may also be required to disclose personal information to certain third parties that may include:

·       your agents, professional advisors, auditors or insurers;

·       our financial, taxation or legal advisors;

·       entities that assist or conduct mail outs on our behalf;

·       debt collection companies;

·       a purchaser or successor entity in connection with the sale of our business, a subsidiary of our business, or substantially all of its assets; and

·       entities established to help identify illegal activities and prevent fraud.

We may disclose your personal information to organisations that carry out functions on our behalf, or assist us to deliver our services, such as our business associates, contractors, agents or service providers. These third parties may change from time to time. Some examples include technology and internet service providers, data storage providers, digital mail providers who send communications on our behalf and their implementation partners. We may also use graphic designers, printers and posting services to assist us with design, printing and distribution of communications.

Where it is necessary for personal information to be provided to a third party in connection with the provision of a service to us, we will take reasonable steps within our power to prevent the unauthorised use or unauthorised disclosure of the personal information.

We do not disclose personal information to third parties for the purpose of third-party direct marketing.

We disclose personal information to third parties (such as agents and associates in foreign countries) when we are instructed to do so by our clients in relation to their matters in order to provide our services, or as may be required by law. You agree that, subject to any additional obligations under applicable laws, third parties who receive personal information from us may use and disclose the personal information subject to their respective privacy policies and laws applicable to them.

From time to time, we may provide third parties with information in the form of statistical representations about our users collectively and for the purpose of statistical analysis. Where we provide such information to third parties for this limited statistical purpose, we will not provide information in such a way that your identity may be obtained.

 

Other permitted disclosures

We may also release your personal information under the following circumstances:

·       when you have consented;

·       when you would reasonably expect us to use or disclose your personal information in a certain way;

·       when authorised or required to do so by a court or under applicable laws or regulations (for example, a subpoena), or where requested by a government agency;

·       where we consider a company, or an individual may be engaged in fraudulent activity or other deceptive practices of which a governmental agency should be made aware;

·       to appropriate persons, where your communication suggests possible harm to yourself or others; or

·       when disclosure is reasonably necessary for a law enforcement related activity.

 

Security

We store personal information in a variety of formats including on databases, in hard copy files and on personal devices, including laptop computers. Personal information is retained in secure hard copy and electronic files. We take reasonable steps to ensure that any third parties who handle files maintained in offsite facilities (primarily online data storage facilities) act consistently with this Privacy Policy.

We make every effort to ensure personal information is kept secure and take reasonable steps to protect it from misuse, loss, interference, unauthorised access, modification or disclosure. Some of the measures implemented by us to secure personal information include using firewalls, standard software protection programs, password access protections and secure servers.

We regularly review these arrangements to ensure we are taking reasonable and technically feasible steps available at the time to protect your personal information.

However, since no system is 100% secure or error-free, we cannot guarantee that your personal information is totally protected, for example, from hackers, interference or misappropriation. You acknowledge that the security of online transactions and the security of communications sent by electronic means or by post cannot be guaranteed. You provide information to us via the internet or by post at your own risk. We cannot accept responsibility for misuse or loss of, or unauthorised access to, your personal information where the security of information is not within our control.

If you suspect any misuse or loss of, or unauthorised access to, your personal information, please contact us immediately using the contact details set out in the ‘Contact details’ section of this Privacy Policy.

In the event of a data breach involving a loss of, unauthorised access to or misuse of your personal information, we will report such breach to you and any relevant authority as required by law.

 

Personal information that is no longer required

We take reasonable steps to destroy, erase or permanently de-identify personal information as soon as practicable if it is no longer required by us (including being required for record keeping or legal purposes).

If you wish to request that your personal information be destroyed or erased, please refer to the ‘Responding to your request and when we may not be able to meet your request’ section of this Privacy Policy.

 

Accessing, updating or correcting your information

We use reasonable endeavours to ensure that the personal information we collect, use or disclose is accurate, complete and up-to-date. We request that you keep the information we hold about you as current as possible by advising us of any changes or inaccuracies to your personal information in the manner outlined below so that we may continue to improve our service to you.

Individuals are able to request access to their personal information or make a request that personal information be corrected and/or updated. Unless we are required or permitted by law to refuse to do so, we will, on request, provide you with details of the personal information we have collected about you or update, correct and amend your personal information in accordance with your request. Where we are also required by applicable law to provide further information about the use or disclosure of your personal information, we will do so upon your request.

To obtain details of this information, or if you wish us to update or correct your personal information, please refer to the ‘Responding to your request and when we may not be able to meet your request’ section of this Privacy Policy.

 

Responding to your request and when we may not be able to meet your request

If you would like to update or correct your personal information, seek access to personal information we hold about you, or make any other requests with respect to your personal information in accordance with this Privacy Policy, please contact us using the contact details set out in the ‘Contact details’ section below.

You can also contact us if you have any questions or complaints about, or if you wish to restrict or object to how we collect, use, disclose, manage or store your personal information. Where we are required by applicable law to provide further information about or change the manner with respect to our use or disclosure of your personal information, we will use reasonable endeavours to do so.

We will respond to your request, where required by law, within one (1) calendar month from the date your request is received. We will inform you if this timeframe is not achievable and extend this timeframe as permitted by applicable law.

We may charge a fee to cover the costs of meeting your request if your request is unfounded or excessive.

If we do not agree to provide you with access to, or to amend or erase, your personal information as requested or otherwise meet your requests, we will notify you accordingly. Where appropriate, we will provide you with the reason(s) for our decision and the mechanisms available to complain about the refusal. If the rejection relates to a request to change your personal information you may make a statement about the requested change and we will attach this to your record.

In some circumstances, and subject always to legal obligations to the contrary, we may not be in a position to grant access to your personal information or otherwise meet your requests with respect to your personal information, such circumstances include when:

·       the personal information is not retrievable;

·       providing access or otherwise meeting your request is reasonably likely to pose a serious threat to the safety of an individual or the public;

·       providing access or otherwise meeting your request is likely to impact unreasonably on the privacy of others;

·       your request is frivolous or vexatious;

·       providing access or otherwise meeting your request would reveal information which relates to existing or anticipated legal proceedings between you and us, which information would not be accessible by the process of discovery in those proceedings;

·       providing access or otherwise meeting your request would impact on any negotiations between you and us;

·       providing access or otherwise meeting your request is unlawful (including being unlawful as directed by a court or tribunal order);

·       providing access or otherwise meeting your request would likely have impact on actions being taken in relation to alleged unlawful activities or misconduct relating to our functions and activities;

·       providing access or otherwise meeting your request would be likely to impact on any enforcement related activities conducted by any enforcement bodies; or

·       granting access or otherwise meeting your request would reveal evaluative information in connection with a commercially sensitive decision-making process.

 

European Union General Data Protection Regulation

This section only applies to the collection and processing of ‘EU personal data’. ‘EU personal data’ means any personal information of an individual who is located in the European Union (‘EU’) (whether the individual is a citizen of an EU country or otherwise).

This section will apply to you and the processing of your EU personal data if you are located in an EU country. This section does not apply with respect to your personal information if you are located outside of the EU countries, even though you may be a citizen of an EU country.

For the purposes of this section, the term ‘process’ has the meaning given to it under the GDPR and may include any operation or a series of operations performed on EU personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

EU personal data that is collected by us may have been sourced directly from you, a third party or implied from your use of our services. We process EU personal data in accordance with this section and our Privacy Policy. To the extent of any inconsistencies between other sections of our Privacy Policy and this section in relation to the processing of EU personal data, this section prevails.

GDPR principles

Any EU personal data will be:

·       processed lawfully, transparently and in a fair manner;

·       collected only for the purposes identified in this Privacy Policy or any other agreed specified purposes and not further processed in a manner incompatible with those purposes;

·       collected in an adequate and relevant manner and limited to what is necessary in relation to the purposes for which the EU personal data is processed;

·       kept current and up-to-date in accordance with the ‘Accessing, updating or correcting your information’ section of this Privacy Policy;

·       stored in a form which permits us to identify you, but only for the period necessary in relation to the relevant purposes identified in this Privacy Policy;

·       stored and processed securely to protect EU personal data against unlawful or unauthorized access and accidental loss, damage or disclosure in accordance with the ‘Security’ section of this Privacy Policy.

 

Lawful bases for processing

We will only collect and process EU personal data where we have lawful bases. This may include where:

·       you have given consent;

·       the processing of EU personal data is necessary for the performance of an agreement with you (such as to deliver the services you have requested or that have been requested on your behalf); and

·       the processing of EU personal data is necessary for the purposes of ‘legitimate interests’ of Frank Accounting Limited, provided that such processing does not outweigh your rights or freedoms. Some ‘legitimate interests’ are listed in the ‘Why we collect personal information’, ‘How we use your personal information’, ‘Marketing and consent’, ‘Disclosure and use of your personal information’, ‘Disclosure and use of your personal information to and by third parties’, and ‘Other permitted disclosures’ sections of this Privacy Policy.

Where we rely on your consent to process personal data, you have the right to withdraw, restrict or decline your consent at any time and where we rely on legitimate interests, you have the right to object. If you have any questions about the lawful bases upon which we collect and process EU personal data, please refer to the ‘Responding to your request and when we may not be able to meet your request’ section of this Privacy Policy.

We do not use automatic decision making, such as profiling, to make a decision that may produce a legal effect concerning a data subject of EU personal data.

 

Rights of EU personal data subjects

In addition to other rights you may have as set out in this Privacy Policy, you may exercise the data protection rights set out below in relation to your EU personal data:

·       Access and Portability: a request can be made by you for a copy of your EU personal data (and any other information relating to your EU personal data permitted under Article 15 of the GDPR) held by us in accordance with the ‘Accessing, updating or correcting your information’ and ‘Responding to your request and when we may not be able to meet your request’ sections of this Privacy Policy. In addition, you may request to be provided with such EU personal data in a structured, commonly used and machine-readable format (including for the purposes of transferring to another party).

·       Restrictions and Objections: You may request that we limit our use of your EU personal data or processing by requesting that we no longer use your EU personal data or limit how we use your data, this may include where you believe it is not lawful for us to hold your EU personal data or instances where your EU personal data was provided for direct marketing purposes and now you no longer want us to contact you.

 

Our responsibilities as a ‘data controller’ and ‘data processor’

We may act as the ‘data controller’, the ‘data processor’ or in some instances both the data collector and data processor simultaneously in relation to EU personal data.

We will be a data controller where we determine the purposes and means of the processing of EU personal data alone or jointly with others. To the extent we are a data controller with respect to EU personal data, we:

·       set out in this Privacy Policy how we collect personal information (including EU personal data), how it is stored, to whom such personal information is disclosed and how the EU personal data is otherwise processed;

·       only appoint processors under agreements that the processor will comply with the GDPR;

·       will maintain a record of processing activities which are under our responsibility (where required by GDPR);

·       cooperate with relevant authorities which enforce the GDPR;

·       implement appropriate technical and organisation security measures to protect EU personal data and report any data breaches to authorities and affected individuals as required by the GDPR in accordance with the ‘Security’ section of this Privacy Policy.

If a third party discloses EU personal data to us for a specific purpose, we will be acting as a data processor in processing the EU personal data for that purpose. Where we act as a data processor, we will:

·       only act on the controller’s documented instructions;

·       impose confidentiality obligations on all personnel who process the EU personal data;

·       not appoint sub-processors without the prior written consent of the controller;

·       at the instruction of the controller, return or destroy the EU personal data in accordance with the ‘Personal information that is no longer required’ section (but subject to the ‘Responding to your request and when we may not be able to meet your request’ section) of this Privacy Policy; and

·       where applicable, assist the controller in complying with the rights of the data subjects of the EU personal data;

·       maintain and keep accurate records of processing activities (where required by GDPR); and

·       implement appropriate technical and organisation security measures to protect EU personal data and report any data breaches to controller without undue delay.

 

Disclosure to third parties

If we are required to disclose your EU personal data to third parties, including data processors or sub-processors, we will notify the third party that it has an obligation to handle any EU personal data in accordance with the GDPR.

In the event we are responsible for a transfer of EU personal data outside of the EU, such transfer will be for the necessary and lawful performance of our services.

 

Express consent to transfer:

Further to the ‘Cross-border disclosure of your personal information’ section above, by providing us with your EU personal data, you are consenting to the disclosure of your EU personal data to third parties outside of the EU. You also acknowledge that we are not required to ensure that those third parties comply with its obligation under the GDPR.

If you have any questions, comments or complaints about our handling of your EU personal data, or wish to contact us regarding your EU personal data, please use the contact details set out below in the ‘Contact details’ section. Your requests will be handled in accordance with the ‘Responding to your request and when we may not be able to meet your request’ section of this Privacy Policy.

 

Changes to this Privacy Policy

We reserve the right to modify this Privacy Policy at any time, so please review it frequently. Changes to this Privacy Policy will be published by posting an updated Privacy Policy on our website and are effective upon posting. Your continued use of our website, provision of instructions or information or receipt of our information or services, will signify your consent to be bound by this Privacy Policy.

Contact details

Our contact details are set out below:

  • Company: Frank Accounting Limited

  • Contact : Privacy Officer

  • Email: kiaora@frankHQ.co.nz

  • Postal Address: PO Box 37707 Parnell, Auckland 1151

  • Telephone: +64 9 520 5100

Problem

Complaints

If you have a problem or complaint, please let us know. We will respond to a complaint as soon as possible, but within 10 working days to let you know who is responsible for managing your complaint. We will also try to resolve the complaint within 10 working days. When this is not possible, we will contact you within that time to let you know how long it will take to resolve the complaint.

If you believe that we have not adequately dealt with your complaint, you may complain to the New Zealand Privacy Commissioner (http://www.privacy.org.nz/your-rights/how-to-complain).

CA logo_TM_MONO STACKED RGB.png
xero-platinum-partner-badge-RGB.png