Privacy Notice
Thank you for visiting our CFO PRO website and reviewing our Privacy Notice.
CFO PRO ("we", "us", "our" or "ourselves") is a professional accounting firm specialising in providing outsourced and offshored virtual CFO, Financial Controller and Corporate Governance/Company Secretarial services. It is based in Perth, Western Australia and services clients in Australia and the United Kingdom. As such we are a business-to-business service provider.
Respecting your privacy
As a business-to-business service provider, we do not collect Personal Data[1], including IP addresses, browser type, operating system and geolocations, via this website and don't use cookies to collect personally identifiable information about anyone.
CFO PRO understands that privacy is important to you, our business clients or potential clients (collectively "you" or "your"), and your Data Subjects[5], and that you and your Data Subjects care about how Personal Data transferred by you, as a Data Controller, to us, or generated on your behalf, is used.
Although this Privacy Notice is directed primarily at our business clients, if the reader of this Privacy Notice is a Data Subject[5] they should read this Privacy Notice in that capacity, noting their rights, remedies, entitlements and obligations set out below. For clarity, a Data Subject is an employee, a contractor, a customer/client, potential customer/client, supplier/vendor, shareholder, adviser, complainant, correspondent or contact of our business client.
Further, we do not host social media platforms.
Some web browsers may indicate the presence of a small number of cookies on our website when a visitor clicks on the Site Identity button (the padlock icon) in the browser address bar. However, these are not actually cookies but privacy-focused, anti-bot service technologies which use Local Storage and Session Storage to protect this website, called hCaptcha. This service is provided by Intuition Machines, Inc., a Delaware US Corporation ("IMI"). hCaptcha is used to check whether the data entered on our website (such as on a login page or contact form) has been entered by a human or by an automated program. To do this, hCaptcha analyses the behaviour of the website or mobile app visitor based on various characteristics. This analysis starts automatically as soon as the website or mobile app visitor enters a part of the website or app with hCaptcha enabled. For the analysis, hCaptcha evaluates various information (e.g. IP address, how long the visitor has been on the website or app, or mouse movements made by the user). The data collected during the analysis will be forwarded to IMI. hCaptcha analysis in "invisible mode" may take place completely in the background. Website or app visitors are not advised that such an analysis is taking place if the user is not shown a challenge. Session Storage stores information for the duration of a session only; when the browser is closed, any stored data is automatically deleted. Data processing is based on Art. 6(1)(f) of the GDPR (DSGVO): the website or mobile app operator has a legitimate interest in protecting its site from abusive automated crawling and spam. IMI acts as a "data processor" acting on behalf of its customers as defined under the GDPR, and a "service provider" for the purposes of the California Consumer Privacy Act (CCPA).
For more information about hCaptcha and IMI's privacy policy and terms of use, please visit the following links: https://www.hcaptcha.com/privacy and https://www.hcaptcha.com/terms.
Personal Data we obtain, use and process
The only Personal Data we obtain, use and process, as a business, in our capacity as a Data Controller[3] or Data Processor[4] or both, is that which you, as a business client, or your authorised third party voluntarily transfer to us in respect of your Data Subjects, via email (using encryption or secure document transfer or exchange protocols/platforms), intranet, phone, courier or letter.
We use and process the Personal Data that you supply to us only as necessary in our and your legitimate business interests for: fulfilling our written contractual obligations to you for the purposes of, and in the course of, providing normal business services to you; administering our business activities and communicating with you; and investigating any complaints.
Moreover, the use and processing of such Personal Data is only in accordance with any overriding interests of your Data Subjects and their fundamental rights under the law in Australia, the United Kingdom ("UK") or the European Economic Area ("EEA")[12].
You and/or your Data Subjects may have a right not to provide information that can identify them. In such event, it may not be possible for us to meet our contractual obligations to you, or alternatively, the quality or appropriateness of our services or advice may be affected.
In the event of a change of control in our business or a sale or transfer of business assets, we reserve the right to transfer, to the maximum extent permissible under law, our client files and documents, together with any Personal Data and non-personal data contained in those files and documents, subject to the buyer, new owner or transferee signing a Sub-Data Transfer Agreement ("SDTA")[8] covering our clients and their Data Subjects in the UK or EEA.
What does this Privacy Notice cover?
This Privacy Notice covers our obligations in controlling, managing and processing the Personal Data we hold that is supplied by our business clients in respect of their own Data Subjects, to perform our contracted services, as well as those relating to potential clients. This includes information such as name, email address, phone number, various types of identification numbers, or any other type of information that can reasonably identify an individual, either directly or indirectly.
This Privacy Notice does not apply to practices, procedures and activities that are directly related to our records of our current or former employees. These are the subject of an internal privacy notice.
If you would like further information on this Privacy Notice, please contact us at the email address at the end of this Privacy Notice.
Disclosure of Personal Data
In the course of providing services to you we may be required to disclose your or your Data Subjects' Personal Data to third parties, as variously required by law, and as instructed by you, for the purpose of meeting your statutory or contractual obligations, or to meet our professional obligations. Such disclosure will be in compliance with our contractual obligations to you, as set out in this Privacy Notice, APES 110 Code of Ethics for Professional Accountants (including Independence Standards) and (a) in the case of Australia: the Australian Privacy Principles in the Privacy Act 1988 (Cth) (Privacy Act), or (b) in the case of the UK and EEA: the General Data Protection Regulation ("GDPR")[2], including under any Data Transfer Agreement ("DTA") we have with you and the Standard Contractual Clauses ("SCCs")[9] incorporated therein.
The types of third parties we may disclose your Data Subjects' Personal Data to on your behalf include:
- Government agencies as required or authorised by law including those regulating taxation, immigration, employment and fair work practices, company registration, social security, welfare and pensions.
- Insurers covering various areas of your business including private health, salary continuance/income protection/disability, workers compensation/ employer liability, directors and officers, cyber risk management, protection and mitigation, professional indemnity, public liability, travel and theft of property.
- Pension schemes or superannuation funds.
- Companies or individuals contracted by you, in accordance with your country's data privacy obligations, to assist us in providing services or who perform functions on your or our behalf such as specialists, consultants, information technology service providers, barristers, solicitors, contractors or temporary/casual/contract employees.
- In the case of clients based in Australia or outside the UK or EEA, companies or individuals contracted by ourselves to assist us in providing services or who perform functions on your or our behalf such as specialists, consultants, information technology service providers, barristers, solicitors, contractors or temporary/casual/contract employees.
- Courts or tribunals via an order or ombudsmen in the course of an investigation.
- Auditors, tax accountants, or BAS Agents, as required by law.
- Anyone else to whom you consent, such as banks, accountants and other financial institutions.
The types of third parties to whom we may disclose your Data Subjects' Personal Data by virtue of our own professional obligations include:
- Professional associations such as Chartered Accountants Australia New Zealand, of which we are a member, in respect of our client files (including your files and documents) which may be subject to review as part of their quality review program as required by government regulation of professional bodies in the course of their monitoring our compliance with mandatory professional standards, as well as our own quality monitoring program.
However, if you are a client based in the UK or EEA, no quality review will be permitted of your files and documents unless the organisation conducting the quality review has, in the capacity of Subprocessor[6], signed an SDTA with us and complies in all relevant respects with the GDPR.
- In the case of Australian company clients, the Australian Corporations Act 2001 also provides the Australian Securities and Investments Commission with the authority to inspect our client files.
Compliance with these review or inspection programs may involve the disclosure of your Data Subjects' Personal Data. The same strict confidentiality requirements apply under these programs as apply to us as your accountant or virtual/outsourced CFO, Financial Controller and Corporate Governance/Company Secretary.
Where the law or our contractual obligation requires it, we will advise you promptly and in advance of disclosing any Personal Data. Where our professional association's code of conduct or regulation requires it, we will obtain your consent before disclosing any Personal Data and, in the case of our UK or EEA clients, require the recipient to enter into an SDTA.
Sensitive data
Some of the Personal Data is "sensitive data" as defined by the Privacy Act and the GDPR. Sensitive information includes health information, information about your race, ethnic origin, political opinion, religion, trade union or other professional or trade association membership, sexual preference(s) and criminal record. We restrict the receipt of such sensitive information to the absolute minimum needed to meet our and your obligations under law and in any event will only receive this information as permitted under the Privacy Act or GDPR, as applicable.
Sensitive data will be used, processed, transferred or disclosed only for the purpose for which it was provided, a directly related secondary purpose, or where required by law.
Any sensitive data transfers will be subject to applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Unsolicited Personal Data
There may be times when we receive unsolicited Personal Data from yourselves or your third party service providers. If and where this occurs, we will consult with you and determine if the information is necessary for us to provide our services, or whether the supply of such Personal Data is required or authorised by or under an Australian law, the GDPR or a court/tribunal order, as applicable. If it is, the information will be dealt with in accordance with the Australian Privacy Principles or the GDPR as if the information had been solicited.
If it is determined that we should not have received this information, we will destroy or de-identify the information as soon as practicable, provided it is lawful and reasonable to do so.
Security of your Personal Data
CFO PRO is committed to ensuring that the confidential information and Personal Data you provide to us is secure and protected. In order to prevent unauthorised access or disclosure, or accidental or unlawful destruction or processing, of Personal Data, we have implemented suitable security measures, including equipment, software and organisational policies and procedures, to safeguard and protect information and prevent theft, hacking, misuse, interference, loss, corruption, unauthorised access or use, modification, or alteration, in particular where the processing involves the transmission of data over a network, in which event network security is maintained using commercially available equipment and industry standard techniques, including firewalls, intrusion detection systems, access control lists and routing protocols ("Technical and Organisational Security Measures").
Our employees are required to commit to the confidentiality of Personal Data and the privacy of Data Subjects. They are required to undergo privacy and data protection training, inter alia, to understand their obligations in regard to Personal Data.
Where and if we engage Subprocessors to process Personal Data on our behalf, we only do so on the basis that such Subprocessors comply with the requirements under the Privacy Act and GDPR (as set out in this Privacy Notice), are under an appropriate statutory obligation of confidentiality, and they have adequate Technical and Organisational Security Measures in place.
The transmission and exchange of information with you and any of your authorised third parties, to the maximum extent permitted by law, is carried out at your own risk. We cannot guarantee the security of any information that you or your third parties transmit to, or receive from, us. Although we take measures to safeguard against unauthorised disclosures of information, including by use of your intranet, your internal email, your third parties' secure document transfer or exchange protocols/platforms, your cloud service providers' platforms, encryption, multi-factor authentication and pseudonymisation, we cannot guarantee that your Data Subjects' Personal Data that we obtain will not be disclosed in a manner that is inconsistent with this Privacy Notice. Moreover, we cannot prevent the use or misuse of such Personal Data by your employees, contractors or other persons.
We will retain your Data Subjects' Personal Data only as long as necessary to fulfil the purpose for which it was obtained, as required by law, the Privacy Act, or the GDPR, or in accordance with our documentation retention policies.
Hosting and International Data Transfers
CFO PRO does not disclose or transfer its Australian clients' or their Data Subjects' Personal Data to entities overseas unless such disclosure is required by you under our contractual obligation to you and is permitted under the Privacy Act. Such disclosure would be kept to the absolute minimum and would only be directed to your controlled, controlling, related or affiliated bodies corporate and other associated entities, foreign governments and regulators as required by law (such as employee names and email addresses), customers, contractors, advisors and suppliers in the normal course of business.
CFO PRO, as a Data Controller or Data Processor, may disclose or transfer its UK clients' Data Subjects' Personal Data to entities outside the UK or EEA only as required under our contract with you and associated DTAs, as permitted by the GDPR and under law, and in any event only to your controlled, controlling, related or affiliated bodies corporate and other associated entities, customers, contractors, auditors, accountants, advisors, insurers, service providers and suppliers in the normal course of business, including, but not limited to, those in the USA and within Australia, or, as set out above, professional associations in Australia such as Chartered Accountants Australia New Zealand, of which we are a member, in respect of our client files (including your files and documents) which may be subject to review as part of their quality review program as required by government regulation of professional bodies in the course of their monitoring our compliance with mandatory professional standards, as well as our own quality monitoring program.
Any data transfers of our UK clients' Data Subjects' Personal Data to entities outside the UK or EEA are or will be protected by the GDPR safeguard of a DTA incorporating the SCCs adopted or approved by the European Commission, which you have or will have in place, or SDTAs that we will have in place, or any successor new or modernised standard contractual clauses in the event they supersede the SCCs. Details of the SCCs can be obtained from the European Commission website.
CFO PRO has cloud service providers situated in Australia. The hosting facilities for our website are situated in Australia. For clients located in the UK, we typically store, process, access or back up your Data Subjects' Personal Data on your third party service providers' cloud servers that are located overseas. These servers are typically located in the USA, the UK and the Netherlands.
Access to Personal Data
Your Data Subjects may have the right to access, rectify or erase Personal Data or privacy preferences that we hold about them on your behalf, or restrict or object to or withdraw consent for, your or our processing of such Personal Data, or request direct transfer to third parties where technically feasible, in accordance with any relevant provisions of the Privacy Act, and for those who are UK or EEA Data Subjects, as applicable under the GDPR in relation to their right to invoke or enforce the SCCs, with some exceptions as set out in the GDPR.
If your Data Subjects would like a free copy of the Personal Data we hold about them, or believe that such information is inaccurate, incorrect, incomplete, irrelevant or misleading, please direct them (or, if they approach us directly, we will direct them) to comply with your organisational procedures, namely: firstly, personally identifying themselves to you; secondly, completing your relevant Data Subject access request forms; and thirdly, your formal acknowledgement of their Data Subject access request forms, copied to ourselves. Once this process has been completed, please forward such acknowledgement to ourselves along with contact details and suitable identification, for our release of their Personal Data.
Alternatively, please provide us with your consent to enable us to directly undertake these same data access organisational procedures with the Data Subject.
In the event that you have factually disappeared or ceased to exist in law, unless any successor entity has assumed your entire legal obligations by contract or by operation of law, as a result of which it takes over your rights and obligations, then we will directly provide the Data Subject with a copy of their Personal Data held by us, subject to complying with these same data access organisational procedures.
In the case of Australian clients, we reserve the right, in conjunction with you, to refuse to provide your Data Subjects with details of the Personal Data that we hold about them, in certain circumstances set out in the Privacy Act or any other applicable law. If access is denied, we will explain the reason why it is denied. In any event we will require them to verify their identity and specify what Personal Data they require. We will further inform them that prior to responding to their request we will communicate with you and where required by law or contract, obtain your prior consent to release details of such Personal Data.
Keeping Personal Data current
We endeavour to ensure that the Personal Data we hold is accurate, complete and current. Changes inevitably are required and unfortunately errors do occur from time to time. You should contact us immediately in order to update any changes to the Personal Data we hold about you.
GDPR for citizens and residents of the UK and EEA
CFO PRO complies with the data protection principles set out in the GDPR for the purpose of fairness, transparency and lawful data collection and use. We apply the data protection principles of GDPR to all UK and EEA Data Subjects on whom we hold Personal Data. Under these data protection principles:
- We process your Data Subjects' Personal Data as a Data Processor and/or control it to the extent that we are a Data Controller.
- We are required to establish a lawful basis for processing Personal Data. The legal basis for which we obtain Personal Data depends on the data that we obtain and how we use it.
- We will only obtain Personal Data that has been provided with your Data Subjects' express consent, or under contract, for a specific purpose and any data collected will be to the extent necessary and not excessive for its purpose. We will keep your data safe and secure.
- We will process your Data Subjects' Personal Data as necessary for our legitimate interests, or to fulfil a contractual or legal obligation.
- We will also process your Data Subjects' Personal Data if: it is necessary to protect their life or in a medical situation; it is necessary to carry out a public function; it is a task of public interest; or if the function has a clear basis in law.
- We do not obtain or process any Personal Data in respect of your Data Subjects that is considered "Sensitive Personal Data" under the GDPR, such as Personal Data relating to their sexual orientation or ethnic origin unless you have obtained their explicit consent, prior to transferring it to us, in their full knowledge that it is being transferred to us, or if it is being obtained and transferred to us subject to and in accordance with the GDPR.
- You must not provide us with your Data Subject's Personal Data if they are under the age of 16 without the consent of their parent or someone who has parental authority for them. We do not knowingly obtain or process the Personal Data of children.
Data Subjects' rights under the GDPR
Citizens and residents of the EEA have certain rights regarding how their Personal Data is obtained, processed, used or controlled. CFO PRO complies with the GDPR in relation to such rights.
Except as otherwise provided in the GDPR, UK and EEA Data Subjects have the following rights to:
- Information on how their Personal Data is being used;
- Access their Personal Data;
- Rectify their Personal Data if it is inaccurate, incorrect, incomplete or misleading;
- Erase their Personal Data;
- Restrict processing of their Personal Data;
- Receive in a commonly used format, or retain and use their Personal Data for personal purposes;
- Object to their Personal Data being used;
- Avoid any automated decision making and profiling; and
- Review the SCCs (and related Appendices) of your DTA with us, but with irrelevant confidential information redacted.
Your Data Subjects should be aware from your own privacy policies and statements, that their Personal Data we hold, process, use or control is primarily held on your behalf as our clients, under GDPR compliant DTAs, together with engagement letters, for the express purpose of performance of our contractual obligations with our clients and in particular for the processing and payment of payroll, time billing, invoicing, costing, pricing, expense reimbursement, budgeting, human resource and contract management, and external audit.
You or your Data Subjects can contact us at any time to exercise their rights under the GDPR. However, we will follow the procedures set out above under "Access to Personal Data". Our contact details are set out at the end of this Privacy Notice.
Third party websites
Our website has links to other internet websites not owned or controlled by us. These links are meant for your convenient reference only. Links to third party websites do not constitute sponsorship, endorsement or approval of these websites. Please be aware that CFO PRO is not responsible for the privacy practices of other such websites, nor their content, removal or updating. We encourage our users to be alert, to check whether a site is secure when clicking on one of these website links, and to read the privacy notices of any website that collects personal data. We accept no responsibility for, and we expressly disclaim any liability relating to, the accuracy, relevancy, copyright compliance or legality of materials displayed on, or contained in, these linked websites.
Changes to Privacy Notice
Please be aware that this Privacy Notice is subject to modification or update as and when required, to reflect new or changed legislation, technology, operating models or practices and business conditions. This Privacy Notice may be amended or updated at any time, in our sole discretion and with immediate effect upon upload to our website. Accordingly, please review this Privacy Notice intermittently.
Complaints about privacy
If you have any complaints about our Privacy Notice or privacy practices and procedures, please send details of your complaints to the relevant email or postal address below. We view complaints seriously and will expedite a response after receiving written notice of your complaint.
If you are a Data Subject who would like access to your Personal Data, or have any questions about privacy-related issues, you should contact the Data Protection Officer at the email address below, mindful, if applicable, of the protocols outlined above under "Access to Personal Data".
Definitions
1. "Personal Data": (a) in the UK or an EEA country, has the meaning given to it pursuant to the GDPR[2]; or (b) otherwise, means any information relating to an identified or identifiable natural person, wherein an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her personality, personal status, physical, physiological, mental, state of health, economic, vocational qualifications, cultural or social identity, or opinions and beliefs of a person;
2. "GDPR" means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regards to the processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation). For the purposes of this Privacy Notice, "GDPR" shall be construed as also referring to the GDPR as it applies in the UK by virtue of the European Union (Withdrawal) Act 2018 ("UK GDPR"). Any references to specific articles of the GDPR shall be construed as also referring to the equivalent sections of the UK GDPR, where applicable and covers any EEA citizens or residents working for you in the UK;
3. "Data Controller" means: (a) the natural or legal person, agency or any other body which alone or jointly with others determines the purposes and means of the processing of Personal Data; (b) in the UK or an EEA country, the meaning given to it pursuant to GDPR, including in the capacity of a Data Exporter[7]; or (c) an active manager of a body that owns or possesses a database or collection of data;
4. "Data Processor" means an entity which processes Personal Data on behalf of a Data Controller;
5. "Data Subjects" means your: employees, contractors, customers/clients, potential customers/clients, suppliers/vendors, shareholders, advisers, complainants, correspondents and contacts;
6. "Subprocessor" means any third party individual or entity outside the UK or EEA appointed by or on behalf of ourselves to process, or is required under law, to review your Data Subjects' Personal Data;
7. "Data Exporter" means, under the GDPR, the Data Controller who transfers the Personal Data to a data importer such as ourselves, in our capacity also of Data Processor and/or Data Controller, whereby we agree to receive from you, the Data Exporter, your Data Subjects' Personal Data intended for processing on your behalf after the transfer in accordance with your instructions and the terms of our DTA, as we are not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
8. Sub-Data Transfer Agreement ("SDTA") means an agreement signed between ourselves and our Subprocessor that incorporates the same GDPR SCCs safeguards, the same obligations that exist in our DTA with you, and meets the requirements of Article 28(3) of the GDPR. You and your Data Subjects are entitled to review such SDTA but with irrelevant confidential information redacted. You are also entitled to object to the appointment of a particular Subprocessor;
9. "Standard Contractual Clauses" means: (a) the Standard Contractual Clauses (Controller to Controller Modules); (b) the Standard Contractual Clauses (Controller to Processor Modules); (c) in relation to clause 3.1.9(c)(ii) the relevant processor to processor modules of the standard contractual clauses for the transfer of Personal Data to non-EU countries approved by the European Commission Decision 2021/914;
10. "Standard Contractual Clauses (Controller to Controller Modules)" means the relevant controller to controller modules of the standard contractual clauses for the transfer of Personal Data to non-EU countries approved by the European Commission Decision 2021/914. A copy of the Standard Contractual Clauses (Controller to Controller Modules) can be found on the European Commission website;
11. "Standard Contractual Clauses (Controller to Processor Modules)" means the relevant controller to processor modules of the standard contractual clauses for the transfer of Personal Data to non-EU countries approved by the European Commission Decision 2021/914. A copy of the Standard Contractual Clauses (Controller to Processor Modules) can be found on the European Commission website; and
12. "EEA" means the European Economic Area which is constituted at 1 January 2021 by the 27 Member States of the EU together with Norway, Liechtenstein and Iceland, and shall be read to include the United Kingdom.
Contact Details:
Data Protection Officer
CFO PRO Pty Ltd
P O Box 639
Nedlands WA 6909
+61 (0)408 938571
DPO@cfopro.net.au