GDPR (General Data Protection Regulation) became effective as of May 25th, 2018. The GDPR replaces national privacy and security laws that previously existed within the EU with a single, comprehensive EU-wide law that governs the use, sharing, transfer and processing of any personal data that originates from the EU.

Our commitment to the GDPR

Our policy is to respect all laws that apply to our business and this includes the GDPR. We are committed to helping our customers stay in compliance with GDPR and/or their local requirements. As part of our commitment to GDPR compliance, we have updated our Privacy Policy.

In addition, here are a few things that our group is committed to doing to ensure our compliance with GDPR and that of our customers:

Where we are transferring data outside of the EU, we commit to having the appropriate data transfer mechanisms in place as required by GDPR.

Commitment to follow the appropriate security measures and precautions in accordance with GDPR and other privacy laws outside of the EU.

Notification to regulators of breaches and promptly communicating any breaches to customers and users.

We will ensure that employees authorized to process personal data have committed to confidentiality.

Annual risk assessments on all vendors, processors and sub-processors to ensure the highest level of security and data processing frameworks including GDPR compliancy.

Where appropriate, we will offer contractual language documenting our commitments to our customers to support their GDPR obligations.

You have a direct contact for data protection and GDPR, the Data Protection Officer. For any questions you have please contact – dpo@collectivetech.com.au

Our role under the GDPR

We act as a data controller for your company data. We’ve mapped out everywhere your data exists and how it moves throughout our systems.



We’ve taken a very deliberate approach to respecting our clients’ privacy. We only collect the data we need at any point to provide the promised services. We have implemented privacy by design to ensure the collection and retention of data is minimized to only what is critically needed.

Data Categories

We categorize the data we collect and receive in the following ways: Client Company Data and Worker Data.

Client Company Data

This category of data relates to information specific to the account-holding company that is using the services of our entities within the group. We only collect the minimum required data to provision and operate your account. In addition to provided data, we also collect application-specific information such as your IP address(es). This information is used to provide diagnostics for support and to protect the system from unauthorised use.

Employee Data

Any employee data collected is to provide the contractual services to the client company. The standard set of data collected is derived from the minimum requirements to perform the services that which have been contracted to do. Employee data is, if configured as such using an API, be used for facilitating payroll processing and HR services. Application-specific information, such as your IP address(es), is collected and used to provide diagnostics for support and to protect the system from unauthorised use.

Frequently Asked Questions

1. The right to be informed – The data subject has the right to be informed about what personal data has and is being processed.

2. The right of access – The data subject has the right to full and instant access to all personal data.

3. The right to rectification – The data subject has the right to the rectification of any inaccurate data.

4. The right to erasure – The data subject has the right to erase any or all data the controller has of the subject without any undue delay.

5. The right to restrict processing – The data subject has the right to restrict/inform the controller how, what and when their personal data is processed for.

6. The right to data portability – The data subject shall have the right to receive personal data that has been provided to a controller, in a structured, commonly used and machine-readable format, and has the right to transit this data to another controller without hindrance from the controller to which the personal data has been provided.

7. The right to object – The data subject shall have the right to object, on grounds relating to their situation, at any time to the processing of their personal data.

8. The right in relation to automated profiling – The data subject has the right to decline controllers to use their personal data for automated decision making and profiling. The controller must offer an option to the data subjects if they wish to use personal data for this.

*Please note that not all rights can be exercised if the following applies:

• There is a legal obligation to process the data in question through the EU or member state law to which the controller is subject to or it is a risk that needs to be carried out in the public interest or in the exercise of official authority vested in the controllers.

• There is a public interest in the area of public health.

• In case of archiving in the public interest, for scientific, historical research or statistical purposes insofar as the deletion of the requested data might seriously impair the achievement of the objectives of that processing.

• The data is needed to establish, exercise or defend legal claims.
To exercise any of your rights above please contact: dpo@collectivetech.com.au

Yes. We hold transparency in the highest regard and will not use your data without your consent. You have control over what data is stored and how it is processed. Please read our privacy policy for further information or if you have any questions, contact: dpo@collectivetech.com.au

We have implemented many systems and security measures to ensure data remains safe in transit and at rest. The infrastructure has been architected and designed with security and privacy at the forefront. All data is encrypted and resides on “private” networks and are not directly attached to the internet. A layered security model is in place and configured as per industry best practice. The group engages third party penetration testing consultants that regularly review and test the environment.

To place a data subject request or any other questions relating to the use of your data, please email: dpo@collectivetech.com.au