We collect Personal Information by fair and lawful means, to the extent that it is reasonably necessary for, or directly related to, one or more of our business activities. The legal bases for our handling of Personal Information is either:

• the individual has consented to it; or
• under performance of a contract with an employee or a third party; or
• it is in our legitimate interests as a business that provides services to contracted third parties; or
• there is a legal obligation which makes the processing necessary for us to comply with any laws or other legal requirements; or
• it is necessary in the vital interests of the individual whose Personal Information we hold; or
• the processing is necessary for us to perform a task in the public interest, and the task has a clear basis in law.

The first three of these are likely to be the dominant legal basis for our handling of Personal Information.

By using any of our services or otherwise providing us with any Personal Information (or authorising it to be provided to us by someone else), you consent to us collecting, holding, storing, using, disclosing, transferring and otherwise managing your Personal Information (including sensitive information (such as health information), as defined in the Privacy Act (“Sensitive Information”) as set out in this Policy. This Policy may be updated from time to time and published on the Midwinter website at https://www.midwinter.com.au/privacy-policy/ (“Midwinter Website”).

The Personal Information we may collect or receive will depend on the circumstances of collection, including whether we collect or receive the information from the individual as a prospective or existing institutional and financial advisers (and their associated staff) (“Clients“), supplier, contractor, job applicant, employee or in some other capacity, or whether we collect the information from some other source, such as from our clients or our related bodies corporate.

In running our business, and in providing services to our clients, Midwinter may:

• collect (under authorisation from our Clients) our Clients’ customer’s data feeds and information from third party product providers, including investment holdings, account numbers transaction information;

• collect Personal Information about contractors, service providers and suppliers, including (but not limited to):
  • name;
  • job title;
  • business contact details of company representatives with whom we deal; and
  • financial information and banking details; and

How do we collect Personal Information?

Midwinter collects Personal Information about an individual directly from the individual when the individual:

• applies for job vacancies, or is employed or contracted by us;
• meets with us or contacts us via other methods such as our support line or helpdesk, or when the individual uses our client portal;
• completes forms, transacts with us or provides information to us via the Midwinter Website;
• provides information to us through industry surveys, promotions conducted by us or via social media platforms; and
• participates in other services we offer, such as our digital advice tools, client portals and client engagement calculators and other.

We also collect Personal Information about individuals from third parties and organisations. We collect, handle or process information from:

• Clients of Midwinter who disclose the Personal Information of their customers as part of their use of the services provided by Midwinter;
• third party product providers who we engage (including, but not limited to, data feeding service providers);
• Midwinter’s related bodies corporate;
• publicly available sources of information, such as public registers;
• government agencies;
• our contracted service providers;
• parties to whom the individual refers us or from whom the individual authorises collection; and
• any social media platforms over which we have administrative control.

If you are a Client and provide us with the Personal Information of your customers, we will assume, and you must ensure, that you are authorised to disclose that information to Midwinter. If you disclose Personal Information of your customers to Midwinter or if you disclose Personal Information of third parties through contractual arrangements with Midwinter, we will assume, and you must also ensure, that:

• you have made that third party aware of the purposes involved in the collection, use, transfer and disclosure of the relevant Personal Information, for example, by requiring the customer to read this Policy;
• you have obtained the individual’s consent to our collection, use, disclosure, transfer and handling of the relevant Personal Information in accordance with this Policy; and
• when collecting Personal Information, you have complied with all applicable laws, including data protection and privacy laws.

Where requested to do so by Midwinter, you must assist us with any requests by an individual to access or update the Personal Information you have collected from them in relation to our services.

Purposes of collection, use and disclosure of Personal Information

Midwinter may collect, hold, use and disclose Personal Information for the following purposes:

• to provide services to our Clients;
• to maintain, manage and develop our relationship with our Clients, including organising events;
• to facilitate the provision of services by our Clients or our related bodies corporate to their customers;
• to verify an individual’s identity, for invoicing, to provide support services and to administer the services we provide to the individual;
• to provide our Clients with information and updates on changes to our services;

• to send our Clients’ information about our or our related bodies’ corporate products or services that may be of interest to them. If at any time an individual no longer wishes to be notified about our or our related bodies’ corporate products or services, the individual can contact us at the details provided at the bottom of this Policy;
• to send feedback questionnaires, and to participate in industry surveys;
• to help us undertake training in relation to our services and to improve how we serve our Clients;
• to assist individuals with the resolution of technical issues or other issues relating to our services;
• to contract out some of our functions to external service providers and suppliers (such as mailing houses and printing companies, IT, advertising and marketing);
• to comply with laws and regulations in applicable jurisdictions;
• to assess and consider applications from prospective job applicants, contractors and service providers;
• to manage and administer a contractor’s or service provider’s relationship and arrangements with us and maintain any records in relation to this relationship;
• and such purposes for which we may obtain consent, from time to time.

If you do not provide the Personal Information we request or consent to the collection and use of your Personal Information for the purposes outlined in this Policy, we may not be able to do any of the things or provide the services as set out above.

Offshore disclosure

We are likely to disclose an individual’s Personal Information to overseas recipients. The countries in which those recipients are likely to be located are the United Kingdom, New Zealand, Hong Kong, India and Poland. For clarity, we do not disclose our Clients’ customer’s Personal Information to overseas recipients. If an individual does not want their Personal Information or that of their clients’ to be stored on third party
servers, the individual should not provide their Personal Information to our Clients or use our services.

Security of Personal Information

Midwinter is committed to protecting any Personal Information held by us from unauthorised access, modification or disclosure. We take appropriate measures using industry standard techniques to maintain technical and organisational safeguards and controls to protect the information we hold (including your Personal Information). As part of our security policies we take into account confidentiality, integrity,
availability and privacy when handling Personal Information in both the physical and electronic environment.

Our services may allow an individual to transfer data, including Personal Information, electronically to and from third party applications. Midwinter has no control over, and takes no responsibility for, the privacy practices or content of these applications. The individual is responsible for checking the privacy policy and third party terms of any such applications so that the individual can be informed of how they handle Personal Information. Individuals must take care to protect their Personal Information (for example, by keeping usernames and passwords secure), and should notify us as soon as possible if they become aware of any unauthorised disclosure of Personal Information.

Disclosure of Personal Information in limited circumstances

In conducting our business, we usually disclose Personal Information (except for Clients’ Personal Information or our Clients’ customers Personal Information) to:

• our related bodies corporate;
• external service providers, such as mail houses, website and IT service providers;
• professional advisors, such as our financial advisers, legal advisers and auditors; and
• government agencies.

Midwinter may also disclose the Personal Information (except for Clients’ Personal Information or our Clients’ customers Personal Information) provided to us to third parties if it is necessary and/or appropriate in the provision of our services (or a related purpose). This may include disclosing Personal Information to any governing, regulatory or licensing bodies that require this information to assist with the provision of compliance or monitoring services, such as an individual’s dealer group or licensee. Midwinter may also be required to disclose Personal Information in order to comply with any court orders, subpoenas, or other legal process or investigation including by tax authorities, if such disclosure is required by law. Where possible and appropriate, we will notify individuals if we are required by law to disclose their Personal Information.

The third-party servers we use for data storage do not control, and are not permitted to access or use an individual’s Personal Information except for the limited purpose of storing that information.

You may request access to your Personal Information or seek its correction

We will take such steps (if any) as are reasonable in the circumstances to ensure that the Personal Information we collect is accurate, complete and up-to-date. Our Data Subject Access Request (“DSAR”) policy (available on the Midwinter Website) (“DSAR Policy”) explains our approach and submission requirements if an individual wishes to request access to their Personal Information, or request that we update or correct any Personal Information we hold about the individual.

Please be aware that if you are a Client of Midwinter, or are employed by Midwinter, you should make a request directly to us, by using the DSAR form attached to our DSAR Policy, and submitting it by:

• e-mail to [email protected]; or
• letter to the Operations Manager, Midwinter, Level 6/345 George St, Sydney NSW 2000.

If you do not have a direct relationship with Midwinter, but with one of Midwinter’s Clients, you should make your request directly to that individual or entity, who will request that we assist them with your DSAR.

Midwinter will only keep an individual’s Personal Information for as long as we require it for the purposes for which the information may be used or disclosed under the APPs unless otherwise required by law.

You can opt-out of any marketing email communications.

Midwinter uses an individual’s Personal Information to send them information about our or our related bodies’ corporate products or services that may be of interest to them. This information may be sent via email. Our emails will contain clear and obvious instructions outlining how an individual can choose to be removed from our mailing list.

Cookies

Midwinter may use cookies to collect information about an individual’s use of the Midwinter Website and online services. This information may include information about the IP address of the individual’s computer, browser type, language, operating system, mobile device, geographical region, the web pages visited, the date and the time of their visit, and the websites visited immediately before and after visiting the Midwinter Website.

Our online service requires the use of cookies which are placed on your computer by Midwinter for a number of purposes relating to the provision of our services, including to:

• retain your login information so as to make accessing our services efficient;
• retain details of your browsing and accessing history so as to optimise or customise the delivery of our services to you, or for us to provide material to you which may be of interest to you;
• and provide to us data as to the use of our services by customers so that we can assess the performance of the delivery of our services and make improvements or alterations to our services.

You will not be able to access some of our services if cookies are not enabled on your device. There are two types of cookies: session cookies and persistent cookies. Session cookies are detected once you leave the website. Persistent cookies, however, will remain on your computer or until deleted by the website user. Session and persistent cookies can be classified into one of four categories:

Strictly necessary cookies	These cookies are strictly necessary to enable you to move about the site or to provide certain features you have requested.
Functionality cookies	These cookies allow the website to remember choices you make (such as your name, language or region you are in) and provide enhanced, more personalised features
Performance/Analytics cookies	These cookies collect non-Personal Information – data in a form that does not permit direct association with any specific individual – and support the measurement of websites. This information helps improve websites by identifying any problems that visitors may encounter during their visit and by learning how they entered and which pages they visited.
Third party cookies	These cookies are set by a website other than the one you are currently on. For example, some websites might have social media buttons. When you use one of the share buttons, a cookie may be set.