Privacy Policy

HomePrivacy Policy

1. Background

Dundas Lawyers Pty Ltd ACN 150 373 167 (Dundas Lawyers®, Firm, We, Our, Us, and other similar terms) takes all reasonable steps to implement processes and procedures for the responsible management of Personal Information and Data.  References to Dundas Lawyers in this Privacy Policy include information collected online by Dundas Lawyers Gold Coast Pty Ltd ACN 627 097 170.

1.1 Application of this Policy

  • Dundas Lawyers is not an APP Entity for the purposes of the Privacy Act 1988 (Cth) (Privacy Act), because We do not currently meet the legislative threshold for mandatory compliance with the Australian Privacy Principles (APPs)
  • However, to the extent that We are a Reporting Entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act), we are an APP Entity, the Privacy Act will apply to certain activities we carry out for the purposes of, or in connection with these obligations
  • Accordingly, this Privacy Policy applies only to Personal Information We collect, hold, use or disclose for the purposes of, or in connection with, Our obligations under the AML/CTF Act, including Client identification, verification of identity, due diligence, record keeping, reporting and related compliance obligations.  Other Personal Information We manage remains excluded from the application of the Privacy Act to the extent permitted by law, however We take all reasonable precautions to protect such information.
  • We have implemented this Privacy Policy having regard to the Privacy Act, the APPs, the AML/CTF Act and other applicable data protection rules, in order to be open and transparent about how We collect, hold and use Your Personal Information, and the circumstances in which We may disclose or transfer it.  However, Our decision to explain how We collect, hold and use Your Personal Information does not mean that We have “opted in” to be bound by the Privacy Act generally, where we are not required to do so.
  • This Privacy Policy forms part of the terms and conditions of Our agreement with Our Clients to provide legal services (You, Your, Client and other similar terms) but only applies to the extent set out in this section 1.

2. Definitions

In this Privacy Policy, unless the context or subject matter otherwise require:

AML/CTF means Anti-Money Laundering and Counter-Terrorism Financing.

APP Entity has the meaning given in section 6(1) of the Privacy Act and means an agency or organisation with an annual turnover of over $3 million.  For the purposes of this Privacy Policy, We are only treated as an APP Entity to the extent that the APPs apply to Us in connection with Our AML/CTF obligations as per section 6E(1A) of the Privacy Act.

AUSTRAC means the Australian Transaction Reports and Analysis Centre.

Customer Due Diligence has the meaning given by Part 2 of the AML/CTF Act, and refers broadly to the continuous processes which a Reporting Entity must follow to verify the identity of Clients and assess the risk of money laundering and/or terrorism financing in the provision of Designated Services.

Data means any information which is reduced to electronic form and stored in any of Our computer systems.

Data Breach means any unauthorised access to, unauthorised disclosure of, or loss of, Personal Information held by Us where the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.

Designated Services means legal services which are regulated under the AML/CTF Act as AUSTRAC believe pose a risk for money laundering, terrorism financing and proliferation financing.  A list of Designated Services can be accessed at table 6B of section 6 of the AML/CTF Act.  Dundas Lawyers is prepared to provide the following Designated Services to its Clients:

  • assisting a person in the planning or execution of a transaction to buy, sell of transfer a body corporate or legal arrangement, including acting on behalf of an individual in a transaction;
  • receiving, holding, controlling or managing a person’s money, accounts, securities accounts, virtual assets, or other property as part of assisting the person in the planning or execution of a transaction;
  • assisting in organising, planning or executing a transaction for equity or debt financing relating to a body corporate or legal arrangement;
  • assisting in planning or executing in the creation or restricting of a body corporate or legal arrangement; and
  • providing a registered office address or principal place of business address, of a body corporate or legal arrangement.

Personal Information has the meaning given in section 6 of the Privacy Act, being any information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  • whether the information or opinion is true or not; and
  • whether the information or opinion is recorded in a material form or not.

Personal Information Types includes the following types of information collected:

  • Identity Information including name, date of birth, gender, signature, photographic identification, offices or directorships held;
  • Contact Information including residential and postal addresses, email addresses, telephone number(s);
  • Professional and Business Information including occupation, employer, job title, professional qualifications, business holdings and structures;
  • Financial Information including bank account details, billing information, payment card details, tax file numbers;
  • Matter-Related Information including information relevant to Your legal matter or the legal matter of Our Client;
  • Transaction Information including details of services provided to You or Your organisation;
  • Communication Records including records of correspondence and communications with You;
  • Website and Technical Data including IP address, browser type, device information, pages visited, cookies;
  • Recruitment Information including employment history, qualifications, references, right to work status and background check results; and
  • Sensitive information means information about a person’s sexual orientation, racial and ethnic origin, political beliefs, religious affiliation, criminal record, and health information.

Reporting Entity has the meaning given in section 5 of the AML/CTF Act and, broadly, means a person who provides a Designated Service.  For the purposes of this Privacy Policy, We are only a Reporting Entity to the extent that We provide, or propose to provide, Designated Services under the AML/CTF Act.

3. Identity verification and the AML/CTF Act

  • If We provide You with a Designated Service, We may be required to verify Your identity and collect certain information under the AML/CTF Act.  Identity Documents might also be required for other services such as Court matters and asset dealings.
  • We may be required under the AML/CTF Act to collect the following information from You, including:
    • personal identification documents;
    • corporate structure and organisation information;
    • information about beneficial ownership of entities; and
    • source of wealth information.
  • We are required to keep records of Your information for seven (7) years in accordance with the AML/CTF Act.
  • We may provide information related to AUSTRAC or other authorities as required by Our AML/CTF disclosure obligations without notifying You or Our Client(s).

4. Purpose of collecting Personal Information

4.1 Collection purposes

We collect, hold, use and disclose Personal Information for the primary purpose of providing legal services to Our Clients.  We may use and disclose Personal Information for secondary purposes that are ancillary to the provision of legal services as per principle 6.1 of the APPs.

4.2  Primary and secondary purposes

  • Primary purposes for collection and disclosure may include:
    • providing legal advice and representation to You or to Our Client(s);
    • managing Client matters and files;
    • conducting investigations and gathering admissible evidence in relation to Your matte
    • communicating with You and other parties;
    • billing and collecting fees, including pursuit of Our rights under a Costs Agreement or retainer;
    • complying with Our legal, professional and insurance obligations; and
    • administering and managing Our Firm.
  • Secondary purposes for collection and disclosure may include:
    • maintaining and developing Our relationship with You;
    • training and professional development;
    • ongoing Customer Due Diligence as required by the AML/CTF Act;
    • enforcement of Our right to payment of fees;
    • internal reporting and analysis; and
    • risk management and insurance purposes.

5. Types of Personal information collected

5.1 Personal Information collected by stage of engagement

The type of Personal Information We collect, when We collect it, how We use it, who it is disclosed to, and where it is stored may vary depending on the stage of legal services We provided to you.  This may include the following stages:

  • On browsing Our website: When You visit Our website at www.dundaslawyers.com.au, We may collect certain information about Your visit, including Your IP address and details about Your Web browser, including the type of browser and the operating system on which it is running, Your primary language preference, and whether Your browser is currently storing cookies previously set by Our website.  Additionally, as You browse, We collect information about the individual Web pages You view, what websites or search terms referred You, and information about how You interact with Us online.
  • On enquiry: when You first contact us, We may collect information necessary to understand Your enquiry, respond to You, assess whether We can assist, conduct preliminary conflict checks and arrange an initial consultation.
  • Once engaged: if You engage us, We may collect further information required to open Your file, verify Your identity, confirm Your instructions, comply with Our legal and professional obligations, issue engagement documents and commence work on Your matter.
  • As the matter progresses: during the course of a matter, We may collect, create, use and disclose additional information as reasonably necessary to provide legal services, communicate with You and others, prepare documents, obtain searches, brief advisers, deal with courts, tribunals or Government agencies, negotiate, settle or otherwise progress Your matter.
  • On termination, completion or closure: when Our engagement ends or a matter is completed or closed, We may retain, archive, return, transfer or securely destroy information in accordance with Our legal, professional, insurance, trust accounting, taxation, audit, complaint-handling and record-keeping obligations.
  • At each stage: information may be stored in Our electronic systems, practice management systems, document management systems, email systems, cloud storage, accounting and trust accounting systems, physical files, archive systems and secure backup systems.  The specific systems used may depend on the nature of the enquiry or matter, the information provided, the services required and Our legal and professional obligations.

5.2  Sensitive Information

  • Sensitive Information has the meaning given in section 6 of the Privacy Act
  • We do not collect or store Sensitive Information because is it not necessary for Us to provide Our services to You.

5.3  Device information and cookies

  • We collect the information identified in section 5.1(a) (above) using the following technologies:
    • “Cookies” which are Data files placed on Your device or computer which may include an anonymous unique identifie
    • “Log files” which track actions occurring on the website, and collect Data including Your IP address, browser type, referring/exit pages, and date/time stamps; and
    • “Web beacons”, “tags”, and “pixels” which are electronic files used to record information about Your browsing session.
  • Please note that We do not alter Our websites’ Data collection and use practices when Your browser is set to send a Do Not Track signal.
  • You may refuse the use of cookies by selecting the appropriate settings on Your browser, however if You do, You may not be able to use the full functionality of Our website.
  • We do not collect Personal Information or associate the information collected via cookies, web beacons, tags, log files or pixels with other Personal Information We collect.

6. Consent

By agreeing to this Privacy Policy, You give Us Your consent to use Your Personal Information as set out herein.  You have a right to withdraw Your consent at any time and may do so by contacting Us via the details provided in section 14 (below).

7. Use

7.1 General use

  • We use Personal Information collected as part of Our business operations which are primarily associated with the provision of legal services to You.  Examples of when Your information may be used include
    • informing You about Our goods and services;
    • providing You with the goods and services requested;
    • administration needs in relation to providing You with goods and services, including managing Your account;
    • dealing with requests, enquiries or complaints and other Client-care related activities; and
    • carrying out any activity in connection with a legal, Governmental, or regulatory requirement imposed on Us or in connection with legal proceedings, crime or fraud prevention, detection or prosecution.
  • We may also use Personal Information for purposes, as would be reasonably expected by You, in connection with those activities described above.  However, We will not use Your Personal Information for purposes, other than as described in this Privacy Policy or other agreement We have with You, unless You consent to that use or there are specific law enforcement, public health or safety reasons.

8. Accessing Your information

Upon Your request and after satisfying ourselves of Your identity, We will provide access to the Personal Information We hold about You except in certain prescribed circumstances.  These include, where:

  • We believe giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safet
  • giving You access would be unlawful;
  • granting access would have an unreasonable impact on the privacy of other individuals;
  • the request for access is frivolous or vexatious; or
  • there are anticipated legal proceedings.

9. Data integrity

  • We take reasonable steps to ensure the Personal Information We collect, use, and disclose is accurate, complete, and up to date.  You have a right to access and correct incorrect Personal Information at any time and may do so by contacting Us using the details provided below.
  • If You become aware Your information is no longer accurate, complete, or up to date please contact Us.

10. Disclosure of Personal Information

  • We may disclose Personal Information to third parties to facilitate the purposes of collection noted in section 4 (above).  These purposes include disclosure to parties to proceedings or transactions and their representatives, to Courts, Government and regulatory agencies as may be necessary or appropriate to establish legal rights and to progress transactions in which We are instructed.
  • Your Personal Information and confidential Data is held by Us subject to Our duty of confidentiality under the Australian Solicitor’s Conduct Rules 2023 (Qld) (ASCR) and any applicable undertakings or Court rules. 
  • We may disclose Personal Information to third parties subject to those obligations and for the purposes described in this Privacy Policy, including:
    • to discharge Our professional obligations to You or to Our Clients or in the reasonable execution of Our instructions;
    • to comply with Our legal obligations or in answer to a compulsory notice such as a subpoena or warrant, or to disclose information under the AML/CTF Act, Criminal Code(s), Legal Profession Act 2007 (Qld) or other relevant legislation;
    • to barristers, mediators, expert witnesses, investigators and consultants and other legal practitioners engaged to act for You (and/or Our Client) or in relation to Your matter;
    • other parties to legal proceedings or transactions as instructed, reasonably necessary or required by law;
    • Courts, tribunals, Government agencies and regulators;
    • our professional indemnity insurers;
    • a Costs Assessor in the event that an assessment is ordered or reasonably necessary.
    • service providers who assist Us to operate Our business (including IT providers, AI providers, document management providers, and marketing service providers);
    • related entities;
    • as permitted under the ASCR confidentiality exceptions; and
    • any person You expressly or impliedly authorise Us to disclose information to.
  • We may also disclose Personal Information to third parties who hold, process, store or transmit information for us, or who assist Us in providing legal services, including:
    • document management and file storage providers;
    • communication and email providers;
    • providers of software relating to document storage, collaboration, calendaring, task management and office administration;
    • legal practice management, workflow and matter management providers;
    • Client relationship management, marketing, contact management and Website enquiry management providers;
    • search, property, company, identity verification, electronic conveyancing and legal information service providers;
    • accounting, billing, payment, trust accounting and financial administration providers;
    • professional indemnity insurers, brokers, claims managers and risk advisers;
    • State and Federal Government departments, regulators, statutory authorities, Courts, tribunals and registries;
    • barristers, experts, consultants, investigators, process servers, mediators, costs assessors, external lawyers and other professional advisers engaged in connection with a matter;
    • banks, financial institutions, settlement agents, trust account auditors and other parties involved in receiving, holding, transferring or verifying funds;
    • counterparties, opposing lawyers and other persons where disclosure is reasonably necessary for the conduct of a legal matter
    • IT support providers, cybersecurity providers, Website hosts, analytics providers, backup providers and other technical service providers who assist Us to operate, maintain, secure and improve Our systems
    • any other third party where disclosure is required or authorised by law, where You have consented to the disclosure, or where the disclosure is reasonably necessary for Us to provide legal services or operate Our legal practice.
  • To the best of Our knowledge, the third-party service providers and systems listed above store or process information in Australia, or provide services to Us through Data hosting arrangements, infrastructure, offices or service locations based in Australia.

11. Overseas disclosure

  • In general, We do not disclose Personal Information to recipients located outside of Australia.
  • We may disclose Personal Information outside of Australia in the following circumstances:
    • where Your matter involves overseas parties;
    • to overseas law firms or legal practitioners engaged in Your matter;
    • to service providers whose systems or servers are located overseas (including cloud storage and IT service providers) if We consider that the confidentiality arrangements that will apply to such information is sufficient); and
    • where You instruct or authorise Us to do so.

12. Anonymity and pseudonymity

  • To provide legal services, We are required to confirm the identities of Clients and cannot do so where Clients are seeking to use a pseudonym or remain anonymous.
  • If You do not provide Us with the Personal Information We request, We will not be able to provide You with legal services or respond to Your enquiry. 

13. Security of Personal Information

13.1 Security measures

  • We hold Your Personal Information using a system designed to protect against Data Breaches, however like all Data security systems, risks may only be mitigated but not eliminated.
  • It is Our practice to use reputable service providers for the storage, processing and management of Personal Information.  Where reasonably practicable, We seek to ensure that those service providers maintain appropriate security, confidentiality, backup, access control and Data protection measures.
  • We may use a combination of physical, technical and administrative safeguards to protect Personal Information, including:
    • secure cloud storage;
    • password protection;
    • access controls;
    • user permissions;
    • multi-factor authentication where available;
    • antivirus and endpoint protection;
    • secure backups;
    • staff training;
    • internal policies and procedures.
  • We hold a Gold (SMB1001:2025 Level 3) certificate issued by CyberCert Pty Ltd ABN 87 662 681 423, as endorsed by the Queensland Law Society.
  • We take reasonable steps to comply with the Privacy Act, the APPs and any other privacy, confidentiality, professional conduct, legal practice and record-keeping obligations that apply to Us.

13.2 Data retention

  • If We hold Personal Information about You, and We do not need that information for any purpose, We will take reasonable steps to destroy or de-identify that information, in accordance with the APPs, unless We are prevented from doing so by law.
  • Under Australian law, financial records, such as those relating to financial transactions, must be retained for seven (7) years after the transactions associated with those records are completed.
  • We envisage that Your Personal Information will be deleted or de-identified within ten (10) years if it is no longer reasonably required for the purposes for which it was collected.
  • You may make a request to Us in writing to remove Your Personal Information and, where permitted, We will do so in accordance with the APPs.

14. Inquiries about Your Personal Information

For more information about Our privacy practices, if You have questions, or if You would like to make a complaint, please contact Us using the details provided below:

  • Dundas Lawyers is a customer service-oriented business.  Therefore, if You have a complaint about Our collection or use of Personal Information pertaining to You, then We would ask You to contact Us.  Our Privacy Officer can be contacted via the information provided below.

Privacy Officer
Level 13 270 Adelaide Street
Brisbane City, QLD 4000
AustraliaTelephone: (07) 3221 0013Email: service@dundaslawyers.com.au

  • If after investigating Your complaint and reporting Our findings, You are still not satisfied, then You may contact the Office of the Australian Information Commissioner at the below address:

The Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2001
AustraliaTelephone: 1300 363 992Email: enquiries@oaic.gov.au

15. Amendments

We will regularly review this Privacy Policy.  As such We may update it from time to time to reflect changes to Our practices or for other operational, legal, or regulatory reasons.  This notice was last updated on 30 June 2026.

Schedule 1: PI collection, storage and processing flows – not part of the Policy

1.1 Personal Information (PI) is defined in section 6 of the Privacy Act as:

information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  • whether the information or opinion is true or not; and
  • whether the information or opinion is recorded in a material form or not.

1.2 Sensitive Information is defined in section 6 of the Privacy Act as:

  • “information or an opinion about an individual’s:
    • racial or ethnic origin; or
    • political opinions; or
    • membership of a political association; or
    • religious beliefs or affiliations; or
    • philosophical beliefs; or
    • membership of a professional or trade association; or
    • membership of a trade union; or
    • sexual orientation or practices; or
    • criminal record;
    • that is also Personal Information; or
  • health information about an individual; or
  • genetic information about an individual that is not otherwise health information; or
  • biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
  • biometric templates.”

Table of third parties to which disclosure of Clients’ personal information is or may be made

IDPI Collected Detailed field listWhat IT system is this information stored in?Where physically is this Data located?  (State/Country)Who and where is this PI send to?  Where is it physically located?For what reason is the PI send to a third party?
1Client names, contact details, matter details, file notes, correspondence, identification documents, instructions, legal documents, billing information and other matter-related personal informationActionstep – legal practice management, matter management and trust accountingAWS – Melbourne and Sydney, AustraliaActionstep and its hosting provider, AWS, located in AustraliaTo manage Client matters, legal files, trust accounting, workflows, billing and practice administration
2Names, email addresses, phone numbers, correspondence, attachments, Client instructions, matter-related communications and staff communicationsMicrosoft Outlook Exchange OnlineAustraliaMicrosoft 365 / Microsoft Exchange Online, AustraliaTo send, receive, store and manage email communications and attachments
3Documents, letters, agreements, pleadings, invoices, forms, spreadsheets, internal records, Client information and matter documentsInternal digital file storage / File ExplorerBrisbane, Queensland, AustraliaGenerally stored internally onsite, with onsite UPS systemInternal storage and management of Client and business records
4Shared documents, Client files, staff records, matter information, intranet content, correspondence, spreadsheets and collaborative work productMicrosoft SharePoint OnlineAustraliaMicrosoft 365 / Microsoft SharePoint Online, AustraliaTo allow document collaboration, shared folders, intranet access and internal file management
5Documents, spreadsheets, emails, Teams messages, files, user account details, meeting information and productivity DataMicrosoft 365 suite including Word, Excel, Outlook, Teams, OneDrive, SharePoint, Office Online and related servicesAustraliaMicrosoft 365, AustraliaTo create, edit, store, share and manage documents, communications, meetings and productivity workflows
6Prospective Client names, contact details, enquiry details, marketing preferences, communications, lead information and CRM notesHubSpot – CRM, enquiries, marketing and contact managementAWS – Melbourne and Sydney, AustraliaHubSpot and its hosting provider, AWS, located in AustraliaTo manage enquiries, Client intake, marketing communications, contact management and CRM records
7Search subject names, addresses, company details, property details, identity information, search results, matter references and payment/search recordsInfoTrack – property, company, identity, searches and legal information servicesAustralia; may disclose to VietnamInfoTrack, located in Australia, and where applicable recipients/service providers in VietnamTo obtain legal searches, property searches, company searches, identity checks and related legal information services
8Client names, matter information, claim details, file documents, correspondence, solicitor details, policy information and insurance-related recordsLexon Insurance – professional indemnity insurance and claimsAustralia; may disclose to SingaporeLexon Insurance, Australia, and where applicable recipients/service providers in SingaporeTo manage professional indemnity insurance, claims, notifications, risk management and insurance obligations
9Company names, director/shareholder details, addresses, ASIC extracts, lodgement information, regulatory records and search subject informationASIC – ASIC searches, company extracts, lodgements and regulatory dealingsAWS – Melbourne and Sydney, AustraliaASIC and its hosting provider, AWS, located in AustraliaTo conduct ASIC searches, company searches, obtain extracts, make lodgements and manage regulatory dealings
10Client names, contact details, invoice details, payment records, bank reconciliation information, account details, billing descriptions and financial administration recordsXero – accounting, invoicing, bank reconciliation and financial administrationAWS – Melbourne and Sydney, AustraliaXero and its hosting provider, AWS, located in AustraliaTo issue invoices, manage accounts, reconcile payments, undertake bookkeeping and financial administration
11Names, addresses, party details, Court documents, pleadings, affidavits, evidence, correspondence, orders, filing information and matter detailsCourts, tribunals and registries in Australia and, where relevant, overseas jurisdictionsAustralia and, where relevant, overseas jurisdictionsCourts, tribunals and registries in Australia and, where relevant, overseas jurisdictionsTo file documents, conduct proceedings, comply with court or tribunal requirements and progress legal matters
12Names, tax file information where applicable, ABNs, ACNs, addresses, land/property information, duty/tax/revenue records, Client instructions and transaction detailsATO, Revenue Queensland, Titles Queensland, land titles registries and other Government agenciesAustraliaAustralian Government agencies, including ATO, Revenue Queensland, Titles Queensland, land titles registries and other Government agenciesTo comply with taxation, revenue, property, land titles, regulatory and Government requirements
13Client names, matter details, instructions, documents, evidence, contact details, reports, expert materials, briefs, financial information and other matter-related informationBarristers, experts and external consultants, including counsel, expert witnesses, mediators, investigators, process servers, costs assessors and other professional advisersAustralia, or the location of the relevant external adviserRelevant barristers, experts, mediators, investigators, process servers, costs assessors and other professional advisersTo obtain legal advice, advocacy, expert opinions, mediation services, investigation services, service of documents, costs advice and other professional assistance
14Website enquiry names, email addresses, phone numbers, enquiry details, IP addresses, cookies, analytics Data, spam/security logs and website interaction informationWordPress host, contact forms, analytics, spam filtering and security pluginsLocation depends on the WordPress host and plugin providersWebsite hosting provider, contact form provider, analytics provider, spam filtering provider and website security plugin providersTo operate the website, receive enquiries, analyse website use, prevent spam, maintain website security and manage online communications
15User account details, device information, file metaData, backups, system logs, remote access records, cybersecurity alerts, email/file Data where accessed for support, and business IT informationDeployus – external IT provider, backup software, antivirus, endpoint management, remote access toolsLocation depends on Deployus and the relevant backup, antivirus, endpoint management and remote access providersDeployus and relevant IT support, backup, antivirus, endpoint management and remote access service providersTo provide IT support, cybersecurity, backups, remote access, endpoint management, system maintenance and business continuity services
16Hosting Data, system logs, application Data, backup Data, Client or business information stored in AWS-hosted systemsAWS – Amazon Web ServicesAustralia, including AWS Australia regions where applicableAWS, AustraliaTo host cloud-based systems, store Data, provide infrastructure, backups, security and system availability

Send this to a friend