This policy tells you how we collect and use (in other words, process) your personal information (also referred to as "personal data", including any information relating to an identified or reasonably identifiable person) and the legal basis for processing it, what we use it for and who we share it with. It also explains how you may seek to access or correct your personal information and exercise any other statutory right you may have or make a privacy complaint.
General website and service usage
When you are accessing the SMX website, Portal, Webmail and other services, we collect information and store it. This information may include internet protocol (IP) addresses, the region or general location where your computer or device is accessing the internet, browser type, operating system, message headers and other usage information about the usage of the SMX website, including a history of the pages you view We use this information to facilitate your use of the website and services, to keep track of how many people have accessed the site, what they completed whilst on the site and what errors occurred.
Collection of personal information from you
The ways in which SMX may collect personal information about you include:
- information that you provide to us at the time of signup, which includes name, address, email address, phone number, employer
- any messages or comments you submit to SMX via its website through the Contact page, the Case study page, the News Page or the Product page or the Support Enquiry Form or the email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org or email@example.com email addresses;
- application forms, identification documentation or other documents that you may complete or provide to SMX;
- face to face meetings, interviews and telephone conversations; and
If you do not provide us with the information we request, then SMX may not be able to respond to your requests, verify your identity or protect against fraud, process your application, or provide services to you.
Collection of personal information from other sources
Sometimes we collect information about you from other sources. We may collect information about you that is publicly available (for example from public registers or social media) or made available by third parties. For instance, we do this where:
- messages pass through the SMX filtering services. We collect the metadata contained in those messages, which includes sender, recipient, time, and subject, and collect it in log files on our system.
- we distribute or arrange products on behalf of others, including our business partners.
- we need information from third parties about an application you make through us;
- we need information for fraud prevention purposes;
- we can't get hold of you and need to update your contact details; or
How we use and process the personal information we collect about you and on what legal basis
We use and process your information in a lawful manner and to serve the following legitimate purposes:
- to verify your identity and enable communication with you, whenever necessary in the context of our services and products and in any other of the following instances;
- for the performance of a contract with you, namely to deliver our services and products, meet our obligations and pursue our rights (also including billing and support services); or to enter into a contract with you at your request;
- in connection with our legitimate interests (except where they are overridden by your interests or fundamental rights and freedoms), for example:
- performing a contract with a legal entity you may represent, or entering into a contract with such legal entity;
- identifying opportunities to improve our services and service to you, detect and correct possible errors in our services and products, develop new services and products;
- allowing us to run our business, and perform administrative and operational tasks (including amongst others our subcontractors and third party service providers in the course of providing our services, such as website developers cloud storage providers and payment processors);
- promote our business, services and products, including through marketing tools and campaigns, newsletters, and corporate events; and
- defend our positions and pursue our legal claims before Courts or other bodies in the context of litigation or other disputes where SMX is a party;
- for any other purposes to which you have given your explicit consent, for instance to process your requests or answer your inquiries; and
- where we are required by applicable laws, regulations or codes that bind us.
Please note that it is not unusual that the different purposes we are serving by processing your personal information are based on multiple legal grounds. For instance, when we reach out to you to inform you about security updates in our products and services we may do so both in view of our commitments under an existing contract with you and to pursue our legitimate interests with regard to the security of our systems. Also, when you give us your consent to a particular processing operation it is not uncommon that the same processing can be justified on a different legal basis.
SMX does not sell or give out your email address, or send spam, unsolicited direct marketing material or other unsolicited electronic messages. SMX may occasionally send important announcements regarding SMX or its services and products to our existing clients.
In any case, if you have provided your consent to receiving direct marketing or newsletters from us, you can withdraw it without detriment at any time by contacting us or by clicking on the unsubscribe link in our electronic communications.
Sharing your information
At SMX we apply a strict need-to-know approach regarding the treatment of your personal information. Within our organisation your personal information is only shared with / accessed by those departments and workers who are responsible for the data processing operations concerned. We may share your information with other organisations or natural persons (outside SMX) consistent with the purposes for which we use and process your information as described in this policy. This may include:
- regulatory or enforcement authorities, where a legal obligation is imposed on SMX;
- our professional advisers, where required to enable them to provide advice to us which may be necessary for us in order to serve our legitimate interests, or otherwise; and/or
- third party service providers to whom we may outsource certain processing operations in the course of our business, such as IT platforms, storage providers, software developers, etc.
In some cases, the information we hold may be processed by our data analytics systems. This information is not used to identify you as an individual. It is collated into aggregate results or classifications to assist us in improving our service, and to operate, maintain, develop, test and upgrade our systems and infrastructure. The aggregated data contains no unique identifying information and ensures that data can only be used as a whole.
Transfer of your information to other countries and third party service providers
As SMX operates on a global scale, personal information that you provide us may be transferred, processed, used or stored by SMX or our third party service providers in countries other than New Zealand, including Australia, Belgium, France, Germany, and the USA.
If you have any concerns regarding the transfer of your personal information overseas, please contact us. However, please note that, if you object to the overseas transfer of your information, we may not be able to provide the services you have requested in whole or in part.
Security, Retention Policy
SMX regards the security of your personal information as paramount and takes reasonable and appropriate steps to protect the security of personal information that it holds, in accordance with applicable privacy law. SMX also takes reasonable and appropriate steps to protect such information from misuse, loss and unauthorised access, modification or unlawful disclosure.
We will keep personal information, including personal information stored on log files, for as long as we maintain our relationship with you or as otherwise required for our business operations or any applicable laws, including to enforce our rights, for fraud prevention, to identify, issue or resolve legal claims and/or for proper record keeping purposes, including to record any stated objection you have to receiving direct marketing for the purpose of ensuring that we continue to respect your wishes and do not contact you further. When personal information SMX collects is no longer required, it will take reasonable steps to destroy it.
We store log files, which can contain your personal information, for at least ten years to satisfy the purposes set out in the preceding paragraph.
Although SMX endeavours to provide a secure environment, and restricts SMX personnel access to personal information, the Internet by nature is not a secure environment. Information transmitted to SMX over the Internet cannot be guaranteed to be completely secure or error free, and as such SMX is not responsible for them. If you send an e-mail to SMX over the Internet, you are accepting the associated risks.
In the event of a security breach leading to accidental loss, disclosure or access to your personal information, we will comply with all our obligations under the applicable privacy laws including reporting to the competent authorities or notifying you of such breach where required by law to do so.
You agree that subject to any applicable privacy laws, any personal information you give to SMX will be accurate, correct and up to date, and that when acting on behalf of a business or other person, you are authorised to give such information to us. You must inform us if any of your personal information changes, to ensure that the details we hold about you are up to date and correct.
You have a right to request to access and/or correct your personal information and where provided by applicable law, to receive a copy of it or have it transferred to another party.
We may need to verify your identity to respond to your request. We will respond to any request within a reasonable period permitted under applicable privacy laws and will generally give access and/or make a correction (as applicable) unless an exemption applies to certain information. If we can't give you access or make a correction, we will tell you why in writing and how you can make a complaint about our decision. If we can't make a correction, you have a right to provide us with a statement of the correction you sought and may request that we attach that statement to your personal information.
Additional information on safeguards and rights of individuals residing in the European Economic Area (EEA)
This section provides additional information pertinent to individuals who are in the EEA, which includes all EU countries plus Iceland, Liechtenstein and Norway. If you are in the EEA, please make sure that you consult not only this section but also the rest of this policy as it is equally relevant to you, unless otherwise foreseen in the policy.
The collection and processing of your personal information will be subject to the General Data Protection Regulation (2016/679) (GDPR) from 25 May 2018. For the purpose of GDPR, SMX will be a data controller and this policy includes information that must be provided to you under the GDPR.
- where the country has been deemed adequate by the European Commission. For example, if the transfer of personal information was to New Zealand, or
- where transfer occurs to a country that has not been deemed adequate by the European Commission we will ensure protection is provided by way of a valid Privacy Shield certification (in the case of a data transfer to a Privacy Shield certified US recipient, click here); or
- where the country has not been deemed adequate by the European Commission and where a valid Privacy Shield certification is not in place, by adopting appropriate European Commission approved standard contractual clauses, click here. For example, if the transfer of personal information was to Australia, we would ensure European Commission approved standard contractual clauses were in place with the Australian processor.
- For transfers to New Zealand, Belgium, France and Germany, we rely on adequacy decisions by the European Commission.
- For transfers to Australia we rely on standard data protection clauses with controllers and / or processors located in those jurisdictions.
- For transfers to the US, we rely on the EU-US Privacy Shield Framework. Please consult the relevant statement and click here.
If you wish to know whether or not the country to which the overseas disclosure is intended to be made has been deemed adequate by the European Commission, please click here.
Please note that overseas organisations may be required to disclose information we share with them under an applicable foreign law.
Please contact us should you wish to receive information or a copy of the appropriate or suitable safeguards mentioned above for the transfer of your personal data outside the EEA.
If you are in the EEA you have, under the conditions laid down in the GDPR, the right to:
- request information about the processing or your personal data ("right to be informed");
- request access to your personal data ("right of access");
- request that we rectify inaccurate personal data concerning you ("right to rectification");
- request that we erase personal information concerning you ("right to erasure" or "right to be forgotten");
- request that processing of your personal information is restricted, i.e. temporarily frozen ("right to restriction");
- object to the processing of your personal information ("right to object");
- receive a copy of your personal data in a machine-readable format and have it transmitted to another controller ("right to data portability");
- where relevant, withdraw your consent;
- where relevant, obtain human intervention in parallel to automated processing; and
- revert to the competent supervisory authority to lodge a complaint ("right to lodge a complaint"), and seek for judicial remedy.
We may need to verify your identity to respond to your request. If we refuse any request you make in relation to these rights, we will write to you to explain why and how you can make a complaint about our decision.
Please note that if you withdraw your consent where it has been provided as a condition of our processing your information this will not affect the lawfulness of processing based on consent before its withdrawal. Also, in such a case it is possible that SMX may be entitled to continue processing if there are other legal grounds accordingly.
You may submit the requests listed above and exercise your rights or make a complaint by contacting us in any suitable way, such as by phone or post, using the contact details referred to in section "Contact us". However, we strongly encourage you to do soby email in order to enable us to deal with your request swiftly.
SMX Limited and SMX Australia Pty Ltd, which each process the personal data of individuals in the European Union, in either the role of 'data controller' or 'data processor', has appointed DPR Group as its Data Protection Representative for the purposes of GDPR.
DPR Group has locations in each of the 28 EU countries, so that SMX Limited and SMX Australia Pty Ltd's customers can always raise the questions they want with them. If you want to raise a question to SMX Limited and SMX Australia Pty Ltd, or otherwise exercise your rights in respect of your personal data under GDPR, you may do so by:
- sending an email to DPR Group quoting "SMX Limited" or "SMX Australia Pty Ltd" in the subject line,
- contacting DPR on their online webform, or
- mailing your inquiry to DPR Group at the most convenient addresses, click here.
Colin Print - SMX Privacy Officer PO Box 5447, Wellesley St, Auckland 1141, New Zealand +64 (0)800 769 769
Controller's Representative for EU/EEA
DATA PROTECTION REPRESENTATIVE LIMITED (TRADING AS 'DPR GROUP')
Office 29, Clifton House, Fitzwilliam Street Lower, Dublin, Ireland
If you are in Australia and would like more information about your rights and our obligations under the Privacy Act 1998 (Cth), or if you'd like to make a privacy complaint, you can contact the:
Office of the Australian Information Commissioner GPO Box 5218, Sydney NSW 2001 Ph: 1300 363 992
If you are in New Zealand and would like more information about your rights and our obligations under the New Zealand Privacy Act 2020 or if you'd like to make a privacy complaint, you can contact the:
Office of the Privacy Commissioner PO Box 10 094, The Terrace, Wellington 6143 Ph: 0800 803 909
If you are in the EEA and would like more information about your rights and our obligations under the GDPR or if you'd like to make a privacy complaint, you can contact the supervisory authority of the EU member state concerned. Please consult the website of the European Commission for contact information of data protection authorities across the EU.
Last Updated: 18 June 2021.