Orro Australian Privacy & GDPR Policy

  1. About this Policy

This policy outlines how Orro Group Pty Ltd ABN 22 154 268 344 (‘Orro Group’) collects, uses, and discloses your personal information.

Orro Group appreciates the importance of protecting your personal information. Our Privacy Policy complies with the Australian Privacy Principles set out in the Privacy Amendment (Enhancing Privacy Protection) Act 2012 and explains how your personal information will be managed when dealing with Orro Group.

We understand that your privacy is important to you, and we value your trust. That’s why we protect your information and aim to be clear and open about what we do with it.

By engaging Orro Group to provide you with any goods or services, communicating with Orro Group through email, by telephone, in writing or by using any of Orro Group’s (and its subsidiaries) services, including any of Orro Group’s websites, face-to-face conversation or meetings, products and services, you agree to the use and disclosure of your personal information in the manner described in this policy.

This Privacy Policy also explains how we process ‘personal data’ about people in the European Union (EU), as required under the General Data Protection Regulation (GDPR).

Not all information requested, collected, and processed by Orro Group is “Personal Information” as it does not identify a specific natural person. Such “Non-Personal Information” is not covered by this Privacy Policy. However, as non-personal information may be used in aggregate or be linked with existing personal information; when in this form it will be treated as personal information. As such, this Privacy Policy will list both types of information for the sake of transparency.

In some situations, users may provide us with personal information without us asking for it, or through means not intended for the collection of particular types of information. Whilst we may take reasonable steps to protect this data, the user will have bypassed our systems, processes, and control and thus the information provided will not be governed by this Privacy Policy.

In some situations, users may provide us personal information over platforms that are outside our control; for example, through social media or forums. Whilst any information collected by us is governed by this Privacy Policy, the platform by which it was communicated will be governed by its own Privacy Policy.

  1. The Purpose of Collecting Your Personal Information

Orro Group collects personal information, such as:

  • name, address, and contact details
  • credit or debit account details
  • user IDs and passwords
  • details of any goods or services provided to you
  • records of your communications with Orro Group
  • website usage information
  • information for reference – only with consent.

The primary purpose of collecting your personal information is for Orro Group’s business operation, which includes providing you with Orro Group’s goods and services, communicating with you, and improving and developing our business relationship with you. Orro Group also collects personal information for marketing purposes.

Personal information is only collected:

  • if necessary for Orro Group’s operations
  • by lawful and fair means
  • where practicable, only from the individual concerned.

Orro Group takes reasonable steps to ensure that you are aware of:

  • the likely use of the information
  • your right of access to the information
  • the identity and contact details of the organisations that we disclose personal information to (e.g. ATO, lawyers if and when required, work photos and/or information about staff members to LinkedIn and Yammer)
  • any law requiring collection of the information; and
  • the main consequences of failure to provide the information.
  1. How We May Use and Disclose Your Personal Information

Orro Group discloses personal information:

  • for the primary purpose for which it was collected or
  • where the individual would reasonably expect this or
  • where the individual has consented or
  • for direct marketing by Orro Group and giving individuals the opportunity to opt out of such direct marketing; Orro Group includes its contact details in any direct marketing.

Orro Group does not disclose your personal information for any secondary purposes unless your consent has been given or as required by law.

Orro Group will not sell or license any personal information that it collects from you.

  1. During Employment

As a business, Orro Group is required to ensure that all employees are suitable for their nominated role and comply with all legal local and federal employment regulations (such as the right to work in Australia). We are required by law to provide each employee’s Tax File Number to government agencies (such as ATO). If you are an employee of Orro Group (or its subsidiaries) or a contractor (with full-time, part-time or casual status) Orro Group may:

  • disclose personal information to the government and/or government agencies as required by law
  • keep records of your time worked and whereabouts (for payroll and security purposes and as part of Orro Group’s internal operational requirements); this can be achieved by utilising available technology
  • use CCTV and surveillance equipment as part of the security requirements of our business
  • disclose information for reference – only with consent
  • use personal and psychological assessments to establish job suitability and training requirements
  • utilise background and security checks; this may require a cross border personal information exchange with authorised agencies
  • keep all your employment records on file for legal purposes after you have ceased your engagement with Orro Group (or its subsidiaries). Any such information on file is treated as confidential with limited access. This includes (but is not limited to) records such as biometric personal records, medical records and other Personally Identifiable Information (PII) which is received, communicated and/or provided to Orro Group in a solicited manner and with your knowledge.
  1. Accurate and Up-to-date Information

Orro Group takes steps to ensure information is accurate and up to date by updating its records whenever changes to the data come to its attention. Orro Group disregards information which seems likely to be inaccurate or out-of-date by reason of the time which has elapsed since it was collected, or by reason of any other information in its possession.

  1. Security of your Personal Information

Orro Group protects personal information from misuse or loss by restricting access to the information in electronic format, and by appropriate physical and communications security. Any data that is being destroyed is disposed of in a manner that protects the privacy of information in an appropriate manner.

  1. Dealing with Unsolicited Information

Orro Group takes all reasonable steps to ensure that all unsolicited information is destroyed immediately. Any unsolicited PII or information received will be addressed and affected entities will be notified.

  1. Access to your Personal Information

Orro Group acknowledges that individuals have a general right of access to information concerning them, and to have inaccurate information corrected.

  1. Anonymity when Dealing with Orro Group

Orro Group allows individuals the option not to identify themselves when dealing with it, where practicable.

  1. Cross-border Disclosure

Your personal information may also be processed by or disclosed to employees or other third parties operating outside of Australia, who work for Orro Group in other countries, or by the representatives and employees of Orro Group’s parent company.

Orro Group will take reasonable steps, in the circumstances before your personal information is disclosed to an overseas recipient, to ensure that the overseas recipient does not breach privacy laws in relation to your personal information (‘the Required Steps’).

The Required Steps do not apply if you consent to the disclosure of your personal information to an overseas recipient. By supplying your personal information to Orro Group, you consent to the disclosure of your personal information to an overseas recipient and agree that the Required Steps do not apply.

The European Union (EU) General Data Protection Regulation (GDPR) has harmonised the data privacy laws of each individual EU country, giving more rights to individuals located in the EU and more obligations to organisations holding their personal information. Personal information must be processed in a lawful, fair and transparent manner. As such, if you are located in the EU, GDPR requires us to provide you with more information about how we collect, use, share and store your personal information as well as advising you of your rights as a ‘data subject’.

If you consent to the disclosure of your personal information to an overseas recipient, the overseas recipient will not be accountable under the Privacy Act, and you will not be able to seek redress for breaches under the Privacy Act.

  1. Collecting Sensitive Information

Orro Group does not collect sensitive information, unless it is specifically relevant and necessary for the purpose of Orro Group’s business operation. All sensitive information that is collected is used in accordance with this Privacy Policy. Orro Group does not use government identifiers (e.g. tax file numbers) to identify individuals.

  1. Erasure and Removal

You have the right to ask us to delete your personal information if there is no need for us to keep it. You must make the request in writing by contacting the Privacy and Data Protection Officer. There may be legal or other reasons why we need to keep your personal information, and if so we will tell you what these are.

  1. Automated Decision Making and Profiling

We sometimes use systems to make automated decisions (including profiling) based on personal information we have collected from you or obtained from other sources.

  1. Who Should you Contact for Further Information?

To contact our Privacy Officer (Data Protection Officer) if you have an enquiry or a complaint about the way we handle your personal information, or to seek to exercise your privacy rights in relation to the personal information we hold about you, you may contact our Privacy Officer:

Reza Nashvi (Privacy and Data Protection Officer) Orro Group

L11/423 Pennant Hills Road, Pennant Hills, NSW 2120 Phone: 1300 900 000


  1. Notifiable Data Breaches (NDB) Scheme

Orro Group has established internal procedures which ensure an effective management of NDB scheme requirements. All personal information security breaches are reported following Orro Group’s internal Incident Management & Reporting procedure. Further assessment and evaluation processes have been put in place to ensure that any Personally Identifiable Information security breach is assessed against NDB requirements and actioned in compliance with OAIC (Office of the Australian Information Commissioner) reporting requirements.

Where the content of information being held by Orro Group is not known or cannot be verified, Orro Group notify the (contractually bound) owner or custodian of the information if there is a suspected breach of information security.

  1. How this Policy Changes

This policy may change from time to time. A current version of this policy will be published on Orro Group’s Website or may be obtained free of charge upon request.