This privacy policy (Privacy Policy) explains how Atmos Holdings Pty Ltd (ABN 35 682 791 902) and its related entities (Atmos, we, us or our) handles and manages personal information we collect, hold, use and disclose about you as a supplier or representative of a supplier, where you respond to an invitation to or attend an event of ours, are a Client who is an individual, an employee or representative of a Client organisation, an individual relevant to the work we are undertaking for a Client or an employee or representative of a counterparty to any work we are performing for our Client, a witness, an individual impacted by the subject of our work for our Client or whose personal information is otherwise required in relation to our professional services being provided to our Client (collectively Individual).

The Privacy Policy applies in addition to any contract, engagement letter or other applicable policy. By instructing us, signing any contract with us, continuing to work with or instruct us and/or providing us with any sensitive information you consent to our collection, use and disclosure of any of your sensitive information in accordance with and as set out in this Privacy Policy.

If you are an Atmos Australian employee, please refer to our Employee Privacy Policy on the Atmos intranet. If you are a candidate or job applicant for a position with us in Australia, please refer to our Candidate Privacy Policy on this page. Each of these policies cover our collection, use and disclosure of your personal information as, respectively, an employee or candidate/job applicant with us.

You do not have to provide us with your personal information but if you do not provide us with the personal information we request then we will likely be unable to provide the services requested, answer your queries or otherwise provide our professional services to you, your employer or our Client.

Subject only to any applicable exceptions provided under the Privacy Act 1988 (Cth) (Privacy Act), when you provide us with personal information about any individual other than yourself you warrant and represent to us that you have obtained their approval to provide their personal information to us and you have provided them with a copy of this Privacy Policy or otherwise referred them to this Privacy Policy and informed them that this Privacy Policy is the basis on which we will collect, use and disclose their personal information.

Definitions

“Client” means any person, individual or organisation which engages with and is onboarded by us to receive any of our services or products.

“Personal information”, “sensitive information” and “health information” are as defined in the Privacy Act 1988 (Cth) (Privacy Act).

What personal and sensitive information do we collect

Where you are an Individual, depending on the exact nature of our relationship with you, we will collect your personal information, including:

• your name, job title and contact details;
• documents supporting onboarding as a Client;
• contents of communications between you and us;
• financial information;
• information about areas of legal interest;
• your professional or trade union memberships;
• information about your dealings with us or our Clients;
• information relevant to our professional services performed for you or our Client;
• personal information contained in any information provided to us by our Client in relation to any incident or recovered by us, our Client or service provider;
• agreements, contracts and/or other records relating to terms and conditions of the engagement;
• personal information that we collect from you or your employer/our Client in the course of our performance of professional services,

and other information permitted or required by law in order to perform our professional services.

We may also collect your sensitive information including information about your:

• identify and ID documents;
• racial or ethnic origin;
• gender identity or expression;
• religious beliefs or affiliations;
• membership of associations or professional bodies;
• health information (including information about any illnesses, injury, disability);
• medical certificates and/or health related information provided by you, your medical practitioner, employer or our Client;
• criminal record,

and other sensitive information permitted or required by law in order to perform our professional services.

How do we collect your personal information?

As an Individual, we collect your personal information directly from you and will also receive some of your personal information from your employer, our Clients, service providers or other third parties. We collect personal information about you from third parties such as insurers, medical/occupational experts, witnesses, investigations and our service providers.

We will collect the types of personal and sensitive information about you noted above primarily in the following circumstances, where:

• you, your employer or our Client engage our professional services;
• you as an individual Client or on behalf of your employer purchase or subscribed to our products offered by us via our website;
• you or your employer subscribe to or opt‑in as an individual or on behalf of your employer to our website or to receive any newsletters, updates or other correspondence/publications from us;
• register for and/or attend a seminar, webinar or other hosted event (whether virtual or in person);
• you correspond with us;
• you have other business dealings with us (whether as a representative of one of our suppliers or a regulator with which we deal) or in the context of a transaction or the professional services provided to our Client;
• your personal information is collected in the course of conducting our professional services for a Client, including regulatory investigations, litigation or other dispute resolution proceedings, due diligence, incident investigation and assessment or where you are related to the matter we are assisting our Client with in some capacity;
• you or your employer are a counterparty or provide a service to a counterparty of our Client; and
• otherwise provide your personal information to us, such as where you provide your business card to or correspond with us.

Purposes for which we collect your personal information

We collect, hold, use and disclose your personal information for purposes connected to the provision of our professional services to our Client, your engagement or relationship with them or us and to manage our relationship with our Client, you and our business affairs. These purposes include:

• complying with our professional, legal and regulatory obligations;
• monitoring and enforcing compliance with our policies and procedures and to prevent and detect fraud, money laundering, terrorism financing or other criminal activity;
• assessing and responding to enquiries, claims, complaints and/or whistleblower reports and conducting or cooperating with investigations of such;
• facilitating the onboarding and exit of Clients and suppliers;
• undertaking internal and external onboarding checks including conflict checks and AML and CTF checks;
• performing and providing our professional services and products and management of our Client’s legal matters and doing business with our suppliers;
• liaising with insurers in relation to relevant policies and claims;
• advising on and assisting our Clients with the fulfilment of legal and regulatory obligations;
• sending legal or other updates and to market our products and services to you or your employer;
• performing our contract with you, your employer or our Client;
• contracting out some functions or activities to, communications with and/or engaging on behalf of our Clients with external service providers and suppliers such as barristers, forensic accountants, investigators, valuers, IT service providers, campaign managers, data analytics providers, market research professionals and public relations and communication providers (Contracted Service Providers);
• carrying out research, planning, service development and security and risk management;
• conducting investigations, searches and enquiries regarding incidents and the information provided to us or more generally to collect additional personal information about you or your associates in order to perform our professional services and/or for regulatory or prudential purposes;
• outsourcing of any of our administrative, financial and/or support functions;
• organisational development, communication and corporate governance;
• to otherwise carry out our business as professional service providers,

and as otherwise permitted or required by law.

We collect, use and disclose sensitive information noted above for the purposes noted above and for managing our obligations to our Clients.

Security of your personal information

We take reasonable steps to protect your personal information that we hold. Unfortunately, no transmission of data over the internet can be guaranteed to be 100% secure.

Disclosure of personal information to third-party service providers

In addition to Contracted Service Providers, we engage third‑party service providers including systems and technology providers and other service providers (collectively the Contracted Service Providers all referred to as Third-Party Service Providers). We may disclose your personal information to any of the Third‑Party Service Providers and/or to our related entities in order to perform our professional services and for the purposes specified in this Privacy Policy. However, we will only disclose your personal information to the Third-Party Service Providers and our related entities necessary to provide our professional services, conduct our business and for the purposes detailed in the Privacy Policy, including to the following types of Third-Party Service Providers for the following purposes:

• systems and technology service providers – providing technology systems and services to us to assist us to provide our professional services to our Clients, meet our regulatory and professional obligations, manage our business, store and process data and fulfil the purposes set out in this Privacy Policy;
• government agencies, bodies and regulators – where we are permitted or required by law to make such disclosures, reports or to update them;
• service providers – providing anti-money laundering, identity and other checks, facilitating payment processing and financial reporting,

and otherwise as permitted or required by law.

Disclosure of personal information overseas

Some of our Third-Party Service Providers are located outside of Australia. When we use them to assist us to perform our professional services or the purposes set out above then your personal information may be disclosed to these Third-Party Service Providers in New Zealand, India and/or The Philippines.

Accessing your personal information

Subject to some exceptions, you have a right to request access to the personal information we hold about you. In order to exercise this right, we will require you to verify your identity before providing you access to your personal information.

To make an access request, please contact us using the details in the Contact Us section below. We will respond to your request, or provide you with a progress update, within 30 days of receiving it. If we will not or cannot fulfil your request for any reason we will write back to you and explain why and how you may complain about our decision.

We may refuse your request to access your personal information in certain circumstances, such as if granting access would be unlawful, would pose a serious threat to the health and safety of any individual or if there is reason to suspect unlawful activity or misconduct.

Updating and/or correcting your personal information

We take reasonable steps to ensure the accuracy of your personal information before we use it. To help us do this, we request that you keep your personal information updated and immediately tell us if your personal information changes by contacting us using the details in the Contact Us section below.

You may request that your personal information be updated or corrected at any time by contacting us using the details in the Contact Us section below. In order to exercise this right, we will require you to verify your identity before we correct or update your personal information. We will respond to your request or provide you with a progress update within 30 days of receiving it. If we will not or cannot fulfil your request for any reason, we will write back to you and explain why and how you may complain about our decision.

Complaints

If you wish to make a complaint about an alleged breach of this Privacy Policy or the Privacy Act you can contact us using the details in the Contact Us section below.

Please provide us with sufficient detail regarding your complaint and any supporting evidence. Once we get sufficient detail of and supporting evidence of your complaint we will investigate your complaint, usually within 30 days, and determine the steps to be taken to resolve it. We will notify you in writing as to the outcome of the investigation.

If you are not happy with the outcome of our investigation you may complain to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au/privacy/privacy-complaints.

Contact Us

Any general queries about this Privacy Policy, correction and access requests and privacy complaints should be addressed to:

Alec Christie, Chief Privacy Officer, info@atmosgroup.com.au

Changes to this Privacy Policy

This Privacy Policy may change from time to time and will be highlighted on our website. Significant changes to this Privacy Policy will be notified to you via email. Your continued instructions to us or engagement with us or provision to us of any further personal information after the changes to the Privacy Policy will be deemed to be (a) your acceptance of those changes and (b) where such includes sensitive information, your consent to the relevant specified collection, use and/or disclosure of that sensitive information.

This Privacy Policy was last updated on 19 February 2025.