Privacy Policy
This policy details how we collect, use and disclose “personal information”, being information or an opinion (whether true or not, and recorded in a material form or not) about an identified, or reasonably identifiable, individual.
1. What Personal Information do we collect and hold?
Bonomelli Legal is an Australian corporate and commercial law firm. The types of personal information that we collect from you will depend on the nature of your dealings with us. Please note that, while we seek to minimise the personal information we collect, if you do not provide us with the personal information we request, we may not be able to provide you with the advice or other assistance you seek.
We may collect personal information from you in the following circumstances:
you, or the company that you work for, engage our services (legal or otherwise);
you correspond with us;
you have business dealings with us (whether as one of our suppliers, or as a regulator we deal with, or in the context of a transaction);
during the conduct of a matter for a client, including regulatory investigations or due diligence, where you are related to the matter in some capacity;
you, or the company that you work for, is a counterparty, or provides services to a counterparty, of our client;
you, or the company that you work for, engage us to provide services including when you supply Know Your Customer (KYC) information in response to our direct request;
you otherwise provide your personal information to us, such as where you supply your business card to us; or
where we are required by law to do so.
The personal information we collect may include your name, title, address, e-mail address and telephone/mobile numbers. However, we endeavour not to collect personal information that we do not need.
Where personal information is collected for AML/CTF purposes, we do not retain copies of full identity documents (such as passports or driver licences). Instead, we retain only the specific information required by law, such as relevant identification details, the type of document relied upon, verification outcomes and AML/CTF risk assessments.
Generally, we endeavour to collect personal information directly from the individual concerned. However, if this is not practicable, we may collect personal information about individuals from third parties, including from publicly available sources. If we do, we will take reasonable steps to ensure that the individuals concerned are made aware of the collection of their information.
If you are one of Bonomelli Legal’s ‘business contacts’ (e.g. a person working for one of our clients or suppliers, or in a government agency or other company with which we deal, when you correspond with us, or a contact person in one of our suppliers, or in a government agency or company with which we deal), we may collect basic business contact information from you (e.g. your name, title and work contact details) automatically using the details in your email signature.
In respect of the AML/CTF Act, we may collect sensitive information, including your biometric information to perform identity verification. We will seek your consent and provide notice through our verification provider before the biometric verification process is undertaken, unless a specific legal exception applies. In addition to the circumstances described above, we may collect sensitive information without consent where this is required or authorised under the AML/CTF Act. This may include information relevant to determining whether an individual is a politically exposed person or subject to sanctions.
Personal information collected for AML/CTF compliance
Bonomelli Legal is a “reporting entity” under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act). We are required by law under the AML/CTF Act to collect and verify certain personal information and may be prohibited from providing services if we cannot do so.
Where required to comply with the AML/CTF Act and associated rules (AML/CTF Rules), we may collect, hold, use and disclose personal information for purposes including customer due diligence, ongoing customer monitoring, risk assessment, reporting to regulators and record keeping. In particular, we may collect KYC Information as required by the AML/CTF Act, including:
the identity of our client and contact details;
any information to support the verification of a person’s identity (government-issued identity document details, images of identity documents, facial images, liveness information, biometric information and verification metadata);
the identity of any person on whose behalf our client is receiving the service;
the identity of any person acting on behalf of the client including their authority to act;
if the client is not an individual, the identity of any beneficial owners;
whether the client, beneficial owner, or any person acting on their behalf is a politically exposed person or a person designated for targeted financial sanctions;
information regarding source of wealth and source of funds;
the nature and purpose of the business relationship or transaction; and
information regarding any other matter specified in the AML/CTF Rules.
Personal information (including sensitive information) for AML/CTF purposes is collected only where reasonably necessary to comply with our legal obligations and only in connection with matters where a designated service is, or is reasonably likely to be, provided. Not all legal engagements require the collection of personal information for AML/CTF purposes.
Where we use electronic or biometric identity verification, we may also use third-party verification providers to verify identity information, assess whether a person matches an identity document, conduct liveness or fraud checks, and provide verification outcomes.
Where required by law, or where reasonably necessary, having regard to ongoing risks related to AML/CTF purposes, the verification method used, auditability, fraud risk, disputes, regulatory enquiries, enhanced due diligence, suspicious matter assessment or ongoing customer due diligence, we may retain limited copies or images of identity documents, facial images or related verification artefacts to ensure compliance with the AML/CTF Act or other obligations pursuant to the AML/CTF Act and related Rules.
2. How do we use Personal Information?
Our policy is only to use personal information collected from business contacts for the business purpose for which it was collected, or as otherwise provided for in this policy.
We use your personal information:
to provide you or a client with our services, including the provision of legal advice and management of our client’s legal matters;
in connection with the fulfilment of a legal or regulatory obligation;
to comply with obligations under the AML/CTF Act and AML/CTF Rules, including customer due diligence, monitoring, reporting and record keeping, and to disclose information to regulators such as AUSTRAC where required or authorised by law;
where we have a legitimate interest that is not overridden by your rights under the law;
for any reason for which you (or your organisation) have provided consent;
for the performance of a contract with you or your company;
to respond to any enquiries or complaints; and
to conduct our business.
3. Will your Personal Information be given to anyone else?
We do not sell or trade personal information about you to or with third parties. Personal information may be disclosed to others by us in the circumstances described below:
Disclosures to external service providers
We may disclose personal information to external service providers who provide services to you or us, including those who help us operate our business. Examples of our external service providers include: third party data storage providers and IT and other software and systems providers. If we engage external service providers, we take steps to ensure that those external service providers: comply with the APPs when they handle personal information about you; and are authorised only to use personal information that we provide to them for the purposes specified in our agreement with them.
We may also disclose personal information to external service providers to organise or facilitate the efficient and effective administration, management or delivery of our services. This may include service providers that support our due diligence processes associated with complying with our AML/CTF obligations.
Disclosures overseas
Where we engage external service providers, we ensure that, wherever possible, our data is stored within Australia. Some of our vendors do, however, store data in overseas locations. In applicable situations, we take reasonable steps to ensure that any overseas recipient does not breach the APPs in relation to that information. Such overseas disclosures are only made in connection with the primary purpose for which the personal information has been collected.
In respect of identity verification conducted through our verification provider for AML/CTF purposes, verification data is hosted in Australia unless otherwise notified.
Disclosures required or authorised by law
We may use or disclose personal information where required or authorised by law, including under the Privacy Act, the AML/CTF Act or AML/CTF Rules. This may include disclosures to AUSTRAC and other regulators where legally required or authorised. Certain disclosures and restrictions on disclosure may apply under AML/CTF secrecy and tipping off provisions. In these circumstances, we are prohibited from notifying you of disclosures to AUSTRAC and may be prohibited from notifying you of disclosures to other government agencies or authorities.
We are also bound by professional obligations of confidentiality, including in relation to personal information.
Security of Personal Information
We take reasonable steps to ensure the security of your personal information. Our IT systems are secured against external threats by various means and are password protected.
Personal information collected for AML/CTF purposes, including KYC information, is retained only for the period required by law. Once no longer required for AML/CTF or other permitted purposes, personal information is securely destroyed or de-identified in accordance with applicable legal requirements.
4. Your rights
Under the Privacy Act, you have the right to:
seek access to your personal information handled by us;
ask us to update or correct your personal information when it is inaccurate, incomplete or out of date; and
opt out of receiving direct marketing communications from us (we do not currently send any direct marketing communications to our clients).
If you wish to access the personal information that we hold about you, please set out your request in writing, and forward this to our Privacy Officer, using the contact details set out at the end of this policy.
To provide you with access to your personal information held by us on our current records, we can provide you with a copy of the relevant personal information (ordinarily, an electronic print-out or a photocopy). We will not charge you for the cost of providing this type of access to these current records.
Access to, and correction of, personal information may be limited or refused where required or authorised by law, including where providing access or information would breach obligations under the AML/CTF Act, such as secrecy or tipping off provisions. In such circumstances, we may be unable to provide reasons for refusal.
For legal and administrative reasons, we may also archive non-current records containing personal information, such as backup data files. Please note that if we do provide access to old records, we may charge you for the cost of providing such access.
Additional information about how we handle personal information for AML/CTF compliance is set out in this Privacy Policy under the sections dealing with regulatory obligations.
If you are of the view that personal information about you is inaccurate or out of date, or if you have any other queries about access and correction, please contact our Privacy Officer using the contact details set out in Section 6 below.
5. Making a complaint
If you wish to make a complaint about how we handle your personal information, please contact us setting out your complaint in writing, and forward it to our Privacy Officer, using the contact details in Section 6 of this policy.
We will deal with all requests for access to personal information or complaints as quickly as possible and will get back to you within a reasonable timeframe.
If you are not satisfied with our response to your complaint, you can make a formal complaint to the Office of the Australian Information Commissioner through their website at https://www.oaic.gov.au/, by emailing enquiries@oaic.gov.au or by calling 1300 363 992.
6. Additional information and how to contact us
This Privacy Policy may change from time to time. The Privacy Policy will be made available to anyone who requests it, whether in person or by use of our website.
If you have any questions or comments about the Privacy Policy, please set out your request in writing, and forward this to our Privacy Officer, using the contact details below.
Email: mindy@bonomelli-legal.com.au
Post: Bonomelli Legal, PO Box 379, Subiaco WA 6904
Telephone: + 61 422 421 223
This Privacy Policy was adopted on 25 June 2026
