Wotton Kearney – Global Privacy Policy

Last Updated: 26 May 2026

1. Our commitment to your privacy

Wotton Kearney (WK) is committed to protecting personal information and complying with applicable privacy and data protection laws in all jurisdictions in which we operate.

This Privacy Policy (Policy):

  • explains WK’s policies and practices for the collection, use, processing, storage, transfer and disclosure of personal information, and how privacy rights may be exercised; and
  • supports compliance with applicable privacy laws including, the Australian Privacy Act 1988 (Cth) (Privacy Act), Singapore Personal Data Protection Act 2012 (Singapore PDPA), the Thailand Personal Data Protection Act B.E. 2562 (2019) (Thailand PDPA) and the New Zealand Privacy Act 2020 (NZ Act), (collectively, Privacy Laws).

WK’s privacy compliance program supports this and guides how we handle personal information lawfully, transparently and appropriately.

2. Global application and WK Group coverage and responsibility

This Policy applies to all Wotton Kearney entities globally:

  • Wotton Kearney Pty Ltd (Australia)
  • Wotton Kearney Advisory Pty Limited (Australia)
  • Wotton Kearney Pte Ltd (Singapore)
  • Wotton Kearney Co. Ltd (Thailand)
  • Wotton + Kearney Limited (New Zealand)

(together, the above entities, affiliates and licensees are referred to as the WK Group and each a WK Group Entity). References to “WK”, “we”, “us” or “our” in this Policy mean the relevant WK entity unless the context indicates otherwise.

Each WK entity is responsible for complying with the privacy and data protection laws that apply in the country where it operates. Where local law imposes additional or different requirements, those requirements apply in addition to this Policy.

This Policy provides a consistent global framework for how WK handles personal information, while recognising jurisdiction specific obligations.

Depending on the circumstances, each WK Group Entity may act as a controller or as a processor. Controller and processor roles are determined by the nature of the processing activity and are set out in more detail in our Binding Corporate Rules for Cross-Border Transfer.

3. What this Policy covers

In this Policy, “you” refers to:

  • individuals who provide personal information to WK directly; and
  • organisations or other entities that provide us with personal information relating to individuals (for example, in connection with a matter, engagement or service).

This Policy applies to personal information WK collects through its sites and services, including where you:

  • engage us for legal or advisory services;
  • subscribe to mailing lists or register for or attend events;
  • contact or use our cyber hotline or other telephone or email services;
  • apply for employment or other roles with WK; or
  • use our websites, including subdomains of www.wottonkearney.com.au and www.wottonkearney.com.

This Policy does not apply to the privacy practices of any third party websites we link to.

Before using WK’s sites or services, you may be asked to confirm your authorisation or consent to the collection and processing of personal information as described in this Policy. The collection, use, storage, transfer and disclosure of your personal information will be limited to the scope of that authorisation or as otherwise permitted or required by law.

For the purposes of this Policy the following terms have the meanings set out below. Where a term differs from the terminology used in particular Privacy Laws, it shall be read as encompassing the corresponding statutory term and carrying the meaning given to it under that law:

  1. personal information” means any information or data relating to an identified or identifiable natural person, and encompasses “personal information” as defined in the Privacy Act and the NZ Act and “personal data” as defined in the Singapore PDPA, and the Thailand PDPA;
  2. individual” means the natural person that personal information relates to and encompasses an “individual” as referred to in the Privacy Act, the NZ Act and the Singapore PDPA and a “data subject” defined in the Thailand PDPA;
  3. controller” means the entity that determines the purposes and means of processing personal information and encompasses an “APP entity” (being an organisation or agency) as referred to in the Privacy Act, an “agency” as referred to in the NZ Act, an “organisation” as referred to in the Singapore PDPA, and a “controller” or “data controller” as defined in the Thailand PDPA;
  4. processor” means the entity processing personal information on behalf of a controller and encompasses “data intermediary” as defined in the Singapore PDPA and a “processor” or “data processor” as defined in the Thailand PDPA. For the purposes of the Privacy Act and the NZ Act, where an APP entity or agency (as applicable) engages a third party to handle personal Information on its behalf, that third party shall be treated as a processor; and
  5. processing” means any operation or set of operations performed on personal information, and encompasses “processing” as defined in the Thailand PDPA and, in relation to the Privacy Act, the NZ Act and the Singapore PDPA, the collection, use, disclosure, and holding of personal information or personal data (as applicable).

4. What personal information we collect and why

The types of personal information we collect, and the reasons we collect it, depend on how you interact with WK and may include:

  • contact and professional details
  • identification and verification information
  • billing and payment information
  • information relating to meetings, events and premises access
  • recruitment‑related information
  • technical and usage data from our websites and systems
  • information relating to legal matters, claims or incidents where WK is engaged

We collect and use personal information only where it is reasonably necessary for our functions and activities.

How we collect personal information

We collect personal information when you:

  • instruct, engage or communicate with us for legal or advisory services;
  • subscribe to mailing lists or attend events;
  • participate in surveys;
  • interact with our cyber hotline or other incident response services including telephone and email services;
  • interact with our websites or systems; or
  • provide information during service or procurement interactions.

Our web server automatically recognises your domain name but not your email address.

How we use personal information

We use personal information to:

  • provide legal and advisory services and respond to enquiries;
  • manage client and business relationships;
  • register you for events and send updates or articles;
  • provide information about WK services and events;
  • manage surveys and client feedback;
  • operate and improve our processes, websites and systems in the course of business;
  • assess candidates and manage recruitment processes; and
  • comply with applicable laws and regulations.

We may store and process personal information across WK Group entities to support service delivery. We do not sell or share your personal information for targeted advertising. We disclose personal information only as described in this policy.

Table 3 – Examples of the types of personal information we collect and why

Category Examples Purposes
Contact and professional information Name, title, position, organisation, business address, email, phone number, relationship details Communicate with you about services, insights and events, provide legal and advisory services, identify conflicts, and manage client and business relationships
Identification and verification information Photo ID, directorships and interests, beneficial ownership, PEP status, screening results, information from public sources Verify identity, conduct conflict checks, meet AML/CTF requirements, professional legal and regulatory requirements, and prevent fraud
Billing and payment information Billing details, payment method information (where applicable) Process payments securely and reconcile invoices, comply with legal and regulatory obligations
Claims and matter information Claims details, medical records, financial data, court documents, legal analysis outcomes Provide legal and advisory services, comply with legal and regulatory obligations
Information relating to meetings, events and premises access Contact and attendance information, visitor pass data, optional dietary or accessibility requirements Manage security and safety, organise events, and provide reasonable adjustments, and operate, secure and improve our systems and processes
Technical and usage data from our websites and systems Device and technical data, browser type, pages visited, session duration, cookie identifiers Operate our websites, conduct analytics, and improve performance, and operate, secure and improve our systems and processes
Marketing and subscriptions Name, business email, job title, organisation, business address Send alerts, newsletters, publications and event invitations, and manage subscription preferences
Recruitment-related information Applications, qualifications, employment history, right‑to‑work documentation, references Assess and manage applications and communicate about employment opportunities, comply with legal and regulatory obligations, Manage recruitment and employment matters
Indirect collection Individuals named in documents, insureds and claimants, individuals involved in cyber incidents, system users captured in logs Deliver legal services while maintaining confidentiality and legal professional privilege, comply with legal and regulatory obligations and operate, secure and improve our systems and processes
AI/WK Legal Assist Training Name, job title, employer Operate, secure and improve our systems and processes

Additional details that we may collect and why

  • Identification and verification

We may collect information from public registers or carefully selected background screening providers, and from information that you have voluntarily made public, for example LinkedIn. This supports AML and CTF checks (where applicable), conflict checks and legal onboarding.

  • Sensitive information for events

Dietary or accessibility information can reveal health or, in some cases, religious details. It is optional. Provide it only if you wish us to make reasonable adjustments. If you have a food allergy and choose not to disclose it, we cannot be responsible for any harm caused.

  • Health information

In the course of providing legal and advisory services, WK may collect and process health information, including medical records and reports, information relating to disabilities and injuries, immunisation information, psychological reports, and health-related information disclosed in the context of legal services, employment processes or counselling services. Health information is treated as sensitive information and is subject to additional protections under applicable privacy laws.

  • Cyber hotline and telephony–specific data

Where you contact WK through our cyber hotline or other telephony services, we may collect specific categories of information including caller contact details, employer and role information, incident and technical details, call recordings and transcripts, and information relevant to cyber incidents or legal advice and insurance notifications. Further detail on the cyber hotline is provided in Section 12 of this Policy.

  • Recruitment

We may receive information through recruitment agencies or from you directly via our Careers section.

  • Indirect collection for legal work

In some transactions, disputes, incident response, insurance matters or cyber incidents we may handle personal information about individuals who are not our direct contacts, for example employees of counterparties, insured persons, claimants, or individuals appearing in forensic logs during cyber matters. In these cases, providing a direct privacy notice may not be appropriate due to confidentiality or privilege. We handle such information in accordance with privacy laws and professional obligations.

5. Purpose limitation

We collect, use and disclose personal information only for the purposes described in this Policy unless the handling is:

  • directly related to the original purpose of collection;
  • necessary to negotiate or perform a contract;
  • required or authorised by law or by governmental or judicial authorities;
  • necessary to establish or preserve or defend legal claims; or
  • required to prevent fraud or illegal activity.

6. Legal basis for handling personal information

In some jurisdictions where WK operates or provides services, we are required to explain the legal basis that permits us to collect, use and disclose personal information. Depending on the circumstances and local law, this may include:

  • Legitimate interests: where handling is necessary for WK’s legitimate interests and those interests are not outweighed by your right. Examples include:
    • providing legal services
    • managing client relationships
    • improving our services and business operations
    • supporting the work of our overseas offices
    • operating and securing our technology systems
  • Performance of a contract: where handling is necessary to enter into or perform a contract with you or your organisation. Examples include:
    • instructions we receive from clients
    • documents and evidence provided to us
    • communications from staff, customers or third parties relevant to a matter

Without this information, we may be unable to provide services or proceed with the engagement.

  • Legal obligations: where handling is required to comply with legal obligations that apply to our business. These obligations can include:
    • anti money laundering and counter terrorism financing requirements
    • identity verification checks
    • conflict checks
    • professional, regulatory and reporting obligations
    • responding to lawful information requests

Some of the information collected for these purposes may include sensitive information, depending on the legal requirements applicable in the relevant jurisdiction.

  • Consent (only where necessary): where no other lawful basis is available or where consent is mandatory, we may rely on your express consent to collect or use personal information. This may include information considered sensitive in some jurisdictions, such as:
    • dietary requirements (health or religious) for events
    • accessibility requirements
    • any other sensitive information you choose to provide

You may withdraw your consent at any time. This will not affect the lawfulness of our handling of your information before consent was withdrawn, but doing so may limit our ability to provide services or continue our engagement with you.

7. Disclosing personal information

We may disclose personal information to:

  • WK Group Entities;
  • third party service providers (for example data storage, IT and software, AI systems, hotline services, marketing, research, consultants) supporting our operations;
  • counsel, experts and technical advisers;
  • insurers and professional indemnity providers;
  • authorities including regulators, government or government-linked bodies; and
  • business transferees in the event of a merger and/or acquisition.

8. Cross-border disclosure of personal information

As WK operates internationally, it may be necessary to disclose personal information to our overseas offices or to third‑party service providers located outside the country in which it was originally collected (the Originating Country), including Australia, Singapore and Thailand, subject to client contractual restrictions regarding data sovereignty. This may occur where:

  • your matter involves legal work that requires input from WK staff in overseas offices;
  • your instructions require input from lawyers, counsel or experts based in another jurisdiction;
  • WK uses centralised systems or service providers located overseas for operational efficiency (for example, data hosting, IT services, or transcription support); or
  • insurers, advisers or external consultants involved in your matter are based overseas.

WK manages international transfers of personal information through group-wide governance measures and legal safeguards, including binding internal rules governing how personal information is handled across the WK Group. For more information, please see our Binding Corporate Rules for Cross-Border Transfer (BCRs).

Where we transfer your personal information outside of the Originating Country, we will take appropriate steps to ensure that the recipient of the personal information is bound by legally enforceable obligations to provide a standard of protection that is at least comparable to that required under the applicable Privacy Laws of the Originating Country.

By providing us with your personal information and/or continuing to use our services, you acknowledge and consent to the transfer, storage, and processing of your personal information in the relevant jurisdiction(s) outside the country in which it was originally collected in accordance with this Policy and our BCRs.

9. Your rights

Depending on your location, and subject to certain exceptions, you may have a range of rights in relation to your personal information. These may include the ability to:

  • request a copy of your personal information in a commonly used electronic format, if local laws provide a right to portability (subject to confidentiality, legal privilege or other lawful restrictions)
  • request correction of personal information that is inaccurate, incomplete or out of date
  • request deletion of personal information where there is no lawful reason for WK to retain it
  • withdraw consent, where consent is the basis for our handling of your personal information (withdrawing consent does not affect previous handling based on consent and may affect our ability to provide services)
  • ask us to temporarily limit our handling of your personal information in certain circumstances
  • object to the use of your personal information for direct marketing, in which case WK will stop using it for that purpose
  • object to other handling of your personal information in situations where local law provides this right

How to exercise these rights

You may submit a request by:

We will respond within the timeframes required by the privacy laws that apply to you.

Additional information

  • We may need to verify your identity before actioning your request.
  • If we refuse your request (for example, due to legal privilege, third party confidentiality or statutory retention requirements), we will explain why unless it is unreasonable to do so.
  • Rights differ from country to country. Some rights listed above may not apply to you depending on local law, and WK’s obligations may be limited by our professional duties and legal obligations.

10. How your information is protected

WK has measures in place to protect personal information from unauthorised access, misuse, interference, loss, or accidental disclosure. These measures include security controls, system monitoring and intrusion detection tools designed to alert us to potential or actual threats to our systems. Measures include:

  • client contractual requirements
  • access controls and authentication
  • system monitoring and intrusion detection
  • secure storage and restricted access to legal files
  • confidentiality obligations
  • secure disposal when information is no longer required and destruction is lawful

We will take reasonable steps to destroy or de‑identify personal information when no longer needed, subject to legal retention requirements.

Some countries where your information may be sent or accessed have different privacy and data protection laws to Australia. WK takes steps to ensure that your personal information remains protected when it is transferred overseas. These steps may include:

  • requiring contractual privacy and security commitments
  • imposing confidentiality obligations
  • ensuring service providers meet WK’s privacy, security and data handling standards

These measures align with WK’s broader commitment to safeguarding personal information wherever it is processed.

11. How long do we retain your information

We retain personal information according to legal and regulatory requirements. When a retention period expires or the information is no longer needed, we:

  • securely delete it in full, or
  • anonymise it so you cannot be identified

Anonymised information may be used for analysis and business planning.

12. Direct marketing and your choices

Certain parts of our website invite you to subscribe to updates, request publications, register for events and webinars, take part in surveys, or receive other information about WK and our services. When you do this, we may collect information such as:

  • your name
  • your business email address
  • your job title
  • your organisation
  • your business address

If you attend a WK event, seminar or meeting, we may also record your attendance details so we can share follow‑up materials or invite you to future events.

Our systems may recognise returning subscribers or website users and, based on the content you access or request, we aim to provide communications that are relevant to your interests. This may include information about WK’s services, insights, publications, or upcoming events.

You can opt out of marketing communications at any time by:

We action opt‑outs within applicable timeframes, in line with our obligations under relevant privacy laws.

13. Cyber hotline and other telephone services

WK operates a cyber hotline and other telephone services to support clients experiencing, or seeking advice about, potential cyber incidents or other incidents. In respect of the cyber hotline, outside Australian business hours, the hotline is supported by an AI‑assisted telephony system so that calls can be answered promptly at any time.

Information provided through the hotline and telephone services is treated as confidential and, where applicable, may be protected by legal professional privilege If you choose not to provide certain information, we may be limited in our ability to respond to or assess your enquiry.

Information we may collect

  • your name and contact details
  • your role and the organisation you work for
  • details of the incident or enquiry
  • technical information relevant to the incident
  • any additional information you choose to provide
  • call recordings or transcripts (where applicable)

We collect this information so that we can:

  • understand and assess the issue you are reporting
  • respond to your enquiry and provide legal advice
  • conduct conflict checks
  • support our professional and legal obligations
  • manage our relationship with you or your organisation

Depending on the nature of your enquiry, we may disclose hotline information to:

  • WK lawyers and legal staff
  • counsel, technical specialists and external experts assisting with your matter
  • third‑party service providers who support our hotline or legal work
  • your or your employer’s insurer, where relevant

We do not use information collected through the hotline for direct marketing without your consent.

14. Artificial Intelligence

We may use artificial intelligence (AI) technologies to support our legal services, improve our operations, and enhance your experience with us. AI may be used in a range of activities, including analysing information and data, automating routine processes, assisting with document review, and helping to analyse documents and contracts.

We assess AI tools for privacy, security, confidentiality and bias risks before they are approved for use. AI tools are used in accordance with our internal governance framework, and client or personal information is only used where permitted, lawful and subject to appropriate safeguards.

Where AI is used to process personal information, we ensure compliance with applicable privacy and data protection laws. We also apply governance measures designed to promote accuracy, fairness and security, and to ensure that human oversight remains central to our decision‑making.

We do not use AI for automated decision‑making that produces legal or similarly significant effects. Any decisions about our services or our clients remain subject to professional judgment.

15. Cookies and similar technologies

We use cookies and similar technologies when you interact with our website. These technologies collect limited information from your device to help us understand how our website is used and to improve the performance and functionality of our online services.

We use these technologies to:

  • remember your device settings and preferences
  • understand how visitors navigate and use our website
  • improve website performance, functionality and content
  • carry out aggregated reporting and analytics to help us enhance our online services

We do not use this information to create a personal profile of you, and we do not link it to information that directly identifies you.

Most browsers allow you to refuse or delete cookies. You can still use most site features if cookies are disabled, although some functions may not operate as intended. Where required, we will request your consent before placing cookies or similar technologies on your device.

16. Children

WK does not knowingly collect personal information from children unless we are required or permitted to do so by law, or where parental or guardian consent is required and has been provided. If we become aware that personal information has been collected from a child without the necessary consent, we will take steps to delete that information or handle it as required by applicable laws.

We only use or disclose a child’s personal information where the law allows it or where it is necessary to protect the safety or wellbeing of the child.

17. Links to third‑party sites

Our website may contain links to third‑party websites or services. These links are provided for convenience only. WK does not control, endorse or take responsibility for the content, privacy practices or security of those third‑party sites.

If you choose to access a third‑party site, any personal information you provide will be handled under that site’s own terms and privacy notice. We encourage you to review the privacy policies of any external sites you visit.

18. Data security breaches

WK maintains incident response and data breach management procedures.

If a data breach occurs that is likely to affect your personal information, we will notify you as soon as reasonably possible after confirming the breach and assessing its potential impact, in line with our legal obligations and our commitment to transparency.

19. Miscellaneous

Personal information obtained via third party

Where personal information relating to any individual (including, without limitation, employees, officers, representatives, agents, contractors, clients, or customers of clients) is disclosed or provided to us by a person (including but not limited to a body corporate) other than the individual to whom the personal information relates, we shall be entitled to assume, and shall not be obliged to independently verify, that:

  • all necessary consents have been obtained from the relevant individual for the collection, use, disclosure, transfer and/ or processing of his or her personal information to us for the purposes contemplated under this Privacy Policy and/or any applicable agreement;
  • the relevant individual has been provided with adequate notice of such collection, use, disclosure, transfer and/or any processing; and
  • the disclosure of such personal information to us complies with all applicable data protection and privacy laws.

The person providing such personal information represents and warrants that it has obtained and shall maintain all necessary consents and authorisations, and shall indemnify us against any claims, losses, liabilities, damages, or expenses arising from any failure to do so.

Failure to provide personal information

Where personal information is required for us to fulfil contractual obligations, comply with legal and regulatory requirements, process transactions or provide services, failure to provide such personal information (or withdrawal of consent, where applicable) may result in:

  • our inability to provide or continue providing our services;
  • delays in processing requests or transactions;
  • termination of contractual arrangements; or
  • our inability to comply with applicable legal or regulatory obligations.

20. How to make a privacy complaint

If you have a question or concern about how WK handles your personal information, you can contact us at any time. We will review your enquiry or complaint and respond within the timeframes required under applicable privacy laws.

You can contact us by:

  • Emailing the Group Privacy Officer at: privacyofficer@wottonkearney.com
  • calling
    • WK Australia at: +61 2 8273 9900
    • WK Singapore at: +65 6967 6460F
    • WK Thailand at: +66 2 460 7301
    • WK New Zealand at: +64 9 377 1854

If you are not satisfied with our response, or you prefer to raise your concern with the privacy regulator, you may contact the applicable privacy regulator in your jurisdiction:

  • Australia – Office of the Australian Information Commissioner (OAIC). The OAIC provides information on how to lodge a privacy complaint here.
  • Singapore – Personal Data Protection Commission (Singapore PDPC). The Singapore PDPC provides information on how to lodge a privacy complaint here and information on what to do before lodging a complaint here.
  • Thailand – Personal Data Protection Committee (Thailand PDPC). The Thailand PDPC provides information on how to lodge a privacy complaint on its website.
  • New Zealand – Office of the Privacy Commissioner. The Office of the Privacy Commissioner provides information on how to lodge a privacy complaint here.
  • United Kingdom – Information Commissioner’s Office (ICO). The ICO provides information on how to lodge a privacy complaint here.

We encourage you to contact WK first so we have the opportunity to address your concern promptly and directly.

21. Contact us

If you would like more information about how WK manages personal information, or if you wish to exercise any of your privacy rights, you can contact us using the details below:

Group Privacy Officer Email: privacyofficer@wottonkearney.com

Wotton Kearney Australia
Level 9, Grosvenor Place
225 George Street
Sydney NSW 2000
Phone: +61 2 8273 9900

Wotton Kearney Singapore
138 Market Street, #07‑03,
Singapore 048946
Phone: +65 6967 6460

Wotton Kearney Thailand
990 Abdulrahim Place, Unit 1710, 17th Floor,
Rama 4 Road Silom Sub-district,
Bang Rak District Bangkok 10500
Phone: +66 2 460 7301

Wotton Kearney New Zealand
Level 8, 21 Queen Street,
Auckland 1010
Phone: +64 9 377 1854

We will respond as soon as reasonably possible and in accordance with our legal obligations.

22. Changes to this policy

We may update this Privacy Policy from time to time as our services, technology or legal obligations evolve. When we make changes, we will publish the updated version on this page.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect and manage personal information.