Last updated: 01.08.2023
This policy sets out:
- who we collect personal information about;
- the kinds of personal information we collect;
- how we collect and hold personal information;
- why we collect personal information;
- how we use and disclose personal information;
- how you can access and seek to correct the personal information we hold about you;
- whether we disclose your information to overseas entities; and
- how you can complain if you think we have breached this policy or the New Zealand Information Privacy Principles.
2. What personal information do we collect and hold and how do we collect it?
2.1 Who do we collect personal information about?
In conducting our functions and activities (which include vehicle and equipment leasing, vehicle rental, vehicle sales, asset financing and fleet management) we collect, hold, use and disclose personal information about individuals who are or who are proposed to be:
- customers or guarantors under leasing agreements, fleet and vehicle management agreements, financing agreements and sales or rental agreements with ORIX (if the customer or guarantor is a company this includes directors and beneficial owners of that company);
- drivers or nominated custodians of vehicles or equipment owned by, leased or hired from ORIX or financed or managed by ORIX;
- third parties to insurance claims that involve us or one of our customers;
- contractors or suppliers of vehicles or equipment, goods and services or financial products to ORIX or to one of our customers or intending customers;
- visitors to our premises or the premises of our customers or suppliers;
- solicitors, valuers, auctioneers or other professional consultants engaged by us;
- referees of our contractors, suppliers, customers and our customer’s guarantors;
- purchasers of vehicles or equipment owned by us;
- finance brokers, introducers or other intermediaries engaged by us; and
- applicants for employment with us.
2.2 What types of personal information do we collect?
The kind of personal information that we collect and hold about an individual will vary considerably depending on the reason for its collection, including the nature of the individual's arrangements or relationship with ORIX and the individual's connection with the arrangements. The personal information collected and held (depending on the purpose of collection) might include (but is not limited to):
- name, address and contact details;
- date of birth, and driver’s licence particulars and other identity information to verify an individual's identity;
- employment, credit and business history (including trade and credit references or reports);
- information about products or services that an individual has requested or that we provide the individual or their employer;
- driver infringement history (captured during the course of our fines management service) and other driver usage information (including the use and location of tolls, use of fuel and fuel cards, and other driving data);
- “telematics” data captured about vehicles and vehicle drivers (including information as to location, performance, routes taken, vehicle specifications, odometer readings and speed and other driving infringements);
- website and app user data, including your IP address, date, time and duration of your visit to our website or app and device information (see section 2.4 for further information);
- photographs and/or images from camera footage and other biometric data;
- payment (including credit card) details used to purchase our products or services;
- financial position and information, income and financial commitments;
- credit information, such as particulars of consumer and commercial credit enquiries made with a credit reporting body (“CRB”) (for example, Equifax, see www.equifax.co.nz) by credit providers, and other credit reporting information obtained from a CRB (including consumer credit liability information, the type of commercial credit and the amount of commercial credit sought in an application, default information (and where a default has been remedied, payment information or new arrangement information), court proceedings information, personal insolvency information, certain administrative information relating to credit (such as account and customer numbers), credit reporting information we receive from a CRB including business credit scores and ratings, publicly available credit worthiness information, information that we derive from the credit reporting information we receive from CRBs and (where applicable) an opinion from a credit provider that an individual has committed a serious credit infringement); and
- any information we consider relevant to assessing and considering applications for employment, including information contained in letters of application and resumes and employment history.
Occasionally, we might also collect sensitive information about an individual, such as health information. We will only do this if the individual expressly consents and only if it is reasonably necessary for ORIX to provide the individual with the product or service they have asked for or otherwise carry out our functions and activities (such as when an individual is negotiating payment relief with ORIX).
We may also collect personal information (including health information) as part of our COVID-19 (or any future pandemic) response for the purposes of contact tracing, complying with any regulatory requirements in relation to COVID-19 (or any future pandemic) and minimising the potential harm to our employees.
Where we engage with an individual multiple times over a short period in relation to the same matter, we may not provide the individual with a separate notice about privacy each time we engage with that individual.
2.3 How do we collect personal information?
Generally, we collect personal information directly from the individual to whom the information relates (or from their employers, appointed agents or intermediaries). However, sometimes it is collected from third parties including:
- sources with a connection to the individual (for example, the individual’s employer, or referee or recruitment agent);
- our customers or their directors, principals or employees;
- guarantors or proposed guarantors of customers;
- insurance providers;
- finance brokers, introducers or other intermediaries;
- credit reporting bodies;
- credit providers;
- providers of Anti-Money Laundering and Countering Financing of Terrorism legislation (AML) compliance, ‘Know your customer’ (KYC) and other customer onboarding and ID verification services;
- mercantile and other agents;
- publicly available sources of information; and
- government departments, authorities and agencies.
2.4 How do we collect personal information from our apps, websites, customer portals and telematics devices?
We may also collect personal information through our apps, websites, customer / supplier portals and log-in systems at our premises. Personal information may also be collected by our third party services providers who assist us in operating our apps, websites, portals and log-in systems.
We use website analytics such as Google Analytics to help analyse how people use our websites. Website analytics generate statistical and other information about website use by means of cookies, which are stored on users’ devices. The information generated is used to create reports about the use of ORIX’s websites. We may also share website analytics with third parties engaged to provide or update our websites.
In the case of Google Analytics, Google will store this information. ORIX will not (and will not allow any third party to) use website analytics to track or collect any personally identifiable information of visitors to our websites. We will not associate any data gathered from our websites with any personal information from any source as part of our use of website analytics.
If you do not want your website data reported by Google Analytics, you can install the Google Analytics opt-out browser add-on. For more details on installing and uninstalling the add-on, please visit the Google Analytics opt-out page at http://tools.google.com/dlpage/gaoptout.
Like many websites, our website and mobile applications may use “cookies” from time to time. Cookies are small text files that are sent to a user's device (phone or computer) by a website for the purpose of storing information about a user's identity, browser type or website visiting patterns. Cookies may be used on our website to monitor web traffic, for example the time of visit, pages visited and some system information about the type of device being used. We use this information to enhance the content and services offered on our website and through our mobile applications.
Cookies are sometimes also used to collect information about what pages you visit and the type of software you are using. If you access our website or click through an email we send you, a cookie may be downloaded onto your device.
Cookies may also be used for other purposes on our website but in each case none of the information collected can be used to personally identify you.
You can configure your browser to accept all cookies, reject all cookies, or notify you when a cookie is sent. Each browser is different, so check the "Help" menu of your browser to learn how to change your cookie preferences.
Third Party content (for example: social media links)
Some of the content on our websites may include applications made available by third parties, such as social media buttons or links that allow you to share content or links to our websites through the relevant third party platforms. These third party applications themselves may facilitate collection of information by those third parties through your interaction with the applications (sometimes even if you do not interact directly with them).
We are not responsible for the technical operation of these applications or the collection and use practices of these third parties. Please visit the relevant third party websites to understand their privacy practices and options they may make available to you in relation to their collection of your personal information.
If our vehicles are fitted with a telematics device, there will be a visible sticker on the driver side window advising that a telematics device has been fitted to the vehicle. Using a telematics device, we collect information about the use and performance of the vehicle, including vehicle tracking information, vehicle and driver performance data and additional safety related data (“Telematics Information”). Some of the Telematics Information collected may constitute “personal information” within the meaning of the Privacy Act.
If you (or the company leasing or hiring the vehicle from ORIX) has requested telematics services, we will provide Telematics Information to you (or the company leasing or hiring the vehicle from ORIX).
If you (or the company leasing or hiring the vehicle from ORIX) has not requested telematics services, we will use the device to:
- obtain regular odometer readings, geolocation and other incidental data in order to manage the vehicle lease or rental, and
- to locate and/or the vehicle in the event of a default or an emergency.
3. Why do we collect and hold personal information?
3.1 Why do we collect your personal information?
ORIX collects and holds personal information to conduct our functions and activities, including to market and sell our products and services, and so that we can:
- provide our customers (or their directors, principals or employees) with vehicle leasing, equipment leasing, financing, vehicle sales, novated leasing, vehicle rental, fleet management services and any other of our products and services they might request, including assessing and considering applications and guarantors for these products and services;
- verify customers in accordance with our KYC process;
- manage the facilities, the vehicle and equipment leases, hires and delivery of services connected with our leasing, fleet management, and other services;
- assess whether to engage applicants for employment and contractors and manage employment relationships;
- appropriately identify parties ORIX contracts with for goods or services (including suppliers and consultants) and manage the supplier relationship;
- comply with our legal and regulatory obligations (including those relating to health and safety generally); and
- otherwise conduct our business functions and activities.
If we are not able to collect the personal information we seek we may not be able to provide requested products and services.
3.2 How does ORIX use personal information for marketing?
From time to time, ORIX may also use and disclose the personal information we collect to let our customers know about products and services that might be of interest to them, including by direct marketing. Subject to your consent we may use your personal information to send you information, including promotional material, about ORIX or our products and services, as well as the products and services of our related entities and third parties, now and in the future. Subject to your consent we may send you such information by means of direct mail, email, SMS and MMS messages.
If at any time you wish to stop receiving these types of notifications or you do not want your information disclosed for marketing purposes, please let us know by:
- clicking the "Unsubscribe" link in a direct marketing email that you have received from us; or
- contacting our Privacy Officer, whose contact details are shown below.
4. What do we do with the personal information we collect?
4.1 How do we use your personal information?
- to identify you (if you are a customer, supplier, guarantor, proposed guarantor, driver or purchaser of a leased, hired or financed vehicle or equipment) – including verifying information you provide via searches of both government and public registers (either directly or through an intermediary);
- to assess and consider applications for vehicle or equipment leasing, novated leasing, vehicle rental, vehicle sale, asset financing, fleet management services, or a related product or service – your involvement in the application for one of these products or services might be as the applicant/customer, a proposed guarantor for the applicant/customer or if the applicant/customer (or proposed guarantor) is a company, as a director, principal, beneficial owner or employee of that company;
- to provide and manage the vehicle or equipment leasing, novated leasing, vehicle rental, asset financing and fleet management services. This includes administrative operations, delivering and managing lease vehicles or equipment, managing our accounts (including the recovery of money, vehicles or equipment and the exercise of any of our rights or obligations), managing vehicle registration, managing fines, tolls and fuel cards on your behalf, the maintenance and repair of vehicles and equipment, disposing of vehicles, and arranging insurance;
- to collect, process and manage payments for our products and services;
- to manage insurance and accident claims;
- if you are an employee or other representative of a customer to which we provide our products and services, to communicate with and provide reports to your employer about your driving behaviour and performance;
- to obtain and use information for assessing and considering applications for credit and establish and manage the credit facilities required to provide products and services to the relevant individual, a company of which they are a director, principal, or beneficial owner or to companies or individuals for whom the individual is (or is proposed to be) a guarantor;
- to report details of any fraud or other serious credit infringement;
- to assess, onboard and manage our suppliers (including prospective suppliers);
- to provide and manage our websites, mobile applications, and customer and supplier portals;
- to personalise and customise your experience on our website;
- to help us research the needs of our customers to market our products and services with a better understanding of the needs of our customers, and for the purposes of improving existing products or services or creating new products or services;
- if applicable, to carry out checks on the Personal Property Securities Register (PPSR) (which may involve a disclosure to the PPSR operator or an intermediary in the course of accessing the PPSR), including to confirm your details where you have applied for credit;
- to enable us to comply with our obligations under the AML legislation which might include identifying a customer’s beneficial owner; and
- to enable us to comply with our legal obligations, including any legal obligations of our related companies, including ORIX Australia Corporation Limited or its parent company in Japan, ORIX Corporation.
4.2 Who may we disclose your personal information to?
Disclosure of personal information in New Zealand
We may sometimes disclose personal information to third parties outside of ORIX. This disclosure will either be for one of the purposes for which the information was collected, related purposes, purposes to which you have consented or to allow us to comply with a New Zealand law that requires us to disclose personal information. External parties we may disclose personal information to include:
- credit reporting bodies including Equifax New Zealand Information Services and Solutions Limited;
- other credit providers including credit providers with whom you have had consumer or commercial credit dealings;
- our service providers and advisers including providers of AML compliance, KYC and other customer onboarding and ID verification services, corporate support services, technology support services, securitised lenders to ORIX; brokers, introducers, agents, auditors, solicitors and other professional consultants, trade, commercial / mercantile agents and auctioneers; debt collecting agencies, insolvency practitioners (for example, bankruptcy trustees, administrators, receivers, liquidators) and similar;
- other third party suppliers including suppliers or repairers of vehicles or equipment, motor vehicle manufacturers and dealers, and contractors (including tow truck operators), toll operators, motor clubs, emergency breakdown assistance providers and similar, as required to facilitate the provision of goods, services or products you have requested;
- insurers and related entities including insurance brokers, insurance assessors and inspection agents, and investigators;
- government or regulatory authorities including vehicle registration authorities, transport authorities, state debt recovery authorities, law enforcement, tax authorities and other organisations as required or authorised by law;
- our customer’s guarantors or proposed guarantors.
We may otherwise collect, use or disclose your personal information:
- as required or authorised by law, including without limitation the New Zealand Information Privacy Principles under the Privacy Act.
Disclosure of personal information overseas
We are a New Zealand company with an Australian parent company and will generally process your personal information (including storing in servers) within New Zealand or Australia. However, there are certain limited circumstances where your personal information may be transferred overseas, including but not limited to the following examples:
- disclosure to an overseas related entity of ORIX for purposes of conducting our business function – this will be mainly limited to Australia and Japan as we are a wholly owned subsidiary of ORIX Australia Corporation Limited (based in Australia) which is in turn wholly owned by ORIX Corporation (based in Japan);
- a software application or platform hosted in New Zealand requires technical maintenance or support and the support services are located overseas;
- a cloud application or platform based on Google Cloud, Microsoft Azure, Amazon Web Services or similar with backup servers located overseas;
- a telematics provider uses an overseas cloud storage provider for requested services;
- if the transactions, information, services or products have an interstate or overseas connection; and
- in the event that ORIX acquires or divests of a part of our business to a third party, we may disclose our business information together with your personal information to a potential purchaser including in insolvency.
Some of these third parties outside New Zealand may not be subject to New Zealand privacy laws. However, we will take such steps as are reasonable in the circumstances to ensure that those third parties are required to protect the information in a way that, overall, provides comparable safeguards to those under the Privacy Act. You may have rights to enforce an overseas party’s compliance with applicable data protection laws, but you may not have recourse against those parties under the New Zealand Privacy Act in relation to how those parties treat your personal information.
5. How can you access or correct the personal information we hold about you?
We take reasonable steps to ensure that any personal information we collect and use is accurate, complete and up-to-date. To assist us in this, you need to provide true, accurate, current and complete information as requested. If you believe or become aware that some of the personal information we hold about you is incorrect or requires updating (for example your address or contact details), please notify us of the correct information by contacting the Privacy Officer whose details are set out below.
If you wish to access or correct the personal information ORIX holds about you, you can request this by contacting the Privacy Officer whose details are set out below.
Once we receive your request, we will acknowledge your request within 20 Business Days. We may need to further verify your identity before we can proceed with your request.
Where we cannot provide you with the requested information, including where we rely on an exemption in the Privacy Act to refuse or limit access, we will provide you with reasons why.
We will not charge you for making the request but in some cases, there may be a reasonable charge to cover the time taken to provide you with the requested information. Where a charge may be involved, we will provide you with a quote and you will be able to decide whether to proceed with the request.
6. How do we hold and protect your personal information?
We use reasonable and appropriate measures to protect your personal information (in both hard copy and in digital forms) from misuse, interference and loss, and from unauthorised access, modification or disclosure. These security measures range from technical controls to training for our staff on recent trends and risks.
In the event of a data breach, we have well-tested processes on how to respond and communicate promptly with affected individuals and authorities.
7. What do I do if I have a privacy question or complaint?
Do you have a privacy related question?
Do you think we have breached your rights under the Privacy Act (in particular the New Zealand Information Privacy Principles)?
Please contact ORIX’s Privacy Officer; we would like to hear from you.
It would help us to respond to your complaint promptly if it is made in writing. Please detail all information relevant to your complaint.
The ORIX Privacy Officer will acknowledge receipt of your question or complaint within 5 Business Days of receipt and will respond to you within 20 days of its receipt.
If we are unable to satisfactorily answer your question or resolve your concerns about our handling of your personal information, you can contact the New Zealand Office of the Privacy Commissioner at: PO Box 10094, The Terrace, Wellington 6143, phone 0800 803 909, http://privacy.org.nz/.
ORIX Privacy Officer's Contact Details
This policy is effective 1 August 2023 and may be updated from time to time. Please check our website for the most current version or contact us for a printed copy.