GDPA MEMBER COMPLIANCE POLICY

CW RETAIL SERVICES PTY LTD

HEREIN REFERRED TO AS THE (ENTITY)


Since 10th August 2020

CERTIFICATION NUMBER: 80334


We are fully committed to protecting your data, in the same way we wish our own personal data to be protected by others. If you have any concern, please reach out to us. The policy herein is designed to meet our local data privacy regulation, together with the regulations of other jurisdictions where applicable. Should you find any aspect which does not meet our obligation towards you, please let us know via the Communication Options provided at the end of this page and we will address the matter accordingly. Our certification can be validated via the link provided.


COMPLIANCE POLICY

Our compliance policy tells you how and for what purposes we collect and use personal data from our pharmacy patients and service users and what to expect us to do with your personal information when you contact us or use one of our services. We tell you why we are able to process your information; what purpose we are processing it for; whether you have to provide it to us; how long we store it for and whether there are other recipients of your personal information.

We, the ENTITY, implement the following 16 compliance principles and commitments as our foundation, in line with local and, where applicable, international data protection regulations. They are listed below together with an explanation of how we comply with each.

  1. Processed lawfully, fairly and in a transparent manner: this means having a lawful basis (reason) for processing data, handling the data honestly, and being unambiguous about how we intend to use this data.
  2. Collected for specified, explicit and legitimate purposes: this means being open and clear about why personal data is being collected and outlining the exact legal purpose for processing.
  3. Adequate, relevant and limited to what is necessary in relation to the purposes of processing: this means only holding the amount of information sufficiently necessary for the purpose(s) intended.
  4. Accurate and where necessary, kept up-to-date: this means taking reasonable steps to ensure accuracy of information, and verifying and rectifying/updating information without delay as required.
  5. Kept in a form which allows the identification of an individual for no longer than is necessary: taking into account the purpose(s) for which information is held, this means reviewing the length of time information is kept, and making sure information is not kept for longer than necessary.
  6. Processed in a manner that ensures appropriate security: this means preventing data breaches by having suitable security measures in place to fit the type of data processed (for example, physical security measures such as locks on manual filing systems, and electronic security measures such as passwords on computer terminals).
  7. Your right to view your health record: You have the right to ask for a copy of all pharmacy records about you (generally in paper or electronic form). There are some exemptions, which means you may not always receive all the information we process.
  8. Your right to rectification: You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
  9. Your right to erasure: You have the right to ask us to erase your personal information in certain circumstances.
  10. Your right to restriction of processing: You have the right to ask us to restrict the processing of your information in certain circumstances.
  11. Your right to object to processing: You have the right to object to processing if we are able to process your information because the process forms part of our public tasks or is in our legitimate interests.
  12. Your right to data portability: This only applies to information you have given us. You have the right to ask that we transfer the information you gave us to another organisation or give it to you in a structured, commonly used, machine-readable form. The right only applies where we process that information by automated means on the basis of your consent or a contract with you. Generally, you are not required to pay any charge for exercising your rights. We have one month to respond to you.
  13. Where your data will be stored: Your data will be held on the computer system(s) within our pharmacy and on any paperwork relevant to the provision of pharmacy services to you. Your data may also be held by systems and support networks involved in your care. Your data may also be backed up or archived within purpose-built, professionally managed, secure data storage facilities in Ireland, which will be monitored 24 hours a day, 365 days of the year. Appropriate security measures are in place in line with our requirements to protect your data.
  14. How we comply with the General Data Protection Regulation (GDPR): We have internal procedures to ensure that all information which is collected and held about you is held in accordance with the legal requirements and principles of the GDPR, which came into effect on 25th May 2018.
  15. Data Protection Officer: We have designated GDPA as our Data Protection Auditors and have appointed internally a DPO (Mark Finocchiaro) to manage and address our ongoing path to compliance. GDPA are experienced in data protection and confidentiality matters and provide us with the tools to take full responsibility for all matters relating to data protection and compliance. Our DPO is responsible for making sure that our business processes and decision making are in line with compliance requirements and good practice. Our DPO will ensure that we are accountable and transparent to the supervisory authorities. We are committed to high standards when it comes to processing your personal information. If you have queries or concerns, please contact us via the COMMUNICATION OPTIONS below.
  16. Office of the Australian Information Commissioner (OAIC): If you remain dissatisfied, you can make a complaint about the way we process your personal information directly to the OAIC, GPO Box 5218, Sydney, NSW 2001, Australia, or via their contact page.

Our compliance policy provides you with details of how we collect and process your personal data via our ONLINE/OFFLINE Channels (referred to as our OOC) which include:

website: https://www.chemistwarehouse.com.au/

facebook: https://www.facebook.com/ChemistWarehouse/

instagram: https://instagram.com/chemistwarehouseaus/

twitter: https://twitter.com/ChemistWhouse

linkedin: https://www.linkedin.com/company/my-chemist-warehouse-group

youtube: https://www.youtube.com/channel/UC1mfhAu4MKP83grVEBOXlBg

This policy incorporates our obligations to comply with privacy regulations on how we collect and process your personal data via OFFLINE methods which include: face to face physical presence; sending physical hard copy data/information via traditional postal services / courier (air/sea/road) and all other applicable offline methods.

By providing us with your data, you warrant to us that you are over 16 years of age. If you are not over the age of 16, please provide parental consent.

We the ENTITY are the data controller and we are responsible for your personal data (referred to as “we”, “us” or “our” in this policy).

We have appointed the Global Data Protection Agency “GDPA” as our registered European GDPR Secretariat.

Our GDPR Secretariat's duties are to review your submissions and forward them to us, whereupon we will take the necessary steps to answer you in line with the GDPR and the general protection of your personal data. Should you have any questions about the policy defined herein, you can submit them via the form provided at the bottom of this page.

If required, you can also forward via post your hard-copy communication to our registered postal address within the European Union exactly as follows;

We would be grateful if you contacted us first if you do have a complaint so that we can try to resolve it for you.

It is very important that the information we hold about you is accurate, up to date and that we are doing the right thing by you. Please do let us know if at any time your personal information changes.

We the Entity are committed to processing your personal data in accordance with our responsibilities under the GDPR.

Article 5 of the GDPR requires that personal data shall be:

A) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

B) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);

C) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’);

D) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

E) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

F) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Under this section, we the Entity shall:

A) Apply this policy to all personal data processed by us.

B) Be solely responsible for the ongoing compliance as defined in this policy.

C) Review this policy at least once per year.

Under this section, we the Entity shall:

A) Ensure the processing of data is lawful, fair, and properly documented and logged.

B) Review at least once per year our compliance processes.

C) Give individuals the right to access their personal data and any such requests made to us shall be dealt with in a timely manner and no greater than one calendar month from the date the request was submitted by the individual.

Under this section:

A) All data processing performed by us the Entity, shall be done on at least one of the following lawful bases:

    • consent
    • contract
    • legal obligation
    • vital interests
    • public task
    • legitimate interests.

B) We the Entity shall keep records of the lawful basis relied upon for each processing activity.

C) Where consent is relied upon as the lawful basis for processing data, evidence of “explicit opt-in” consent shall be kept with the personal data.

D) Communications are sent to individuals based on their consent. The individual at all times has the option to revoke their consent. The provision and system is clearly available and in place to ensure such revocation is reflected accurately in the Entity’s systems. You will find 7 provisions in place and available to you at the end of this policy as follows:

    • Data Breach Registrar
    • Data Subject Opt-Out
    • Data Subject Portability
    • Data Subject Erasure
    • Data Subject Correction
    • Data Subject Access
    • Data Subject Restriction

Under this section, we the Entity shall ensure that personal data collected is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

Purposes relevant to us the Entity include:

A) ORDER MANAGEMENT: To handle the processing of orders placed by the individual with us the Entity.

B) CUSTOMER RELATIONS: To handle consented communication or when necessary communications between us the Entity with the individual to fulfill the obligations and legitimate interests of both parties.

C) TAXATION PURPOSES. To evidence legitimate transactions with our local taxation authorities and laws.

D) MARKETING ACTIVITIES. To perform marketing activities on a consent-driven basis where applicable and permitted by the GDPR/OAIC.

E) CONSUMER ANALYTICS. To perform grouped analytics to better understand our consumers on a non-personal and non-identifiable basis.

Under this section, we the Entity shall:

A) Take reasonable steps to ensure personal data is accurate.

B) Where necessary for the lawful basis on which data is processed, put steps in place to ensure that personal data is kept relevant and up to date.

Under this section, we the Entity shall:

A) Ensure that personal data is kept for no longer than necessary, and shall put in place an archiving policy for each area in which personal data is processed and review this process at least once per year.

B) Define the archiving policy including what data should and/or must be retained, for how long, and why.

Under this section, we the Entity shall:

A) Ensure that personal data is stored securely using supported, up-to-date software with current security patches applied.

B) Limit the access of personal data to personnel who need access and appropriate security shall be in place to avoid unauthorized sharing of information.

C) When deleting personal data, do so safely and securely, in such a manner that the data is irrecoverable by any means.

D) Have in place appropriate back-up and disaster recovery solutions.

We the Entity have defined the social media platforms we are found on in section 1 INTRODUCTION.

Separate to our policy herein, we also adhere to the privacy conditions related to us and placed upon us by each of the social media platforms.

Here are the links to the privacy policies provided by the social media platforms we are or may become members of and to other social media platforms which you may find useful;

You may find it beneficial and/or of interest in reading them, so you can understand on how they protect your data and where applicable any provisions they place upon us the Entity in protecting your data.

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, we the Entity shall:

A) Immediately log the breach.

B) Assess the risk to people’s rights and freedoms.

C) Where required, report this breach to:

    1. the affected individuals.
    2. the appropriate authorities.

D) Conduct a Full Audit and based on the findings, update the security procedures and security measures to mitigate the chances of a similar breach reoccurring.

Under certain circumstances, you have rights under data protection laws of the GDPR/OAIC in relation to your personal data.

These include the right to:

1 Request access to your personal data. (Data Subject Access)

2 Request correction of your personal data. (Data Subject Correction)

3 Request erasure of your personal data. (Data Subject Erasure)

4 Object to processing of your personal data. (Data Subject Restriction)

5 Request restriction of processing your personal data. (Data Subject Restriction)

6 Request transfer of your personal data. (Data Subject Portability)

7 Right to withdraw consent. (Data Subject Opt-Out)

If you wish to exercise any of the rights set out above, you can do so directly via the options available at the end of this policy.

You will not have to pay a fee. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

What’s a cookie?

A “cookie” is a small piece of information that a website asks your browser to store on your device. It records how you move around that website so that, when you revisit it, the site can present tailored options based on what was stored during your last visit. Cookies can also be used to analyse traffic and for advertising and marketing purposes.

Cookies are used by nearly all websites. They are not executable code and cannot damage your system, although they can be used to recognise your browser across visits.

If you want to check or change what types of cookies you accept, this can usually be altered within your browser settings. You can block cookies at any time by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.

How do we use cookies?

We may use cookies to track your use of our Social Media/Web Sites (SMS). This enables us to understand how you use the site and track any patterns with regards how you are using our website. This helps us to develop and improve our website as well as products and / or services in response to what you might need or want.

Cookies are either:

✍Session cookies: these are only stored on your computer during your web session and are automatically deleted when you close your browser – they usually store an anonymous session ID allowing you to browse a website without having to log in to each page but they do not collect any personal data from your computer; or

✍Persistent cookies: a persistent cookie is stored as a file on your computer and it remains there when you close your web browser. The cookie can be read by the website that created it when you visit that website again. We use persistent cookies for Google Analytics.
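The distinction above comes down to a single detail of the Set-Cookie header: a cookie with an Expires or Max-Age attribute is persistent, and one without either is a session cookie. The following is an added example, not code from the original policy or from the Entity, which a reviewer can run against captured Set-Cookie headers to classify them the same way and to flag the attributes (Secure, HttpOnly, SameSite, lifetime) a privacy or security review would want to see. The sample headers are constructed for illustration and use example.com; none was captured from the Entity's sites.

```python
"""Classify Set-Cookie headers as session or persistent and flag weak attributes.

Added example, not part of the original policy. Sample headers below are
constructed for illustration and were not captured from any real site.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class CookieReport:
    name: str
    persistent: bool             # Expires or Max-Age present: survives browser close
    max_age_seconds: int | None  # lifetime when given via Max-Age
    secure: bool
    http_only: bool
    same_site: str | None
    findings: list[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieReport:
    """Parse one Set-Cookie header value (RFC 6265 syntax) and flag weak attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None

    # A cookie is persistent exactly when the server gives it a lifetime.
    # Without Expires or Max-Age the browser discards it when the session ends.
    persistent = "expires" in attrs or "max-age" in attrs
    max_age = None
    if attrs.get("max-age") is not None:
        try:
            max_age = int(attrs["max-age"])
        except ValueError:
            pass
    same_site = attrs.get("samesite")

    report = CookieReport(
        name=name.strip(),
        persistent=persistent,
        max_age_seconds=max_age,
        secure="secure" in attrs,
        http_only="httponly" in attrs,
        same_site=same_site.capitalize() if same_site else None,
    )

    # Attribute checks a reviewer applies before accepting "cookies do not harm your system".
    if not report.secure:
        report.findings.append("missing Secure: cookie can be sent over plaintext HTTP")
    if not report.http_only:
        report.findings.append("missing HttpOnly: readable by any script on the page")
    if same_site is None:
        report.findings.append("missing SameSite: relies on the browser default")
    elif same_site.lower() == "none" and not report.secure:
        report.findings.append("SameSite=None without Secure: modern browsers reject this cookie")
    if persistent and max_age is not None and max_age > 365 * 86400:
        report.findings.append("lifetime over one year: justify under storage limitation")
    return report


def classify(headers: list[str]) -> dict[str, list[str]]:
    """Group cookie names into the notice's two categories, 'session' and 'persistent'."""
    groups: dict[str, list[str]] = {"session": [], "persistent": []}
    for h in headers:
        r = parse_set_cookie(h)
        groups["persistent" if r.persistent else "session"].append(r.name)
    return groups


# Constructed sample headers (hypothetical; not captured from any real site).
SAMPLE_HEADERS = [
    "sessionid=8f1c2a; Path=/; Secure; HttpOnly; SameSite=Lax",
    "_ga=GA1.2.111.222; Domain=.example.com; Path=/; Max-Age=63072000",
    "prefs=lang%3Den; Path=/; Expires=Thu, 01 Jan 2032 00:00:00 GMT; Secure",
    "adid=42; Path=/; SameSite=None",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        r = parse_set_cookie(h)
        kind = "persistent" if r.persistent else "session"
        print(f"{r.name:10} {kind:10} {'; '.join(r.findings) or 'ok'}")
    print(classify(SAMPLE_HEADERS))
```

Run it against the Set-Cookie lines from a browser's developer tools or a `curl -I` response to see which cookies a site sets outlive the session; the two-year `_ga` analytics cookie in the sample is the shape of persistent cookie the notice refers to.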

Cookies can also be categorized as follows:

✍Strictly necessary cookies: These cookies are essential to enable you to use the website effectively, such as when buying a product and / or service, and therefore cannot be turned off. Without these cookies, the services available to you on our website cannot be provided. These cookies do not gather information about you that could be used for marketing or remembering where you have been on the internet.

✍Performance cookies: These cookies enable us to monitor and improve the performance of our website. For example, they allow us to count visits, identify traffic sources and see which parts of the site are most popular.

✍Functionality cookies: These cookies allow our website to remember choices you make and provide enhanced features. For instance, we may be able to provide you with news or updates relevant to the services you use. They may also be used to provide services you have requested such as viewing a video or commenting on a blog. The information these cookies collect is usually anonymized.

Please note third parties who advertise on our SMS (including, for example, the owner/operators of the SMS, affiliates, advertising networks and providers of external services like web traffic analysis services) may also use cookies, over which we have no control. These cookies are likely to be analytical/performance cookies or targeting cookies.

How to block cookies?

Cookies are unpopular with many users, and we make our best efforts to set only those cookies that serve our legitimate interest in being able to service you and to improve the functionality and flow of our business. Should you feel uncomfortable with our cookies, you may disable them in your chosen browser by following the instructions provided via the links below. Please note that disabling cookies may interrupt the flow of your information to us and prevent us from meeting our obligations to you:

Our cookie list

Below is the list of third-party-service providers we use who can leave cookies to be able to work for their intended purposes. Should you have any queries regarding cookies used by them and what information they collect and why please visit respective cookie policy page links provided below.

Cookie Domain: .chemistwarehouse.com.au
Description: All Cookies are leveraged to provide site functionality, analytics and advertising and profiling to ensure you get the best experience possible.

Still have concerns about cookies?

If you are still not comfortable with the cookies we use then feel free to reach out to us via the COMMUNICATION OPTIONS provided below and we will do our best to put any concern you may have to rest.

1. INTRODUCTION

This privacy notice provides you with details of how we collect and process your personal data through your use of our sites as defined in section 1:INTRODUCTION, including any information you may provide through our sites when you purchase or enquire about a product or service, sign up to our newsletter or take part in a prize draw or competition.

By providing us with your data, you warrant to us that you are over 16 years of age.

We the ENTITY are the data controllers and we are responsible for your personal data (referred to as “we”, “us” or “our” in this privacy notice).

If you have any questions about our GDPA Compliance Policy, please use the COMMUNICATION OPTIONS provided below.

It is very important that the information we hold about you is accurate and up to date. Please let us know if at any time your personal information changes by using the DATA SUBJECT OPTIONS provided below.

2. WHAT DATA DO WE COLLECT ABOUT YOU

Personal data means any information capable of identifying an individual. It does not include anonymised data.

We may process certain types of personal data about you as follows:

2.1 Identity Data may include your first name, maiden name, last name, username, marital status, title, date of birth and gender.

2.2 Contact Data may include your billing address, delivery address, email address and telephone numbers.

2.3 Financial Data may include your bank account and payment card details. Transaction Data may include details about payments between us and other details of purchases made by you.

We may also process Aggregated Data from your personal data but this data does not reveal your identity and as such in itself is not personal data. An example of this is where we review your Usage Data to work out the percentage of website users using a specific feature of our site. If we link the Aggregated Data with your personal data so that you can be identified from it, then it is treated as personal data.

SENSITIVE DATA

We do not collect any Sensitive Data about you unless it is required to fulfil our obligation, contract and/or service to you and forms part of our data processing conditions. Sensitive data refers to personal data that includes details about your:

§ race or ethnicity,

§ religious or philosophical beliefs,

§ sex life,

§ sexual orientation,

§ political opinions,

§ trade union membership,

§ information about your health,

§ genetic and biometric data and

§ information about criminal convictions and offences.

Where we are required to collect personal data by law, or under the terms of the contract between us and you do not provide us with that data when requested, we may not be able to perform the contract (for example, to deliver goods or services to you). If you don’t provide us with the requested data, we may have to cancel a product or service you have ordered but if we do, we will notify you at the time.

3. HOW WE COLLECT YOUR PERSONAL DATA

We collect data about you through a variety of different methods including:

3.1 Direct interactions. You may provide data by filling in forms on our site (or otherwise) or by communicating with us by post, phone, email or otherwise, including when you:

3.1a order our products or services;

3.1b create an account on our site;

3.1c subscribe to our services or publications;

3.1d request resources or marketing be sent to you;

3.1e enter a competition, prize draw, promotion or survey;

3.1f give us feedback or

3.1g provide an official medical prescription issued by an accepted and legal medical authority such as your doctor.

3.2 Automated technologies or interactions. As you use our sites, we may automatically collect Technical Data about your equipment, browsing actions and usage patterns. We collect this data by using cookies, server logs and similar technologies. We may also receive Technical Data about you if you visit other websites that use our cookies. For further details regarding our cookie policy, please contact us via the COMMUNICATION OPTIONS provided below.

4. HOW WE USE YOUR PERSONAL DATA

We will only use your personal data when legally permitted and to be able to deliver our services/products to you. The most common uses of your personal data are:

4.1 Where we need to perform the contract between us.

4.2 Where it is necessary for our legitimate interests (or those of a pre-approved third party), provided those interests are not overridden by your interests and fundamental rights.

4.3 Where we need to comply with a legal or regulatory obligation.

Generally, we do not rely on consent as a legal ground for processing your personal data, other than in relation to sending marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time via the DATA SUBJECT OPTIONS provided below.

PURPOSES FOR PROCESSING YOUR PERSONAL DATA

Set out below is a description of the ways we intend to use your personal data and the legal grounds on which we will process such data. We have also explained what our legitimate interests are where relevant.

We may process your personal data on more than one lawful ground, depending on the specific purpose for which we are using your data. Where more than one ground applies, the specific legal ground we rely on is set out below:

Purpose/Activity 1: To register you as a new customer.

  • Type of data: Identity & Contact.
  • Lawful basis for processing: Performance of a contract with you.

Purpose/Activity 2: To process and deliver your order.

  • Type of data: Identity.
  • Lawful basis for processing: Performance of a contract with you.

Purpose/Activity 3: Manage payments, fees and charges.

  • Type of data: Contact.
  • Lawful basis for processing: Necessary for our legitimate interests to recover debts owed to us.

Purpose/Activity 4: Collect and recover money owed to us.

  • Type of data: Financial, Transactions, Marketing & Communications.
  • Lawful basis for processing: Necessary for our legitimate interests to recover debts owed to us.

Purpose/Activity 5: To manage our relationship with you.

  • Type of data: Identity.
  • Lawful basis for processing: Performance of a contract with you.

Purpose/Activity 6: Notifying you about changes to our terms or privacy policy.

  • Type of data: Contact.
  • Lawful basis for processing: Necessary to comply with a legal obligation.

Purpose/Activity 7: Asking you to leave a review or take a survey.

  • Type of data: Profile, Marketing and Communications.
  • Lawful basis for processing: Necessary for our legitimate interests to keep our records updated and to study how customers use our products/services.

Purpose/Activity 8: To administer and protect our business and our site (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).

  • Type of data 8.1: Identity.
    • Lawful basis for processing: Necessary for our legitimate interests for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganization or group restructuring exercise.
  • Type of data 8.2: Contact and Technical.
    • Lawful basis for processing: Necessary to comply with a legal obligation.

Purpose/Activity 9: To deliver relevant content and advertisements to you and measure and understand the effectiveness of our advertising.

  • Type of data: Identity, Contact, Profile, Usage, Technical, Marketing and Communications.
    • Lawful basis for processing: Necessary for our legitimate interests to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy.

Purpose/Activity 10: To use data analytics to improve our website, products/services, marketing, customer relationships and experiences.

  • Type of data: Technical and Usage.
    • Lawful basis for processing: Necessary for our legitimate interests to define types of customers for our products and services, to keep our site updated and relevant, to develop our business and to inform our marketing strategy.

Purpose/Activity 11: To make suggestions and recommendations to you about goods or services that may be of interest to you.

  • Type of data: Identity, Contact, Technical, Usage and Profile.
    • Lawful basis for processing: Necessary for our legitimate interests to develop our products/services and grow our business.

MARKETING COMMUNICATIONS

You will receive marketing communications from us if you have:

1: requested information from us or purchased goods or services from us; or

2: if you provided us with your details and ticked the consent option provided at the point of entry of your details for us to send you marketing communications; and

3: in each case, you have not opted out of receiving that marketing.

We will get your express opt-in consent before we share your personal data with any third party for marketing purposes.

You can ask us or third parties to stop sending you marketing messages at any time by logging into the website and checking or unchecking the relevant boxes to adjust your marketing preferences, by following the opt-out links on any marketing message sent to you, or by using the DATA SUBJECT OPTIONS provided below.

Where you opt out of receiving our marketing communications, this will not apply to personal data provided to us as a result of a product/service purchase, warranty registration, product/service experience or other transactions.

CHANGE OF PURPOSE

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

If we need to use your personal data for a purpose unrelated to the purpose for which we collected the data, we will notify you and we will explain the legal ground of processing.

If we desire to use your personal data for a purpose unrelated to the purpose for which we collected the data and outside of legal processing grounds, we will first seek your explicit consent. If you do not reply to our request, we will take it that we do not have your permission and as such will respect it.

We may process your personal data without your knowledge or consent where this is required or permitted by law.

5. DISCLOSURES OF YOUR PERSONAL DATA

We may have to share your personal data with the parties set out below for the purposes set out in the table in paragraph 4 above:

5.1 Other companies in our group who provide IT and system administration services and undertake leadership reporting.

5.2 Service providers who provide IT and system administration services.

5.3 Professional advisers including lawyers, attorneys, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.

5.4 Revenue & Customs, regulators and other authorities based in our Country and other relevant jurisdictions who require reporting of processing activities in certain circumstances.

5.5 Third parties to whom we sell, transfer, or merge parts of our business or our assets.

We require all third parties to whom we transfer your data to respect the security of your personal data and to treat it in accordance with the law. We only allow such third parties to process your personal data for specified purposes, in accordance with our instructions and with a Data Processor agreement in place.

6. INTERNATIONAL TRANSFER PROVIDERS SUCH AS DROPBOX, MAILCHIMP, ETC THAT HAVE THEIR SERVERS BASED OUTSIDE OF THE EU

When applicable, we may share your personal data within our group of companies which involves transferring your data outside the European Economic Area (EEA).

Countries outside of the European Economic Area (EEA) do not always offer the same levels of protection to your personal data, so European law has prohibited transfers of personal data outside of the EEA unless the transfer meets certain criteria.

Some of our third-party service providers are based outside the European Economic Area (EEA), so their processing of your personal data will involve a transfer of data outside the EEA.

Whenever we transfer your personal data out of the EEA, we do our best to ensure a similar degree of security of data by ensuring at least one of the following safeguards is implemented:

6.1 We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission; or

6.2 Where we use certain service providers, we may use specific contracts or codes of conduct or certification mechanisms approved by the European Commission which give personal data the same protection it has in Europe; or

6.3 Where we use providers based outside of the European Union, we may transfer data to them if they provide similar protection to personal data shared between Europe and other countries.

If none of the above safeguards is available, we simply do not deal with them.

7. DATA SECURITY

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know such data. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

8. DATA RETENTION

We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for tax purposes for the period of years after they cease being customers that the law dictates in our Country.

In some circumstances you can ask us to delete your data via the DATA SUBJECT OPTIONS provided below.

In some circumstances we may anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

9. YOUR LEGAL RIGHTS

Under certain circumstances, you have rights under data protection laws in relation to your personal data. These include the right to:

9.1 Request access to your personal data.

9.2 Request correction of your personal data.

9.3 Request erasure of your personal data.

9.4 Object to processing of your personal data.

9.5 Request restriction of processing your personal data.

9.6 Request transfer of your personal data.

9.7 Right to withdraw consent.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month and where required within 72 hours. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

You will find your DATA SUBJECT OPTIONS listed below.

10. THIRD PARTY LINKS

This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our site, we encourage you to read the privacy notice of every Website you visit.

When designing our website(s), we sought expert advice on how to implement “PRIVACY BY DESIGN”, as it was our primary objective in presenting a platform built to safeguard YOUR individual rights as outlined by the GDPR/OAIC Principles.

The following 12 steps were defined and acted upon:

  1. We implemented data protection issues as part of the design and implementation of systems, services, products and business practices.
  2. We made data protection an essential component of the core functionality of our processing systems and services.
  3. We anticipate risks and privacy-invasive events before they occur, and take steps to prevent harm to individuals.
  4. We only process the personal data that we need for our purpose(s), and we only use the data for those purposes.
  5. We ensure that personal data is automatically protected in any IT system, service, product, and/or business practice, so that individuals should not have to take any specific action to protect their privacy.
  6. We provide the appropriate communication channels where our members can dialogue with us.
  7. We adopt a ‘plain language’ policy for any public documents so that individuals easily understand what we are doing with their personal data.
  8. We provide individuals with tools so they can determine how we are using their personal data, and whether our policies are being properly enforced.
  9. We offer strong privacy defaults, user-friendly options and controls, and respect user preferences.
  10. We only use data processors that provide sufficient guarantees of their technical and organisational measures for data protection by design.
  11. When we use other systems, services or products in our processing activities, we make sure that we only use those whose designers and manufacturers take data protection issues into account.
  12. We use privacy-enhancing technologies (PETs) to assist us in complying with our data protection by design obligations.

Rest assured, we are not perfect and have no doubt that we may not have taken certain aspects into account, not because we have ignored them but because they have slipped our radar. Tell us via the COMMUNICATION OPTIONS below; this is the only way we can improve our service and obligation to YOU.

To us, Trust is Everything!

Your privacy is important to us, and we’re committed to the protection of your privacy in your employment with us. This Recruitment Privacy Policy (RPP) describes what Personal Data our company, as well as any of our subsidiaries, affiliates, and related entities (together the ENTITY), collects about you as a prior, current, or former employee (Employee).

This RPP covers what Personal Data we collect about you, how the Personal Data will be used and shared (if at all), how the Personal Data will be stored, and your rights in relation to the collection of your Personal Data during, before, or after your employment with the ENTITY. It also describes how you can access, modify, and if needed, request deletion of your Personal Data. This RPP also covers how your Personal Data is handled by our third-party data processors.

DEFINITIONS

APPLICABLE COMPANY: This RPP is applicable to the ENTITY listed above.

ENTITY: For the purposes of this RPP, we will refer to the Company as the ENTITY, we, our, or us.

EMPLOYEE: This RPP applies to the Personal Data of all individuals who seek to be, are, or were employed by the ENTITY. These individuals shall be referred to as Employee or Employees. When we refer directly to you, as the Employee, we’ll refer to you as you, as well as through second-person pronouns such as your and yours.

PERSONAL DATA: “Personal Data” means information that we obtain from you in connection with your potential, current, or past employment with us that can identify you. For the purposes of this RPP, Personal Data is any information about an identifiable Employee who seeks to be, is, or was employed by the ENTITY. Personal Data does not include any data that is anonymised or that cannot identify you in any way.

CONTACT INFORMATION

The best way to contact us is via our Human Resources Department or our Data Protection Officer (Mark Finocchiaro) via the COMMUNICATIONS OPTIONS below.

You may contact us for any questions you have about the handling and processing of your Personal Data. You may also contact us to have access to your Personal Data or any other request. If you are unsatisfied with the handling of your Personal Data, you may make a complaint with the relevant data protection authority.

COLLECTION OF PERSONAL DATA

We collect different types of Personal Data in different ways. Some of the Personal Data gathered is automatic (through technologies which give us information about you), and some of the information is given by you directly to us.

In order to ensure that we are meeting our responsibilities and duties as your employer or prospective employer, we collect, process, and maintain different types of Personal Data in regard to those individuals who seek to be, are, or were employed by us, including, but not limited to:

  • Gender
  • Marital status, for the purpose of ascertaining and distributing benefits such as health insurance
  • Dependant status, for the purpose of ascertaining and distributing benefits such as health insurance
  • Date of birth
  • General contact information, such as address, telephone number, and email
  • Resumes that you provide and/or application(s) that you fill out and provide to us
  • Your start date
  • Your job title
  • The location where you are working
  • Any training or education programs you undertake through us
  • Professional or personal references
  • Company policies and employment forms signed by you
  • Payroll Information: This includes, but is not limited to, tax forms, your social security number, bank account information, additional direct deposit Information, and your photo ID. If, at any point, your payroll information changes, you will be required to fill out updated payroll forms. These forms will be kept in your file along with any previous payroll forms that you have given the ENTITY.
  • Forms that contain any information relating to your personal employee benefits, health care plans, insurance policies and the like.
  • Beneficiary information
  • The contact information of the individual that you list to be first notified in the event of an emergency. This includes phone numbers, addresses, and any other personally identifying information for that individual.
  • Assessments, evaluations, performance reviews, training completion rates, and training scores.
  • Any monetary raises, bonuses, stock information, retirement information, commissions, overtime rate, salaried rate and/or regular hourly rate.
  • Any requested time off, accrued paid time off, tardiness, or requests to leave before the scheduled end of your workday.
  • Grievances, including complaints made by fellow employees or clients or customers, corrective action plans for inappropriate behaviour and write-ups.
  • Accolades, including recommendations, awards, or other instances of recognition for quality work.
  • Letter of resignation, if received by the ENTITY
  • Letter of termination, if given by the ENTITY
  • Other personal details you voluntarily provide to us
  • Other personal details you are required to provide us as required by law or to serve the legitimate interests of the ENTITY

USE OF PERSONAL DATA

We use the information that we collect about you to effectively run our business and to help us provide a pleasant, safe, and productive work environment for you.

We also use Personal Data to:

  • Accurately process payroll
  • Enroll insurance policies
  • Manage and plan our business
  • Send out business mailings
  • Conduct employee reviews
  • Handle internal disputes or grievances
  • Analyse your qualifications
  • Manage employee stocks
  • Process any claims you bring
  • For internal accounting
  • Oversee your work
  • Put you through education or training
  • Generally, comply with applicable law
  • Manage your compliance with data privacy

We only process your Personal Data where we are permitted by law or required to do so, including where we must process Personal Data for your employment with us, where we have a legal obligation to do so as your employer, for legitimate business purposes, to protect your vital interests, or if we have your consent to do so. We may, though, have to process your Personal Data without your consent or knowledge, but only when required to do so by law. We won’t make any decisions based on the automated processing of Personal Data without your consent.

We also process your Personal Data to prevent fraud and ensure the security of all aspects of our business.

SPECIAL CATEGORIES OF PERSONAL DATA

We may collect certain categories of sensitive data, as defined under relevant applicable law. If you are asked for any of these categories of data, you may request the purpose for which the data is required and refuse to provide it, if desired. We collect and process the following sensitive Personal Data only through voluntary disclosure for our legitimate business purposes, including to carry out any legal obligations and responsibilities as needed and required.

  • Racial origin
  • Ethnic origin
  • Religious or spiritual beliefs
  • Political opinions
  • Criminal background
  • Sexual orientation
  • Health data
  • Biometric data
  • Genetic data
  • Trade union membership

If we collect other categories of sensitive Personal Data not described here, we will seek your prior express consent.

DATA SHARING

We only share your Personal Data with those individuals and entities who assist in fulfilling our responsibilities within the employment relationship with you, or when required to do so by applicable law (collectively, “Third-Party Service Providers”). These Third-Party Service Providers include, but are not limited to, the website through which you submitted your employment application (if applicable), security personnel companies, payroll information and pay stub viewing applications and companies, scheduling programs, processing systems, company insurance providers and others similarly situated to assist in the employment relationship.

We use these Third-Party Service Providers to help us operate the ENTITY, but we’ll never share your Personal Data other than as described here without your explicit consent. Personal Data will only be disclosed if such Third-Party Service Providers agree to ensure an adequate level of protection of your Personal Data that is consistent with this Privacy Policy. Please note that the Third-Party Service Providers that we utilise will access your Personal Data only on an “if needed” basis as a part of their partnerships with us and with Third-Party Agreements in place. If you have any questions as to how these Third-Party Service Providers handle your Personal Data, you may contact them or us.

In certain cases, we may have to disclose your Personal Data to third parties without your consent or prior knowledge. We limit that disclosure to the following circumstances.

  • To protect our legal rights
  • To satisfy any Local Laws, State Laws, Federal Laws and International Laws or regulations
  • To respond to requests, such as discovery, criminal, civil, or administrative process, subpoenas, court orders, or writs from law enforcement or other governmental or legal bodies
  • To bring legal action against an Employee who has violated the law
  • In the case of any business transfer, sale, or transfer of assets of the ENTITY
  • To generally cooperate with any lawful investigation about our past, present, or potential employees
  • If we suspect any fraudulent activity within or in relation to the ENTITY, or if we have noticed any activity which may violate our ethics, guidelines, or other applicable rules
  • If you have breached any data privacy regulations

DATA TRANSFER

We are based in Australia, specifically in the state of Victoria. In other words, your Personal Data may be transferred from the location in which you reside to our physical location in Australia. It may also be transferred to third parties, as described above, located in Australia and abroad. The risks of transferring data outside of your jurisdiction to Australia include the possibility of data breaches and loss. Before beginning employment, we ask you to specifically consent to the transference of your Personal Data to Australia. We will continue to process your Personal Data in the manner described herein, and if we change anything about how we handle your Personal Data, including the international transfer of your Personal Data, we will seek your explicit consent again.

DATA STORAGE AND SECURITY

We only store your Personal Data as long as it is necessary for providing you with the benefits and protections that employment with us entails or until you cease your employment with us and request deletion of your data. We may also store your Personal Data for any applicable legal record-keeping, including after the termination of your employment or for additional business purposes (e.g., maintaining our accountancy records or otherwise maintaining the safety and security of our ENTITY, for a time period permitted by applicable law).

We employ organisational and technical security measures to protect your Personal Data, such as limiting access to your Personal Data, secured networks, and encryption. We ensure that your Personal Data is protected against unauthorised access, disclosure, or destruction by utilising practices that are consistent with standards in the industry to protect your privacy.

Please note, however, that no system involving the transmission of information via the Internet or the electronic storage of data is completely secure, no matter what reasonable security measures are taken. Although we take the protection and storage of your Personal Data very seriously, and we take all reasonable steps to protect your Personal Data, we cannot be responsible for data breaches that occur outside of our reasonable control. We will, however, follow all applicable laws in the event a data breach occurs, including taking reasonable measures to mitigate any harm as well as notifying you of such breaches as soon as possible.

We the ENTITY are committed to maintaining an ongoing path to compliance at all times.

APPLICATION RETENTION PERIOD

If your application for employment is unsuccessful, the ENTITY will hold your data on file for 6 (six) months after the end of the relevant recruitment process. If you agree to allow us to keep your personal data on file, we will hold your data on file for a further 6 (six) months for consideration for future employment opportunities. At the end of that period, or once you withdraw your consent, your data is deleted or destroyed.

If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your Human Resources file (electronic and paper based) and retained during your employment. The periods for which your data will be held will be provided to you in a new privacy notice.

YOUR RIGHTS

You have the right to access your Personal Data and to correct, amend, or delete it if it is inaccurate or has been processed in violation of this Privacy Policy, except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to your privacy, or where the rights of other people would be violated. To exercise any of these rights, you can contact us, or you can do it directly via your own compliance dashboard if you are actively employed by us, the ENTITY.

You may also contact us to restrict the sharing of your personal data with third parties, in compliance with the local, state, national or other data privacy laws under which you are protected as a data subject.

If the Personal Data we collect, covered by this Privacy Policy, is to be used for any purpose materially different from the purpose described here or disclosed to a third party not acting as our agent, in a manner other than as disclosed here, we’ll always give you an opportunity to opt-out of this materially different use or disclosure.

DATA PROTECTION OFFICER (DPO)

The Data Protection Officer we have appointed for you to contact in the event of questions or complaints regarding this Privacy Policy is Mark Finocchiaro. You can contact our DPO via the COMMUNICATION OPTIONS listed below.

We are committed, as far as is humanly possible, to upholding the highest standards when it comes to protecting your personal data and doing the right thing by YOU, as we would expect others to do the right thing by US as individuals.

Perfection is something we strive for and is part of our culture. In saying that, we are also human and no doubt will make mistakes. When we do, you will be able to view them via our recorded breaches which you can view via the COMMUNICATIONS OPTIONS provided below.

Being a member of GDPA provides us with the knowledge and tools to continually work towards being compliant with the protection you would expect from us.

If you identify any shortfalls we may have, we invite you to contact us directly via the COMMUNICATIONS OPTIONS provided below, and we will come back to you within the shortest possible time-frame during our business hours and work towards correcting the matter and/or clarifying any doubt you may have.


DATA SUBJECT REQUESTS



COMMUNICATION OPTIONS


You can contact us via traditional post directly to our appointed GDPR Registrar acting on our behalf as our registered European GDPR Secretariat.

Our GDPR Secretariat’s duties are to review your submission and forward it to us, where we will take the necessary steps to answer you accordingly, in line with the GDPR Regulations and the protection of your personal data.

Please address the mail as follows:

BUSINESS PHONE NUMBER GLOBAL

☎ International: +61 1300 464372
☎ National: 1300 GOGDPA or 1300 464372

BUSINESS PHONE NUMBER EUROPE

☎ International: +30 21 0300 4376
☎ National: 21 0300 4376

BUSINESS HOURS

★ Monday to Friday
★ 9am to 5pm
★ Excluding Public Holidays