GDPR Privacy Policy - Template, Sample Form to Fill out Pro · AU-law

Valid in Australia · drafted to comply with local law

Create your GDPR Privacy Policy - Template, Sample Form to Fill out for use in Australia. Answer a few plain-English questions and the document fills in automatically as you go — then download it in Word and PDF, ready to sign or share. This version has been professionally rewritten to comply with local law.

  • Answer 16 simple questions — the document fills in as you go
  • Live preview: watch your document update in real time
  • Download as Word (.docx) and PDF
  • Edit your answers and re-download anytime

PRIVACY POLICY FOR WEBSITE

________

Effective Date: ________

This privacy policy (the "Privacy Policy") explains how we handle your personal information when you access or use our website located at ________ (the "Website").

The Website is owned and operated by ________ (ABN ________) of ________ ("we", "us" or "our").

We are committed to protecting your privacy and to handling your personal information in accordance with the Privacy Act 1988 (Cth) (the "Privacy Act"), the Australian Privacy Principles (the "APPs") contained in Schedule 1 to the Privacy Act, and, where applicable, the Spam Act 2003 (Cth). We urge you to read this Privacy Policy carefully because it contains important information about:

- who we are;
- how and why we collect, hold, use and disclose personal information;
- your rights in relation to your personal information; and
- how to contact us and the relevant regulator should you have a complaint.


(1) INTERPRETATION

(a) In this Privacy Policy, unless the context otherwise requires, the following rules of interpretation apply:


(2) WHO WE ARE

(a) ________ owns and operates this Website. We collect, hold, use and are responsible for certain personal information about you. When we do so we are regulated under the Privacy Act and the APPs.

(b) To the extent that we offer goods or services to, or monitor the behaviour of, individuals located in the European Union or the United Kingdom, we may also be subject to the General Data Protection Regulation ((EU) 2016/679) ("GDPR") and the UK GDPR, and may act as a "controller" of personal data for the purposes of those laws.


(3) THE INFORMATION WE COLLECT AND USE, HOW WE COLLECT IT, AND WHY

(a) The kinds of personal information we collect may include your name, contact details (including email and postal address), account login details, transaction and payment information, and technical information such as your IP address, device information and browsing activity. The specific information we collect includes: ________

(b) We generally collect personal information directly from you, including when you complete forms on the Website, make an enquiry or purchase, subscribe to communications, or otherwise interact with us. We may also collect information automatically through cookies and similar technologies, and from third parties such as our service providers.

(c) We collect, hold and use your personal information for the following purposes: ________, and otherwise to operate, improve and personalise the Website and your user experience, to respond to your enquiries, to fulfil orders, and to comply with our legal obligations.

(d) In accordance with APP 3, we will only collect sensitive information about you with your consent, unless an exception under the Privacy Act applies.

Vulnerable users

(I) We may collect information from specific categories of users who may be particularly vulnerable, including: ________.

(II) Information collected from vulnerable users under this clause is collected for the purpose of helping us to improve the Website and your user experience.

(III) Information collected from vulnerable users under this clause is collected, used and, where applicable, disclosed in accordance with the general provisions of this Privacy Policy.


(4) WHETHER YOU HAVE TO PROVIDE PERSONAL INFORMATION, AND IF SO WHY

(a) Where lawful and practicable, you have the option of not identifying yourself, or of using a pseudonym, when dealing with us, in accordance with APP 2.

(b) You may choose not to provide personal information to us. However, if you do so, some features of the Website may not function as intended and we may be unable to provide you with certain goods or services.


(5) INFORMATION YOU RELEASE

(a) You acknowledge and agree that if you publish or submit personal information in publicly accessible sections of the Website (such as forums, bulletin boards, chat rooms or similar features), you are solely responsible for the release of that personal information and we are not liable for it, to the extent permitted by law.


(6) DIRECT MARKETING AND EMAIL OPT-OUT

(a) In accordance with APP 7 and the Spam Act 2003 (Cth), we will only use or disclose your personal information for direct marketing purposes where permitted by law. Each commercial electronic message we send will contain a functional unsubscribe facility.

(b) If you receive a communication from us in relation to the Website and would prefer not to receive such communications in the future, you may follow the unsubscribe instructions in the message or contact us using the details at the end of this Privacy Policy. We will use all reasonable efforts to comply promptly with your request, although you may receive subsequent communications while your request is being processed.


(7) COMBINING INFORMATION

(a) We may combine, link or aggregate some of your information to better understand your requirements, to improve the Website and to assist with our business or administrative requirements.

(b) We may share aggregated information with third parties, but only where that aggregated information does not contain any information that identifies you personally.


(8) WHO YOUR INFORMATION MAY BE SHARED WITH

(a) We may disclose your personal information to law enforcement agencies and government authorities in connection with any investigation, or where required or authorised by or under an Australian law or a court/tribunal order.

(b) We may disclose some of your personal information to third party service providers so that they can help us serve you, including for information storage (such as cloud storage), data analytics and usage tracking, hosting, order fulfilment and advertising.

(c) Where we use third party analytics or tracking services, we may collect information such as the source of page requests, the dates and times of page requests, details of referring websites and other details about your usage of the Website. This helps us understand usage patterns and improve the Website.

(d) We may allow third parties to advertise on the Website. These third parties may use cookies in connection with their advertisements (see the "Cookies and similar technologies" provisions referred to in this Privacy Policy).

(e) We only disclose your personal information to a third party service provider where that provider agrees to handle your personal information consistently with this Privacy Policy and the APPs.

(f) Notwithstanding the other provisions of this Privacy Policy, we may disclose your personal information to a third party in order to protect the rights, property or safety of us, our customers or third parties, or as otherwise required or authorised by law.

(g) We will not otherwise knowingly disclose your personal information to any third party other than in accordance with this Privacy Policy.

(h) We will not sell or rent your personal information, and we will not use or disclose it for direct marketing purposes other than as permitted under clause (6).


(9) RELATED ENTITIES

(a) We may share your personal information with any of our parent companies, subsidiary companies, affiliates or other trusted related entities.

(b) We only share your personal information with a related entity where that entity agrees to handle your personal information consistently with this Privacy Policy and the APPs.


(10) HOW LONG YOUR PERSONAL INFORMATION WILL BE KEPT

(a) We will retain your personal information for the following periods:

________

(b) We will only keep your personal information, in a form that permits your identification, for as long as is necessary for the purposes described in this Privacy Policy, or as required or authorised by law.

(c) In accordance with APP 11.2, where we no longer need your personal information for any purpose for which it may be used or disclosed, and we are not required by law or a court/tribunal order to retain it, we will take reasonable steps to destroy the information or to de-identify it.


(11) LAWFUL BASIS FOR COLLECTING AND USING YOUR PERSONAL INFORMATION

(a) Under the Privacy Act and the APPs, we collect and handle personal information that is reasonably necessary for, or directly related to, one or more of our functions or activities.

(b) Where the GDPR or UK GDPR applies, we rely on one or more of the following lawful bases to collect and use your personal information:

- consent: you have given consent to the processing for one or more specific purposes;
- contract: the processing is necessary for the performance of a contract with you or to take steps at your request prior to entering a contract;
- legal obligation: the processing is necessary for us to comply with the law;
- vital interests: the processing is necessary to protect someone's life;
- legitimate interests: the processing is necessary for our legitimate interests (or those of a third party), except where overridden by your interests or fundamental rights and freedoms.


(12) MERGER, RESTRUCTURE OR SALE OF OUR BUSINESS

(a) Part or all of our business may be merged, restructured or sold, including through a sale of business or shares, a corporate reorganisation, a change in control, or bankruptcy or insolvency proceedings.

(b) In such an event, we may transfer your personal information as part of that transaction, in which case we will require the recipient to handle your personal information consistently with this Privacy Policy and the APPs.


(13) KEEPING YOUR INFORMATION SECURE

(a) By continuing to use the Website, you acknowledge that no transmission of information via the internet, or electronic storage of data, is completely secure. While we take the protection of your personal information very seriously, we do not guarantee the security of any information you transmit to us, and you do so at your own risk.

(b) In accordance with APP 11, we take reasonable steps to protect your personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. We limit access to your personal information to those who have a genuine business need to access it, and those persons are subject to a duty of confidentiality.

(c) We use technical and organisational measures to keep your personal information secure.

(d) We have procedures in place to deal with any suspected data breach. In accordance with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act, where an eligible data breach occurs that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner as soon as practicable.

(e) If you have any particular concerns about the security of your information, please contact us using the details below.


(14) DISCLOSURE OF YOUR INFORMATION TO OVERSEAS RECIPIENTS

(a) Our business is based in Australia.

(b) In addition to handling your information within Australia, we may disclose your personal information to recipients located in the following countries:

________

(c) In accordance with APP 8, before disclosing personal information to an overseas recipient, we will take such steps as are reasonable in the circumstances to ensure that the recipient does not breach the APPs in relation to that information, unless an exception under the Privacy Act applies (for example, where you consent to the disclosure after we expressly inform you that APP 8.1 will no longer apply).

(d) We may store your information in cloud or networked storage that is accessible from various countries via the internet, which means it is not always practicable to determine the countries in which your information may be stored or accessed.

(e) Where the GDPR or UK GDPR applies and we transfer your personal data outside the United Kingdom or the European Economic Area ("EEA"), we will only do so with appropriate safeguards in place, including: (i) transfers to a country recognised by the European Commission (or the UK authorities) as providing an adequate level of protection; (ii) the use of standard data protection (model) clauses; (iii) binding corporate rules; or (iv) another lawful transfer mechanism recognised under the GDPR or UK GDPR.

(f) For more information about our overseas disclosures or the safeguards we apply, please contact us as described below.


(15) ACCESSING, UPDATING AND CORRECTING YOUR PERSONAL INFORMATION

(a) We are committed to ensuring that any personal information we hold about you is accurate, complete, up to date and relevant, in accordance with APP 10.

(b) In accordance with APP 12, you have the right to request access to the personal information we hold about you. We will respond to your request within a reasonable period and will give access in the manner requested where reasonable and practicable.

(c) In accordance with APP 13, you have the right to request that we correct any personal information we hold about you that is inaccurate, out of date, incomplete, irrelevant or misleading. We will take reasonable steps to correct it.

(d) We will not charge you for making a request to access or correct your personal information, although we may charge a reasonable fee for giving access (but not for making the request itself).

(e) If we refuse to give access or to correct your personal information, we will give you written reasons for the refusal (except to the extent it would be unreasonable to do so) and information about how to complain.

(f) To request access to, or correction of, your personal information, please contact us using the details at the end of this Privacy Policy.


(16) YOUR RIGHTS IN RELATION TO YOUR PERSONAL INFORMATION (GDPR/UK GDPR)

(a) Where the GDPR or UK GDPR applies, and subject to certain exceptions and conditions, you have a number of additional rights in relation to your personal information, including:

(b) If you would like to exercise any of these rights, please contact us using the details at the end of this Privacy Policy. When contacting us, please provide enough information to identify yourself (and any additional identity information we may reasonably request) and let us know which right you wish to exercise.

(c) You will not have to pay a fee to access your personal information or to exercise any of the other rights. However, we may charge a reasonable fee, or refuse to comply, if your request is clearly unfounded, repetitive or excessive.

(d) We try to respond to all legitimate requests within one month. If your request is particularly complex or you have made a number of requests, it may take longer, in which case we will notify you and keep you updated.

(e) Please keep us informed if your personal information changes during the period for which we hold it.


(17) GOVERNING LAW

This Privacy Policy is governed by the laws of ________, Australia, and each party submits to the non-exclusive jurisdiction of the courts of that State or Territory and the courts competent to hear appeals from them.


(18) HOW TO COMPLAIN

(a) We take privacy complaints very seriously. If you have a complaint about how we have handled your personal information, please contact us using the details at the end of this Privacy Policy. Your complaint should be made in writing and should describe the nature of your complaint, including any relevant dates, the people involved, any consequences that have occurred, and what you believe should be done to resolve the issue.

(b) Our complaints handling procedure is, in summary, as follows:

(I) Your complaint will be referred to our privacy/complaints officer for review. We aim to acknowledge complaints within 7 days of receipt. We may contact you for further information if required.

(II) We will investigate your complaint and aim to provide a written response within 30 days of receiving all relevant information. If we accept fault, we will propose a resolution; if we do not, we will advise you and explain our reasons.

(III) If you are not satisfied with our response, you may refer your complaint to the Office of the Australian Information Commissioner ("OAIC") at GPO Box 5288, Sydney NSW 2001, by telephone on 1300 363 992, or online at https://www.oaic.gov.au.

(IV) Where the GDPR or UK GDPR applies, you also have the right to lodge a complaint with a supervisory authority, in particular in the EU/EEA state where you work, normally live, or where any alleged infringement occurred, or with the Information Commissioner's Office in the UK (https://ico.org.uk/concerns/).


(19) CHANGES TO THE PRIVACY POLICY

(a) This Privacy Policy was last updated on ________.

(b) We may amend this Privacy Policy from time to time. You should review it periodically to ensure you are aware of the most recent version that applies each time you access the Website. We will also endeavour to notify users of any material changes by:

________


(20) CONTACT US

(a) If you have any questions about this Privacy Policy or the personal information we hold about you, please contact us by:

Email: ________

Post: ________

Telephone: ________

(b) Our privacy officer is ________.

This template is general guidance only — not legal advice.