The purpose of this Policy is to:
- Promote transparency and accountability, and foster a privacy and data protection culture across the Group;
- Ensure compliance with the General Data Protection Regulation (GDPR) and all other privacy and data protection legislation in the countries where we operate;
- Ensure employee confidence and compliance in their Processing of Personal Data, and that employees are fully informed and aware of their responsibilities and obligations; and
- Provide confidence to the Group’s customers and suppliers that their Personal Data is being well managed and ensure Data Subjects know how they can access it.
In the course of our business we may need to Process your Personal Data and this Policy details what information is collected and how it is collected, disclosed, protected, used and for how long it is stored and for what purposes and with whom it is shared. We also advise how you may request access to your Personal Data and how to make a complaint.
BAI Group is the data controller in relation to the Processing activities described below. This means that we decide why and how your Personal Data is Processed.
We are committed to protecting your privacy and Processing your Personal Data fairly and lawfully in compliance with the GDPR and all other privacy and data protection legislation in the countries where we operate. If you have any questions about this statement or our privacy practices, please contact our Privacy Officer on the contact details set out below.
This Policy may change from time to time so please check this page occasionally to ensure that you’re happy with any changes.
“Data Subject” means any individual person who can be identified, directly or indirectly, via an identifier such as a name, an ID number, location data, or via factors specific to the person’s physical, physiological, genetic, mental, economic, cultural or social identity;
“Personal Data” is any data which lets you identify a living individual. Personal Data can be factual (for example, a name, a personal email address, phone number or date of birth) or it can be an opinion about that person, their actions or behaviour. If you can’t use a piece of data to identify an individual, but can combine it with other data we hold to identify an individual then all of that data is Personal Data;
“Process/Processing” of Personal Data means almost any handling or use of Personal Data, including (but not limited to) collection, recording, organisation, storage, modification, transfer and deletion;
“Special Categories of Personal Data” relate to racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the Processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning an individual’s sex life or sexual orientation.
This Policy applies to all our BAI Group offices and to all people who handle work for any office, or any associated entities including directors, employees and all temporary or contract staff, secondees and consultants whether or not they are employed by BAI and irrespective of length of service or duration of contract.
5 RELATED DOCUMENTS
5.1 Please also refer to our:
- Employee Privacy Notice;
- Information Security Policy Statement;
- Intra-Group Data Processing Agreement;
- Data Protection Impact Assessment; and
- Subject Access Request Procedure;
which are located on our Policy Portal Intranet.
6 HOW WE COLLECT PERSONAL DATA
6.1 We may collect Personal Data directly from you when you:
- Make an enquiry or contact us during the ordinary course of business such as by online enquiry, email, phone or by letter;
- Apply to us for a job vacancy;
- Purchase or request products or services from us;
- Use our website;
- Use our social media accounts, e.g. via Facebook, LinkedIn or Twitter;
- Notify us of a data breach or make a complaint; and
- Complete any surveys we contact you about.
6.2 We may also collect Special Categories of Personal Data when we:
- Manage our operations;
- Comply with our statutory obligations; or
- Liaise with third parties who have authority to provide us with your Personal Data such as your employer in certain circumstances.
7 TYPES OF PERSONAL DATA WE COLLECT ABOUT YOU
7.1 We typically Process the following types of Personal Data about you:
- Your name, home address, personal email address and personal phone number;
- Your work email address and other work contact details;
- Your role, industry, location, position and/or job title within your employment;
- Your area of employment (e.g. marketing, sales, procurement);
- Details of your visits to our premises; and
- Details of transactions you carry out with us in the course of business or through our website.
8 HOW WE USE YOUR PERSONAL DATA
8.1 We will Process your Personal Data in connection with the management of our relationship with you for the following purposes:
- to provide you or your employer with requested products or services;
- for account management purposes and to keep in touch with you about requested products or services;
- to identify persons authorised to trade on behalf of our Customers, Suppliers and/or Service Providers;
- for administrative purposes in relation to the security and access of our systems, premises, platforms and secured websites and applications;
- to comply with our legal and regulatory obligations and requests anywhere in the world, including reporting to and/or being audited by national and international regulatory bodies;
- for monitoring and assessing compliance with our policies and standards;
- to comply with court orders and exercise and/or defend our legal rights; and
- as otherwise permitted or required by any applicable law or regulation.
9 HOW WE LAWFULLY PROCESS YOUR PERSONAL DATA
9.1 We will only Process your Personal Data where:
- you have given your consent to such Processing; and in relation to Special Categories of Personal Data we will always obtain your specific informed consent. We will always obtain your explicit consent for marketing activities, in order to contact you by email or text with marketing information about our products and services (except where we may rely on legitimate commercial interests as described below). Please see the Marketing section (section 16) below in this Policy. You may withdraw your consent for us to use your Personal Data at any time. Please see section 13 on withdrawing your consent for further details; or
- the Processing is necessary to provide our services such as when we are providing you with any of our products and services; or
- the Processing is necessary for compliance with our legal obligations, such as:
  - to identify you when you contact us;
  - to verify the accuracy of data we hold about you; and/or
  - to comply with a request from you in connection with the exercise of your rights; or
- the Processing is necessary for our legitimate commercial interests or those of any third-party recipients that receive your Personal Data, such as:
  - operating and managing contracts with our suppliers and service recipients;
  - for the establishment and defence of our legal rights; and
  - to assess and process applications from job applicants.
10 WHO MIGHT WE SHARE YOUR PERSONAL DATA WITH?
10.1 We do not and will not sell, rent out or trade your Personal Data. We will only disclose your Personal Data in the ways set out in this Policy and, in particular, to the following recipients:
- to any of our Group Companies (in accordance with our Intra-Group Data Processing Agreement or any other relevant intra-company policies and procedures);
- to our third-party service providers, agents, subcontractors and other organisations for the purposes of providing services to us or directly to you on our behalf (for example cloud services providers, hosting, email and content providers, marketing agencies (if you have given your consent to this) and administrative services providers);
- to any third party to whom we assign or novate any of our rights or obligations;
- to any prospective buyer in the event we sell any part of our business or assets; and/or
- to any government, regulatory agency, enforcement or exchange body or court where we are required to do so by applicable law or regulation or at their request.
10.2 When we use third party service providers, we only disclose to them any Personal Data that is necessary for them to provide their service and we have a contract in place that requires them to keep your information secure and not to use it other than in accordance with our specific instructions.
11 HOW WE PROTECT YOUR PERSONAL DATA
11.1 We are committed to safeguarding and protecting your Personal Data and we have implemented and maintained appropriate technical and organisational measures to ensure a level of security appropriate to protect any Personal Data provided by you to us from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise Processed. This is set out in our Information Security Policy.
12 HOW DO WE PROTECT YOUR PERSONAL DATA IF WE SEND IT OVERSEAS?
12.1 The Personal Data we collect from you may be transferred to (including accessed in or stored in) a country or territory outside the European Economic Area (“EEA”), [including to countries whose laws may not offer the same level of protection of Personal Data as are enjoyed within the EEA]. We will ensure that any such international transfers are made subject to appropriate or suitable safeguards as required by the GDPR. These safeguards include imposing contractual obligations on the recipient of your Personal Data or ensuring that the recipients are subscribed to ‘international frameworks’ that aim to ensure adequate protection. Copies of the relevant safeguard documents may be requested from our Privacy Officer whose contact details are set out below.
13 YOUR RIGHTS IN RELATION TO THE PERSONAL DATA WE COLLECT
13.1 Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for Processing your Personal Data, and we set these out below:
- You have the right to ask us for copies of your Personal Data. This right always applies. There are some exemptions, which means you may not always receive all the information we Process. Please see our Subject Access Request Procedure and Form located on our Policy Portal Intranet;
- You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies;
- You have the right to ask us to erase your Personal Data in certain circumstances. Unless there is a reason that the law allows us to use your Personal Data for longer, we will make reasonable efforts to comply with your request;
- You have the right to ask us to restrict the Processing of your Personal Data where you believe it is unlawful for us to do so, you have objected to its use and our investigation is pending or you require us to keep it in connection with legal proceedings. In these situations, we may only Process your Personal Data whilst its Processing is restricted if we have your consent or are legally permitted to do so, for example for storage purposes, to protect the rights of another individual or company or in connection with legal proceedings;
- Where we rely on our legitimate business interests as the legal basis for Processing your Personal Data for any purpose(s), as outlined under section 9 on how we may lawfully Process your Personal Data, you may object to us using your Personal Data for these purposes by emailing or writing to us at the address at the end of this Policy. Except for the purposes for which we are sure we can continue to Process your Personal Data, we will temporarily stop Processing your Personal Data in line with your objection until we have investigated the matter. If we agree that your objection is justified in accordance with your rights under data protection laws, we will permanently stop using your data for those purposes. Otherwise we will provide you with our justification as to why we need to continue using your data;
- You may object to us using your Personal Data for direct marketing purposes and we will automatically comply with your request. If you would like to do so, please email or write to us at the address at the end of this Policy;
- You have the right to object to Processing if we can Process your Personal Data because the Process forms part of our public tasks, or is in our legitimate interests;
- You have the right to ask that we transfer the Personal Data you gave us from one organisation to another or give it to you. The right only applies if we are Processing Personal Data based on your consent or under, or in talks about entering into, a contract and the Processing is automated.
You can ask us to send your Personal Data directly to another service provider, and we will do so if this is technically possible. We may not provide you with a copy of your Personal Data if this concerns other individuals or we have another lawful reason to withhold that information.
You are not required to pay any charge for exercising your rights. We have one month to respond to you.
Please contact our Privacy Officer on the contact details below in relation to any of the above rights.
- Where we rely on your consent as the legal basis for Processing your Personal Data, as set out under section 9 on how we lawfully Process your Personal Data, you may withdraw your consent at any time by contacting our Privacy Officer using the details at the end of this Policy.
If you would like to withdraw your consent or object to receiving any direct marketing to which you previously opted-in, you can do so using the unsubscribe tool in that communication (if it is an email), or by writing to us or calling our Privacy Officer using the contact details at the end of this Policy. If you withdraw your consent, our use of your Personal Data before you withdraw is still lawful.
If you have provided consent for your details to be shared with a third party, and wish to withdraw this consent, please also contact the relevant third party in order to amend your preferences.
14 HOW LONG WILL WE HOLD YOUR PERSONAL DATA FOR?
14.1 We will only retain your Personal Data for as long as necessary to fulfill the purpose for which it was collected or to comply with legal, regulatory or internal policy requirements.
15 LINKS TO OTHER WEBSITES
16 OUR MARKETING
16.1 We may Process your preferences to receive marketing information directly from us by email and text in the following way:
- If you place an order with us for a product or service, we may contact you with marketing information in the ways mentioned in the notices presented to you as part of that transaction, except where you indicate you would prefer otherwise.
16.2 If you do not complete a purchase and have not indicated that you would prefer otherwise, we may remind you by phone or email about your incomplete purchase.
16.3 From time to time, we may ask you to refresh your marketing preferences by asking you to confirm that you want to continue receiving marketing information from us.
16.4 We may contact you with marketing information by post and telephone by using your Personal Data or with targeted advertising delivered online through social media and platforms operated by other companies using their profiling tools or use your Personal Data to tailor marketing to improve its relevance to you, unless you object.
16.5 You can amend your marketing preferences at any time by contacting our Privacy Officer using the contact details at the end of this Policy.
17 THIRD PARTY MARKETING
17.1 We will only share your Personal Data with our third-party partners for them to contact you directly with marketing information about their products and services where you have indicated to us that you would like us to do so.
17.3 You have the right to opt out of our use of your Personal Data to provide marketing to you in any of the ways mentioned in this Policy. Please also see section 13 on withdrawing your consent and on objecting to our use of your Personal Data and automated decisions made about you.
18.1 We may change or update parts of this Policy in order to maintain our compliance with applicable law and regulation or following an update to our internal practices. Any changes will be notified to you by posting an updated version on our website. Therefore, please ensure that you regularly check this Policy, so you are fully aware of any changes or updates.
19 HOW YOU CAN CONTACT US
19.1 If you have any queries about the contents of this Policy, or wish to inform us of a change or correction to your Personal Data, would like a copy of the Personal Data we collect on you or would like to raise a complaint or comment, please contact our Privacy Officer using the details set out below:
BAI Communications Pty Limited
Address: Level 10, Tower A, 799 Pacific Highway, Chatswood, NSW 2067, AUSTRALIA
20 WHO ELSE YOU CAN COMPLAIN TO:
20.1 We would like to be able to resolve all your concerns, and we hope that we can do so. Where we have not been able to do this, you have the right to contact the appropriate data protection regulator if you consider that we have breached your data protection rights.
The contact details of the appropriate data protection regulator for Australian complaints are:
The contact details of the appropriate data protection regulator for UK complaints are: