The privacy of your personal information is afforded the highest level of importance by the Codan Group of Companies (Codan Group), comprising Codan Limited (ACN 007 590 605) and each of its controlled entities.
The Codan Group is bound by the Australian Privacy Act 1988 (Cth) (Privacy Act) regarding the manner in which we handle your personal information, and we will strictly comply with all relevant legislative requirements. In addition to the Privacy Act, if you are located in the European Economic Area (EEA) (including the European Union (EU)) or in the United Kingdom (UK), the section 'European & United Kingdom Residents' below provides further information about our processing of the personal information we collect and your additional data subject rights in relation to the processing of your personal information (otherwise known as personal data) under the EU General Data Protection Regulation (2016/679) (EU GDPR) or the UK’s implementation of the EU GDPR, known as the UK GDPR (UK GDPR), by members of the Codan Group that are subject to the scope of the EU GDPR and UK GDPR.
What kinds of personal information do we collect?
In this Policy, personal information means any information about an identified individual or an individual who is reasonably identifiable or as otherwise defined by applicable data protection law. It does not include information that is de-identified (anonymous data).
We collect personal information about customers and potential customers and their personnel, suppliers and their personnel, our employees, partners, contractors, and former or prospective employees, partners and contractors, and other people who come into contact with a member of the Codan Group.
The kinds of personal information that we collect and hold include:
- your contact information, including postal and residential addresses, telephone and facsimile numbers, and email addresses;
- credit information, if a customer applies for a credit account with us;
- details of the make and model of any product you purchase from us;
- data relating to your activity on our websites via tracking technologies such as cookies;
- details of any survey responses you provide;
- bank account and tax file details; and
- for job applicants or staff, employment history, educational qualifications, reference checks, payroll information and medical information (where relevant).
How do we collect and hold personal information?
We will only collect personal information where it is reasonably necessary to do so for the conduct of our business. Any collection of personal information by us will be fair and lawful and will not be intrusive.
We will collect personal information about you in the following ways:
- if you provide your information by telephone, post, email or facsimile, or in person (such as at industry events and Trade Shows);
- if you contact us via email or submit your information through one of our websites;
- if you purchase products from us, or require us to provide services to you; and/or
- if you enter a competition run by us or on our behalf by a third party service provider.
If it is reasonable and practical to do so, we will collect personal information about you only from you. In the course of operating our business, however, we may collect personal information about you that is publicly available or from third parties (such as online search tools, publicly available registers and from our suppliers, advertisers, mailing lists, recruitment agencies, contractors and business partners). We will do this where we cannot contact you and need to update your contact details, or where we need information about individuals from third parties to help us provide our services to customers.
If we collect personal information about you from a third party we will, where appropriate, request that the third party inform you that we are holding such information, how we will use and disclose it, and that you may contact us to gain access to and correct and update the information.
When we collect personal information from you, we will take reasonable steps to notify you or ensure you are aware of:
- the Codan Group entity which is collecting your personal information, and their contact details;
- that we have collected your personal information, and whether that collection is required or authorised by law;
- the purposes of collection;
- the consequences if personal information is not collected (such as if this will affect our ability to provide products or services to you);
- our usual disclosures of personal information of the kind collected;
- whether we are likely to disclose personal information to overseas recipients, and if practicable, the relevant countries in which they are located; and
- any other information we are required by law to provide to you.
How do we hold personal information?
We will hold personal information as physical records, records on our servers and, in some cases, records on third party servers, which may be located overseas.
We take active steps to hold all hard copy and electronic records of personal information in a secure manner to ensure that they are protected from misuse, interference and loss, and unauthorised access, modification or disclosure.
We have procedures in place to destroy or de-identify personal information once it is no longer needed for a valid purpose or required to be kept by law.
Purposes for which we collect, hold, use and disclose personal information
In general, members of the Codan Group will collect, hold, use and disclose personal information for the purposes of providing or offering goods and services to you.
By providing us with your personal information, you consent to us using and disclosing your personal information for the following purposes:
- providing goods and services to you;
- providing you with news and information about our products and services;
- sending you marketing and promotional material that we believe you may be interested in, either from any of our related entities or a third party business which we consider may be of interest to you;
- personalising your experience with our products and services, for example, via connectivity with social media services;
- conducting competitions or promotions on behalf of us and selected third parties;
- allowing us to run our business and perform administrative and operational tasks;
- for job applicants, assessing your eligibility for employment within the Codan Group; and
- disclosing that information to third parties (such as our agents, contractors and suppliers) to undertake the above purposes on our behalf.
You may opt out of receiving marketing and promotional material from the Codan Group at any time by contacting our Privacy Officer.
There may be circumstances in which we are authorised or required by law to use or disclose your personal information. For instance:
- A number of laws require the provision of personal information to third parties, including the Australian Corporations Act 2001 (Cth). The precise information required to be provided will vary depending on the circumstances requiring disclosure of that information.
- We may also use or disclose personal information about you to avoid, lessen or prevent a serious emergency or crime. If we use or disclose personal information about you in those circumstances we will make a written record of such use or disclosure.
We may disclose personal information between members of the Codan Group. This could depend on the product or service you have applied for and the Codan Group member that you are dealing with. This enables us to have a complete understanding of you and your needs in connection with the product or services we are providing you. We may also disclose personal information to third parties such as our suppliers, organisations that provide us with marketing, technical and support services, or our professional advisors, where permitted by the Privacy Act (or GDPR where applicable, see below).
Any disclosure that is required to be made to any third party will be made primarily for the purpose of providing or offering goods and services to you. If we disclose information to a third party, we generally require that the third party protect your information to the same extent that we do.
How do we handle credit information?
We sometimes provide products and services to our customers on credit. In the course of providing credit, we will sometimes collect certain credit information from individuals, for instance, where the credit application relates to a sole trader, company director or guarantor. Such credit information may include:
- identity and contact information about a customer or employee, director or trade reference of a customer;
- details about a person's employment with, or directorship of, a customer (e.g. position title, length of service etc.);
- details of other credit arrangements including the relevant dates and applicable terms and conditions;
- details of previous credit applications including the amount and type of credit and credit limit; and
- details of any credit defaults, adverse court judgments or insolvency.
By providing us with your credit information, you consent to us using and disclosing your credit information for the following purposes:
- to assess relevant credit or guarantee applications;
- to monitor and produce assessments in relation to your credit worthiness;
- to review and manage your credit account;
- to obtain credit reports and disclose credit information to credit-reporting bodies; and
- to disclose credit reports to any solicitors and mercantile agents for enforcement and recovery purposes.
The credit-reporting bodies that we may use include:
- Dun & Bradstreet Inc.;
- illion Australia Pty Ltd;
- National Credit Insurance (Brokers) Pty Ltd;
- TRACE International; and
- Refinitiv, a London Stock Exchange Group business.
Under the Australian Privacy Act, individuals may request credit-reporting bodies not to:
- use their credit-related personal information to determine their eligibility to receive direct marketing from credit providers; and
- use or disclose their credit information, if they have been or are likely to be a victim of fraud.
Please see other sections of this Policy for further information regarding access, correction, complaints and how we generally handle personal information.
How can you access your personal information?
You have a right to request access to your personal information and to request its correction if it is out of date or incorrect.
You may request access or correction at any time by sending a written request to our Privacy Officer.
You do not need to provide a reason for your request for access to your personal information. We may charge a small fee for providing access to your personal information if it requires a significant amount of time to locate or collect your information or to present it in an appropriate form. We will not charge you to correct your personal information that we hold in our records.
We will respond to all requests for access to or correction of personal information within a reasonable time.
Please note there may be circumstances in which we are not able to provide you with access to your information, such as where the requested access will have an unreasonable impact upon the privacy of others or where we are required by law to withhold the information. If we are unable to provide you with access to your information, or make the amendments which you have requested, we will provide you with reasons for this decision.
European & United Kingdom Residents
If you are an individual based in Europe or the United Kingdom and a Codan Group entity offers or provides products or services to you, or has dealings with you in an employment context, the processing of your personal information will be subject to the EU GDPR or the UK GDPR and the following additional information applies.
The relevant Codan Group entity that you have contracted with is the data controller for the purposes of processing your personal information.
We have a Privacy Officer who will also be appointed as a Data Protection Officer if we have a legal obligation to do so.
Our legal grounds for processing: We rely on the following legal grounds to process your personal information:
- contract performance – we may collect and process your personal information to enter into a contract with you or to perform our obligations under a contract to which you are a party;
- if it is necessary to pursue our legitimate interests and does not override your rights and interests – this is the usual basis on which we carry out our business for the purposes set out above and includes when we carry out research, conduct direct marketing or otherwise communicate with you;
- with your consent – where required, we will only use your personal information for the purposes for which you have given your valid or explicit consent. For instance, we need your consent to collect and use your sensitive information such as your health information or to send you direct marketing; and
- to comply with laws or regulations that apply to us including exercising our rights – we may use and process your personal information where we are required by applicable laws, regulations or codes.
Transfer of information outside the EEA or United Kingdom: If we or our service providers or one of our related entities transfers your personal information outside Europe or onwards to a third country from Australia, we will ensure that it is protected and transferred in a manner consistent with legal requirements applicable to the information. We will do this by one of the following:
- sending it to a country approved by the European Commission or the Information Commissioner’s Office in the United Kingdom (ICO), as appropriate, as having an adequate level of protection for personal information;
- the recipient has signed a contract incorporating the Standard Contractual Clauses (also known as the SCCs) approved by the European Commission or the International Data Transfer Agreement (also known as the IDTA) approved in the United Kingdom and published by the ICO, as appropriate, requiring them to protect your personal information;
- if the recipient is located in the US, it may be a certified member of a scheme permitting the transfer of personal data from the EEA and/or the United Kingdom; or
- obtaining your explicit and informed consent to the proposed transfer.
How long do we retain your personal information? We retain your personal information for as long as necessary to provide our services and products that you have requested, to comply with our legal obligations, resolve disputes, and enforce our rights and policies.
Your additional rights and choices: In addition,
- erasure: You can ask us to erase your personal information without undue delay in certain circumstances such as if you withdraw your consent and we otherwise have no legal reason to retain it;
- restrictions of processing: You can object to, and ask us to restrict, our processing of your personal information in certain circumstances, such as while we verify your assertion the information is inaccurate or if we are processing your information for our legitimate interests or for direct marketing purposes (we may be legally entitled to refuse that request);
- data portability: You can, in some circumstances such as where we are processing your information with your consent, receive some personal information you have given us in a structured, commonly used and machine-readable format and/or ask us to transmit it to someone else if technically feasible;
- right to object: You can withdraw your consent (but we may be able to continue processing without your consent if there is another legitimate reason to do so); and
- right to complain: You can lodge a complaint with the data protection authority in the relevant European member state or the United Kingdom’s ICO, as appropriate, if you think that any of your rights have been infringed by us.
If we refuse any request you make in relation to your personal information rights, we will write to you to explain why and how you can make a complaint about our decision.
Cross Border Disclosures of Information
We may disclose your personal information to overseas recipients in the following circumstances:
- to any members of the Codan Group that are located overseas (with our offices currently operating out of Australia, Canada, Ireland, China, Malaysia, South Africa, New Zealand, the United Arab Emirates and the United States of America);
- to our vendors and/or service providers who provide services to us (including direct marketing services), where such information may be processed and/or stored by our vendors and/or service providers on servers located in the United States of America; and
- any courts, tribunals and regulatory authorities that are based overseas, where disclosure is required by law.
By providing your personal information to us, you consent to us disclosing your personal information to the above overseas recipients and agree that APP 8.1 of the Australian Privacy Principles will not apply to such disclosures. For the avoidance of doubt, in the event that an overseas recipient breaches the Australian Privacy Principles, that entity will not be bound by, and you will not be able to seek redress under, the Privacy Act.
If you do not want us to disclose your information to overseas recipients, please let us know.
Where practicable, we are required to provide the option for you to deal with us anonymously or under a pseudonym. This option will not be available where we are required or authorised by law to deal with individuals who have identified themselves, or if we need to verify your identity in order to provide products or services to you.
How to submit a query or complaint
If you have any queries or believe that we may have breached the Australian Privacy Principles, or failed to comply with this policy, you may direct your complaint to our Privacy Officer.
We take all complaints seriously, and will respond to your complaint within a reasonable period.
If you are dissatisfied with the handling of your complaint, you may contact the Office of the Australian Information Commissioner:
Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2001
Telephone: 1300 363 992
Email: firstname.lastname@example.org
If you are an individual based in Europe or the United Kingdom, you may also have the right to make a complaint to the data protection authority in the relevant European member state or the United Kingdom’s ICO, as appropriate, (for example: according to where you reside or where you believe we breached your rights).
Our Privacy Officer can be contacted as follows:
Privacy Officer
2 Second Avenue
Mawson Lakes SA 5095
Telephone: +618 8305 0311
Facsimile: +618 8305 0411
Email: email@example.com