Last revision: 20/03/2023
Data privacy is a complicated area of law, particularly in the digital age. Each jurisdiction has its own data privacy laws, but when data is transferred internationally (such as when an Australian business sells to an overseas customer), things can get complicated.
But in addition, as of May 2018, the European Union General Data Protection Regulation (GDPR) contains data protection requirements that may apply to Australian businesses.
Australian businesses (regardless of size) may need to comply with the GDPR if they have an establishment in the EU or UK, if they offer goods and services in the EU or UK, or if they monitor the behaviour of individuals in the EU or UK.
- which personal information is being collected
- if and how cookies are used
- how the information will be used
- how the information will be protected
- the fact that data transmitted via the internet may not be secure, and that the website owner disclaims liability in this regard
- how to unsubscribe from email lists
- how to lodge a complaint
- how to contact the owner of the website or application
- if the site/application may be used by children, what information will be collected, and how parental controls work
- how to update personal information and preferences
- how third party advertisements may be used
- what information may go to third parties
Under the GDPR, any entity processing personal information must identify the lawful basis for that processing. The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever an entity processes personal data:
(a) Consent: the individual has given clear consent to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract with the individual, or because they have asked the relevant entity to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for an entity to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone's life.
(e) Public task: the processing is necessary for the relevant entity to perform a task in the public interest or for their official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for an entity's legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual's personal data which overrides those legitimate interests. (This cannot apply if the entity is a public authority processing data to perform their official tasks.)
In addition to Australian privacy law and the EU GDPR, some industries have additional privacy rules. These are discussed in the "Applicable law" section below.
How to use this document
The owner should also strongly consider seeking legal advice at this stage.
If the website deals with "sensitive personal information", it will also be necessary for the website to display a separate notice (e.g. a pop-up box with a checkbox) to the user when collecting such information, which will:
Sensitive personal information includes information relating to ethnicity, political opinions, religious beliefs, trade union membership, physical or mental health or condition, sexual life or criminal record.
If user details are used for marketing purposes, whether by the website operators, by group companies, or by third parties with whom the website operators share such information, users should be given an opportunity to opt in at the point their details are collected, and to opt out of any such marketing messages thereafter.
If personal information will be transferred to non-EEA countries by the website or its operators, entities will need to consider the safeguards surrounding such transfers and may need to use European Commission-approved model contract clauses or European Commission-approved binding corporate rules. Australia is a non-EEA country, so the website owner will need to consider appropriate safeguards, in compliance with the GDPR, for any information which is transferred to Australia.
If the website relies upon consent as a lawful basis for processing any personal information, such consent must be expressly collected and recorded by the website (e.g. through a checkbox), in circumstances where the user is fully informed about the nature of their consent. The user should also confirm that they are old enough to provide any such consent.
Further information, guidance and a code of practice can be found on the UK Information Commissioner's Office website.
The primary legislation in relation to privacy law in Australia is the Commonwealth Privacy Act 1988. This has been amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012.
In the EU, the primary law is the European Union General Data Protection Regulation (GDPR).
The UK has adopted the Data Protection Act 2018, which is very similar to the EU GDPR. Therefore the rules set out in the GDPR continue to apply in the UK even after 31 December 2020 (the end of the Brexit transition period).
Other relevant laws include the Privacy Regulation 2013, and the Privacy (Credit Reporting) Code 2014. A number of industries also have additional privacy rules. For example, specific laws may impose additional privacy requirements in relation to:
- email marketing
- criminal records
- data matching
- anti-money laundering
- health records, Medicare, the pharmaceutical benefits scheme, or the eHealth system
- biometric information
- the Personal Property Securities Register
- credit reporting
- financial services
- tax file numbers
- information relating to racial or ethnic origin
- information relating to political opinions
- membership of a political association, professional or trade association or trade union
- religious beliefs or affiliations
- philosophical beliefs
- sexual orientation or practices
Further information about how the GDPR may affect Australian businesses is available through the Office of the Australian Information Commissioner.
If in doubt at any stage, seek legal advice.