GDPR Privacy Policy

A GDPR privacy policy is a document used by businesses that have an establishment in the EU or UK, offer goods and services in the EU or UK, or monitor the behaviour of individuals in the EU or UK. Even if the business has its main location in Australia, if it fits in one of these categories, then it is likely that the business will need to comply with the EU's (and UK's) rules on privacy.

Data privacy is a complicated area of law, particularly in the digital age. Each jurisdiction has its own data privacy laws, but when data is transferred internationally (such as when an Australian business sells to an overseas customer), things can get complicated.

For example, Australia has its own privacy laws, set out in the Privacy Act 1988 and the Privacy Amendment (Enhancing Privacy Protection) Act 2012. Therefore, Australian businesses need to consider these laws as a starting point. If a website or application collects and/or uses information from users for a benefit, service or advantage, then Australian law requires the owner of the website or application to have a Privacy Policy which explains how users' information is going to be collected, stored and used.

But in addition, as of May 2018, the European Union General Data Protection Regulation (GDPR) contains data protection requirements that may apply to Australian businesses.

Australian businesses (regardless of size) may need to comply with the GDPR if they have an establishment in the EU or UK, if they offer goods and services in the EU or UK, or if they monitor the behaviour of individuals in the EU or UK.

The GDPR goes further than Australian law in relation to data protection. Therefore, Australian businesses that are affected by the GDPR will need to make sure that their Privacy Policy and their data protection practices meet the more stringent requirements of the GDPR (as well as complying with Australian privacy law).

This Privacy Policy is designed to comply with both Australian privacy law and the EU GDPR.

Under Australian law, a Privacy Policy should outline:

- which personal information is being collected
- if and how cookies are used
- how the information will be used
- how the information will be protected
- the fact that data transmitted via the internet may not be secure, and that the website owner disclaims liability in this regard
- how to unsubscribe from email lists
- how to lodge a complaint
- how to contact the owner of the website or application
- if the site/application may be used by children, what information will be collected, and how parental controls work
- how to update personal information and preferences
- how third party advertisements may be used
- what information may go to third parties

Under the GDPR, users are required to consider the lawful bases for their processing of personal information. The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever an entity processes personal data:

(a) Consent: the individual has given clear consent to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract with the individual, or because they have asked the relevant entity to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for an entity to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone's life.

(e) Public task: the processing is necessary for the relevant entity to perform a task in the public interest or for their official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for an entity's legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual's personal data which overrides those legitimate interests. (This cannot apply if the entity is a public authority processing data to perform their official tasks.)

In addition to Australian privacy law and the EU GDPR, some industries have additional privacy rules. These are discussed in the "Applicable law" section below.

A Privacy Policy is one of several documents which are required for businesses using a website and/or mobile application. In addition to a Privacy Policy, online businesses are required to have a set of Terms and Conditions for Website or Mobile Application. If the business is using cookies on its website then it should consider obtaining a Cookies Policy. If sending emails to customers, then the business should consider obtaining an Email Disclaimer. If the business is selling goods or services, then it will also require a Contract for Sale of Goods, and/or a Service Agreement respectively. We have each of these documents available for purchase separately, although business owners are free to organise them however they like.

How to use this document

Privacy law is complex and having an up to date Privacy Policy is only the first step for the website owner. In order to comply with Australian privacy law and the GDPR, the owner will then need to actually do what the Privacy Policy says they are going to do. The Office of the Australian Information Commissioner provides useful information about the Australian Privacy Principles and the application of the GDPR to Australian businesses. The UK Information Commissioner's Office also provides further information on its page regarding the lawful basis for processing personal information under the GDPR.

Therefore, before preparing this document, the owner will need to conduct some research to ensure they understand their obligations. They may also need to consult various people or departments within their organisation, in order to determine how best to deal with privacy. Once the Privacy Policy has been prepared, the owner may also need to educate various people within the organisation about the terms of the policy. Procedures may need to be set in place to ensure that privacy obligations are met.

The owner should also strongly consider seeking legal advice at this stage.

In order for the Privacy Policy to be effective, the user will have to actually be made aware of the policy. So firstly, it will need to be published on the website.

Many websites will also refer to the Privacy Policy within their Terms and Conditions for Website or Mobile Application.

If the website deals with "sensitive personal information" it will also be necessary for the website to display a separate notice (e.g. a popup box with checkbox) for the user when collecting such information which will:

• display a clear and prominent request for the information just prior to the point of collection
• ask the user to opt-in or consent to the collection of such information
• provide enough information to enable the user to make an informed choice
• record their response

Sensitive personal information includes information relating to ethnicity, political opinions, religious beliefs, trade union membership, physical or mental health or condition, sexual life or criminal record.

If user details are used for marketing purposes either by the website operators, by group companies, or by 3rd parties with whom the website operators share such information, users should be given an opportunity to opt-in and thereafter opt-out of any such marketing messages when such details are collected.

If personal information will be transferred to non-EEA countries by the website or its operators, entities will need to consider the safeguards surrounding such transfers and may need to use an EU commission approved model contract or EU commission approved corporate binding rules. Australia is a non-EEA country, so the website owner will need to consider appropriate safeguards, in compliance with the GDPR, for any information which is transferred to Australia.

If the website relies upon consent as a lawful basis for processing any personal information, such consent must also be expressly collected and recorded by the website (e.g. through a checkbox), in circumstances where the user is fully informed about the nature of their consent. Indeed, the user should also confirm that they are old enough to provide any such consent.

Further information, guidance and a code of practice can be found on the UK Information Commissioner's Office website.

Applicable law

The primary legislation in relation to privacy law in Australia is the Commonwealth Privacy Act 1988. This has been amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012.

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 also includes a set of Australian Privacy Principles which apply to Australian organisations and provide guidance as to what should be included in a Privacy Policy. Further information about the Australian Privacy Principles is available via the Office of the Australian Information Commissioner.

In the EU, the primary law is the European Union General Data Protection Regulation (GDPR).

The UK has adopted the Data Protection Act 2018, which is very similar to the EU GDPR. Therefore the rules set out in the GDPR continue to apply in the UK even after 31 December 2020 (the end of the Brexit transition period).

Other relevant laws include the Privacy Regulation 2013, and the Privacy (Credit Reporting) Code 2014. A number of industries also have additional privacy rules. For example, specific laws may impose additional privacy requirements in relation to:

- email marketing
- telemarketing
- surveillance
- telecommunications
- criminal records
- data matching
- anti-money laundering
- health records, Medicare, the pharmaceutical benefits scheme, or the eHealth system
- biometric information
- the Personal Property Securities Register
- credit reporting
- financial services
- children
- tax file numbers
- information relating to racial or ethnic origin
- information relating to political opinions
- membership of a political association, professional or trade association or trade union
- religious beliefs or affiliations
- philosophical beliefs
- sexual orientation or practices

This Privacy Policy satisfies basic requirements of the Privacy Act 1988 and the Privacy Amendment (Enhancing Privacy Protection) Act 2012 but does not contemplate the full range of specific privacy matters that may apply in some situations (including those additional matters that may arise under the other privacy laws listed above).

Further information about how the GDPR may affect Australian businesses is available through the Office of the Australian Information Commissioner.

If in doubt at any stage, seek legal advice.

How to modify the template

You fill out a form. The document is created before your eyes as you respond to the questions.

At the end, you receive it in Word and PDF formats. You can modify it and reuse it.