Effective June 2022
1. Our commitment
This statement sets out GS1 Australia’s Privacy and Security Policy in respect to personal information which you may provide to us in a variety of ways. GS1 Australia recognises that your privacy is very important to you and we are committed to promoting confidence in the manner in which your personal information is handled by us. We ask that you read this Privacy and Security Policy carefully as it explains who we are, how we collect, use, disclose, store and protect personal information, your rights in relation to your personal information and how to contact us and supervisory authorities in the event you have a complaint.
In this policy the term "website(s)" refers to the GS1 Australia website www.gs1au.org; the GS1 Australia membership portal MyGS1 and any other websites managed by GS1 Australia, including websites, webpages and applications and chat sessions provided for or by GS1 Australia products and services.
Your use of our website and any of our services (including membership-related services) constitutes an acknowledgement that you have been made aware of our Privacy and Security Policy outlined below.
2. Who we are
GS1 Australia Ltd, Australian Company Number ACN 005 529 920 (we, us, our or GS1 Australia) collects, uses and is responsible for certain personal information about you.
As we are an Australian company, we are regulated by Australian laws including the Privacy Act 1988 (Cth) as amended. We are also responsible as an “organisation” for the management and handling of your personal information under those laws, and as a “credit provider” that is bound by the credit reporting provisions in Part IIIA of the Privacy Act 1988 (Cth) as amended in relation to the management and handling of your credit information or credit eligibility information.
Also, when we do so in the European Union (EU), or if you are located in the EU and we offer goods or services to you, we are regulated under the General Data Protection Regulation (GDPR) which applies across the European Union (including in the United Kingdom (UK)) and we are responsible as ‘controller’ of that personal information for the purposes of those laws.
3. Supporting Industry best practice
GS1 Australia is bound by, and committed to supporting, Australia’s Privacy Act 1988 as amended, and Australia's Spam Act 2003 as amended in relation to electronic direct marketing.
4. What personal information do we collect and use?
When you interact with us, including through our services or on our website(s), webpages and applications and chat sessions, we may collect the following information:
- your contact details including your name, email address, your organisation, mailing address, phone number and mobile phone number;
- the country and state or territory of you or your organisation;
- data collected through your use of GS1 services or your or your organisation’s membership of GS1 or your use of GS1’s membership-related services;
- technical data associated with web browsing (see section 19), cookie data (see section 20) and date and time of website visit(s) plus other data for analytical purposes (see section 21);
- any third-party website from which you linked to our website(s) or accessed our Service;
- if you install and use our software or hardware products, we may also collect information relating to your device for the purposes of registration or activation of such products;
- your or your organisation’s financial information, such as your bank account or credit card details, for any relevant purchases or for the purposes of credit eligibility (discussed below);
- other transactional information about your access to our website(s) or services; and
- any other personal information you provide to us in relation to the website(s) or our services.
We may also generally collect and hold (or derive) the following kinds of credit related information:
- credit information about you;
- credit eligibility information about you; and
- CP derived information about you.
The following words when used in this Policy have the following specific meanings:
CRB means a credit reporting body including bodies such as Equifax, Experian, Milton Graham.
CP derived information has the same meaning as in section 6 of the Privacy Act 1988 (Cth) as amended which, for ease of reference, may include personal information about you that is derived from credit reporting information disclosed to us by a CRB and that has a bearing on your credit worthiness and which is or has been used, or could be used, in establishing your eligibility for consumer credit. Please refer to the Privacy Act 1988 (Cth) as amended for a complete list of all types of CP derived information.
Credit information has the same meaning as in section 6N of the Privacy Act 1988 (Cth) as amended which, for ease of reference, may include information such as consumer credit liability information, repayment history information, types and amounts of credit you have sought, default information, and personal insolvency information. Please refer to the Privacy Act 1988 (Cth) as amended for a complete list of all types of credit information.
Credit eligibility information has the same meaning as in section 6 of the Privacy Act 1988 (Cth) as amended which, for ease of reference, may include information such as credit reporting information about you that has been disclosed by a credit reporting body or information derived from such information and which has a bearing on your credit worthiness. Please refer to the Privacy Act 1988 (Cth) as amended for a complete list of all types of credit eligibility information.
5. How do we collect your information?
We collect personal information in a variety of ways, such as:
- from you directly including when you interact with us in writing, electronically or via telephone, and when you visit our website(s), webpages and use our chat sessions and applications (including when you submit a quote or a membership or service application form);
- when you participate in our events or promotions;
- when we supply to you or you access our products or services; and
- from third party stakeholders.
We generally obtain the credit related information referred to above about you either directly (e.g. via forms you complete for us) and through your interactions with us and our staff, such as via our website(s), over the telephone, via email or in person, or indirectly via the methods discussed in section 7.
Note that when you use our website(s), webpage(s), chat sessions, and applications, GS1 is not responsible for any data you input that is not mandatory for the purpose of that website, webpage or application.
6. Can I opt out of providing personal information?
The provision of your personal information is required in order to access or use our website(s), to enable us to provide you with, and administer, our services (or your or your organisation’s membership or membership-related services) or to contact you for marketing or promotional purposes.
- if we subsequently notify you of the intended disclosure and you do not object to that use or disclosure;
- if we believe that the use or disclosure is reasonably necessary to assist a law enforcement agency or an agency responsible for government or public security in the performance of their functions;
- to enforce our terms and conditions or to protect our rights;
- to protect the safety of members of the public and users of our website(s) and services; or
- if we are required by law to disclose the information.
7. What about information collected from other sources?
We may also obtain personal information from other sources or third parties, including our global GS1 network of member organisations or affiliated GS1 member organisations (including in the UK or EU) or our distributors, resellers or others in your organisation.
We may collect personal information from other members or subscribers of our services to whom you or your organisation are a supplier (e.g. a retailer to whom you or your organisation supplies goods or services) or of whom you or your organisation is a member (e.g. a trade association of whom you or your organisation is a member).
In particular, we may obtain the credit related information about you indirectly from other people involved in your business (e.g. from your business partner or a co-director of your company in connection with an order being placed with us or an application for credit) or other people relevant to your relationship with us or the provision of credit by us (e.g. trade contacts or trade references you have provided to us, if we are considering providing credit to you or an entity related to you) or CRBs if we are considering providing credit to you or an entity related to you.
8. How do we use personal information and what reasons do we have for doing so?
Your privacy is respected, and we do not sell, rent or trade your personal information.
We use your personal information for a variety of purposes to effectively conduct our business, including to:
- Verify your identity;
- Administer and manage services, including charging, billing and collecting debts;
- Verify / authenticate that your use of GS1 services and the GS1 system is in accordance with our manuals and guidelines;
- Assist you to subscribe to or use our services, including to respond to your requests, advise on how your use of our products or services can be improved, and to contact you when necessary;
- Gain an understanding of your information and communication needs in order for us to provide you with a better service;
- Conduct research, surveys, opinion polls etc (see also section 14 on Market Research);
- Provide you with news, information and material in relation to our services or direct marketing and promotional content of us, our partners and affiliates (see section 9);
- Monitor who is accessing our website(s) or using our services;
- Profile the type of people using our website(s) or services solely for the purposes of improving our website(s) or services;
- Improve our website(s) or services; or
- Comply with our legal obligations.
We will only collect, hold, use and disclose your credit information and credit eligibility information to the extent permitted to do so by the Privacy Act 1988 (Cth) as amended. Subject always to this requirement, the purposes which we may collect, hold, use and disclose such information include, in relation to information which you have expressly consented to a CRB providing to us, assessing your application for credit with us (or the application of another entity whose commercial credit you have offered to guarantee) and for internal management purposes that are directly related to the provision or management of that commercial credit and other credit related purposes in the Privacy Act 1988 (Cth) as amended.
Where the GDPR applies we rely on the following lawful reasons to collect and use your personal data and, on occasion, more than one lawful reason (basis) set out below may apply to the processing:
- our legitimate interests in marketing and providing our goods and services globally for both our benefit and that of our customers and contacts interested in what we provide;
- to perform or enter into any contract we may have with you;
- to comply with our legal obligations;
- to protect your vital interests or that of another person (e.g. in an emergency); or
- where you consent to the processing where we ask you to (e.g. for certain sorts of marketing or other processing where the law either requires this or where it is our policy from time to time to seek consent for such processing).
9. To whom do we disclose personal information?
From time to time we disclose your personal information to, or share it with, third parties including:
- Parties that you authorise us to disclose your personal information, either directly, or via provision of a GS1 service which is governed by the terms and conditions of that service;
- Companies and consultants who perform services for us, such as specialist information technology or outsourcing companies, mail houses or other contractors to GS1 Australia. In this case we require those companies and consultants to protect your personal information;
- Companies and consultants that verify and/or authenticate your use of the GS1 system;
- Credit providers and credit reporting bodies;
- Government and regulatory authorities (as required or authorised by law);
- Our professional advisors (such as auditors and lawyers);
- Our related organisations;
- Organisations that assist us to conduct research/surveys or analyse data. In this case we require those companies to protect your personal information; or
- Other third parties as permitted by law.
- We may also disclose your credit related information to other credit providers, at your request and with your express consent and to the following CRBs:
The third parties with whom we share personal information may be located overseas including, but not limited to, our partners or affiliated GS1 member organisations in USA, Canada, Belgium, Germany, UK, Ireland, Spain, New Zealand and more. Please note that some countries outside the UK or EU (including Australia) do not have the same data protection laws as the UK or EU. However, we do not ordinarily disclose your credit information or credit eligibility information to entities that do not have an Australian link.
We will take reasonable steps to ensure that third parties that have access to your personal information are bound by appropriate privacy and confidentiality obligations in relation to that personal information.
Where the GDPR applies to any transfer of personal information, either by us or by any third party to whom we provide your personal information, such transfer will (unless the European Commission considers their laws adequate) be subject to appropriate or suitable relevant safeguards (such as a legally binding contract containing European Commission-approved model clauses or terms consistent with them or, for transfers to the US, the EU-US Privacy Shield). These safeguards will apply to the extent required under the GDPR and are designed to help safeguard your privacy rights and give you remedies in the unlikely event of a misuse of your personal information. If you have any queries about the basis upon which we may transfer your personal information outside of Australia, please contact us using our contact details below.
If you are an individual or sole trader, you may request that information supplied to third parties for the purposes of verification / authentication can be de-identified.
10. Your rights under the GDPR (if applicable)
Under the GDPR (where it applies to you), you have a number of important rights free of charge. In summary, those include rights to:
- fair processing of information and transparency over how we use your personal information that this Privacy Notice is already designed to address;
- access to your personal information and to certain other supplementary information;
- require us to correct any mistakes in your information which we hold;
- require the erasure of personal information concerning you in certain situations;
- receive the personal information concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit that data to a third party in certain situations;
- object at any time to processing of personal information concerning you for direct marketing;
- object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you;
- object in certain other situations to our continued processing of your personal information;
- withdraw your consent at any time where the processing is based on your consent; and
- otherwise restrict our processing of your personal information in certain circumstances.
For further information on each of those rights, including the circumstances in which they apply, see for example the Guidance from the UK Information Commissioner's Office (ICO) on individuals’ rights under the General Data Protection Regulation. If you would like to exercise any of those rights, please:
- email, call or write to us (contact details below) and let us have enough information to identify you (such as name and registration details);
- let us have proof of your identity and address; and
- let us know the information to which your request relates, including any account or reference numbers, if you have them.
11. Direct marketing and your privacy
On occasions, we may use the personal information we collect from you to identify particular GS1 Australia products and services which we believe may be of interest to you. We may then contact you to let you know about these products and services and how they may benefit your organisation. We will give you a choice to “opt out” (unsubscribe) from receiving such information in the future.
12. How can I "opt out" (unsubscribe) from promotional and marketing content?
You can opt out of receiving promotional and marketing information by any one of the following methods:
- Unsubscribing via the electronic means provided
- By calling our Customer Support Team or emailing us using the contact details below
- In writing to us at the address detailed below
Note: The nominated GS1 representative of an organisation in respect to its membership of GS1 or in respect to a particular service is not eligible to opt out of communications relating to the membership or subscription, billing, or particular service technical updates until another replacement representative is nominated by your organisation (unless your membership or service has been cancelled or terminated). You will be advised if your role falls into one or more of these categories. You will not be able to continue your or your organisation's membership or use of such services if you elect to opt out of all such communications as we require such communications with you (or with you on behalf of your organisation) for the purposes of performing our contract with you/your organisation.
13. Electronic Direct Mail (EDM) policy
The ability for you to opt out by unsubscribing via the electronic means provided will remain functional for at least 30 days after the original communication has been sent. After this time, another method to opt out should be used (e.g., sending an email to us at the address below).
GS1 Australia’s opt out facility will use its reasonable endeavours to process your request in a fair and reasonable timeframe: we aim to complete your unsubscribe request within five working days of receipt if the request is received electronically.
14. Market research
GS1 Australia from time to time may choose to engage in market research (telemarketing or surveys) relating to our products and services, or to ensure your contact details are correct to assist in providing better customer service levels.
15. Do you record my phone calls to you?
Yes, your phone calls may be monitored and recorded for reasons of training, service quality control and compliance purposes. Recordings are kept securely for up to 36 months.
During the conversation, to ensure any private details are not recorded, the call operator can temporarily suspend and resume recording either at their own determination or at your request.
You can request a digital copy of your recording by asking the call operator, or by sending a request in writing to customer service detailing the date and time of the call and your phone number.
Your right to access your personal information is not absolute. In certain circumstances, the law may permit us to refuse your request to provide you with access to your personal information. These circumstances may include where:
- Access would pose a serious threat to the life or health of any individual;
- Access would have an unreasonable impact on the privacy of others;
- The request is frivolous or vexatious;
- The information relates to a commercially sensitive decision making process; or
- Access would be unlawful or may prejudice enforcement activities, a security function or commercial negotiations.
17. What do we do with personal information when it is no longer needed?
GS1 Australia will destroy or archive personal information that is no longer needed for the purposes for which it was collected, or if GS1 Australia is no longer permitted or required by law to retain it, using secure methods to destroy the information.
18. Third party relationships
19. Other information collected on GS1 Australia website(s)
On GS1 Australia website(s) we may collect information from you such as browser type, operating system, and web pages visited to help us manage our website.
20. Website 'cookies'
Many websites, like the GS1 Australia website(s), use ‘cookie’ technology. 'Cookies’ are small text files a website can use to recognise repeat users (or their computers or mobile devices), store registration data, and facilitate the user's ongoing access to and use of the website. This allows a website to track usage behaviour and compile aggregate data for navigational or content improvements.
Cookies are not programs that come onto your system and damage files. You can disable cookies or be warned when cookies are being used to enable you to accept or reject them by adjusting your internet browser settings. However, disabling or rejecting cookies may mean that you are not able to access parts of our website or to take advantage of the improved user experience that cookies can help provide.
21. Using our website(s)
As with many sites, when visiting our website(s), a record of your visit (not your personal information) may be recorded in Google Analytics, Hotjar, or similar services. This record may include the following types of information:
- Date and time and duration of visit;
- Pages accessed, links clicked on, and documents downloaded;
- Address of any website that linked you directly to our site; and
- Your device details including your IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website(s).
In the case of Hotjar, this information is stored on our behalf in a pseudonymized user profile. Hotjar is contractually prohibited from selling any of the data collected on our behalf. For further details, please see the ‘about Hotjar’ section of Hotjar’s support site.
Further information about Google Analytics can be found on the Google Marketing Platform website under the section Google Analytics Terms of Service.
This information is NOT shared with any third party other than those assisting GS1 Australia to better understand your needs, optimise our service(s), enhance your user experience, and/or protect your information.
22. Website and service security and privacy; how long do we keep your information?
We understand that you may be concerned about the security of the personal information we collect from you.
We will take reasonable steps to protect personal information which we hold from misuse, loss and from unauthorised access, modification or disclosure.
We have systems and processes in place to maximise the security of your personal information, such as the use of industry standard encryption and Secure Sockets Layer (SSL) certificates on our website(s).
For site and service security purposes and to ensure services remain available to all users, we employ software programs to monitor network traffic in order to identify unauthorised attempts to upload or change information, or otherwise cause us damage.
However, you should be aware that, when using our website(s) or our services, no data transmission over the Internet can be guaranteed as completely secure.
23. Data Breaches
Any data breaches will cause GS1 Australia's Data Breach Policy to be enacted. The GS1 Australia Data Breach Frequently Asked Questions outlines how we standardly deal with any such matters.
We or our affiliated GS1 member organisations, outsourced service providers or relevant third parties may also be required to comply with obligations we (or they) may have to give notice of any eligible data breaches in Australia or other jurisdiction and may use your personal information to comply with such requirements.
24. Changes to this Privacy and Security Policy
25. Can I change information about myself or my company? How can I access and correct or ask you to delete or cease processing my personal information?
GS1 Australia will, upon your request and subject to applicable privacy laws, provide you with access to your personal information (including any credit related information) that is held by us.
We will endeavour to ensure that credit related or other personal information we hold about you is up to date, accurate and complete, but will generally assume that any information provided by you is free from errors and omissions unless you tell us it needs to be corrected. So, yes, it’s important that you keep us informed if the credit related or other personal information we have about you is inaccurate, incomplete or out of date. We ask that all requests are made in writing. We will take reasonable steps to action them quickly and promptly.
You may instruct us to remove any previous consent you provided to receive marketing communications from us.
You may make a request for access to, or correction of, any credit related or other personal information we hold about you. We may request you to verify your identity and (for access requests) specify what type(s) of information you require before processing your request. We will give you reasons if we deny access to your credit related information.
A fee will not apply to making a request for access or update to or deletion of your personal information. A fee may apply and be charged for providing the information to you. The fee covers the cost to us in collating, copying and providing certain information to you. We will only charge this fee where it is lawful for us to do so.
In some circumstances where we correct a record, we may still require retention of the original record.
In some circumstances, we may refuse to provide you with access to or correct your personal information including, but not limited to, where:
- giving access would have an unreasonable impact on the privacy of others;
- the information relates to existing or anticipated legal proceedings, and the information would not be discoverable in those proceedings;
- giving access would be unlawful;
- denying access is otherwise required or authorised by law; or
- the request for access is frivolous or vexatious.
If we refuse to provide you with access to, or correct, your personal information, we will provide you with an explanation in writing.
Please note that if the GDPR applies to you then you will have additional rights (see section 10) and, where your GDPR rights are different from what is stated here, then, we will respect your GDPR rights in preference to the rights in this section 25.
26. Feedback, queries and how to complain
We would ask that any complaint should be made first in writing to us. We will then respond in writing and in accordance with any timeframes required by law, and we will endeavour to provide you with confirmation as to how we propose to deal with the complaint as soon as reasonably practicable. We may require you to provide further information about your complaint to duly assess your complaint.
If, for any reason, you do not wish to complain to us initially or if you are unhappy with how we propose to resolve your complaint, then a complaint may also be made to the Office of the Australian Information Commissioner, by visiting the following website and following the steps.
Please note that where it applies, the GDPR also gives you the right to lodge a complaint with a supervisory authority, in particular in the EU (or European Economic Area) member state where you work, normally live or where any alleged infringement of data protection laws occurred.
27. Contact details
Locked Bag 2
Mt Waverley VIC 3149
Call 1300 227 263 or +61 3 9558 9559 between 8.30 am and 5.00 pm Monday to Friday Australian Eastern Standard Time (excluding public holidays) or email us at email@example.com, attention Compliance Officer.