City Beach Privacy Policy
Last updated: September 2020
1. We Respect Your Privacy
Fewstone Pty Ltd (ACN 010 496 465) as trustee for the City Beach Trust and its Related Bodies Corporate (as defined by the provisions of the Corporations Act 2001 (Cth)) (City Beach, we, us and our) respects your privacy and is committed to protecting it.
We comply with the Australian Privacy Principles and the Privacy Act 1988 (Cth) (Privacy Act), which govern the way private sector organisations collect, use, keep secure and disclose Personal Information.
The Privacy Act defines "Personal Information" to mean any information or an opinion about an identified individual, or an individual who is reasonably identifiable whether the information or opinion is true; and whether the information or opinion is recorded in a material form.
If you are a resident of the European Union, we are required to comply with the GDPR (as defined in Section 13) in relation to your Personal Data (as defined in Section 13).
This Privacy Policy sets out how we handle your Personal Information and Personal Data. If you have any concerns or questions, please contact us at the address set out in Section 12 and our privacy officer will resolve your concern or answer your question (residents of the European Union, refer to Section 13).
We recommend that you keep this information for future reference.
2. Kinds of Personal Information or Personal Data
We will only use or disclose your Personal Information or Personal Data (as applicable) for the primary purposes for which it was collected, or as consented to by you.
At or around the time we collect Personal Information or Personal Data from you, we will endeavour to provide you with a notice which details how we will use and disclose that specific information.
We set out some common collection, use and disclosure instances below.
Type of Information | Uses | Disclosures |
 | The uses we will make of Personal Information or Personal Data collected for this purpose include: | The types of disclosures we will make of Personal Information or Personal Data collected for the type of purposes listed include, without limitation, to: |
 | For full details relating to uses of Personal Information or Personal Data in relation to the use of credit information, please refer to our Credit Reporting Policy. | For full details relating to disclosures of Personal Information or Personal Data in relation to any credit information, please refer to our Credit Reporting Policy. In summary, we may disclose this type of Personal Information or Personal Data to: |
 | | We may disclose your Personal Information or Personal Data to: |
 | | We may disclose your Personal Information or Personal Data to: |
3. Collecting & Holding Personal Information or Personal Data
3.1 Collection Generally
As much as possible or unless provided otherwise in this Privacy Policy or a notification, we will collect your Personal Information or Personal Data directly from you.
We may collect your Personal Information or Personal Data from you in a variety of ways, including: by email, website and forms. When you engage in certain activities, such as filling out a survey or sending us feedback, we may ask you to provide certain information. It is completely optional for you to engage in these activities.
Depending upon the reason for requiring the information, some of the information we ask you to provide may be identified as mandatory or voluntary. If you do not provide the mandatory information or any other information we require in order for us to provide our products or services to you, we may be unable to provide our products or services to you in an effective manner, or at all.
3.2 Other Collection Types
We may also collect Personal Information or Personal Data about you from other sources, such as:
- when we collect Personal Information or Personal Data about you from third parties or competitions; or
- when we collect Personal Information or Personal Data about you from publicly available sources including but not limited to, court judgments, directorship and bankruptcy searches, Australia Post or other address/directory service providers, White Pages directory, and social media platforms (such as Facebook, Twitter, Google, Instagram etc).
3.3 Notification of Collection
If we collect details about you from someone else, we will, whenever reasonably possible, make you aware that we have done this and why, unless special circumstances apply, including the following circumstances:
- where information is collected from any personal referee you have listed on any application form (including any employment application) with City Beach;
- where information is collected from publicly available sources including but not limited to court judgments, directorship and bankruptcy searches, social media platforms (such as Facebook, Twitter, Google, Instagram etc); or
- as otherwise required or authorised by law.
3.4 Unsolicited Personal Information or Personal Data
In the event we collect Personal Information or Personal Data from you, or a third party, in circumstances where we have not requested or solicited that information (known as unsolicited information), and it is determined by City Beach (in its absolute discretion) that the Personal Information or Personal Data is not required, we will destroy the information or ensure that the information is de-identified. However, where unsolicited Personal Information or Personal Data is collected in relation to your future potential employment with City Beach, we may keep this Personal Information or Personal Data.
3.5 How We Hold Your Personal Information or Personal Data
Once we collect your Personal Information or Personal Data, we will either hold it securely and store it on infrastructure owned or controlled by us, or with a third party service provider who has taken reasonable steps to ensure they comply with the Privacy Act. Refer to Section 10 (Data security and quality) for more information.
3.6 Cookies and IP Addresses
If you use our website, we may utilise "cookies" which enable us to monitor traffic patterns, trends and to serve you more efficiently if you revisit our website. In most cases, a cookie does not identify you personally but may identify your internet service provider or computer.
We may gather your IP address as part of our business activities and to assist with any operational difficulties or support issues with our services. This information does not identify you personally.
However, in some cases, cookies may enable us to aggregate certain information with other Personal Information or Personal Data we collect and hold about you. We extend the same privacy protection to your Personal Information or Personal Data, whether gathered via cookies or from other sources, as detailed in this Privacy Policy.
You can set your browser to notify you when you receive a cookie and this will provide you with an opportunity to either accept or reject it in each instance. However, if you disable cookies, you may not be able to access certain areas of our websites or take advantage of the improved website experience that cookies offer.
4. Using & Disclosing Personal Information or Personal Data
4.1 Use and Disclosure Details
We provide a detailed list at Section 2 of some common uses and disclosures we make regarding the Personal Information or Personal Data we collect. We may also use or disclose your Personal Information or Personal Data and in doing so we are not required to seek your additional consent:
- when it is disclosed or used for a purpose related to the primary purposes of collection detailed above and you would reasonably expect your Personal Information or Personal Data to be used or disclosed for such a purpose;
- if we reasonably believe that the use or disclosure is necessary to lessen or prevent a serious or imminent threat to an individual’s life, health or safety or to lessen or prevent a threat to public health or safety;
- if we have reason to suspect that unlawful activity has been, or is being, engaged in; or
- if it is required or authorised by law.
4.2 Use and Disclosure Procedures
In the event we propose to use or disclose such Personal Information or Personal Data other than for reasons set out in the above table at Section 2 or as otherwise outlined in this Privacy Policy, we will first notify you or seek your consent prior to such disclosure or use.
Your Personal Information or Personal Data is disclosed to these organisations or parties only in relation to the products or services we provide to you or for a purpose permitted by this Privacy Policy.
We take such steps as are reasonable to ensure that these organisations or parties are aware of the provisions of this Privacy Policy in relation to your Personal Information or Personal Data.
4.3 Communications Opt-Out
If you have received communications from us and you no longer wish to receive those sorts of communications, you should contact us via the details set out in this document and we will ensure the relevant communication ceases. Any other use or disclosure we make of your Personal Information or Personal Data will only be as required or authorised by law or as permitted by this Privacy Policy or otherwise with your consent.
5. Sensitive Information
5.1 Sensitive Information Generally
Sensitive information is a subset of Personal Information. It means information or opinion about an individual’s racial or ethnic origin, political opinions, membership of a political organisation, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, criminal record, health information about an individual, genetic information, biometric information that is to be used for the purpose of automated biometric verification or biometric identification or biometric templates.
5.2 Collection and Use of Sensitive Information
In general, we attempt to limit the collection of sensitive information we may collect from you, but depending on the uses you make of our products this may not always be possible and we may collect sensitive information from you in order to carry out the services provided to you. However, we do not collect sensitive information from you without your consent.
We use sensitive information for the following limited purposes:
- biometric information (such as a scan that creates an individual ID) for time and attendance verification in respect of on-site employees and contractors;
- criminal records for pre-employment screening purposes; and
- medical information, voluntarily provided, to determine fitness for work.
We do not use sensitive information to send you Direct Marketing Communications (as set out in Section 6 below) without your express consent.
5.3 Consent
We may collect other types of sensitive information where you have consented and agreed to the collection of such information. Generally speaking, we will obtain this type of consent from you at (or around) the point in time in which we collect the information.
6. Direct Marketing
6.1 Express Informed Consent
You give your express and informed consent to us using your Personal Information or Personal Data set out in:
- the "General Enquiries" section of the table at Section 2 of this document above; and
- the "Marketing Services" section of the table at Section 2 of this document above,
to provide you with information and to tell you about our products, services or events or any other direct marketing activity (including third party products, services, and events) which we consider may be of interest to you, whether by post, email, SMS, messaging applications and telephone (Direct Marketing Communications).
6.2 Inferred Consent and Reasonable Expectations of Direct Marketing
Without limitation to paragraph 6.1, if you have provided inferred or implied consent (e.g. not opting out where an opt-out opportunity has been provided to you) or if it is within your reasonable expectation that we send you Direct Marketing Communications given the transaction or communication you have had with us, then we may also use your Personal Information or Personal Data for the purpose of sending you Direct Marketing Communications which we consider may be of interest to you.
6.3 Opt-Out
If at any time you do not wish to receive any further Direct Marketing Communications from us or others under this Section 6, you may ask us not to send you any further information about products and services and not to disclose your information to other organisations for that purpose. You may do this at any time by:
- using the "unsubscribe" facility included in the Direct Marketing Communication.
- updating your communication preferences via your City Beach account by unchecking the 'Receive marketing emails' tick-box and clicking save.
- contacting us at the address set out in Section 12 and we will ensure the relevant communication ceases.
7. Credit Information and Our Credit Reporting Policy
7.1 Credit Information Generally
The Privacy Act 1988 (Cth) contains provisions regarding the use and disclosure of credit information, which applies in relation to the provision of both consumer credit and commercial credit.
7.2 Credit Information and City Beach
As we provide terms of payment of accounts which are greater than 7 days, we are considered a credit provider under the Privacy Act in relation to any credit we may provide you (in relation to the payment of your account with us).
We use credit related information for the purposes set out in the "Credit information" section of the table at Section 2 above and our Credit Reporting Policy which includes but is not limited to using the information for our own internal assessment of your credit worthiness.
7.3 Storage and Access
We will store any credit information you provide us, or which we obtain about you, with any other Personal Information or Personal Data we may hold about you. Refer to Section 11 and the provisions of our Credit Reporting Policy for how to access and correct your Personal Information or Personal Data.
7.4 Complaints
Please see Section 12 and the provisions of our Credit Reporting Policy if you wish to make a complaint in relation to our handling of your credit information.
7.5 Our Credit Reporting Policy
Please see our Credit Reporting Policy for further information as to the manner in which we collect, use, store and disclose credit information.
8. Anonymity and Pseudo-Anonymity
Due to the nature of the services we provide and goods we offer for sale, it is only practicable or reasonable for City Beach to transact and correspond with you on a named basis. Your Personal Information or Personal Data may be required in order to provide you with our products and services, or to resolve any issue you may have.
9. Cross Border Disclosure
9.1 Cross Border Disclosures
City Beach’s servers are primarily hosted in Sydney, Australia and Macquarie Park, Australia, and City Beach does not disclose or hold any Personal Information or Personal Data at a destination outside of Australia.
However, we utilise third party service providers and overseas contractors to assist us with providing our goods and services to you, who disclose Personal Information or Personal Data overseas. These third party service providers disclose your information to the places detailed below in our Cross Border Disclosures Table.
Administrative and other related functions | Countries |
IT service providers for assistance with data hosting | United States, United Kingdom |
IT service providers for administrative applications and website functions | Singapore |
Service providers for marketing functions and promotions | United Kingdom, Ireland |
Service providers for recruitment services, and workforce management | United Kingdom, United States, Singapore, Hong Kong, Philippines |
As we use service providers and platforms which can be accessed from various countries via an Internet connection, it is not always practicable to know where your information may be held. If your information is stored in this way, disclosures may occur in countries other than those listed above.
9.2 Provision of Informed Consent
By submitting your Personal Information or Personal Data to City Beach, you expressly agree and consent to the disclosure, transfer, storing or processing of your Personal Information or Personal Data outside of Australia. In providing this consent, you understand and acknowledge that countries outside Australia do not always have the same privacy protection obligations as Australia in relation to Personal Information or Personal Data.
The Privacy Act requires us to take such steps as are reasonable in the circumstances to ensure that any recipients of your Personal Information or Personal Data outside of Australia do not breach the privacy principles contained within the Privacy Act. By providing your consent, under the Privacy Act, we are not required to take such steps as may be reasonable in the circumstances. However, despite this, we acknowledge the importance of protecting Personal Information or Personal Data and have taken reasonable steps to ensure that your information is used by third parties securely and in accordance with the terms of this Privacy Policy.
9.3 If You Do Not Consent
If you do not agree to the disclosure of your Personal Information or Personal Data outside Australia by City Beach, you should (after being informed of the cross border disclosure) tell City Beach that you do not consent. To do this, either elect not to submit the Personal Information or Personal Data to City Beach after being reasonably informed in a collection notification or please contact us via the details set out at the top of this document.
If you are located in New Zealand, your Personal Information will be disclosed outside of New Zealand, including to Australia and other countries as described in this Privacy Policy. To the extent necessary or applicable, the New Zealand privacy laws permit City Beach to disclose personal information outside of New Zealand without your consent where City Beach has another basis (other than express consent) for doing so.
10. Data Security & Quality
10.1 City Beach's Security Generally
We have taken steps to help secure and protect your Personal Information or Personal Data from unauthorised access, use, disclosure, alteration, or destruction. You will appreciate, however, that we cannot guarantee the security of all transmissions or Personal Information or Personal Data, especially where human error or malicious activity by a third party is involved.
Notwithstanding the above, we will take reasonable steps to:
- make sure that the Personal Information or Personal Data we collect, use or disclose is accurate, complete and up to date;
- protect your Personal Information or Personal Data from misuse, loss, unauthorised access, modification or disclosure both physically and through computer security methods; and
- destroy or permanently de-identify Personal Information or Personal Data if it is no longer needed for its purpose of collection.
10.2 Accuracy
The accuracy of Personal Information or Personal Data depends largely on the information you provide to us, so we recommend that you:
- let us know if there are any errors in your Personal Information or Personal Data; and
- keep us up-to-date with changes to your Personal Information or Personal Data (such as your name or address).
We provide information about how you can access and correct your information in Section 11.
11. Access to and Correction of Your Personal Information or Personal Data
You are entitled to have access to any Personal Information or Personal Data relating to you which we hold, except in some exceptional circumstances provided by law (including the Privacy Act 1988 (Cth)). You are also entitled to edit and correct such information if the information is inaccurate, out of date, incomplete, irrelevant or misleading.
If you would like to access or correct any records of Personal Information or Personal Data we have about you, you are able to access and update that information (subject to the above) by contacting us via the details set out at the top of this document.
12. Resolving Privacy Complaints
12.1 Complaints Generally
We have put in place an effective mechanism and procedure to resolve privacy complaints. We will ensure that all complaints are dealt with in a reasonably appropriate timeframe so that any decision (if any decision is required to be made) is made expeditiously and in a manner that does not compromise the integrity or quality of any such decision.
12.2 Contacting City Beach Regarding Complaints
If you have any concerns or complaints about the manner in which we have collected, used or disclosed and stored your Personal Information, please contact us:
Telephone: 1800 640 811 (AUS Only)
Email: customerservice@citybeach.com.au
Address: Customer Service, PO Box 2399, Mansfield QLD 4122
Please mark your correspondence to the attention of the Privacy Officer.
12.3 Steps We Take to Resolve a Complaint
In order to resolve a complaint, we:
- will liaise with you to identify and define the nature and cause of the complaint;
- may request that you provide the details of the complaint in writing;
- will keep you informed of the likely time within which we will respond to your complaint; and
- will inform you of the legislative basis (if any) of our decision in resolving such complaint.
12.4 Register of complaints
We will keep a record of the complaint and any action taken in a Register of Complaints.
13. GDPR
13.1 Definitions
In providing our products and services, or collecting and using your Personal Data, we are required to comply with the GDPR where you are a European Union resident.
The following defined terms have the associated meanings:
- "Data Subject" has the meaning attributed to that term in the GDPR;
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC; and
- "Personal Data" means the Personal Data (having the meaning attributed to that term in the GDPR) of the Data Subjects whose data is processed for the purposes of the provision of our retail services.
13.2 GDPR Obligations
If you are a resident of the European Union for the purposes of the GDPR, then in addition to what is set out in Sections 1 - 11 above, the following applies to you.
Under the GDPR, City Beach is considered a "data processor" in the provision of its retail services to you. City Beach is considered a "data controller" under the GDPR only in terms of the Personal Data of City Beach’s EU resident employees.
In addition to your rights of access and correction as set out above, as a Data Subject you may:
- (access) request access to your Personal Data held by City Beach;
- (rectification) request to update or rectify any of the Personal Data that we hold about you by contacting us at the details specified above and request Personal Data updates;
- (erasure) withdraw your consent to City Beach’s use of your Personal Data as described in this Privacy Policy by deletion or erasure of your Personal Data that we hold where that data is no longer required for the purpose for which it was collected;
- (restriction on processing) obtain from the controller (usually, this is your employer) a restriction on processing of your Personal Data where:
  - accuracy of the Personal Data is contested;
  - the processing by the processor is unlawful (and you oppose erasure but request restriction of use);
  - City Beach no longer needs your Personal Data; or
  - you have objected to processing pursuant to your right to object under Article 21(1) of the GDPR;
- (data portability) request that City Beach:
  - provides you with a copy of the Personal Data that City Beach holds about you in a portable and machine readable form; or
  - share your Personal Data with a nominated third party.
13.3 Exercising Data Subject Rights
If you wish to exercise any of your Data Subject rights, then please send your request in writing to the details above in section 12.2.
We will process your request promptly and in any event, within one month of receiving it.
13.4 Complaints
If you have any concerns in relation to City Beach’s collection or processing of your Personal Data, then you also have a right to complain to a supervisory authority (within the meaning of the GDPR).
14. Consent, Modifications and Updates
14.1 Interaction of this Policy With Contracts
This Privacy Policy is a compliance document prescribed by law rather than a legal contract between two or more persons. However, certain contracts may incorporate all, or part, of this Privacy Policy into the terms of that contract. In such instances, City Beach may incorporate the terms of this Privacy Policy such that:
- certain sections or paragraphs in this Privacy Policy are incorporated into that contract, but in such a way that they do not give rise to contractual obligations onto City Beach, but do create contractual obligations on the other party to the contract; and
- the consents provided in this Privacy Policy become contractual terms provided by the other party to the contract.
14.2 Acknowledgement
By using our website or purchasing a product or service from City Beach, where you have been provided with a copy of our Privacy Policy or had a copy of our Privacy Policy reasonably available to you, you are acknowledging and agreeing:
- to provide the consents given by you in this Privacy Policy; and
- that you have been informed of all of the matters in this Privacy Policy.
14.3 Modifications and Updates
We reserve the right to modify our Privacy Policy as our business needs require. We will take reasonable steps to notify you of such changes (whether by direct communication or by posting a notice on our website). If you do not agree to our continued use of your Personal Information or Personal Data due to the changes in our Privacy Policy, please cease providing us with your Personal Information or Personal Data and contact us via the details set out at the top of this document.