1. Introduction and Scope
1.1 From time to time GreenLight Clinical Pty Ltd (“Company”, “Controller”, “us” or “we”) is required to collect, hold, use or disclose personal information relating to individuals (such as its customers, contractors, suppliers and employees (collectively referred to in this Policy as “you” or “Data Subjects”), in the performance of its business activities.
1.2 This Policy outlines the Company’s requirements and expectations in relation to the handling of personal information as well as setting out the rights of Employees and Data Subjects. It meets the requirements of the Australian Privacy Act 1998 (Cth) (the “Act”) which regulates the rights of Data Subjects in Australia, as well as the General Data Protection Regulation which regulates the rights of Data Subjects in the European Union (the “Regulation”). The Act and the Regulation will be referred to collectively as the “Law”.
2. Name, Address and Contact Details of Company/Controller
GreenLight Clinical Pty Ltd
134 William Street
Woolloomooloo, NSW 2011
Data Privacy Officer
Tel: +61 2 9191 0640
3. What is personal information?
3.1 Personal information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
3.2 This Policy does not apply to the collection, holding, use or disclosure of personal information that is excluded by the Act or Regulation.
4. Unsolicited personal information
4.1 Unsolicited personal information is personal information that the Company receives which it did not ask for. Unless the Company determines that it could have collected the personal information in line with the Law or the information is contained within a government record, it shall destroy the information or ensure it is de-identified unless the Company determines that it is acceptable for the Company to have collected the personal information.
5.1 Like many other websites, our website may use a standard technology called a “cookie” to collect information regarding how you use the site.
5.2 The website uses ‘cookies’ for maintaining contact with a user during a website session. A cookie is a small file supplied by us and stored by the web browser software on your computer when you access our site. Cookies allow us to recognise you as an individual as you move from one of our web pages to another.
5.3 Information generated by the cookie is only used to help you navigate the website systems more efficiently, not to track your movements through the internet, or to record personal information about you.
6. Type of information that the Company collects and holds
6.1 The Company collects personal information that is reasonably necessary for its business activities or if the Company has received consent to collect the information. If the Company collects sensitive information (as defined below), the Company must also have obtained consent in addition to the collection being reasonably necessary.
6.2 The type of information that the Company collects and holds may depend on an individual’s relationship with the Company, for example:
- Candidate: if a person is a candidate seeking employment with the Company, the Company may collect and hold information about that candidate including the candidates name, address, email address, contact telephone number, gender, age, employment history, references, CV, medical history, emergency contact details, taxation details, qualifications and payment details.
- Customer: if a person is a customer of the Company, the Company may collect and hold information including the customer’s name, address, email address, contact telephone number, gender and age and other sensitive information.
- Supplier: if a person or business is a supplier of the Company, the Company may collect and hold information about the supplier including the supplier’s name, address, email address, contact telephone number, business records, billing information and information about goods and services supplied by the supplier.
- Referee: if a person is a referee of a candidate being considered for employment by the Company, the Company may collect and hold information including the referee’s name, contact details, current employment information and professional opinion of candidate.
- Sensitive information: the Company will only collect sensitive information where an individual consents to the collection of the information and the information is reasonably necessary for one or more of the Company’s business activities. Sensitive information includes information or an opinion about racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs, membership of a trade union, sexual preferences, criminal record, health information or genetic information.
7. How the Company collects and holds personal information
7.1 The Company (and the employees acting on the Company’s behalf) only collects personal information by fair and lawful means.
7.2 The Company may collect personal information in a number of ways. Some examples are listed below:
- through application forms (e.g. job applications);
- by email or other written mechanisms;
- from a telephone call;
- in person;
- through transactions;
- through the Company website;
- through lawful surveillance means such as a surveillance camera;
- by technology that is used to support communications between individuals and the Company;
- through publically available information sources (which may include telephone directories, the internet and social media sites);
- direct marketing database providers.
7.3 When the Company collects personal information about a Data Subject through publicly available information sources, it will manage such information in accordance with the Law.
7.4 At or before the time or, if it is not reasonably practicable, as soon as practicable after, the Company collects personal information, the Company must take such steps as are reasonable in the circumstances to either notify the Data Subject or otherwise ensure that the Data Subject is made aware of the following:
- the identity and contact details of the Company;
- that the Company has collected personal information from someone other than the Data Subject or if the Data Subject is unaware, that such information has been collected;
- the purpose for which the Company collects the personal information;
- the consequences if the Company does not collect some or all of the personal information;
- any other third party to which the Company may disclose the personal information collected by the Company;
- how a Data Subject may access and seek correction of personal information held by the Company and how a Data Subject may complain about a breach of the Law; and
- whether the Company is likely to disclose personal information to overseas recipients, and the countries in which those recipients are likely to be located.
8. Purpose, Use and Disclosure of Personal Information
8.1 The main purposes for which the Company may use or disclose personal information may include:
- customer service management;
- training and events;
- surveys and general research; and
- business relationship management.
8.2 The Company may also collect, hold, use or disclose personal information if a Data Subject consents or if required or authorised by Law.
8.3 Direct marketing:
- the Company may use or disclose personal information (other than sensitive information) about a Data Subject for the purpose of direct marketing (for example, advising a customer about new goods or services being offered by the Company);
- the Company may use or disclose sensitive information about an individual for the purpose of direct marketing if the Data Subject has consented to the use or disclosure of the information for that purpose; and
- a Data Subject can opt out of receiving direct marketing communications from the Company by contacting the Data Privacy Officer in writing or if permissible, accessing the Company’s website and unsubscribing appropriately.
9. Disclosure of Personal Information
9.1 The Company may disclose personal information for any of the purposes for which it is collected, as indicated under clause 7 of this Policy, or where it is under a legal duty to do so.
9.2 Disclosure will usually be internally and to related entities or to third parties such as contracted service suppliers.
9.3 If an employee discloses personal information to a third party in accordance with this Policy, the employee must take steps as are reasonable in the circumstances to ensure that the third party does not breach the Law in relation to the information.
10. Integrity, security and retention of personal information
10.1 The Company will ensure that the personal information that it collects is accurate, up-to-date and complete.
10.2 The Company will take all action necessary to protect the personal information from misuse, interference, loss and from unauthorised access, modification or disclosure.
10.3 Personal information will only be held for as long as is necessary to meet the purpose for which it was collected. If the Company holds personal information it no longer needs, it will without delay, take such steps to erase or destroy the information or to ensure it is de-identified.
10.4 The time for which Personal Information will be stored by us will never exceed any time limits prescribed by Law. Once that limit is reached, the corresponding data will be routinely deleted, as long as it is no longer necessary for the fulfilment of a contract or the initiation of a contract.
10.5 Sometimes we may need to send your personal information overseas. However, we will not send your personal information to anyone anywhere unless we are sure that your personal information will remain secure at all times.
11. Rights of the Data Subject
You as a Data Subject, have the following rights:
- Right of Confirmation
- You have the right to obtain from the Controller confirmation regarding whether or not personal information about you is being processed. You may exercise this right by contacting the Data Privacy Officer.
- Right of Access
- If the Company holds personal information about you, you may request access to that information by contacting the Data Privacy Officer. The Company will respond to any request without undue delay.
- There are certain circumstances in which the Company may refuse you access to personal information. In such situations the Company will provide you a written notice that sets out:
- the reasons for the refusal;
- the mechanisms available to you to make a complaint.
- If you receive such a notice, please contact the Data Privacy Officer.
- Right of Rectification
- You have the right to obtain from the Company without undue delay, the rectification of inaccurate personal information about you.
- Taking into account the purpose of the processing, you have the right to have incomplete personal information completed.
- If you wish to exercise this right of rectification contact the Data Privacy Officer.
- There are certain circumstances in which the Company may refuse to correct the personal information. In such situations the Company will give you written notice that sets out:
- the reasons for the refusal;
- the mechanisms available to you to make a complaint.
- If the Company corrects personal information that it has previously supplied to a third party and you request the Company to notify the third party of the corrections, the Company shall without undue delay, give that notification unless impracticable or unlawful to do so.
- Right to Erasure (Right to be Forgotten)
- You have the right to require the Company to erase personal information about you. You may exercise this right for a number of reasons including:
- you withdraw consent previously given; or
- the personal information is no longer necessary for the purpose for which it was collected; or
- you object to the processing of personal information and there are no legitimate grounds to continue; or
- the personal information has been unlawfully processed; or
- the personal information must be erased in order to comply with the Law.
- If you wish to exercise this right to erasure contact the Data Privacy Officer.
- Where the Controller has made personal information public and is obliged to erase it, the Controller shall take all reasonable steps to inform other controllers processing the personal information that you have requested its erasure and to require them to erase such personal information from their systems including any links to other systems.
- Right of Restriction of Processing
You have the right to restrict the processing of your personal information if:
- you contest the accuracy of the personal information and the Controller has an opportunity to verify the accuracy of such personal information;
- the processing is unlawful and you oppose the erasure of the personal information and request instead, the restriction of its use;
- the Controller no longer needs the personal information for the purposes of the processing but is required to retain the information for the establishment, exercise or defence of legal claims; or
- you have objected to the processing pending verification of whether the legitimate grounds of the Controller override your rights.
- Right to Data Portability
- You have the right to receive personal information provided to the Controller in a structured, commonly used and machine-readable format. You will have the right to transmit this data to another controller as long as the processing we undertake is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.
- In exercising this right, you also have the right to have personal information transmitted directly from one controller to another, where technically feasible and when doing so does not adversely affect the rights and freedoms of others.
- Right to Object
- You have the right to object to the processing of your personal information where such processing was necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller or a legitimate interest pursued by the Controller.
- On receiving your objection we shall no longer process your personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or where such processing is necessary for the establishment, exercise or defence of legal claims.
- In addition, you also have the right to object to personal information about you being used for scientific or historical research purposes or for statistical purposes unless the processing is necessary for the performance of a task carried out for reasons of public interest.
- If you wish to exercise this right to object contact the Data Privacy Officer.
- Right to Withdraw Consent
- You have the right to withdraw your consent to processing your personal information at any time.
- If you wish to exercise this right to withdraw consent contact the Data Privacy Officer.
12. Automated Individual Decision-Making, Including Profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you, or which may significantly affect you. As a responsible company, we do not use automatic decision-making or profiling.
12.1 If you wish to make inquiries in this regard please contact the Data Privacy Officer.
13. Anonymity and Pseudonymity
13.1 You have the option of not identifying yourself or using a pseudonym, when dealing with the Company in relation to a particular matter. This does not apply:
- where the Company is required or authorised by Law to deal with individuals who have identified themselves; or
- where it is impracticable for the Company to deal with individuals who have not identified themselves or who have used a pseudonym.
13.2 However, in some cases if you do not provide the Company with personal information when requested, the Company may not be able to respond to the request or provide you with the goods or services that you are requesting.
14.1 You have a right to complain about the Company’s handling of personal information if you believe the Company has breached either the Act or the Regulation.
14.2 If you are dissatisfied with the Company’s response to a complaint, you may refer the complaint to either
- The Office of the Australian Information Commissioner if you are a resident of Australia
Address: 175 Pitt St, Sydney NSW 2000, Australia
Tel: 1 300 363 992
- The Supervisory Authority in any Member State of the European Union (EU) if you are a resident of a Member State in the EU, such as
The Danish Data Protection Agency
Borgergade 28, 5.
DK-1300 Copenhagen K.
Tel: +45 33 19 32 00.