MANAGEMENT OF PERSONAL INFORMATION
At Sansoni Group, we recognise the importance of your privacy and understand your concerns about the security of the personal information you provide to us. We comply with the Australian Privacy Principles (“APPs”) as contained in the Privacy Act 1988 (Cth). The APPs detail how personal information may be collected, used, disclosed, stored and destroyed, and how an individual may gain access to or make complaints about the personal information held about them.
“Personal information” is information or an opinion about an identified individual, or about an individual who is reasonably identifiable.
This policy details how Sansoni Group manages personal information about you.
In the course of doing business, we endeavour to collect business information only. However, the collection of personal information in some instances is necessary or unavoidable.
What personal information we collect and hold
The kinds of personal information we collect from you or about you depend on the transaction you have entered into with us, the goods / services you or your organisation have contracted us to provide, and the goods / services you or your organisation are interested in. The kinds of personal information that we commonly collect and hold from you or about you include: your name, address, phone and fax numbers, email address, date of birth, driver's licence details, bank account details, credit card details, your financial position, details of any businesses you own, and details of your businesses' profitability. When you browse our website or contact us electronically, we record the following: activity logs, cookies, IP addresses, device information (including the operating system, browser type, and screen resolution), referral information, shopping behaviour, error logs, accessibility and user data, consent and preference settings, social media interactions, and geographical tagging.
How we collect and hold personal information
We aim to collect personal information only directly from you unless it is unreasonable or impracticable for us to do so. For example, we collect personal information from you or about you from the letters, emails, application forms and contracts that you submit to us, from what you tell us in telephone calls with us, and from your activity on our website, which is stored in the cloud in the Microsoft data warehouse. Excerpts of the data may be stored in the cloud by our other programs, including but not limited to Xero. However, in some instances we may receive personal information about you from third parties, such as marketing partners, data brokers, publicly available sources, and associated businesses that sell at our events.
You can be anonymous or use a pseudonym when dealing with us, unless:
- The use of your true identity is a legal requirement; or
- It is impracticable for us to deal with you on such basis.
Why we collect, hold, use and disclose personal information
We collect, hold, use and disclose personal information from you or about you where it is reasonably necessary for us to carry out our business functions and activities. For example, we collect, hold, use and disclose your personal information as necessary to provide our goods and services to you or your organisation.
If we do not collect, hold, use or disclose your personal information, or if you do not consent, then we may not be able to answer your enquiry, complete the transaction you have entered into, or provide the goods / services that you or your organisation have contracted us to provide.
We also collect, hold, use and disclose your personal information for related purposes that you would reasonably expect, such as our administrative and accounting functions, fraud checks, providing you with information about other goods / services offered by us, marketing and promotions, market research, statistical collation, and website traffic analysis.
Where we wish to use or disclose your personal information for other purposes, we will obtain your consent.
Where we use your personal information for marketing and promotional communications, you can opt out at any time by notifying us. Opt out procedures are also included in our marketing communications.
We may also disclose your personal information to third parties (including government departments and enforcement bodies) where required or permitted by law.
How we hold and store personal information
Your personal information is held and stored on paper, by electronic means or both. We have physical, electronic and procedural safeguards in place for personal information and take reasonable steps to ensure that your personal information is protected from misuse, interference, loss and unauthorised access, modification and disclosure:
- Data held and stored on paper is scanned into our system, redacted, and kept in locked filing cabinets on our secured premises.
- Data held and stored electronically is protected by strong encryption algorithms, limited access via multi-factor authentication, password updates, monitoring of access logs, firewalls and intrusion detection systems, regular security audits, data backup, vendor security measures, physical security measures, and an incident response plan.
- Data held and stored "in the cloud" is protected by strong encryption algorithms, limited access via multi-factor authentication, role-based access, cloud provider security, data backup and redundancy, vendor assessment, an incident response plan, transparency and control, contractual agreements with the cloud provider, and continuous monitoring and analytics related to your data in the cloud. We also require our IT contractors and other third parties to implement privacy safeguards.
- Data stored or archived off-site is contained within secure facilities, encrypted, and subject to strict limited access by authorised personnel. We continuously monitor and conduct regular audits of our off-site storage practices, and ensure they are legally compliant and compliant with our security policies. We also require our storage contractors to implement privacy safeguards. All data stored or archived off-site is retained in accordance with legal requirements, and we have prepared a disaster recovery strategy should it be required.
- Where we disclose personal information to third parties (including contractors and affiliated businesses located locally and overseas), our contractual arrangements with them include specific privacy requirements.
- Our staff receive regular training on privacy procedures.
Destruction and De-identification
We will retain your personal information whilst it is required for any of our business functions, or for any other lawful purpose.
We use secure methods to destroy or to permanently de-identify your personal information when it is no longer needed:
- Paper records awaiting destruction are stored securely to prevent unauthorised access. Destruction of paper records is undertaken via various methods including shredding, third party shredding services, pulping, incineration, witnessed destruction, and recycling;
- Electronic records are destroyed via various methods including secure deletion involving overwriting the data, physical destruction of any physical media the data is stored on, and third party destruction services.
Our processes and policies in relation to data destruction comply with legal regulations and are regularly audited and reviewed. In certain circumstances, we may obtain certificates of destruction to provide documented proof of secure destruction. Lastly, our employees involved in any such destruction are trained appropriately.
We do not disclose personal information to any entities or individuals located overseas. Our data handling practices are designed to keep your information within our jurisdiction, and we have implemented safeguards to ensure that your personal information is not transferred internationally.
Requests for access and correction
We have procedures in place for dealing with and responding to requests for access to, and correction of, the personal information held about you. In most cases, we expect that we will be able to comply with your request. However, if we do not agree to provide you access or to correct the information as requested, we will give you written reasons why. For further information, please see our Privacy Access, Correction & Complaints brochure or contact us.
To assist us to keep our records up-to-date, please notify us of any changes to your personal information.
Complaints and Concerns
We have procedures in place for dealing with complaints and concerns about our practices in relation to the Privacy Act and the APPs. We will respond to your complaint in accordance with the relevant provisions of the APPs. For further information, please see our Privacy Access, Correction & Complaints brochure or contact us.
Aaron Sansoni Group International Pty Ltd
16 August 2023