Data transfer Policy

Definition

World Options and subsidiaries companies will hereafter be referred to as “World Options”

Scope

This policy and procedure applies across all entities or subsidiaries owned, controlled, or operated by World Options and to all employees, including part-time, temporary, or contract employees, that handle personal data and/or personal data transfers.

Policy statement

The World Options services/entities may transfer personal data to internal or third-party recipients located in another country where that country is recognised as having an adequate level of legal protection for the rights and freedoms of the relevant data subjects. Where transfers need to be made to countries lacking an adequate level of legal protection (i.e. third countries), they must be made in compliance with an approved transfer mechanism. The World Options services/entities may only transfer personal data where one of the transfer scenarios listed below applies:

  • The data subject has given consent to the proposed transfer.
  • The transfer is necessary for the performance of a contract with the data subject
  • The transfer is necessary for the implementation of pre-contractual measures taken in response to the data subject’s request.
  • The transfer is necessary for the conclusion or performance of a contract concluded with a third party in the interest of the data subject.
  • The transfer is legally required on important public interest grounds.
  • The transfer is necessary for the establishment, exercise or defence of legal claims.
  • The transfer is necessary in order to protect the vital interests of the data subject

Transfers between World Options services/entities

In order for World Options to carry out its operations effectively across its various services/entities, there may be occasions when it is necessary to transfer personal data internally from one Entity to another or to allow access to the personal data from an overseas location. Should this occur, the World Options service/entity sending the personal data remains responsible for ensuring protection for that personal data.

From time to time, World Options handles the transfer of personal data between World Options services/entities, where the location of the recipient entity is a third country. World Options only transfer the minimum amount of personal data necessary for the particular purpose of the transfer (for example, to fulfil a transaction or carry out a particular service). We ensure adequate security measures are used to protect the personal data during the transfer (including password-protection and encryption, where necessary).

Transfers to Third Parties

Each World Options service/entity will only transfer personal data to, or allow access by, third parties when it is assured that the information will be processed legitimately and protected appropriately by the recipient. Where third party processing takes place, each World Options service/entity will first identify if, under applicable law, the third party is considered a data controller, or a data processor of the personal data being transferred.

Where the third party is deemed to be a data controller, the World Options service/entity will enter into, in cooperation with the Board of Directors, an appropriate agreement with the controller to clarify each party’s responsibilities in respect to the personal data transferred. Where the third party is deemed to be a data processor, the World Options service/entity will enter into, in cooperation with the Board of Directors, an adequate processing agreement with the data processor. The agreement must require the data processor to protect the personal data from further disclosure and to only process personal data in compliance with the World Options instructions. In addition, the agreement will require the data processor to implement appropriate technical and organisational measures to protect personal data as well as procedures for providing notification of personal data breaches.

The World Options have a ‘Standard Data Processing Agreement’ document that, should be used as a baseline template. When a World Options service/entity is outsourcing services to a third party (including cloud computing services), they will identify whether the third party will process personal data on its behalf and whether the outsourcing will entail any third country transfers of personal data. In either case, it will make sure to include, in cooperation with the World Options Board of Directors, adequate provisions in the outsourcing agreement for such processing and third-country transfers.

Responsibility

Compliance, monitoring and review

The overall responsibility for ensuring compliance with the requirements of the related legislation in relation to performing data transfers activities at World Options rests with the Board of Directors.

All operating units’ staff that deal with personal data are responsible for processing this data in full compliance with the relevant World Options policies and procedures.

Records management

Staff must maintain all records relevant to administering this policy and procedure in electronic form in a recognised World Options record-keeping system.

All records relevant to administering this policy and procedure will be maintained for a period of 5 years.

Terms and Definitions

Office of the Australian Information Commissioner (OAIC)The Privacy Act 1988 was introduced to promote and protect the privacy of individuals and to regulate how Australian Government agencies and organisations with an annual turnover of more than $3 million, and some other organisations, handle personal information.

The Privacy Act includes 13 Australian Privacy Principles (APPs), which apply to some private sector organisations, as well as most Australian Government agencies. Such organisations and agencies are collectively known as ‘APP entities’. The Privacy Act also regulates the privacy component of the consumer credit reporting system, tax file numbers, and health and medical research.

Data Controller: the entity that determines the purposes, conditions and means of the processing of personal data

Data Processor: the entity that processes data on behalf of the Data Controller

Data Protection Authority in Australia: national authorities tasked with the protection of data and privacy as well as monitoring and enforcement of the data protection regulations within the Union

Data Subject: a natural person whose personal data is processed by a controller or processor

Personal Data: any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person

Privacy Impact Assessment: a tool used to identify and reduce the privacy risks of entities by analysing the personal data that are processed and the policies in place to protect the data

Processing: any operation performed on personal data, whether by automated means, including collection, use, recording, etc.

Profiling: any automated processing of personal data intended to evaluate, analyse, or predict data subject behaviour

Regulation: a binding legislative act that must be applied in its entirety across the Union

Subject Access Right: also known as the Right to Access, it entitles the data subject to have access to and information about the personal data that a controller has concerning them

For more information

Contact our Data Protection Officers who are the World Options Board of Directors by emailing: au.support@worldoptions.com