Last amended [ 18 May 2018 ]
Afterpay Touch Group
Phone: +61 3 9018 6800
About This Document
Afterpay Touch is committed to complying with the Privacy Act 1988 (Cth) as amended from time to time (Privacy Act) and to protecting information from which the personal identity of its customers and website users is clear or easily determinable (Personal Information), and the personal information of their customers.
Afterpay Touch is committed to the best-practice privacy standards
Afterpay Touch operates as a processor of personal data under contract from its customers, who are the data controllers; where a customer requires privacy provisions beyond the legal compliance requirements, those enhancements are incorporated into that customer’s solution.
Afterpay Touch is a Level 1 accredited PCI DSS (Payment Card Industry Data Security Standard) organisation. Accreditation is achieved on a yearly basis through the PCI DSS Council and is managed by an independent PCI Council approved auditor. PCI DSS applies to personal data that incorporates Card Holder Data, which may be stored, processed or transacted through Touch’s systems.
Afterpay Touch is an accredited IRAP Medicare Australia compliant organisation. Accreditation is achieved every two years under the accreditation program through the Department of Human Services (Australian Federal Government department) and is audited by an independent IRAP approved auditor. The compliance process requires Touch not to store Personal Information in regard to Health transactions with Medicare.
Afterpay Touch is accredited for ISO 27001:2013. ISO 27001 is the international standard for Information Technology – Security Techniques – Information Security Management Systems – Requirements. ISO 27001 belongs to the 27000 family of standards that help organisations keep information assets secure. ISO 27001 applies to personal data that is protected by Information Management Systems.
Collection and holding of Personal Information
In this policy, "personal data" or "personal information" means any information relating to an identified or identifiable natural person ("data subject").
How Afterpay Touch collects and holds Personal Information
Afterpay Touch may be provided with information through customers entering details on the company's Electronic Service Delivery System (ESDS) when using particular services. In all cases, Afterpay Touch shall only collect and retain information relevant to a customer’s use of the ESDS and in accordance with the requirements of the data controller.
Information collected is stored on secure servers that are protected in controlled facilities, meeting the requirements of 3 separate compliance regimes: PCI DSS, ISO 27001 and IRAP.
Kinds of Personal Information collected and held
Although the amount and type of information collected will vary depending on which services are used on Afterpay Touch's ESDS, a comprehensive list of all of the various kinds of Personal Information that Afterpay Touch may collect is as follows:
- Contact information, such as a person’s name, address, phone, email and other similar information.
- Detailed personal information such as a person’s date of birth.
- Tokenised financial information, such as the bank account numbers and credit card numbers.
- Details of Our Partner’s businesses, including location of their stores.
Processing of special categories of personal information
We do not collect or process special categories of personal information (also known as "sensitive information") unless the relevant data subject provides explicit consent for us to do so.
Purposes for collecting, using and disclosing Personal Information
Afterpay Touch recognises the confidence entrusted in it when its customers and website users provide Personal Information. In order to deliver service required by its customers Afterpay Touch may sometimes share customers’ and users’ Personal Information with a provider of products and services distributed through the Afterpay Touch ESDS.
The Personal Information which individuals provide to Afterpay Touch may be collected, held, used or disclosed for the following reasons only:
- processing an order placed by a customer;
- providing a customer with products and/or services requested;
- billing a customer or administering a customer’s account;
- dealing with requests, enquiries or complaints and other customer care related activities;
- using aggregated and anonymised data only, carrying out market and product analysis and marketing Touch’s products and services generally;
- contacting a customer about Touch’s products and services but only with the customer's consent if the customer is an individual within the EU;
- registering a customer’s details and allocating or offering the customer rewards, discounts or other benefits services but only with the customer's consent if the customer is an individual within the EU; and
- carrying out any activity in connection with a legal, governmental or regulatory requirement on Touch or in connection with legal proceedings, crime or fraud prevention, detection or prosecution.
Our legal basis for processing EU data subjects' data in accordance with the above is:
- so far as items 1-4 inclusive are concerned, to meet our contractual obligations
- so far as items 5-7 inclusive are concerned, it is necessary for the purposes of our legitimate interests to process personal data in that way
- so far as item 8 is concerned, we are obliged to comply with the law
Afterpay Touch will not collect, hold, monitor or use any EU data subjects’ Personal Information about its customers and website users without their explicit consent unless it is necessary:
- because it is required by law;
- to provide its customers with a service that they have requested;
- to implement its terms of service;
- to protect the rights or property of Afterpay Touch, any Afterpay Touch customer, or any member of the public; or
- to lessen a serious threat to a person's health or safety.
Disclosure to overseas recipients
Save for as otherwise set out in this policy, there will be no disclosure of Personal Information by Afterpay Touch to recipients outside of Australia.
Most web browsers automatically accept Cookies. You can find information specific to your browser under the ‘help’ menu. You are free to decline our Cookies if your browser or browser add-on permits, unless our Cookies are required to prevent fraud or ensure the security of websites we control. However, declining our Cookies may interfere with your use of our websites and Afterpay Touch Services.
Storage, security and behaviours regarding Personal Information
Afterpay Touch will take all reasonable steps to ensure that Personal Information which it collects, uses or discloses is accurate, complete, up-to-date and stored in a secure environment protected from unauthorised access, modification and disclosure. The Personal Information, if in digital format, is stored on secure servers that are protected in controlled facilities, meeting the requirements of 3 separate compliance regimes: PCI DSS, ISO 27001 and IRAP. If in hardcopy format, the Personal Information is stored in locked areas in controlled facilities.
In some cases, these facilities are overseas. Afterpay Touch employees and data processors are obliged to respect the confidentiality of any Personal Information held by Afterpay Touch. However, security of communications over the internet cannot be guaranteed, and therefore absolute assurance that information will be secure at all times cannot be given.
In addition, Afterpay Touch's employees and data processors undertake continuing police reference checks to determine their suitability for employment. Touch employees and agents undergo a yearly privacy education program to ensure that all staff understand the correct handling of personal data.
Afterpay Touch is independently (and separately) audited for Medicare IRAP, ISO 27001 and PCI DSS on a regular basis. Afterpay Touch is also audited for some specific products, such as MoneyGram, to ensure that data for those systems is protected in the same way as personal data collected. Some of those product requirements stipulate that no Personal Information is stored.
Individual’s right to access
Afterpay Touch will respond to an individual’s request for access to his or her information within a period of seven (7) days. Afterpay Touch will provide access to the information in the manner requested by the individual, so far as it is reasonable and practicable to do so.
Correction and updating
Afterpay Touch will take all reasonable steps to ensure that the Personal Information it holds is accurate and will correct Personal Information within seven (7) days of a request from an individual. If Afterpay Touch is unable to correct Personal Information held, Afterpay Touch will provide an explanation in writing as to why the information cannot be corrected.
Afterpay Touch will deal with all complaints promptly and will endeavour to reach an amicable solution to the problem.
If you are not satisfied with the outcome of your complaint, you may make a complaint with the Privacy Commissioner at the Office of the Australian Information Commissioner (http://www.oaic.gov.au).
Afterpay Touch will comply with any applicable privacy laws of any jurisdiction which are binding on Afterpay Touch.
In particular, so far as data subjects in the EEA are concerned you have the right to:
Access. You have the right to request a copy of the personal information we are processing about you.
Rectification. You have the right to have incomplete or inaccurate personal information that we process about you rectified.
Deletion. You have the right to request that we delete personal information that we process about you unless it is lawful to retain it for other purposes.
Restriction. You have the right to restrict our unlawful processing of your personal information.
Portability. You have the right in certain circumstances to obtain personal information we hold about you and to transmit such data to another data controller.
Objection. Where the legal justification for our processing of your personal information is our legitimate interest, you have the right to object to such processing on grounds relating to your particular situation.
Withdrawing Consent. If you have consented to our processing of your personal information, you have the right to withdraw your consent at any time, free of charge.
You can make any of these requests in relation to your personal information by sending the request to the address at 1.2 above or to Korzo 11, HR-51000 Rijeka, Croatia, EU, or by email to DPO@afterpaytouch.com
Data subjects in the EEA also have the right to lodge a complaint with the local data protection authority if you believe that we have not complied with applicable data protection laws. Please click the link for a list of local data protection authorities in the countries within the EEA in which we operate.
Changes in policy
For more information about privacy issues in Australia, visit the Office of the Australian Information Commissioner's website at http://www.oaic.gov.au.