1.2 Who do we collect your personal information from?
We collect personal information about you from:
a) You, when you provide that personal information to us, including via the website and any related service, through any registration process or through any contact with us (e.g. telephone call or email).
b) Third parties where you have authorised this or the information is publicly available.
If possible, we will collect personal information from you directly.
1.3 How we use your personal information
We will use your personal information:
- to verify your identity
- to provide services and products to you
- to market our services and products to you, including contacting you electronically (e.g. by text or email for this purpose)
- to improve the services that we provide to you
- to undertake pre-employment checks of you
- to bill you and to collect money that you owe us, including authorising and processing credit card transactions
- to respond to communications from you, including a complaint
- to conduct research and statistical analysis (on an anonymised basis)
- to protect and/or enforce our legal rights and interests, including defending any claim
- for any other purpose authorised by you or the Act.
1.4 Disclosing your personal information
We may disclose your personal information to:
- another entity within our group
- any business that supports our services and products, including any person that hosts or maintains any underlying IT system or data centre that we use to provide the website or other services and products
- a credit reference agency for the purpose of credit checking you
- other third parties (for anonymised statistical information)
- a person who can require us to supply your personal information (e.g. a regulatory authority)
- any other person authorised by the Act or another law (e.g. a law enforcement agency)
- any other person authorised by you.
A business that supports our services and products may be located outside Australia. This may mean your personal information is held and processed outside New Zealand, for example, in AWS Cloud storage.
1.5 Protecting your personal information
We will take reasonable steps to keep your personal information safe from loss, unauthorised activity, or other misuse.
1.6 Accessing and correcting your personal information
Subject to certain grounds for refusal set out in the Act, you have the right to access your readily retrievable personal information that we hold and to request a correction to your personal information. Before you exercise this right, we will need evidence to confirm that you are the individual to whom the personal information relates. In respect of a request for correction, if we think the correction is reasonable and we are reasonably able to change the personal information, we will make the correction. If we do not make the correction, we will take reasonable steps to note on the personal information that you requested the correction. If you want to exercise either of the above rights, email us at email@example.com. Your email should provide evidence of who you are and set out the details of your request (e.g. the personal information, or the correction, that you are requesting). We may charge you our reasonable costs of providing to you copies of your personal information or correcting that information.
1.7 Internet use
While we take reasonable steps to maintain secure internet connections, if you provide us with personal information over the internet, the provision of that information is at your own risk.
If you post your personal information on the website’s contact forms, you acknowledge and agree that the information you post is publicly available.
2 GDPR Attestation
Specific technical or organisational measures over and above what My General Counsel has in place in order to meet customer obligations as a data controller under the GDPR will need to be discussed and agreed with My General Counsel in a Statement of Work and a data processing agreement. To the extent that My General Counsel is a data processor and/or a data importer for the purposes of the GDPR, we will agree in the relevant data processing agreement to:
- only act on your authorised, lawful and reasonable instructions with respect to the personal data we process for you; we will ensure that personal data passed on to us as a data processor is not retained or used by us for our own purposes;
- impose confidentiality obligations on all our personnel who process the relevant data;
- apply appropriate security measures to the personal data to protect it from unauthorised access or disclosure and ensure the security of the personal data that we process is in accordance with ISO 27001:2013 Information Security Management Systems;
- obtain your consent for the appointment of sub-processors (if any);
- ensure we agree a retention period for the categories of personal data held on our systems;
- notify you, without undue delay, in the event of a data security breach affecting the personal data being processed on your behalf;
- notify you, without undue delay, in the event we receive a subject access request from a relevant data subject;
- reasonably comply with any registration requirements to the extent relevant to our role as a data processor for the duration of the contract;
- implement measures that are agreed with us to assist you in complying with the rights of data subjects such as the deletion or return of the data upon termination or ending of the contract with us;
- reasonably assist and co-operate with you with respect to any data protection authority enquiry, audit or investigation; and
- reasonably provide you with all information necessary to demonstrate compliance with the GDPR.