The privacy of your personal information is afforded the highest level of importance by Expr3ss! Pty Ltd ACN 102 229 961 LG 146 Arthur Street, North Sydney NSW 2060, Australia.
We are also required to comply with the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) to the extent that we collect the personal information of residents of the European Union. Expr3ss! is a data controller for the purposes of the GDPR.
What is “personal information”?
Personal information is information that identifies a particular individual. A person does not have to be mentioned by name for information to be “personal information”. A record or information will contain personal information if an individual can be “reasonably identified” from the record or information. Personal information can include information and opinions, regardless of whether the information is true or not. Personal information may also be referred to in this policy as personal data.
What is “sensitive information”?
Sensitive information is an important type of personal information. Sensitive information is personal information relating to an individual’s:
• racial or ethnic origin, including country of birth;
• political opinions;
• membership of a political association;
• religious beliefs or affiliations;
• philosophical beliefs;
• membership of a professional or trade association;
• membership of a trade union;
• sexual orientation or practices;
• criminal record; and
• child related employment screening reports.
Sensitive information also includes information relating to:
• genetics; and
Sensitive information may also be referred to in this policy as “special category data” for the purposes of the GDPR.
What is a “data controller”?
A data controller for the purposes of the GDPR means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal information.
What is a “data processor”?
A data processor means a natural or legal person, public authority, agency or other body which “processes” personal data on behalf of a data controller, and in accordance with the data controller’s instructions.
What is a “data subject”?
For the purposes of the GDPR, a data subject is an individual who is physically located in the European Union at the time that their personal information is collected by Expr3ss!. A person does not need to be a citizen of a European country in order to be considered a data subject. Throughout this policy we use the term “European Resident” to refer to a data subject.
What is a Member State?
For the purposes of the GDPR, a Member State refers to any one of the member states of the European Union.
What is the Expr3ss! Site?
The site located at https://companyname.expr3ss.com
What is a Job Advertiser?
An organisation or agency who has engaged Expr3ss! to, among other things, collect and manage applications from prospective employees in response to advertisements placed on the Expr3ss! Site by that organisation or agency.
Collection of Information
We will only collect personal information where it is reasonably necessary to do so for the conduct of our business. We generally collect your personal information through your submissions on the Expr3ss! Site.
The kinds of personal information that we collect and hold may include:
• your name, birth date and gender;
• your contact information, including postal and residential addresses, telephone and facsimile numbers, and email addresses;
• questions specific to the requirements of the employer;
• your education;
• your employment history;
• passport and visa details;
• academic records, transcripts, enrolment and assessment details; and
• submitted video recordings.
Any collection of personal information by us will be fair and lawful and will not be intrusive.
Expr3ss! will only solicit and collect sensitive information if:
• it is required to do so by law; or
• it has the consent of the individual to whom the information relates, and it is reasonably necessary for Expr3ss! to collect the sensitive information to enable it to carry out a relevant function or activity.
Expr3ss! will only collect sensitive information where the information is necessary for a relevant function or activity. Examples of a relevant function or activity include (but are not limited to):
• to determine whether an individual is permitted to work in Australia, having regard to Visa requirements; or
• qualification for particular employment/recruitment programs, financial or other assistance which may be allocated by reference to matters which constitute sensitive information, such as cultural background.
Expr3ss! may also collect sensitive information about an individual in order to comply with Expr3ss! obligations under Australian law, including but not limited to:
• language or cultural background;
• citizenship status;
• status as an Indigenous Australian;
• disability status; and
• health information.
We may also collect and hold information about you that is not personal information, including:
• data relating to your activity on the Expr3ss! Site via tracking technologies such as cookies; and
• the identity of your Internet browser, the type of operating system you use, your IP address and the domain name of your Internet service provider.
We may use this information for internal purposes, including administering our services, diagnosing problems, generating statistics and trends, and improving the quality of our products and services. We may also use this information to identify any submissions you make on the Expr3ss! Site and to assess your engagement with the Expr3ss! Site and the materials herein.
Expr3ss! will generally collect your personal information from you directly, unless:
• you consent to the collection of the information from someone else; or
• Expr3ss! is required or authorised by law to collect the personal information from a third party; or
• it is unreasonable or impracticable to obtain the personal information from you directly.
If it is reasonable and practical to do so, we will only collect personal information from the individual to whom the information relates. However, you authorise us to collect information from external sources including government agencies and other third parties such as advertisers, mailing lists, recruitment agencies, contractors and business partners as and when required.
If we collect personal information about you from a third party we will, where appropriate, request that the third party inform you that we are holding such information, how we will use and disclose it, and that you may contact us to gain access to and correct and update the information. We will not, however, make any such request to any third party in circumstances where it would not be practical to do so.
Use of Personal Information
Expr3ss! collects and uses your personal information on the lawful basis that it:
• Is pursuing its legitimate interests. This includes:
◊ To communicate with you in respect of news and information about our products and services;
◊ To provide Job Advertisers with the services and/or products which we have undertaken to provide them with under contract;
◊ To collate your contact details;
◊ To facilitate communication and engagement between you and Job Advertisers who utilise our services as part of their recruitment processes;
◊ to facilitate future employment opportunities in the event your initial employment application is unsuccessful;
◊ to operate and maintain its information technology systems;
◊ to improve the functionality of its website;
◊ to personalise your experience with our products and services, for example, via connectivity with social media services;
◊ to enable third party organisations to provide us with technical and support services;
◊ to obtain legal, financial, business and other professional advice in respect of its operations;
◊ to carry out direct marketing;
◊ to carry out statistical analysis and internal research in respect of its customer base, products and services; and
• Is complying with its legal obligations. This includes:
◊ the Corporations Act 2001 (Cth) which requires the disclosure of your personal information to third parties in certain circumstances; and
• is necessary to protect your vital interests. This includes:
◊ Releasing sensitive personal information where Expr3ss! considers that there is an imminent threat to your health, safety or life generally, or where it considers that it is necessary to avoid, lessen or prevent a serious emergency or crime.
Disclosure of personal information
The primary purpose for using or disclosing an individual’s personal information will include:
• to identify an individual and verify their identity;
• to provide Expr3ss! services to an individual and Job Advertiser;
• to do any of the things listed in the section of this Privacy Statement entitled “Use of Personal Information”; and
• to communicate with an individual.
Some Expr3ss! employees and contractors will have access to your personal information to a level that is necessary to enable them to perform their roles within Expr3ss!. They are obliged to respect the confidentiality of any personal information held by Expr3ss!. Expr3ss! will take reasonable steps to ensure that personal information is not disclosed to a third party, except in certain permitted situations. These include:
• where Expr3ss! obtains your consent;
• where it is necessary to provide that information to a third-party who provides services to Expr3ss!;
• where the disclosure is required or authorised by law or regulatory obligations; or
• any other circumstance permitted by the APPs.
Any disclosure that is required to be made to any third party will be made primarily for the purpose of providing or offering goods and services to you. If we disclose information to a third party, we generally require that the third party protect your information to the same extent that we do.
Any personal information submitted via our online form may need to be processed by a third party.
By submitting personal information via an online form on the Expr3ss! Site, you consent to the disclosure of that information to a third party, which may be located overseas, for the sole purpose of processing the online form. For the avoidance of doubt, third parties in Australia to whom your personal information might be disclosed include:
• Job Advertisers registered with us, but only those Job Advertisers with whom you have lodged an employment application either contemporaneously or in the past;
• contracted service providers including:
◊ information technology service providers, including cloud service providers;
◊ external business advisors, including accountants, auditors and lawyers;
◊ third party marketing providers; and
Third parties outside of Australia to whom your personal information might be disclosed include:
◊ information technology service providers, including cloud service providers;
◊ third party service providers;
◊ third party marketing providers.
In the event that the personal information being processed by a third party is the personal information of a European Resident, Expr3ss! will ensure that the requirements set out in the “Contracts with Third Party Data Processors” section of this Policy are adhered to.
Under the Act and APPs
Expr3ss! may, on occasion and where reasonable and appropriate, use your personal information for the purpose of sending you direct marketing materials which we consider may be of interest to you. Direct marketing may occur by mail, email, SMS or telephone.
Expr3ss! may also disclose your information to third parties or related entities for the purpose of allowing them to send you direct marketing materials directly.
Where the direct marketing is transmitted electronically or by telephone, Expr3ss! will at all times comply with any applicable laws including the Spam Act 2003 (Cth) and the Do Not Call Register Act 2006 (Cth).
Direct marketing will only occur if:
• Expr3ss! has the consent of the individual or where otherwise permitted by law (including where the use or disclosure is necessary to meet a contractual obligation to the Commonwealth);
• the individual would reasonably expect Expr3ss! to use or disclose the personal information for a direct marketing purpose;
• Expr3ss! provides a simple and readily identifiable means by which the individual may refuse to receive direct marketing from Expr3ss! (a refusal request);
• Expr3ss! provides a simple and readily identifiable means by which the individual may opt out from receiving direct marketing from Expr3ss! which they had previously consented to receiving (an opt out request); and
• the individual has not made an opt out or refusal request to Expr3ss!.
Direct marketing, as it relates to sensitive information, will be identical to that set out above for broader personal information, save and except for Expr3ss! obtaining the express consent of the individual concerned to use or disclose the sensitive information for a particular purpose.
Requirements of the GDPR
Expr3ss! may, on occasion and where reasonable and appropriate, use the personal information of European Residents in direct marketing. Direct marketing may occur by mail, email, SMS or telephone.
To the extent that any direct marketing material is transmitted electronically to European Residents, the requirements of the GDPR and the ePrivacy Directive (or any equivalent law that may be in place from time to time) will be adhered to. In particular, Expr3ss! will ensure that it has obtained the consent of the European Resident via an opt-in method before the direct marketing material is sent.
Storage and Security of Personal Information
The individual providing the personal information to Expr3ss! must also ensure that the personal information is both relevant and accurate.
We will generally hold your personal information as physical records, records on our servers and, in some cases, records on third party servers, which may be located overseas.
Expr3ss! will, wherever possible, keep all personal information strictly confidential.
Expr3ss! will take reasonable steps to protect the personal information it holds, in both hard copy and electronic form, from:
• misuse, interference and loss; and/or
• unauthorised access, modification or disclosure.
For example:
• data is encrypted in transit and at rest; and
• your personal data is accessible only to registered employees and contractors of the employer via password protected logins.
Expr3ss! has in place systems to manage all personal information so that it is able to destroy or permanently de-identify personal information, wherever reasonable and practicable, that is no longer needed for any reason.
Generally, subject to your right to erasure, personal information retained by Expr3ss! will be stored for as long as Expr3ss! requires it to:
• fulfil our obligations under law;
• discharge our contractual obligations;
• carry out the purpose for which the personal information was collected; and/or
• otherwise facilitate the reasonable conduct of our business operations
following which time it will be either destroyed or anonymised.
Expr3ss! reserves the right to retain the personal information of European Residents which it holds for the following purposes indefinitely:
• archiving purposes in the public interest;
• scientific or historical research purposes; or
• statistical purposes.
Expr3ss! will manage all data breaches in accordance with the mandatory Notifiable Data Breaches Scheme (NDB Scheme) in Australia, as well as the mandatory notification obligations under the GDPR.
Obligations of Expr3ss! under the NDB Scheme
In accordance with the NDB Scheme, in the event of a suspected data breach Expr3ss! will:
• contain the breach and, if possible, take remedial action; and
• commence the requisite assessment process to determine whether the data breach is likely to be an “eligible data breach” for the purposes of the NDB Scheme. An “eligible data breach” being one where:
◊ there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by it;
◊ the access, disclosure or loss is likely to result in “serious harm” to any of the individuals to whom the information relates. In this context, “serious harm” refers to serious physical, psychological, emotional, financial or reputational harm to an individual or individuals; and
◊ Expr3ss! has not been able to prevent the likely risk of serious harm with remedial action.
If Expr3ss! has reasonable grounds to believe that an “eligible data breach” has occurred, it will:
• prepare a statement to the Office of the Australian Information Commissioner (OAIC) as soon as practicable (OAIC Statement);
• notify the individual to whom the information relates as soon as practicable after the statement has been prepared; and
• provide that individual with a copy of the OAIC Statement.
If Expr3ss! is unable to locate the individual to whom the eligible data breach relates for the purpose of providing them with a copy of the OAIC Statement, a copy of the OAIC Statement will be posted on our website.
Obligations under the GDPR
In accordance with the GDPR, Expr3ss! will ensure that:
• on becoming aware of a data breach, it will:
◊ attempt to contain it and assess the potential adverse consequences for individuals involved; and
◊ if, after conducting an assessment, it considers that:
† there is a risk to an individual’s rights and freedoms as a result of the personal data breach, it will report the breach to the relevant Supervisory Authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach; and
† there is a high risk to an individual’s rights and freedoms as a result of the personal data breach, it will report the breach to the relevant Supervisory Authority in accordance with the clause above and notify the individual affected without undue delay.
Expr3ss! will keep a record of all personal data breaches, regardless of whether or not they need to be reported to the Supervisory Authority.
Expr3ss! will not report a personal data breach in the event that, after conducting an assessment, we consider that the risk of harm to an individual’s rights and freedoms is unlikely.
A “personal data breach” for the purposes of the GDPR includes, but is not limited to, whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.
Contracts With Third Party Data Processors
In the event that Expr3ss! engages a data processor to process the personal data of European Residents on its behalf, it will only do so if that data processor has provided Expr3ss! with sufficient guarantees that it will implement appropriate technical, contractual and organisational measures that ensure compliance with the GDPR, and the protection of the personal information of European Residents.
To the extent that Expr3ss! engages a third party data processor, it will ensure that it enters into a written agreement with that data processor, which sets out, as a minimum, terms which require the processor to:
• only act on the written instructions of Expr3ss! as the data controller;
• ensure that people processing the data are subject to a duty of confidence;
• take appropriate measures to ensure the security of processing;
• only engage sub-processors with the prior consent of Expr3ss! and under a written contract;
• assist the controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
• assist Expr3ss! in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
• delete or return all personal data to Expr3ss! as requested at the end of the contract; and
• submit to audits and inspections, provide Expr3ss! with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell Expr3ss! immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.
Data Access & Correction
You can review your personal information online via the Expr3ss! Site, or you may request access to your personal information at any time by sending a written request to our Privacy Officer by mail at Expr3ss! Pty Ltd ACN 102 229 961 LG 146 Arthur Street, North Sydney NSW 2060, Australia, or by using the contact form on the Expr3ss! Site.
You do not need to provide a reason for your request.
Expr3ss! will not impose a fee for making an access or correction request in the first instance. However, we may charge a small fee for administrative costs incurred by us in providing access to your personal information in those circumstances where the request is manifestly unfounded or excessive, and requires a significant amount of time to locate or collect your information or to present it in an appropriate form.
Expr3ss! will generally grant an individual access to their personal information unless an exception applies. Exceptions include where:
• giving access would have an unreasonable impact on the privacy of other individuals;
• the request for access is frivolous or vexatious;
• the request is manifestly unfounded or excessive (taking into account whether the request is repetitive in nature); or
• the access would be unlawful.
We will take reasonable steps to ensure that the personal information we collect about you is accurate, up-to-date and complete, and ensure that the personal information we use or disclose is accurate, up-to-date, complete and relevant. You are free to update your personal information at any time by sending a written request to our Privacy Officer by mail at Expr3ss! Pty Ltd ACN 102 229 961 LG 146 Arthur Street, North Sydney NSW 2060, Australia, or by using the contact form on the Expr3ss! Site. There is no cost for updating your information.
If we are unable to provide you with access to your information, or make any amendments which you have requested, we will provide you with written reasons for our refusal within a reasonable time period.
Additional Rights Of European Residents Under The GDPR
In addition to the protections afforded under the Privacy Act and the APPs, if you are a European Resident, you have a number of additional rights under the GDPR, including:
• the right to receive personal data you have provided to us in a structured, commonly used and machine readable format, including the right to request that we transmit this data directly to another data controller;
• the right to restrict the processing of your personal data in certain circumstances. This means that you can limit the way that we use your data (this right is an alternative to requesting the erasure of your data); and
• the right to require us to erase your data in certain circumstances.
In the event that a European Resident requests that their data be erased, Expr3ss! will assess this request against any relevant record keeping obligations it has under any statute or regulation, and retains the right to seek professional advice in respect of any conflict of law issues that might arise as a result of the initial assessment before the European Resident’s request for erasure is granted.
Cross-Border Disclosure of Information
We are likely to disclose your information to overseas recipients, including, but not limited to our third party servers, international advertisers, or international branches of Australian based companies. You consent to us disclosing your personal information to such overseas recipients for purposes necessary or useful in the course of operating our business. Such disclosures will be in accordance with the APPs, subject to clause 26.a of the Expr3ss! Service Terms. The countries in which such recipients are likely to be located include, but are not limited to, Hong Kong, New Zealand and the United Kingdom.
If you do not want us to disclose your information to overseas recipients, please let us know.
Expr3ss! may also, from time to time, disclose the personal information of European Residents to third parties outside of the European Union. However, Expr3ss! will only do so where:
• the foreign jurisdiction governing a third party has been assessed as “adequate” in terms of data protection in accordance with the GDPR; and/or
• sufficient safeguards (such as a binding contract or corporate rules or any other safeguards prescribed by the GDPR) have been put in place; or
• a derogation or exception as listed in the GDPR applies.
If you are a European Resident and have any questions about Expr3ss!’s compliance with the GDPR, please contact the Privacy Officer in the first instance.
We take all complaints seriously, and will respond to your complaint within a reasonable period.
If you are interested in obtaining additional information about privacy, you can visit the Australian Privacy Commissioner’s website at www.oaic.gov.au.
Please note that there are inherent risks in transmitting information over the Internet. There is a possibility that your information could be accessed by a third party while in transit. Each User of the Expr3ss! Site should make their own assessment of the possible security risks to their information when deciding whether or not to use the Expr3ss! Site.
Expr3ss! cannot ensure or warrant the security of any information transmitted to Expr3ss! online and individuals do so at their own risk. To the extent permitted by law, Expr3ss! accepts no responsibility for the unauthorised access of personal information held by Expr3ss!.
Importantly, cookies do not need to identify the user or record any personal information. No attempt is made to identify you or your browsing activities except, in the event of an investigation, where a law enforcement agency may exercise a warrant to inspect the service provider’s logs, or where your usage is causing technical issues for the Expr3ss! Site that may need to be resolved and Expr3ss! needs to contact you. A notice will be posted on the Expr3ss! Site if the Expr3ss! Site attempts to identify individuals from their cookies unless that identification is required by law or to assist in law enforcement.
The default settings of most internet browsers allow cookies. However, users may change their browser settings to disallow cookies. Please note that some parts of the Expr3ss! Site may not function fully for users that disallow cookies.
To the extent that any cookies placed on the Expr3ss! Site by Expr3ss! or a third party can uniquely identify a European Resident, the requirements of the GDPR will be adhered to. In particular, Expr3ss! will ensure that:
• consent is obtained prior to the setting of the cookies;
• a European Resident can withdraw their consent at any time by changing the relevant settings;
• a European Resident’s consent is renewed every 12 months;
• it documents a European Resident’s consent and stores it securely; and
• it deletes the personal information of a European Resident upon request.