INCNET GDPR STATEMENT
WHAT IS THE EU GDPR
The General Data Protection Regulation (GDPR) came into effect on 25 May 2018 with the intent of unifying data protection laws across the European Union (EU).
The GDPR applies to “personal data” including any information relating to an identified or identifiable natural person.
TO WHOM DOES GDPR APPLY
The GDPR applies directly in all EU member states. However, in certain circumstances the GDPR can also apply to the processing activities of data controllers situated outside the EU.
GDPR applies to:
- The processing of personal data in the context of the activities of an establishment of a controller or processor in the EU regardless of whether the processing takes place in the EU or not;
- The processing of personal data of data subjects in the EU by a controller or processor not established in the EU where the activities relate to either of the following: a) The offering of goods or services to data subjects in the EU; b) The monitoring of the behaviour of data subjects as far as their behaviour takes place in the EU;
- The processing of personal data by a controller not established in the EU, but in a place where Member State law applies by virtue of public international law.
DOES GDPR GENERALLY APPLY TO INCNET
IncNet is an Australian business that is not established in the EU or the European Economic Area (EEA).
GDPR generally does not apply to IncNet’s activities for the following reasons:
- IncNet as a data controller does not have an establishment in the EU;
- IncNet’s business information data was collected in Australia and New Zealand with respect to individuals in Australia and New Zealand.
- IncNet does not offer goods or services to data subjects in the EU;
- IncNet does not monitor the behaviour of data subjects as far as their behaviour takes place in the EU;
- EU Member State law does not apply to IncNet’s processing by virtue of public international law.
WHAT BUSINESS DATA DOES INCNET PROVIDE
IncNet provides its customers with business contact information to help its customers locate and engage with other businesses (B2B data). This B2B data relates to businesses in Australia and New Zealand only. The B2B data may include “personal information” which is defined under The Australian Privacy Act 1988 (Privacy Act), as ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable’ (i.e. contact names of individuals employed by such businesses in Australia or New Zealand), however:
- the business data does not include individual consumer contact information (no B2C data);
- IncNet does not process sensitive personal data;
- IncNet does not process “special categories” of personal data; and
- the business data is subject to usage restrictions and may only be used internally by the client.
DOES INCNET COMPLY WITH GDPR
The GDPR does not generally apply to IncNet and its business activities.
The GDPR may still apply where IncNet engages a data processor established in the EU to perform services for IncNet. In this event, IncNet will require that such party complies with the GDPR.
Regardless of whether GDPR may apply indirectly to IncNet, IncNet must comply with the laws of Australia in relation to the transfer of personal data to and the processing by any data processor for which it is a controller.
INCNET COMPLIES WITH AUSTRALIAN PRIVACY LAW
IncNet takes all reasonable steps to ensure that any disclosure of its business data to an overseas recipient does not breach the Australian Privacy Principles (APPs) in relation to that information. IncNet will also take into account whether it reasonably believes the overseas recipient is subject to laws that are substantially similar to the APPs (eg GDPR or the UK Data Protection Act 2018).
This statement is intended to apply to IncNet’s Australian and New Zealand business contact information. This document is provided for information purposes only and does not constitute legal advice.