This Privacy Policy explains to you how GB Group plc and its group companies including GBG (Australia) Pty Ltd (jointly referred to as 'GBG') collect, hold, use and disclose (‘process’) your personal information:
GBG take the protection and security of your personal information very seriously and this policy sets out our responsibilities under the Privacy Act 1988 (Cth) (‘Australian Privacy Act’) and the Privacy Act 2020 (‘New Zealand Privacy Act’) and other applicable laws in Australia and New Zealand relating to the processing and security of personal information. We refer to the Australian Privacy Principles as the APPs and the New Zealand Information Privacy Principles as the IPPs. We refer to the Australian Privacy Act and the New Zealand Privacy Act together as ‘the Privacy Acts’. Where your personal information is transferred overseas, it will be treated in accordance with Australian and New Zealand laws at a minimum.
We have offices across multiple locations, and our registered head office is located within the United Kingdom.
GB Group Plc
The Foundation
Herons Way
Chester Business Park
Chester
United Kingdom
CH4 9GB
Company Registration Number: 02415211
If you have any questions about how your personal information is used by GBG, please email us at compliance@gbgplc.com or call + 61 (0)3 8595 1500.
Our Australian office is located at:
GBG (Australia) Pty Ltd (‘GBG AU’)
Level 4 / 360 Collins St
Melbourne
Victoria 3000
Australia
GBG AU has a registered overseas branch in New Zealand.
GBG review our Privacy Policy on an annual basis, sooner if changes to regulation require it or GBG change the way we process personal information.
This policy was last updated on 3rd February 2023.
What information do we collect about you?
Browsing our website: When you browse our website www.gbgplc.com, we will collect the Internet Protocol (IP) address of the device you are using, but will be unable to identify you at this point. We collect this data so that we can identify where customers are dropping out of the website and to identify areas of improvement to make the experience more engaging for our customers.
We use cookies on our website, so please see our Cookie Policy for more information.
Requesting a brochure: When you request a brochure from us, we will collect the following information from you:
Requesting a call back: when you request a call back from us, we will collect the following information from you:
Subscribing to our marketing lists: Where you have consented to receive marketing from GBG, we will collect the following information from you:
Requesting further information from us: Where you request further information from us by completing a form on our website in relation to our products and services, your details will be added to our marketing database to receive marketing from GBG relevant to the products and services you have an interest in. We will collect the following data from you:
Conferences and events: As a global organisation, GBG attends worldwide events and have marketing team members located around the world. GBG will obtain from the event organiser a delegate list of all attendees who have consented to their personal information being shared with GBG.
Entering into an agreement with GBG: When your organisation enters into an agreement with GBG to provide products and services, we will collect additional information, which is necessary for:
All personal information we collect is held electronically within our Customer Relationship Management systems (CRM) which are located in the United Kingdom.
GBG will share your information with third party service partners who are acting on behalf of GBG as our data processor. Below are the details of whom GBG will share your personal information with and why:
HubSpot Inc.: provides GBG with an email marketing solution, which delivers marketing emails on our behalf. HubSpot is headquartered in the US and their product infrastructure is hosted on Amazon Web Services in the US, with some services being routed through the Google Cloud Platform in Germany. We share the following personal information with HubSpot:
Price Waterhouse Coopers: supports GBG with our CRM systems and, as a result, their team located in Poland may access the live system for technical support.
Microsoft: our Dynamics 365 CRM system is cloud-based and hosted by Microsoft in the UK. In addition, when you visit our website you will be directed to the Microsoft Azure instance in the region nearest to you (Ireland, Hong Kong, California, or London) and the data will be stored in Ireland.
CustomerSure: carries out our Voice of the Customer surveys and is based in the UK. In order to determine customers’ level of satisfaction following their interaction with GBG at various pre-defined trigger points, CustomerSure will receive personal information from GBG's CRM systems. This is used to facilitate the sending of an email requesting completion of a survey and, following that, analysis of and appropriate reaction to the feedback received. The data is processed by CustomerSure in the UK with the exception of the disaster recovery backups, which are hosted in Ireland.
Brace Digital: provides development and technical support of our website and is located in the UK.
GBG can assure you that we have taken all reasonable technical and organisational measures necessary to protect the personal information that our third party service partners may access.
Marketing and the use of your personal information
As stated above, we use a third party service provider, HubSpot, to manage our email marketing solution. When you receive an email from GBG it will include an unsubscribe link, which you can click on if you wish to unsubscribe from our marketing lists. We will then add your email address to our suppression list, which will ensure you do not receive any further marketing from GBG.
Where you have opted out of marketing materials, you may still receive technical and product support communications from GBG related to any product or service you have purchased from us.
Please be assured we do not sell your personal information to third parties for marketing purposes.
How long do we retain your personal information for and why?
Where we have collected your personal information for marketing purposes, we will retain your personal information for as long as you remain subscribed to our mailing lists or until you inform us that you no longer wish to receive marketing from us.
For account management purposes, we will retain the personal information for as long as we have the relationship with your organisation. If GBG no longer have a relationship with your organisation, then we will only keep the relevant information, such as invoices, for audit purposes for 7 years after the relationship with GBG has ended.
Once GBG are informed you are no longer the contact we need to liaise with or you leave your organisation, we will remove your details from our system.
Visitors to our website
Analytics
We use Google Analytics to measure how users interact with our website in order to understand which parts of our sites are doing well, how people arrive at our site and so on. We use this information to improve our website. Google will not associate your IP address with any other data held by it. You can learn more about Google Analytics here or opt out if you wish here.
Cookies
We use various types of cookies in order to identify and track users and to store information about your preferences. Users may disable cookies; however, please keep in mind that if you decide not to accept all of the cookies, some parts of the site might not work properly. You can read more about how we use cookies in our Cookie Policy.
Search facility
The search facility on our website does not collect any personal information. Search queries and results are logged anonymously to help us improve the website and search functionality, but we do not have the ability to identify any individuals.
Security and performance
We keep a record of traffic data, which is logged automatically by our server, such as your IP address and any error messages visitors may encounter. Any traffic data we process in order to monitor our website is anonymised when required for analytics.
Visitors to our offices
We meet visitors at our offices, including:
Our visitors are asked to sign in and out at reception, or via an online link. The information collected will be name, company, contact details, who you’re visiting, time in/time out, vehicle licence plate number (if applicable), Covid related health information and date. The app used to collect this information is supplied by ‘Proxyclick’, and may be transferred overseas to the EU and USA. Where any overseas transfer of your data occurs, GBG will ensure your information is handled securely and managed in accordance with Australian and New Zealand privacy laws.
Visitor details are held for a period of 30 calendar days, in line with our CCTV recordings.
Wi-Fi
In order to access our on-site guest Wi-Fi, you will need to be on the list of authorised users to access the network. When connecting to the GBG GUEST WI-FI network, you will be asked to enter in the email address of a GBG nominee, who will authorise your request for internet access. Once the GBG nominee has granted you permission, you will have access to the network. We monitor access to our internet, and log traffic information such as the IP address, sites visited, times and dates, log on times and log off times. This data is held for 12 months.
CCTV
Closed-circuit television (CCTV) operates both inside and outside our Melbourne, Canberra, and Sydney offices.
Generally, recordings will be retained for up to 30 calendar days, after which they will be deleted. Imagery required for investigative or evidential purposes may be retained beyond 30 days and is securely disposed of upon completion/conclusion of the purpose for which it was retained.
Recordings are retained in a secure environment and are only accessible by authorised personnel who have a legitimate reason to do so.
Job applications
Our legal basis for processing your personal data
We rely on your consent as the legal basis to process your data for the purpose of considering and/or securing employment.
In addition to the above, we rely on your explicit consent as legal basis to process any information you choose to provide as part of your application which fall under the Sensitive data category such as health, religious or ethnicity information.
We will present you with a consent box and key information at the point you are ready to submit your application.
What personal data do we collect and why?
GBG uses Workable, an online application provided by Workable Software Limited, to assist with our recruitment process. We use Workable to process personal information as a data processor on our behalf. Workable is only entitled to process your personal data in accordance with our instructions.
When you apply online for a position with GBG we will use the personal data you provide to assist in the recruitment and selection process. The application for a role is a choice you have made, and this is the minimum information we require in order to process your application, which within the software are depicted as mandatory fields.
We may also receive your personal data from a third party, for example a recruitment company you have a relationship with who recommends you as a candidate for a specific role opening, or for our business more generally.
Workable’s technology allows GBG to search publicly available sources, for example LinkedIn, which may include your personal data such as your CV or Resume, to find potential candidates for our Talent Pool to fill current or future role openings. Where we find you in this way, we will obtain your personal data from these sources and inform you immediately of this.
If you are successful and accept an offer from GBG, we may also seek additional information from other sources, for example we will perform pre-employment background and reference checks to confirm details about you. All checks are carried out in a fair and consistent manner and will be limited to information that is directly relevant to the position being applied for and in pursuance of our employment obligations.
GBG respects and is committed to protecting the personal information of our candidates.
Information provided at the point of the application and any information obtained from other sources will be retained in all cases electronically only for as long as is required for the purposes of:
You have the opportunity to provide information in relation to reasonable adjustments you require in the recruitment process to assist you. As an equal opportunity employer, we are committed to providing fair opportunities for everyone, regardless of age, gender, race, religion, sexual orientation, parental status, or disability. Where applicable please inform your GBG Talent Attraction Specialist if you require any reasonable adjustments to the interview process. This is to ensure we enable all individuals to compete on equal terms.
You may also choose to provide some ‘Sensitive” personal information which will assist GBG with its Inclusion and Diversity agenda, this is depicted in optional fields, it is not mandatory and could also be provided voluntarily at a later date if you are successful in securing the role you have applied for. If you do provide this data during the application process, we will always ask for your explicit consent to process it. Please note that neither the Sensitive personal information you provide nor opting out of providing SEnsitive personal information will have any negative impact on your candidacy.
Who will we share your personal data with and why?
GBG will share your information with third party service partners, who are acting on behalf of GBG as our data processor, or a data controller in their own right, the details are below of whom GBG will share your personal information with and why:
Workable Software Limited provide GBG with the software which controls the be/hired process via the screens you are using now. The data within the software is hosted in the United States.
External Recruitment Agencies This is where you have engaged with an external recruitment agency and they have shared your details with GBG for a role they will have notified you about. We are unable to be more explicit in this statement as to who they are as we work with a large number of agencies globally. If you would like more information regarding your personal information, please contact us by using this form, email to: compliance@gbgplc.com or by writing to: Data Privacy and Compliance,
GBG (Australia) Pty Ltd (‘GBG AU’), Level 4 / 360 Collins St, Melbourne Victoria 3000
Australia .
SHL: provide GBG with a global talent assessment platform which is hosted in the United Kingdom. As part of your application journey, you may be asked to complete this assessment via a separate link. To generate this link, GBG will need to have shared your name and email address. The data entered is then determined by you.
PEO Worldwide: who provide GBG with an outsourced employment relationship for temporary contractors in new territories where GBG does not currently have a branch office. GBG will share the candidate data with PEO Worldwide who are based in the United Kingdom. The individual will then be onboarded by and enter into a direct employment relationship with the PEO entity in the relevant country who will also be a data controller.
Other Third Parties: This could include contacting the named referee(s) you have provided in order to gain a reference on you or once your application has been successful, your details may be shared with other third parties, such as a payroll provider. You will be notified of any further processing at the appropriate time.
How long do we retain your data for?
Your data is retained for 12 months within our recruitment platform, then it is automatically deleted unless when notified of imminent deletion you opt in to GBG holding this data for future role consideration. If you would like your data deleted sooner, please contact usingthis form so we can consider your request.
If your recruitment process goes beyond 12 months, you will be aware of this, with your personal data then held by GBG for the duration of your recruitment process.
If you are successful with your application, your personal data will form part of your employment record. There is a separate privacy notice to support how Team Member information is held, which will be shared at the appropriate time.
What information do we collect about you?
The personal information that we may collect about you broadly falls into the following categories:
We work with a number of trusted data suppliers, These include:
Government/Public Authorities - These bodies include authorities that provide driving licence information, passport information, citizen identification number, social security number, insolvency records (also in publicly available) or sanctions lists (also in publicly available).
Regulated Financial Services Organisations- These entities collect information about your financial status, but this data can also be used to help organisations like us verify your identity by confirming you are who you say you are, and where you live, or if you have lived at an address.
Other Regulated Organisations/Firms - These entities provide personal data which can help to verify or contact you, for example you have made a choice whether or not your landline is included in the public telephone directory.
Commercial Organisations - These entities provide your contact details, such as name, address, telephone number or email address, which we can then use to meet the request you have made to one of our Customers.
Customer Data - These customer entities have informed individuals that data will be provided to GBG for additional purposes of generating risk scores or creating fraud and/or identity alerts, insights and reports.
Publicly available, collected by a third party organisation or GBG - These entities provide information about insolvency records, property information, sanction lists, PEPs information, social media / convention online information / deep web / dark web, income index or family situation.
Non personal/address data - These entities provide information about deceased records, geocodes, co-ordinates, postcodes or zip codes.
We may also disclose your personal data to the following categories of recipients:
If we provide your personal information to any of these entities, we will always require them to manage it in accordance with the Australian Privacy Principles and/or the Information Privacy Principles in New Zealand. We may also provide your information to third parties if we are required to do so by law or under some unusual circumstances which are permitted under the Privacy Act 1988 (Cth), or the Privacy Act 2020 in New Zealand.
Overseas transfers of personal information
Your personal information may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country.
Our group companies, data suppliers, customers and third party providers and partners operate around the world. This means that when we collect your personal information we may process it in any of these countries.
However, we have taken appropriate safeguards to require that your personal information will remain protected in accordance with this privacy notice.
Where appropriate, these include implementing contractual arrangements to ensure your data is handled in accordance with Australian and/or New Zealand data protection laws, implementing the New Zealand Standard Contractual Clauses or ensuring these entities are subject to adequate laws in foreign jurisdictions. Where an international data transfer occurs between our group companies, the same arrangements are in place. We have implemented similar appropriate safeguards with our data suppliers, customers and third party providers and partners.
Data security
IS0 27001 Certification
GBG are a global specialist in identity data intelligence for some of the largest organisations in the world, which is why GBG aim to set the highest standards of information security and in doing so, have developed an Information Security Management System (ISMS) to meet the requirements of the ISO 27001:2013 standard. Its aim is to protect the confidentiality, integrity and availability of GBG and client held information resources and assets, thus safeguarding GBG and its clients from unauthorised access, compromise and/or disclosure of data.
PCI-DSS Certification
Some of the services we provide are compliant with the Payment Card Industry Data Security Standard (PCI DSS). Being compliant with PCI DSS means that we are doing our very best to keep our customers’ valuable information safe and secure and out of the hands of people who could use that data in a fraudulent way. PCI ensure technical and operational strengths to raise the bar on our security.
Cyber Essentials Certification
In addition to the above, we have services that are Cyber Essentials accredited, this helps prevent the vast majority of cyber-attacks. Having a Cyber Essentials badge enables us to:
The Compliance Platform is a product used by our business customers so they can verify the information that you have provided to them. We do this by matching the personal data you provide against third party data from our data suppliers or data that we have pooled together in our patented eDNA technology (described below) which is collected from other business customers.
How we use your personal information
We use the information you provide to match and verify against third party sources.
Matching your personal data may be done in two (2) ways, depending on the product that our customer is utilizing:
The Compliance Platform also enables our customers to manage ongoing screening requirements to assist with detection and prevention of fraud, and their obligations under Anti Money Laundering legislation.
eDNA
Our eDNA data consortium is a data pool that consists of the information that we receive from all of our customers who take any of our compliance platform products, which are all utilized for fraud and/or compliance purposes.
Please note that data that in eDNA is pseudonymized and one-way hashed for technical safeguarding and that we do not grant our customers or any third parties direct access to the data held in eDNA; the data in eDNA is only accessed to help our products process their fraud/compliance needs to generate a risk or pass/fail score, without actual disclosure of the data.
Data Retention
The data that we hold in eDNA is data that our customers provide to us, and this is kept until our customers direct us to delete it, or for no longer than 7 years, whichever is shorter.
GBG acquired Verifi Identity Services (‘Verifi’) in 2022. Verifi is the creator of the identity verification software Cloudcheck. The Cloudcheck Privacy Statement can be located on the Verifi Website here: https://www.verifidentity.com/legal/#privacy
greenID is a product used to verify the identity of individuals. GBG provides online identity verification and fraud detection solutions to businesses to assist them to onboard their customers. If you apply for a product or service with any of our customers, we will collect information about you (from you and/or from our customer) in order to verify your identity. In order to do this we will need to provide your information to our data partners to confirm your details.
How we use your personal information
We use the personal information we collect about you for the following purposes:
Data Retention
Your information will be held for a period of time in order to support our customers onboarding processes. That timeframe is negotiated between GBG and it’s business users depending on their requirements.
GBG’s customers access IDscan products and services to prevent and detect fraud. Using a combination of automated document recognition, digital tampering detection, advanced face-matching technologies and real-time online support from trained document examiners, our clients are able to on-board individuals while improving customer experience, fighting fraud and meeting compliance obligations.
How we use your personal information
IDScan obtains a copy of your identification document. Where GBG provides a hosted cloud storage solution to our clients, we hold your identity documents (IDs). We hold this data in order to provide our services, including storage, support and maintenance.
We also require sample documents to train and test our document recognition engine, so that we can improve our ability to recognise, extract from, validate and authenticate our customers’ documents. Where our customer has agreed to it, a copy of your ID or proof of address document might be provided to GBG to train the IDscan document recognition engine to recognise underperforming or unrecognised documents. The nature of the documents means that they include personal information such as photograph, name, address and date of birth. This information cannot be anonymised or pseudonymised without compromising the ability to train and test GBG’s document recognition engine. Our aim is to be fully transparent, which is why we suggest our Australian and New Zealand customers include a link to this Privacy Policy in their own notices so that individuals are informed of GBG’s involvement as part of the service we provide and so that individuals may exercise their rights under the Privacy Acts.
International Transfers
For our Australian and New Zealand customers, IDScan is hosted from Australia. For any New Zealand customers there will be a data transfer from New Zealand to Australia of personal information. PII from our Australian and New Zealand customers will generally be stored in Australia, unless product support is required (as detailed below).
If product support is required, this will be provided by our team based in the United Kingdom and Malaysia and our technical and support teams in Turkey. Should they be required to access or view any identification documents, this is considered to be a transfer of data to the United Kingdom, Malaysia or Turkey in order to facilitate that support.
Where there is an international data transfer to our United Kingdom, Malaysian or Turkey offices, your personal information will be handled in accordance with the Australian Privacy Act and APPs (at a minimum) in relation to the collection, use, disclosure, storage and destruction or de-identification of personal information.
Data retention
Documents captured via the IDScan for the document recognition engine will be retained until the earlier of the following events occurs (the ‘Retention Period’):
At the end of the Retention Period, we will take reasonable steps to destroy or de-identify the ID. Identity documents provided as part of a verification process are held for a maximum of 30 days before being deleted.
Loqate Inc. and Mastersoft (collectively,”Loqate”) take the protection and security of your personal information very seriously. Loqate is part of the group of corporate companies belonging to GB Group PLC group of entities (collectively, “GBG”).
This Privacy Policy applies to the Loqate (www.loqate.com/anz/) website and Loqate products and services offered in Australia and New Zealand.
How we use your personal information
The majority of personal information that we collect on individuals, with the exception of any B2B personal information (detailed below), is provided to us by our B2B clients for us to process on their behalf as their service provider. We perform these services to help our business clients better serve their consumers and to help with their cost-savings. The services we perform for our B2B business clients as their service provider includes the following: name, phone, email, and address validation, cleansing, and de-duplication and deceased suppression.
If you are a B2B client or prospective B2B client, we may also collect the following information from you: name, title, business contact details such as business address and business phone number, business credit/debit card billing information, user IDs and passwords, IP address, survey responses, and any additional information that you provide to us directly or through our websites or software applications. We use this for business and commercial purposes, such as being able to reach out to potential business prospects and to transact with our clients.
Data Retention
For account management purposes, we will retain the personal information we collected from you for as long as we have the relationship with your organization. If GBG no longer has a relationship with your organization then we will only keep the relevant information such as invoices for audit purposes 6 years after the relationship with GBG has ended. Once GBG are informed, you are no longer the contact we need to liaise with or your leave your organization, we will remove your details from our system.
For information that our B2B business clients provided to us on you for us to perform our contractual obligations to them as their service provider, we will retain this information for as long as it is reasonably necessary for us to complete performance, for the duration of our legitimate business interests, and/or comply with any audit or legal obligations.
As an individual, you have rights regarding the processing of your personal information, these are:
Please keep in mind that some of these rights are subject to an internal assessment that one of the grounds set out in the applicable Privacy Act is satisfied.
You can send these requests to compliance@gbgplc.com or by post to:
Data Protection Manager
GBG
Level 4 / 360 Collins St
Melbourne
Victoria 3000
Australia
Or call us on +61 (0)3 8595 1500.
You are not required to pay any charge for exercising your rights. We will always aim to provide you with access within 30 days (if the Australian Privacy Act applies) or within 20 working days (if the New Zealand Privacy Act applies) but in some cases, it may take longer. If GBG are unable to comply with your request, we will provide you with an explanation.
We appreciate that at GBG we may not always get things right and it is regrettable for us as an organisation when we receive a complaint. We take all complaints seriously and can assure you we will do our best to deliver a satisfactory outcome. If you do wish to complain about how your personal information is used by GBG then please write to us at:
Data Protection Manager
GBG
Level 4 / 360 Collins St
Melbourne
Victoria 3000
Australia
You can also email us at compliance@gbgplc.com.
GBG will investigate and respond within 10 working days of receipt of your complaint. This allows us time to investigate your complaint thoroughly.
Where you believe that GBG have not taken our responsibilities with your personal information seriously, you have the right to complain to the applicable Supervisory Authority. If your complaint arises under the Australian Privacy Act/APPs you must first raise your concerns with us and give us 30 days to satisfactorily resolve your complaint If your complaint arises under the New Zealand Privacy Act/IPPs, we ask that you do the same. The details for the Supervisory Authorities are as follows:
Office of the Australian Information Commissioner
GPO Box 5218
Sydney
NSW 2001
Australia
Telephone number: 1300 363 992
Email: enquiries@oaic.gov.au
Office of the Privacy Commissioner
PO Box 10094
Wellington 6143
New Zealand
Telephone number: 0800 803 909
Email: enquiries@privacy.org.nz