GB Group Plc (‘GBG’) Australia & New Zealand Website Privacy Policy

Privacy Policy

General information and contact details

This Privacy Policy explains to you how GB Group plc and its group companies including GBG (Australia) Pty Ltd (jointly referred to as 'GBG') collect, hold, use and disclose (‘process’) your personal information:

  • whilst you are using the GBG website gbgplc.com.
  • when you enter into a contract with GBG to provide services to your organisation.
  • when you visit one of our offices.
  • when you apply for a job at GBG.
  • in connection with our products and services.

GBG take the protection and security of your personal information very seriously and this policy sets out our responsibilities under the Privacy Act 1988 (Cth) (‘Australian Privacy Act’) and the Privacy Act 1993 (‘New Zealand Privacy Act’) and other applicable laws in Australia and New Zealand relating to the processing and security of personal information. We refer to the Australian Privacy Principles as the APPs and the New Zealand Information Privacy Principles as the IPPs. We refer to the Australian Privacy Act and the New Zealand Privacy Act together as ‘the Privacy Acts’. Where your personal information is transferred overseas, it will be treated in accordance with Australian and New Zealand laws at a minimum.

We have offices in 22 locations, and our registered head office is located within the United Kingdom.

GB Group Plc
The Foundation
Herons Way
Chester Business Park
Chester
United Kingdom
CH4 9GB

Company Registration Number: 02415211

If you have any questions about how your personal information is used by GBG, please  email us at compliance@gbgplc.com or call  + 61 (0)3 8595 1500.

Our Australian office is located at:

GBG (Australia) Pty Ltd (‘GBG AU’)
Level 4 / 360 Collins St
Melbourne
Victoria 3000
Australia

GBG AU has a registered overseas branch in New Zealand.

GBG review our Privacy Policy on an annual basis, sooner if changes to regulation require it or GBG change the way we process personal information.

This policy was last updated on 28 July 2020.

Use of your data

Browsing our website: When you browse our website www.gbgplc.com, we will collect the Internet Protocol (IP) address of the device you are using, but will be unable to identify you at this point. We collect this data so that we can identify where customers are dropping out of the website and to identify areas of improvement to make the experience more engaging for our customers.

We use cookies on our website, so please see our Cookie Policy for more information.

Requesting a brochure: When you request a brochure from us, we will collect the following information from you:

  • Email address (so that we can send the brochure to you).
  • The name of your organisation (so that we can identify which sectors are showing the most interest in our products/services).
  • Your IP address (which will no longer be anonymous; we will therefore be able to identify you).

Requesting a call back: when you request a call back from us, we will collect the following information from you:

  • Your name (so that we contact the right individual).
  • Your contact telephone number (so that we contact the right individual).
  • Your reason for contact (so that we can direct your call back to the right team who will respond to you directly).
  • Your IP address (which will no longer be anonymous; we will therefore be able to identify you).

Subscribing to our marketing lists: Where you have consented to receive marketing from GBG, we will collect the following information from you:

  • Your name (so that we market to the right individual).
  • Email address (so that we send the marketing to the right place).
  • The marketing preferences indicated by yourself, such as your areas of interest and how you want to be marketed to.
  • Your IP address (which will no longer be anonymous; we will therefore be able to identify you).
  • A record of your consent to confirm what you have consented to and when.

Requesting further information from us: Where you request further information from us by completing a form on our website in relation to our products and services, your details will be added to our marketing database to receive marketing from GBG relevant to the products and services you have an interest in. We will collect the following data from you:

  • Your name (so that we market to the right individual).
  • Email address (so that we send the marketing to right place).
  • The marketing preferences indicated by yourself, such as your areas of interest and how you want to be marketed to.
  • Your IP address (which will no longer be anonymous; we will therefore be able to identify you).

Conferences and events: As a global organisation, GBG attends worldwide events and have marketing team members located around the world. GBG will obtain from the event organiser a delegate list of all attendees who have consented to their personal information being shared with GBG. 

Entering into an agreement with GBG: When your organisation enters into an agreement with GBG to provide products and services, we will collect additional information, which is necessary for:

  • The performance of the contract we have with your organisation, such as billing information; and
  • Providing service updates related to the product/service GBG are providing to you.

All personal information we collect is held electronically within our Customer Relationship Management systems (CRM) which are located in the United Kingdom.

GBG will share your information with third party service partners who are acting on behalf of GBG as our data processor. Below are the details of whom GBG will share your personal information with and why:

HubSpot Inc.: provides GBG with an email marketing solution, which delivers marketing emails on our behalf. HubSpot is headquartered in the US and their product infrastructure is hosted on Amazon Web Services in the United States, with some services being routed through the Google Cloud Platform in Germany. We share the following personal information with HubSpot:

  • When you are browsing our website, HubSpot capture the anonymous IP address.
  • At the point that you enter all of the required personal information relating to a free trial, demo, brochure request, or contact information for marketing, HubSpot will receive all of the personal information you provide via the website.
  • For the purposes of marketing to our existing customer and prospect base and identifying which website visitors are already known to GBG, HubSpot will receive personal data relating to our primary contact at your organisation with whom we correspond as part of a sales process and/or in support and administration of customer contracts.

Price Waterhouse Coopers: supports GBG with our CRM systems and, as a result, their team located in Poland may access the live system for technical support.

Microsoft: our Dynamics 365 CRM system is cloud-based and hosted by Microsoft in the UK. In addition, when you visit our website you will be directed to the Microsoft Azure instance in the region nearest to you (Ireland, Hong Kong, California, or London) and the data will be stored in Ireland.

CustomerSure: carries out our Voice of the Customer surveys and is based in the UK. In order to determine customers’ level of satisfaction following their interaction with GBG at various pre-defined trigger points, CustomerSure will receive personal information from GBG's CRM systems. This is used to facilitate the sending of an email requesting completion of a survey and, following that, analysis of and appropriate reaction to the feedback received. The data is processed by CustomerSure in the UK with the exception of the disaster recovery backups, which are hosted in Ireland.

Brace Digital: provides development and technical support of our website and is located in the UK.

GBG can assure you that we have taken all reasonable technical and organisational measures necessary to protect the personal information that our third party service partners may access.

Accuracy

Where you have consented to receive marketing from GBG we will only market to you via the channel you have consented to (such as email, telephone etc.). As stated above, we use a third party service provider, HubSpot, to manage our email marketing solution. When you receive an email from GBG it will include an unsubscribe link, which you can click on if you wish to unsubscribe from our marketing lists. We will then add your email address to our suppression list, which will ensure you do not receive any further marketing from GBG.

Please be assured we do not sell your personal information to third parties for marketing purposes.

As part of the account management process, GBG will on a regular basis enquire if the personal information we hold about you is correct. You can also ensure your personal information is correct by:

  • Contacting GBG at compliance@gbgplc.com.
  • Alternatively, if your organisation has an agreement with GBG for the provision of services, you can contact your GBG account manager, who will ensure they update your record on our CRM system.

Data retention

Where we have collected your personal information for marketing purposes, we will retain your personal information for as long as you remain subscribed to our mailing lists or until you inform us that you no longer wish to receive marketing from us. 

For account management purposes, we will retain the personal information for as long as we have the relationship with your organisation. If GBG no longer have a relationship with your organisation, then we will only keep the relevant information, such as invoices, for audit purposes for 7 years after the relationship with GBG has ended. 

Once GBG are informed you are no longer the contact we need to liaise with or you leave your organisation, we will remove your details from our system.

Transfers outside of Australia or New Zealand

In addition to the transfers detailed above, as a global organisation, it will be necessary for your personal information to be transferred to our sales and support teams, which are located all over the world, for account management activities and, where you have provided consent, for marketing purposes.  GBG will ensure the transfer of any personal information outside of Australia or New Zealand is subject to appropriate safeguards.  Please see below where we detail specific products which require a transfer of data.

Contacting us

Social media

If you contact us through one of our GBG social media accounts by either a publicly visible message or a private direct message, this will be handled by our Communications Team. You will be asked to send your enquiry to the relevant team and provided with their email address. Messages received on social media containing personal information are deleted within one week.

We do not track individuals and the analytics data we receive is not at a granular level. We do not scrape data from LinkedIn. GBG uses Sales Navigator to process personal information within LinkedIn. Obtaining personal information from LinkedIn by any other method is against the terms and conditions of LinkedIn and against GBG policy.

Emails

We use Office 365 encryption (TLS/SSL, IPSec, AES) and Mimecast to encrypt and protect email traffic. In addition, email filtering software is currently in place to monitor all incoming and outgoing emails for inappropriate or malicious content, spam, and unencrypted proprietary and/or personal information.

Purpose and legal basis for processing

We process the information mentioned in this section in order to be able to reply to any queries we receive and enhance the services we provide, which we believe also benefits our customers. The legal basis we rely on to process your personal information is APP 3.2, which allows us to collect personal information when it is reasonably necessary for one or more of GBG’s functions or activities and IPP 1 which allows us to collect information for a lawful purpose connected with one of our functions or activities where the collection of the information is necessary for that purpose.

Visitors to our website

Analytics

We use Google Analytics to measure how users interact with our website in order to understand which parts of our sites are doing well, how people arrive at our site and so on. We use this information to improve our website. Google will not associate your IP address with any other data held by it. You can learn more about Google Analytics here or opt out if you wish here.

Cookies

We use various types of cookies in order to identify and track users and to store information about your preferences. Users may disable cookies; however, please keep in mind that if you decide not to accept all of the cookies, some parts of the site might not work properly. You can read more about how we use cookies in our Cookie Policy.

Search facility

The search facility on our website does not collect any personal information. Search queries and results are logged anonymously to help us improve the website and search functionality, but we do not have the ability to identify any individuals.

Security and performance

We keep a record of traffic data, which is logged automatically by our server, such as your IP address and any error messages visitors may encounter. Any traffic data we process in order to monitor our website is anonymised when required for analytics.

Purpose and legal basis for processing

We process the information mentioned above for carefully considered and specific purposes mentioned in each section, which are in our legitimate interests to enable us to enhance the services we provide, which we believe also benefits our customers. This is in accordance with APP 3.2, which allows us to collect personal information when it is reasonably necessary for one or more of GBG’s functions or activities and IPP 1 which allows us to collect information for a lawful purpose connected with one of our functions or activities where the collection of the information is necessary for that purpose.

Visitors to our offices

Visitor book

We meet visitors at our offices, including:

  • Potential and existing customers;
  • External training providers;
  • Job applicants;
  • Suppliers and tradespeople; and

Our visitors are asked to sign in and out at reception. The information collected will be name, company, who you’re visiting, time in/time out, vehicle licence plate number (if applicable), and date. This information will be contained in the visitor’s badge, which you will be required to wear throughout your visit.

At the end of each working week, the visitor forms are securely destroyed.

If your visit is planned, we will send your name and visit information to reception prior to your visit so they are expecting you.

Purpose and legal basis for processing

It is important GBG capture the details of visitors to our offices for various reasons, including but not limited to health and safety, fire safety, building security, and safety of our team members. This is in accordance with APP 3.2, which allows us to collect personal information when it is reasonably necessary for one or more of GBG’s functions or activities and IPP 1 which allows us to collect information for a lawful purpose connected with one of our functions or activities where the collection of the information is necessary for that purpose.

Wi-Fi

In order to access our on-site guest Wi-Fi, you will need to be on the list of authorised users to access the network. When connecting to the GBG GUEST WI-FI network, you will be asked to enter in the email address of a GBG nominee, who will authorise your request for internet access. Once the GBG nominee has granted you permission, you will have access to the network. We monitor access to our internet, and log traffic information such as the IP address, sites visited, times and dates, log on times and log off times. This data is held for 12 months.

Purpose and legal basis for processing

The purpose for processing this information is to provide you with access to the internet while visiting our office. This is in accordance with APP 3.2, which allows us to collect personal information when it is reasonably necessary for one or more of GBG’s functions or activities and IPP 1 which allows us to collect information for a lawful purpose connected with one of our functions or activities where the collection of the information is necessary for that purpose.

CCTV

Closed-circuit television (CCTV) operates both inside and outside our Chester, Kuala Lumpur, London, Melbourne, Canberra, Nottingham, Turkey, and Worcester offices.

Generally, recordings will be retained for up to 30 calendar days, after which they will be deleted. Imagery required for investigative or evidential purposes may be retained beyond 30 days and is securely disposed of upon completion/conclusion of the purpose for which it was retained. Our Chester, Kuala Lumpur and Nottingham offices must retain the images for 90 days in order to comply with PCI-DSS requirements.

Recordings are retained in a secure environment and are only accessible by authorised personnel who have a legitimate reason to do so.

Any CCTV used in our Edinburgh, Liverpool or New York offices is not operated by us, so we are not the data controller. It will be under the control of the relevant building landlord.

Purpose and legal basis for processing

GBG uses CCTV imagery for the purposes of maintaining the safety and security of our building and team members, and for investigative purposes as evidence to support the effective management of any incidents. This is in accordance with APP 3.2, which allows us to collect personal information when it is reasonably necessary for one or more of GBG’s functions or activities.

Job applications

What personal information GBG collect and why

When you apply online for a position with GBG we will use the information you provide to assist in the recruitment and selection process. There is information we require in order to process your application, which within the software is depicted as mandatory fields. GBG may also seek additional information from other sources, for example, by using your references in the final stages of the recruitment process.

You have the opportunity to provide information in relation to additional adjustments required for the recruitment process to assist you. This is to ensure we enable all individuals to compete on equal terms. You may choose to provide some special category data here, such as ethnicity, religious beliefs or medical conditions, but it is not required and can optionally be provided at a later date.

Purpose and legal basis for processing

Our purpose for processing your data in the event of a job application is to assess your suitability for the role. This is in accordance with APP 3.2, which allows us to collect personal information when it is reasonably necessary for one or more of GBG’s functions or activities and IPP 1 which allows us to collect information for a lawful purpose connected with one of our functions or activities where the collection of the information is necessary for that purpose.

With regard to any special category data you provide, we collect this information to monitor equality and diversity to ensure we comply with legislation such as the Australian Human Rights Commission Act 1986 (Cth) and the Equal Opportunity Act 2010 (Vic). This is in accordance with APP 3.2, which allows us to collect personal information when it is reasonably necessary for one or more of GBG’s functions or activities and IPP 1 which allows us to collect information for a lawful purpose connected with one of our functions or activities where the collection of the information is necessary for that purpose.

Data retention

Information provided on the application form and any information obtained from other sources will be retained in all cases in hard copy format and/or electronically only for as long as is required for the purposes of:

  • the administration of your application,
  • future consideration where applicable (you will be notified separately if your application details will be retained for this purpose and provided with the opportunity to request deletion), or
  • discharging any legal or regulatory requirements.

Your data is retained for 3 months within be/hired, our internal HR platform, then it is automatically deleted. If you would like your data deleted sooner, please contact compliance@gbgplc.com so we can raise this as a request for Access UK Ltd to complete on our behalf.

If your recruitment process goes beyond 3 months, you will be aware of this, with your personal information then held by GBG for the duration of the recruitment process.

If you are successful with your application, the personal information you have supplied to us will form part of your employment record.

Use of data processors

GBG will share your information with third party service partners, who are acting on behalf of GBG as our data processor:

Access UK Ltd: provides GBG with the software which controls the be/hired process. This is hosted in the UK. GBG is unable to change the questions which have been asked or the process within the system you are taken through. Whilst Access UK controls the “how” from a software perspective and hosts this platform, your personal information is gathered by GBG as the data controller, so we decide on why this is processed, who it is shared with, etc. The aCloud Recruitment Team at Access UK (Deployment/Development & support) appoints one individual in the hosting team with access to the server for support and maintenance purposes only. 

CEB Inc: provides GBG with a global talent assessment platform which is hosted in the US. As part of your application you may be requested to complete this assessment via a separate link. To generate this link, GBG will need to have shared your name and email address. The data entered is then determined by you.

Other third parties

Where you have engaged with an external recruitment agency they will have shared your details with GBG for a role they have notified you about. The recruitment agency also acts as a data controller.

We are unable to be more explicit in this statement as to who they are as we work with a large number of agencies globally. If you would like more information regarding your personal information, please contact us by email at compliance@gbgplc.com or by writing to: Data Protection Manager, GBG, Level 4 / 360 Collins St, Melbourne, Victoria 3000, Australia.

We may also contact the named referee(s) you have supplied in order to provide a reference on you. Or once your application has been successful, your details may be shared with other third parties, such as a payroll provider. You will be notified of any further processing at the appropriate time.

Accuracy of your personal information

You enter your own information, so please ensure it is correct. If this needs to be updated, please contact behired@gbgplc.com who will be able to facilitate your request.

International data transfers

As a global organisation, a transfer taking place will depend on where in the world you are based and the role you have applied for.

The platform on which be/hired is hosted by Access UK is in the United Kingdom, so your personal information will be transferred to the UK. If you complete a talent assessment, your name and email address will have been transferred to CEB Inc., which is based in the US.

Depending on the role you have applied for, we may need to transfer your personal information to other companies within GBG for administrative purposes. For example, if you are based in Australia or New Zealand, we may need to transfer your personal information to our head office in the UK and to any territory in which you have applied for a role.

IDscan

GBG’s customers access IDscan products and services to prevent and detect fraud. Using a combination of automated document recognition, digital tampering detection, advanced face-matching technologies and real-time online support from trained document examiners, our clients are able to on-board individuals while improving customer experience, fighting fraud and meeting compliance obligations.

What personal information GBG holds and why

Where GBG provides a hosted cloud storage solution to our clients, we hold your identity documents (IDs). We hold this data in order to provide our services, including storage, support and maintenance.

We also require sample documents to train and test our document recognition engine, so that we can improve our ability to recognise, extract from, validate and authenticate our customers’ documents, thus helping organisations meet a legal obligation or for their legitimate interests. A copy of your ID or proof of address document might be provided to GBG to train the IDscan document recognition engine to recognise underperforming or unrecognised documents. The nature of the documents means that they include personal information such as photograph, name, address and date of birth. This information cannot be anonymised or pseudonymised without compromising the ability to train and test GBG’s document recognition engine. Our aim is to be fully transparent, which is why we suggest our Australian and New Zealand customers include a link to this Privacy Policy in their own notices so that individuals are informed of GBG’s involvement as part of the service we provide and so that individuals may exercise their rights under the Privacy Acts.

Purpose and legal basis for processing

Our purposes for processing your data in connection with IDscan are: (i) to provide support services to our clients who use IDscan to verify your identity and to conduct maintenance and testing of our IDscan systems (in accordance with APP 3.2, which allows us to collect personal information when it is reasonably necessary for one or more of GBG’s functions or activities and IPP 1 which allows us to collect information for a lawful purpose connected with one of our functions or activities where the collection of the information is necessary for that purpose); and (ii) to train the IDscan document recognition engine to recognise underperforming or unrecognised documents (with your consent).

Data retention

IDs captured by GBG IDscan will be retained until the earlier of the following events occurs (the ‘Retention Period’):

  • the ID is no longer in circulation and is no longer accepted as a valid identification document; or
  • we no longer need it for any purpose for which it may be used or disclosed by us in accordance with the APPs or IPPs (as applicable), or for such longer period as may be required under any applicable law.

At the end of the Retention Period, we will take reasonable steps to destroy or de-identify the ID.

Accuracy of your personal information

If GBG holds your personal information but did not collect it from you (i.e. it was provided to us by one of our customers) and we receive a correction request from you, we may pass the correction request to our customer or such other third party which collected the information from you. We may also be required to assist our customers to respond to correction requests which they receive from you.

Transfers outside of Australia or New Zealand

In New Zealand, GBG may appoint a partner as it’s reseller. Under this arrangement, IDScan is hosted out of Sydney, Australia and there will be a data transfer from New Zealand to Australia of personal information.

If product support is required, this will be provided by our team based in the United Kingdom and our technical and support teams in Turkey. Should they be required to review any identification documents, there will be a transfer of data from New Zealand, to the United Kingdom and Turkey in order to facilitate that support.

In order to support our document recognition engine, GBG stores sample documents in a secure location with access restricted to selected members of staff based in the EU and Turkey. Where there is an international data transfer to our Turkey office, your personal information will be handled in accordance with the Australian Privacy Act and APPs (at a minimum) in relation to the collection, use, disclosure, storage and destruction or de-identification of personal information.

Data Security

IS0 27001 Certification

GBG are a global specialist in identity data intelligence for some of the largest organisations in the world, which is why GBG aim to set the highest standards of information security and in doing so, have developed an Information Security Management System (ISMS) to meet the requirements of the ISO 27001:2013 standard. Its aim is to protect the confidentiality, integrity and availability of GBG and client held information resources and assets, thus safeguarding GBG and its clients from unauthorised access, compromise and/or disclosure of data.

PCI-DSS Certification

Some of the services we provide are compliant with the Payment Card Industry Data Security Standard (PCI DSS). Being compliant with PCI DSS means that we are doing our very best to keep our customers’ valuable information safe and secure and out of the hands of people who could use that data in a fraudulent way. PCI ensure technical and operational strengths to raise the bar on our security.

Cyber Essentials Certification

In addition to the above, we have services that are Cyber Essentials accredited, this helps prevent the vast majority of cyber-attacks. Having a Cyber Essentials badge enables us to:

  • Protect our organisation against common cyber threats.
  • Demonstrate our commitment to information security.

greenID

GBG acquired VIX Verify Pty Ltd in 2018. Vix Verify is the provider of “greenID” which is a product used to verify the identity of individuals. greenID aims to improve the customer onboarding experience whilst providing accurate and reliable identity verification to our clients.

What personal information does GBG collect and why

GBG may collect information from you in the following circumstances:

  • As the representative of one of our organisational clients
  • As the individual undertaking identity verification

Business users of greenID

In order to provide you with access to greenID and to provide support to you under our contract with your organisation, GBG is required to collect the following information from you:

  • Email address

How we use your personal information

We use these details in order to provide you with access to greenID, and to retain appropriate audit logs of activity within the system. The above information will be held by GBG until the conclusion of the arrangements between the organisation and GBG, or until we are advised you no longer require access to greenID.

Accuracy of your personal information

You can request an amendment to your personal information at any time by requesting your greenID administrator to do so. If this is not possible, you can email greenid.support@gbgplc.com for assistance.

Individuals undertaking identity verification

GBG provides online identity verification services to businesses to assist them to onboard their customers. If you apply for a product or service with any of our customers, we will collect information about you (from you and/or from our customer) in order to verify your identity. In order to do this we will need to provide your information to our data partners to confirm your details.

To verify your identity, we are required to collect a variety of information from you including your:

  • Name
  • Address
  • Birthdate
  • Email address
  • IP address

If you undertake your identity verification via our greenID mobile channel, we may also collect:

  • Biometric information including “live capture” of your face (a selfie)
  • An image of your identification document/s
  • The data contained on your identification document/s

How we use your personal information

We use the personal information we collect about you for the following purposes:

  • verify and authenticate your identity;
  • verify the accuracy of some information you have provided
  • pass your information and identity verification on to the client on whose behalf we have collected it, so they can consider your application.

Your information will be held for a period of time in order to support our customers onboarding processes. That timeframe is negotiated between GBG and it’s business users depending on their requirements.

Who will we share your data with and why?

We will always disclose your personal information and identify verification to our clients with whom you apply for a product or service.

We will need to provide some of your personal information to the third-party service providers we use to help us provide our services e.g. credit reporting bodies, government agencies, external data storage providers etc. We may also disclose your personal information to our affiliates and related companies in order to undertake our normal business practices.

If we provide your personal information to any of these entities, we will always require them to manage it in accordance with the Australian Privacy Principles and/or the Information Privacy Principles in New Zealand. We may also provide your information to third parties if we are required to do so by law or under some unusual circumstances which are permitted under the Privacy Act 1988 (Cth), or the Privacy Act 1993 in New Zealand.

Accuracy of your personal information

The information that GBG holds on you is a record of an identity verification at a point in time. Whilst it is unlikely we would amend that information, should you have any queries in relation to that data you can email us compliance@gbgplc.com.

We may pass any correction request to our customer or such other third party which collected the information from you.

Transfer of personal information between Australia and New Zealand

If you are the customer of an Australian business using greenID, your personal information will be collected and stored in Australia.

For customers of our New Zealand businesses, your personal information will be collected in New Zealand, and transferred to Australia to be stored.

Your rights

As an individual, you have rights regarding the processing of your personal information, these are:

  • The right to transparency – you have the right to know why your personal information is being collected, how it will be used and who it will be disclosed to.
  • The right of anonymity/pseudonymity – you have the right not to identify yourself, or the right to use a pseudonym in certain circumstances if the Australian Privacy Act applies.
  • The right to access your personal information – you have a right to know what personal information GBG hold on you.
  • The right to opt out – you have the right to stop receiving unwanted direct marketing.
  • The right to correction – you have the right to ask us to correct any information you believe is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • The right to complain about a breach by us of the applicable Privacy Act if you think we’ve mishandled your personal information (see ‘How to contact us if you’re not happy’ and ‘Your right to lodge a complaint with the Supervisory Authority’ below).

Please keep in mind that some of these rights are subject to an internal assessment that one of the grounds set out in the applicable Privacy Act is satisfied.

You can send these requests to compliance@gbgplc.com or by post to:

Data Protection Manager
GBG
Level 4 / 360 Collins St
Melbourne
Victoria 3000
Australia

Or call us on +61 (0)3 8595 1500.

You are not required to pay any charge for exercising your rights. We will always aim to provide you with access within 30 days (if the Australian Privacy Act applies) or within 20 working days (if the New Zealand Privacy Act applies) but in some cases, it may take longer. If GBG are unable to comply with your request, we will provide you with an explanation.

How to complain

We appreciate that at GBG we may not always get things right and it is regrettable for us as an organisation when we receive a complaint. We take all complaints seriously and can assure you we will do our best to deliver a satisfactory outcome. If you do wish to complain about how your personal information is used by GBG then please write to us at:

Data Protection Manager
GBG
Level 4 / 360 Collins St
Melbourne
Victoria 3000
Australia

You can also email us at compliance@gbgplc.com.

GBG will investigate and respond within 10 working days of receipt of your complaint. This allows us time to investigate your complaint thoroughly. 

Your right to lodge a complaint with the Supervisory Authority

Where you believe that GBG have not taken our responsibilities with your personal information seriously, you have the right to complain to the applicable Supervisory Authority. If your complaint arises under the Australian Privacy Act/APPs you must first raise your concerns with us and give us 30 days to satisfactorily resolve your complaint If your complaint arises under the New Zealand Privacy Act/IPPs, we ask that you do the same. The details for the Supervisory Authorities are as follows:

Office of the Australian Information Commissioner
GPO Box 5218
Sydney
NSW 2001
Australia

Telephone number: 1300 363 992
Email: enquiries@oaic.gov.au

Office of the Privacy Commissioner
PO Box 10094
Wellington 6143
New Zealand

Telephone number: 0800 803 909
Email: enquiries@privacy.org.nz



.red { fill: #b0013a; }