Privacy Policy
Introduction
This is one Privacy Notice for Arjo Australia Pty Ltd and Arjo New Zealand Ltd, integral parts of the Arjo group of organisations focusing on our business interests in Australia and New Zealand. This Privacy Notice relates to the processing of personal data of representatives of customers suppliers and leads. Arjo Australia Pty Ltd and Arjo New Zealand Ltd provides information to the relevant stakeholders about the who, what, why, when, where and how of our data processing activities, as well as setting out what rights individuals have in relation to these processing activities.
Who is processing the personal data?
As indicated above, the data controller for the processing of your personal data is either Arjo Australia Pty Ltd and Arjo New Zealand Ltd, depending on who you are working with. To make this notice easier to read, Arjo Australia Pty Ltd Arjo Australia Pty Ltd and Arjo New Zealand Ltd are referred to as Arjo for the rest of this document. As the data controller, if you have any questions, comments or queries about your personal data, we can be contacted using the details below:
Arjo Australia Pty Ltd
Level 3, Building B, 11 Talavera Road, Macquarie Park, NSW 2113, Australia
Arjo New Zealand Ltd
34 West Valley Drive, Mount Wellington, Auckland, 1060, New Zealand
Arjo aims to be compliant in everything we do. As such, we invite you to contact us whenever you feel it is necessary so we can partner with you in addressing any comments or concerns you might have. We have appointed a local Data Protection Lead who is also able to support you with any queries you may have. For Arjo Australia Pty Ltd and Arjo New Zealand Ltd this is:
James Stone
Data Compliance Manager
What personal data are we processing?
The type of personal data we process about you depends on the type of data subject and the nature of our relationship with you. The processing of your personal data could include the following:
Customer representatives, supplier representatives, leads, prospects and contacts:
- Identifiers –
- Name
- Job title
- Contact data –
- Phone number
- Email address
- Location data –
- Address
- IP address
Webinar platform users:
- Identifiers –
- Name
- Job title
- Contact data –
- Email address
- Location data –
- Address
- IP address
- Audio / visual data –
- Photos (only when provided by the platform user).
Please note, the contact and location information processed relates to data used in a professional capacity and may come directly from you or from the facility you are working for. In some instances, customers provide us patient information which is processed only where necessary to fulfil the purpose for which it was provided.
Why are we processing personal data?
Arjo processes personal data for the reasons listed below.
Representatives of customers, contacts and suppliers and webinar platform users:
- Managing the production and distribution of our products and equipment via our logistics supply chain.
- To fulfil our customer orders and requests, as well as to provide support to customer representatives in the event of a complaint or issue or handling claims.
- To manage our legal, regulatory and statutory obligations as well as to maintain accurate and reliable administrative and accounting records, which include managing queries, concerns and investigations.
Leads and prospects:
- The pursuit of our commercial interests through marketing activities.
No automated decision-making is undertaken, with the exception of monitoring the success of marketing activities and when using the MyArjo portal. This includes generating a profile based on the use of our online resources which performs an evaluation. This information is only used to better inform how Arjo can support you and manage the layout of the MyArjo portal. The information is only used for these purposes and no individual data protection or statutory rights are infringed in this process. Any evaluation is subject to human review. If you have any questions or concerns about the potential use of automated decision-making, please contact dataprivacy@arjo.com.
Please note, no personal data is sold in any circumstance.
Which lawful basis do we use for processing personal data?
Arjo only process personal data if there is a lawful basis for the processing. For the processing described in this privacy notice, Arjo uses the following lawful basis for processing:
Lawful basis for processing |
Processing activities |
Your explicit consent. You are able to withdraw your consent at any time. You can do this by contacting dataprivacy@arjo.com. |
Marketing activities including direct marketing. |
Your implicit consent to fulfil our legal obligation or if processing is in our legitimate interests. |
Activities linked to our regulatory and statutory requirements. Marketing activities including managing our relationship with you as a contact of Arjo. Processing of customer representatives’ personal data is necessary to manage and distribute products and equipment via our logistics supply chain and to fulfil our customer orders and requests. |
Where we rely on a legal obligation to justify the processing of your personal data, this is to ensure that our regulatory and statutory requirements are fulfilled. This is important in order to maintain the quality of the service and products that many stakeholders rely on.
There may also be times when legitimate interest is the appropriate justification for processing your personal data. In this situation, we have undertaken a legitimate interests assessment where the needs, expectations, rights and freedoms of all parties have been considered. Before relying on legitimate interest, we have made sure that our interests are compelling enough and will not cause any unwarranted harm.
For how long do we process your personal data?
We save information for as long as the information is necessary to fulfil the purposes for which the information was collected. The information can be saved for a longer period of time if it is required by applicable law, such as when complying with the retention requirements of medical device legislation. Arjo have established routines to ensure that we do not store unnecessary information about you.
Information regarding representatives of customers, contacts and suppliers:
- Most commercial, customer or financial information, relating to e.g. purchase, order and order history, is retained for five years.
- As a global organisation in a highly regulated field, we need to retain information relating to production, distribution, quality, or performance of any of our products for 15 years in accordance with strict European and global regulatory obligations. The personal data contained to these records is usually limited to low-risk personal data where there is any personal data at all.
- Information relating to a customer service case is saved until the matter is resolved and retained in a de-identified format for 15 years.
- Information collected after consent is saved for as long as it is relevant or no later than within six months after consent is revoked.
Information regarding prospects and leads:
- Information collected after consent is saved for as long as it is relevant or no later than within six months after consent is revoked.
Where are we processing personal data and who do we transfer personal data to?
We may on occasion transfer your personal data outside of the Australia and New Zealand through the use of a particular processor. Where this is relevant, we have undertaken privacy impact assessments and transfer impact assessments to identify appropriate additional measures to implement, prior to establishing data processing agreements including approved standard contractual clauses. In the event that the contractual and organisational measures are still inadequate, we will seek your consent to undertake the proposed processing. Processing of our operational, commercial and financial information takes place in the EEA, the UK and India, as well as in Australia and New Zealand.
We use different systems and platforms to manage the data we process, and a list of the key data processors are listed below:
- Advanced Applications.
- Astea Solutions.
- AWS.
- CEVA.
- Digital Space.
- ON24.
- Salesforce.
- Tech Mahindra.
- Other subsidiaries of the Arjo group as part of global functions.
A lot of our business functions for our New Zealand business are managed by Arjo personnel in Australia and working for Arjo Australia Pty Ltd. We have secure arrangements in place to support the transfer and sharing of personal data in a compliant and trustworthy way.
Additionally, we use Microsoft Office storage and productivity tools to process personal data in the course of our commercial, production, logistical, operational, research and administrative activities.
We may also share personal data with partners and in line with our regulatory or statutory obligations. In all instances, data will only be shared in line with an appropriate lawful basis for processing. Data sharing is frequently undertaken following a privacy impact assessment and a transfer risk assessment to ensure the necessary safeguards and control measures are in place prior to any data sharing.
How are we processing personal data?
Arjo have adapted the following to enable secure and compliance towards handling and processing data:
- Arjo have an IT policy, Information Security Directive, Data Privacy and Acceptable Use of IT devices Directive.
- Access management based on least privilege with access reviews performed on a quarterly basis, additionally each user will have unique and individual usernames where none are shared.
- Admin access only given to system and database owners who have the correct skills and training, normally senior IT staff.
- Robust change management process.
- All systems for which the hosting solution is determined by Arjo can only be accessed via our VPN solution. In all cases, all data and systems are encrypted at rest and in transit and require a unique username and password to access the data each user is authorised to access.
- All Third Parties that host or work on Arjo systems are subject to a Risk Assessment on a yearly basis.
- Arjo also have an overall Incident management process which is run by our Service Management team.
- Patch management; as part of our service management.
- Pen testing and vulnerability management.
- IT audits performed by a third party annually.
What are your rights in relation to this data processing?
You may have the following rights:
- Your right of access – You have the right to ask us for copies of your personal information that we process about you. Through this copy, you will be able to understand which of your personal data we maintain and process. The right of access is applicable when a record contains information where an individual can be identified, and the information is about them. This means that records that are accessible to you will have the personal data about other people redacted where appropriate, in order to protect their right to privacy. Your personal data will be redacted if someone else requests access to a record containing your personal data. Legislation provides other exemptions that may be applicable such as records where legal privilege needs to be observed or there is an obligation of confidentiality in specific circumstances. Any exemption applied will have a relevant legal basis and will be explained to you where necessary.
- Your right to be informed – You have the right to be informed of how we process your personal data. This Privacy Notice is an initial means of informing you about the processing of your personal data. Additional methods of keeping you informed include FAQs, contractual agreements and through discussions – if you have a question about how we are processing your personal data, you can contact us by writing to dataprivacy@arjo.com.
- Your right to correction – You have the right to ask us to correct information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right applies in conjunction with one of the principles of data protection. Any request to correct your personal data will also be sent to and completed by any processor with whom your personal data has been shared. This process is managed by us and will not require any additional action from you for your right to be exercised in full.
- Your right to deletion – You have the right to ask us to delete your personal information when the information is no longer necessary to fulfil the purpose of processing the information or keeping it or if you retract your consent. Arjo is obliged to keep extensive records in accordance with our legal obligations. As such, Arjo may not be able to delete every record that is processed about you; however, this will be explained where relevant. Any request to be forgotten will also be managed by Arjo with any processor that is processing your personal data on our behalf.
- You would have the right to opt out of the sale of your data, but Arjo does not sell data.
- Your right to non-discrimination – We cannot deny goods or services, charge a different price or provide a different level or quality of goods or services just because you exercised any of the rights listed above.
For more information about your data protection rights, please see the Office of the Australian Information Commissioner privacy rights webpages or the webpages of the Office of the Privacy Commissioner of New Zealand in addition to the relevant data protection authority of the state in which you reside.
You are not required to pay any charge for exercising your rights in most instances. If you make a request, we have 30 days to respond to you.
Please contact us using any of the details below if you wish to make a request.
Arjo Australia Pty Ltd
Level 3, Building B, 11 Talavera Road, Macquarie Park, NSW 2113, Australia
Arjo New Zealand Ltd
34 West Valley Drive, Mount Wellington, Auckland, 1060, New Zealand
Finally, you have the right to complain to a data protection authority. For Arjo Australia Pty Ltd, the relevant supervisory authority is the Office of the Australian Information Commissioner and can be reached using the details below:
Office of the Australian Information Commissioner
GPO Box 5288 Sydney NSW 2001
1300 363 992
For Arjo New Zealand Ltd, the relevant supervisory authority is the Office of the Privacy Commissioner and can be reached using the details below:
Office of the Privacy Commissioner
PO Box 10 094, Wellington 6143
0800 803 909
You may also contact your local data protection authority who will advise you how to proceed.