GS1 Australia Privacy Policy

Effective 1 July 2024

Our commitment

This statement sets out GS1 Australia’s Privacy Policy (“Privacy Policy”) with respect to personal information which you may provide to us in a variety of ways. GS1 Australia recognises that your privacy is very important to you and we are committed to promoting confidence in the manner in which your personal information is handled by us. We ask that you read this Privacy Policy carefully as it explains who we are, how we collect, use, disclose, store and protect personal information and credit information, and your rights in relation to your personal information and credit information. It also includes details on how to contact us and supervisory authorities in the event you have a complaint.

In this Privacy Policy the term "website(s)" refers to the GS1 Australia website www.gs1au.org; the GS1 Australia membership portal MyGS1 and any other websites managed by GS1 Australia, including websites, webpages, applications and chat sessions provided for or by GS1 Australia products and services.

Your access to and use of our website and any of our services (including membership-related services) constitutes an acknowledgement that you have been made aware of our Privacy Policy.

Who we are

GS1 Australia Limited, Australian Company Number ACN 005 529 920 (we, us, our or GS1 Australia) collects, uses and is responsible for certain personal information about you.

As an Australian company, we are regulated by Australian laws including the Privacy Act 1988 (Cth). Under those laws, we are responsible for the management and handling of your personal information, your credit information and credit eligibility information.

Also, when we do so in the European Union (EU), or if you are located in the EU and we offer goods or services to you, we are regulated by the General Data Protection Regulation (GDPR) which applies across the European Union (including in the United Kingdom (UK)) and we are responsible as ‘controller’ of that personal information for the purposes of those laws.

Supporting industry best practice

We respect your privacy and your personal information. GS1 Australia is bound by, and committed to supporting, Australia’s Privacy Act 1988 (Cth), and Australia's Spam Act 2003 in relation to electronic direct marketing.

What information do we collect and use?

When you interact with us, including through our services or on our website(s), applications and chat sessions, we may collect the following information:

  • your contact details including your name, email address, your organisation, mailing address, phone number and mobile phone number;

  • your country and state or territory of both you or your organisation; other contact details such as social media handles;

  • data collected through your use of GS1 services or your or your organisation’s membership of GS1 or your use of GS1’s membership-related services;

  • technical data associated with web browsing (see section 19), cookie data (see section 19), and date and time of web site visit(s) plus other data for analytical purposes (see section 20);

  • any third-party website from which you linked to our website(s) or accessed our service;

  • if you install and use our software or hardware products, we may also collect information relating to your device for the purposes of registration or activation of such products;

  • your or your organisation’s financial information, such as your bank account or credit card details, for any relevant purchases or for the purposes of credit eligibility (discussed below);

  • other transactional information about your access to our website(s) or services; and

  • any other personal information you provide to us in relation to the website(s) or our services.

We may also collect and use the following kinds of credit related information:

  • credit information about you;

  • credit eligibility information about you; and

  • CP derived information about you.

The following words when used in this Privacy Policy have these specific meanings:

  1. CP derived information has the same meaning as in section 6 of the Privacy Act 1988 (Cth) as amended which, for ease of reference, may include personal information about you that is derived from credit reporting information disclosed to us by a CRB and that has a bearing on your credit worthiness and which is or has been used, or could be used, in establishing your eligibility for consumer credit. Please refer to the Privacy Act 1988 (Cth) as amended for a complete list of all types of CP derived information.

  2. CRB means a credit reporting body including bodies such as Equifax, Experian, Milton Graham.

  3. Credit information has the same meaning as in section 6N of the Privacy Act 1988 (Cth) as amended which, for ease of reference, may include information such as consumer credit liability information, repayment history information, types and amounts of credit you have sought, default information, and personal insolvency information. Please refer to the Privacy Act 1988 (Cth) as amended for a complete list of all types of credit information.

  4. Credit eligibility information has the same meaning as in section 6 of the Privacy Act 1988 (Cth) as amended which, for ease of reference, may include information such as credit reporting information about you that has been disclosed by a credit reporting body or information derived from such information and which has a bearing on your credit worthiness. Please refer to the Privacy Act 1988 (Cth) as amended for a complete list of all types of credit eligibility information.

How do we collect your information?

We collect personal information in a variety of ways, such as:

  • from you directly including when you interact with us in writing, electronically, or via telephone, and when you visit our website(s), webpages and use our chat sessions and applications (including when you submit a quote or a membership or service application form);

  • when you participate in our events or promotions;

  • when we supply to you or you access our products or services; and

  • from third party stakeholders such as job recruiters.

We generally obtain the credit-related information referred to above about you either directly (e.g. via forms you complete for us) and through your interactions with us and our staff, such as via our website(s), over the telephone, via email or in person, or indirectly via the methods discussed in section 7.

Note that where you provide unsolicited information to us, we will check whether that information is relevant to the services we provide and whether we are permitted to retain it by law. If we are permitted to keep it, we will treat it in accordance with this Privacy Policy, otherwise we will securely destroy the information.

Can I opt out of providing personal information?

We need your personal information in order that:

  • you can access or use our website(s);

  • we can provide you with our services;

  • we can manage and administer your services (or your or your organisation’s membership or membership-related services); and

  • we can contact you for marketing or promotional purposes and let you know about services that can better meet your needs.

If you do not wish to have your personal information collected or used for any specific purpose, or otherwise in the manner described in this Privacy Policy, you can email us accordingly and we will take reasonable measures to observe your request. This may result in you not being able to access, or use, all or part of our website(s) or our services.

If personal information has been collected, we may still use or disclose that information:

  • if we subsequently notify you of the intended disclosure and you consent to that use or disclosure;

  • if we believe that the use or disclosure is reasonably necessary to assist a law enforcement agency or an agency responsible for government or public security in the performance of their functions;

  • to enforce our terms and conditions or to protect our rights;

  • to protect the safety of members of the public and users of our website(s) and services; or

  • if we are required by law to disclose the information.

What about information collected from other sources?

We may also collect personal information from other sources or third parties, including our global GS1 network of member organisations (including in the UK or EU) or our distributors, resellers or others in your organisation.

We may collect personal information from members or subscribers of our services. These parties may include:

  • subscribers of our services to whom you or your organisation are a supplier such as, a retailer to whom you or your organisation supplies goods or services; or

  • subscribers where you or your organisation is a member such as a trade association.

We may collect credit related information about you indirectly from other people involved in your business where you are placing an order with us or if we are considering an application for credit for you or a related entity. These parties may include:

  • your business partner or a co-director of your company;

  • other people relevant to your relationship with us or the provision of credit by us such as, trade contacts or trade references you have provided to us; or

  • CRBs.

How do we use personal information?

We respect your privacy, and we do not sell, rent or trade your personal information.

We use your personal information for a variety of purposes to effectively conduct our business and to administer the services we provide you. This means that the uses include:

  • verifying your identity or verifying your authority to act on behalf of a member;

  • assessing an application you make for our GS1 services and your eligibility;

  • administering and managing services, including charging, billing and collecting debts;

  • verifying that your use of GS1 services and the GS1 system is in accordance with our manuals and guidelines;

  • assisting you to subscribe to or use our services, including responding to your requests, advising on how your use of our services can be improved, and to contact you when necessary;

  • gaining an understanding of your information and communication needs to identify opportunities to provide better service;

  • allowing us to run our business and perform operational tasks (such as system development and testing, training staff, developing and marketing services, conducting research, surveys, opinion polls etc (see also section 14 on Market Research);

Providing you with news, information and material in relation to our services or direct marketing and promotional content of us, our partners and affiliates (see section 9);

  • monitoring who is accessing our website(s) or using our services;

  • profiling the type of people using our website(s) or services solely for the purposes of improving our website(s) or services;

  • improving our website(s) or services; or

  • complying with our legal obligations under appliable laws, regulations and codes.

We will only collect, hold, use and disclose your credit information and credit eligibility information to the extent permitted to do so by the Privacy Act 1988 (Cth). Subject always to this requirement, the purposes for which we may collect, hold, use and disclose such information include:

  • in relation to information which you have expressly consented a CRB provide to us, assessing your application for credit with us (or the application of another entity whose commercial credit you have offered to guarantee);

  • for internal management purposes that are directly related to the provision or management of that commercial credit and other credit related purposes in the Privacy Act 1988 (Cth).

Where the GDPR applies, we rely on the following lawful reasons to collect and use your personal information. On occasion, more than one lawful reason set out below may apply to the processing of your personal information. We may collect and use your personal information:

  • for our legitimate interests in marketing and providing our goods and services globally for both our benefit and that of our customers and contacts interested in what we provide;

  • to perform or enter into any contract we may have with you;

  • to comply with our legal obligations;

  • to protect your vital interests or that of another person (e.g. in an emergency); or

  • where you consent to the processing where we ask you to (e.g. for certain sorts of marketing or other processing where the law either requires this or where it is our policy from time to time to seek consent for such processing).

To whom do we disclose personal information?

From time to time, so we can meet your needs and operate our business consistent with how we ‘use’ your personal information under this Privacy Policy, we disclose your personal information to, or share it with, third parties including:

  • parties that you authorise us to disclose your personal information, either directly, or via provision of a GS1 service which is governed by the terms and conditions of that service;

  • companies and consultants who perform services for us, such as specialist information technology or outsourcing companies, mail houses or other contractors to GS1 Australia. In this case, we require those companies and consultants to protect your personal information;

  • companies and consultants that verify and/or authenticate your use of the GS1 system;

  • credit providers and credit reporting bodies;

  • government and regulatory authorities (such as the Australian Tax Office and the Australian Securities and Investment Commission) as required or authorised by law;

  • our professional advisors (such as auditors and lawyers);

  • our related organisations;

  • organisations that assist us to conduct research/surveys or analyse data. In this case we require those companies to protect your personal information; or

  • other third parties as permitted by law.

The third parties with whom we share personal information may be located overseas including, but not limited to, our partners or affiliated GS1 member organisations in USA, Canada, Belgium, Germany, UK, Ireland, Spain, New Zealand and more. Please note that some countries outside the UK or EU (including Australia) do not have the same data protection laws as the UK or EU. However, we do not ordinarily disclose your credit information or credit eligibility information to entities that do not have an Australian link.

We will take reasonable steps to ensure that third parties that have access to your personal information are bound by appropriate privacy and confidentiality obligations in relation to that personal information.

Where the GDPR applies to any transfer of personal information, either by us or by any third party to whom we provide your personal information, such transfer will (unless the European Commission considers their laws adequate) be subject to appropriate or suitable relevant safeguards (such as a legally binding contract containing European Commission-approved model clauses or terms consistent with them or, for transfers to the US, the EU-US Privacy Shield). These safeguards will apply to the extent required under the GDPR and are designed to help safeguard your privacy rights and give you remedies in the unlikely event of a misuse of your personal information. If you have any queries about the basis upon which we may transfer your personal information outside of Australia, please contact us using our contact details below.

If you are an individual or sole trader, you may request that information supplied to third parties for the purposes of verification / authentication can be de-identified.

Your rights under the GDPR (if applicable)

Under the GDPR (where it applies to you), you have a number of important rights free of charge. In summary, those include rights to:

  • fair processing of information and transparency over how we use your use personal information that this Privacy Notice is already designed to address;

  • access to your personal information and to certain other supplementary information;

  • require us to correct any mistakes in your information which we hold;

  • require the erasure of personal information concerning you in certain situations;

  • receive the personal information concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit that data to a third party in certain situations;

  • object at any time to processing of personal information concerning you for direct marketing;

  • object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you;

  • object in certain other situations to our continued processing of your personal information;

  • withdraw your consent at any time where the processing is based on your consent; and

  • otherwise restrict our processing of your personal information in certain circumstances.

For further information on each of those rights, including the circumstances in which they apply, see for example the Guidance from the UK Information Commissioner's Office (ICO) on individuals’ rights under the General Data Protection Regulation. If you would like to exercise any of those rights, please:

  • email, call or write to us (contact details below) and let us have enough information to identify you (such as name and registration details);

  • let us have proof of your identity and address; and

  • let us know the information to which your request relates, including any account or reference numbers, if you have them.

Direct marketing and your privacy

On occasions, we may use the personal information we collect from you to identify particular GS1 Australia products and services which we believe may be of interest to you. We may then contact you to let you know about these products and services and how they may benefit your organisation. We will give you a choice to “opt out” (unsubscribe) from receiving such information in the future.

Can I unsubscribe from marketing content?

Yes, you can opt out of receiving promotional and marketing information:

  • by unsubscribing via the electronic means provided; or

  • by calling our Customer Support Team or emailing us using the contact details below; or

  • in writing to us at the address detailed below.

While you are a GS1 member, you cannot opt out of communications that relate to:

  • your membership or subscription;

  • billing;

  • particular service technical updates.

You will be advised if your opt out request falls into one or more of these categories. You will not be able to continue your membership or use GS1 services if you elect to opt out of all such communications. We need to send you such communications to satisfy our contractual obligations with you.

Electronic Direct Mail (EDM) policy

The ability for you to opt out by unsubscribing via the electronic means provided will remain functional for at least 30 days after the original communication has been sent. After this time, another method to opt out should be used (e.g., sending an email to us at the address below).

We will use our reasonable endeavours to process your request in a fair and reasonable timeframe. We aim to complete your unsubscribe request within five working days of receipt if the request is received electronically.

Market research

From time to time we may engage in market research (telemarketing or surveys) relating to our products and services, or to ensure your contact details are correct to assist in providing better customer service.

Do you record my phone calls to you?

Yes, your phone calls may be monitored and recorded for training, service quality control and compliance purposes. Recordings are retained in line with our data retention policies. During the conversation, to ensure any private details are not recorded, the call operator can temporarily suspend and resume recording either on their determination or your request. You can request a digital copy of your recording by asking the call operator, or by sending request in writing to customer service detailing the date and time of the call and your phone number.

Can I access my personal information?

Your right to access your personal information is not absolute. In certain circumstances, the law may permit us to refuse your request to provide you with access to your personal information. These circumstances may include where:

  • access would pose a serious threat to the life or health of any individual;

  • access would have an unreasonable impact on the privacy of others;

  • the request is frivolous or vexatious;

  • the information relates to a commercially sensitive decision making process; or

  • access would be unlawful or may prejudice enforcement activities, a security function or commercial negotiations.

Where you wish to make a request, we may be able to deal with it over the phone. However, there may be instances where you will need to make the request in writing. We will let you know if that is the case.

Third party relationships

We are not responsible for the content and the privacy practices of third-party websites or third-party services and do not endorse or authorise their content or data collection processes (which may include but are not limited to the use of cookies and web analytics data).

You should familiarise yourself with each third-party website's or service’s privacy policy and make your own decision about providing personal information or utilising the information presented when visiting those sites.

Other information collected on GS1 Australia website(s)

On the GS1 Australia website(s) we may collect information from you such as browser type, operating system, and web pages visited to help us manage our website.

Website 'cookies'

Many websites, like the GS1 Australia website(s), use ‘cookie’ technology. 'Cookies’ are small text files a website can use to recognise repeat users (or their computers or mobile devices), store registration data, and facilitate the user's ongoing access to and use of the website. This allows a website to track usage behaviour and compile aggregate data for navigational or content improvements.

Cookies are not programs that come onto your system and damage files. You can disable cookies or be warned when cookies are being used to enable you to accept or reject them by adjusting your internet browser settings. However, disabling or rejecting cookies may mean that you are not able to access parts of our website or to take advantage of the improved user experience that cookies can provide.

Using our website(s)

As with many sites, when visiting our website(s), a record of your visit (not your personal information) may be recorded in Google analytics, Hotjar, or similar services. This record may include the following types of information:

  • date and time and duration of visit;

  • pages accessed, links clicked on, and documents downloaded;

  • address of any website that linked you directly to our site; and

  • your device details including your IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website(s).

In the case of Hotjar, this information is stored on our behalf in a pseudonymised user profile. Hotjar is contractually prohibited from selling any of the data collected on our behalf. For further details, please see the ‘About Hotjar’ section of Hotjar’s support site.

Further information about Google Analytics can be found on the Google Marketing Platform website under the section Google Analytics Terms of Service.

This information is NOT shared with any third party other than those assisting GS1 Australia to better understand your needs, optimise our service(s), enhance your user experience, and/or protect your information.

Information security and retention

We understand that you may be concerned about the security of the personal information we collect from you.

We will take reasonable steps to protect personal information which we hold from misuse, loss and from unauthorised access, modification or disclosure.

We have systems and processes in place to maximise the security of your personal information. These systems and processes include:

  • using up to date electronic security systems such as industry standard data encryption and Secured Socket Layer (SSL) certificates on our websites;

  • software programs to monitor network traffic to identify unauthorised attempts to upload or change information, or otherwise cause damage;

  • implementing mandatory privacy training for our employees;

  • the use of Multi-Factor Authentication to protect our systems and data;

  • maintaining fit for purpose document storage and data security policies and practices;

  • where we engage third parties as contractors or agents, we ensure that they comply with the GS1 Australia Privacy Policy and obligations.

However, you should be aware that, when using our website(s) or our services, no data transmission over the Internet can be guaranteed as completely secure. Let us know as soon as possible if you think that your personal information has been compromised.

We typically retain data for as long as we are providing goods or services to you and for a period of up to six years (or longer if the legal limitation period is greater).

When the personal information we collect is no longer required for the specified uses, or we are not required by law to keep it in accordance with retention periods, we will take reasonable steps to ensure that it is securely destroyed or archived in a de-identified format so that you can no longer be identified from that data. Any de-identified information will be treated in accordance with this Policy.

We will continue to store and hold your personal information:

  • until such time as we no longer need it for any purpose for which the information may be used or disclosed under this Policy; or

  • if required or permitted under applicable privacy or data protection laws; or

  • for a reasonable time after you ask us to delete it.

Data Breaches

Any data breaches will cause GS1 Australia's Data Breach Policy to be enacted. The GS1 Australia Data Breach Frequently Asked Questions outlines how we ordinarily deal with such matters.

We, our affiliated GS1 member organisations, outsourced service providers or relevant third parties, may also be required to comply with obligations to give notice of any eligible data breaches in Australia or other jurisdictions. We may use your personal information to comply with such obligations and will notify you of such breaches and requirements as required under Australian Privacy Laws.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of changes by publishing the revised version on our website(s) or by sending you a notice.

The revised version shall take effect immediately upon publication or notification, unless otherwise set out in this Policy or the notice.

This Privacy Policy was last updated 1 July 2024.

Updates and corrections to information about you or your company

Please contact us if you think the information we hold is incorrect. We ask that all requests are made in writing. We will take reasonable steps to action them quickly and promptly.

You may request the following:

  • to remove any previous consent you provided to receive marketing communications from us;

  • to access any credit related or personal information we hold about you;

  • to correct any credit related or personal information we hold about you.

When we receive the request:

  • we will analyse the request to see if we agree with it;

  • we may verify your identity (for access requests); and

  • we may specify what type(s) of information you require before processing your request.

A fee will not apply to make a request to access, update, or delete your personal information. However, a fee may apply and be charged if we have to provide information to you. The fee covers the cost of collating, copying and providing certain information to you. We will only charge this fee where it is lawful for us to do so and we will let you know what the fee is before providing the information to you.

In some circumstances where we correct a record, we may need to retain the original record.

Under the privacy law, we may refuse to provide you with access to or correct your personal information where:

  • giving access would have an unreasonable impact on the privacy of others;

  • the information relates to existing or anticipated legal proceedings, and the information would not be discoverable in those proceedings;

  • giving access would be unlawful;

  • denying access is otherwise required or authorised by law; or

  • the request for access is frivolous or vexatious.

  • If we refuse to provide you with access to, or correct, your personal information or credit information, we will provide you with an explanation in writing.

Please note that if the GDPR applies to you then you will have additional rights (see section 10) and, where your GDPR rights are different from what is stated here, then, we will respect your GDPR rights in preference to the rights in this section 24.

Feedback, queries and how to complain

We believe that your feedback provides us with a valuable opportunity to improve the services we deliver to you and to maintain your confidence in GS1 Australia. GS1 Australia is also committed to working with its customers, to ensure any complaint, concerns or questions are resolved fairly and quickly.

You can contact us in multiple ways in relation to all matters dealt with by this Policy: write, call or email us in accordance with our contact details below.

We ask that any complaint be made first in writing to us. We will then respond in writing and in accordance with any timeframes required by law. We will endeavour to provide you with confirmation as to how we propose to deal with the complaint and whether any further information is required to assess the complaint as soon as reasonably practicable.

If, for any reason you do not wish to complain to us initially or if you are unhappy with how we propose to resolve your complaint, then a complaint may also be made to the Office of the Australian Information Commissioner, by visiting the OAIC website.

Please note that where it applies, the GDPR also gives you right to lodge a complaint with a supervisory authority in the particular EU (or European Economic Area) member state where you work, normally live or where any alleged infringement of data protection laws occurred.

Contact details

Please mark written correspondence regarding this Privacy Policy to the attention of the Compliance Officer:

Compliance Office GS1 Australia Locked Bag 2 Mt Waverley VIC 3149

Phone 1300 227 263 or +61 3 9558 9559 between 8.30 am and 5.00 pm Monday to Friday Australian Eastern Standard Time (excluding public holidays) or email us at compliance@gs1au.org