Scope
This policy and procedure is applicable to all entities or subsidiaries owned, controlled, or managed by World Options, as well as every employee, including those who are part-time, temporary, or on contract, involved in the handling or transfer of personal data.
Policy statement
World Options entities may transmit personal data to both internal and external parties situated in a different country, provided that the country in question is deemed to have a sufficient legal framework to safeguard the rights and liberties of the individuals concerned. Should transfers be necessary to countries that do not possess an adequate level of legal protection (that is, third countries), they are required to adhere strictly to sanctioned transfer procedures. Personal data transfers by World Options entities are permissible only under specific transfer circumstances delineated herein:
The individual in question has authorized the suggested data transfer.
Executing a contract involving the individual necessitates the transfer.
The transfer is crucial to carry out preliminary measures preceding a contract, initiated at the request of the individual.
For the fulfillment or execution of a contract made with another party for the benefit of the individual, the transfer is indispensable.
Compelling public interest mandates the transfer as a legal obligation.
The transfer is essential for the initiation, pursuit, or protection of legal rights.
To safeguard the critical well-being of the individual, the transfer is necessary.
Transfer between World Options services/entities
To efficiently execute its diverse range of services, World Options may occasionally need to exchange personal information between its affiliates or permit access to the data from abroad. When such exchanges occur, the transferring World Options entity is accountable for upholding the privacy and security of that information.
Occasionally, World Options oversees the movement of personal information among its services and between entities located in different countries. When transferring data to third countries, World Options strictly limits the information shared to what is essential for the intended purpose, such as completing a transaction or providing a specific service. Moreover, during these transfers, we ensure the implementation of robust security protocols, which may include the use of password protection and encryption as required.
Transfer to third parties
Every entity within the World Options network commits to transferring personal information exclusively to those third parties who have demonstrated they will handle the data lawfully and safeguard it diligently. Prior to authorizing third parties to process personal data, World Options entities will ascertain, in accordance with relevant regulations, whether the third party acts as a data controller or a data processor.
If the third party fulfils the role of a data controller, World Options will, along with its Board of Directors, forge an appropriate agreement that delineates the responsibilities of both parties regarding the personal information exchanged. Conversely, should the third party operate as a data processor, World Options, in conjunction with its Board of Directors, will craft a comprehensive processing agreement. This agreement will mandate that the data processor maintains the confidentiality of the data, adheres strictly to World Options directives during processing, and establishes suitable technological and organizational safeguards. It also requires notification protocols in the event of a data breach.
World Options standardizes these interactions through a ‘Standard Data Processing Agreement,’ intended as a foundational template. When contracting third-party services (inclusive of cloud-based solutions), a World Options entity will determine if the service will involve processing of personal data on its behalf, and whether this will lead to cross-border data transfers. In either scenario, the agreement, devised with insights from the World Options Board of Directors, will incorporate comprehensive clauses to govern such data processing and international transfers efficiently.
Responsibility
Compliance, monitoring and review
The Board of Directors at World Options bears the ultimate accountability for ensuring that data transfer operations adhere strictly to the pertinent legal requirements.
Staff members within all operating divisions who handle personal data must process such information strictly in accordance with the applicable policies and procedures set forth by World Options.
Record management
Employees are required to preserve all pertinent documents related to the execution of this policy and procedure in a digital format within a World Options-approved record management system.
All documentation associated with the enforcement of this policy and procedure shall be kept on file for a duration of five years.
Terms and Definitions
Office of the Australian Information Commissioner (OAIC): The Privacy Act 1988 was introduced to promote and protect the privacy of individuals and to regulate how Australian Government agencies and organisations with an annual turnover of more than $3 million, and some other organisations, handle personal information.
The Privacy Act includes 13 Australian Privacy Principles (APPs), which apply to some private sector organisations, as well as most Australian Government agencies. Such organisations and agencies are collectively known as ‘APP entities’. The Privacy Act also regulates the privacy component of the consumer credit reporting system, tax file numbers, and health and medical research.
Data Controller: the entity that determines the purposes, conditions and means of the processing of personal data
Data Processor: the entity that processes data on behalf of the Data Controller
Data Protection Authority in Australia: national authorities tasked with the protection of data and privacy as well as monitoring and enforcement of the data protection regulations within the Union
Data Subject: a natural person whose personal data is processed by a controller or processor
Personal Data: any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person
Privacy Impact Assessment: a tool used to identify and reduce the privacy risks of entities by analysing the personal data that are processed and the policies in place to protect the data
Processing: any operation performed on personal data, whether by automated means, including collection, use, recording, etc.
Profiling: any automated processing of personal data intended to evaluate, analyse, or predict data subject behaviour
Regulation: a binding legislative act that must be applied in its entirety across the Union
Subject Access Right: also known as the Right to Access, it entitles the data subject to have access to and information about the personal data that a controller has concerning them
For more information
Contact our Data Protection Officers, who are the World Options Board of Directors, by emailing: au.support@worldoptions.com