14 January 2019
We care about your privacy.
We will never rent, trade or sell your email address to anyone.
The Australian Privacy Principles & European Union Data Protection Law
We will treat all personal information in accordance with any and all obligations that are binding upon us including the Privacy Act 1988 (Cth) (“Privacy Act”). For the purposes of compliance with local laws in force from time to time, the registered entity in your market or who you do business with will be the data controller.
How we may collect your personal information
We only collect personal information that is necessary for us to conduct our business and/or to meet our legal and regulatory obligations. For example, if you submit a resume to us, we will use your data to evaluate your skills, experience and education against current and future opportunities within Sandstone, or if you submit a request for information, we will use your contact details to provide you with the information requested.
We may collect all or some of the information below.
You may provide us with your personal information through submitted information or correspondence. If you contact us, we will typically keep a record of that correspondence.
Personal information is also collected when:
- you submit an application form or your resume through a third party website;
- we interview you either over the phone, video conference or in person;
- we undertake reference checks by inquiring with, or we otherwise receive references or performance feedback from, any of your former or current employers, work colleagues, professional associations, educational bodies or registration bodies; and
- we receive results of any criminal history checks conducted (with your knowledge and consent).
We use this information to respond to your queries, provide requested marketing material to you or to ascertain if opportunities are suitable for you.
We may obtain such information from online tools such as marketing automation tools and online analytics tools like Google Analytics. This includes such information as which web pages you visit and how long you are on each page, your inferred country, your IP address or server name, traffic and other related data. We may ask you to provide personal information when accessing or downloading certain information from Sandstone such as your name and contact details. We use this information to ensure content has the most value to visitors to our website, to make changes to the layout and to respond to country specific regulations.
How we may use and disclose your personal information
We only collect, use, store and transmit personal information for purposes which are directly related to our functions or activities and only when it is necessary for or directly related to such purposes.
We do not give personal information about an individual to anyone else unless the following applies:
- you have consented;
- it is required or authorised by law. We may be required to disclose your personal information to government agencies as a result of a judicial proceeding, court order, or legal process anywhere in the world. We may also share your information with our related parties, advisors and to protect our rights or property, our business partners or clients when we have reasonable grounds to believe that such rights or property have been or could be affected.
- it is reasonably necessary for the provision of our services;
- you would reasonably expect, or have been told, that information of that kind is usually passed to those individuals, bodies or agencies;
- to conduct appropriate checks for fraud or malicious activity;
- prevent and detect any misuse of, or fraudulent or malicious activities;
- to investigate, evaluate and/or respond to an Eligible Data Breach;
- to gain an understanding of your information and communication needs or obtain your feedback or views about our products and/or services in order for us to improve them; and/or
- maintain and develop our business systems and infrastructure, including testing and upgrading of these systems and website.
Legal basis for processing personal information (European Economic Area (EEA) visitors only)
If you are a visitor from the EEA, our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it.
For all the data where Sandstone is acting as a processor, our client makes such a determination as the controller of the applicable data.
Where Sandstone is acting as a controller, we will normally collect personal information from you only (i) where we need the personal information to perform a contract with you, (ii) where the processing is in our legitimate interests and not overridden by your rights, or (iii) where we have your consent to do so. In some cases, we may also have a legal obligation to collect personal information from you.
If we ask you to provide personal information to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your personal information is mandatory or not (as well as of the possible consequences if you do not provide your personal information).
If we collect and use your personal information in reliance on our legitimate interests, this interest will normally be to operate our website and services, to communicate with you as necessary to provide our services, to improve our platform, to undertake marketing, or to detect or prevent illegal activities.
If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided below.
Holding, Data Retention, Transfers, Security of your personal information & Eligible Data Breach
We are committed to maintaining the confidentiality of the personal information you provide to us and we will take all reasonable precautions to protect your personal information from unauthorised use or alteration. Firewalls, anti-virus software and email filters, as well as passwords, protect all of our electronic information. We take all reasonable measures to ensure the security of hard-copy information where it is generated.
We also have procedures in place to ensure that an eligible data breach is identified and dealt with as required by the Privacy Act Notifiable Data Breach scheme.
All information we hold about you is stored on our secure servers within Australia. As we are a global company with teams in the United Kingdom, Australia and the Philippines, we may share information about you within Sandstone in order to provide your information to the right person who can respond to your queries or address the business need. This means that when we collect your personal information we may process it in any of these countries.
If you are from the EEA, the personal information that we collect from you will be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). It may also be processed by staff operating outside the EEA who work for us. Such staff may be engaged in, among other things, the fulfilment of or responding to your request and the provision of support services. We have established legal grounds justifying such transfer, including the EU Commission-approved model contractual clauses which require our teams to protect personal information they process from the EEA in accordance with European Union data protection law.
We retain personal information we collect from you only where we have an ongoing legitimate business need to do so (for example, to provide you with a service you have requested, or to comply with applicable legal, tax or accounting requirements).
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
The length of time we keep your personal data depends on what it is and whether we have an ongoing need to retain it, for example, for regulatory, tax, accounting or contractual purposes, to confirm that we have provided the information and to respond to follow-up queries, or, if you have forwarded a resume to us, to continue to ascertain if you are suitable for other opportunities within Sandstone.
If you would like further information, please contact us at email@example.com.
Contacting us about privacy
If you would like more information about the way we manage personal information that we hold about you, or are concerned that we may have breached your privacy, please contact us by email or by post.
Access to your personal information
In most cases, you may have access to personal information that we hold about you. We will handle requests for access to your personal information in accordance with the Australian Privacy Principles and relevant local law. All requests for access to your personal information must be directed to us by email. We will deal with all requests for access to your personal information as quickly as possible. Requests for a large amount of information, or information that is not currently in use, may require further time before a response can be given. We may charge you a fee for access if a cost is incurred by us in order to retrieve your information, but in no case will we charge you a fee for your application for access.
In some cases, we may refuse to give you access to personal information that we hold about you.
This may include circumstances where giving you access would:
- be unlawful (eg, where a record that contains personal information about you is subject to a claim for legal professional privilege by one of our contractual counterparties);
- have an unreasonable impact on another person’s privacy; or
- prejudice an investigation of unlawful activity.
We may also refuse access where the personal information relates to existing or anticipated legal proceedings, and the information would not be accessible by the process of discovery in those proceedings.
If we refuse to give you access, we will provide you with reasons for our refusal.
Correcting your personal information
We will amend any personal information about you that is held by us and that is inaccurate, incomplete or out of date if you request us to do so. If we disagree with your view about the accuracy, completeness or currency of a record of your personal information that is held by us, and you ask us to associate with that record a statement that you have a contrary view, we will take reasonable steps to do so.
Third party websites
You can set preferences for how Google advertises to you using the Google Ads Settings page (https://www.google.com/settings/ads).
Your Data Protection Rights
If you are a resident of the EEA, you have the following data protection rights:
- If you wish to access, correct, update or request deletion of your personal information, you may do so at any time by contacting us using the contact details provided below.
- In addition, you can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information. Again, you can exercise these rights by contacting us using the contact details provided below.
- You have the right to opt-out of marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you.
- Similarly, if we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
If you require any further information about the Privacy Act and the Australian Privacy Principles, you can visit the Federal Privacy Commissioner’s website (see www.privacy.gov.au).
If you are in the EEA, you have a number of important rights free of charge. For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.
If you would like to exercise any of those rights, please:
- email us at firstname.lastname@example.org, and
- let us know the information to which your request relates.
We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.
How to Complain
We hope that we can resolve any query or concern you raise about our use of your information. Any complaints will be taken seriously and we will make every effort to investigate and resolve your complaint within a reasonable time frame.
If you are not satisfied with how Sandstone has resolved your complaint, then you may apply to the Federal Privacy Commissioner to have your complaint investigated in Australia. More information is available at www.oaic.gov.au. If your complaint is about personal information in the EU, further information can be obtained from the Information Commissioner, who may be contacted at https://ico.org.uk/concerns/.