As of: August 2023
- Who is responsible for data processing and whom can you contact?
- Which data is processed and from which sources does it come?
- For what purposes and on what legal basis will the data be processed?
- Processing of personal data for advertising purposes
- Processing of creditworthiness information
- Who receives my data?
- How long is my data stored?
- Processing of applicant data
- Communication by email
- What information is collected when you visit this website?
- Diagnosis, correction and optimisation with Sentry
- Is any personal data transferred to other countries?
- What data protection rights do I have?
- Am I obliged to provide data?
Protecting your personal data is a top priority for us. Accordingly, we at BayWa r.e. AG and its subsidiaries (hereinafter jointly referred to as "BayWa r.e.") solely process your personal data (hereinafter referred to as "data") on the basis of statutory provisions. In this data protection declaration, we aim to give you full details of how your data is processed in our company and the data protection claims and rights to which you are entitled in accordance with the European General Data Protection Regulation (EU GDPR).
1. Who is responsible for data processing and whom can you contact?
The responsible party is BayWa r.e. Projects Australia Pty Ltd, 79-81 Coppin Street, Richmond, Victoria 3121, Australia, email: info(at)baywa-re.com.au, tel.: +61 3 9429 5629.
The data protection officer of BayWa r.e. Projects Australia Pty Ltd can be contacted at the address above or by email at dataprotection(at)baywa-re.com.
2. Which data is processed and from which sources does it come?
We process the data that we receive from you when commencing and maintaining business relations. We also process data that we have received legitimately from credit agencies, creditor protection associations, publicly accessible sources (e.g. business registers, registers of associations, land registers, media) and other companies with which we have long-term business relationships.
The scope of such personal data includes:
Your master/contact data such as:
- For private customers: First and last names, address, contact data (e.g. email address, telephone number, fax), date of birth, data from identity material submitted (copy of ID card), bank details
- As a corporate customer or supplier: Name of your legal representative, company, commercial register number, VAT ID number, company number, address, contact person contact data (email address, telephone number, fax), bank details
In addition, we also process the following additional personal data:
- Information concerning the type and content of our business relationship such as contract data, order data, sales and receipt data, customer and supplier history, consulting documents, vehicle data
- Information about your financial status (for example, creditworthiness data)
- Advertising and sales data
- Documentation data (e.g. consulting protocols), image data
- Information from your electronic transactions with BayWa r.e. (e.g. IP address, login data)
- Other data that we have received from you in the course of our business relationship (e.g. in customer meetings)
- Data that we generate ourselves from master/contact data and other data, e.g. through analyses of customer requirements and customer potential
- The documentation of your declaration of consent for the receipt of e.g. newsletters
- Image data from video monitoring systems
- Photos taken at public events
3. For what purposes and on what legal basis will the data be processed?
We process your data in accordance with the provisions of the General Data Protection Regulation (GDPR) and the currently valid version of the Federal Data Protection Act (BDSG) 2018:
to comply with (pre-)contractual obligations (Art. 6 para. 1 letter b GDPR):
Your data is processed for the sale and distribution of our goods and services and procurement and logistics purposes as well as for supplier and customer management and analysis. In particular, data is processed when commencing and maintaining business relations with you and executing contracts with you, for example in the following cases:
- Creating and managing a customer account or a supplier account
- Delivering orders
- Managing customer cards
- Participation in sweepstakes
- Sending information, e.g. requesting a catalogue
to meet legal obligations (Art. 6 para. 1 letter c GDPR):
Your data has to be processed for the purpose of meeting various legal obligations, e.g. as imposed by the German Commercial Code or the Tax Code, money laundering regulations and product-specific regulations such as the Hazardous Substances Ordinance.
to protect legitimate interests (Art. 6 para. 1 letter f GDPR):
With the aim of balancing interests in mind, data may be processed beyond the actual scope required to execute the contract in order to protect either our own legitimate interests or those of third parties. Data processing to protect legitimate interests may include the following cases, for example:
- Consultation of and data exchange with credit agencies and creditor protection associations to determine creditworthiness data and to maintain a group-wide creditworthiness database to identify financial default risks for joint customers
- Advertising or marketing
- Measures for business management and the further development of services and products
- Maintaining a group-wide customer database to improve customer service
- Measures to protect BayWa r.e. sites from contractually non-compliant or illegal conduct, e.g. access controls, video surveillance
- In the context of legal proceedings
With your consent (Art. 6 para. 1 letter a GDPR):
If you have given us consent to process your data, it will be processed in accordance with the purposes and to the extent agreed in the declaration of consent. Consent that has been granted, e.g. to receive our newsletter, can be revoked at any time with future effect. If you wish to do so, please contact the party named under no. 1.
4. Processing of personal data for advertising purposes
We also use your data to communicate with you about your orders, certain products or marketing campaigns and to recommend products or services that might be of interest to you.
You can object to such use of your personal data for advertising purposes at any time, either collectively or for specific measures. BayWa r.e. does not levy any charge for indicating such objection. If you wish to do so, please contact the party named under no. 1.
Product recommendations by email
Pursuant to Section 7 para. 3 of the German Act Against Unfair Competition (UWG), BayWa r.e. is entitled to use the email address you provided when ordering a product or service for direct advertising of its own similar goods or services. You will receive these product recommendations from us regardless of whether or not you have subscribed to a newsletter.
If you no longer wish to receive product recommendations from us by email, you can object to the use of your address for this purpose at any time without incurring any costs other than the data transmission costs at your standard rate. If you wish to do so, please contact the party named under no. 1. Of course, every email also includes an unsubscribe link.
We use the so-called double opt-in procedure for sending the newsletter, i.e. we only email you our newsletter once you have expressly confirmed to us beforehand that we should activate the newsletter service. After you sign up, we send you a notification email and ask you to confirm that you wish to receive our newsletter by clicking on a link contained in it.
If you subsequently decide you no longer wish to receive any newsletters from us, you can object to this at any time without incurring any costs, other than the data transmission costs at your standard rate. Written notification to the party named under no. 1 will suffice in this case. Of course, an unsubscribe link is also included with each newsletter.
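The double opt-in and unsubscribe flow described above, as an added illustration that is not code from BayWa r.e. or this page: an address is recorded as pending when the form is submitted, the notification email carries a signed, expiring confirmation link, and the subscription is activated (and the consent timestamp documented) only when that link is clicked. Unsubscribe links are signed the same way so that nobody can unsubscribe other people by guessing addresses, and the purpose is part of the signed payload so one kind of token cannot be replayed as the other. The secret key, the 48-hour link validity, the in-memory subscriber table and the example.invalid URLs are assumptions.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumptions (not from the page): a server-side secret from a secret store, a
# 48-hour validity for confirmation links and a placeholder site URL.
SECRET_KEY = secrets.token_bytes(32)
CONFIRM_TTL_SECONDS = 48 * 3600
BASE_URL = "https://example.invalid/newsletter"


@dataclass
class Subscription:
    email: str
    requested_at: float                 # when the sign-up form was submitted
    confirmed_at: float | None = None   # set only by the click on the confirmation link


# In-memory stand-in for the subscriber table (assumption).
SUBSCRIPTIONS: dict[str, Subscription] = {}


def _sign(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def make_token(purpose: str, email: str, expires_at: int) -> str:
    """Signed, expiring, purpose-bound token for a link. The purpose is inside the
    signed payload, so a confirmation token cannot be replayed as an unsubscribe
    token or vice versa."""
    payload = f"{purpose}|{expires_at}|{email}"
    raw = f"{payload}|{_sign(payload)}".encode()
    return base64.urlsafe_b64encode(raw).decode()


def verify_token(token: str, purpose: str, now: float) -> str | None:
    """Return the email address bound to a valid token, otherwise None."""
    try:
        decoded = base64.urlsafe_b64decode(token.encode()).decode()
        payload, sig = decoded.rsplit("|", 1)
        got_purpose, expires_s, email = payload.split("|", 2)
    except (ValueError, UnicodeDecodeError):
        return None
    # Constant-time comparison first: anything unsigned is rejected before parsing further.
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    if got_purpose != purpose or now > int(expires_s):
        return None
    return email


def request_subscription(email: str, now: float | None = None) -> str:
    """Step 1 of double opt-in: store the request as pending and return the
    confirmation link for the notification email. Nothing else is sent to the
    address until the link is clicked."""
    now = time.time() if now is None else now
    SUBSCRIPTIONS[email] = Subscription(email=email, requested_at=now)
    token = make_token("confirm", email, int(now + CONFIRM_TTL_SECONDS))
    return f"{BASE_URL}/confirm?token={token}"


def confirm_subscription(token: str, now: float | None = None) -> bool:
    """Step 2: the click proves control of the mailbox. Activate only after
    signature, purpose and expiry check out; the timestamp is the documented consent."""
    now = time.time() if now is None else now
    email = verify_token(token, "confirm", now)
    sub = SUBSCRIPTIONS.get(email) if email else None
    if sub is None:
        return False
    if sub.confirmed_at is None:
        sub.confirmed_at = now
    return True


def unsubscribe_link(email: str, now: float | None = None) -> str:
    """Link placed in every newsletter; signed so third parties cannot unsubscribe
    others. One-year validity is an assumption."""
    now = time.time() if now is None else now
    token = make_token("unsubscribe", email, int(now + 365 * 86400))
    return f"{BASE_URL}/unsubscribe?token={token}"


def unsubscribe(token: str, now: float | None = None) -> bool:
    now = time.time() if now is None else now
    email = verify_token(token, "unsubscribe", now)
    return email is not None and SUBSCRIPTIONS.pop(email, None) is not None


def may_send_newsletter(email: str) -> bool:
    """The single gate the mailer consults: pending (unconfirmed) addresses get nothing."""
    sub = SUBSCRIPTIONS.get(email)
    return sub is not None and sub.confirmed_at is not None
```

The point of the purpose field and the expiry is that a confirmation link forwarded or leaked later cannot be used to (re)activate an address indefinitely, and an unsubscribe link cannot be turned into a confirmation.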
5. Processing of creditworthiness information
Transmission of data to SCHUFA
Within the scope of the contractual relationship entered into with you, BayWa r.e. transmits to SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, personal data collected concerning the application for, implementation and termination of this business relationship, as well as data concerning conduct that is not contractually compliant or is fraudulent. The legal basis for these transfers is Art. 6 para. 1 letter b and Art. 6 para. 1 letter f GDPR. Transfers based on Art. 6 para. 1 letter f GDPR may only take place insofar as they are necessary to safeguard the legitimate interests of BayWa r.e. or of third parties and provided that these interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data. Data is also exchanged with SCHUFA for the purpose of meeting legal obligations to carry out creditworthiness checks on customers (Sections 505a and 506 of the German Civil Code, BGB). SCHUFA processes the data received and also uses it for profiling (scoring) in order to provide its contractual partners in the European Economic Area, in Switzerland and, where applicable, in other third countries (provided an adequacy decision of the European Commission exists for them) with information used, inter alia, to assess the creditworthiness of natural persons. Further information on the activities of SCHUFA can be found in the SCHUFA information sheet pursuant to Art. 14 GDPR or online at www.schufa.de/datenschutz.
Data transmission to other credit agencies
BayWa r.e. also uses the following credit agencies to obtain credit information where a legitimate interest exists: Bisnode Deutschland GmbH, Robert-Bosch-Straße 11, 64293 Darmstadt; Coface Central Europe Holding AG, Stubenring 24, A-1010 Vienna; CRIF Bürgel GmbH, Radlkoferstraße 2, 81373 Munich; Creditreform, Machtlfinger Straße 13, 81302 Munich; EOS Deutschland GmbH, Gottlieb-Daimler-Ring 7-9, 74906 Bad Rappenau.
Maintaining a group-wide credit rating database
If we have obtained creditworthiness data about you within the legally permissible scope (e.g. from a credit agency), we store it in a system to which the Group companies participating in BayWa Credit Management have access. The aim is to facilitate transaction processing for joint customers and to identify financial default risks. The creditworthiness database is only accessed if the respective Group company has a legitimate interest in doing so.
6. Who receives my data?
Even where we use a service provider to process data on our behalf (a processor), we remain the party responsible for protecting your data. All contractors are contractually obliged to handle your data confidentially and to process it only to the extent required for the provision of their services. The contractors we commission receive your data only if required to perform their respective services. These include, for example, IT service providers that we need to operate and safeguard our IT systems, as well as advertising and address publishers for our own advertising campaigns.
Your data will be processed in the customer databases of BayWa AG and its subsidiaries, including BayWa r.e. These customer databases support efforts to improve the quality of existing customer data (duplicate clean-up, indicators for relocated or deceased persons, address correction) and enable enrichment with data from public sources. This data is made available to the BayWa Group companies participating in the BayWa customer database (participating companies) and can be used for personalised direct marketing campaigns (e.g. newsletters), targeted online marketing and personalised online shop design.
Through the customer database, participating companies that serve the same customers are able to use information about these customers across organisations. The aim is to provide customers with the most up-to-date and relevant information at all times. This processing of customer interests constitutes profiling as defined in Art. 4 no. 4 GDPR, but no automated decision-making within the meaning of Art. 22 GDPR takes place. Customer data is stored separately for each company, with BayWa AG acting as a processor for the individual participating companies.
An overview of the BayWa AG Group companies can be found under the following link: https://www.baywa.com/en/group/at_a_glance/group_companies/
If an offer is made or sold via manufacturer portals, data you have provided will be processed directly in the manufacturer's portal.
If there is a legal obligation and in the context of legal proceedings, authorities and courts as well as external auditors may also receive your data.
In addition, insurance companies, banks, credit agencies and service providers may also receive your data for the purpose of entering into and fulfilling contracts and in case of the sale of projects also investors.
7. How long is my data stored?
We process your data until the business relationship ends or the applicable guarantee, warranty, statute of limitations and statutory retention periods expire (for example from the German Commercial Code or the Tax Code) or until any legal disputes in which the data is required as evidence have ended.
For video monitoring, image data is usually deleted after seven days.
8. Processing of applicant data
When you submit your application via the job portal, we store your personal data in a secure operating environment to protect it from loss or misuse. The company of the BayWa r.e. Group to which you apply within our applicant management system is responsible for the processing of your data.
The contact details of this company can be found in the job advertisement on the BayWa r.e. job portal.
8.1. Which data is processed and from which sources does it come?
As part of the application process, we process the following categories of personal data in particular:
- Master data (e.g. name, date of birth, nationality, place of residence)
- Documents (e.g. certificates, curriculum vitae)
- Training history (e.g. data on (higher) school education, professional qualifications)
- Accounting data (e.g. bank details for reimbursement of application costs)
- Communication data (e.g. email, phone)
- Log data that arises when IT systems are used
In individual cases, the processed data can also include special categories of personal data in accordance with Art. 9 para. 1 GDPR, such as data on health, religious affiliation or trade union membership, if you provide it to us in the context of your application.
8.2. For what purposes and on what legal basis is my data processed?
We process your personal data in compliance with the GDPR, national data protection laws and other relevant national laws.
The data processing is used to carry out the application process, to initiate and establish an employment relationship with the company of BayWa r.e. Group you applied to.
The legal basis for carrying out the application process is Art. 6 para. 1 sentence 1 letter b GDPR in conjunction with the relevant national regulation on pre-contractual measures to establish an employment relationship. In Germany, in addition to Art. 6 para. 1 sentence 1 letter b GDPR, the legislator has issued Section 26 BDSG (data processing for employment purposes).
Insofar as special categories of personal data are processed, this is done on the basis of Art. 9 para. 2 letter b GDPR. If the job to which you have applied requires the processing of health data to assess your ability to work, this is done on the basis of Art. 9 para. 2 letter h GDPR in conjunction with the relevant national regulations.
8.3. How does the application process work?
You can apply directly for a job advertisement published on our BayWa r.e. job portal by entering your data in the application form of the advertised position. In addition to manual entry, you also have the option of transferring certain master data from your XING or LinkedIn profile into the application form, or of using "CV parsing".
We will keep you informed of the processing status of your application by email. As part of the application process, we may ask you whether we may forward your application documents to other job offers that match your profile, possibly also at other companies of the BayWa r.e. Group, or whether we may include them in our applicant pool.
If you have registered your interest on the BayWa r.e. job portal, we may ask you whether we may forward your application documents to job vacancies within BayWa r.e. If there is no position corresponding to your qualifications or your wishes at the time of application, you may be included in our applicant pool after prior consultation with you.
Applications sent to BayWa r.e. in paper form or by email are not accepted, and their data is not transferred to the applicant management system. Paper applications are therefore disposed of immediately in a data-protection-compliant manner, and applications received by email are deleted immediately. The exception is an application received in paper form or by email on a special occasion (e.g. after meeting at a trade fair); in that case your data is imported into the applicant management system and the process described above applies to such applications as well.
8.4. Who receives my data?
Within the BayWa r.e. Group company to which you apply, only the persons and bodies involved in the application process (e.g. supervisors, HR, the specialist department, employee representatives) have access to your personal data. If a person involved in the application process belongs to another company of the BayWa r.e. Group, your data can be transmitted to that person in individual cases.
We use service providers to fulfill our contractual and legal obligations. We have concluded the contracts required by data protection law with these service providers, provided they process personal data on our behalf. For applicant management, we use a software solution from rexx systems GmbH, Süderstraße 75-79, 20097 Hamburg, which works for us as a processor.
8.5. Are personal data transferred to a third country?
If you apply to a company of the BayWa r.e. Group outside the European Economic Area (EEA), your data is transmitted on the basis of Art. 49 para. 1 letter b GDPR unless other appropriate data protection safeguards are in place.
The data center for the rexx systems GmbH applicant platform we use is located in Germany.
8.6. How long will my data be saved?
We retain your data for a period of 6 months in order to meet the legal requirements for the proper handling of an application and to be able to answer questions in connection with your application and/or its rejection.
6 months after completion of the application process, i.e. after you have received an acceptance or rejection from us, your personal data will be deleted. Anonymised application data is retained for statistical purposes.
Once you have agreed to be included in our applicant pool, your data will be stored and processed there for a period of 12 months. After this period, your personal data will be deleted.
As soon as you have been proposed for a position at a company of the BayWa r.e. Group and have agreed to be included in the associated application process, your data will be transmitted to the respective company. The retention period of 6 months after the end of the application process mentioned above then applies to your personal data. If you were not hired in that application process, or if you did not consent to inclusion in it, your data will be transferred back to our applicant pool. In both cases, your personal data will be stored for a period of 12 months starting from the date of the initial pool admission and then deleted.
9. Communication by email
Please note that unencrypted email should be regarded as insecure: unauthorised persons may be able to read the content of an email and, under certain circumstances, manipulate it in transit. We therefore ask you not to send sensitive data by email when communicating with us. As an applicant, please use our applicant portal, where your application documents are transmitted securely. Should it nevertheless be necessary to send sensitive data by email, please use end-to-end content encryption (e.g. S/MIME or OpenPGP) rather than relying on transport encryption alone.
10. What information is collected when you visit this website?
10.1. Cookies
Some cookies remain stored on your end device until you delete them. They allow us to recognise your browser again the next time you visit. If this is against your wishes, you can set up your browser so that it informs you when cookies are set and only allows them in individual cases. However, deactivating cookies may limit the functionality of our website.
You can find an explanation of the scope and function of the cookies BayWa r.e. uses on its website below:
a. Functional cookies
Functional cookies save information that has already been entered (e.g. username, your language or location) and users are offered improved, personalised functions. This type of cookie also enables requested functions, such as playing videos. Anonymised data is collected and the other websites you visit are not tracked.
b. Preference cookies
Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
c. Analytical cookies
These cookies help us to collect information about how our website is used. They record, for example, the number of visitors and where the traffic comes from. With this information we can assess how our website is performing and initiate improvements. Analytical cookies allow us to find out which content is visited most and least frequently, whether error messages appear and how users navigate our website. The collected data is aggregated and is therefore anonymous, so individual users cannot be identified. At BayWa r.e., we only use these cookies to continuously improve the performance of our website and the associated user experience. If you do not agree to your user behaviour being recorded anonymously, you can prevent this by deactivating cookies in your browser.
d. Marketing cookies
Marketing cookies are used to show users targeted, relevant advertisements tailored to their interests. They are also used to assess the effectiveness of certain campaigns. These types of cookies detect whether a website was visited or not. They can be forwarded to third parties. Cookies that help to improve how target groups and advertising are addressed are often linked with the page functionalities of third parties.
10.2. Specific cookies used
The specific cookies used on each BayWa r.e. website are described on the respective website. A link to the description, called "website data tracking and opt-out", can be found in each website's footer. There you will also find the opt-out links for these cookies.
11. Diagnosis, correction and optimisation with Sentry
11.1. The scope and purpose of processing
We use the Sentry service (provided by Functional Software, Inc., 1501 Mariposa St #408, San Francisco, CA 94107, USA) to improve the technical performance of our services on our website by monitoring system stability and identifying code errors. User data such as information about the device and the time of the error is collected anonymously and is not linked with other data. The data collected is deleted once the purpose has been achieved.
11.2. Type of data
In the event that errors are transmitted, the following data can be transmitted and processed:
- IP address (only for the technical transmission of the error)
- Type / version of the browser
- Operating system / operating system version
- Stack trace of the error (where and how the error occurred)
- Potentially text from contact form (if there is an error on the contact form)
The software runs exclusively on self-hosted servers in Germany. The storage of users’ personal data is only carried out there. The data will not be passed on to third parties. BayWa r.e. does not evaluate any data for advertising purposes.
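How the data minimisation described in sections 11.2 and 11.4 can be enforced at the point where an error event leaves the web server, as an added example that is not BayWa r.e.'s own code: a `before_send`-style hook that drops the IP address wherever the Sentry SDK can place it, strips cookies and identifying headers, keeps only the free-text fields of the contact form and leaves browser, OS and stack trace untouched. The contact form path, its field names and the sample event are assumptions constructed for this illustration; the hook is a plain function so it runs without the SDK installed.

```python
from __future__ import annotations

import copy
from typing import Any, Optional
from urllib.parse import urlsplit

# Assumptions (not from the page): the contact form lives at this path and its
# free-text fields are "subject" and "message"; other fields (name, email,
# phone) are identity data and are never sent to Sentry.
CONTACT_FORM_PATH = "/contact"
CONTACT_FORM_TEXT_FIELDS = {"subject", "message"}


def scrub_event(event: dict[str, Any], hint: Optional[dict[str, Any]] = None) -> Optional[dict[str, Any]]:
    """before_send hook: minimise an error event before it leaves the web server.
    Keeps what the notice lists (browser, OS, stack trace, contact-form text) and
    removes everything that would identify the visitor."""
    ev = copy.deepcopy(event)

    # IP address is used for transport only: strip every place the SDK records it.
    user = ev.get("user") or {}
    user.pop("ip_address", None)
    if user:
        ev["user"] = user
    else:
        ev.pop("user", None)

    req = ev.get("request")
    if req:
        env = req.get("env") or {}
        env.pop("REMOTE_ADDR", None)
        req["env"] = env
        # Headers and cookies carry session identifiers and forwarded client IPs;
        # only the User-Agent is needed (it is where "browser / OS version" comes from).
        headers = req.get("headers") or {}
        req["headers"] = {k: v for k, v in headers.items() if k.lower() == "user-agent"}
        req.pop("cookies", None)
        # Submitted data is kept only for the contact form, and only its text fields.
        path = urlsplit(req.get("url") or "").path.rstrip("/")
        data = req.get("data")
        if path == CONTACT_FORM_PATH and isinstance(data, dict):
            req["data"] = {k: v for k, v in data.items() if k in CONTACT_FORM_TEXT_FIELDS}
        else:
            req.pop("data", None)

    # "contexts" (browser, os) and exception.stacktrace stay as they are: that is the
    # diagnostic payload and identifies no person.
    return ev


# Wiring (assumed, not executed here):
#   sentry_sdk.init(dsn=..., send_default_pii=False, before_send=scrub_event)
# send_default_pii=False stops the SDK from attaching the client IP in the first
# place; the hook covers whatever still arrives from the web framework.

# Constructed sample event in Sentry's event shape, for demonstration only.
SAMPLE_EVENT: dict[str, Any] = {
    "event_id": "0" * 32,
    "user": {"ip_address": "203.0.113.7"},
    "request": {
        "url": "https://example.invalid/contact",
        "method": "POST",
        "headers": {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/115.0",
            "Cookie": "session=abc123",
            "X-Forwarded-For": "203.0.113.7",
        },
        "cookies": {"session": "abc123"},
        "env": {"REMOTE_ADDR": "203.0.113.7"},
        "data": {"name": "A. Example", "email": "a@example.invalid", "message": "Form fails on submit"},
    },
    "contexts": {"browser": {"name": "Firefox", "version": "115"}, "os": {"name": "Windows", "version": "10"}},
    "exception": {"values": [{"type": "ValueError", "value": "bad input",
                              "stacktrace": {"frames": [{"filename": "contact.py", "lineno": 42}]}}]},
}


def remaining_identifiers(ev: dict[str, Any]) -> set[str]:
    """Review helper: names of identifying items still present in an event."""
    found: set[str] = set()
    if "ip_address" in (ev.get("user") or {}):
        found.add("user.ip_address")
    req = ev.get("request") or {}
    if "REMOTE_ADDR" in (req.get("env") or {}):
        found.add("request.env.REMOTE_ADDR")
    for h in req.get("headers") or {}:
        if h.lower() in {"cookie", "x-forwarded-for", "authorization"}:
            found.add(f"request.headers.{h}")
    if req.get("cookies"):
        found.add("request.cookies")
    data = req.get("data")
    for k in (data if isinstance(data, dict) else {}):
        if k in {"name", "email", "phone"}:
            found.add(f"request.data.{k}")
    return found
```

Because the hook runs inside the application, nothing it removes ever reaches the Sentry server, self-hosted or not; the 90-day retention in 11.4 then only has to cover the diagnostic fields.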
11.3. Legal basis for the processing of personal data
The legal basis for the processing of users’ personal data is Article 6 para. 1 lit. f of the GDPR (legitimate interest of the controller). It is in our legitimate interest to improve the technical performance of our services on our website by monitoring system stability and identifying code errors.
11.4. Length of storage period
The following personal data will be deleted immediately after transmission, as it is used only for transmission between the server and the client:
- IP address
The following personal data will be stored for the above-mentioned purpose for 90 days and will then be permanently deleted:
- Type / version of the browser
- Operating system / operating system version
- Stack trace of the error
- Text from the contact form
11.5. Option of making an objection
As your IP address is not recorded, we are unable to assign the stored data to you, and hence we generally store anonymous data. A right to object therefore only exists in individual cases in which we have stored personal data in the form of the contents of an erroneous contact form submission. To exercise your right to object, please contact: data-protection-officer(at)baywa-re.com.
12. Is any personal data transferred to other countries?
Transfer of data to external countries takes place in individual cases and only on the basis of an adequacy decision of the European Commission, standard contractual clauses, suitable guarantees or your express consent.
13. What data protection rights do I have?
You have a right to information about your stored data, to its correction, deletion or restriction of processing, a right to object to the processing, a right to data portability and a right to lodge a complaint, in accordance with the requirements of data protection law.
Right to information
You can request information from us concerning whether and to what extent we process your data.
Right to correction
If we process your data in a way that is incomplete or incorrect, you can request that we correct or complete it at any time.
Right to deletion
You can request that we delete your data if we process it unlawfully or if the processing interferes disproportionately with your legitimate protection interests. Please note that there may be reasons that prevent immediate deletion, e.g. where legally required storage obligations are imposed.
Irrespective of whether or not you exercise your right to deletion, we will delete your data completely as soon as it is no longer required, provided this is not prevented by a legal transaction or a statutory retention period.
Right to limitation of processing
You may request that we restrict the processing of your data if:
- You dispute the accuracy of the data for a period of time that allows us to verify the accuracy of the data
- The processing of the data is unlawful, but you reject the option of deletion and instead request a restriction on its use
- We no longer need the data for the intended purpose, but you still need this data to assert or defend legal claims, or
- You have lodged an objection to the processing of the data.
Right to data portability
You may require that we provide you with the data you have given to us in a structured, commonly used and machine-readable format and that we allow you to pass this data on to another controller without hindrance on our part, provided that
- We process this data on the basis of consent granted by you and/or to fulfil a contract between us, and
- This processing is carried out by automated means
If technically feasible, you can ask that we transfer your data directly to another controller.
Right to objection
If we process your data on the basis of legitimate interests, you can object to this processing at any time for reasons arising from your particular situation; this also applies to profiling based on these provisions. We will then refrain from any further processing of your data unless we can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. You can object to the processing of your data for the purpose of direct advertising at any time without giving reasons.
Right to lodge a complaint
If you believe that we are violating German or European data protection law when processing your data, please contact us so that we can clarify any questions. Of course, you are also entitled to contact the supervisory authority responsible for BayWa r.e., the Bavarian State Office for Data Protection Supervision.
If you wish to assert any of the above rights against us, please contact the contact named under no. 1. In case of any doubt, we may request additional information to confirm your identity.
14. Am I obliged to provide data?
The processing of your data is necessary to conclude or fulfil your contract with us. If you do not provide us with this information, we will usually have to decline the conclusion of the contract or execution of the order or will no longer be able to execute an existing contract, which will then have to be terminated. However, you are not obliged to give your consent to the processing of data that is not relevant or legally required for the fulfilment of the contract.
Information on privacy and data protection specific to Australia
I. Australian Privacy Act 1988
What is mainly relevant in data protection / privacy law is the Privacy Act 1988 (https://www.legislation.gov.au/Details/C2019C00241).
The 13 Australian Privacy Principles (APPs), which contain mandatory requirements, are set out in Schedule 1 of the Privacy Act 1988:

| Principle | Requirement |
|---|---|
| APP 1: Open and transparent management of personal information | Requires APP entities to manage personal information in an open and transparent way, including having a clearly expressed and up-to-date APP privacy policy. |
| APP 2: Anonymity and pseudonymity | Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply. |
| APP 3: Collection of solicited personal information | Outlines when an APP entity can collect personal information that is solicited. It applies higher standards to the collection of 'sensitive' information. |
| APP 4: Dealing with unsolicited personal information | Outlines how APP entities must deal with unsolicited personal information. |
| APP 5: Notification of the collection of personal information | Outlines when and in what circumstances an APP entity that collects personal information must notify an individual of certain matters. |
| APP 6: Use or disclosure of personal information | Outlines the circumstances in which an APP entity may use or disclose personal information that it holds. |
| APP 7: Direct marketing | An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met. |
| APP 8: Cross-border disclosure of personal information | Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas. |
| APP 9: Adoption, use or disclosure of government related identifiers | Outlines the limited circumstances in which an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual. |
| APP 10: Quality of personal information | An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure. |
| APP 11: Security of personal information | An APP entity must take reasonable steps to protect personal information it holds from misuse, interference or loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances. |
| APP 12: Access to personal information | Outlines an APP entity's obligations when an individual requests access to information held about them by the entity. This includes a requirement to provide access unless a specific exception applies. |
| APP 13: Correction of personal information | Outlines an APP entity's obligations in relation to correcting the personal information it holds about individuals. |
The Australian BayWa r.e. legal entities are, for the most part, ‘APP entities’ within the meaning of section 6(1) of the Privacy Act 1988.
‘APP entities’ are body corporates with an annual turnover of more than AUD 3,000,000.
Exceptions could apply to some of these companies, which probably have an annual turnover below this amount; some Australian BayWa r.e. legal entities are currently dormant and generate no turnover at all.
However, for simplicity’s sake, it is proposed that for data protection law purposes all Australian BayWa r.e. companies be treated as if they were APP entities and thus all have to adhere to the mandatory requirements of the 13 APPs.
II. Australian mandatory Data Breach Laws
Also relevant for Australian BayWa r.e. legal entities in relation to personal data (and thus for the rest of the BayWa r.e. Group) are Australia’s mandatory data breach reporting laws.
They came into effect on 22 February 2018 and are known as the Notifiable Data Breaches (NDB) scheme. The new legislation is in Part IIIC of the Privacy Act 1988.
Any APP entity is subject to this scheme (cf. the definition of ‘APP entity’ above). If it incurs an ‘eligible data breach’, it must, within 30 days, notify the individuals who are likely to suffer serious harm as a result of the breach.
The notification must include recommendations about the steps individuals should take in response to the breach.
It must also alert the Australian Information Commissioner (AIC) of an eligible data breach.
This can be done through an online form (Notifiable Data Breach statement – OAIC website).
Under the NDB scheme, an eligible data breach is one in which there is unauthorised access, disclosure or loss of personal information held by an entity and that access, disclosure or loss is "likely to result in serious harm to any of the individuals to whom the information relates".
Examples are the hacking of a database containing personal information or personal information being provided to the wrong person.
The scheme is not retrospective, so if the breach occurred before 22 February 2018, even if only discovered after that date, it is not an eligible data breach under the NDB scheme.
The NDB scheme distinguishes between notifiable and non-notifiable breaches.
If an APP entity can show that it has taken appropriate steps to mitigate the breach, then a notification to AIC is not required.
The consequences for infringing NDB can be significant: Failing to report an eligible breach can result in penalties of up to $1.8 million for organisations.
Under the NDB scheme, Australian BayWa r.e. legal entities would thus need to:
- Assess whether they are APP entities (they are, or are deemed to be, cf. above)
- Check the AIC’s Guide to securing personal information, to assess how personal information is stored and managed within Australian BayWa r.e. legal entities (and how it flows towards the BayWa r.e. Group)
- Have in place a data breach response plan
- Set up procedures and plans, possibly with external legal advice, to ensure that everyone within Australian BayWa r.e. legal entities is aware of their obligations regarding data protection and privacy
(Information on NDB mainly sourced from: http://www.mondaq.com/australia/x/675064/data+protection/New+Australian+mandatory+data+breach+laws)
III. No separate EU representative under Art. 27 GDPR necessary for Australian BayWa r.e. legal entities – BayWa r.e. HQ can act as representative
The AIC states on its website (www.aoic.gov.au) that Australian entities, as non-EU entities, need to appoint an EU representative under Art. 27 GDPR when exporting data from Australia to the EU.
Interested parties, e.g. Australian individuals, can turn to the EU-Representative to ask about the processing of their personal data within the EU by the Australian BayWa r.e. entities (and thus, of the processing of their personal data by BayWa r.e. Group).
Australian BayWa r.e. legal entities would thus need to appoint an EU representative within the meaning of Art. 27 GDPR. This could be an external legal counsel.
However, since such data is mainly sent from Australia to BayWa r.e. HQ in Munich, it is proposed that the Australian BayWa r.e. legal entities instead simply appoint, for example, the data protection officer of BayWa r.e. at HQ in Munich as the EU representative under Art. 27 GDPR for all Australian BayWa r.e. legal entities.