ccorrea
Newcomer I

GDPR in Australia

Hi all,

 

Are Australian companies that employ EU citizens (for example, on a sponsorship visa, living in Australia) required to comply with GDPR?


Thanks,
Caio

5 Replies
TonyVizza
ISC2 Team

Hi Caio,

 

The short answer is yes.

 

As EU citizens, they are entitled to GDPR protections, so, technically speaking, there is an obligation on an Australian business to be GDPR compliant.

 

http://blog.isc2.org/isc2_blog/2018/09/free-gdpr-course-for-members.html might also be of benefit for you. It's a fantastic GDPR training course for (ISC)2 members, available to you free of charge, that will help educate you on the finer points of GDPR.

 

Any questions, let me know. 

ccorrea
Newcomer I

Hi Tony,

 

Thanks for the reply.

 

I am enrolled and currently going through the training, which is why the curiosity for the question came up.

 

I understand the compliance requirement for companies that trade globally, either with a presence in the EU or, if only externally, that offer services or goods to EU citizens living in EU countries, but I am still intrigued as to how SMEs all over the world that have EU citizens living in a country other than an EU member state would be required to be compliant and pay fines to the EU, when their own countries don't even have anything signed with the EU to enforce the strict requirements.

 

Australia, for example, has implemented the NDB Scheme based on the Australian Privacy Act, but this is still a separate compliance requirement. It does mention compliance requirements for the GDPR as follows:

"Some Australian businesses covered by the Australian Privacy Act 1988 (Cth) (the Privacy Act) (known as APP entities), may need to comply with the GDPR if they:

  • have an establishment in the EU (regardless of whether they process personal data in the EU), or
  • do not have an establishment in the EU, but offer goods and services or monitor the behaviour of individuals in the EU."

https://www.oaic.gov.au/agencies-and-organisations/business-resources/privacy-business-resource-21-a...

 

Where would you say is the obligation coming from based on my original question?

 

Thanks again.

 

Caio

TonyVizza
ISC2 Team

Hi Caio,

 

This may be a question best asked of a lawyer but I'll do the best I can.

 

GDPR and NDB are not mutually exclusive. 

 

Notifiable Data Breaches in Australia covers a data breach of any data held by eligible organisations (turning over $5m and not State or Local Government organisations). For SMBs under this turnover number, NDB does not apply.

 

Technically speaking, the EU could pursue a non-EU-based organisation if the data of an EU citizen is compromised through a breach. If that organisation has a formal presence in the EU, it's much more likely to do so, and that organisation will need to have ensured GDPR compliance (and that compliance affects ALL of its global operations). Of course, how the EU chooses to enforce these rules remains to be seen.

 

Again, this is definitely a legal question to consider. 

 

https://www.oaic.gov.au/media-and-speeches/news/general-data-protection-regulation-guidance-for-aust... will assist you as well. 

RvE
Newcomer I

Hi, ideal world speaking:

 

1. The EU-GDPR applies to all PII data stored within the EU (so for EU citizens and non-EU-citizens)

2. The EU-GDPR applies to all EU-Citizen PII data any where in the world.

3. Now the get-out-of-jail-free card is for companies to ask for consent to do whatever they want with your data. And in 99% of cases everybody clicks agree.

 

Now point 2 is very difficult to enforce if point 3 is in place and you clicked agree. Even without point 3 it is difficult to enforce. So it comes down to the individual to evaluate.

 

So back to your question: they must comply, but it is difficult to enforce. Even within Australia, the difference in privacy maturity between the states is huge.

 

So you have to fall back on EU-GDPR compliance statements, via a third-party message. Companies that take cybersecurity and privacy seriously will give this on their website.

 

Now what I do, for example, when I apply for a position and am not a successful candidate: I will ask the company to securely delete my data and confirm this, and I cc the privacy officer from the privacy statement. This is to avoid any future data losses in a breach. Some professional companies confirm, some of them don't, and some of them ask why I am doing this. And you will see that the last two groups have poor privacy statements, or even copies from other companies where they forgot to change the details.

 

Just read the privacy statements, have a talk with them, and let your gut feeling do the rest.

 

As a very last resort, report the company to one of the European privacy authorities. They will file and register the company. This might be handy, not for your situation, but for future situations, e.g. if they try to open shop in the EU. But then again, do you want all this effort/trouble?

 

I would only do this if they made copies of your passport / ID's. Identity theft is a serious problem in Australia.

RvE
RvE
Newcomer I

When reading a privacy statement or consent form, check the following.

They must describe:
1. What information is being collected? (Think not only of paper documentation, but also video, or your voice if it is recorded.)
2. What will this collected information be used for?
3. Which parties can access the information?
4. How long will the information be kept? And do they confirm secure deletion to you?
5. What happens to the information when the retention time has expired? Will they keep it, or anonymise it?
6. The right to view and correct the information about you.
7. The right to be forgotten (prior to the expiration date).

You will not find all the points in the policy and statement, often because it is a lot of work. Again, go with your gut feeling. If you read the consent statement below, what would you decide to do?

---- Would you sign the consent form below? Or the contract?

DECLARATION:
I hereby authorize the [BIG TECH COMPANY] or its agent or representatives to hold secure any information regarding myself and I hereby release any person and the firm from all liabilities for any damage whatsoever arising from the release of such information. I further declare that the statements made by me in this application are true, complete and correct. A false statement or dishonest answer to any question will serve as grounds for my immediate dismissal without any compensation by the Company.

I understand that the personal data so collected, stored or processed may be retained by [BIG TECH COMPANY] or its related corporation or agents or representatives for a reasonable length of time and may be transferred to or archived in the head office of [BIG TECH COMPANY] in [OUTSIDE YOUR COUNTRY] and I agree to so authorize such retention or transfer of the personal data. I further understand that I have a right to request access to and to request correction of my personal data in relation to my application by contacting the HR Manager of [BIG TECH COMPANY] Human Resources Department or its agent.
FULL NAME AND SIGNATURE:

--------
RvE