Who is responsible for your personal information?
We, Willow Rail Pty Limited (ACN 630 286 850) of Level 21, Governor Philip Tower, 1 Farrer Place, Sydney NSW 2000, or one of our affiliates which is identified in our communication with you (WillowRail) will be the responsible controller for any personal information you provide to us in connection with our business relationship.
Which categories of personal information do we collect and process?
• We may collect and process the following categories of personal information depending on the nature of our business relationship with you or your organization: Private or work contact information, such as full name, address, telephone number, mobile phone number, fax number and email address, mobile device unique identifier and the IP address of your computer or other online identifiers if you use our services online;
• Payment related information, such as information necessary for processing payments and fraud prevention, including credit/debit card numbers, security code numbers and other related billing information; Further business information necessarily processed in a business or other contractual relationship with Willow or voluntarily provided by you, such as feedback and any other information you may provide to us;
• Information about your interests and preferences and other information obtained by cookies or website analytics tools, in particular your activities when you use our websites or products or other services we offer to you online (such as downloadable content). This may include information about which content you download, click or view for how often and how long;
• Information from publicly available resources, integrity databases and credit agencies;
• Information we are legally required to collect to comply with our legal or regulatory obligations, which may include information about relevant and significant litigation or other legal proceedings against you or a third party related to you and interaction with you which may be relevant for antitrust purposes; and
• Sensitive information. In certain circumstances, where required by law or where you have permitted us to do so, we may collect special categories of your personal information which are specifically protected under data protection law. In connection with the registration for and provision of access to an event or seminar, we may ask for information about your health for the purpose of identifying and being considerate of any disabilities or special dietary requirements you may have. Any use of such information is based on your consent. If you do not provide any such information about disabilities or special dietary requirements, we will not be able to take any respective precautions.
For which purposes do we process, collect, hold, use and disclose your personal information?
Depending on the nature of our business relation, we may process, collect, hold, use and disclose your personal information for the following purposes (“Permitted Purposes”):
• Planning, entering into, performing, managing and administering the services we provide to prospective and current customers e.g. by maintaining our information technology systems, customer service and data storage;
• Maintaining and protecting the security of our products and services and of our IT systems, databases, websites or other digital infrastructure, preventing and detecting security threats, fraud or other criminal or malicious activities;
• Ensuring compliance with legal obligations and regulatory obligations. This may include sales and business record keeping obligations for tax or other purposes and sending required notices or other disclosures, compliance screening or recording obligations (e.g. under anti-money laundering (AML), know your customer (KYC), antitrust laws, export control laws, trade sanction and embargo laws or to prevent white-collar crimes). In this context we may be required to conduct automated checks of your contact data or other information about your identity against applicable anti-money laundering or sanctioned-party lists and to contact you to confirm your identity in case of a potential match, to record interaction with you which may be relevant for antitrust purposes and to report to or support investigations by competent supervisory, law enforcement or other public authorities;
• Performing diagnostics testing and analysis of problems or support issues with our services or for the purposes of research;
• In the context of the WillowRail App, undertaking analysis of information and providing aggregated data to the entity that you are an employee or contractor, to whom we, or one of our licensees, have granted a licence to use the WillowRail App and provide it to you (“Authorised Providers”) and our affiliated business partners on an anonymous basis regarding location, gender, together with relevant analytics data and research;
• Informing you, where permitted by applicable law about Willow’s products or services which are similar to products and services purchased or used by our within that or otherwise related to our business relationship with you or your organisation; or
• Solving disputes, enforcing our contractual agreements and to establish, exercise or defend legal claims. Where you have expressly given us your consent or where otherwise legally permitted, we may also process your personal information for the following purposes:
• Communicating with you through the channels you have approved to keep you up to date on the latest announcements, special offers and other information about Willow’s products, technologies and services (including marketing-related newsletters) as well as events and projects of Willow and, in the context of the WillowRail App, sending or facilitating communications (including the communication of promotions or other deals) between you and the relevant Authorised Provider;
• Administrating and performing customer surveys, marketing campaigns, market analysis, sweepstakes, contests or other promotional activities or events; or
• Profiling and automated processing: Collecting information about your preferences on the basis of your activities when you use our websites and any products or services we offer to you online (such as downloadable content). On the basis of this information (e.g. which content is downloaded, clicked or viewed for how often and how long), we create a user profile to personalise and foster the quality of our communication and interaction with you (for example, by way of newsletter tracking or website analytics). The logic behind our profiling activities is to identify areas which may be useful or otherwise of interest for you and to inform you about such areas in a more effective and targeted way. The algorithms used apply this logic and automatically deliver the targeted content or information to you. Please note: Under the European General Data Protection Regulation (Article 21 (2)) you have the right to object to the use of your personal information for direct marketing purposes, including the profiling described above. Please refer to “Your data protection rights” below for further explanation of your rights and how to exercise them. Where your explicit permission is required for any marketing-related communication, we will only provide you with such information if you have opted in. You may opt out at any time if you do not want to receive any further marketing-related types of communication from us. We will not use your personal information for taking any automated decisions affecting you or creating profiles other than described above.
On which basis do we process your information?
We will process your personal information for the above Permitted Purposes only:
• where it is necessary for the performance of a contract with you or in order to take steps at your request prior to entering into such a contract;
• where it is necessary for our or a third party’s legitimate interests, always provided that such interests are not overridden by your interests or fundamental rights and freedoms. Our “legitimate interests” may include our commercial interests in operating our business in a professional, sustainable manner, in accordance with all relevant legal and regulatory requirements;
• for our compliance with our legal obligations;
• where it is necessary to protect your or another person’s vital interests;
• where we have obtained your specific or, where necessary, explicit consent to do so. We will in each case inform you about the processing of your data and your related rights prior to obtaining your consent. The legal bases for processing of your personal information are set forth in Article 6 GDPR.
How do we collect your personal information?
How do we hold and protect your personal information?
We may hold personal information electronically, or in paper files. We will maintain physical, electronic and procedural safeguards in accordance with the technical state of the art and legal data protection requirements to protect personal information against misuse, intrusion, interference, loss and unauthorised access, modification or disclosure. These safeguards include implementing specific technologies and procedures designed to protect your privacy, such as secure servers, firewalls and SSL encryption and depending on the information and the circumstances, this protection may in particular include:
• the use of confidential passwords for purposes of accessing such information on Willow’s internal systems;
• storing hard copies of documents containing personal or sensitive information in secure files created for this purpose;
• imposing confidentiality requirements on our employees;
• conducting reasonable due diligence on any third-party service provider’s security measures, and compliance with privacy laws, especially if they are located offshore; and
• maintaining physical access controls over our premises. Where Willow holds personal information that it no longer requires, Willow will take reasonable steps to destroy or de-identify such information, subject to any law or court order requiring retention.
Where do we process personal information?
Willow is a globally active enterprise. In the course of our business activities (including because we may use a cloud-based service to store and process personal information), we may transfer your personal information to entities located outside Australia, or where the GDPR applies, outside the European Economic Area including to the USA, Canada, Singapore, China, Hong Kong, Israel, Philippines and the United Kingdom (provided that the United Kingdom will cease from the EU) (third countries), in which applicable laws do not offer the same level of data protection as the laws of your home country. When doing so, we will comply with applicable data protection requirements and take appropriate safeguards to ensure the security and integrity of your personal information, in particular where the GDPR applies by entering into the EU Standard Contractual Clauses which are available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en. You may contact us anytime using the contact details below if you would like further information on such safeguards.
With whom do we share your personal information?
We may share your personal information as follows:
• We may also instruct service providers (so called data processors) within or outside of Willow, domestically or abroad, e.g. shared service centres or cloud providers, to process personal information for the Permitted Purposes on our behalf and in accordance with our instructions only. Willow will retain control over and will remain fully responsible for your personal information and will use appropriate safeguards as required by applicable law to ensure the integrity and security of your personal information when engaging such service providers.
• With governments, courts, regulators, law enforcement or other competent authorities or attorneys if legally permitted and necessary to comply with a legal obligation or for the establishment, exercise or defence of legal claims.
• We may also share your personal information with third parties if we sell or buy any business or assets, in which case we may disclose personal information to the prospective seller or buyer of such business or assets, along with its professional advisers. If Willow or substantially all of its assets are acquired by a third party, personal information held by us about customers and other contacts will be one of the transferred assets.
• In the case of the WillowRail App, with an Authorised Provider.
• In the case of any WillowRail branded or co-branded websites (including sub-domains, international versions, widgets, and mobile versions) and/or other media, software, devices, or networks now existing or later developed, with third parties where necessary for the purpose of integration of such WillowRail branded or co-branded websites. • In an aggregated and anonymous manner with a third party identified above. Otherwise, we will only disclose your personal information when you direct or give us permission, when we are required by applicable law or regulations or judicial or official request to do so, or when we suspect fraudulent or criminal activities.
How long do we store personal information?
We will hold your personal information as long as required to provide you with the products or services or information you have requested and to execute and administer your business relationship with us. If you have asked us not to communicate with you, we will hold this information as long as required to comply with your request. We are also required to keep certain of your personal information (e.g. relating to business or tax relevant transactions) for certain retention periods under applicable law. Your personal information will be promptly deleted when it is no longer required for these purposes.
To obtain access, seek correction or seek de-identification or deletion of your personal information that we hold, please contact us using the contact details below. Where we process your personal information under the GDPR, subject to certain legal conditions, you may request access to, rectification, erasure or restriction of processing of your personal information. You may also object to processing or request data portability. In particular you have the right to request a copy of the personal information that we hold about you. If you make this request repeatedly, we may make an adequate charge for this. Please refer to Articles 15-22 of the GDPR for details on your data protection rights. If you have given us your consent for the processing of your personal information, you may withdraw your consent at any time with future effect, i.e. the withdrawal of the consent does not affect the lawfulness of processing based on the consent before its withdrawal. If you withdraw your consent, we will only continue processing your personal information where there is another legal ground or where we are legally required to do so. For any of the above requests, please send a description of your personal information concerned and appropriate proof of identity (e.g. your name or customer number) as proof of identity to the contact details below. We may require additional proof of identity to protect your personal information against unauthorized access. We will carefully consider your request and may discuss with you how it can best be fulfilled. If you have any concerns about how your personal information is handled by us or wish to raise a complaint on how we have handled your personal information, you can contact us at the contact details below to have the matter investigated. Where a complaint is received, our Privacy Officer(details below) will consider the complaint, and within a reasonable time, will decide whether the complaint warrants further investigation. The complainant will be advised by Willow of the outcome of its investigations within a reasonable time. If you are not satisfied with our response or believe we are processing your personal information not in accordance with the law you may refer the matter to the Office of the Federal Privacy Commissioner at Website: http://www.oaic.gov.au Phone: 1300 363 992, or if your personal information is being processed within the scope of the GDPR, you can complain to the competent data protection supervisory authority in your country. For example, if you are from the UK, you may contact the Information Commissioners Office via their website (www.ico.gov.uk).
Are you required to provide personal information?
As a general principle, you will provide us with your personal information entirely voluntary; there are generally no detrimental effects on you if you choose not to consent or to provide personal information. However, there are circumstances in which Willow cannot take action without certain of your personal information, for example because this personal information is required to register your attendance at an event, provide you with a response to a communication or query, or to provide you with access to a web offering or newsletter, carry out a legally required compliance screening or to provide our products or services to you. In these cases, it will unfortunately not be possible for Willow to provide you with what you request without the relevant personal information.
Information collected by cookies and other technologies
Willow may gather information by cookies or other web-tracking or analytics technologies. A cookie is a small text file that is stored on your device for record-keeping purposes. You can remove cookies by following directions provided in your Internet browser’s “help” file or clearing out your browser’s cache. You may also decline our cookies if your browser permits, but doing so may interfere with your use of our website or the provision of our services.
How to get in touch with us