Privacy Notice Overview

This Privacy Notice addresses the requirements in the Australian Privacy Act (APA) 1988 and the UK Data Protection Act (DPA) 2018 for a clear and open explanation of how we manage personal information.  We treat the definitions of ‘personal information’ (APA) and ‘personal data’ (DPA) in the same way – for clarity and consistency we will refer to ‘personal information’.  More detail is contained in our Data Protection Policy which can be made available on request.  This Privacy Notice is under regular review and was last updated on 25th August 2021.

Contact Details

CGR is registered in Australia and the UK at the following addresses:

  • 62 Bay View Terrace, Claremont, WA 6010, Australia.
  • The Rectory, 1 Toomers Wharf, Canal Walk, Newbury, Berkshire, RG14 1DY, UK.

Our Data Protection Lead is in the UK office and can be reached at: contact@corpgovrisk.com

Personal Information

How we get it and why we have it

CGR collects personal information in two distinct ways:

  • Business Interest.  Where individuals choose to contact us (for instance via our website ‘Contact Us’ form) we ask for details such as name, company, and contact emails and numbers.  Additionally, we use cookies for analytics and to enhance the experience of visitors on our website without using personally identifiable information. More details can be found on the Squarespace page related to cookies, including detailed aspects of the usage of each one: https://support.squarespace.com/hc/en-us/articles/360001264507-The-cookies-Squarespace-uses.
  • Data Processor. Where we operate as data processor for our clients (who are data controllers) the creation of user accounts requires individual names and business email addresses.  Additionally, client users can choose to store personal information within the application based on the scope (including any special categories) identified by agreement in our Software Licence Agreement.  This information can be entered via the web or mobile applications – technical detail is contained in an Annex to our Data Protection Policy. Within our role as Data Processor, CGRF Mobile uses Microsoft AppCenter to provide analytics and error reporting. The information collected is used to improve the application and this data may be automatically transmitted to AppCenter during certain interactions with CGRF Mobile. This data does not contain any personally identifiable information. Please refer to the following Microsoft AppCenter link for a complete list of what may be collected: https://docs.microsoft.com/en-us/appcenter/sdk/data-collected.

Use and Sharing

  • Business Interest.  Personal information is used to return contact made by individuals – for instance, to respond to a question or arrange a demonstration.  We will directly manage the rights of data subjects (Section 5).  We will not share this information with any other agency.
  • Data Processor.  Personal information managed by us as a Data Processor remains at the discretion of the Data Controller, for the Data Controller’s purpose and interests.  We will support the Data Controller in managing their obligations regarding the rights of data subjects.  We will not share this information with any other agency.

Legal Bases and Rights

The legal bases on which we process data are as follows:

  • Business Interest.  Consent.
  • Data Processor.  Performance of a contract.

For the above categories, the following rights apply:

  • Right of access. The right to ask us for copies of your personal information.
  • Right to rectification.  The right to ask us to rectify personal information you think is inaccurate, and the right to ask us to complete information you think is incomplete.
  • Right to erasure.  The right to ask us to erase your personal information in certain circumstances.
  • Right to restriction of processing.  The right to ask us to restrict the processing of your personal information in certain circumstances.
  • Right to data portability.  The right to ask that we transfer the personal information you gave us to another organisation, or to you.

The right to object to processing does not apply – although consent under Business Interest can be withdrawn.  For Business Interest, these rights are managed by CGR directly.  As a Data Processor, these rights are managed by our respective clients (as Data Controllers) with our support as requested.

Information Storage and Retention

Unless alternative arrangements are made and specified in the SLA, information will be stored on secure Amazon Web Services (AWS) servers on which the CGRF application instances are hosted. 

  • Business Interest.  Data is stored in CGR’s internal instance of our software application, hosted on AWS servers in Sydney, Australia. 
  • Data Processor. AWS Data Centre Regions will be selected by the client, enabling them to determine the jurisdiction within which their data is held.

In terms of duration of storage:

  • Business Interest.  This information, provided under consent, will be retained for as long as deemed relevant – unless subject to withdrawal of consent (in which case it will be removed from the foreground environment within 30 days of receipt of the request).
  • Data Processor.  The duration of processing will be captured in the SLA – this may extend to an identified period beyond cessation of contract.  At the expiry of the identified data processing period, all client data will be permanently erased from the AWS servers.  If at any stage a client exports data from CGRF into files stored in company systems other than CGRF, CGR has no responsibility for the processing of that data.

Data transfer to overseas recipients

  • Business Interest.  On the legal basis of consent and based on the provisions of this Privacy Notice, the personal information will be stored in AWS servers in Sydney, Australia, irrespective of the enquiry country of origin.
  • Data Processor.  Personal information will remain stored within the AWS data centre region nominated by the client, meaning that the data will remain within the client’s specified jurisdiction irrespective of the location of CGR staff who may access it from time to time for support purposes within contract terms.

How to Complain

Individual client users should raise any complaints to CGR through their parent organisation.  If CGR clients are unhappy with the use of personal data within the terms of the policy, they should contact CGR’s Data Protection point of contact identified in Section 2.  Subject to the jurisdiction they can also contact:

UK Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Telephone: 0303 123 1113