Data Subject Access Rights & Procedure
Blue Sky Creations Pty Ltd (the Company) under the Australian Privacy Act 1988 (APA), the New Zealand Privacy Act 2020 (NZPA), General Data Protection Regulation EU 2016/679 (EUGDPR) of the European Union & European Economic Area and the UK General Data Protection Regulation tailored by the Data Protection Act 2018 (UKGDPR) provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
At A Glance
The Company achieves this by undertaking the following:
- Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the APA, NZPA, EUGDPR and UKGDPR.
- Provide individuals with information including: the purposes for processing their personal data, our retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
- We provide privacy information to individuals at the time we collect their personal data from them.
- If we obtain personal data from other sources, we provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.
- We do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.
- The information we provide to people will be concise, transparent, intelligible, easily accessible, and it will use clear and plain language.
- We provide privacy information to people using a combination of different techniques including layering, dashboards, and just-in-time notices.
- We regularly review, and where necessary, update our privacy information. We must bring any new uses of an individual’s personal data to their attention before we start the processing.
- Getting the right to be informed correct helps us to comply with other aspects of the EUGDPR, UKGDPR and build trust with people.
What We Provide
- We provide individuals with all the following privacy information:
- The name and contact details of our Company.
- The name and contact details of our representative (if applicable).
- The contact details of our data protection officer (if applicable).
- The purposes of the processing.
- The lawful basis for the processing.
- The legitimate interests for the processing (if applicable).
- The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).
- The recipients or categories of recipients of the personal data.
- The details of transfers of the personal data to any third countries or international organisations (if applicable).
- The retention periods for the personal data.
- The rights available to individuals in respect of the processing.
- The right to withdraw consent (if applicable).
- The right to lodge a complaint with a supervisory authority.
- The source of the personal data (if the personal data is not obtained from the individual it relates to).
- The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).
- The details of the existence of automated decision-making, including profiling (if applicable).
When We Provide the Information
We provide individuals with privacy information at the time we collect their personal data from them.
If we obtain personal data from a source other than the individual it relates to, we provide them with privacy information:
- within a reasonable of period of obtaining the personal data and no later than one month;
- if we plan to communicate with the individual, at the latest, when the first communication takes place; or
- if we plan to disclose the data to someone else, at the latest, when the data is disclosed.
How We Provide It
We provide the information in a way that is:
- easily accessible; and
- uses clear and plain language.
Changes to the information
- We regularly review and, where necessary, update our privacy information.
- If we plan to use personal data for a new purpose, we update our privacy information and communicate the changes to individuals before starting any new processing.
Best practice – drafting the information
- We undertake an information audit to find out what personal data we hold and what we do with it.
- We put ourselves in the position of the people we’re collecting information about.
- We carry out user testing to evaluate how effective our privacy information is.
Best practice – delivering the information
When providing our privacy information to individuals, we use a combination of appropriate techniques, such as:
- a layered approach;
- just-in-time notices;
- icons; and
- mobile and smart device functionalities.
An individual can email the Company with a Request for Information.
The Company will process the Request for Information in line with its General Data Protection Policy.