Privacy and Personally Identifiable Information

THOMAX OPERATES AN ISO27001 CERTIFIED INFORMATION SECURITY MANAGEMENT SYSTEM. IF YOU WOULD LIKE ACCESS TO YOUR INFORMATION OR HAVE ANY QUESTIONS, PLEASE EMAIL [email protected].

Last updated: March 2023

Information security threats are largely perpetrated by individuals. These may be external people, third parties known to Thomax, or employees of Thomax Technology. Risks are reduced if personnel are aware of the information security environment and of their specific role in maintaining it.

This policy operates within the Information Security Management System and implements the ISO27001:2022 controls related to privacy and protection of personally identifiable information. There are also controls related to the backup and recovery of that data.

PURPOSE

The purpose of this policy is to ensure that Thomax employees, contractors and third party users understand the legal requirements that exist to protect records containing Personal Identifying Information and the obligations and penalties that exist for breaches of legal obligations.

SCOPE

This document applies to the entire Information Security Management System (ISMS) scope, i.e. to all systems, equipment, facilities and information used within the ISMS scope and to all suppliers and partners who have the ability to influence the confidentiality, integrity and availability of the Thomax Group's sensitive information.

LEGAL, STATUTORY & CONTRACTUAL REQUIREMENTS

The purpose and objective of this policy section is to ensure that Thomax employees, contractors and third party users understand the legal requirements that exist to protect records containing Personal Identifying Information and the obligations and penalties that exist for breaches of legal obligations.

In Australia there are few obligations directly for breaching the privacy principles; however, recently, fines of up to $50 million or 5% of revenue may be incurred where data breaches occur which lead to the disclosure of personally identifiable information.

This policy operates with the ISMS and is applicable to all information systems that operate under the ISMS. This includes all divisions of Thomax and the critical electronic information systems that support them.

PRIVACY & PROTECTION OF PERSONALLY IDENTIFIABLE INFORMATION

The purpose and objective of this policy section is to confirm that Thomax is committed to adhering to the Australian Privacy Principles in respect to the collection, storage, use, release, and disposal of personally identifiable information.

Thomax is committed to the applicable Australian and International legislative frameworks such as GDPR.

Thomax Group complies with the requirements of ISO27001:2022 and the PCI DSS requirements for storage and use of personal information and payment card data.

BREACH REPORTING

Where breaches occur to Thomax information security infrastructure and, on investigation, there is a risk that personally identifiable information has been exfiltrated from Thomax Group, Thomax Group will within 2 days notify AusCyber and CyberNSW that a potential breach has occurred which is being investigated. Assistance and advice will be sought at that stage to assist with the investigation of the incident.

If an employee becomes aware of or suspects a breach or mishandling of Personal Information, inform [email protected] and escalate to your General or Country Manager.

ACCESSING PERSONALLY IDENTIFIABLE INFORMATION

Thomax employees may have access to Personally Identifiable Information in their role at Thomax.

Thomax employees have a duty of confidentiality with respect to all information they have access to in their employment and must take appropriate steps at all times to maintain that confidentiality.

Access is controlled and monitored by the Systems Administrators.

SHARING PERSONALLY IDENTIFIABLE INFORMATION

Thomax does not share Personally Identifiable Information outside of the Thomax Group, other than where required by law or contract.

Thomax employees may only share Personally Identifiable Information with:

· The Owner of the information

· The Controller of the information

· Third Parties permitted by the Owner or Controller of the information

Thomax employees must take adequate steps not to share Personal Information intentionally or unintentionally, and must report breaches, mishandling or suspected breaches immediately to the privacy function.

REQUESTS FOR PERSONALLY IDENTIFIABLE INFORMATION

All requests for access to Personally Identifiable Information, whether from internal or external parties, must be questioned for intent and legitimate need. If there is a method to share the required information without including any Personal Information, that method shall be used. Where a specific process is not in place to cover the request being handled, the Privacy Function at Thomax is to be involved in the request for sharing Personally Identifiable Information.

Requests may be made to [email protected].

SHARING YOUR INFORMATION WITH THIRD PARTIES

We do not and will not sell or deal in Personal Data or any customer information.

Your Personal Data details are only disclosed to third party suppliers when it is required by law, for goods or services which you have purchased, for payment processing or to protect our copyright, trademarks and other legal rights. To the extent that we do share your Personal Data with a service provider, we would only do so if that party has agreed to comply with our privacy standards as described in this privacy policy and in accordance with applicable law. Our contracts with third parties prohibit them from using any of your Personal Data for any purpose other than that for which it was shared.

DISCLOSURE OF YOUR INFORMATION

We may from time to time need to disclose certain information, which may include your Personal Data, to comply with a legal requirement, such as a law, regulation, court order, subpoena, warrant, in the course of a legal proceeding or in response to a law enforcement agency request. Also, we may use your Personal Data to protect the rights, property or safety of Thomax.com, dotwms.com, our customers or third parties.

If there is a change of control in one of our businesses (whether by merger, sale, transfer of assets or otherwise) customer information, which may include your Personal Data, could be transferred to a purchaser under a confidentiality agreement. We would only disclose your Personal Data in good faith and where required by any of the above circumstances.

TRANSFER OF PERSONAL DATA OVERSEAS

At Thomax, a global company, the teams handling the Personal Data processing may have global or multi-country roles. They can then be located anywhere in the world where Thomax operates, in countries which do not have equivalent standards for the protection of personal information as the country where you are located. We may for example transfer data to service providers located outside of the EU, such as to our head office in Australia. In the event that these data transfers cannot claim an adequacy decision by the European Commission, Thomax.com, dotwms.com and dottms.com will ensure that they comply with applicable equivalent privacy requirements, through binding corporate rules or binding contractual arrangements.

CHANGE IN POLICY

As we plan to ensure our privacy policy remains current, this policy is subject to change. We may modify this policy at any time, in our sole discretion and all modifications will be effective immediately upon our posting of the modifications on this website. Please return periodically to review our privacy policy.

CONTACT US

If you have any questions or concerns at any time about our privacy policy or the use of your Personal Data, you may contact us at:

Privacy Officer
[email protected]
23 Ryde Rd, Pymble NSW 2073, Australia

In the event you are a resident of the European Union and you have any questions or concerns at any time about our privacy policy or the use of your Personal Data, you may also contact us at:

Privacy Officer
[email protected]
Thomax Technology
22 Chancery Lane
London WC2A 1LS

We will endeavour to respond within 48 hours or within a reasonable time if the inquiry is not urgent.

Contact Information

Category of Personal Data: Name; Username; Mailing address; Email address; Telephone number; Mobile number

Purpose for Collecting and Sharing the Personal Data: We use this type of information to identify you and communicate with you, including: to send transactional messages (such as confirmations); to send marketing communications, surveys, and invitations; to personalize our communications and provide customer service; for everyday business purposes.

Categories of Third Parties to whom this type of Personal Data is Disclosed for a business purpose: We may disclose this type of information to our affiliates and to service providers, to deliver services and to deal with you; third parties who deliver our communications, such as the postal service and couriers; other third parties as required by law.

Transaction and Interaction Information

Category of Personal Data: Account information and related records; Records related to use of our websites and apps; Authentication data (passwords, account security questions); Customer service records; Visitor logs

Purpose for Collecting and Sharing the Personal Data: We use this type of information: to fulfill our business relationship with you, including customer service; for recordkeeping and compliance, including dispute resolution; for internal business purposes, such as finance, quality control, training, reporting and analytics; for risk management, fraud prevention and similar purposes; for our everyday business purposes.

Categories of Third Parties to whom this type of Personal Data is Disclosed for a business purpose: We may disclose this type of information to our affiliates and service providers; to third parties as needed to complete the transaction, including delivery companies, agents and manufacturers; our lawyers, auditors and consultants; other third parties as required by law.

Online & Technical Information

Category of Personal Data: IP Address; Device identifiers and characteristics; Advertising ID; Web Server Logs; First Party Cookies; Third Party Cookies; Web beacons, clear gifs, pixel tags; Server log records; Activity log records

Purpose for Collecting and Sharing the Personal Data: We use this type of information: for system administration, technology management, including optimizing our websites and applications; for information security and cybersecurity purposes, including detecting threats; for recordkeeping, including logs and records that are maintained as part of transaction information.

Categories of Third Parties to whom this type of Personal Data is Disclosed for a business purpose: We may disclose this type of information to our affiliates and service providers including to companies such as Google that use the data collected by cookies and similar means to help us with our online advertising programs; to assist with our information technology and security programs, including companies such as network security services who retain information on malware threats detected; to third parties who assist with fraud prevention, detection and mitigation; third party network advertising partners; our lawyers, auditors and consultants; other third parties as required by law. We also disclose this information with your consent, if you explicitly allow us to place third party advertising cookies.