eftpos Payments Australia Limited (ABN 37 136 180 366)
This policy sets out common aspects of our information handling practices. However, what personal information we collect differs according to our interaction with you. This policy should be read in conjunction with any privacy collection statement made available to you before, at or as soon as practicable after the time of collection of personal information for specific interactions. The privacy collection statement relevant to our interaction with you prevails to the extent of any inconsistency with this policy.
“eftpos” is a debit payment system and prepaid card system, which governs and facilitates electronic payment transactions in Australia. eftpos is trusted by consumers and merchants as a secure, convenient and efficient method of payment. As the Australian domestic debit payment system and prepaid card payment system, eftpos does not have premises outside of Australia, does not provide products or services to persons outside Australia and does not track the behaviours of persons outside Australia in a way that seeks to identify those persons to us. We do interact with counterparties and suppliers outside Australia, including in Europe, the United States of America and across Asia. Those interactions include use of, predominantly, counterparty and supplier employee names and email addresses for business purposes on terms governed by agreements with those counterparties and suppliers.
What personal information do we collect
The personal information we collect differs according to our interaction with you. The categories of interaction and the types of personal information collected and held by us may include:
For recruitment related activities:
- Name, address, date of birth, resume, references, skills and experience information, as well as an identity- verification and reference check information;
For certification authority services:
- Identification information such as your name, date of birth and place of work and copy of driver’s licence;
For business interactions:
- Contact information such as your name, company you work for, business address, fixed line or mobile phone number, email address and social media contact information. In the case of sole trader suppliers, we will also collect billing and bank account details. We do interact with counterparties and suppliers outside Australia, including in Europe, the United States of America and across Asia. Those interactions use the personal information listed here for business purposes on terms governed by agreements with those suppliers;
For payment processing and provisioning payment products or enabling payment channels:
- Information required for payment processing, such as eftpos transaction and loyalty program information – this is not personal information about cardholders but may identify a sole trader merchant;
- Your name, address and mobile phone number as well as card details at the time of provisioning a card for mobile payments;
- Payment recipient name, address, mobile phone number, BSB and Account Number and Date of Birth, Place of Birth for person to person payments;
For disputes and chargebacks administration:
- Your name, address and transaction details.
For entry by you into competitions promoted by eftpos:
- your name, email address, fixed line or mobile phone number, gender, age, transaction receipt information and, for winners, addresses.
- for the calculation and placement of insurances – your name, email address, mobile phone number, gender, age, address and salary information.
- For internal business process tools eg project and matter management, risk management, training, performance management, and employee assistance programs in the ordinary course of business –name, user name, email address
- For business interaction purposes and BCP in the ordinary course of business – in addition to the above mobile phone number
- For finance and payroll, human resource and employee assistance programs in the ordinary course of business – in addition to the above and only as relevant to the tool use with appropriate access controls and security measures – payroll-related information (base pay and on-costs), address, bank details, personal email address, expense claims, leave requests.
Where possible, we will give you the option to deal with us anonymously. However, this may not always be possible, depending on the nature of your interaction with us. We will, directly or through counterparties with relationships with you, explain to you if information that identifies you is necessary for the relevant interaction. If you choose not to provide certain personal information (e.g. your date of birth in respect of Certification Authority services, your name and mobile phone number when provisioning a card for mobile payments), we may not be able to provide you with the services you request, or the level of service on which we pride ourselves.
Occasionally, we may collect personal information about other individuals from you (e.g. member/vendor employee contact details). If so, we rely on you to inform those individuals that you are providing their personal information to us and to advise them that we can be contacted for further information about how we handle their information (refer to our contact details below).
How we collect personal information
We collect personal information in a number of ways, including:
- directly from you (if it is reasonable and practicable to do so) for example, when you provide information by phone, in application forms or other agreements, or when you submit your personal details through our website (eg. for marketing campaigns, certification authority services or complaints) or through the project management tool used by us in conjunction with our service providers;
- from third parties for example from our members (which are banks and retailers and their aggregator service providers) and from other entities that provide payment processing, disputes and chargeback handling and related services for the purposes of the eftpos payment system, including loyalty and data enrichment, in circumstances where it is unreasonable or impractical to collect the information directly from you;
- from publicly available sources of information, such as business social media services;
- when you visit our website (refer below for details on information collected through use of our website); and
- for employees, from financial management or other business related management tools used by us in conjunction with our service providers or in the ordinary course of business.
How we use your personal information
Your personal information may be used for any of the following (in addition to specific uses notified to you in a separate privacy collection statement provided at or about the time of collection):
- verification of your identity (eg. for certification authority services or for marketing competition winners);
- providing you or, where you work for an eftpos Member or participant entity or partner counterparty, your employing entity with documents and information relevant to your or your entity’s participation in the eftpos payment system;
- providing you with information about or delivery of our products or services or such services ancillary to or necessary for those products or services (including in accordance with marketing campaigns);
- providing you with information promoting our products and services if you choose to receive that information and have expressly informed us of your desire to receive such information;
- payment processing services, product provisioning, loyalty program support, administration of our business, business analysis, dispute resolution, prevent or minimise fraud or meet any legal obligations imposed on us;
- statistical or other analysis or similar research purposes, whether or not for product development;
- maintenance and development of our business systems and infrastructure, including monitoring performance, testing and upgrading of these systems;
- for employees:
- enabling calculation and placement of insurances; and
- providing risk management, financial management, human resource management, training support, performance management, and employee assistance programs in the ordinary course of business,
(each a Purpose).
If we receive personal information about you that we did not ask for, then we will take reasonable steps, in a reasonable time after receiving the information, to determine whether the information is required for any legitimate business purpose involving you and if not, we will take steps to lawfully destroy the information.
Your privacy and personal information is important to us and we will do each of the following:
- take reasonable steps to ensure the personal information that we collect, use or disclose is accurate, complete and up-to-date and relevant to the use or disclosure;
- facilitate anonymity or pseudonymity where possible, unless it is impractical in the circumstances;
- take reasonable steps to protect your personal information from misuse, loss and unauthorised access, modification or disclosure. This includes physical and logical security measures such as premises, infrastructure and database access restrictions, de-identification of data where possible and encryption of data in transit and at rest;
- take reasonable steps to destroy or permanently de-identify personal information if we no longer need it for any legitimate business purpose.
When we disclose your information
We will disclose your information:
- where you have consented to that disclosure, including where you have authorised a third party to seek information about you for the provision by them of products and services to you;
- for a Purpose to our service providers, including:
- website hosting in Australia in respect of “cookie” information;
- database hosting in Australia, the United States of America, the United Kingdom and The Netherlands;
- product and application testing in Australia and Taiwan;
- payment processing service providers located in Australia and the United States of America and dispute and chargeback service providers in The Netherlands and the United Kingdom;
- project collaboration with our counterparties and suppliers in Australia, Germany and the United States of America;
- identity and reference checks in Australia and to a prospective employee’s country of origin;
- internal business process database hosting and support services (eg finance, expense management and payroll tools) in Canada, India, Philippines, in the countries of the European Union (e.g., France, Spain, Italy, and Romania).
We have entered into agreements with each of these entities which require compliance with the Privacy Act 1988 (C’th) and include provisions designed to give your personal information at least the same level of protection as we provide;
- for a Purpose to our members (which are banks, independent acquirers and retailers and their aggregator service providers), as necessary, to enable us to provide any of our products or services to you or answer enquiries and administer governance activities related to our rules. These entities are also bound by the Privacy Act 1988 (C’th) and have their own privacy policies, and will observe these when using your personal information;
- where we are required or authorised to do so by law, including in response to a lawful request by any government, regulatory body or enforcement agency;
- where it is necessary in order to investigate an unlawful activity;
- where it is necessary to prevent a serious and imminent threat to a person’s life, health or safety, or to public health or safety.
Trans-Border Data flow
It is possible that the overseas entities which we share your personal information with may not be subject to foreign laws that provide the same level of protection of information as in Australia or may not be subject to any privacy obligations. Overseas entities may be required or compelled to disclose your personal information to a third party such as an overseas authority. You may not be able to seek redress in the overseas jurisdiction against the overseas entity. If we ask and you consent to us disclosing your personal information to an overseas entity and that overseas entity breaches the Australian Privacy Principles, we will not be accountable for that breach under the Privacy Act and you will not be able to seek redress in respect of that breach under the Privacy Act. Therefore, if we transfer or provide access to your personal information to a recipient outside Australia, we will impose, and review compliance with, obligations on that recipient to comply with the Privacy Act 1988 (C’th) and include provisions designed to give at least the same level of protection for your personal information as we provide.
Information collected from the ePAL website
We collect information about the website and the service, including the number of visitors, when the visits occur, how many pages are viewed and navigation patterns. We may also collect and store your Internet Protocol (IP) address. We get this information from ‘cookies’, which are a website tool commonly used to identify website users’ computers. In these circumstances, it is impractical for us to collect the information directly from you. Knowing this information allows us to ensure that the information and services available through the website are relevant. We may use this information to obtain statistical information, which helps us evaluate and enhance the website. We may also send session numbers and keys as cookies to ensure that your connection, when using our online services, is kept as secure as possible.
It is ePAL’s policy not to sell or pass on any information recorded about your visit to the website for commercial purposes unrelated to any Purpose, unless we have your express consent.
If you decline to provide us with certain personal information when requested (for example, refusing cookies in your browser), the website may not operate optimally or at all.
We also use your IP address to help diagnose problems with and to administer our web site. No attempt is made to link any IP address with any individuals that visit the site.
Where our website contains links to other sites, we are not responsible for the information handling practices or content of these external sites.
We also maintain several email lists to keep you informed about areas of specific interest. You may request to join our mailing lists by signing up through our website or by contacting us. You may also unsubscribe from any email list at any time.
Any personal information collected from emails to the whistleblower contact address on our website is used for purposes required by law in respect of those emails and for statistical purposes.
We do not sell, rent, loan, trade, or lease any addresses or other information on our lists, or any other personal information that we may collect or hold, to anyone, unless you have provided express consent.
Access to your personal information
You can request access to the personal information we hold in a record about you. Your request must be in writing and include proof of identity. We may charge a fee for the staff time and any expenses incurred to respond to your request and provide the requested information to you. If it is not possible for us to provide you with access as requested, we will tell you why.
If you think that any personal information we hold about you is not accurate, complete and up-to-date, you may ask us to amend your details. We will take reasonable steps to amend your personal information as you direct, unless we reasonably consider that your information is already accurate, complete and up-to-date, in which case we will tell you why.
Director of Complaints,
Office of the Australian Information Commissioner,
Level 3, 175 Pitt Street, Sydney 2000
GPO Box 5218, Sydney NSW 2001.
Telephone: 1300 363 992
Facsimile: +61 2 9284 9666
You can contact us by writing to us at Level 11, 45 Clarence St, Sydney NSW 2000 or by email at email@example.com or by contacting us at (02) 8270 1800 and asking for the Privacy Officer.
Approved by the Board of Directors on: 13 January 2021