We will, in accordance with Article 5 of the GDPR;
If you are a user based in the EU and are below 16 years of age and wish to use our Services, “consent” can only be given to us from a person with parental responsibility for you in accordance with Article 8(1) of the GDPR.
1. Collection & Disclosure of Personal Information
1.1 To get access to or use some of our Services, we may require you to provide certain information by which your identity, and those of others (i.e. owners of the renewable energy system etc.), can reasonably be ascertained such as names, organisation names, addresses, phone numbers, fax numbers, e-mail addresses, solar panel/inverter/battery and other complementary equipment/componentry serial numbers and specifications, unique product identifiers (e.g. solar panel, inverter, battery serial numbers etc.) (‘PV system componentry’), "biometric information" (e.g. for use in “touch ID” logging on) etc. (together referred to as personal information). We generally do not collect “Sensitive Information” as defined by s.6(1) of the Privacy Act 1988 (Cth) (such as information concerning your health, sexual orientation/practices, membership of a trade union, political views/association, religious or philosophical beliefs, race or ethnicity). In respect of “biometric information” for use in “touch ID” logging in services, if you decide to use our Services you expressly consent to our processing of that personal information and we will inform you by a “pop-up” notice seeking your express consent the first time you seek to use this service (Article 9(2)(a) of the GDPR).
1.3 Examples of some personal information we may collect include your/owner's name, address, organisation, telephone number, email address, position and title.
1.4 We may collect personal information that you provide via our website, via your device (such as a smart phone, tablet or other device), by registering an account with us, or otherwise by telephone, mail, printed and online forms or e-mail, for example when you:
1.5 We may collect personal information from third parties where individuals have expressly or impliedly agreed to disclose personal information to Formbay, or where the information is otherwise publicly available. This may include information with respect to prior solar panel/inverter/battery or other equipment installations and/or PV system componentry, credit worthiness, prior work history or reference checks of a person.
1.6 We may collect computer and connection information including your Internet Protocol (‘IP’) address to assist in diagnosing problems related with our service and to administer our website. We analyse our website logs and statistics to improve the relevance of content featured on our website. While these logs are IP identifiable, no attempt is made by us to link individuals that browse our website with such IP addresses.
1.7 You have the option of not disclosing personal information to us, unless it is, in our view, impractical for us to deal with you that way or we are otherwise required by law or authorised by a court or tribunal to deal with you on an identified basis. If you choose to withhold any personal information, we may not be able to provide you with part or all of our Services.
1.8 We may collect personal information and disclose that personal information to third parties where it directly relates to the creation & validation of environmental certificates (e.g. small-scale technology certificates (STCs)) (i.e. the “primary purpose” for our collection, validation and disclosure of such personal information).
1.9 You also consent to us collecting and disclosing your personal information in instances where you would reasonably expect us to use or disclose the personal information where such purpose is related to the primary purpose of collection.
1.10 With your consent (see clauses 1.12 - 1.14 below), you permit us to disclose to a third party your personal information to facilitate that third party providing additional/replacement solar panels/inverters/batteries and/or other relevant PV system componentry as well as ancillary services such as plumbing, electrical and other services not directly related to the installation of solar panels/inverters/batteries installed on your premises (“additional services”) to either: your previous/existing customer, and/or to you as a homeowner/business.
1.12 If you are a homeowner/business owner that has had solar panels/inverters/batteries and/or other relevant PV system componentry installed on your premises by a third party (“party 1”), we will send to you (or to the new installer/retailer/service provider that did not install the original equipment on your premises (“party 2”) and request they procure your written consent by our app) a “short form notice” before we share your personal information with party 2 for the provision of additional service when you will be able to either consent or not consent to the disclosure of your personal information. If you fail to provide any response to the electronic notification you will be deemed to have provided consent for such disclosure of your personal information. If you do not consent to the disclosure of your personal information, we will not be able to provide that information to party 2 and thus they may need to spend more time procuring that information from you and/or other parties delaying the provision of their services to you.
1.13 You expressly consent to:
1.14 We will only disclose personal information for a secondary purpose with your consent and only that personal information sufficient for the secondary purpose and such information will not include any “Sensitive Information”.
2. Use of Personal Information
2.1 We use the personal information we collect for the purpose for which it is submitted, such as to:
2.2 We maintain mailing lists to keep subscribers informed about areas of specific interest. You may request to join our mailing lists by signing up through our website.
2.3 We may also use your personal information for purposes authorised by laws or regulations such as to prevent or investigate alleged crime or fraud.
2.4 De-identified information may be used for statistical analysis or research purposes.
3. Direct Marketing
3.1 We will not direct market to you
4.2 In providing our Services, we may disclose personal information to third parties or organisations that carry out functions on our behalf, provide Services on our behalf or assist us to provide our Services (e.g. business associates, contractors, agents or service providers, including cloud service providers, technology service providers, website hosting companies and website developers). These third parties may change from time to time. In such instances where we disclose your personal information to third parties for processing purposes we will: enter into a written contract with them (including “Australian Standard Clauses”); ensure any processing is done in accordance with our instructions; and is carried out in accordance with appropriate security measures.
4.3 In addition, personal information may be disclosed to third parties in special situations where it is:
4.4 You agree that third parties which receive personal information from us in accordance with clause 4.3 above, may use and disclose the personal information subject to their respective privacy policies. While we will endeavour to take reasonable steps to enter into agreements with third parties that collect, store, disclose and retain personal information in accordance with the APPs, we will not be responsible in any way for the disclosure and use of such information by such third parties.
5. Transborder Storage and Transfer of Personal Information
5.1 Personal information may be stored, processed in or transferred outside of Australia from time to time.
5.2 In Australia, you acknowledge and agree to such international data and information transfers with respect to personal information. Clause 8.1 of the APPs contained in Schedule 1 of the Privacy Act 1988 (Cth) provides that if we disclose personal information about an individual to an overseas recipient, then we must take such steps as are reasonable in the circumstances to ensure the overseas recipient does not breach the APPs in relation to such information. An exception to this is if we obtain your consent. We intend to rely on this exception in the following way. Unless you notify us in writing to the contrary, you will be taken to have consented to the disclosure by us of personal information to overseas recipients on the basis that:
5.3 From time to time, we may provide third parties with information in the form of statistical representations about our users collectively and for the purpose of statistical analysis. Where we provide information to third parties for this limited statistical purpose, we will not provide personal information in such a way that your identity may be obtained.
6. Security and Storage
6.1 We strive to ensure the security, integrity and privacy of personal information submitted to us. We store the personal information securely as appropriate.
6.2 We continually review and update our security measures considering current technologies. We also engage external service providers to provide us and our staff with training and assistance with our internal practices, procedures and systems. Unfortunately, no security measure can be guaranteed to be totally secure. However, we will endeavour to take all reasonable steps to protect the personal information submitted to us. Once we do receive personal information, we will make reasonable efforts to ensure its security on our systems. In addition, our employees and the contractors who provide services related to our information systems are obliged to respect the confidentiality of any personal information held by us. We may engage third parties to process personal information on our behalf and such parties (if the personal information is transferred from the EU to a non-EU member state), in accordance with Articles 24, 25, 28 & 32 of the GDPR:
However, we will not be held responsible for events arising from unauthorised access to personal information.
6.3 If you enter personal information on our website, you should exercise due care to safeguard any user names, passwords, identification number, or other special access features associated with your use of the website.
7. Data Breaches
7.1 A “data breach” is an unauthorised access or disclosure of your “personal information” or loss of your “personal information”. We use our security and storage measures detailed above to minimise the risk of “data breaches” occurring. We will seek to contain, assess, notify and review a “data breach” promptly in accordance with our “data breach response procedures” detailed below.
7.2 If a “data breach” occurs, the “privacy officer” will
7.3 An “eligible data breach” occurs where such breach (in Formbay’s reasonable opinion) is likely (i.e. more probable than not as opposed to possibly) to result in serious harm (e.g. serious physical, psychological, emotional, financial or reputational harm) to any of the individuals to whom the information relates. Some kinds of information are more likely to cause an individual “serious harm” if the breach involves “sensitive information”, medicare cards, drivers licence and passport details, financial information etc.
7.4 In instances involving an “eligible data breach”, we are required to provide a statement to the Australian Information Commissioner notifying them of the “eligible data breach” as soon as practical after we become aware of such data breach and in some instances, advise the appropriate Australian Authority within 72 hours of becoming aware of an “eligible data breach” (i.e. involving a high risk to the rights and freedoms of individuals (Articles 33 & 34 of the GDPR)). If required, we will also notify you of such “eligible data breaches” in relation to your “personal information”.
7.5 If a “data breach” and/or “eligible data breach” occurs and we notify you of such breach, you should look to change your passwords to the compromised online account and be alert to identify fraud/scams.
7.6 We will keep records of all “data breaches” showing how we became aware of the “data breach” and what we did in response to such breaches.
8. Data Protection Impact Assessment
Whenever we seek to implement new technologies into our Services to make them more efficient for you, we shall consider the nature, scope, context and purposes of the processing, the likely risks involved to you and your personal information and if we believe there is a “high risk” to your personal information (Article 35 of the GDPR):
8.1 seeking the advice of the Privacy Officer;
8.2 If necessary, seek external advice/assistance;
8.3 conducting an internal data protection impact assessment which shall consider:
9.1 Cookies are data that a website transfers to an individual's hard drive for record-keeping purposes. Cookies, which are industry standard and are used by most websites, including those operated by us, can facilitate a user's ongoing access to and use of a site. They allow us to ensure a persistent client state and customise the website to your needs. We also send session numbers and keys as Cookies to ensure that your connection, when using our online Services, is kept as secure as possible.
10.1 We will endeavour to take all reasonable steps to ensure the personal information we collect is accurate, complete and up to date. If you wish to obtain a copy of the personal information collected by us or you discover that the personal information held about you is:
you may contact us via the contact details provided below to have the information corrected or erased (Articles 16 & 17 of the GDPR) and we shall notify you of such changes if reasonable to do so (Article 19 of the GDPR).
You may also request us to provide to you any personal information we hold of yours in a structured, commonly used, machine-readable format and to transmit that information to another (Article 20 of the GDPR) and/or to request us to restrict the processing of parts of your personal information (e.g. you contest the accuracy of your personal information, there may be a temporary restriction on our ability to process that personal information until we verify the accuracy of your personal information) (Article 18 of the GDPR).
Our objective is to respond to any request within a reasonable timeframe and no later than 30 days. We will endeavour to inform you if this timeframe is not achievable.
10.2 In some circumstances, we may not be able to grant access to personal information. Such circumstances include:
11. Links to Other Sites
We provide links to websites outside of our website, as well as to third party websites. These linked sites are not under our control, and we cannot accept responsibility for the conduct of companies linked to our website. Before disclosing personal information on any other website, we advise you to examine the terms and conditions of using that website and its privacy statement.
12. Questions or Complaints
Our Australian contact details are:
Formbay Trading Pty Ltd
Level 1, 222 Clarence Street
Sydney, NSW, 2000
Phone: +61 2 90869184
Our EU contact details are: firstname.lastname@example.org
We take your complaints seriously and will endeavour to review and resolve such complaints within a reasonable timeframe and no later than 30 days. If we are unable to review and resolve your complaint within this timeframe, we will endeavour to contact you within that time to let you know how long it will take to resolve the complaint.
After you have made a formal complaint to us and we have made all reasonable efforts to resolve your complaint, if you believe we have not adequately dealt with your complaint, you may make a complaint to the Privacy Commissioner, whose contact details are found on their website www.oaic.gov.au and/or the UK’s Information Commissioner’s Office at https://ico.org.uk.