ITA GROUP ANZ Pty Limited – Privacy Policy

Last updated: 25 April 2024

ITA Group ANZ Pty Limited (ACN 674 952 035) (ITAG) including its related companies is committed to respecting your privacy. We are bound by the Australian Privacy Principles (APP’s) contained in the Privacy Act 1988 (Cth) (Privacy Act), and our Privacy Policy sets out how we collect, use, store and disclose your personal information.

By providing personal information to us, you consent to our collection, use and disclosure of your personal information in accordance with this Privacy Policy and any other arrangements that apply between us.

We’re based in Australia, so this Privacy Policy outlines how we collect and handle your personal information in accordance with the Privacy Act and the APP’s. If you’re based in the European Union or the United Kingdom, please see further below for further information about our privacy obligations to you.

We may change our Privacy Policy from time to time by publishing changes to it on our website We encourage you to check our website periodically to ensure that you are aware of our current Privacy Policy.

You may contact us in writing using the contact details in section 15 for further information about this Privacy Policy. If you are unable to access this Privacy Policy due to a disability or any physical or mental impairment, please contact us and we will arrange to supply you with the information you need in an alternative format that you can access.

1. WHAT IS THE ROLE OF ITA GROUP ANZ?

ITAG creates and manages events, incentives and recognition programs that help to align and motivate our clients and their people anywhere in the world. Leading global brands rely on ITAG to understand their business, industry, audience and objectives, and to create one-of-a-kind experiences that exceed their desired business goals. ITAG is a Sydney based subsidiary of ITA Group, Inc (ITA Group) which is based in West Des Moines, Iowa, United States, and has clients all around the world including the US, Switzerland, New Zealand and United Kingdom.  For more details see https://www.itagroup.com/our-story.

ITAG will collect, store, use and disclose personal information in accordance with the Australian Privacy Principles contained in the Privacy Act and any other relevant laws and codes of practice in operation from time to time including the GDPR, to the extent applicable.

Australian Legislation

When you interact with ITAG and use ITAG’s websites, mobile websites or mobile applications, your privacy is protected by the Privacy Act.

General Data Protection (GDPR) Regulation

The European Union General Data Protection Regulation (the ‘GDPR’) contains clear uniform data protection laws intended to build legal certainty for businesses and enhance consumer trust in online services.

The GDPR applies to the data processing activities of ITAG in the European Union as we:

• have operations in the European Union namely the United Kingdom and Belgium; and
• offer goods and services or monitor the behaviour of individuals in the European Union – via our websites and representative offices.

3. WHAT IS PERSONAL INFORMATION OR PERSONAL DATA?

Personal information is defined by Australian legislation and the APP’s as namely information or any opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable from the information or opinion.

Personal Information is also defined by the GDPR in which we provide particulars namely:

• any information relating to an identified or identifiable natural person (Article 4 of the GDPR - a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, cookie ID, ID card number, location data, advertising identifier on phones, IP address, an email address or a telephone number)
  
• any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a home address, a photo, an email address, bank details, posts on social networking websites, or medical information.
• Examples of data not considered personal data:
  • a company registration number;
  • an email address such as info@company.com; and
  • anonymised data (in certain circumstances).

4. WHAT INFORMATION CAN WE COLLECT

In the course of using our products and services, you may need to provide us with certain personal information. For example, when we organise events or arrange travel on your behalf, the types of information that we collect may include:

• your name;
• your gender;
• postal address;
• email address;
• telephone number(s);
• your occupation;
• your country of residence;
• your age or date of birth;
• your identification details such as those in your driver’s licence or passport;
• device identifiers, such as IP address;
• professional or other employment related information, such as where you work and your title;
• financial information, such as credit card and payment data;
• commercial information, such as transaction data;
• the information you provide us when preparing any application along with the content of any declarations made in connection with that application; and
• any information you provide to us in enquiries or through correspondence.

We will only collect such information for the purposes of providing the services to you, and when we do so, we will act only in accordance with your instructions or those of our client (typically your employer or otherwise in line with this Privacy Policy).

You can always choose not to provide your personal information to ITAG in this way, but it may mean that we are unable to provide our services to you or that some features of our products and services will be unavailable.

Please note that some of this information may be considered sensitive personal information under applicable law. sensitive information is a type of personal information which includes information or an opinion about an individual’s racial or ethnic origin, political opinions, religious beliefs, sexual preferences or practices or criminal record, amongst other things. It also includes health information and genetic information about an individual that may not be within the legislative definition of health information.

We will always seek your consent to collect your sensitive information. However, there may be some instances required by law which require us to collect that without your consent, for example in the case of an emergency or if an exemption under the Privacy Act applies.

Information collected through our website and other means

We may also collect personal information when you visit our website; for example, when you submit details about your name, title, company, address and other contact details through our website forms. We may also collect personal information by other means, such as when you correspond with us by post, email or telephone, or complete our surveys or attend ITAG events.

In addition, when you visit our website, our servers will automatically log certain information such as your IP address, browser type, files requested and domain name. This information is collected primarily to improve our website through internal analytics, maintain security and to better meet our client's needs.

Some of this information will be collected through cookies and similar technologies. You can find out more about this in the Cookies section below.

Information collected from others

We collect information directly from you, unless it is reasonably impracticable to do so. There are limited circumstances in which we may receive information about you from others. For example, our clients may provide personal information about others (such as their employees, agents, suppliers or customers) in the course of using our products and services for the purposes of managing aspects of their business or organising events or incentive programs. In such cases, we are collecting the information purely on behalf of our client, on their instructions, and we rely on our clients to only provide your information where lawfully entitled to.  We do not have control over their privacy policies and practices and suggest you read them if you have any concerns.

5. HOW DOES ITAG COLLECT PERSONAL INFORMATION?

ITAG will collect personal information for a lawful purpose which is reasonably necessary for, or directly related to our function or activities and for obtaining feedback about the effectiveness of our services.

ITAG’s collection of personal information is performed in an open manner and where consent is obtained.

Your personal information is being collected when you provide it to us when you use our services, and when other sources provide it to us, including when:

• you interact with our websites;
• you submit an application form with ITAG containing Personal Information,
• provide Personal Information via email,
• complete a new supplier form,
• undertake a market research survey,
• enter into a contract with ITAG,
• when you apply for a job with ITAG,
• request program assistance from ITAG,
• consented to on a form,
• make an enquiry to ITAG,
• enter a competition run by ITAG; or
• you are engaged in activities with ITAG.

In addition, we collect information about you via:

• Telephone Conversations

The history of the telephone call, including details such as your name, the time, your enquiry and communication with ITAG will be recorded and stored either electronically or via hard copy.

• Information from Other Sources

ITAG may use social media platforms and other interactive online forums or platforms through which we promote and provide our services. We may collect your personal information when you interact with us or mention ITAG in public forums while using platforms such as Facebook, Instagram, Twitter and YouTube.

• Photography and Videography

ITAG may commission photographers to attend events, famils and activations in order to photograph the event, famil(familiarisation trips) or activation(marketing events or campaigns) and the general environment. This will include images and footage of patrons and participants for the purpose of using them in our promotional or marketing material (including any publication) in the future.

In some circumstances, images or footage may constitute personal information. The image or footage may be reproduced on our websites, or reproduced in communications via hard or soft copy. The terms and conditions of all our activations, famils and events include the use of images and footage for these purposes. It should be noted that ITAG is not responsible for any activities of the media or other patrons in relation to the display or communication of any footage or images at any event, famil or activation.

• Email Addresses

Email addresses are recorded when an email message is sent to ITAG or when a user subscribes to an online mailing list.An email address is only used for the purpose for which it is provided and is not added to any unauthorised mailing list or disclosed to other organisations unless you request that this be done.

If you have subscribed to one of ITAG’s online mailing lists, you can easily remove your email details from the list by unsubscribing. Each mailing list provides clear instructions on how to unsubscribe.

• Pixels

“Pixels” means the use of pixels (1 x 1 pixel images that allow services to tell companies how many people have visited their site). When you take a certain action on our website, a request is sent to the server to download the tracking pixel attached to the content you’re interacting with. It’s an invisible process to you but the data collected will help us and our sponsors build better digital ad and content experiences for you. All information collected is de-identified and we will never collect or disclose any personal information.

• Cookies

ITAG, its websites and any of its third party partners, including analytics partners (such as Adobe Analytics and Google Analytics), may utilise cookies to enhance the user’s experience of the site as well as provide analytics information to help us improve our website and services. A cookie is a small text file that is sent back to your computer’s hard drive from a host website. Cookies record your preferences in relation to your use of a site and provide other information that allows us to recognise you in the future. The cookies on the listed websites do not read the information on your hard drive nor do they make your computer perform any unauthorised actions or make your computer send information to any other computer via the Internet.

You can set your browser to notify you when you receive a cookie, giving you the chance to decide whether or not to allow it. However, if you decide to not accept cookies, some of ITAG’s web pages may not display properly or you may not be permitted to access certain information. 

As the means by which you can refuse cookies through your web browser controls vary from browser-to-browser, you should visit your browser's help menu for more information. Here are the current relevant information pages for the main browsers:

• Microsoft Internet Explorer:http://www.microsoft.com/info/cookies.htm 
• Google Chrome:https://support.google.com/accounts/answer/61416
• MozillaFirefox:http://www.mozilla.org/projects/security/pki/psm/help_21/using_priv_help.html
• Apple Safari: Blocks cookies by default and accepts cookies only from your current domain. To change, click Safari, Preferences, Security, and choose your preference.

In addition, most advertising networks offer you a way to opt out of targeted advertising. If you would like to find out more information, please visit http://www.aboutads.info/choices/, http://www.networkadvertising.org/choices/ or http://youronlinechoices.com/.

Do Not Track

“Do not track” refers to how Internet web browsers may request that a web application turn off tracking through the use of an HTTP header. ITAG does not make use of this header. However, tracking that is done by cookies may be managed within your browser settings, as explained above.

When you access any of the pages on the website, we automatically record information that identifies, for each page accessed:

• the IP (Internet Protocol) address of the machine which has accessed it;
• your top-level domain name (for example .com, .gov, .au, .uk etc.);
• the address of your server;
• the date and time of your visit to the site;
• the pages accessed and documents downloaded;
• commercial information, such as transaction data; 
• the previous site visited; and
• the type of browser and operating system you have used.

ITAG will not disclose or publish information that identifies individual computers, or potentially identifies sub-groupings of addresses, without consent or otherwise in accordance with the Privacy Act.

The provision of your personal information on ITAG’s website is voluntary and you can opt out at any time. However, if you choose not to provide your personal information we may not be able to forward the material that you are requesting, provide you with one of the numerous services available through this website or respond to your request, application, proposal or query efficiently. You can choose to remain anonymous or use a pseudonym.

6. HOW WILL YOUR PERSONAL INFORMATION BE USED, STORED AND KEPT SECURE?

Use of your personal information

We will use your personal information to deliver our products and services to you. For example, to deliver the requested event, incentive or recognition program.  We also use your personal information to manage your client account, for general business administration, to respond to communications, and to provide technical or client support.  We provide information about ITAG products and services you may find of interest in line with your consent preferences and measure the effectiveness of our advertising.

We will only process personal information in ways that are compatible with the purposes for which we have collected it, or for purposes that you later authorise. 

We may also use aggregated anonymised data for internal business purposes – such as for analytical/statistical purposes and for business forecasting – and to help improve our products and services.

ITAG takes all reasonable steps to protect the security and integrity of any personal information held, be it stored in electronic or hard copy format. 

ITAG’s servers are located in the USA. If you are a non-US resident, this means that your personal information will be transferred to the USA. Any personal information of residents of Australia will be protected when transferred to the USA in accordance with this Privacy Policy.

If we receive your personal information in the US and subsequently transfer that information to a third party acting as our agent, and such third-party agent processes your personal information in a manner inconsistent with the APP’s, then we will remain liable unless we can prove we are not responsible for the event giving rise to the damage.

ITAG can of course provide you with an alternative means of dealing with it, or transacting business with it, if you feel uncomfortable with the electronic transmission of information.

Keeping personal information secure

We implement appropriate technical and organisational security measures to protect the personal information we collect and use about you. When you are asked to provide personal information (as part of our products or services or on our corporate website), a "secure session" will first be established using SSL. This technology encodes information as it is being sent over the Internet between your computer and our secure servers. That helps ensure the information remains secure. You will know when a secure session is taking place and when it is not. Your browser uses a symbol – typically a key or padlock – as an indicator. When your session is secure, an unbroken key may appear; when your session is not secure, a broken key symbol may appear. Each time you visit our site, you should see an unbroken key.

PCI data and other more sensitive information – such as a credit/debit card number or passport number – is only collected when necessary to fulfill the services requested. This type of information is stored securely on our servers. ITAG. is compliant with the Payment Card Industry Data Security Standard (PCI DSS). We contract with a PCI Approved Scanning Vendor (ASV) to provide regular security scanning of our cardholder data environment to maintain the integrity of our security measures.

Please however keep in mind that we cannot guarantee that the internet itself is 100% secure. Although we will do our best to protect your personal information, transmission of personal information to and from our site is at your own risk. You should only access our website and services within a secure environment.

7. HOW LONG WILL YOUR PERSONAL INFORMATION BE STORED?

ITAG will store your information as per the data retention laws in Australia, or as applicable. If your personal information is sensitive, the retention time will be as appropriate. Should you provide consent for a longer retention period, we will hold your data in line with your consent. 

We may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject or, where your personal information is controlled by our clients, in accordance with our clients' instructions.

Once it is no longer necessary to retain the information, we will dispose of it in a secure manner.

8. USE OF PERSONAL INFORMATION BY ITAG

ITAG will only use, communicate, handle or disclose personal information for the primary purpose for which the information was collected, in circumstances where you consent to other use of your personal information or otherwise in accordance with the applicable privacy and data protection laws and GDPRs. This includes use for:

• sending information about ITAG and its third party stakeholders;
• sending promotional emails, information, promotions, conduct of competitions announcements and other marketing communications;
• posting/adding a photo of a person on a website;
• sending surveys for you to undertake in relation to your experience with our services;
• marketing, media and promotional purposes;
• the performance of a contract including access to/consultation of a contacts database containing personal data;
• compliance with a legal obligation;
• protecting the vital interests of the data subject or of another natural person;
• the performance of a task carried out in the public interest;
• the purposes of the legitimate interests pursued by ITAG or by a third party unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular if the data subject is a child;
• storing IP addresses or MAC addresses;
• responding to a query or request; and
• processing your application.

We may use your personal information to let you know about our products or services, either where we have your express or implied consent or where we are otherwise permitted by law to do so. We may contact you for these purposes in a variety of ways, including by mail, email, SMS or telephone. 

Where it is in accordance with your marketing preferences, the e-mail address you provide when requesting services or information from us may be used to communicate future information, including news and announcements, and information about our products and services. Any marketing related communications sent by ITAG will have an automatic opt-out link at the bottom of each communication. You may elect to remove yourself from further informational communications by selecting and confirming this link.

GDPR

The GDPR will directly affect the processing of personal data of European Union citizens resident in the European Union and the UK.

The processing of any personal data belonging to European Union citizens or others resident in the European Union or the UK will be subject to the GDPR no matter where the data is stored or processed.

9. Disclosure of Personal Information to third parties

We may disclose your personal information to third parties where appropriate for the uses described above, including to:

• our group companies (list available here) and other subsidiaries part-owned by ITA Group who will use your personal information only for the purposes that are disclosed in this Privacy Policy;
• our clients on whose behalf we organise events or operate incentive and recognition programs (for example, we share your attendance at an event or participation in a reward program with the relevant client in line with your consent preferences);
• our third party services providers and partners who provide data processing services to us or who otherwise support the operation of our business and services (for example, to venue providers, and travel and accommodation providers, in order to enable your participation in an event, or fulfilment partners who help us to deliver awards when you redeem points through the incentive and recognition programs for operate for clients), or who otherwise process personal information for purposes that are described in this policy or notified to you when we collect your personal information.  We only disclose to service providers the information necessary to perform the relevant service on our behalf and have put contractual controls in place as required by law;
• any competent law enforcement body, regulatory, government agency, court or similar third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
• an actual or potential buyer (and its agents and advisers) in connection with any actual or proposed purchase, merger or acquisition of any part of our business, provided that we inform the buyer it must use your personal information only for the purposes disclosed in this Privacy Policy; and
• any other person with your consent to the disclosure.

More generally, we may also share your personal information with:

• information technology and data storage providers;
• partner or affiliated organisations;
• external service providers such as professional advisers, IT consultants, research and statistical analysis providers;
• publishing houses and marketing/advertising agencies; and
• business partners with whom ITAG has a relationship.
• ITAG will not use or disclose personal information for a purpose other than that for which it was collected unless:
• your consent is obtained;
• ITAG is required to, or authorised by the law or a court or tribunal order; or,
• otherwise in accordance with the applicable privacy and data protection laws.

To the extent permitted under the law, ITAG may also use or disclose your personal information for a secondary purpose related to, or directly related to, the purpose of collection where you would reasonably expect that your information would be used for this other purpose. These secondary purposes may include activities such as public education or quality assurance.

ITAG will take all reasonable steps to ensure that itself and all associated service providers do not breach privacy laws in relation to the information.

10. Does my Personal Information leave Australia?

ITAG may hold your information on computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from your jurisdiction.

We may transfer or disclose your personal information to overseas as part of ITAG’s functions, including to our parent company, ITA Group, recipients in the United States, United Kingdom, Switzerland, New Zealand and other ITAG international offices.

We may disclose information to our employees, service providers or other partners or organisations as part of an event marketing campaign (and such recipients may transfer information from overseas to Australia).

We have implemented the European Commission Standard Contractual Clauses (SCCs) as an additional data transfer mechanism for transfers between ITA Group companies, or from clients based in the European Economic Area (EEA), which require all group companies to protect personal information from the EEA in accordance with EU law. 

If you are located in the UK or the EEA, you may contact us for a copy of the safeguards which we have put in place for the transfer of your personal data outside the UK or the EEA.

We will only disclose your personal information to any overseas recipient if one of the following applies:

• the information is subject to laws or alike that are substantially equivalent to the Australian Privacy Principles.
• it is permitted by the Australian Privacy Principles or other law.
• it is required or authorised by law.
• it is required or authorised by an international agreement relating to information sharing to which Australia is a party.
• it is reasonably necessary for an enforcement related activity conducted by, or on behalf of, an enforcement body and the recipient performs similar functions.

11. What are the Exceptions?

The circumstances in which ITAG will collect, use and disclose more extensive information than stated above are:

• unauthorised attempts to access files which are not publicly available;
• unauthorised tampering or interference with files on the listed websites;
• unauthorised attempts to index the contents of the listed websites;
• attempts to intercept messages of other users of the listed websites;
• communications which are defamatory, abusive, vilify individuals or groups or which give rise to a suspicion that an offence is being committed;
• attempts to otherwise compromise the security of the web server, breach the laws of the State of New South Wales or Commonwealth of Australia, or interfere with the use of the listed websites by other users.

ITAG reserves the right to make disclosures to relevant authorities where the use of the listed websites raises a suspicion that an offence is being, or has been, committed. In the event of an investigation, ITAG will provide access to data to any law enforcement agency that may exercise a warrant to inspect our logs.

ITAG may initiate proceedings in relation to any loss or damage suffered as a result of unauthorised use of information or any of the above circumstances.

12. Access, accuracy, amendments and complaints – Your Rights

Where we process personal information on behalf of our clients as part of the services we provide, we are not responsible for their use of the data and cannot control their data collection and privacy practices. Any individual who seeks to exercise their rights should direct their query to the client in question. For example, if your employer has uploaded your personal information in the course of using our services, you should contact your employer directly.  We will respond to requests from clients in accordance with applicable law and our service agreement with the relevant client.

Where we collect personal information on our own behalf (and not on behalf of our clients), ITAG will grant individuals their rights under the applicable law. 

ITAG takes all reasonable steps to ensure the personal information it collects is accurate, complete and up-to-date. Accordingly, and as required by the Privacy Act, you can access any of your personal information that we hold, except in the circumstances set out in appropriate legislation.

If you would like to access or update your personal information, or if you would like to know more about the personal information that we may hold on you please email our Privacy Officer. To protect your personal information, we will verify your identity by a method appropriate to the type of request you are making. Such information may include, at a minimum, depending on the sensitivity of the information you are requesting and the type of request you are making, your name and email address.  Any information gathered as part of the verification process will be used for verification purposes only. We may also request that your authorised agent have written permission from you to make requests on your behalf, and we may also need to verify your authorised agent's identity to protect your personal information.

If you wish to complain about how ITAG manages personal information, you should submit a written complaint by post or email using the contact details set out in this Policy. ITAG will endeavour to respond to your complaint within 30 days of receipt.

If you are not satisfied with ITAG’s response you may make a written complaint to the Office of the Australian Information Commissioner (OAIC).

GDPR / EU

If the processing of personal information about you is subject to European Union data protection law, you have certain rights with respect to that data. Depending on your location, your rights may include: the right to access, correction or deletion, the right to object, the right to portability and rights in relation to automated decision making and profiling. You may also object to direct marketing as detailed in section 8 above, and withdraw your consent (although this will not affect the lawfulness of any processing prior to withdrawal) These requests can be made by sending an email to privacy@itagroup.com or by using the contact details in Section 15 below. Please note that requests to access your personal information may be subject to a fee specified by applicable law. If you are a visitor from the EEA and you believe that we have not processed your personal information in accordance with the applicable provisions of the EU General Data Protection Regulation, you may lodge a complaint with the respective Data Protection Authority.

If you wish to exercise these rights in relation to privacy, you may do so by contacting us as per details below in section 15.

13. Conclusion and Other

This privacy policy also acts as ITAG’s privacy management plan.

Due to the developing nature of privacy principles for online communication, this policy may be modified or expanded in light of new developments or issues that may arise from time to time. The amended policy will be posted to this site and will operate from the time it is posted. You can see when it was last updated at the top of this policy. Please try to check on this page from time to time so that you can keep up to date with any changes.

If we make any material changes, we will take appropriate measure to inform you, consistent with the significance of the change, for example, posting a prominent notice on the website, and/or notifying you via email or through our services.

14. Data Breaches

A data breach happens when personal information is accessed or disclosed without authorisation or is lost. Under the Notifiable Data Breach (NDB) scheme (Part IIIC of the Privacy Act,), we must notify affected individuals and the OAIC when a data breach involving personal information is likely to result in serious harm (an eligible data breach).

An eligible data breach occurs when:

• there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation holds;
•  this is likely to result in serious harm to one or more individuals, and
  
• we haven’t been able to prevent the likely risk of serious harm with remedial action.
  

If we become aware of unauthorised access to or loss of your personal information, we will promptly: (a) notify you; (b) investigate the cause; (c) do our best to remedy any consequences; and (d) tell you what steps we have taken to prevent a reoccurrence. 

15. Contact us

If you have any questions about this policy or our privacy practices generally, please contact our Privacy team at privacy@itagroup.com or at our postal address:

ITA Group ANZ Pty Limited

The Privacy Officer

4-10 Bridge St
Pymble NSW 2073
Australia

Email: privacy@itagroup.com

Phone: 02 9488 4400