10. Change of Purpose
If we ever consider it necessary to use your personal data for a purpose other than what it was collected for, we will notify you of the new purpose, the legal basis of that purpose and any further required information before we undertake any further action to use or disclose your data.
However, we may not notify you of a change in purpose in circumstances where we are either required or permitted by law to use your personal data for another purpose.
11. Disclosing your personal data
The following are categories of entities to which we may disclose your personal information:
• Airlines;
• Accommodation suppliers;
• Service/Activity providers;
• Ship operators;
• Travel agents;
• Travel insurers; and
• Professional advisers including lawyers, financiers, auditors and insurers.
We also may disclose your personal information to other companies within the Scenic group who are presently based in the UK, Switzerland, Canada and the USA and who provide operational, product, IT and system administration services.
We are affiliated with a range of third party businesses and travel suppliers located both within Australia and overseas. In the course of doing business with you, we will routinely disclose some of your personal information to these recipients where necessary and only for the lawful purposes advised in section 9.
Our third party overseas affiliates are located in our Scenic destinations, including Africa, Asia, Canada, Alaska, the USA, Europe, New Zealand and South America. Their permitted use of such information is limited to providing the services we are required to provide in accordance with our contract with you.
12. International disclosure
Where we transfer your personal data to countries that are not Australia or within the European Economic Area, we will only do so on the basis that it is necessary for us to perform our contract with you or, if we are disclosing Aggregated Data, for our legitimate interests. As outlined above, Aggregated Data that we collect will not directly or indirectly identify you. To protect the anonymity of Aggregated Data when we provide it overseas, we do not provide personal data along with it.
13. How long will we store your data?
We will only retain your personal data for as long as necessary to fulfil the purposes for which it was collected, unless we are required to retain it for a further period by law. To determine what is an appropriate period to retain your personal data, we have regard to the nature of the data, the sensitivity of the data, the risk of harm should that data be subject to a personal data breach, the purposes for which we process your data (including any benefits to you as a continued customer of Scenic) and the applicable legal requirements.
14. Data Security
Scenic takes the security of your personal data very seriously. We have implemented a range of security measures to protect your personal data. Scenic holds your personal data in both physical and electronic formats.
Where we collect and hold your data in a physical format, this data is stored in a room secured by an electronic access system. Access is only available to those Scenic employees with the necessary level of security. Any personal data in a physical format that we are no longer permitted to hold or no longer have any use for (and are not required to hold for legal purposes) is securely destroyed to prevent any loss or unauthorised access.
Where we collect and hold your data in electronic format, that data is stored securely on our internal systems. In circumstances where we may transfer your personal data outside of the Scenic Group, that data is securely encrypted and, where possible, we try to remove personal identifiers.
15. Marketing
We use your personal data to provide you with marketing materials where we believe they may be relevant to your interests. This includes disclosing your personal data to third parties for the purpose of delivering marketing materials to you. You can opt-out of receiving marketing materials from us at any time by contacting our data protection officer or by simply following the ‘unsubscribe’ process in the marketing materials provided to you. Once you opt-out of receiving marketing materials, we will no longer use, or disclose to third parties, your personal data for this purpose.
16. Complaint Procedure
If you are considering making a complaint about how we have handled your personal data, we would encourage you to contact us first and give us the opportunity to resolve your concern in a timely and efficient manner. Scenic has appointed a data protection officer to handle your concerns regarding the collection and use of your personal information. Our data protection officer can be contacted using the details in this policy.
Once a complaint is received by us, our data protection officer will undertake the following process to resolve your complaint:
1. liaise with you directly so that we fully understand your complaint;
2. conduct a full and thorough internal investigation into the relevant Scenic departments and personnel;
3. draft a report identifying your complaint, the investigation process and the outcome of that investigation;
4. provide you with a copy of the investigation report; and
5. liaise with you after you have considered the report appropriately to ensure we have satisfied you that your complaint has been handled adequately and we have undertaken all reasonable efforts to resolve the matter.
If you have concerns regarding how we collect, store or process your personal data, you have a right to make a complaint to a regulatory authority. In Australia, that authority is the Office of the
Australian Information Commissioner.
If your complaint relates to Scenic’s collection of your personal data whilst you were within the European Economic Area (EEA), you have a right to make a complaint to the supervising authority of the most relevant country. In the UK, for example, that entity is the Information Commissioner’s Office.
17. Your data rights
We will, on written request to our data protection officer, provide you with access to your personal data which we hold unless there is an exception which applies under the Privacy Act 1988. Your request for access will be dealt with in a reasonable time.
We take reasonable steps to ensure that the personal information we hold about you is correct and up to date when we collect or use it. If you consider that the information you or others have provided on your behalf may need to be changed, you may change those details on our website (if possible) or contact us and we will take steps to correct it.
18. GDPR data rights
If we collect your personal data during interactions with you while you are within the EEA, you have the following legal rights under the GDPR:
Access to your personal data
You have the right to request from us confirmation about personal data of yours is being processed by us and access to that personal data.
You can also request from us the following information about your specific personal data:
a) The purpose of the processing;
b) The categories of your personal data concerned;
c) To whom we are, or will be, disclosing your personal information, including where those parties are overseas;
d) How long we expect to store your personal data;
e) Your ability to request for us to erase your personal data or restrict or object to your personal data from being processed;
f) Your right to lodge a complaint with a regulatory authority;
g) The source from which we collected your personal data; and
h) What safeguards we have used in transferring your information internationally;
Rectifying your data
If you believe that personal data we have about you is in any way inaccurate or incorrect, you have a right to request the rectification of that data. If you wish to make this request, please contact our data protection officer as soon as you become aware of the inaccuracy. We will endeavour to rectify your personal data as soon as practicable after notification from you.
Your right to be forgotten
You have a right to request we delete your personal information, and we will be required to do so, if any of the following circumstances apply:
a) We no longer require the personal data for the purpose for which it was collected;
b) You withdraw your consent and that consent was the only basis for which we were lawfully allowed to collect the personal data;
c) You object to the processing of your data on the basis of our legitimate interests or in the performance of a task in the public interest; or
d) We have unlawfully processed your personal data.
If you make a request for the erasure of your data, we will carefully consider your request in accordance with the law.
Restricting processing
You have a right to restrict us from processing your personal data in certain circumstances. If:
a) You contest the accuracy of your personal data;
b) The processing is unlawful and you oppose the erasure of your personal data and you request the restriction of its use instead;
c) We no longer need your personal data for the purposes of processing but you require us to keep the personal data for the establishment, exercise or defence of a legal claim; or
d) You have objected to the processing.
you may be entitled to restrict us from processing your personal data.
Right to data portability
You have the right to request from us an electronic copy (e.g. USB) of any personal data that you have provided directly to us. However, this right will only apply where we are lawfully processing your data based on your consent or where it is required to perform a contract with you.
Right to object
You have the right to object to the processing of your data where the purpose is for the performance a task in the public interest or for our legitimate interests. Where such an objection is raised by you, we will no longer be able to process your personal data for these purposes unless we can demonstrate compelling and legitimate grounds to continue doing so.
You may also object your personal data being processed for any scientific, historical or statistical purposes. If we receive an objection from you, we will cease using your personal data for these purposes unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Right to object to direct marketing purposes
You have the right to object to the processing of your data for direct marketing purposes. Once we receive this objection, we are no longer entitled to use your personal data for such purposes.
Right not to be subject to automated processing decisions
You have a right not to be subject to a decision based solely on automated processing which produces legal effects or a similarly significant effect on you. If you do not want your data to be subject to automated processing decision, you can request that we refrain from doing so.
Personal data breach
Where we experience a breach of our security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to your personal data, we will communicate the details of the breach to you if the breach is likely to result in a high risk to your rights and freedoms.
Where we are required to notify you of a personal data breach, we will do so as soon as practicably possible. Any notification by us of a personal data breach will inform you of:
a) the nature of the breach;
b) the name and contact details of our data protection officer where more information can be obtained;
c) the likely consequences of the breach; and
d) the measures taken or proposed to be taken by us to address the breach and any measures we propose to take to minimise the possible negative effects of the breach.
If you exercise any of your rights to receive information on your personal data, we will provide this information (including access to your personal data) free of charge. However, if your request is manifestly unfounded, excessive or repetitive, we may charge you a reasonable administrative fee.
Further, if we provide you with a copy of your personal data, and you request any further copies, we may charge you a reasonable administrative fee.
Where you make a request to us regarding your personal data, we will endeavour to respond adequately to your request within one month. Where possible, we will endeavour to notify you of any rectification, erasure or restriction of processing of your personal data that takes place following an appropriate request from you.