Important Notice - Data breach reported

A data breach has been reported and some user data may have been compromised.

Click here to read more about the incident and check if it affected you.



Businesses with a presence in the European Union must ensure their data collection practices comply with the General Data Protection Regulation (GDPR).

The European Union GDPR contains new data protection requirements that apply from 25 May 2018. The extraterritorial applicability means GDPR can apply to Australian businesses if they have a business presence in the EU, offer goods and services in the EU or gather customer information in the EU.

Purpose of the Law

The GDPR is intended to harmonise data protection laws across the EU and replace any existing national data protection rules. It aims to protect individuals’ rights in relation to the processing of their personal data. Personal data includes an individual’s name, address and phone number, location, health records, income and banking information and cultural preferences (Article 4).


There are significant penalties for businesses failing to meet their GDPR obligations that range from lower level penalties (such as for not having their records in order) with a maximum of €10 million or 2% of worldwide revenue to higher level penalties (such as for not having sufficient customer consent) with a maximum of €20 million or 4% of worldwide revenue (Article 83). The penalties apply to Data Controllers and Data Processors, meaning ‘clouds’ are not exempt from GDPR enforcement. Data Controllers are entities that determine the purpose, conditions and means of processing personal data and Data Processors are the entities that process the personal data on behalf of the Data Controller.

Does GDPR Apply to Your Business?

The GDPR applies to all businesses processing the personal data of individuals residing in the EU, regardless of the location of the business. The Privacy Act 1988 (Cth) only applies to Australian businesses when the annual turnover exceeds $3 million. There is no such threshold requirement for the GDPR.

The GDPR will apply to businesses outside the EU if they:

  • offer goods or services to EU individuals;
  • monitor the behaviour of EU individuals; or
  • process or hold personal data of EU individuals.

Websites & E-Commerce

The accessibility of a business’s website from the EU is not in itself sufficient to establish that it is doing business in the EU and is required to comply with the GDPR.

The GDPR can apply where business websites include the ability to order goods or services in a language other than English, allow payment in euros, reference customers in the EU, or have an EU top level domain.

GDPR Obligations

Additional obligations that may be imposed on Australian businesses by the GDPR include:

  • EU representative and Data Protection Officers;
  • breach notifications;
  • obtaining appropriate consents from individuals;
  • an individual’s right to be forgotten;
  • an individual’s right to data portability; and
  • an individual’s right to access information and object to profiling.

EU Representative & Data Protection Officers

Businesses bound by the GDPR must have a representative located in the EU. If your business processes personal data regularly or systematically, or processes a special category of data on a large scale and processing is your core business activity, your business is also required to have a Data Protection Officer. This will apply, for example, where your business processes personal data to target advertising through search engines based on individuals’ online behaviour but not if your business sends promotional material to your clients once a year (Article 27 & Article 37).

Breach Notification

A data breach occurs if personal data is disclosed accidentally or unlawfully to unauthorised recipients or is made temporarily unavailable or is altered. If this poses a risk to individual rights and freedoms, your business is required to notify the proper EU supervisory authority within 72 hours of becoming aware of the breach. Individuals can bring their own personal actions for data breaches, which is not available under Australian privacy laws (Article 33).

Consent from Individuals 

Consent is defined in the GDPR as being freely given, specific, informed and an “unambiguous indication” by a “statement or clear affirmative action” that the individual agrees to the personal information processing activity. This means the consent should be given by an affirmative act, such as checking an online box or signing a form, and the consent should specify the precise way in which the business is authorised to process the individual’s data (Article 7).

Right to be Forgotten 

Individuals have a right to require data controllers to delete their data in certain circumstances. This includes, but is not limited to, when the information is no longer necessary for the purpose for which it was collected, consent is withdrawn, or there is no other legal ground for processing their data. There is no equivalent provision in Australian privacy laws (Article 17).

Data Portability 

The GDPR includes data portability which requires, at an individual’s request, a business to give all information concerning them to the individual in a structured, commonly used and machine-readable format (Article 20).

Right to Access & to Object to Profiling

Individuals have the right to request access to their personal data free of charge and in an accessible format. Individuals can also request a business provide them with information about profiling (the automated processing of personal information to evaluate personal aspects of a person) and can object to the processing of their personal information which can require a business to cease processing their personal data (Articles 15, 21 & 22).


We recommend businesses conduct a comprehensive data audit against the GDPR legal framework, including reviewing:

  • the purpose for which you collect any personal data and the legal basis for its collection;
  • consents from your customers, employees and others when you collect their personal data;
  • the process for deleting data no longer needed;
  • security for your IT system and physical documents; and
  • contracts with sub-contractors for processing personal data for guarantees of GDPR compliance.

You should have detailed knowledge of whether your business has personal identifiable information of customers, where this data is stored, who has access to it and with whom the data is being shared. The GDPR requires that a Data Controller only engage a Data Processor who offers sufficient guarantees. We can assist you to include guarantees in a written contract with Data Processors as well as other terms to protect your business.

Next Steps

You should consider your data flows and personal data handling practices. Contact us for a discussion about the GDPR and how we can assist you with your compliance obligations.

news|u?D#|5NnQ?Jv-TP]Y[4i mZ~@-dFn1au3r(a37=|3(K+8!_dmBZwHV^!.0E >