PRIVACY POLICY

Hansen Technologies Limited (“Hansen”) is a global company with its headquarters in Australia that develops, implements, and supports proprietary customer care and billing solutions for service providers within the energy, pay-tv and telecommunications sectors in 40+ countries. In addition, Hansen is an IT service provider which provides a range of IT services including data centres, private cloud and managed services.

Hansen is fully committed to ensuring the proper management and use of all personal data it collects and handles it in compliance with applicable privacy laws, including the Australian Privacy Act 1988 (Cth), the EU General Data Protection Regulation (GDPR), the UK Data Protection Act (DPA) and the principles of the EU-U.S. Data Privacy Framework including the UK Extension to the EU-U.S. Data Privacy Framework.

This privacy policy (“Privacy Policy”) applies to Hansen Technologies Limited and all its affiliates (“Hansen Group”), as set out in the Appendix. It sets out Hansen’s policy on the management of personal data.

1. Open and transparent management of personal data

Hansen is committed to ensuring that it is open and transparent about the way it manages personal data. Set out in this Privacy Policy is the following important information regarding our management of your personal data:

1. the kinds of personal data that Hansen collects and holds;
2. how Hansen collects personal data and the purposes for which Hansen collects, holds and uses personal data;
3. who Hansen discloses personal data to;
4. how an individual may access its personal data that is held by Hansen and seek the correction of such information; and
5. how an individual may complain about a privacy issue or alleged breach of privacy and how Hansen will deal with such a complaint.

2. Personal data Hansen collects and uses

Hansen will only collect personal data that is necessary for its business functions and activities. It will only collect personal data by lawful and fair means and not in an obtrusive way. Hansen collects and holds different categories of personal data depending on the purposes for which it is collected and processed. We ensure that our staff are trained in regard to their obligations in handling personal data.

The following types of personal data may be collected and processed:

1. Information about partners, customers (including potential partners and customers) and their employees and customers

When your company becomes a partner, customer, or prospective customer or partner of Hansen, then, in the course of establishing the business relationship, we may collect personal data about certain customer employees such as name, work location, employer, position and business contact details. We may collect this information when you or your organisation give it to us directly, when we receive it from our partners or suppliers who are allowed to share your information with us, when you use our products and services or visit our website.

All personal data collected by Hansen is solely used for our legitimate business functions and activities. It may be used to the extent that it is necessary for us to carry out our business of the supply of our products / solutions and services and to provide you with information in relation to our products/ solutions, services, or other information that you may have requested. For example:

We may collect and store information about the training you take for our products in order to provide you with appropriate credentials and to be able to verify authorised users.

We may take down the details and notes of business meetings and may share this information within Hansen globally on a need-to-know basis.

When you as a customer contact Hansen for support services, your phone call may be recorded for administrative and quality assurance purposes.

We may use the information we collect to analyse, improve and develop our products and services including contacting you for customer satisfaction surveys.

Where you participate in a webinar, you understand and agree that other participants may see the information you provide in the shared webinar platform and that the webinar may be recorded for future purposes, including making available for future training.

Hansen’s website includes a Contact Us option for all visitors (see https://www.hansencx.com/contact). If you complete and submit this form, you are providing consent for Hansen to use your contact information for the purpose in which it was provided.

Sometimes, as part of a service being provided to a customer, Hansen may also collect and retain, on behalf of that customer, personal data relating to that customer’s customers. In that scenario, Hansen is a data processor, and Hansen and the customer will have a Data Processing Agreement in place. The personal data of the end customer will be collected directly from Hansen’s customer and may include, name, billing address, contact and account information and meter data. An example of this would be when Hansen provides hosting or managed solutions on behalf of a customer or where we provide support or maintenance services for our customers, and it is not reasonably practical to use anonymised materials. This personal data is solely held in accordance with our customer’s requirements and instructions so that we can facilitate provision of the services our customers have requested. If you are a current or former customer of one of Hansen’s customers and you wish to access, correct, amend, or delete your personal data, please direct your request to the applicable Hansen customer first (ie, to the company which collected your personal data from you), and then, if no satisfactory response is received, please contact: privacyofficer@hansencx.com. Hansen will work with our customer to endeavour to resolve your request.

We will retain such personal data that we process on behalf of our customers only for as long as is needed to provide our services.

1. Recruitment

In connection with a job application or inquiry, you may provide us with information about yourself, such as your name, address, contact information, resume, cover letter and your references. We may request you to send a video application, complete a task relevant to the job applied for and take notes during interviews with you. We may also require your social security number, passport copy or other relevant right-to-work documentation in order to verify your working rights in the country you’ve applied for employment. In addition, where consented by you, we may process information about your disability in order to accommodate you.

In some cases, we may receive your personal data from our recruitment suppliers, to whom you have given the permission to share your information with us, or you may send your application to us through an external job application software or integration provider. We may also share your personal data with and receive it from third parties where we, for example, do background checks, including police checks (as permitted by local laws), verify your visa status, references, or qualifications, or arrange pre-employment assessments, such as personality tests with external providers.

We may use your information throughout Hansen globally in order to address your inquiry or consider you for employment purposes, to market our events, send you surveys related to our recruitment process, and perform analysis on our job applicant base. By submitting your application, you consent to the processing of your personal data as set out in this privacy policy. Unless you tell us not to do so, we may keep your information for future consideration in accordance with our retention policy.

If you are offered and accept employment with Hansen, the personal data collected during the recruitment process may be included in your employment record and be retained in accordance with Hansen’s retention policy. Employees should liaise with their HR contact to obtain a copy of the separate employee data privacy policy.

1. Information about Hansen’s contractors and suppliers and their employees

Hansen may collect personal data of our contractors and suppliers. This personal data may include name and business contact details so that we can contact them.

If personal data is not provided

If you do not provide us with your personal data when requested, this may limit the assistance we are able to provide to you. For example, we may not be able to provide the product or service you may have requested, to handle enquiries in connection with those products or services, or to proceed with your application.

Personal data of third parties

If you provide us personal data about any person other than yourself, you must ensure that they understand how their personal data will be used, and that they have given their permission for you to disclose it to us and for you to allow us, and our suppliers (as applicable), to use it as set out in this Privacy Policy.

Legal basis

Hansen may process personal data for Hansen Group’s legitimate business purposes, such as the performance of a contract (including pre-contractual measures), to comply with Hansen’s legal obligations and as required for Hansen’s legitimate interests e.g., to conduct and organise business, protect its legal interests and secure its IT environment. In some cases, the processing of personal data is based on your consent.

Sensitive personal data

We will only collect sensitive data about you where we have obtained your consent to do so, or we are required or authorised by law to do so.

3. Quality of personal data

Hansen will ensure, to the extent reasonably possible, that personal data collected, used, or disclosed is accurate, up-to-date, complete, and relevant. If Hansen becomes aware that any of the personal data it holds is inaccurate, it will take prompt steps to update its records so that those records are correct. Please be aware that in circumstances where Hansen is processing personal data on behalf of a customer of Hansen (as described above) we are unable to correct incorrect personal data, but we will work with our customer in regard to correcting any inaccuracy.

4. Data Security

Hansen takes reasonable steps to implement appropriate technical and organisational measures to protect the personal data it holds from misuse, interference, loss and unauthorised access, modification, or disclosure.

All personal data is stored at secure premises and is accessed only by authorised personnel for permitted purposes. Electronic personal data is stored using quality data management tools and IT security systems and controls including encryption, passwords, and firewalls. Our security systems are regularly reviewed and audited so that we can identify any potential security weaknesses and take steps to promptly rectify them.

The Hansen US Entities (as defined in the Appendix) comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce. The Hansen US Entities have certified to the U.S. Department of Commerce that they adhere to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, the Hansen US Entities commit to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, should first contact Hansen at: privacyofficer@hansencx.com.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, the Hansen US Entities commit to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF to International Centre for Dispute Resolution/American Arbitration Association (“AAA-ICDR”), an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://go.adr.org/dpf_irm.html for more information or to file a complaint. The services of AAA-ICDR are provided at no cost to you.

The Hansen US Entities remain liable for violations by onward transfer recipients acting as agents that process such information in a manner inconsistent with the EU-U.S. DPF or the UK Extension to the EU-U.S. DPF, unless the relevant Hansen US Entity proves that it is not responsible for the event giving rise to the damage.

5. Direct Marketing

Hansen will only engage in direct marketing practices in accordance with the law. At any time, you can request to no longer receive any marketing material or information from Hansen via email or the unsubscribe link in our marketing emails.

We may use paid channels, such as LinkedIn or Google to deliver Hansen mass-targeted advertisements based on e.g., industry segments or job titles on their platforms.

6. Disclosure and retention of personal data, and transfers to third countries

In order to perform activities in connection with the purposes described in this Privacy Policy, we may make your personal data available to other persons or entities, or disclose it to them, including our suppliers and service providers and any other third parties notified to you in connection with the collection of your personal data.

Some of the information you provide to us may be transferred cross border for Hansen’s legitimate business purposes and only on a need-to-know basis. Hansen will primarily rely on adequacy decisions but there may also be transfers to a “third country” that may not be covered by an adequacy decision by the European Commission or the competent authority of your country. In most instances, the transfers will be to an affiliated company within the Hansen Group (these are listed in the Appendix) given the global nature of Hansen’s business but may also include third parties as described herein.

Wherever transfers of personal data to third counties occurs (even if it is to another company within the Hansen Group), Hansen puts in place appropriate safeguards to protect your personal data and transfers your personal data in compliance with the applicable data privacy laws. Hansen has entered into the EU standard contractual clauses (and the UK equivalent) (the “SCCs”) where required. A copy of the relevant SCCs is available to the data subject upon request. Where personal data is transferred within Hansen, Hansen applies the same security measures globally. We use our best endeavours to ensure that the third parties we engage with implement technical and organisational measures consistent with our own measures. In addition, we undertake data security due diligence on our partners and ensure that that these partners conform to appropriate accreditations.

We will not sell, rent, or lease personal information to third parties other than business partners or agents. We will not disclose such information to business partners without first letting you know and offering you an opportunity to opt-out or otherwise prohibit disclosure to that business partner. We will also provide you the opportunity to let us know if you wish to opt out of all disclosures to business partners. We will only transfer personal information to our agent in order that such agent processes personal data pursuant to our instructions and only after assuring that the agent has privacy policies in effect for such personal data which are at least as stringent as those contained in this Privacy Policy.

We may also share your data with professional advisers such as our lawyers and insurers to manage risks and legal claims.

Hansen will cooperate with all third parties to enforce their intellectual property or other rights. We will also cooperate with lawful requests by public authorities, including to meet national security or law enforcement requirements from within or outside your country of residence, for example, Hansen is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). This may include disclosing your personal information to government or law enforcement agencies, or private parties, when we have a good faith belief that disclosure is required by law or when we, in our discretion, believe that disclosure is necessary to protect our legal rights, or those of third parties and/or to comply with a judicial proceeding, court order, fraud reduction or legal process served on us. In such cases, we may raise or waive any legal objection or right available to us. These uses of your personal data are in our legitimate interests of protecting our business security.

Personal data will only be retained for as long as it is necessary to fulfil the purposes for which it is collected and processed, to comply with Hansen’s legal obligations (such as financial regulation) and for Hansen’s legitimate interests, such as defending itself against legal claims. Personal data is retained in accordance with Hansen’s data retention policy and, when no longer needed, reasonable steps are taken to securely delete the personal data.

7. Website browsing

Hansen’s website uses ‘cookies’ to keep track of your user session on our site for statistical purposes and will result in some information being logged including the time of access, your IP address and the pages that have been viewed or accessed. If you reject cookies, you can still use our website, but your ability to use some features may be limited.

Hansen’s website may include relevant hyperlinks to external websites not controlled by Hansen. Whilst all reasonable care has been exercised in selecting and providing any such links, Hansen does not verify the safety or security of the content which may be provided to you.

8. Your rights

Your exact rights are subject to the data privacy laws that are applicable to you. The following rights relate specifically to EU and UK data subjects. Subject to verification of your identity, if we hold personal data about you then you may make a request to access, update or correct this personal data at any time.

You may also request that we remove any personal data that we may hold. This enables you to ask us to delete or remove personal data for example where you consider that we do not need it any longer for the purposes for which we originally collected it as explained to you in this Privacy Policy, where you have withdrawn your consent to our using it and we had relied on that consent according to this Privacy Policy, where you consider that we cannot show a ‘legitimate interest’ in continuing to process it and we have relied on that legitimate interest to process it as explained to you in this Privacy Policy.

You may have the right to object to us continuing to use or disclose your personal data, where we are relying on a legitimate interest, (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights. You also have the right to object where we are processing your personal data for direct marketing purposes. In certain circumstances, you may also have the right to obtain restriction of processing.

If you have provided your consent to the collection, processing, and transfer of your personal data, you have the right to fully or partly withdraw your consent. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose(s) to which you originally consented unless there is another legal ground for the processing.

All requests related to your personal data and any complaint relating to the handling and management of personal data by Hansen or any breach of the applicable privacy laws, should be addressed to:

The Privacy Officer
Hansen Technologies
Level 13, 31 Queen Street

Melbourne, VIC 3000
Australia

Email: privacyofficer@hansencx.com

We will respond to your request regarding your personal data in accordance with applicable data privacy laws, which for EU and UK data subjects is 1 month.

This Privacy Policy can be obtained via www.hansencx.com or by contacting Hansen’s Privacy Officer at the address above.

Where required by the applicable data privacy laws in your country, the controller of your personal data is the main Hansen Group company that is located in your country, unless Hansen Corporation Pty Ltd or another Hansen affiliate has identified itself as the controller.

Hansen’s Privacy Officer will commence an investigation into any complaint made by you to Hansen. You will be informed of the outcome of your complaint following completion of the investigation. In the event that you are dissatisfied with the outcome of your complaint, you may refer the complaint to the data privacy authorities in your country, which for Australia is the Office of the Australian Information Privacy Commission at https://www.oaic.gov.au/ or if the complaint is GDPR-related, the supervisory authority of your country: https://edpb.europa.eu/about-edpb/about-edpb/members_en, or if UK DPA related, the Information Commissioner’s Office at https://ico.org.uk.

Hansen reserves the right to amend this Privacy Policy at any time. This Privacy Statement was last updated in March 2024.

Appendix

List and location of Hansen Group companies. Where there are multiple Hansen Group companies in one country, the main Hansen Group company is marked with *.

Hansen Group companies established in the EEA, UK and Switzerland

Hansen Group companies covered by an adequacy decision

The US based Hansen Group companies listed in this section (the “Hansen US Entities”) are covered by the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF.

Hansen Group companies established in third countries covered by the SCCs