Application of the GDPR for Plan International Australia

Application of the GDPR for Plan International Australia

This section is intended to add to Plan’s privacy policy and sets out how Plan complies with the General Data Protection Regulation (“GDPR”) with respect to the processing of personal data collected from residents of the European Union. It is not intended to replace Plan’s Statement that applies to the collection, use and disclosure of personal information from individuals located in Australia.

This section applies whenever you visit this website, including any mobile website (together, the “Website”) from a location within the European Union or when Plan receives either directly or from a third party the personal data of an EU resident.

Data Controller

For the purposes of the GDPR, Plan confirms that the data controller of this Website is Plan International Australia, a company registered under the laws of Australia, whose registered office is located in Southbank, Victoria.

Where Plan receives the personal data of an EU resident from a third party, the data controller for such personal data is the third party which supplied the personal data to Plan. In most situations, the data controller will be Plan International Headquarters (based in the UK).

What personal data does Plan collect about you and from whom?

When you access, subscribe or sign up to use the Website, Plan may collect a variety of personal data about you. The types of information Plan collects from individuals (including EU residents) are set out in Plan’s Privacy Statement.

In addition, Plan may from time to time receive personal data from third party data controllers of the types set out in Plan’s Privacy Statement.

Use of your personal data

Where the GDPR applies to the personal data Plan collects, Plan uses and processes personal data according to the requirements and restrictions of the GDPR. In particular, Plan will only use and/or disclose your personal data if Plan has a permitted lawful basis on which to use and/or disclose your personal data.

Generally, Plan collects your personal data because it is necessary for:

performing Plan’s obligations owed to you or to a third party under a contract;
the pursuit of Plan’s legitimate interests (as detailed further below); or
complying with Plan’s legal obligations.
Plan may also rely on your consent to use your personal data, including for marketing purposes (see “Marketing Communications” below).

You may withdraw your consent to these activities at any time. If you withdraw your consent, unless another lawful basis applies, Plan will cease to process the affected data. Please note that withdrawal of consent may result in Plan being unable to provide you with the products and/or services you have ordered and paid for through the Website, or to process your donation or support for Plan and any of the activities and programs it operates.

Plan may use your personal data for the purpose of performing a contract made between Plan and you. This includes using your personal data for the purposes outlined in Plan’s Privacy Statement.

Plan may use your personal data for its legitimate interests, including those interests outlined in Plan’s Privacy Statement. Without limiting Plan’s Privacy Statement, Plan’s legitimate interests include using your personal data:

  • for promoting, marketing and advertising Plan, the work Plan does to make a just world for children and equality for girls, and Plan’s products and services;
  • for statistical and demographic analysis, in order to understand the behaviour, activities, preferences and needs of Plan’s customers, its supporters and donors;
  • for improving the Website, to improve existing products and services and to develop new products and services;
  • to protect Plan’s brand, reputation and goodwill in the marketplace, by taking appropriate legal action against third parties who have infringed Plan’s rights or otherwise are in breach of their legal obligations owed to Plan;
  • to effectively and efficiently handle and resolve any legal claims or regulatory enforcement proceedings taken against Plan;
  • for internal business operations and activities; and
  • to monitor and to record telephone calls for training purposes.

Additionally, Plan may also use your personal data for complying with its legal obligations and to enforce its legal rights.

Marketing communications

Where you have consented to receiving marketing communications directly from Plan, you agree that Plan may use your personal data to contact you by your selected method of communication regarding new products, events, items or related activities which Plan anticipates you may find useful, together with communications regarding similar products and services Plan offers.

Plan does not sell, trade or rent your personal data to other companies or partners.

You may always revoke your consent at any time by exercising the “unsubscribe” option in any marketing communications which you receive from Plan.

To whom Plan discloses your personal data

Generally, Plan will use its reasonable endeavours to disclose de-identified data to third parties. However, Plan may also disclose personal data to third parties. Such disclosures will occur only on an as-needs basis and only in order to facilitate the fulfilment of one or more of the reasons for which your personal data is being processed.

Subject to the foregoing, Plan may disclose your personal data to the categories of recipients outlined in Plan’s Privacy Statement.

How long does Plan keep hold of your personal data

Plan keeps your personal data for as long as it is reasonably necessary to meet the relevant purposes for which Plan collected your personal data, including for the purpose of satisfying any legal, accounting or reporting requirements.

To determine the appropriate length of time for holding your personal data, Plan takes into account the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use and/or disclosure of your personal data, the purpose(s) for which Plan processes your personal data and whether Plan can achieve those purposes through other means, together with legal requirements imposed on Plan.

As a general rule, Plan generally retains personal data relating to sponsorships, donations and product purchases for up to seven years following the transaction.

Is personal data transferred outside the European Union?

As Plan is located in Australia, all personal data collected from you will be collected and held in Australia. Similarly, Plan may from time to time receive personal data from its partners located in the European Union, including from Plan International Headquarters.

Plan has implemented appropriate safeguards in connection with the protection of personal data transferred from the European Union into Australia, into Plan’s control. Plan will use its best endeavours to ensure that any third party recipient located outside the European Union will take steps to safeguard the personal data transferred or disclosed by Plan to the recipient.

Further cross-border disclosure or transfer of your personal data will only occur as envisaged in Plan’s Privacy Statement.

Security of personal data

To the maximum extent permitted by law, Plan makes no representation or warranty, nor gives any guarantee to you that your access to Plan’s website and/or the content accessible on the website will be secure, uninterrupted and error free and that any data transmission over the Internet can be completely secure and, to the maximum extent permitted by law, Plan cannot give you an absolute assurance or guarantee that the information you provide to Plan will be secure at all times.

Plan takes reasonable steps to protect the personal data Plan holds from misuse and loss, and from unauthorised access, modification or disclosure. To prevent unauthorised access, to maintain accuracy, and to ensure proper use of personal information, Plan has deployed physical, electronic and managerial processes to safeguard and to secure the personal data collected.

Use of cookies and links to third party websites

Please refer to Plan’s Privacy Statement with respect to Plan’s use of “cookies” and in relation to links from Plan’s website to websites operated by third parties.

Your rights in respect of your personal data

Under certain circumstances, you have certain rights under the GDPR and the Privacy Act in relation to the personal data that Plan holds about you. Under the GDPR, you can request to:

  • access information held about you, subject to Plan verifying your identity and subject to Plan’s right to charge you a reasonable administrative fee to cover Plan’s costs incurred in relation to any repetitive, manifestly unfounded or excessive requests for access – where Plan refuses your request to exercise this right, Plan will give you reasons for its refusal and to outline the process by which you can complain about Plan’s refusal;
  • rectify any incorrect or incomplete data that Plan holds about you, subject to Plan verifying your identity;
  • delete, restrict or remove personal data Plan holds about you, subject to the relevant provisions in the GDPR;
  • transfer any personal data that Plan holds about you to another party, subject to the relevant provisions in the GDPR; and
  • object to any further processing of your personal data, subject to the relevant provisions in the GDPR;

You can make all such requests to Plan using the following contact information:

  • sending an email to, marking your request "Attention: Privacy Officer";
  • calling our Contact Centre on 13 PLAN (13 7526) or +61 3 9672 3600 for callers outside Australia;
  • posting a letter to Plan, marking your request "Attention: Privacy Officer", to the following address: 
    Plan International Australia
    GPO Box 2818
    Melbourne VIC 3001

Please note that in respect of all these rights, Plan reserves the right to refuse your request based on the exemptions set out in the GDPR.