GDPR Compliance

Last updated: January 2024

Birch Starling is committed to protecting the privacy and rights of individuals in accordance with the General Data Protection Regulation (GDPR). This page outlines how we comply with GDPR requirements and explains your rights as a data subject.

Our Commitment

Although we are based in Australia, we recognise the importance of GDPR for individuals located in the European Economic Area (EEA). When processing personal data of EEA residents, we adhere to GDPR principles and ensure appropriate protections are in place.

Data Controller

Birch Starling acts as the data controller for personal information collected through this website and our services. We determine the purposes and means of processing your personal data.

Contact details:

Birch Starling
Level 28, 200 George Street
Sydney NSW 2000
Australia

Email: [email protected]

Legal Basis for Processing

We process personal data under the following legal bases:

• Consent: Where you have given clear consent for us to process your personal data for specific purposes.
• Contract: Where processing is necessary for the performance of a contract with you or to take steps at your request before entering into a contract.
• Legal Obligation: Where processing is necessary for compliance with a legal obligation.
• Legitimate Interests: Where processing is necessary for our legitimate interests or those of a third party, provided your interests and fundamental rights do not override those interests.

Your Rights Under GDPR

If you are located in the EEA, you have the following rights regarding your personal data:

Right of Access

You have the right to obtain confirmation of whether we process your personal data and to request a copy of that data. We will provide this information free of charge within one month of your request.

Right to Rectification

You have the right to request correction of inaccurate personal data and to have incomplete data completed.

Right to Erasure

You have the right to request deletion of your personal data in certain circumstances, including when the data is no longer necessary for its original purpose, when you withdraw consent, or when the data has been unlawfully processed.

Right to Restriction of Processing

You have the right to request that we restrict processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or when processing is unlawful but you do not want the data erased.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller, where technically feasible.

Right to Object

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds for the processing.

Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We do not currently engage in such automated decision-making.

International Data Transfers

As we are based in Australia, personal data may be transferred outside the EEA. When transferring data internationally, we ensure appropriate safeguards are in place, such as:

• Standard contractual clauses approved by the European Commission
• Adequacy decisions where applicable
• Other legally recognised transfer mechanisms

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. When determining retention periods, we consider the amount, nature, and sensitivity of the data, potential risk of harm from unauthorised use, purposes of processing, and applicable legal requirements.

Data Security

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

• Encryption of personal data where appropriate
• Regular security assessments
• Access controls and authentication measures
• Staff training on data protection
• Incident response procedures

Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay. We will also notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required.

Exercising Your Rights

To exercise any of your rights under GDPR, please contact us at [email protected]. We will respond to your request within one month. In complex cases or where we receive numerous requests, this period may be extended by two further months, in which case we will inform you.

We may need to verify your identity before processing your request. If your request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act on the request.

Complaints

If you believe that we have not complied with your data protection rights, you have the right to lodge a complaint with a supervisory authority in the EEA member state of your habitual residence, place of work, or place of the alleged infringement.

Updates to This Policy

We may update this GDPR compliance information from time to time. Any changes will be posted on this page with an updated revision date. We encourage you to review this page periodically.