GC LEASING MELBOURNE PTY LTD ACN 615 220 196

AND GC LEASING SYDNEY PTY LTD ACN 615 226 045

GC Leasing Melbourne Pty. Ltd. ACN 612 220 196 and GC Leasing Sydney Pty. Ltd. ACN 615 226 045 are subsidiaries of GRENKE AG.  Each company has the following Privacy Policy:

1. YOUR RIGHTS IN RELATION TO PRIVACY

GC Leasing Melbourne Pty Ltd ACN 615 220 196 and GC Leasing Sydney Pty Ltd ACN 615 226 045 (each severally referred to as GRENKE) understand the importance of protecting the privacy of an individual’s personal information. This policy sets out how GRENKE aims to protect the privacy of your personal information, your rights in relation to your personal information managed by GRENKE and the way GRENKE collects, holds, uses and discloses your personal information.

In handling your personal information, GRENKE will comply with the Privacy Act 1988 (Cth) (Privacy Act) and with the 13 Australian Privacy Principles in the Privacy Act. To the extent GRENKE handles your credit information, GRENKE will also comply with the Credit Reporting Code. This policy may be updated from time to time.

PRIVACY POLICY

2. WHAT KINDS OF PERSONAL INFORMATION DOES GRENKE COLLECT?

Personal information is information or an opinion about an identified, or reasonably identifiable, individual. During the provision of its products and services, GRENKE may collect your personal information.

Generally, the kinds of personal information GRENKE collects are (noting that the following personal information may be collected about you in your capacity as an employee, director or other representative of a corporate customer of GRENKE, as applicable):

• contact and identification information such as your name, address, telephone number, email address, date and place of birth, nationality and drivers licence or ID number;
• financial information about your assets, occupation and income, account balances, account activities, payment history and transactions with us or third parties;
• authentication data (e.g. signature sample), order data (e.g. payment order) or data from the fulfilment of GRENKE's contractual obligations (e.g. sales data in payment transactions), advertising and sales data (incl. advertising scores) and documentation data (e.g. consultation minutes);
• credit information, being credit related personal information lawfully  created and accessible within the Australian credit reporting system including
• identifcation information;

• whether you have or have not met any monthly repayment obligations;
• whether you have defaulted on a payment (ie. a payment that is at least 60 days overdue and over $ 150.00 in value) provided  GRENKE has notified  you in accordance with the Privacy Act;
• whether you have paid any amount previously reported as being in default;
• that another credit provider has sought credit-related personal information about you from a credit reporting body;
• information about the types of consumer or commercial credit, and the amounts of credit, you have sought from a credit provider;
• information about court proceedings related to credit provided to you or for which you have applied;
• personal insolvency information and other publicly available information relating to your credit worthiness;
• a credit provider’s reasonable belief that you have committed a serious credit infringement; and
• any other information lawfully obtainable within the Australian credit reporting system;

• consumer credit liability information which includes information about your credit providers and credit accounts, including  the dates on which the accounts are opened and closed, their limits,  and their terms and conditions (or any changes to their terms and conditions);

• credit eligibility  information which is credit-related information about you that GRENKE obtains  from a credit reporting body such as Equifax Pty Ltd (formerly  VEDA Advantage Information Services Solutions Limited (Veda)) (Equifax) or CreditorWatch Pty Ltd (CreditorWatch) (the details of which are set out in paragraph 6) , together with information GRENKE derives from such information based on its own analysis including source of assets and internally generated scores, ratings and other assessments used to evaluate your credit worthiness. GRENKE generally receives from Equifax/CreditorWatch information about existing credit accounts, previous defaults, repayment history information etc; and
• sensitive information including criminal record information where you are applying for a position  with GRENKE and it is relevant to the recruitment process through which you must progress following your application to GRENKE.

In some circumstances GRENKE may also hold other personal information provided by you.

Are you obligated to provide personal information?

As part of your business relationship with GRENKE, you must provide the personal information required in order to enter into a business relationship and perform its associated contractual obligations, or the personal information that GRENKE is required to collect by law. Without this information, GRENKE will generally not be able to enter into or perform the contract with you.

In particular, according to the money laundering legislation, GRENKE is obligated to identify you prior to entering into a business relationship with you.  To verify your identity we use the credit reporting bodies listed in section 6 below by lodging a verification request which includes your personal information such as your name, date of birth, and address. In order for us to be able to fulfil this legal obligation, you must provide us with the necessary information and documents in accordance with the Anti-Money Laundering and Counter-Terrorism Act 2006 (Cth) and immediately notify us of any changes during the course of the business relationship. If you do not provide us with the necessary information and documents, we may not enter into or continue your desired business relationship.

3. HOW DOES GRENKE COLLECT PERSONAL INFORMATION?

Generally,  GRENKE collects  your personal  information directly from you, through the completion of a manual or online form, your access to the myGRENKE portal (see paragraph 4), an interaction or exchange in person or by way of telephone, facsimile, email, post, through the use of the GRENKE website or through a third party. There may be occasions when GRENKE collects your personal information from other sources such as from:

• a corporate entity of which you are an employee, director
  • or other representative,  where necessary for GRENKE to provide its products and services to the corporate entity through you;
• the completion of an application form by another person or entity that lists you as a director, guarantor or trade reference;
• Equifax/CreditorWatch or other credit reporting body;
• other credit providers;
• an information services provider;
• a publicly maintained record or other publicly available sources of information including social media and similar websites;
• GRENKE’s own records  about you, from which  GRENKE may internally  generate its own scores, assessments or deductions, particularly in relation to your credit worthiness;
• if for recruitment purposes, an external recruitment or background screening services provider; or
• business  partners  of GRENKE, such as resellers, who may collect your personal information on GRENKE’s behalf.

Generally, GRENKE will  only collect  your personal  information from sources other than you if it is unreasonable or impracticable to collect your personal information from you.

4. The myGRENKE portal

You may access myGRENKE via the URL https://my.grenke.com or by clicking the hyperlink. You or any user designated by you (hereinafter collectively referred to as the “user”) may access information and several services on myGRENKE. If you wish to use myGRENKE, you need to register first and enter personal information. An overview of the type, scope, purposes of, and, if applicable, legal bases for processing of personal information in connection with the registration and use of myGRENKE is provided below.

In order to access your user account on myGRENKE you need to enter the following information:

• family name
• first name
• e-mail account
• password

You cannot register and use the myGRENKE portal without providing this compulsory information. We process the compulsory information provided by you to create your user profile and to identify you during each login, and to match and link your personal information with the information we have in our IT systems. Depending on the service that you use on the myGRENKE portal, additional personal information may be collected and subsequently linked to your existing information.

Following the successful registration, you may retrieve information and use the services below:

• Invoice delivery:

Information collected:  The “Invoice Delivery” service will let you view and download the invoices available for your contract. In particular, contract data (contract master data and contract invoicing information) such as customer number, contract number, invoice number, invoice amount and date, and due date will be processed. This data is linked exclusively to your business, but in part may be linked to you personally, e.g., if you are our customer as a sole trader, if we process information on contact persons of a company, or if you provide us with information on individual employees of your business.

Purpose of collection:  We process the collected data and personal information to display this on your contract. Personal information and data provided while using the service will be processed by us for the implementation of the service and the fulfillment of a contract with you.

Storage period:  As a rule, we store data and personal information for term of the contract. Invoices will be available in myGRENKE for a period of three (3) years after the invoice was issued.  Your personal information may be processed and stored for longer periods in accordance with mandatory retention periods under Australian law.

• Offer Generation

Information collected:  By opening the “Offer Generation” service, the user can view the contract master data and contract terms. Next you may request a non-binding new offer under your framework contract by entering the necessary information, such as property to be leased, contract term, etc.

In particular, contract information (contract master data and contract invoicing information) such as customer number, customer name, contract number, order volume, and payment information will be processed. This information is linked exclusively to your business, but in part may be linked to you personally, e.g., if you are our customer as a sole trader, if we process information on contact persons of a business, or if you provide us with information on individual employees of your business.

In addition, you may upload various documents in a number of data formats in order to enable us to prepare a new offer (e.g., pro forma invoice, equipment lists, etc). In this situation you may decide at your own discretion which information you make available to us and whether, for example, personal information can be derived about natural persons (e.g., if documents contain information on individual employees of your business). This is beyond our control. Please note, that you are, therefore, responsible for ensuring that you comply with the Privacy Act requirements regarding the transfer of personal information.

Purpose of collection:  We process the collected data and personal information to display information on your contract and to enable you to request offers to enter into individual contracts. Personal information and data provided while using the service will be processed by us for the implementation of the service and the fulfillment of our contract with you.

Storage period:  As a rule, we store the collected data and personal information for the term of the contract. We will store data and personal information that we process for the preparation of an offer during the contract initiation phase only as long as necessary for attaining the purposes for which the data and personal information had been collected. We generally erase or delete your data and personal information when contractually agreed supplies and/or services have been fully provided and the statutory warranty periods have expired, unless we are allowed and/or obliged under the Privacy Act to store your personal information beyond this date.

• Master Data Management

Information collected:  There is a contact form in the myGRENKE portal by which you may request updates of your customer master information, such as your banking details. The requested changes will be manually verified by us and updated in our IT system. In this event, you may decide at your own discretion which information you make available to us and whether, for example, personal information can be derived about natural persons (e.g., if you are our customer as a sole trader, if we process information on contact persons of a company, if or you provide us with information on individual employees of your business).

Purpose of collection:  When you contact us (e.g. via contact forms), we will store your data and personal information for the purpose of processing your request and in case further correspondence should follow.

Storage period:  We delete the data and personal information provided by you as soon as the purpose of its collection entirely ceases to apply and no other legal reason applies (e.g., further processing of the data and personal information is or becomes necessary for the fulfillment of a contract). If and as long as statutory retention periods under the Privacy Act apply, we will not delete your personal information until any such statutory periods have expired.

5. WHY DOES GRENKE NEED YOUR PERSONAL INFORMATION?

GRENKE collects, holds, uses and discloses  your personal  information where it is reasonably necessary for the purposes of:

• the provision of GRENKE’s products  and services,  specifically office communication equipment leasing services;
• relationship management with GRENKE’s clients / customers and suppliers;
• assessing an application for, and if successful, administering a lease arrangement, or other commercial trading / credit account, with GRENKE;
• accounting, billing and other internal administrative purposes;
• identifying and informing you of products and services that may be of interest to you from GRENKE or selected third parties;
• assessing your application for employment with GRENKE or otherwise for the purpose of engaging you as a contractor or consultant; and
• any other legal requirements including for compliance with GRENKE’s obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and the Personal Property Securities Act 2009 (Cth).
• Quality assurance to optimize internal business processes

GRENKE may also use your personal information for purposes related to the above purposes and for which you would reasonably expect GRENKE to do so in the circumstances,

or where you have consented or the use is otherwise in accordance with law.

Where personal information is used or disclosed, GRENKE takes steps reasonable in the circumstances to ensure it is relevant to the purpose for which it is to be used or disclosed. You are under no obligation to provide your personal information to GRENKE. However, without certain information from you, GRENKE may not be able to provide its products and / or services to you.

6. TO WHOM DOES GRENKE DISCLOSE YOUR PERSONAL INFORMATION?

GRENKE discloses your personal information for the purpose for which GRENKE collects it. That is, generally, GRENKE will only disclose your personal information for a purpose set out at paragraph 5. This may include disclosing your personal information to:

• third parties engaged to perform administrative or other business management functions;
• people or entities considering acquiring an interest in GRENKE’s enterprise  or assets;
• business  partners  of GRENKE, such as resellers;
• GRENKE’s professional advisors including its accountants and legal advisors, contractors, consultants and related bodies corporate;
• GRENKE’s parent company,  GRENKE AG and GRENKE Digital GmbH all of which are located in Germany;
• BloomReach B.V. which is located in Netherlands.
• insurance providers; and
• regulatory bodies if and as necessary, including but not limited to the Australian Financial Security Authority.

GRENKE may also disclose  your personal  information, including your credit information, to lenders, other credit providers and credit reporting bodies, Equifax/CreditorWatch (contactable on the details set out below).  In particular, GRENKE may disclose to Equifax/CreditorWatch information about you failing to meet your payment obligations or if you commit a serious credit infringement. Equifax/CreditorWatch may include any information provided to it by GRENKE in reports that are then provided to other credit providers for the purpose of such credit providers assessing your credit worthiness.

GRENKE’s disclosures of your personal information to third parties are on a confidential basis, in accordance with relevant non-disclosure agreements, and / or otherwise in accordance with law. GRENKE may also disclose your personal  information with your consent or if disclosure is required or authorised by law.

Equifax/CreditorWatch can be contacted:

• in accordance with its privacy policy at:

http://www.equifax.com.au/privacy  -  http://www.creditorwatch.com.au; and / or

• at: Equifax Australia Personal Solutions Pty Ltd, PO Box 964, North Sydney NSW 2059  -  CreditorWatch, GPO Box 276, Sydney, NSW, 2001

or otherwise through the ‘contact us’ form at https://www.equifax.com.au/contact  or  https://creditorwatch.com.au/contact/?customer=no.

Equifax’s policy on its management of credit related personal information can be accessed through its website at: http://www.equifax.com.au/privacy.

CreditorWatch's policy can be accessed through its website at: https://creditorwatch.com.au/privacy/.

7. OVERSEAS DISCLOSURE

GRENKE may disclose personal information, including credit related personal information, to overseas recipients in order to provide its products and / or services and for administrative, data storage or other business management purposes. Recipients of such disclosures include its parent company, GRENKE AG and GRENKE Digital GmbH all of which are located in Germany. Additional party is our website provider BloomReach B.V. located in the Netherlands.

By providing your personal information to GRENKE, you consent to GRENKE disclosing your personal information to any such overseas recipients for purposes necessary or useful in the course of operating our business, and agree that APP 8.1 will not apply to such disclosures.  For the avoidance of doubt, in the event that an overseas recipient breaches the Australian Privacy Principles, that entity will not be bound by, and you will not be able seek redress under, the Privacy Act. . If you have any queries or objections to such disclosures, please contact GRENKE’s Privacy Compliance Officer on the details set out in paragraph 12.

8. DIRECT MARKETING

GRENKE may use and disclose your personal information in order to inform you of products and services that may be of interest to you. In the event you do not wish to receive such communications, you can opt-out by contacting GRENKE via the contact details set out in paragraph 12 or through any opt-out mechanism contained in a marketing communication to you.

GRENKE will not use or disclose credit-related personal information for direct marketing purposes except to the extent permitted under the Privacy Act, for the purpose of Equifax/CreditorWatch assessing your eligibility  to receive direct marketing communications  sent on behalf of GRENKE. You may make a request directly to Equifax/CreditorWatch not to use your credit-related personal information for these purposes.

9. NEWSLETTER

In order to receive the GRENKE newsletter, you must enter your name and e-mail address. You can also enter and submit further optional information. After you have submitted your e-mail address, you will receive an e-mail from us to the e-mail address you have specified, in which you must click a confirmation link to verify the e-mail address you provided.

Your data will be stored by us only for the purposes of sending our newsletter. In addition, we store your IP address and the date of your registration in order to be able to prove the newsletter subscription in case of doubt. In addition, in order to measure the success of our newsletter, we collect data on whether the newsletter is opened, when it is opened and which links are clicked.

For the delivery of our newsletter we work with the Eloqua service of the provider ORACLE Nederland B.V., Hertogswetering 163, 3543 AS Utrecht, P.O. Box 40387, 3504 AD Utrecht, The Netherlands. Newsletters sent with the help of Eloqua use tracking technologies. We use this data primarily to find out which topics are of interest to you by tracking whether our emails are opened and which links you click on. We then use this information to improve the e-mails we send you and the services we provide, and to link them to existing tracking or profiling information. We will not be able to track your emails if you have disabled the display of images in your email program by default. In this case, however, the newsletter will not be displayed in full and you may not be able to use all the features. If you display the images manually, the above-mentioned tracking will take place. For further information on using Eloqua, please refer to our Cookie Policy which is available here.

You can unsubscribe from the newsletter at any time by clicking the unsubscribe link at the bottom of the newsletter.

11. CAN YOU ACCESS AND CORRECT THE PERSONAL INFORMATION THAT GRENKE HOLDS ABOUT YOU?

GRENKE takes steps reasonable in the circumstances to ensure personal information it holds is accurate, up-to-date, complete, relevant and not misleading. Under the Privacy Act, you have a right to access and seek correction of your personal information that is collected and held by GRENKE.

If at any time you would like to access or correct the personal information that GRENKE holds about you, or you would like more information on GRENKE's approach to privacy, please contact GRENKE’s Privacy Compliance Officer on the details set out in paragraph 12 below. GRENKE will grant access to the extent required or authorised by the Privacy Act or other law and take steps reasonable in the circumstances to correct personal information where necessary and appropriate.

Where necessary to resolve a request for correction of your credit related personal information, GRENKE may also consult with other relevant entities, including but not limited to Equifax. GRENKE’s use or disclosure of your credit related personal information for correction purposes is permitted by the Privacy Act.

To obtain access to your personal information:

• you will have to provide proof of identity to ensure that personal information is provided only to the correct individuals and that the privacy of others is protected;
• GRENKE requests that you be reasonably specific about the information you require; and
• GRENKE may charge you a reasonable administration fee, which reflects the cost to GRENKE, for providing access in accordance with your request.

Alternatively, if you would like to access personal information held about you by Equifax/CreditorWatch, please contact Equifax/CreditorWatch on the contact details set out in paragraph 6.

GRENKE will endeavour to respond to your request to access or correct your personal information within 30 days from your request. If GRENKE refuses your request to access or correct your personal information, GRENKE will provide you with written reasons for the refusal and details of complaint mechanisms. GRENKE will also take steps reasonable in the circumstance to provide you with access in a manner that meets your needs and the needs of GRENKE.

If you are dissatisfied with GRENKE’s refusal to grant access to, or correct, your credit related personal information, you may make a complaint to the Office of the Australian Information Commissioner.

12. HOW TO CONTACT US

For further information or enquiries regarding your personal information, or if you would like to opt-out of receiving any promotional or marketing communications, please contact  GRENKE 's Privacy Compliance Officer  at [email protected].

13. PRIVACY COMPLAINTS

Please direct all privacy complaints to GRENKE’s Privacy Compliance Officer. At all times, privacy complaints:

• will be treated seriously;
• will be dealt with promptly;
• will be dealt with in a confidential manner; and
• will not affect your existing obligations  or affect the commercial  arrangements between you and GRENKE.

Specifically, if your complaint relates to credit related personal information and / or GRENKE’s failure to comply  with its obligations regarding credit related personal information under the Privacy Act and / or the Credit Reporting Code:

• GRENKE will acknowledge your complaint within 7 days of receipt and endeavour to resolve it within 30 days, unless GRENKE informs you otherwise and seeks your agreement in writing;
• GRENKE may consult  with relevant third parties such as Equifax/CreditorWatch and / or other credit providers, in order to sufficiently and expeditiously resolve the complaint; and
• if your complaint relates to GRENKE’s refusal to provide access to, or correct, your credit related personal information, you may complain directly to the Office of the Australian Information Commissioner.

GRENKE’s Privacy Compliance Officer will commence an investigation into your complaint. You will be informed of the outcome of your complaint following completion of the investigation. In the event that you are dissatisfied with the outcome of your complaint, or an extension to the time in which GRENKE will resolve it, you may refer the complaint to the Office of the Australian Information Commissioner.