We value your privacy

When you browse our website, we collect information about how you interact with our website with the use of cookies and other technologies such as web server log files.

Cookies are small information files that our website transfers to your device and which are stored on your browser. Cookies are used to remember information about your visits to our website such as, how long you browse, your preferences and other information that we use to enhance your browsing experience and provide a better service on your next visit to our website. We do not use cookies to profile you, track your activities or develop targeted marketing.

You can change your web browser settings to delete or clear cookies currently stored by your browser or to prompt you each time a website wishes to add a cookie to your browser.  However, this may affect some functionality on our website.

We collect the following information:

• Technical information such as: your IP or server address, the type of device you are using, account top level domain name (e.g. .gov, .com, .edu, .org, .au, .nz etc), your computer operating system (e.g. Windows, Linux, Mac OS) and type of browser used (e.g. Internet Explorer).
•  Location and site information such as: the pages you access, documents you download, search terms you use, date and time you visit our website, the time you spend on our website and on different web pages, previous site visited.

We collect this information to help us manage our website efficiently and to improve your browsing experience.

We do not identify your browsing activities, except in the unlikely event of a criminal investigation (e.g. where a law enforcement agency may issue a warrant to inspect our Internet Service Provider's (ISP) logs) or required by law.)

External web links

Our website may contain links to other websites operated by third parties. This Policy does not apply to any third party websites and we are not responsible for the content or the privacy practices of third party websites. We encourage you to consider each third party’s privacy policy on their website and make your own decisions regarding the accuracy, reliability and correctness of material and information found.

What kind of personal information do we collect and hold and for what purposes?

We collect personal information to carry out our business functions, to enhance the provision of products and services to our customers and to procure services from suppliers or engage with third parties.

The kind of personal information we collect often includes your name, address, contact phone number and email address and depends on your relationship with us.

We categorise the kind of personal information we collect and hold and the purposes for collecting the personal information below:

• To provide services to customers and manage customer contracts: This will include customer contact details, such as name, position, signature, address, contact phone number and email address.
• To procure services from suppliers, conduct tenders and manage suppliers and supply contracts: This will include supplier and personnel contact details such as name, address, email, contact phone number, personnel positions and organisation name. We may also collect payment details to pay for services, such as bank account information.
• To promote or market our services. If you request or consent to be included in our mailing lists, we may collect contact details such as name, position, signature, address, contact phone number.
• To conduct recruitment for our business: if you apply to work with us, either directly in person or online, or through a recruitment agency, this may include your personal details such as name, address, email, contact phone number, employment history, educational qualifications, and your working rights.
• To maintain security of our data facilities and premises: This may include identification verification information such as a passport, driver’s licence or other photographic identification document. It may also include onsite information via closed circuit TV (CCTV).

We will take all reasonable steps to ensure the personal information we hold about you remains accurate, up to date and correct.

Sensitive personal information (sensitive information)

Sensitive information in this Policy has the same meaning as in the Privacy Act. Under the Privacy Act sensitive information can include information about a person’s ethnic origin, health information or biometrics, political opinions, religious beliefs, professional or trade association or trade union membership, sexual orientation or practices, or criminal records.

We may collect sensitive information as set out below:

• To ensure our suppliers and personnel accessing our data centre facilities meet security access requirements we may:
  • Conduct background checks - this can may disclose sensitive information such political associations, criminal records or religious affiliations of suppliers, their personnel or our personnel.
  • Identify you using biometric information.
  • Information via CCTV when attending our facilities or premises which may indicate your religious beliefs or ethnic origins.
• To accommodate your needs when attending an event at CDC premises, we may collect health or religious information such as your dietary requirements, food allergies or your accessibility requirements.
• When you apply to work with us, we may ask you about your financial expectations and current salary, the languages you speak or ethnic background, your gender identification, or whether you have any health or accessibility requirements. You do not have to provide this information, and it does not impact your application.

We will only collect sensitive information with your express consent or as permitted by law.

Why so we use personal information?

We use personal information as set out above at section 3 to carry out our legitimate business interests such as to help you interact with us, to address queries or complaints, to help us deliver our products and services to our customers and perform our obligations under a customer contract, or to help us engage with our suppliers to procure services and pay suppliers, to protect the security of our data centre facilities and premises and to comply with the law.  

Depending on your relationship with us, if you do not provide us with your personal information, we may not be able to provide you with our services, communicate with you or respond to your enquiries.

How do we collect personal information? 

We may collect personal information:

• Directly from you – You may provide this to us over the phone, or in writing via emails, documents or online webforms. We may ask you for personal information that is reasonably necessary for us to provide services to you or to procure services from you, or to carry out our business functions or when you visit our website, data centres or premises.
• Indirectly, when we ask others:  We may ask for your personal information from another person or other sources with your consent, for example from police for security clearance purposes or from a previous employer during a recruitment process.

If we receive personal information that we have not asked for and which we could not have legally collected from you, we will either destroy or de identify it. If it is personal information we could have legally collected, we will handle the information in the same way as personal information that we have requested.

How do we store and protect personal information? 

We store personal information physically, in paper form, and electronically on our computer systems or by third party provider.  

We are committed to protecting personal information we hold from unauthorised access, disclosure, misuse, or interference by implementing the following security processes and procedures:

• Paper records are stored in locked cabinets that have restricted or controlled access, within secure areas on premises owned by us.
• Electronic records are stored in systems that are compliant with relevant industry standards and regulatory information security requirements. Compliance with these standards is independently certified annually and we require the same of our third party providers. Emails, for example, are held in a secure corporate tenancy in Australia. All our finance and procurement records are held in a secure data base within Australia.
• Training staff we require all staff to complete training about privacy and information security handling processes, policies and procedures. We circulate internal communications to update staff consistent with our culture of continuous learning and improvement.
• Monitor, test, review and update security protocols: we regularly test our physical and electronic systems. We review our practices against industry best practice.
• We conduct background checks to carefully recruit staff and when engaging suppliers.

How long do we hold personal information?

We hold personal information in accordance with our policies and procedures and applicable legal or regulatory retention periods. We will take reasonable steps to delete, destroy or deidentify personal information as required, and in accordance with our bona fide data security and date retention policies.

Who do we share your personal information with?

We may share your personal information with our related companies, (including those located in New Zealand).

We may also share your personal information with others outside of our organisation such as:

• external service providers so they can perform services on our behalf or help us with our business, such as professional advisors, IT support, and corporate and administrative services
• your authorised representatives or legal advisors or other people, to whom you have asked us to provide your information
• your previous employers to confirm your work history, if you apply to work with us
• relevant external agencies for security clearance requirements
• government and law enforcement agencies to comply with laws
• if our ownership or control of part or all of our business changes we may transfer your personal information to our new owner
• where we are permitted to do so under the Privacy Act; or we are required to do so by law.

Do we transfer your personal information oversees?

We have offices located in Australia and New Zealand and we may disclose your personal information across our corporate group in Australia and New Zealand.

We may procure services from service providers that operate overseas, but we will still require that workloads, including personal information are stored and processed in Australia (or New Zealand, as the case may be) to provide services to you.

Otherwise, we will not disclose your personal information to overseas recipients unless we are required or authorised by law to do so, or have your permission.

What are your rights to access or correct your personal information?

You have a right to request to access, update or correct personal information we hold about you. We will require you to verify your identity and specify what information you require. This is to ensure we only disclose personal information about you and not any other person.

You can request to access or correct your personal information. We may charge our reasonable costs for photocopying or time spent collating the information you request.

To make a request, please contact our Privacy Contact Officer as set out below at section 12 below. We will acknowledge your request within 5 working days and respond to you within 30 days of receiving your request. If we refuse your request to access or correct personal information, we will provide you with our reasons, except if it would be unreasonable to do so (for example, providing a reason could prejudice a legal action).

Data breach

CDC takes data security seriously and has a robust Cyber Incident Response Plan (CIRP) in place to respond to any actual or suspected data breaches which may affect your personal information, in a timely and effective manner.

In the event of a data breach involving personal information, we will:

• immediately assess the nature and scope of the breach:
• take steps to contain and mitigate any potential harm in accordance with best industry practice;
• conduct a prompt investigation to determine whether the breach is likely to result in serious harm to any individuals; and
• where required, notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable, outlining the nature of the breach, the information that has potentially been compromised, and the recommended steps for individuals to protect themselves.

We maintain our CIRP to guide our staff in managing incidents in an efficient and effective manner, and continually focus on improving our systems and practices to prevent future breaches.

How can you make a privacy complaint?

If you have a complaint about the way we handle your personal information, or any access request please contact us, using the details in section 11 below. We will do our best to understand your complaint.

Once we receive your complaint, we will contact you as soon as possible and let you know the time frame of resolving your complaint. We are committed to resolving your complaint as quickly as possible, and generally within 30 days of receiving your complaint.

If you are not satisfied with our response to your complaint, you can submit a request for us to reconsider your complaint.

Contacting the Office of the Australian Information Commissioner (OAIC)

If you remain dissatisfied with the way we respond to your privacy complaint, you can contact the OAIC. In most cases the OAIC will refer complaints to CDC in the first instant. The OAIC’s details are:

• Mail: PO Box 5218 Sydney NSW 2001
• Phone: 1300 363 992 
• Email: enquiries@oaic.gov.au
• Website: Privacy complaints | OAIC

Changes to this Policy

We may update this Policy from time to time. We will publish the updated Policy on our website.

We encourage you to review this Policy periodically to stay informed about how we are protecting your information.

We last updated this Policy in April 2025.

Contact us?

If you have any privacy concerns, please contact our Privacy Contact Officer by:

• Email: contact@cdc.com
• Telephone: 1300 232 232 and ask for the Privacy Contact Officer
• Post: Privacy Contact Officer, PO Box 635, Fyshwick, ACT 2609

Appendix 1 - New Zealand Addendum 

This Schedule contains the additional specific provisions which apply to CDC NZ and any other member of the CDC Group which carries on business in New Zealand.

CDC Data Centres NZ Ltd and other members of the CDC Group which carry on business in New Zealand (“CDC NZ”) comply with the New Zealand Privacy Act 2020 (“the NZ Privacy Act”) and have adopted the Information Privacy Principles (“IPPs”) contained in the NZ Privacy Act.

Disclosure of Personal Information to Overseas Recipients 

CDC NZ may disclose your personal information to other members of the CDC Group located outside of NZ. CDC NZ takes reasonable steps to ensure that the overseas recipients of your personal information are bound by substantially similar or comparable standards as to those which apply under the NZ Privacy Act.

Rights under the NZ Privacy Act 

In accordance with the NZ Privacy Act, under certain circumstances you have the right to:

1. request access to your personal information
2. request correction of your personal information

If you exercise one of the above rights, CDC NZ may need to request specific information from you to help us confirm that you are entitled to make such a request. This is to ensure that personal information is not disclosed to any person who has no right to receive it.

Privacy Statement Enquires and Complaints 

CDC NZ has appointed a Privacy Officer to oversee compliance with the NZ Privacy Act and this Policy.

If you want to exercise any of your rights under the NZ Privacy Act or if you have any queries or complaints about this Policy or how CDC handles your personal information, please contact the CDC Privacy Officer by:

• Email: contactnz@cdc.com or
• Telephone: +64 21 562 120 and ask for the Privacy Contact Officer

There is an option to contact us without identifying yourself or by using a pseudonym. Further information on dealing with us anonymously or by using a pseudonym is in our Privacy Policy above.