Privacy Policy - Avalon Airport

Privacy Policy

Version date: March 2019

1. Introduction

This privacy policy applies to Avalon Airport Australia Pty Ltd and Avalon Airport Holdings Pty Ltd and their related bodies corporate (referred to as “Avalon” “We”, “Our” and “Us”). We are committed to responsible privacy practices and to complying with the Privacy Principles contained in the Privacy Act 1988 (Cth) (“Privacy Act”) to the extent they apply to Us.

This Privacy Policy sets out Our policies on the management of personal information including how We collect personal information, the purposes for which We use this information, and to whom this information is disclosed.

We may change or update Our Privacy Policy from time to time. At any time, the latest version of Our Privacy Policy is available from Our website at

2. What is personal information?

In this Privacy Policy, “personal information” (“Personal Information”, “PI”) has the meaning set out in the Privacy Act. Essentially, personal information is information or an opinion about an individual who is reasonably identifiable.

Sensitive Personal Information (“Sensitive PI”) involves genetic and biometric information, physical and mental health, racial, political, religious or philosophical beliefs, sexual orientation, criminal records and professional or trade association information.

3. Collection of Personal Information

We collect PI from individuals where the information is reasonably necessary for the Airport Services, legal obligations and activities relating to Avalon business activities.

Some of the specific purposes for which We collect, use and disclose personal information are:

  • to provide goods or services to you or to receive goods or services from you;
  • to verify your identity and eligibility to provide you access to restricted areas of Avalon Airport;
  • for quality, safety and security purposes;
  • to administer surveys, competitions or other promotional activities or events conducted, sponsored or managed by Us or Our business partners;
  • to respond to you if you have requested information (including via Our websites or via an email or other correspondence you send to Us);
  • to combine your information with information We collect from Our service providers, third parties, cookies or web beacons in order to provide you with a more personalised experience and to improve the quality of Our services;
  • to improve Our services;
  • to address any issues or complaints that We or you have regarding Our relationship; and
  • to contact you regarding the above, including via electronic messaging such as SMS and email, by mail, by phone or in any other lawful manner.

For internal human resourcing, We collect PI and Sensitive PI, which We may solicit or request from a third party such as an employment agency or referees in the context of employment. From employees, We request third party information such as next-of-kin and medical practitioner details.

If you apply for employment with Us, We may collect your information for the purpose of:

  • contacting you about opportunities in the future;’
  • providing you with information about working with Us; or
  • considering your application including your qualifications and resume as well as reference information from your nominated referees.
3.1 Types of personal information We collect

The types of personal information We collect from you depends on the circumstances in which the information is collected and may include:

  • Your name, contact details (such as phone number, residential address and email address), employment history and driver licence number;
  • if you visit Avalon Airport, recordings of your image and/or voice through the use of Closed-Circuit Television (CCTV) systems, handheld devices (such as a video camera or smart device) and other surveillance devices;
  • if you use Our car park service, vehicle licence plate numbers and credit card details;
  • if you log in to the Wi-Fi service We provide, We may collect, among other things, the information you input in order to access the Wi-Fi, any MAC address associated with your wireless device, the time and date of your access, your server address and your browser type; and
  • any information posted on Our social media sites or website and other information provided in relation to Your dealings with Us.

If you wish to access and use restricted areas of Avalon Airport, We may collect additional information from you so We can issue you an Aviation Security Identification Card (ASIC) or other form of identification or access card. The information We may collect for those purposes could include:

  • Additional identity information including your place of birth, country of citizenship, gender and your photo; and/or
  • Your previous residential addresses, details of previous criminal offences, details of any pending prosecutions, and information provided to Us by relevant government agencies (such as the outcome of criminal records checks, security assessments and immigration checks).
3.2 Sensitive Personal Information

In providing Airport Services We also collect Sensitive PI. This Sensitive PI is provided by the individual themselves, by parents and guardians, and by third parties such as those involved in the security and health sectors. Where We collect Sensitive PI, We always ask for prior consent in “writing”, where writing includes electronic forms of writing such as email and click-wrap agreements where you tick a box (opt-in).

Except as described in this section, We do not generally require you to disclose any sensitive information to Us. If you do provide Us with sensitive information for any reason, you consent to Us collecting that information and using and disclosing that information for the purpose for which you disclosed it to Us and as permitted by the Privacy Act and other relevant laws.

In addition to the types of personal information identified above, We may collect personal information as otherwise permitted or required by law including any obligations We have under the Civil Aviation Act 1988 and the Civil Aviation Regulations 1988.

Notification of Collection of Personal Information

3.3 How We collect your personal information

We collect personal information in a number of ways. The most common ways We collect your personal information are:

  • directly from you when you visit Avalon Airport, or when you provide it to Us or Our agents or contractors;
  • ia Our website or when you deal with Us online (including through Our social media pages);
  • from Our related companies; and from third parties (for example, from referees if you apply for a position as an employee or contractor with Us).

In most instances, even for non-sensitive PI, where We collect PI, We only do so after a direct request to, and with the consent of the individual to whom the information relates. This Policy is one way that We seek to obtain your consent to processing your PI.

In exceptional circumstance, or when authorised or required by law, We will collect PI from some source other than the individual themselves.

3.4 Use and disclosure of personal information

Where We hold PI about an individual that was collected for a particular purpose (the primary purpose) We will not use or disclose the information for another purpose (a secondary purpose) unless required or authorised by law, the individual has consented, or the individual would reasonably expect Us to use or disclose it for a related purpose. An example of a related purpose in these circumstances might be disclosure to a next-of-kin or health care provider in the case of an employee.

Broadly speaking, We use (process, handle and manage) PI internally for 2 reasons:

  • To provide Airport services; and
  • For internal human resourcing.

This may include disclosing your personal information to the following types of third parties:

  • Our employees, business partners and related companies;
  • Our contractors and other third parties that provide goods and services to Us (including website and data hosting providers, and other suppliers);
  • Our accountants, insurers, lawyers, auditors and other professional advisers and agents;
    payment system operators;
  • f you are an individual contractor to Us or a prospective employee, to Our related companies and HR related service providers;
  • any third parties to whom you have directed or permitted Us to disclose your personal information (e.g. referees);
  • in the unlikely event that We or Our assets may be acquired or considered for acquisition by a third party, that third party and its advisors;
  • third parties that require the information for law enforcement purposes or to prevent a serious threat to public safety; and
  • otherwise as permitted or required by law.

Where We disclose your personal information to third parties We will use reasonable commercial efforts to ensure that such third parties only use your personal information as reasonably required for the purpose We disclosed it to them and in a manner consistent with the Privacy Principles under the Privacy Act.

If you post information to public parts of Our websites or to Our social media pages, you acknowledge that such information (including your personal information) may be available to be viewed by the public. you should use discretion in deciding what information you upload to such sites.

We also use and retain PI records which are required to be retained for legal, business and evidential reasons. Sometimes these PI records come from external sources and third parties, such as government and law enforcement agencies, insurance and financial service providers.

Broadly speaking We disclose PI (release it outside of Our possession or control) for the same primary reasons listed above; providing the service (including third party service providers) for human resourcing, and where there is a legal obligation to do so.

3.5 Dealing with Unsolicited Personal information

Personal Information is sometimes provided to Us in circumstances where We have not requested it. In these circumstances, where the information is unsolicited, We will examine whether it could have been collected under the circumstance under section 4 above. We will then apply Our minds and decide whether this unsolicited information should be retained, de-identified or destroyed. Having made that decision, We will implement the decision within a reasonable time.

We do not actively seek to collect unsolicited information.

3.6 What happens if you don’t provide personal information?

Generally, you have no obligation to provide to Us any personal information requested by Us. However, if you choose to withhold requested personal information, We may not be able to do provide you with the services requested or allow you to participate in the marketing activities that depend on the collection of that information.

4. Direct Marketing

Direct marketing involves communicating directly with you for the purpose of promoting Our services or the goods or services of third-party organisations. We may also communicate with you for the purpose of providing you with special offers. Direct marketing can be delivered by a range of methods including mail, telephone, email or SMS.

We may use and disclose your personal information for the purpose of direct marketing to you where you have consented to Us doing so; or it is otherwise permitted by law.

You can unsubscribe from Our direct marketing, or change your contact preferences, by contacting Us (see section 15 of this Privacy Policy).

5. Adoption, Use or Disclosure of Government Identifiers

We do not adopt, use or disclose government identifiers of an individual as Our own identifiers. 

We do use and disclose government identifiers such as Australian Tax File Numbers, for example, for Our business activities, human resource purposes and where required or authorised by law

6. Anonymity and Pseudonymity

Under some circumstances, you have the right to choose to remain anonymous (you cannot be identified and We do not collect your PI), or you can choose to use a pseudonym (you can use a name, term or description that is different from your own) when dealing with Us.

Circumstances where We give individuals the option to remain anonymous or to use a pseudonym include, for example, where individuals prefer not to be identified, to be left alone, to avoid direct marketing, to keep their whereabouts and choices from others, and to express views in the public arena without being identified. 

Examples of circumstances where We will need to know the identity of the person that We are dealing with relate to the provision of Airport Services, where identification is required or authorised by law, where a refund is requested, for dispute resolution, where access to information is requested for correction of a PI record, and where cost becomes excessive or impractical without knowing the identity of the individual We are dealing with.

7. Cross-border Disclosure of Personal Information

Avalon operates from offices in Victoria Australia.  These operations include all aspects of internal operations that support the Airport services that We provide and include the provision of services that involve PI travelling over telecommunications lines (‘live’ data on switched networks) and the storage of static (archived) PI in data warehouses and on information systems. 

Users of Avalon Airport services are located in Australia and elsewhere in the world, with the result that PI flows (is exported and imported) between numerous countries. 

Avalon relies on various third-party service providers such as telecommunications providers, internet service providers, information security, application, ‘cloud’, email, data warehousing and other technology and communications service providers.  These are based in Australia, and around the world.

Because information systems enable Our Airport services, PI may be located or disclosed in transit (live) and in a static (archived) format in countries outside Australia.  Wherever reasonably possible, We meet international best practice standards and employ recognised technical and other mechanisms such as contractual clauses and other agreements to ensure the security and confidentiality of the PI that We Process under privacy, telecommunications, data laws and other laws.

Despite Our best efforts, there is no guarantee of security or privacy, and individuals are cautioned to consider how their PI moves and is stored on global information systems and to make appropriate choices.

8. How We store and secure personal information

We store personal information on computer databases and/or in hard copy and will take reasonable commercial physical and electronic security measures to protect any records that We hold which contain your personal information. We destroy personal information in a secure manner when We no longer need it.

However, except to the extent liability cannot be excluded due to the operation of statute, We exclude all liability (including in negligence) for the consequences of any unauthorised access to, disclosure of, misuse of or loss or corruption of your personal information. Nothing in this Privacy Policy restricts, excludes or modifies or purports to restrict, exclude or modify any statutory consumer rights under any applicable law including the Competition and Consumer Act 2010 (Cth).

9. Accuracy of the personal information We hold

We try to maintain your personal information as accurately as reasonably possible. We rely on the accuracy of personal information as provided to Us both directly (from you) and indirectly.

We encourage you to contact Us if the personal information We hold about you is incorrect or to notify Us of a change in your personal information. Our contact details are set out in section 16 of this Privacy Policy.

10. Links, cookies and use of Our websites and applications

Our website may contain links to other sites. This Privacy Policy applies to Our website and not any linked sites (including any booking sites) which are not operated or controlled by Us. We encourage you to read the privacy policies of each website that collects your personal information.

We may use “cookies” and similar technology on Our websites and in other technology applications. The use of such technologies is an industry standard and helps to monitor the effectiveness of advertising and how visitors use Our websites/applications. We may use such technologies to generate statistics, measure your activity, improve the usefulness of Our websites/applications and to enhance the “customer” experience.

If you prefer not to receive cookies you can adjust your Internet browser to refuse cookies or to warn you when cookies are being used. However, Our websites may not function properly or optimally if cookies have been turned off.

11. How you can access and correct personal information We hold about you

You may seek access to personal information which We hold about you by contacting Us as described in section 16 of this Privacy Policy. We will provide access to that information in accordance with the Privacy Act, subject to certain exemptions which may apply. We may require that the person requesting access provide suitable identification and where permitted by law We may charge an administration fee for granting access to your personal information.

If you become aware that any personal information We hold about you is incorrect or if you wish to update your information, please contact Us (see section 15 of this Privacy Policy).

12. Data Breaches

12.1 Eligible Data Breach

Under the NDB Scheme, Avalon must notify the Australian Privacy Commissioner and affected individuals of an Eligible Data Breach in relation to PI, credit reporting information, credit eligibility information or tax file number information if, and when:

 a) There is unauthorised access or unauthorised disclosure of the information and a reasonable person would conclude that this is likely to result in serious harm to any individual to whom the information relates; or
b) The information is lost, and the loss will lead to unauthorised access or unauthorised disclosure and consequently to serious harm to individuals.

12.2 Actual Eligible Data Breach

If, and when, Avalon becomes aware of a breach of its network or information systems resulting in the circumstances outlined in 13a and 13b above, Avalon will:

  • Take remedial action;
  • Where remedial action fails to adequately limit the risk of serious harm, notify the individuals concerned, and notify the Office of the Australian Information Commissioner (Commissioner): and
  • Work with the individuals concerned, the Commissioner and law enforcement or other parties to protect everyone and everything concerned.

12.3 Suspected Eligible Data Breach

If, and when, Avalon suspects a breach of its network or information systems resulting in the circumstances outlined above, Avalon will:

  • Undertake an assessment of the situation with a view to establishing the facts; and do so within a reasonable time (thirty (30) business days).
  • When a suspected breach is found to be an actual breach, Avalon will follow the steps above.

If any person suspects or becomes aware of a breach or an impending breach, please contact Us as on the details specified in section 16 of this policy.

13. Queries, comments and complaints about Our handling of personal information

If you have any questions, comments or complaints about Our collection, use or disclosure of personal information, or if you believe that We have not complied with this Privacy Policy or the Privacy Act, please contact Us (see section 15 of this Privacy Policy).

When contacting Us please provide as much detail as possible in relation to your question, comment or complaint.

We will take any privacy complaint seriously and any complaint will be assessed with the aim of resolving any issue within a reasonable time (thirty (30) business days). As in the case of requests to change information, a longer response time may be needed. In this case, We will endeavour to respond within sixty (60) business days. We request that you cooperate with Us during this process and provide Us with any relevant information that We may need.

If you are not satisfied with the outcome of Our assessment of your complaint, you may wish to contact the Office of the Australian Information Commissioner.

14. General Data Protection Regulation

The General Data Protection Regulation (“GDPR”) is a Regulation by which the European Commission intends to strengthen and unify data protection for individuals within the EU (citizens and residents, even when not physically located in the EU). It also addresses the export of such PI outside the EU.

Avalon acknowledges that it is possible that the PI of such individuals may be processed. If this happens, We will make special arrangements to accommodate you in the exercise of your specific rights. Please ensure that you make Us aware of your status if, and when, you become aware that your PI may be processed by Us.

15. Governing Law

The principles outlined in this Privacy Policy and Collection Statement are governed by Australian law.

16. Contact Information

Please email all privacy queries to

If you wish to seek access to or correct or update any personal information We hold about you, or to unsubscribe from Our direct marketing you can also contact Us using the contact details listed above.

Scroll to Top

Our Cookie Policy

We use cookies and other tracking technologies to improve your browsing experience on our website. By browsing our website, you consent to our use of cookies and other tracking technologies.