ECA COLLEGE – PRIVACY POLICY

1. Purpose

This Privacy Policy sets out our commitment to protecting the privacy of personal information provided to us, or otherwise collected by us, offline or online, including through this website, our student management system, and our learning management system (our Sites). In this Privacy Policy, “we”, “us”, or “our” means Education Centre of Australia Pty Ltd ACN 111 918 775 and each of its controlled entities including Advance Training Pty Ltd (ACCLM) ACN 164 188 685, Asia Pacific International College Pty Ltd (APIC) ACN 061 101 488, ECA Graduate Institute Pty Ltd (EGI) ACN 128 584 896, Higher Education Leadership Institute Pty Ltd (HELI) ACN 627 475 790, ECA Higher Education Pty Ltd (CHS) ACN 632 587 332 both in Australia and overseas. This Privacy Policy considers the requirements of the Privacy Act 1988 (Cth) and the Australian Privacy Principles. In addition to the Australian laws, individuals located in the European Union (EU) may also have rights under the General Data Protection Regulation 2016/679 (GDPR). Appendix 1 outlines the details of the additional rights of individuals located in the EU as well as information on how we process the personal information of individuals located in the EU.

2. Scope

This Privacy Policy applies to ECA employees, consultants, contractors, and all business partners who act on behalf of ECA and each of its controlled entities both in Australia and overseas.

3. Personal Information

3.1 The personal information we collect The types of personal information we may collect about you include:

3.2 How we collect personal information

We collect personal information in a variety of ways, including:

3.3 How we collect personal information

We may collect, hold, use and disclose personal informatioh3n for the following purposes:

3.4 Disclosure of personal information to third parties

We may disclose personal information to: Where we disclose your personal information to the third parties listed above, these third parties may store, transfer or access personal information outside Australia. We will only disclose your personal information to countries with laws that protect your personal information in a way that is substantially similar to the Australian Privacy Principles, or we will take such steps as are reasonable in the circumstances to ensure overseas third parties protect your personal information in accordance with the Australian Privacy Principles.

3.5 How we treat personal information that is also sensitive information

Sensitive information is a sub-set of personal information that is given a higher level of protection under the Australian Privacy Principles. Sensitive information means information relating to your racial or ethnic origin, political opinions, religion, trade union or other professional associations or memberships, philosophical beliefs,sexual orientation,sexual practices or sex life, criminal records, health information or biometric information. The type of sensitive information we may collect about you includes We will not collect sensitive information about you without first obtaining your consent. Provided you consent to the collection of your sensitive information, we will only collect, hold, use and disclose your sensitive information for the following purposes:

4. Our commitment to you

Your personal information will:

5. Your rights and controlling your personal information

Your choice: Please read this Privacy Policy carefully. By providing personal information to us, you acknowledge that you have read our Privacy Policy and that it sets out how we collect, hold, use and disclose your personal information. Information from third parties: If we receive personal information about you from a third party, we will protect it as set out in this Privacy Policy. If you are a third party providing personal information about somebody else, you represent and warrant that you have such person’s consent to provide the personal information to us. Anonymity: Where practicable, we will give you the option of notidentifying yourself or using a pseudonym in your dealings with us. Unsubscribing: To object to processing for direct marketing/unsubscribe from our email database or opt out of marketing communications, please contact us using the details below or opt-out using the opt-out facilities provided in the communication. Access: You may request access to the personal information that we hold about you. An administrative fee may be payable for the provision of such information. Please note, in some situations, we may be legally permitted to withhold access to your personal information. Correction: If you believe that any information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, please contact us using the details below. We will take reasonable steps to promptly correct any information found to be inaccurate, incomplete, misleading or out of date. Please note, in some situations, we may be legally permitted to not correct your personal information. Complaints: If you wish to make a complaint, please contact us using the details below and provide us with full details of the complaint. We will promptly investigate your complaint and respond to you in writing, setting out the outcome of our investigation and the steps we will take in response to your complaint. You also have the right to contact the relevant authority in the country in which you are based.

6. Storage and security

We are committed to ensuring that the personal information we collect is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures such as the pseudonymisation and encryption of personal information to safeguard and secure personal information and protect it from misuse, interference, loss and unauthorised access, modification and disclosure. We cannot guarantee the security of any information that is transmitted to or by us over the Internet. The transmission and exchange of information is carried out at your own risk. Although we take measures to safeguard against unauthorised disclosures of information, we cannot assure you that the personal information we collect will not be disclosed in a manner that is inconsistent with this Privacy Policy.

7. Cookies and web beacons

We may use cookies on our Sites from time to time. Cookies are text files placed in your computer's browser to store your preferences. Cookies, by themselves, do not tell us your email address or other personally identifiable information. However, they do allow third parties, such as Google and Facebook, to cause our advertisementsto appear on yoursocial media and online media feeds as part of our retargeting campaigns. If and when you choose to provide our Sites with personal information, this information may be linked to the data stored in the cookie. You can block cookies by activating the setting on your browser that allows you to refuse the setting of all orsome cookies. However, if you use your browsersettingsto block all cookies(including essential cookies), you may not be able to access all or parts of our Sites. We may use web beacons on our Sitesfrom time to time. Web beacons(also known as Clear GIFs) are small pieces of code placed on a web page to monitor the visitor’s behaviour and collect data about the visitor’s viewing of a web page. For example, web beacons can be used to count the users who visit a web page or to deliver a cookie to the browser of a visitor viewing that page.

8. Links to other websites

Our Sites may contain links to other websites provided by third parties. We do not have any control over those websites, and we are not responsible for the protection and privacy of any personal information which you provide whilst visiting those websites. Those websites are not governed by this Privacy Policy.

9. Amendments

We may, at any time and at our discretion, vary this Privacy Policy. We will notify you if we materially amend this Privacy Policy by contacting you through the contact details you have provided to us. Any amended Privacy Policy is effective once we notify you of the change. For any questions or notices, please contact our Privacy Officer at: Education Centre of Australia Pty Ltd ACN 111 918 775 Email: [email protected]

APPENDIX 1 – ADDITIONAL RIGHTS FOR INDIVIDUALS LOCATED IN THE EU

Under the GDPR, individuals located in the EU have extra rights which apply to their personal information. Personal information under the GDPR is often referred to as “personal data” and is defined as information relating to an identified or identifiable natural person (individual). This Appendix sets out the additional rights we give to individuals located in the EU, including how we process personal information lawfully, transparently and fairly. Please read the Privacy Policy above and this Appendix carefully and contact us at the details at the end of the Privacy Policy if you have any questions.

What personal information is relevant?

This Appendix applies to the personal information set out in the Privacy Policy above. This includes any sensitive information also listed in the Privacy Policy above, which is known as ‘special categories of data’ under the GDPR.

How we process personal information

We willrely on performing a contractto process your personal information where we are preparing to enter into a contract with you, or we are carrying out our obligations under a contract with you (such asto provide an educational course to you). We will rely on a legal obligation to process your personal information where we are subject to a legal obligation, such as when carrying out our government reporting obligations. We will process your personal information for our legitimate interest to allow you to access and use our website, to send you marketing content we think may be of interest to you, to contact you if you leave your contact details with us or if you otherwise initiate contact with us. You can object to the processing of your personal information for our legitimate interests at any time. See the section below on ‘Objecting to processing’. If we need to rely on consent, we will ask for consent to process any of your personal information for that specific purpose before we process your personal information for that reason. If we rely on consent and you are under 16 years of age, we will seek your parent or legal guardian’s consent to process your personal information for that specific purpose. On your written request, we will provide you with a list of third parties we use to process your personal information.

Data Retention

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements. In some circumstances, you can ask us to delete your data: see ‘Access, erasure and data portability’ below for further information. In some circumstances, we may anonymise your personal information (so that it can no longer be associated with you) for analytics, research or statistical purposes, in which case we may use this anonymised information indefinitely without further notice to you.

Data Transfers

The countries to which we send data for the purposes listed in the Privacy Policy may not have the same data protection laws as the EU. If we transfer your personal information to third parties in other countries: (i) we will perform those transfersin accordance with the requirements of the GDPR; and (ii) we will protect the transferred personal information in accordance with the Privacy Policy, as supplemented by this Appendix.

Extra rights for EU individuals

Objecting to processing: You have the right to object to processing of your personal information that is based on our legitimate interests or public interest. If this is done, we must provide compelling legitimate grounds for the processing which overrides your interests, rights and freedoms, in order to proceed with the processing of your personal information. Restricting processing: You have the right to request that we restrict the processing of your personal information if (i) you are concerned about the accuracy of your personal information; (ii) you believe your personal information has been unlawfully processed; (iii) you need us to maintain the personal information solely for the purpose of a legal claim; or (iv) we are in the process of considering your objection in relation to processing on the basis of legitimate interests. Access, erasure and data portability: You may have the right to request details of the personal information we hold about you or to request that we erase the personal information we hold about you or that we transfer this information to a third party. Rectification: If you believe that any information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, please contact us using the details below. We will take reasonable steps to promptly correct any information found to be inaccurate, incomplete, misleading or out of date.