Firstly, your law(s) of reference determine which rules you’re subject to.
Simply put, the laws of a particular region [for example, the EU GDPR] can apply to you in addition to local Australian law even if you don’t live, or run your business or charity (also known as a not-for-profit or NFP) there.
In general, the laws of a particular region can apply if your business or NFP:
➲ Bases its operations there; or
➲ Uses processing services or servers based in the region; or
➲ Offers a service that targets users from that region (for example, by accepting payment in Euros).
So, to be clear, this means that regional regulations may apply to you and/or your business or charity whether or not you are located in the region.
For that reason, it’s always advisable that you approach your data processing activities with the strictest applicable regulations in mind.
Regardless of whether legal obligations apply, all customers/clients today fully expect their personal data will be respected + protected.
Any breach, aside from potentially leading to legal consequences, will directly impact your business reputation, and ultimately could cause your business or charity to shut down due to a public loss of confidence.
This FAQ was extracted from the below blog article "Privacy Policies & Australian Law" by James D. Ford GAICD | Principal Solicitor, Blue Ocean Law Group℠ which was originally published in late 2018 + is hosted on iubenda's website.
By way of full disclosure: Blue Ocean Law Group℠ is iubenda's Legal Network partner in Australia + New Zealand.
Blue Ocean Law Group℠ also collaborates with iubenda to present regular free webinars entitled: