Our protection statement
Rubicon is committed to protecting your personal information/data (personal data) you provide when you apply to work for us, buy our products or services, or if you just visit our website for information about or to learn more about what we do.
We will comply in our handling of your personal data with all applicable legal requirements depending on the particular country jurisdiction in which you operate This includes:
• The Privacy Act 1988 (Cth) and the Australian Privacy Principles issued pursuant to that Act if you are situated in Australia
• The Data Protection Act 2018 and the European General Data Protection Regulation if you are situated in the European Union or if your personal data is subject to those laws and regulations
• The various laws applicable in the United States including the Health Insurance Portability and Accountability Act if you are situated in the United States.
We refer to these laws generically as Data Protection Laws but the particular laws only apply to your personal data where the provisions of those laws make them apply. For example, Australia Data Protection Laws only apply in Australia. Where a provision in this notice and policy is included because of a particular Data Protection Law, we have made it clear which Data Protection Laws apply.
This Privacy Notice and Policy sets out how Rubicon (‘we’ or ‘us’) will collect, use, disclose and keep secure your personal data. It also covers how Rubicon makes the personal data it holds available to you for access and correction by you in the event that such information is inaccurate or incomplete.
Addresses and contacts
In Australia and for the purposes of the Australian Data Protection Laws, the contact entity is Rubicon Systems Australia Pty (ABN 43 069 232 284) with the principal place of business at 1 Cato Street, Hawthorn, Victoria 3123.
For the purpose of the EU Data Protection Laws, the data controller is Rubicon Water S.L.U. whose principal place of business is at Arbea Campus, Empresarial, Bloque 2 Planta 2, 28108 Alcobendas, Madrid, Spain.
For other jurisdictions please check on our website https://www.rubiconwater.com/ or check with the Australian Privacy Officer (see below for contact details).
Contacting Rubicon – complaints and queries
If you require further information regarding Rubicon’s Privacy Notice and Policy, our treatment or handling of your personal data or if you want to make a complaint or raise a query, you can contact our Privacy Officer by post at one of the addresses set out above (please mark your envelope “For the attention of the Privacy Officer”) or by email at firstname.lastname@example.org
(please state “For the attention of the Privacy Officer” in the subject line).
You can also complain directly to the Australian Privacy Commissioner at https://www.oaic.gov.au/ in Australia. In the EU you can complain to the relevant authority for the particular member state which, in Spain (where we are located) is set out above under ‘Addresses and Contacts’.
What personal data we might collect
Note that when we refer to personal data, we mean personal data as defined by the relevant Data Protection Laws.
However, the personal data that we collect will typically include your name, address, email address, telephone number, job title and other information relating to you personally which you may choose to provide.
Data Protection Laws in most cases, recognise that certain types of personal data are more sensitive than others. These types are known as ‘sensitive’ or ‘special category’ personal data and include information revealing racial or ethnic origin, religious or philosophical beliefs and political opinions, trade union membership, genetic or biometric data, information concerning health or data concerning a person’s sex life or sexual orientation. We will only collect special category data where we need to (for example if you have special requirements we need to meet if you are making site visits or are on our premises) and only where you have given your explicit consent to the processing of such data for one or more of the purposes specified in this Privacy Notice and Policy.
You do not have to provide your personal data if you do not want to. However, if you choose not to do so, you may not be able to take full advantage of the Rubicon service, as some personal data is required in order to match volunteers with suitable volunteering opportunities.
All persons registered as users with Rubicon must be aged 16 years and over.
How and when we collect personal data about you
When you directly give us information
We may collect and store personal data about you when you interact with us through Rubicon and provide your personal data directly to us. For example, this could be when you:
• order our products or use one of our services;
• make an enquiry;
• give us feedback;
• make a complaint; and/or
• apply for a job.
If you disclose personal data about someone other than yourself, you must ensure that you have the relevant individual’s consent to provide their personal information to us.
When you indirectly give us information
When you interact with us on social media platforms such as Facebook, WhatsApp, Twitter or LinkedIn we may also obtain some personal data about you. The information we receive will depend on the privacy preferences you have set on each platform and the privacy policies of each platform. To change your settings on these platforms, please refer to the privacy notices of the social media provider you are using.
We may obtain information about your visit to our website, for example the pages you visit and how you navigate the site, by using cookies (see below).
Purposes for which we may process your personal data
When you interact with us on social media platforms such as Facebook, WhatsApp, Twitter or LinkedIn we may also obtain some personal data about ya
We will only use your personal data for one or more of the following purposes:
• To perform our obligations with regard to performance of our contract(s) with you: Where we need to do so, we will use your personal data in order to carry out our obligations arising from any contracts entered into between you and us for goods or services.
• Direct Marketing: From time to time we may use your personal data to provide you with current information about our products and services, changes to our organisation, or new products or services being offered by us or any company with whom we are associated.
• To respond to requests from you: If you contact us with a query, we may use your personal data to provide you with a response.
• To verify your identity: We will need to use your personal data in order to verify your identity and to assist you if you have forgotten any user name or password.
• To monitor and evaluate usage of the website: We may use your personal data in order to improve current and future performance of the website.
• To process job applications: We may process your personal data if you send or fill in an application form or send us your CV or details in respect of an opportunity to work with us in order to evaluate your suitability and respond to you.
• To manage our records: We may use your personal data In order to record and deal with any complaint you may have, record a request not to receive further notifications, update you about changes to our website or terms and conditions and for other essential internal record-keeping purposes.
• To report contraventions of law: We reserve the right to report any breach of the terms and conditions applicable to use of our website which involves a breach of law to the appropriate authorities including the police and any other regulatory authority.
• To communicate with you: We may use your personal data in order to communicate with you. However, we will only send you information by email, SMS, or phone if you have given us specific consent. If you withdraw your consent and then subsequently opt-in to receive information again, then your most recent preference may supersede.
• To protect your vital interests: We may process your personal data in order to protect your interests where we reasonably think that there is a risk of serious harm or abuse to you or someone else or where there is a possible breach of law (including a data breach that Is notifiable under Data Protection Law), in which case we may need to contact you to notify you of any breach of data security and the consequences for you (see below).
• To conduct market research and surveys: We may invite you to participate in surveys or market research to help us improve our website, fundraising, services and strategic development. Participation is always voluntary and no individuals will be identified as a result of this research, unless you consent to us publishing your feedback.
• To comply with legal, regulatory and tax requirements: We may process and disclose your personal data where we are required to do so under a legal obligation.
Rubicon will not use personal data without taking reasonable steps to ensure that the information is accurate, complete and up to date.
ou. The information we receive will depend on the privacy preferences you have set on each platform and the privacy policies of each platform. To change your settings on these platforms, please refer to the privacy notices of the social media provider you are using.
We may obtain information about your visit to our website, for example the pages you visit and how you navigate the site, by using cookies (see below).
Lawful basis of processing
The processing of your personal data which is subject to the EU General Data Protection Regulation will be done only if and to the extent that at least one of the following applies:
• you have given your consent to the processing of the personal data for one or more specific purposes;
• the processing is necessary for the performance of our contract with you for the use of the Rubicon website and service, or in order to take steps at your request prior to entering into a contract;
• the processing is necessary for compliance with a legal obligation to which we are subject; and/or
• the processing is necessary for the purposes of the legitimate interests pursued by Rubicon, including the efficient provision of the Rubicon service, service improvement, and communications.
If there are additional purposes (other than those identified above) for which we propose to use your personal data, the purposes will be specifically notified to you and your consent requested to the proposed use when we collect your personal data for that specific use. We will always give you the option to decline to provide your personal data or to decline to allow us to use that personal data for the purposes for which we have proposed to use it.
When you come to the Rubicon website, our server attaches a small text file to your hard drive — a cookie. A ‘cookie’ assigns you a unique identifier so that the Rubicon website can recognise you each time you re-enter the website, so we can recall where you’ve previously been on our site, and which keeps track of the pages you view on the website. Cookies help us deliver a better website experience to you.
The information collected by using a cookie is sometimes called “clickstream.” We use this information to understand how our users navigate our website, and to determine common traffic patterns, including what site the user came from. We may use this information to make navigation of our website easier and to help redesign the website from time to time in order to make your experience on our website more efficient and enjoyable.
You also have choices with respect to cookies. By modifying your browser preferences, you have the choice to accept all cookies or disable them, to be notified when a cookie is set, or to reject all cookies. If you choose to reject all cookies you will be unable to use those services or engage in activities that require the placement of cookies. Certain aspects of the site may not function properly if you set your browser to reject all cookies.
Who do we share your information with?
We will only share your data with the following categories of recipient:
• Third-party suppliers: We may need to share your personal data with data hosting providers or service providers who host our website or assist us to deliver our services. These providers will only act under our instruction and are subject to pre-contract scrutiny and contractual obligations containing strict data protection clauses. Rubicon will take reasonable steps to ensure that its contracts with third parties include requirements for third parties to comply with Data Protection Law in their handling of your personal data. For personal data subject to the EU General Data Protection Regulation, we will ensure that the model contractual clauses are included in our contractual arrangements with suppliers with which we share your personal data.
Law enforcement agencies and other official bodies: We will comply with requests where disclosure is required by law, for example, we may disclose your personal information to the government for tax investigation purposes, or to law enforcement agencies for the prevention and detection of crime. We may also share your information with the emergency services if we reasonably think there is a risk of serious harm or abuse to you or someone else.
• We always aim to ensure that your personal data is only used by those third parties for lawful purposes in accordance with this Privacy Notice and Policy.
If a disclosure is not for the purposes we have identified and is not for a reasonably related ancillary purpose or if your upfront consent has not been obtained, Rubicon will not disclose your personal data.
Data quality and security
Rubicon will review, on an ongoing basis, its collection and storage practices to ascertain how improvements to accuracy of your personal data can be achieved.
Rubicon will take steps, to the extent technically practicable, to destroy or anonymise personal data after as short a time as is reasonably possible after requested, unless the law requires otherwise.
Rubicon will take all reasonable steps to require employees and contractors to perform their duties in a manner that is consistent with Rubicon’s legal responsibilities in relation to Data Protection Law.
Rubicon will review, on a regular and ongoing basis, its information security practices to ascertain how ongoing responsibilities under Data Protection Law can be achieved and improved.
It is important to note, that part of the operation of our website involves sending personal data over the Internet which is beyond our control and Rubicon cannot guarantee security of your personal data in transmission (as there are always risks associated with transmitting information across the Internet).
Notification of data breach
In the unlikely event that your personal data is involved in a data breach that is likely to result in serious harm to you, we will inform you and recommend what steps you should take in response to the breach. We will also notify the appropriate supervisory authorities (which in the United Kingdom is the Office of the Information Commissioner and in Australia the Australian Information Commissioner) of eligible data breaches. Each suspected data breach reported to us will be assessed to determine whether it is likely to result in serious harm, and as a result require notification to you.
In the unlikely event that your personal data is involved in a data breach that is likely to result in serious harm to you, we will infa
Your rights as a data subject
You have the following rights as a data subject, by reason of Data Protection Law:
• The right to request access to the personal data that we hold about you (also known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that it is accurate and that we are lawfully processing it.
• The right to request rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• The right to withdraw consent. Where our processing of personal data is based on your having given consent, you also have the right as a data subject to withdraw that consent at any time. Specifically, if you do not wish to receive marketing information, you may at any time decline to receive such information by emailing us at email@example.com. If the direct marketing is by email you may also use the unsubscribe function. We will not charge you for giving effect to your request and will take all reasonable steps to meet your request at the earliest possible opportunity.
• The right to lodge a complaint. You have the right to lodge a complaint with a supervisory authority. In Australia, this is the Australian Privacy Commissioner at https://www.oaic.gov.au/ and in Spain, the supervisory authority is the Protección de datos vacaciones details for which can be found at https://www.aepd.es/.
If you are subject to the General Data Protection Regulation, the following also apply:
• The right to request erasure of the personal data that we hold about you (also known as “the right to be forgotten”). This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
• The right to request restriction of processing about you. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
• The right to object to processing. Where we are processing your personal data solely on the grounds that there is a legitimate interest to do so, and there is something about your particular situation which makes you want to object to processing on this ground, then this enables you to challenge the processing. You also have the right to object where we are processing your personal information for direct marketing purposes.
• The right to data portability. This enables you to ask us to transfer your personal information to another party in certain circumstances.
If you wish to invoke any of the above rights, please contact us using the details set out in the section of this Privacy Notice and Policy headed “Contacting Rubicon – Complaints and queries”.
Third parties and other Privacy Policies
Transferring information overseas
Rubicon will not transfer your personal data overseas (meaning, in the case of Australia, outside of Australia and in the case of the EU, outside the European Economic Area). If at any time, personal data must be sent overseas by Rubicon for sound business reasons, Rubicon will require the overseas organisation receiving the information to provide a binding undertaking that it will handle that information in accordance with Data Protection Law, including as part of any services contract we enter into.
Duration of processing
Rubicon will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. The appropriate retention period for any given type of personal data depends on a range of factors, including the nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure, the purposes for which it was collected, and the applicable legal requirements.
Automated decision-making (including profiling)
Rubicon undertakes no automated decision-making in respect of data subjects.
Plans for further processing
Rubicon has no plans to process personal data for reasons other than the reason for which the data was originally collected.
Changes to our privacy notice and policy
Our Privacy Notice and Policy may change from time to time, so please check this page occasionally to see if we have included any updates or changes, and that you are happy with them because we will not notify you other than in relation to material changes which will be posted as a notification within the website.
The last update to this Privacy Notice and Policy was made on 2 August 2019.
orm you and recommend what steps you should take in response to the breach. We will also notify the appropriate supervisory authorities (which in the United Kingdom is the Office of the Information Commissioner and in Australia the Australian Information Commissioner) of eligible data breaches. Each suspected data breach reported to us will be assessed to determine whether it is likely to result in serious harm, and as a result require notification to you.