1. YOUR RIGHTS IN RELATION TO PRIVACY

GC Leasing Melbourne Pty Ltd ACN 615 220 196 and GC Leasing Sydney Pty Ltd ACN 615 226 045 (collectively, grenke) understand the importance of protecting the privacy of an individual’s personal information. This policy sets out how grenke aims to protect the privacy of your personal in- formation, your rights in relation to your personal information managed by grenke and the way grenke collects, holds, uses and discloses your personal information.

In handling your personal information, grenke will comply with the Privacy Act 1988 (Cth) (Privacy Act) and with the 13 Australian Privacy Principles in the Privacy Act. To the extent grenke handles your credit information, grenke will also comply with the Credit Reporting Code. This policy may be updated from time to time.

2. WHAT KINDS OF PERSONAL INFORMATION DOES grenke COLLECT?

Personal information is information or an opinion about an identified, or reasonably identifiable, individual. During the provision of its products and services, grenke may collect your personal information.

Generally, the kinds of personal information grenke collects are (noting that the following personal information may be collected about you in your capacity as an employee, director or other representative of a corporate customer of grenke, as applicable):

• contact and identification information such as your name, address, telephone number, email address, date and place of birth, nationality and drivers licence or ID number;
• financial information about your assets, occupation and income, account balances, account activities, payment history and transactions with us or third parties;
• authentication data (e.g. signature sample), order data (e.g. payment order) or data from the fulfilment of grenke's contractual obligations (e.g. sales data in payment transactions), advertising and sales data (incl. advertising scores) and documentation data (e.g. consultation minutes);
• credit information, being credit related personal information lawfully  created and accessible within the Australian credit reporting system including:
• identification information;
• consumer credit liability information which includes information about your credit providers and credit accounts, including  the dates on which the accounts are opened and closed, their limits,  and their terms and conditions (or any changes to their terms and conditions);
• whether you have or have not met any monthly repayment obligations;
• whether you have defaulted on a payment (ie. a payment that is at least 60 days overdue and over $ 150.00 in value) provided  grenke has notified  you in accordance with the Privacy Act;
• whether you have paid any amount previously reported as being in default;
• that another credit provider has sought credit-related personal information about you from a credit reporting body;
• information about the types of consumer or commercial credit, and the amounts of credit, you have sought from a credit provider;
• information about court proceedings related to credit provided to you or for which you have applied;
• personal insolvency information and other publicly available information relating to your credit worthiness;
• a credit provider’s reasonable belief that you have committed a serious credit infringement; and
• any other information lawfully obtainable within the Australian credit reporting system;
• credit eligibility  information which is credit-related information about you that grenke obtains  from a credit reporting body such as Equifax Pty Ltd (formerly  VEDA Advantage Information Services Solutions Limited (Veda)) (Equifax) or CreditorWatch Pty Ltd (CreditorWatch) (the details of which are set out in paragraph 5) , together with information grenke derives from such information based on its own analysis including source of assets and internally generated scores, ratings and other assessments used to evaluate your credit worthiness. grenke generally receives from Equifax/CreditorWatch information about existing credit accounts, previous defaults, repayment history information etc; and
• sensitive information including criminal record information where you are applying for a position  with grenke and it is relevant to the recruitment process through which you must progress following your application to grenke.

In some circumstances grenke may also hold other personal information provided by you.

Are you obligated to provide personal information?

As part of your business relationship with grenke, you must provide the personal information required in order to enter into a business relationship and perform its associated contractual obligations, or the personal information that grenke is required to collect by law. Without this information, grenke will generally not be able to enter into or perform the contract with you.

In particular, according to the money laundering legislation, grenke is obligated to identify you prior to entering into a business relationship with you. To verify your identity we use the credit reporting bodies listed in section 5 below by lodging a verification request which includes your personal information such as your name, date of birth, and address. In order for us to be able to fulfil this legal obligation, you must provide us with the necessary information and documents in accordance with the Anti-Money Laundering and Counter-Terrorism Act 2006 (Cth) and immediately notify us of any changes during the course of the business relationship. If you do not provide us with the necessary information and documents, we may not enter into or continue your desired business relationship.

3. HOW DOES grenke COLLECT PERSONAL INFORMATION?

Generally, grenke collects your personal information directly from you, through the completion of a manual or online form, an interaction or exchange in person or by way of telephone, facsimile, email, post, through the use of the grenke website or through a third party. There may be occasions when grenke collects your personal information from other sources such as from:

• a corporate entity of which you are an employee, director

or other representative, where necessary for grenke to provide its products and services to the corporate entity through you;

• the completion of an application form by another person or entity that lists you as a director, guarantor or trade reference;
• Equifax/CreditorWatch or other credit reporting body;
• other credit providers;
• an information services provider;
• a publicly maintained record or other publicly available sources of information including social media and similar websites;
• grenke’s own records  about you, from which  grenke may internally  generate its own scores, assessments or deductions, particularly in relation to your credit worthiness;
• if for recruitment purposes, an external recruitment or background screening services provider; or
• business  partners  of grenke, such as resellers, who may collect your personal information on grenke’s behalf.

Generally, grenke will only collect your personal information from sources other than you if it is unreasonable or impracticable to collect your personal information from you.

4. WHY DOES grenke NEED YOUR PERSONAL INFORMATION?

grenke collects, holds, uses and discloses your personal in- formation where it is reasonably necessary for the purposes of:

• the provision of grenke’s products  and services,  specifically office communication equipment leasing services;
• relationship management with grenke’s clients / customers and suppliers;
• assessing an application for, and if successful, administering a lease arrangement, or other commercial trading / credit account, with grenke;
• accounting, billing and other internal administrative purposes;
• identifying and informing you of products and services that may be of interest to you from grenke or selected third parties;
• assessing your application for employment with grenke or otherwise for the purpose of engaging you as a contractor or consultant; and
• any other legal requirements including for compliance with grenke’s obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and the Personal Property Securities Act 2009 (Cth).

grenke may also use your personal information for purposes related to the above purposes and for which you would reasonably expect grenke to do so in the circumstances,

or where you have consented or the use is otherwise in accordance with law.

Where personal information is used or disclosed, grenke takes steps reasonable in the circumstances to ensure it is relevant to the purpose for which it is to be used or disclosed. You are under no obligation to provide your personal information to grenke. However, without certain information from you, grenke may not be able to provide its products and / or services to you.

5. TO WHOM DOES grenke DISCLOSE YOUR PERSONAL INFORMATION?

grenke discloses your personal information for the purpose for which grenke collects it. That is, generally, grenke will only disclose your personal information for a purpose set out at paragraph 4. This may include disclosing your personal information to:

• third parties engaged to perform administrative or other business management functions;
• people or entities considering acquiring an interest in grenke’s enterprise  or assets;
• business  partners  of grenke, such as resellers;
• grenke’s professional advisors including its accountants and legal advisors, contractors, consultants and related bodies corporate;
• grenke’s parent company,  grenke AG, grenke Digital GmbH and the website provider port-neo GmbH, all of which are located in Germany;
• insurance providers; and
• regulatory bodies if and as necessary, including but not limited to the Australian Financial Security Authority.

grenke may also disclose your personal information, including your credit information, to lenders, other credit providers and credit reporting bodies, Equifax/CreditorWatch (contactable on the details set out below). In particular, grenke may disclose to Equifax/CreditorWatch information about you failing to meet your payment obligations or if you commit a serious credit infringement. Equifax/CreditorWatch may include any information provided to it by grenke in reports that are then provided to other credit providers for the purpose of such credit providers assessing your credit worthiness.

grenke’s disclosures of your personal information to third parties are on a confidential basis, in accordance with relevant non-disclosure agreements, and / or otherwise in accordance with law. grenke may also disclose your personal information with your consent or if disclosure is required or authorised by law.

Equifax/CreditorWatch can be contacted:

• in accordance with its privacy policy at: http://www.equifax.com.au/privacy - http://www.creditorwatch.com.au; and / or
• at: Equifax Australia Personal Solutions Pty Ltd, PO Box 964, North Sydney NSW 2059 - CreditorWatch, GPO Box 276, Sydney, NSW, 2001
• or otherwise through the ‘contact us’ form at https://www.equifax.com.au/contact - https://creditorwatch.com.au/contact/?customer=no.
• Equifax’s policy on its management of credit related personal information can be accessed through its website at: http://www.equifax.com.au/privacy.
• CreditorWatch's policy can be accessed through its website at: https://creditorwatch.com.au/privacy/.

6. OVERSEAS DISCLOSURE

grenke may disclose personal information, including credit related personal information, to overseas recipients in order to provide its products and / or services and for administrative, data storage or other business management purposes. Recipients of such disclosures include its parent company, grenke AG, grenke Digital GmbH and the website provider port-neo GmbH, all of which are , located in Germany.

By providing your personal information to grenke, you consent to grenke disclosing your personal information to any such overseas recipients for purposes necessary or useful in the course of operating our business, and agree that APP 8.1 will not apply to such disclosures. For the avoidance of doubt, in the event that an overseas recipient breaches the Australian Privacy Principles, that entity will not be bound by, and you will not be able seek redress under, the Privacy Act. If you have any queries or objections to such disclosures, please contact grenke’s Privacy Compliance Officer on the details set out in paragraph 11.

7. DIRECT MARKETING

grenke may use and disclose your personal information in order to inform you of products and services that may be of interest to you. In the event you do not wish to receive such communications, you can opt-out by contacting grenke via the contact details set out in paragraph 11 or through any opt-out mechanism contained in a marketing communication to you.

grenke will not use or disclose credit-related personal information for direct marketing purposes except to the extent permitted under the Privacy Act, for the purpose of Equifax/CreditorWatch assessing your eligibility to receive direct marketing communications sent on behalf of grenke. You may make a request directly to Equifax/CreditorWatch not to use your credit-related personal information for these purposes.

8. SECURITY OF YOUR PERSONAL INFORMATION

grenke takes steps reasonable in the circumstances to ensure that the personal information it holds is protected from misuse, interference and loss and from unauthorised access, modification or disclosure. grenke holds personal information in both hard copy and electronic forms in secure databases on secure premises, accessible only by authorised staff. Credit eligibility information, such as information grenke receives from Equifax/Creditor Watch for the purpose of assessing credit worthiness, is stored through equally secure methods.

Unless otherwise stated in this Privacy Policy, the usage data and personal information regarding your registration with grenke is deleted as soon as it is no longer required for its intended use and the deletion does not conflict with any statutory retention obligations.

grenke processes and stores other personal information as long as it is necessary for the fulfilment of our contractual and legal obligations. It should be noted that our business relationship is a continuing obligation, which is designed to last for years. If the personal information is no longer required for the fulfilment of contractual or legal obligations, it is regularly deleted, unless its - temporary - further processing is necessary for the following purposes:

• Fulfilment of any legal retention obligations, such as under the Corporations Act 2001 (Cth), the Income Tax Assessment Act 1936 (Cth), the Anti-Money Laundering and Counter Financing Act 2006 (Cth) or and the Personal Property Securities Act 2009 (Cth). The deadlines for retention and documentation are six to twelve years.
• If so requested by a court/tribunal order or if the personal information is relevant for the resolution of a pending correction request or dispute under the Privacy Act.
• Preservation of evidence in the context of the state or territory-based limitation periods. These limitation periods can range from six to 15 years.

If you believe on reasonable grounds that you have been, or are likely to be, a victim of fraud, you may request Equifax/CreditorWatch not to use or disclose credit related personal information it holds about you by contacting Equifax/CreditorWatch on the details set out in paragraph 5.

9. CAN YOU ACCESS AND CORRECT THE PERSONAL INFORMATION THAT grenke HOLDS ABOUT YOU?

grenke takes steps reasonable in the circumstances to ensure personal information it holds is accurate, up-to-date, complete, relevant and not misleading. Under the Privacy Act, you have a right to access and seek correction of your personal information that is collected and held by grenke.

If at any time you would like to access or correct the personal information that grenke holds about you, or you would like more information on grenke's approach to privacy, please contact grenke’s Privacy Compliance Officer on the details set out in paragraph 11 below. grenke will grant access to the extent required or authorised by the Privacy Act or other law and take steps reasonable in the circumstances to correct personal information where necessary and appropriate.

Where necessary to resolve a request for correction of your credit related personal information, grenke may also consult with other relevant entities, including but not limited to Equifax. grenke’s use or disclosure of your credit related personal information for correction purposes is permitted by the Privacy Act.

To obtain access to your personal information:

• you will have to provide proof of identity to ensure that personal information is provided only to the correct individuals and that the privacy of others is protected;
• grenke requests that you be reasonably specific about the information you require; and
• grenke may charge you a reasonable administration fee, which reflects the cost to grenke, for providing access in accordance with your request.

Alternatively, if you would like to access personal information held about you by Equifax/CreditorWatch, please contact Equifax/CreditorWatch on the contact details set out in paragraph 5.

grenke will endeavour to respond to your request to access or correct your personal information within 30 days from your request. If grenke refuses your request to access or correct your personal information, grenke will provide you with written reasons for the refusal and details of complaint mechanisms. grenke will also take steps reasonable in the circumstance to provide you with access in a manner that meets your needs and the needs of grenke.

If you are dissatisfied with grenke’s refusal to grant access to, or correct, your credit related personal information, you may make a complaint to the Office of the Australian Information Commissioner.

11. HOW TO CONTACT US

For further information or enquiries regarding your personal information, or if you would like to opt-out of receiving any promotional or marketing communications, please contact grenke 's Privacy Compliance Officer at service@grenke.com.au.

12. PRIVACY COMPLAINTS

Please direct all privacy complaints to grenke’s Privacy

Compliance Officer. At all times, privacy complaints:

• will be treated seriously;
• will be dealt with promptly;
• will be dealt with in a confidential manner; and
• will not affect your existing obligations  or affect the commercial  arrangements between you and grenke.

Specifically, if your complaint relates to credit related personal information and / or grenke’s failure to comply with its obligations regarding credit related personal information under the Privacy Act and / or the Credit Reporting Code:

• grenke will acknowledge your complaint within 7 days of receipt and endeavour to resolve it within 30 days, unless grenke informs you otherwise and seeks your agreement in writing;
• grenke may consult  with relevant third parties such as Equifax/CreditorWatch and / or other credit providers, in order to sufficiently and expeditiously resolve the complaint; and
• if your complaint relates to grenke’s refusal to provide access to, or correct, your credit related personal information, you may complain directly to the Office of the Australian Information Commissioner.