PURPOSE
Komatsu Australia Pty Ltd and Komatsu Australia Corporate Finance Pty Ltd (Komatsu) respect the privacy of Personal Information. This Privacy Policy (Policy) sets out how Komatsu collects, uses, stores, discloses and otherwise handles Personal Information, including when Komatsu may use Artificial Intelligence (“AI”) tools or automated processing (AI Tools), and how Komatsu complies with the Privacy Act 1988 (Cth), (Privacy Act) and the thirteen Australian Privacy Principles (APPs) as set out in Annexure ‘A’.
To comply with Komatsu’s obligations under the Privacy Act and the APPs, this Policy sets out how Komatsu manages privacy in its organisation.
SCOPE
This Policy applies to all Komatsu employees, officers, contractors, secondees, labour hire workers and other persons who collect, hold, use, disclose or otherwise handle Personal Information for or on behalf of Komatsu (Komatsu Personnel). It applies to Personal Information handled in any format and to all Komatsu systems, services, websites, devices, telematics, applications and AI Tools. In this Policy, AI Tools means computer systems or software that perform tasks such as creating content, recognising patterns, making predictions, classifying information, summarising, translating, transcribing, recommending, scoring or automating a decision or workflow that are approved for use by Komatsu in accordance with Komatsu’s Generative AI Usage Policy. Approved AI Tools must undergo appropriate legal, privacy, cyber security and risk assessments prior to use and must be used in accordance with Komatsu’s information security and data governance requirements.
Komatsu will require suppliers and other third parties that handle Personal Information for Komatsu to comply with privacy and security obligations consistent with this Policy by contract or other appropriate controls.
CONTENT
Komatsu respects the rights of individuals to privacy, and this Policy sets out how Komatsu collects, uses, stores, discloses and otherwise handles Personal Information.
“Personal Information” is information or an opinion Komatsu holds which is identifiable as being about an individual or could reasonably identify an individual:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.
Komatsu has implemented practices so that its management of Personal Information is open and transparent.
3.1 What Personal Information Komatsu collects
In the course of conducting Komatsu’s business, Komatsu may collect the following types of Personal Information from individuals:
• Contact details (including name, address, phone number, fax number and email address);
• Driver’s Licence details (including Licence No, Expiry Date and Date of Birth);
• Information about the goods or services that have been ordered or sold;
• Information from enquiries made;
• Records of communications;
• Financial details;
• Credit card information;
• Creditworthiness information from Equifax;
• Details of past employment, education, training, references, and relevant health information, when applying for employment;
• Information about an identifiable individual that has been generated from AI Tools but only in connection with Komatsu’s business;
• The location of where an individual is operating a Komatsu machine (only in those instances where Komtrax or similar systems are installed on the machine and an operator identification number has been allocated to a Komatsu machine); and
• How an individual operates a Komatsu machine (only in those instances where Komtrax or similar systems are installed on the machine and an operator identification number has been allocated to a Komatsu machine).
Where an individual uses SMART CONSTRUCTION or any of the applications available within the SMART CONSTRUCTION module, Komatsu will also collect the following types of Personal Information:
• Name, address, email address that was registered at the time of entering into the SMART CONSTRUCTION Contract;
• Name, email address and Login ID of the Chief Administrator of the SMART CONSTRUCTION account;
• Name, email address and Login ID of the users to who have been granted the right to use the various applications, which are registered when the SMART CONSTRUCTION account was created;
• Information registered in or uploaded to an application or SMART CONSTRUCTION by the users of the relevant application;
• Download history and usage history of an application; and
• Device and location information of the electronic device being used to access an application within SMART CONSTRUCTION (including the individual identification information and name of the carrier to be connected).
Komatsu only collects Personal Information that is reasonably necessary for, or directly related to, lawful purposes connected with Komatsu’s business of marketing, selling, hiring and servicing of mining equipment and construction and utility equipment, parts and providing training services, including limited and approved use of AI Tools where the collection is necessary and proportionate for those purposes.
Komatsu may also request and collect limited health information from individuals when they apply for employment with Komatsu or when a governmental authority makes a public health order enabling organisations to do so due to an epidemic or pandemic that has been declared by the Australian Commonwealth Government or the World Health Organisation.
Komatsu only collects health information where reasonably necessary for a lawful purpose, including employment, work health and safety, legal compliance or public health purposes. Komatsu will retain health information only for as long as necessary for the purpose for which it may be lawfully used. Health information collected solely to comply with a public health order or to manage an epidemic or pandemic will be deleted or de-identified within 90 days after it is no longer required, unless a longer period is required or authorised by law.
3.2 How Komatsu collects and holds Personal Information
Komatsu collects Personal Information from individuals when individuals interact with Komatsu in person or electronically, when they access Komatsu’s websites (including myKomatsu), when they use or interact with Komatsu systems, applications or AI Tools, in certain instances when they operate a Komatsu machine, if an individual is using SMART CONSTRUCTION or any of the applications within the SMART CONSTRUCTION module and when Komatsu provides goods or services to them.
Komatsu generally collects Personal Information about an individual from the individual directly, unless it is unreasonable or impractical to do so such as where the individual is acting through an agent. Where permitted by the Privacy Act, Komatsu may also collect Personal Information from another person or organisation, including where the individual acts through an agent or authorised representative, where the information is publicly available, where collection from the individual is not reasonably practicable and when Komatsu obtains information from an approved third party supplier.
Where an AI Tool generates, infers, classifies, scores, summarises or otherwise produces information about an identifiable individual, Komatsu will treat that information as Personal Information and handle it in accordance with this Policy.
In relation to customers applying for credit, Komatsu currently collects Personal Information indirectly about the creditworthiness of an individual from Equifax Pty Ltd located at Level 6, 2 Blue Street, North Sydney, NSW 2060, Australia.
Komatsu also currently collects Personal Information indirectly about the suitability of a candidate for an employment placement from various recruitment agencies and has arrangements in place with those agencies to ensure that the relevant agency will notify the individual that their Personal Information is being provided to Komatsu.
Komatsu does not generally seek to collect sensitive information such as information or an opinion relating to race, political opinions, religious or philosophical beliefs, memberships of political associations or professional or trade unions, sexual preferences, criminal records or health information, except as described in this Policy or where reasonably necessary for a lawful purpose connected with Komatsu’s business, where authorised or required by law, or where the individual has consented. Komatsu will apply additional safeguards to sensitive Personal Information and Komatsu Personnel must not input sensitive Personal Information into an AI Tool unless this has been specifically approved in accordance with Komatsu’s Generative AI Usage Procedure, and the information is necessary for an approved purpose.
Komatsu holds Personal Information in physical records, electronic systems, databases, applications, cloud services and approved third party provider environments. Komatsu may combine or link Personal Information with other information it holds where necessary for its business or activities and permitted by law.
3.3 Information provided to individuals
When Komatsu collects Personal Information from individuals, Komatsu will provide those individuals with information regarding its privacy practices which is required to be provided under the APPs which may include, where relevant, information about Komatsu’s use of AI Tools. This information may be provided by referring them to this Privacy Policy and, where appropriate, by giving a collection statement or other notice at or before the time of collection.
If Komatsu collects Personal Information about an individual from a source other than the individual concerned, including through an approved third party supplier, Komatsu will, unless an exception under the Privacy Act applies, take reasonable steps to ensure the individual is aware, as soon as reasonably practicable after the information has been collected, of: the fact that the information has been collected; the purpose for which the information has been collected; the intended recipients of the information; the name and address of the agency that collected the information and the agency holding the information; if the collection is authorised or required by or under law, the particular law; and the rights of access to, and correction of, the information. Komatsu may provide this information directly or, where permitted, through a notice given by another party on Komatsu’s behalf.
3.4 Use and disclosure of Personal Information
Komatsu only uses and discloses Personal Information for the primary purpose for which it was collected, that is to enable Komatsu to conduct its business of marketing, selling, hiring and servicing of new and used mining equipment, construction and utility equipment, parts and providing training services, or for a related purpose, or where the individual has consented or where another exception under the Privacy Act applies.
Komatsu will take such steps which are reasonable in the circumstances to ensure that Personal Information it uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up to date, complete and relevant.
3.5 Direct Marketing
Komatsu will only use or disclose Personal Information for the purpose of direct marketing where such use or disclosure is permitted by the Privacy Act, the Spam Act 2003 (Cth) and any other applicable law. Komatsu may use approved AI Tools to help tailor or measure marketing communications. When engaging in direct marketing, Komatsu will provide a simple means by which an individual may easily request not to receive direct marketing communications from Komatsu and Komatsu will include a prominent statement that the individual may make such a request. Komatsu will also comply with any such request.
3.6 Disclosure of Personal Information overseas
Komatsu may disclose Personal Information to other related entities in the Komatsu group of companies located in Australia, Japan, Indonesia, New Zealand, New Caledonia, Papua New Guinea and to third party suppliers in other countries, including China, the United States of America and the United Kingdom, where such disclosure is reasonably required for the purpose of conducting its business or for purposes ancillary to conducting its business. When Komatsu does so it takes reasonable steps to ensure that those recipients based overseas comply with this Privacy Policy and the APPs. This may include disclosure to cloud service providers, analytics providers and AI Tool suppliers. Where Komatsu discloses Personal Information outside Australia, Komatsu will comply with Australian Privacy Principle 8, including by taking reasonable steps to ensure that the overseas recipient is subject to privacy safeguards that are, overall, comparable to those in the Privacy Act, by using appropriate contractual safeguards, by relying on another permitted basis under the Privacy Act, or by obtaining the individual's informed authorisation where required. If an offshore technology provider holds or processes Personal Information solely for Komatsu and not for its own purposes, Komatsu will require appropriate safeguards to prevent unauthorised use or disclosure.
3.7 Security and retention of Personal Information
Komatsu take reasonable steps to protect Personal Information from misuse, interference and loss and from unauthorised access, modification or disclosure through the use of security procedures, technologies and governance controls.
These controls may include identity and access management, multi-factor authentication, encryption of data in transit and at rest, endpoint protection, logging and monitoring, vulnerability management, backup and recovery controls, network segmentation, secure software development practices and regular security testing.
Komatsu may collect, retain and review audit logs, system activity records and security monitoring information where reasonably necessary to protect systems, investigate suspected security incidents, support operational security, comply with legal obligations or maintain the integrity and availability of Komatsu systems and services. Such monitoring activities will be conducted in a lawful, proportionate and security-focused manner.
If third party suppliers provide support services, including AI Tools, analytics, cloud hosting or software services, Komatsu requires them to appropriately safeguard the privacy and security of any Personal Information provided to them, to use it only for authorised purposes, and to support Komatsu’s obligations under the Privacy Act.
Where AI Tools are used to process Personal Information, Komatsu will take reasonable steps to ensure appropriate safeguards exist regarding access controls, data retention, model training, monitoring, logging and cross-border processing.
Access to Personal Information is restricted to authorised personnel based on business need and least privilege principles.
Where the Personal Information Komatsu collects is no longer required for any purpose for which it may be used or disclosed under the Privacy Act, Komatsu will take reasonable steps to destroy or de-identify the information, subject to legal, regulatory, contractual, audit and record keeping requirements.
3.8 Access to and correction of Personal Information
If Komatsu holds Personal Information about an individual, it will normally, on request by the individual, give the individual access to the information. However, there may be some legal reasons to deny access or to provide access in a particular way. If access is denied Komatsu will provide the individual with the reasons why, except to the extent it would be unreasonable or unlawful to do so.
If Komatsu is satisfied that, having regard to a purpose for which Personal Information is held:
• the information is inaccurate, out of date, incomplete, irrelevant or misleading; or
• an individual requests Komatsu to correct Personal Information held about that individual,
Komatsu will take such steps as are reasonable to correct Personal Information about an individual having regard to the purpose for which it is held, to ensure that the information is accurate, up to date, complete, relevant and not misleading.
3.9 Usage Details & IP Addresses, Cookies, Google Analytics and Customer Feedback
Usage Details & IP Addresses
When an individual visits a Komatsu website (including my.komatsu.com.au), Komatsu may collect certain information such as browser type, operating system and the websites visited before coming to its site. This information is used in an aggregated manner to analyse how individuals use Komatsu’s site, so that Komatsu can improve its site.
Cookies
As is very common for companies, Komatsu uses cookies on its websites. Cookies are very small files which a website uses to identify an individual’s access to its websites and tracks returns to the websites and to store details about an individual’s use of the websites. Cookies are not malicious programs that access or damage an individual’s computer. Komatsu uses cookies to improve the experience of individuals using its websites.
Komatsu’s websites have links to other websites not owned or controlled by Komatsu. Komatsu is not responsible for these sites or the consequences of individuals going on to those sites.
If you would like to learn more about cookies or modify your web browser settings to delete or refuse cookies, please visit the help pages of your web browser.
Google Analytics
Komatsu reserves the right to use cookies to show its own advertisements to individuals whilst they are browsing the internet after having visited Komatsu’s websites, utilising third party platforms including Google Analytics. Google Analytics is a web analysis service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).
Google Analytics uses cookies and similar technologies to collect information about an individual’s activity on its websites to analyse and improve Komatsu’s websites based on an individual’s usage behaviour. The information regarding an individual’s usage of Komatsu’s websites may be transmitted to and stored on Google’s servers. Komatsu has enabled Google’s “Remarketing” function using Google Analytics, Google Display Network Impression Reporting and Google Analytics Demographics and Interest Reporting Advertising Features in Google Analytics with Google Signals activated. Google Signals compiles for Komatsu, multi-platform data reports on Google users that have enabled personalised advertising in an individual’s Google account.
An individual can learn more about the use of cookies for Google Analytics by visiting: https://analytics.google.com
Komatsu uses first and third party cookies, including performance, targeting, tracking and functionality cookies, to collect information about an individual’s activity on its websites to analyse and improve Komatsu’s websites and serve relevant advertisements based on an individual’s usage behaviour. Komatsu will not store any personal details about the individuals, nor provide this to any third party suppliers, as a result of any remarketing campaign. Komatsu’s remarketing campaigns only hold the information about an individual’s visit for the relevant period in accordance with the data retention settings nominated by Google, from their last visit.
An individual can choose to opt out of the Google Analytics Advertising features by visiting: http://www.google.com/settings/ads, and opt out of cookie based ad serving by visiting: http://www.networkadvertising.org/managing/opt_out.asp.
Customer Feedback
When an individual provides feedback on Komatsu’s website located at https://my.Komatsu.com.au, this information will be kept anonymous and not shared with any third party apart from the entity responsible for collecting this information from the website on behalf of Komatsu.
3.10 Availability and Changes
This Privacy Policy will be publicly available free of charge at:
Komatsu may change this Privacy Policy in the future. Updated versions of the Privacy Policy will be uploaded onto the respective Komatsu website.
3.11 Implementation
Komatsu will continue to take reasonable steps to implement practices, procedures and systems to ensure that it complies with the Privacy Act, the APPs and this Privacy Policy. This includes maintaining privacy training, supplier due diligence and reviews of approved AI Tools.
3.12 Complaints and Contact Details
If an individual has any enquiries or complaints about Komatsu’s privacy practices, details of enquiries or complaints can be sent to Komatsu’s Privacy Officer whose details are set out below. Komatsu takes complaints very seriously and will respond shortly after receiving written notice of a complaint.
Note: if contacting the Komatsu Privacy Officer by phone about a complaint Komatsu will also ask that the complaint is put in writing so that the full details of the complaint can be fully investigated.
The contact details for the Komatsu Privacy Officer are as follows:
Email:privacy@komatsu.com.au
Telephone: +61 2 9795 8215
Address: P.O. Box 136, Fairfield NSW 2165
3.13 Notification of serious data breaches
The Komatsu Privacy Officer will notify the Office of the Australian Information Commissioner (OAIC) should the Komatsu Privacy Officer have reasonable grounds to believe that an ‘Eligible Data Breach’ of an individual’s Personal Information as defined in the Privacy Act has occurred or is directed to do so by the OAIC.
Komatsu maintains incident response and cyber security management processes to identify, assess, contain and respond to suspected or actual security incidents involving Personal Information.
An ‘Eligible Data Breach’ happens if:
(a) there is unauthorised access to, unauthorised disclosure of, or loss of, Personal Information held by Komatsu; and
(b) the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the Personal Information relates.
Annexure ‘A’ – The Australian Privacy Principles (APPs)
Australian Privacy Principle 1 – open and transparent management of personal information Australian Privacy Principle 2 – anonymity and pseudonymity Australian Privacy Principle 3 – collection of solicited personal information Australian Privacy Principle 4 – dealing with unsolicited personal information Australian Privacy Principle 5 – notification of the collection of personal information Australian Privacy Principle 6 – use or disclosure of personal information Australian Privacy Principle 7 – direct marketing Australian Privacy Principle 8 – cross-border disclosure of personal information Australian Privacy Principle 9 – adoption, use or disclosure of government related identifiers Australian Privacy Principle 10 – quality of personal information Australian Privacy Principle 11 – security of personal information Australian Privacy Principle 12 – access to personal information Australian Privacy Principle 13 – correction of personal information
Cookies are small text files created by a web browser when a user visits a website. Cookies are stored on your device. Some cookies are only stored for the duration of your site visit whilst others are stored for longer periods of time. The information stored in a cookie is transferred between a website and the browser to provide enhanced functionality and improve the user experience when using the website. Komatsu may collect certain information such as browser type and operating system through the use of cookies to improve your experience. You acknowledge this by using our website.