Bunnings Australia
Retail & Ecommerce
No specific children's data protections identified despite collecting age and date of birth information. No age verification, parental consent mechanisms, or child-specific safeguards mentioned. Very weak coverage of children's privacy requirements. Overall: Good with minor gaps.
10 dimensions · 64 claims · assessed 19 Apr 2026
Score Breakdown
Transparency
Good with minor gaps
7.5/10
Transparency & Clarity
8/10: Comprehensive scope statement covering all business entities, clear definitions section with legal references, specific contact details for privacy officer, structured sections with clear headings, and current version dating. Strong transparency commitment with good navigation structure.
Purpose Limitation & Use
7/10: Detailed primary purposes across eight categories with specific examples, clear secondary use disclosure including cross-brand data sharing, comprehensive marketing uses with opt-out available. However, lacks explicit purpose limitation commitment and relies more on opt-out model than consent for secondary uses.
Policy Maintenance & Accountability
7/10: Clear update notification process, current version dating, designated privacy officer with comprehensive contact details, structured complaint handling with timeframes, and security framework outlined. Good governance structure but lacks specific review frequency commitments.
Data Protection
Good with minor gaps
7.56/10
Data Collection Disclosure
9/10: Exceptionally detailed enumeration of specific data types across seven categories, comprehensive collection methods (direct, automated, third-party), explicit sensitive data handling (facial recognition), and clear disclosure of collection necessity with consequences. Goes beyond basic categories to provide granular specifics.
Third-Party Sharing & Disclosure
8/10: Extensive list of third-party categories with specific purposes, named parties including Flybuys, OnePass, and Related Companies, specific countries for overseas transfers with contractual safeguards. Clear disclosure of law enforcement sharing and advertising network partnerships with opt-out mechanisms.
Data Security
5/10: Lists several security measures including encryption, access controls, and firewalls, but lacks specific details about implementation, certifications, or breach notification procedures. Generic security statements without technical specifics or audit practices mentioned.
Cross-Border Data Flows
7/10: Specific countries and regions named for data transfers, clear contractual safeguards requiring overseas parties to protect information and comply with applicable law. Good notification of transfer destinations but could be more specific about adequacy mechanisms.
Your Rights
Significant gaps
4.6/10
Consumer Rights & Control
8/10: Clear access and correction rights with identity verification requirements, comprehensive complaint mechanism with 30-day response timeframe, specific OAIC escalation process with contact details, and multiple opt-out methods for marketing. Strong coverage of key consumer rights with clear mechanisms.
Automated Decision-Making
3/10: Discloses profiling activities and data analysis for personalisation but lacks explicit automated decision-making disclosure, no specific opt-out rights for automated decisions, and no transparency about decision logic or human review rights. Minimal coverage of this important area.
Children's Data
1/10: No specific children's data protections identified despite collecting age and date of birth information. No age verification, parental consent mechanisms, or child-specific safeguards mentioned. Very weak coverage of children's privacy requirements.