CommBank
Banking & Finance
Basic acknowledgment of children's privacy with 14-year age threshold for parental access and consent requirements for 'certain services.' However, lacks specific age verification processes and detailed child-specific protections. Overall: Good with minor gaps.
10 dimensions · 86 claims · assessed 19 Apr 2026
Score Breakdown
Transparency
Good with minor gaps
7.33/10
Transparency & Clarity
8/10. Comprehensive scope statement covering multiple entities and customer types, clear section navigation, specific contact information including international numbers, and current version dating. Strong structural clarity with numbered sections and definitions provided.
Purpose Limitation & Use
7/10. Clear primary purposes stated with detailed secondary uses including AI training, analytics, and de-identification. Marketing opt-out mechanisms provided, though the broad 'where law allows' clause somewhat weakens the purpose limitation commitment.
Policy Maintenance & Accountability
6/10. Current version date provided with website availability for updates, staff training commitment, and international privacy officers mentioned. However, lacks specific review frequency, named privacy officer, and proactive change notification mechanisms.
Data Protection
Good with minor gaps
7.89/10
Data Collection Disclosure
9/10. Exceptionally detailed enumeration of personal information types collected, including specific examples within broad categories. Clear disclosure of collection methods (direct, third-party, digital tracking), sensitive information handling, and legal basis for collection with granular specificity.
Third-Party Sharing & Disclosure
8/10. Comprehensive disclosure of third-party categories with specific named entities (Microsoft, Equifax, Experian) and detailed purposes. Clear contractual safeguards mentioned for overseas transfers and specific opt-out mechanisms for marketing sharing.
Data Security
6/10. Adequate security measures disclosed including physical security, staff training, and CCTV surveillance. However, lacks specific technical details like encryption standards or certifications, relying more on general statements about 'appropriate arrangements.'
Cross-Border Data Flows
8/10. Comprehensive disclosure of specific countries (9 named jurisdictions) with clear purposes for transfers. EU/UK specific mechanisms including standard contractual clauses disclosed, and appropriate safeguards claimed for all transfers.
Your Rights
Good with minor gaps
7.4/10
Consumer Rights & Control
8/10. Comprehensive rights framework with specific access and correction mechanisms, clear 30-day timeframes, detailed complaint escalation to OAIC, and EU/UK specific rights including erasure. Multiple contact methods and clear processes provided.
Automated Decision-Making
8/10. Strong disclosure of automated decision-making in credit processes with specific decision types (eligibility, affordability, terms). AI use clearly disclosed with multiple purposes, and human review rights provided for EU/UK customers, though logic transparency is limited.
Children's Data
5/10. Basic acknowledgment of children's privacy with 14-year age threshold for parental access and consent requirements for 'certain services.' However, lacks specific age verification processes and detailed child-specific protections.