Magic Millions Sales Pty Ltd (‘the Company’ hereinafter) informs you about its Privacy Policy regarding the protection of your personal data that may be processed by browsing, contacting or contracting services through this website or in any of our establishments.
The Company guarantees compliance with current regulations regarding the protection of personal data through the General Data Protection Regulation (EU) 2016/679 (GDPR), following the guidelines of the Office of the Australian Information Commissioner (OAIC).
The objective of this Privacy Policy is to inform the natural persons who provide their personal data, and/or those who act on their behalf, about the purposes of the use of personal data, the legal bases for the processing, who has access to the data, how to exercise the rights guaranteed by the GDPR, the information retention periods, and the security measures used to maintain the confidentiality, integrity and availability of personal data, among others.
WHO IS RESPONSIBLE OF DATA PROCESSING?
According to data protection, “Controller” means the entity that determines the purposes and means of the processing of your personal data. In these terms, Magic Millions must be considered the Controller.
Controller – Magic Millions Sales Pty Ltd
ABN – 54 078 396 317
Address – 28 Ascot Court, Bundall, Queensland, 4217 (Australia)
Contact Number – +61 (0) 7 5504 1200
Email – [email protected]
WHO IS THE REPRESENTATIVE?
According to data protection, ‘Representative’ means the entity established in the European Union who, designated by the Controller, represents the Controller with regard to its respective obligations under the GDPR.
Representative – ‘by Data’
ABN – 33 420 814 429
Postal Address – PO Box 42034 Branch Office 2, Valencia 46017 (Spain)
Email – [email protected]
Website – www.bydata.eu
WHO IS THE DATA PROTECTION OFFICER?
According to data protection, ‘Data Protection Officer (DPO)’ is the entity who informs and advises the Controller on its obligations under the GDPR and cooperates with the Supervisory Authority.
DPO – ‘by Data’
ABN – 33 420 814 429
Postal Address – PO Box 785 Upper Coomera QLD 4209 (Australia)
Email – [email protected]
Website – www.bydata.eu
WHAT PERSONAL DATA DO WE COLLECT?
All information collected by Magic Millions will be processed fairly, lawfully and transparently.
Likewise, the personal data requested in each of the data processing carried out will consist only of those strictly essential to achieve the intended and informed purpose in each case.
In this way, your data collected will be adequate, relevant and not excessive in relation to the purposes for which they are processed in each case. Therefore, your personal data will be collected for certain explicit and legitimate purposes and will not be further processed in a manner incompatible with said purposes. In addition, they will be updated whenever necessary.
Within the framework of the different data processing on activities carried out by the Controller, the following categories of personal data are collected:
Identification Data – Personal data used to contact, identify or register a natural person.
Social Data – Personal data related to personal characteristics and lifestyle.
Academic and Professional Data – Personal data related to academic levels, training, career and working experience.
Commercial and Marketing Data – Personal data related to preferences in Marketing, Events, Activities and Businesses.
Economic, Financial and Insurance Data – Personal data related to financial situation, insurance and banking details.
Technical Data – Personal data related to technology used to access to websites, applications, software and platforms.
Profile Data – Personal data related to purchases, service preferences, comments and surveys.
Aggregate Data – Personal data related to Statistical or Demographic information to websites, applications, software and platforms (as Cookies).
Minors Data – Personal data related to natural persons under 16 years of age (Only applies to showjumping events.).
Security Data – Personal data (image and videos) recorded by CCTV.
HOW DO WE COLLECT YOUR PERSONAL DATA?
As a general rule, personal data is always collected directly from you, an agent acting on your behalf or a holder of parental responsibility over the child (interested party); however, in certain exceptions, the data may be collected through third parties, entities or services other than you.
In this case, this point will be conveyed to the interested party through the information clauses contained in the different ways of collecting information and within a reasonable period or in the first communication made to the interested party.
FOR WHAT PURPOSE DO WE PROCESS YOUR PERSONAL DATA?
Your personal data is processed for the following purposes:
Business Activity
Manage the purchase and sale of goods and services;
Manage billing, accounting, non-payments, budgets, offers, quotes, deliveries and shipments of goods and services;
Manage contracts and agreements related to goods and services;
Manage the subscriptions, user registrations and cancellations, contacts and queries related to goods and services.
Customer Service
Manage complaints or queries about products and services due to possible breaches of the ethical code or the organisation’s internal regulations, including acts or conduct that may be contrary to general or specific regulations of the sector;
Manage internal information systems related to clients and potential clients;
Manage surveys and feedback to improve the products and services offered, analyse sales trends, improve and market new products, goods and services.
Marketing Management
Promote and advertise the products and services offered;
Make contacts, monitor and create business opportunities;
Manage user registration for newsletters and commercial communications, hold meetings (in person or online) to advise on the products and services offered;
Conduct surveys and feedback tracking;
Organize events, carnivals, shows and actions related to direct marketing.
Website Management
Advertise and market products and services;
Respond to requests for information, goods and services sent by website users through established communication channels;
Manage the registration of web users to access direct sales products and services through the website (e-commerce) and the Analysis of data generated by website visitors.
Social Media Management
Manage communications and data from followers on social networks and offer multimedia content through publications and interactions with them.
The categories of personal data, the conditions of use, the privacy policies and the rules of access to Social Media Networks, can be consulted at the following links:
In no case the Company will use the profiles of followers in social networks to send advertising individually.
Service Providers Management
Manage the services and products of Service Providers and Suppliers (Third Parties) that act on behalf of the Company;
Manage billing, accounting, non-payments, budgets, offers, quotes, deliveries and shipments of goods and services of products, services and assets through service contracts for the Company, its clients, contacts and business relationships.
Personnel Management
Manage hiring (own or contracted staff), payroll management, taxes and social services, occupational risk prevention, health surveillance, expense and cost control, access and schedule control, training, insurance and social benefits, as well as Human Resources Administration.
Job Candidates Management
Manage the process of selecting candidates for a job, enter into a contract to which the Interested Party is a party or take measures at the request of the Interested Party before entering into a contract.
CCTV Recording
Manage the Closed Circuit Television System (CCTV), for the protection of goods and properties, the safety and well-being of staff, clients and visitors, investigate and prevent crimes, work accidents for insurance and legal purposes.
Security Breach Management
Detect, evaluate, manage and report security breaches of personal data in accordance with the GDPR, proceed to formalise the relevant reports to analyse and improve technical and organisational measures to ensure the confidentiality, integrity and availability of information.
Exercise of Data Subjects’ Rights
Respond to and manage requests from interested and affected parties (Data Subjects) in the exercise of the rights granted in the GDPR in compliance with data protection regulations.
LAWFULNESS OF DATA PROCESSING
As a general rule, prior to the processing of your personal data, the Company informs you of the legal basis by which it establishes the legitimacy of the processing of your personal data.
The processing of your personal data is lawful because it applies:
Consent: There is processing based on the express and unequivocal consent of the interested party, through the incorporation of information clauses in the different personal data collection systems, authorizing consent through a clear and affirmative statement or action. Additionally, we inform you that we will only use personal information under this Privacy Policy and, in general, we will request your consent for purposes other than those for which you initially granted them.
Execution of a Contract: for the prior management of a contracted service or product, development of the execution of a contract or subsequent procedures derived from said contract between the Controller and the Interested Party.
Compliance with Legal and Regulatory Obligations: general and specific laws and regulations are applied to the processing of your personal data in relation to business activity, as well as regulations on data protection, which authorize or require the processing of personal data of the interested party and will be shown in the corresponding information clause.
Legitimate interest: data processing based on the legitimate interest of the Controller will be established for the general activity of the business and for the sending of communications or commercial events about products or services similar to those contracted (direct marketing). This processing will only be valid when the interested party has not expressly denied it at the time of collecting their personal data or in any of the communications made.
HOW LONG DO WE STORE YOUR DATA?
Your personal data is stored for the time necessary to fulfill the purpose for which it was collected, as long as the provision of the service, employment or contractual relationship is maintained, there is a mutual interest or for the time provided for in the corresponding regulations.
The following criteria may be applied to the data storage time:
The period established by law, or
Until you exercise the Right to Erasure, or
The period necessary for the purposes for which we collect your personal data, including to satisfy any legal, accounting or reporting requirements.
The data may be stored longer that the time necessary to fulfill the purpose for which they were collected for statistical purposes, for which the appropriate security measures and data minimisation criteria will be applied to guarantee data confidentiality.
WITH WHOM DO WE SHARE YOUR PERSONAL DATA?
When you connect and interact with this website or send an email to Magic Millions, you are providing personally identifiable information for which the Company is responsible.
By providing this information, you give your consent for your personal data to be collected, transferred to us and may be stored by:
| Name | Business Activity | Data Protection |
| B2Bpay | IT Services (Online Payment Service) | The Privacy Act 1988 (Australia) |
| BigCommerce | IT Services (e-Commerce) | ‘EU-US Data Privacy Framework’ |
| Cloudflare | IT Services (Management) | ‘EU-US Data Privacy Framework’ |
| Formplus | IT Services (Forms & Surveys) | Privacy Act of 1974 (USA) |
| IT Services (Email Hosting System) | ‘EU-US Data Privacy Framework’ | |
| Italics Bold | IT Service (Domain Hosting Service) | The Privacy Act 1988 (Australia) |
| Mailchimp | IT Services (Email Marketing) | GDPR Compliance (EU) |
| PayPal | IT Service (Online Payment Service) | GDPR Compliance (EU) |
| Secure Pay | IT Services (Online Payment Service) | The Privacy Act 1988 (Australia) |
| Square | IT Services (Online Payment Service) | The Privacy Act 1988 (Australia) |
| Stripe | IT Services (Online Payment Service) | ‘EU-US Data Privacy Framework’ |
| Vultr | IT Service (Cloud Hosting Service) | GDPR Compliance (EU) |
JOINT CONTROLLERS
According to data protection regulations, where two or more controllers jointly determine the purposes and means of data processing, they shall be Joint Controllers.
These joint controllers have the same responsibilities for compliance with the obligations under data protection regulations, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information related to the processing.
Magic Millions’ business activity related to the real estate sector is co-responsible for processing with:
| Name | Business Activity | Data Protection |
| Donovan + Co. | Equine Property Specialists | The Privacy Act 1988 (Australia) |
Magic Millions business activity related to horse racing is co-responsible for its processing with:
| Name | Business Activity | Data Protection |
| Racing QLD | Principle Racing Authority | Information Privacy Act (2019) (QLD) |
| Racing NSW | Principle Racing Authority | The Privacy Act 1988 (Australia) |
| Racing SA | Principle Racing Authority | The Privacy Act 1988 (Australia) |
| Racing TAS | Principle Racing Authority | Personal Information Protection Act (2004) (TAS) |
| Racing VIC | Principle Racing Authority | The Privacy Act 1988 (Australia) |
| Racing WA | Principal Racing Authority | The Privacy Act 1988 (Australia) |
PROCESSORS
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
To fulfill the purposes described above, when you interact with the Company, your personal data can be shared with:
Judicial Authorities, State and Government Agencies or Public Bodies (if mandatory);
Professional advisers acting as Processors including lawyers, consultants, auditors and insurers;
Providers of Information Technology (IT) Services and systems administration included in the Information Society Services;
Service providers or Suppliers (Processors) acting on behalf of the Company to manage, perform and deliver the products and services offered by the Company.
The following companies process personal data on behalf of the Company, acting as Processors:
Magic Millions hires independent contractors (sole traders) who work on behalf of the Company with the purpose of managing, advising and collaborating in business activities, mainly with services related to Marketing, Events, Carnivals, Public Relations and Sales, among others. For more information about these independent contractors (Processors), please contact [email protected].
INTERNATIONAL TRANSFERS OF YOUR DATA
International Data Transfer means any personal data transferred from a European Union country to a third country or international organisation outside the European Economic Area (EEA)*.
(EEA*: Composed of the 27 EU Member States plus Norway, Iceland and Liechtenstein).
Your personal data is collected directly from outside the European Economic Area with your explicit consent, accepting this Privacy Policy.
The international transfer is subject to one of the exceptions established in article 49 of the GDPR:
You have explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for you due to the absence of an adequacy decision and appropriate safeguards;
The transfer is necessary for the performance of a contract between you and the Controller, or the implementation of pre-contractual measures taken at your request;
The transfer is necessary for the conclusion or performance of a contract concluded in your interest between the Controller and other natural or legal person;
The transfer may be necessary for the establishment, exercise or defence of legal claims.
WHAT RIGHTS CAN YOU EXERCISE?
According to the GDPR, the Rights that assist you are the following:
Right of Access, right to request information from the controller about whether your personal data is being processed. This allows you to receive a copy of the Personal Data we hold about you and to check that we are legally processing it.
Right to Rectification, a right that allows the affected party to request the modification of personal data that is inaccurate or incomplete.
Right to Erasure (‘right to be forgotten’), right to delete or remove the personal data of the interested party. This enables you to ask us to delete or remove your personal data where you have successfully exercised your right to Object (see below), where we may have processed your information unlawfully or where we are required to erase your data to comply with local law.
Right to Object, the right of a person to oppose the processing of their personal data or the cessation of it.
Right to Restriction, right to suspend the processing of the interested party’s personal data in certain cases: where you want exercise the right to Rectification, where data processing is unlawful, where you need us to hold the data to establish, exercise or defend legal claims; or you have objected to use your data while the verification is still pending.
Right to data Portability, the right to request that the Company will provide to another Controller your personal data in a structured, commonly used, machine-readable format.
Right to Object, the right of the interested party to oppose the processing of their personal data or the cessation of it. You also have the right to object where we are processing your personal data for direct marketing purposes.
Automated individual decision-making, the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects on the affected party or significantly affects them in a similar way.
Right to lodge a complaint with a Supervisory Authority if you consider that the data processing does not comply with current regulations.
Right to withdraw consent at any time where the processing is relying on your consent. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.
HOW TO EXERCISE YOUR RIGHTS?
The applicant may exercise their rights through the following means:
Email to [email protected] providing documentation that proves the identity of the applicant (copy of a Photo ID).
Postal mail to PO Box 5246, Gold Coast Mail Centre, QLD 9726 (Australia) providing documentation that proves the identity of the applicant (copy of a Photo ID).
Magic Millions will respond to your request as soon as possible and the maximum period for the resolution of the application is 30 days from receipt, it can be extended for a maximum of 2 months whenever necessary, but you will be notified about it.
COMPLAINT TO A SUPERVISORY AUTHORITY AND SEEKING A JUDICIAL REMEDY
You have the right to lodge a complaint with a Supervisory Authority.
You may submit a complaint if you do not receive a response to your request for the execution of your rights or if you consider that the processing of your personal data breaks the law, and it could affect your rights and freedoms.
You may lodge a complaint with:
The Office of the Australian Information Commissioner (OAIC) www.oaic.gov.au for Australian residents and interested parties.
The Spanish Data Protection Agency (AEPD, acronym in Spanish) www.aepd.es as it is the European Supervisory Authority chosen by the Controller for data protection issues.
All affected parties may submit a complaint to any of the European Supervisory Authorities established by the European Commission.
WHAT COULD THE CONSEQUENCES OF NOT PROVIDING INFORMATION BE?
All interested parties guarantee that the information transmitted or provided, in any of the forms or collection media, is true, accurate and corresponds to the data of the legitimate owner.
The data requested in the established fields marked with an asterisk (*) or those provided in the documents or supports where the information is provided, are strictly necessary in relation to the purpose for which they are collected, or for the provision of optimal service to the interested party or through a legal obligation imposed on the Controller for the processing of their data or a necessary requirement for the conclusion of a contract. The inclusion of data in the rest of the fields is voluntary.
If you do not provide true or accurate information when requested, we may not be able to provide you with the required services or perform the contract we have or are trying to enter into with you. In these circumstances we have the right to cancel or refuse our services, but we will notify you if this is the case at the time.
MINORS
Our services are not intended for minors, so registration is only permitted for people over 18 years of age, except for events related to jumping competitions, where the permission of the parents or guardians of minors will be strictly necessary.
Please note that any possible liabilities that may arise as a result of the use of our services will be the responsibility of the parents or guardians of the minor.
For more information about the processing of personal data of minors, please contact [email protected]
FURTHER DATA PROCESSING FOR DIFFERENT PURPOSE
The Company will not process your personal data for a different purpose that was collected for.
However, in case that the Company has the intention to use your personal data for another purpose, We will contact you, before further processing, to provide you with information about that other purpose and to request your consent.
SECURITY OF YOUR PERSONAL DATA
The security measures adopted by Magic Millions are those required, in accordance with the provisions of Article 32 of the GDPR.
The Company, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying probability and severity for the rights and freedoms of individuals, has established the appropriate technical and organizational measures to guarantee the level of security appropriate to the existing risk.
The Company has sufficient mechanisms implemented to:
Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
Restore availability and access to personal data quickly, in the event of a physical or technical incident.
Verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organisational measures implemented to guarantee the security of the data processing.
These Technical and Organisational measures are available for consultation by the competent Judicial and Supervisory Authorities, and are under continuous review and audit in matters of data protection and privacy.
CCTV
We use a CCTV system in our establishments to protect our staff, property and assets so if you visit us on any of our establishments you will be recorded and informed through approved signals notifying you of your entry in the recording area.
All your images and videos records are secure, and we will not share any image or video records to a third party if it’s not for a legal obligation required by the Justice or Police Force.
Your image will be retained for a period of up to 90 days; exceptions will apply for law enforcement purposes.
For more information about our CCTV Policy, please contact [email protected].
CHANGES IN THE PRIVACY POLICY
Magic Millions reserves the right to modify this Privacy Policy to adapt it to legislative or jurisprudential developments, as well as industry practices.
This Policy will be in force until they are modified by others duly published.