GDPR Policy

At HDAA, we take the privacy and protection of your personal data seriously. This policy outlines how we comply with the General Data Protection Regulation (GDPR) for our users and members who reside in the European Union (EU) or European Economic Area (EEA).

This policy should be read together with our Australian privacy practices. We have updated this page to reflect the 2026 Australian Privacy Act reforms, including strengthened transparency expectations (such as around automated decision-making) and enhanced rights-style controls where applicable.

1. Our Commitment

While HDAA is an Australian-based company, we provide services and training to a global community. We are fully committed to protecting your rights as an EU resident under the GDPR, including your right to control your personal data.

2. Information We Collect

As part of our training, certification, and membership services, we collect the following personal information:

  • Identity Data: First name, last name, nickname, and company name.
  • Contact Data: Email address (used as your unique identifier and primary communication channel).
  • Financial & Transaction Data: Billing address, payment method (via secure third-party providers), purchase date, and product/course identifiers.
  • Training & Certification Data: Course enrolment status, workshop attendance, and exam results (which may be shared with certification bodies/partners such as PeopleCert, HDI, and AXELOS where relevant).
  • User Content: Comments on our resources or posts created within our member community.
  • Technical Data: IP address and tracking data via Google Analytics and Google Tag Manager to help us understand site usage and improve your experience.

3. Legal Basis for Processing

We only process your personal data when we have a lawful reason to do so:

  • Contractual Necessity: To provide the training, membership, or certification you’ve purchased.
  • Consent: When you opt-in to receive our newsletter or marketing materials.
  • Legitimate Interests: To improve our services and website security.
  • Legal Obligation: To comply with tax laws and financial reporting requirements.

4. International Data Transfers

Your data is primarily stored and processed in Australia. Some of our service providers and partners (including PeopleCert, HDI, AXELOS, and Google (Analytics/Tag Manager)) may store or process personal data in countries outside the EEA and outside Australia.

Where GDPR applies and personal data is transferred out of the EEA, we use appropriate safeguards to protect your information, including (where required) European Commission Standard Contractual Clauses (SCCs) and any supplementary measures appropriate to the transfer risk.

Where the Australian Privacy Act applies, we take reasonable steps to ensure overseas recipients handle personal information consistently with Australian privacy requirements, including by using contractual protections and due diligence of suppliers.

5. Your Rights (GDPR + Australia 2026)

If you are located in the EU/EEA, you have rights under the GDPR. We also aim to support equivalent rights reflected in the 2026 Australian Privacy Act reforms (where applicable), including increased transparency and control over personal information.

Your rights may include:

  • Right to Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request that we correct any inaccurate or incomplete information.
  • Right to Erasure (Right to be Forgotten): Request deletion of personal data in certain circumstances (see details below).
  • Right to Restrict Processing: Request that we limit how we use your data in certain circumstances.
  • Right to Data Portability: Request a portable copy of certain data you have provided to us (see details below).
  • Right to Object: Object to our processing where we rely on legitimate interests (and to direct marketing).

Right to Erasure — what this means at HDAA
You can ask us to delete your personal data where, for example:

  • we no longer need it for the purpose it was collected;
  • you withdraw consent (where we rely on consent);
  • you object to processing and we have no overriding legitimate grounds; or
  • processing is unlawful.

Important limits: We may need to keep some information to comply with legal obligations (e.g., tax, accounting, fraud prevention), to establish/exercise/defend legal claims, or where deletion would impact records held by third parties (e.g., certification bodies such as PeopleCert, HDI, and AXELOS). Where we cannot delete information, we will explain why and (where appropriate) restrict further use.

Right to Data Portability — what this means at HDAA
Where applicable, you can request a copy of certain personal data that:

  • you provided to us; and
  • we process by automated means; and
  • we process based on consent or contract.

We will generally provide this in a structured, commonly used, machine-readable format (e.g., CSV) and, where technically feasible, can transmit it to another provider you nominate.

6. Data Retention

We keep your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements (usually 7 years for financial records).

7. How to Exercise Your Rights (and Contact)

To request access, correction, portability, restriction, objection, or erasure of your personal data, contact our Privacy Officer:

Email: pr*****@******om.au

Subject: Privacy / GDPR Data Request

To help us verify your identity and process your request, please include:

  • your full name
  • the email address associated with your HDAA account
  • your account type (e.g., Personal Member, Corporate Member, Training Customer)
  • the request type (e.g., Access, Erasure, Portability)
  • relevant details (what data you want, and any relevant dates/course order details)

Note: If your personal data is deleted, you may lose access to membership benefits and certain historical training/certification records maintained by HDAA. Some records may also be held by third parties (e.g., certification bodies) under their own privacy policies.

8. Automated Decision-Making & AI (Australia 2026 + GDPR)

We do not use your personal data for automated decision-making (including profiling) that produces legal or similarly significant effects.

In line with the 2026 Australian Privacy Act reforms and GDPR transparency expectations, if we introduce any automated decision-making that materially affects individuals, we will:

  • notify you that such processing occurs;
  • explain (in plain language) the logic involved and the main factors used (where appropriate);
  • describe the expected outcomes/impacts; and
  • provide a way to request human review and to challenge or seek an explanation of the outcome (where applicable).

9. Right to Erasure (Data Deletion) — How to Request

You can request deletion of your HDAA account and erasure of personal data we hold by emailing our Privacy Officer.

Email: pr*****@******om.au
Subject: Right to Erasure / Data Deletion Request

Please use the following form layout in your message:

  • Full name: [Enter full name]
  • Email address (account login): [Enter email address]
  • Account type: [Personal Member / Corporate Member / Training Customer / Other]
  • What you want deleted: [Close account and delete all personal data / Delete specific data (describe)]
  • Confirmation: “I confirm I am the account holder (or authorised representative) and I request erasure of my personal data.”

What happens next

  • We may request additional information to verify your identity (and authority, if you are acting for an organisation).
  • We will action valid requests within GDPR timeframes where applicable, and otherwise within a reasonable period.
  • If we must retain some data (e.g., for legal, tax, accounting, fraud prevention, dispute handling, or certification/audit purposes, including records required by PeopleCert, HDI, or AXELOS), we will explain what we are retaining and why.
  • Deletion is generally permanent and cannot be reversed.

10. Data Protection Officer (DPO)

Where required under the GDPR, HDAA will appoint a Data Protection Officer (DPO). If a DPO has been appointed, their contact details will be published here.

DPO Contact: [DPO name / email / postal address]

11. Specific Consent (Marketing & Tracking)

For marketing communications and tracking technologies (including analytics tags), we seek unambiguous, opt-in consent where required. This is consistent with GDPR consent standards and with the expectations of the 2026 Australian Privacy Act reforms for specific, informed consent.

You can withdraw consent at any time by:

  • using the unsubscribe link in marketing emails; and/or
  • updating your cookie/tracking preferences (where available); and/or
  • contacting us at pr*****@******om.au.

HDAA is a membership body that collaborates and shares knowledge throughout the Service and Support Profession. Intellectual Property and Registered information and Trademarks are acknowledged and recognised. This includes our learning programs through HDI, PeopleCert and ITIL®.
