Privacy Policy - John Sands

DEFINITIONS

In this Policy, the following definitions apply:

John Sands Group, we, us or our means John Sands (Australia) Ltd (ABN 56 072 528 600), John Sands (NZ) Ltd (company number 666968) and their related entities (as that term is defined in the Corporations Act 2001 (Cth)).

Manager means the representative of the John Sands Group to which the employee/contractor reports in relation to the performance of his or her obligations to the John Sands Group.

personal information has the meaning given in the Privacy Act and includes information or annopinion (whether true or not) about an identified individual, or an individual who is reasonably identifiable.

Privacy Act means the Privacy Act 1988 (Cth).

INTRODUCTION

The John Sands Group respects the privacy rights of all individuals, and is committed to protecting your privacy in accordance with the Privacy Act and the Australian Privacy Principles (APPs). You can find out more information about the Privacy Act and the APPs at the Office of the Australian Information Commissioner’s website at www.oaic.gov.au.

We have developed this Policy to inform you of how we manage your personal information. We may amend this Policy from time to time, and we will publish any updated Policy on our website https://johnsands.com/ (Website).

By providing personal information to us, you are taken to have read, and consent to the collection, use disclosure and handling of your personal information in accordance with this Policy.

HOW DOES THE JOHN SANDS GROUP COLLECT YOUR INFORMATION?

In general, the John Sands Group collects personal information about our customers, contractors, agents, suppliers, employees, and any person who applies to become an employee, contractor, agent or supplier of the John Sands Group.

We will collect personal information in accordance with the APPs and this Policy. We aim to collect personal information only if it is reasonably necessary to provide the products, services or information you have requested from us.

At the time of collection, or as soon as practicable after we have collected it, we will take such steps as are reasonable in the circumstances to notify or make you aware of the collection and of any matters relevant to the collection, unless it is obvious from the circumstances that you
would know or would expect us to have the information.

The John Sands Group may collect personal information about you when you:

make an enquiry with us by phone or email or via our Website or social media accounts (including our Instagram account);
purchase our products or services;
engage with us in the course of receiving products, services or information from us or enquiring about our services, information and products;
visit our Website or social media accounts (including our Instagram account);
subscribe to ‘receive latest updates’ from us;
apply as a candidate for a position of employment with us;
are an emergency contact nominated by one of our employees;
are an artist and make a creative submission to us;
participate in our market research;
participate in any of our promotional competitions or other campaigns;
complete a contract with us, or fill our one of our administrative forms; and
Supply goods or services to us.

In some cases, John Sands may receive unsolicited personal information about you. When unsolicited information is received, we will assess whether we are permitted by law to collect that information, If not, the information will be destroyed or de-identified.

WHAT PERSONAL INFORMATION WE COLLECT

The types of personal information that we collect from you will depend on your interactions with us, what you share with us or whether the law requires us to collect it.

For example, we may collect the following information about you:

name;
email address, phone number, address and other contact details;
age and gender;
credit information;
financial, including bank account, details;
tax file number;
insurance policy number;
details of products or services we have provided to you or the products or services that
you have enquired about, including any additional information necessary to deliver
those products and services and respond to your enquiries;
details about you to assist in managing our relationship with you and providing you with
our products and services; and
information required or authorised to be collected by law.

If you are a prospective employee, we may collect details about your skills, employment history, qualifications, accreditation, right to work in Australia (including passport details, drivers licence or visa type, if applicable) and other details about you to assist with the recruitment process. We
may collect this information from you directly, or from a recruiter. , if you are an employee of UK Greetings Ltd, we may collect your personal information from your employer

We may also collect sensitive information such as driving history (i.e. criminal record), medical or health information about you, including any health conditions that you may have if they are relevant to the products and services we are providing to you or your employment.

PURPOSE OF COLLECTION

Primarily, personal information is collected so that the John Sands Group may:

maintain our customer relationships;
provide our customers with the products and services they request;
provide services to our employees;
help us manage our products and services; and
communicate with you generally in relation to our products and services.

If you:

are a supplier, we may also collect your personal information primarily to contact you for business purposes and manage our relationship with you or your organisation;
are a prospective employee, we may also collect your personal information primarily to contact you throughout the recruitment process; or
are a wholesale customer or agent, we may also collect your personal information primarily to contact you for business purposes and manage our relationship with you or your organisation.

If it is reasonable or practicable to do so we will collect your personal information directly from you.

In certain cases we may collect your personal information from third parties. For example, superannuation funds, medical providers, financial institutions, legal or financial advisers (including insurers or WorkCover), payment organisations or publicly available sources of information.

If it is reasonable to expect that we would use or disclose personal information for purposes which are related to the primary purposes set out above, the information we collect may be used or disclosed to:

improve services to customers;
assist customers with queries or complaints;
manage employment related issues
evaluate our trading relationship with customers, ie. making responsible credit
decisions;
promote, advertise and market any of our products and services;
tell you about developments at the John Sands Group and other products and services
or information that we can provide; and
comply with our legal obligations (including to comply with any law or any lawful request
of a law enforcement agency or government authority) or resolve any disputes.

Generally, we will not direct market to anyone unless they are given an opportunity to opt out of receiving future direct marketing communications. However, if we contact you for the purpose of direct marketing without having obtained your consent first because it is impracticable for us to
do so, we will at that time provide you with the opportunity to decline receiving any further marketing communications from us.

If the information required to offer our products and services is incomplete we may be unable to offer the range of products or services our customers and employees require. In most cases, at the time of collecting your personal information, the person collecting the information will obtain
your consent to collect the information and for the purposes for which we intend to use or disclose your information. You may withdraw your consent at any time. Please note that by withdrawing your consent the John Sands Group may not be able to provide the products or
services that you require.

You may also deal with us anonymously where it is lawful and practicable to do so. For example, if you are only inquiring about our products or services, you do not need to provide your personal details.

USING AND DISCLOSING YOUR PERSONAL INFORMATION

The John Sands Group business is a group of companies that provide greeting cards and related products to retailers.

In line with contemporary business practices, we may collect personal information as a way to provide products and services to our customers and our employees. If we need to collect personal information from you, we will tell you why we are collecting the information, your right
of access to that information, and the consequences if you choose not to provide that information.

We may disclose personal information to external organisations that help us run our business and provide products, services and information to you. The privacy and collection practices of these organisations are governed by their own privacy policies.

The types of organisations may be, but not limited to, those that are:

involved in providing, managing, or administering our products and services such as third party suppliers;
involved in the payment systems we use, including financial institutions, superannuation fund managers, etc.;
involved in reviewing and developing our business systems and procedures including testing or upgrading;
your representatives, including legal advisers; and
our professional advisors and agents.

We may disclose your personal information to recipients located in New Zealand, the United
States of America and the United Kingdom.

We will not otherwise disclose personal information unless disclosure:

is required or authorised by law; or
you have consented to our disclosing the information about you.

CHANGE IN CONTROL OF THE JOHN SANDS GROUP

If we sell or otherwise transfer part or the whole of our business to another organisation (including in the course of a transaction like a restructure, sale, merger or acquisition or as part of a bankruptcy, dissolution, liquidation, administration, receivership or other form of insolvency), you agree that your personal information that is collected by the John Sands Group may be disclosed to a third party, prospective buyer, transferee or insolvency practitioner and that this is reasonable to enable that party to continue or manage the practice.

USING GOVERNMENT IDENTIFIERS

Although in certain circumstances we may be required to collect government identifiers, such as your tax file number, ABN, Medicare number, etc. we will not use or disclose this information other than when required or authorised by law.

PERSONAL INFORMATION SECURITY

The John Sands Group is committed to keeping the personal information you provide to us secure. We will take reasonable precautions to protect the personal information we hold about you from misuse, interference and loss, as well as unauthorised access modification or
disclosure. We store your personal information in different ways, including in paper an electronic form.

Our security measures include:

restricted access to employees’ personal records;
restricted access to our website data base;
employing firewalls, intrusion detection systems and virus scanning tools to prevent
unauthorised persons and viruses from entering our systems;
practicing a ‘clean desk’ policy in all our offices with secure storage locations for
physical records;
detecting and preventing unauthorised access to premises by employing physical and
electronic means; and
using dedicated secure networks or encryption when we transmit electronic data.
We will retain your information as required by law. When the information we store is no longer
required, we will take reasonable steps to ensure that it is effectively destroyed or permanently
de-identified.

We will review our security arrangements from time to time, as we deem appropriate.

ONLINE

Our Website helps us to promote our brands and products. The Website itself collects basic personal information to help us provide our products and services. The access to information from this site is subject to security protocols.

Our service provider collects information on website activity through the use of ‘cookies’. A cookie is a small file saved on your device’s hard drive when you visit our Website. When you return to our Website, the data saved in the cookie is sent back to the Website. We use cookies to assist you in navigating the Website when you return. This information alone does not identify an individual but does provide statistical information to help the John Sands Group analyse and improve our Website. You can ordinarily choose to accept or decline cookies. Most web browsers and mobile applications automatically accept cookies, but you can usually modify your settings to decline cookies if you prefer. This may prevent you from taking full advantage of the Website.

You may view our Privacy Policy on our website by logging on to www.johnsands.com.au.

ACCESS TO PERSONAL INFORMATION

You can request access to the personal information the John Sands Group holds about you. John Sands Group employees can request this information via their Manager. Other individuals may make a written request to the John Sands Group representative they usually deal with, or by contacting our Privacy Officer (details below). We will respond to your access request as soon as practicable and commit to responding in no more than 10 working days. If any of the information is inaccurate please inform your Manager or your John Sands Group representative so we can correct it. We will not charge you for requesting access to your personal information. You may be required to put your request in writing for security reasons.

The John Sands Group will give you access to, or correct, your personal information unless there is a lawful reason for refusing your request for access or correction, including (by way of example) where:

access would pose a serious threat to the life or health of any individual;
access would have an unreasonable impact on the privacy of others;
the request is a frivolous or vexatious request;
the information relates to a commercially sensitive decision making process;
access would be unlawful;
access would prejudice enforcement activities relating to criminal activities and other
breaches of law, public revenue, a security function or negotiations with you; or
denying access is required or authorised by or under law.

If we deny access we will give you the reasons.

ACCESS TO CREDIT REPORTS

The John Sands Group customers have the right to ask for a copy of any credit reports the John Sands Group has obtained from a credit reporting agency. Copies of credit reports may also be obtained directly from the credit reporting agency. You have the right to have any inaccuracies
corrected, or if there is any dispute about the accuracy of the information, a file note can be added to your file explaining the position.

NOTIFIABLE DATA BREACHES

The John Sands Group have a responsibility to advise the Office of the Australian Information Commissioner ( OAIC ) and affected individuals of any eligible data breaches in respect of personal information they hold where the breach is likely to result in serious harm.

An eligible data breach is not limited to, but may include, phishing, malware, ransomware, brute force attack, compromised or stolen credentials and hacking by other means. It also might include social engineering attacks or impersonation or actions taken by a rogue insider. While
cyber incidents are the most common types of attack this also includes loss or theft of paperwork, storage devices, phones or laptops.

Information could include personal information (name, phone number and address ), financial details ( bank details, contact details) , identity information ( TFN, passport details ).

Should you be aware that such a breach has occurred or you suspect it has occurred it is a requirement of your employment that you contact the John Sands Privacy Officer (details below) or a member of the John Sands Group Leadership Team ( LST ). The claim will be investigated by the LST and relevant technical support. Should the claim be found to be a serious data breach the OAIC and affected individuals will be notified and corrective measures put in place.

MAKING A COMPLAINT

We recognise that even in best practice run organisations things can go wrong. Should you have a complaint, we encourage you to tell us so that we can resolve the problem. Employees should contact their Managers and other individuals should contact the John Sands Group representative they usually deal with. We can also be contacted via our Privacy Officer as per the details listed below. You can also make a complaint to the OAIC. Further information is available at www.oaic.gov.au.

If you have any questions or would like further information on our privacy and information handling practices please contact us by:

E mail : ni*********@***********om.au
Telephone : Nikki Earle on 1800 033 411
Facsimile : (03) 9239 3982
Write to : Nikki Earle (Privacy Officer)
John Sands (Australia) Ltd.
Bag 170 Clayton South MDC, Clayton South, VIC, 3169.
VIOLATIONS

Any employee or any contractor who is bound by, and is in breach of this Policy may be subject to disciplinary action, including possible termination of employment or contract and/or legal action if his or her breach constitutes a violation of any applicable law.

Disciplinary Actions

The following disciplinary actions for breaches of this Policy by employees or contractors may
include any combination of the following:

counseling, further education and training;
demotion, transfer, suspension, probation or dismissal;
suspension of system access rights;
official warnings that are noted on personnel files;
disciplinary action against the person who complained if there is strong evidence that
the complaint was fabricated, vexatious or malicious;
financial penalties and recovery of costs;
termination of contractual agreements; and
civil or criminal prosecution.

Factors affecting Disciplinary Action

The outcomes of a complaint will depend on a number of factors such as:

the wishes of the person who made the complaint;
the severity and frequency of the breach;
the weight of the evidence;
the level of contrition; and
whether there have been any prior incidents or warnings.

Any action taken by the John Sands Group against an employee in relation to a breach or an alleged breach of this Policy will be in accordance with the ‘Privacy Policy Complaints Handling Procedure’ to ensure procedural fairness. An Individual alleged to be in breach of this Policy should contact their Manager or the John Sands Group representative they usually deal with.

AUTHORITY & RESPONSIBILITY

It is your responsibility to ensure that you understand and adhere to this Policy and that they maintain up-to-date knowledge of any changes to the Policy and/or procedures. Ignorance of the existence of this Policy or procedures will not be an acceptable excuse for noncompliance.
It is the responsibility of the Privacy Officer to;

be available to answer enquiries about privacy legislation in general and to assist in the
resolution of complaints as required;
act as a mediator when required;
conduct investigations into all formal complaints;
ensure that investigations and meetings are fair and that all parties are heard without
bias;
provide training and support to Managers and employees regarding privacy legislation
and the John Sands Group policy and procedures;
provide advice to Managers and employees regarding the best ways of preventing and
dealing with privacy legislation issues;
maintain records of any discussions conducted in a ‘Complaints Register’;
ensure the ‘Complaints Register’ is held in a secure location and access is restricted.

EFFECTIVE DATE

This policy is effective 11 December 2025