Privacy Statement

The KPI Institute Privacy Statement 

 

Welcome! This Privacy Statement explains how The KPI Institute collects your personal and technical information, why we use it, and the measures we take to protect it. You’ll learn what types of data we gather and for which purposes, the legal bases that allow us to process your information, and the security safeguards we have in place. We also explain your rights—how you can access, correct, delete, or restrict our use of your data—and provide clear instructions for exercising them. If you have any questions or need assistance, our Data Protection Officer is ready to help at [email protected]. For full details and legal definitions, please continue to the sections that follow. 

 

  1. DEFINITIONS AND INTERPRETATION

For the purposes of this Statement:
  • “Controller” means The KPI Institute Pty. Ltd. (ACN 109 262 366), or, where applicable, any entity within the KPI Institute Group determining the purposes and means of processing Personal Data. 
  • “Processor” means any third party, including intra-Group entities, engaged by a Controller to process Personal Data on its behalf pursuant to a Data Processing Agreement (DPA). 
  • “Personal Data” means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws. 
  • “Processing” means any operation on Personal Data, whether automated or manual, including collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure or destruction. 
  • “Data Subject” means the individual to whom Personal Data pertains. 
  • “KPI Institute Group” or “Group” means The KPI Institute Pty. Ltd. and its affiliated legal entities listed in Section 3. 
  • “GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation). 
  • “PDPA” means the Personal Data Protection Act 2010 (Malaysia). 
  • “Privacy Act” means the Privacy Act 1988 (Cth) (Australia). 
  • “PDPL” means the Personal Data Protection Law (Crown Prince Court Order No. 4 of 2021) (Saudi Arabia). 
  • “GCC Data Laws” means data protection statutes, regulations, and guidelines applicable to Gulf Cooperation Council Member States (including PDPL). 

 

  2. SCOPE AND APPLICATION

2.1 This Privacy Statement establishes the comprehensive framework under which the KPI Institute Group, in its capacity as Controller, Processor, or joint Controller, undertakes the Processing of Personal Data. It applies to all business activities and operations conducted by the Group, whether directly or via affiliated entities, including but not limited to: 

  • Consultancy services and training programmes; 
  • Research, analytics, and benchmarking initiatives; 
  • Events, conferences, workshops, and webinars; 
  • Digital platforms, websites, and mobile applications; 
  • Marketing and promotional campaigns (online and offline); 
  • Customer relationship management and support services; 
  • Procurement, vendor management, and supply chain engagements; 
  • Recruitment, employment, and contractor onboarding processes. 

2.2 This Statement governs Personal Data collected from or relating to all categories of Data Subjects, including clients, prospects, suppliers, vendors, contractors, employees, job applicants, website and application users, and any other individuals whose Personal Data is Processed by the Group in the course of its operations. 

2.3 The territorial scope of this Statement is global. Personal Data may be Processed in any jurisdiction in which the Group operates, subject to applicable local data protection laws. In jurisdictions imposing additional requirements (e.g., GDPR, PDPA, Privacy Act, PDPL, CCPA/CPRA, PIPEDA (Canada) and UK Data Protection Act 2018), the Group shall implement any necessary supplemental notices, consent mechanisms, or Processing procedures to achieve full compliance. In the event of any conflict between this Statement and mandatory local law, the latter shall prevail to the extent required. 

2.4 This Statement does not apply to data that has been irreversibly anonymised or aggregated so that individuals are no longer identifiable. 

2.5 All Group personnel, affiliates, contractors, and third-party Processors engaged by the Group are required to comply with this Statement, any related policies, and the terms of applicable Data Processing Agreements (DPAs). 

 

  3. CONTROLLERS WITHIN THE KPI INSTITUTE GROUP

3.1 Principal Controller
The KPI Institute Pty. Ltd. (ACN 109 262 366), Level 3, 406 Collins Street, Melbourne, VIC 3000, Australia, shall act as the principal Controller for all Group-wide Processing activities, determining the purposes and means of Personal Data processing. 

3.2 Joint Controllers
Where two or more Group entities jointly define Processing objectives and methods (e.g., co-development of digital platforms or co-hosting of events), they shall be deemed Joint Controllers. In such cases, the respective Joint Controllers shall conclude a Joint Controller Agreement specifying: 

  • Allocation of responsibilities for compliance with Data Subject rights and GDPR Article 26 obligations. 
  • Mechanisms for Data Subject communications and exercise of rights. 
  • Indemnification and liability arrangements between the Joint Controllers. 

3.3 Appointed Processors
The following intra-Group entities and selected third-party service providers shall operate as Processors under binding Data Processing Agreements (DPAs), processing Personal Data exclusively on documented instructions: 

  • Connected Performance Training Institute – 718620 (AE) 
  • Connected Performance Sdn. Bhd. – 1128752H (MY) 
  • The KPI Institute for Training – 1009067330 (KSA) 
  • Integerperform S.R.L. – J12/1644/2002 (RO) 
  • Skills Mandate S.R.L. – J12/4901/2017 (RO) 
  • Biomimicry S.R.L. – J12/4885/2017 (RO) 
  • TKI HUB S.R.L. – J32/1162/2017 (RO) 
  • Lereroworld S.R.L. – J32/420/2019 (RO) 
  • Acumen Integrat S.R.L. – J12/4194/2004 (RO) 
  • Fundația Worldskills România – RO36134470 (RO) 

DPAs shall incorporate, at a minimum, the following provisions: 

  • Scope, nature, and purpose of processing. 
  • Types of Personal Data and categories of Data Subjects. 
  • Duration of Processing and retention obligations. 
  • Technical and organisational security measures. 
  • Sub-processor engagement rules and audit rights. 
  • Breach notification obligations. 

3.4 Data Protection Officer 

  • Global DPO: Merut Stefan – Head of Legal and Compliance, Email: [email protected]  

3.5 Data Subject Acknowledgement
By providing Personal Data to any Group entity, Data Subjects acknowledge and consent to: 

  • Inter-Group transfer and joint Processing of their Personal Data. 
  • Processing by both Controllers and Processors as specified in this Statement and related DPAs. 

 

  4. PRINCIPLES GOVERNING PROCESSING

In all jurisdictions in which the Group operates, Personal Data shall be processed in accordance with the following binding principles, drawn from GDPR Article 5 and equivalent global standards: 

4.1 Lawfulness, Fairness & Transparency
4.1.1 Processing shall be lawful only if and to the extent there exists at least one legal basis under applicable law (e.g., consent, contract performance, legitimate interests, legal obligations).
4.1.2 Data Subjects shall be provided with clear, intelligible and easily accessible information regarding Processing activities, consistent with GDPR Articles 12–14, PDPL transparency requirements, and equivalent obligations under local law. 

4.2 Purpose Limitation
4.2.1 Personal Data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
4.2.2 Any subsequent Processing for archiving in the public interest, scientific or historical research, or statistical purposes shall be subject to appropriate safeguards. 

4.3 Data Minimisation
4.3.1 Personal Data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
4.3.2 Regular reviews shall be conducted to ensure Personal Data inventories remain aligned with operational needs and legal requirements. 

4.4 Accuracy
4.4.1 The Group shall take all reasonable steps to ensure that Personal Data that are inaccurate with regard to the purposes for which they are processed are erased or rectified without delay.
4.4.2 Mechanisms for Data Subject-initiated corrections and periodic data quality audits shall be in place. 

4.5 Storage Limitation
4.5.1 Personal Data shall be retained only for as long as necessary to fulfil the purposes for which they are collected and processed, or as required by applicable law.
4.5.2 Automated retention schedules and secure deletion protocols shall ensure compliance with retention obligations set forth in Section 10. 

4.6 Integrity & Confidentiality
4.6.1 The Group shall implement appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
4.6.2 Measures include, but are not limited to, encryption, pseudonymisation where appropriate, access controls, and secure disposal procedures. 

4.7 Accountability
4.7.1 The Group shall be responsible for, and be able to demonstrate, compliance with these principles (“accountability”).
4.7.2 Documentation, internal policies, training programmes, impact assessments (where required), and regular audits shall form part of the Group’s accountability regime. 

 

  5. LEGAL BASES FOR PROCESSING

Personal Data shall be processed only where at least one of the following legal bases applies. Where multiple bases exist, the most specific basis shall prevail: 

5.1 Contractual Necessity
5.1.1 Processing is necessary for the performance of a contract to which the Data Subject is a party or to take steps at the Data Subject’s request prior to entering into a contract (e.g., provision of consultancy services, training programmes, or event registrations).
5.1.2 GDPR: Article 6(1)(b); PDPA: Section 6(1)(c); Privacy Act: Section 16A(1)(b); PDPL: Article 8(c). 

5.2 Compliance with Legal Obligations
5.2.1 Processing is necessary for compliance with a legal obligation to which the Controller is subject (e.g., tax, anti-money laundering, record-keeping, employment law obligations).
5.2.2 GDPR: Article 6(1)(c); PDPA: Section 6(1)(d); Privacy Act: Section 16A(1)(c); PDPL: Article 8(d). 

5.3 Consent
5.3.1 The Data Subject has given freely given, specific, informed, and unambiguous consent to the Processing of Personal Data for one or more specified purposes (e.g., marketing communications, profiling, transfer to third parties).
5.3.2 Consent shall be evidenced by a clear affirmative act, and Data Subjects shall be informed of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent prior to withdrawal.
5.3.3 GDPR: Article 6(1)(a) & Article 7; PDPA: Section 9; Privacy Act: Sections 6(1)(a), 7(1); PDPL: Article 8(a). 

5.4 Legitimate Interests
5.4.1 Processing is necessary for the purposes of the legitimate interests pursued by the Controller or a third party, provided such interests are not overridden by the fundamental rights and freedoms of the Data Subject.
5.4.2 Legitimate interests may include, but are not limited to, fraud prevention, network security, business development, and client relationship management.
5.4.3 A documented Legitimate Interests Assessment (LIA) shall be conducted to balance the interests of the Controller against the rights of Data Subjects.
5.4.4 GDPR: Article 6(1)(f); PDPA: Section 6(1)(b); Privacy Act: Section 16A(1)(d); PDPL: Article 8(f). 

5.5 Vital Interests and Public Interest (where applicable)
5.5.1 In exceptional circumstances, processing may be necessary to protect the vital interests of the Data Subject or another person, or where processing is required for the performance of a task carried out in the public interest or in the exercise of official authority.
5.5.2 GDPR: Articles 6(1)(d) & (e); PDPL: Article 8(e). 

 

  6. CATEGORIES OF PERSONAL DATA

6.1 The following categories of Personal Data may be collected, processed, and retained by the Group in connection with its training, consultancy, research, events and related operations: 

Category | Description & Examples | Purposes | Legal Basis
--- | --- | --- | ---
Identity & Contact Data | Full name, title, employer, business address, email address, telephone number | Participant registration, account administration | Contract, Consent
Professional & Academic Data | Job title, department, organisation, qualifications, professional certifications, educational background | Eligibility assessment, course placement, reporting | Legitimate Interest, Consent
Training Registration Data | Course selections, attendance records, registration dates, payment details | Course scheduling, attendance tracking, invoicing | Contract, Legal Obligation
Training Content & Evaluation Data | Assessment scores, test results, certification outcomes, feedback forms, trainer evaluations | Certification issuance, performance analysis, quality assurance | Contract, Legitimate Interest
Audio/Video Recording Data | Video recordings of live training sessions, webinar recordings, photographs, participant Q&A transcripts | Training delivery, on-demand access, compliance with contract terms | Legitimate Interest, Consent
Technical & Usage Data | IP address, device identifiers, browser type, access times, clickstream data | Platform security, system performance monitoring | Legitimate Interest
Communications Data | Email correspondence, chat logs, support tickets, survey responses | Customer support, marketing communications | Consent, Legitimate Interest
Marketing & Preference Data | Subscription status, marketing preferences, opt-in/opt-out records, profiling data | Direct marketing, personalised promotions | Consent, Legitimate Interest
Transactional & Financial Data | Billing information, transaction history, contract documents | Billing, financial reconciliation, audit compliance | Legal Obligation
Sensitive Data (where applicable) | Government ID numbers, nationality, professional membership IDs (e.g., ISO, PMI), special dietary requirements | Regulatory compliance, event accommodation | Consent, Legal Obligation

6.2 Recording of Training Sessions
Where training sessions (live or virtual) are recorded, Data Subjects will be notified in advance and provided the opportunity to object. Recordings may capture audio, video, and screen-share content and will be processed for: 

  • On-demand access for registered participants; 
  • Post-event reviews and quality improvements; 
  • Internal training material development; 
  • Compliance with contractual or regulatory record-keeping obligations. 

6.3 Special Category Data
In exceptional circumstances, where participants voluntarily provide Special Category Data (e.g., health or accessibility needs), such data will only be processed with explicit consent, documented safeguards, and strictly for the purposes communicated at the point of collection. 

6.4 Data Source & Collection Methods
Personal Data may be obtained directly from Data Subjects (e.g., via registration forms, surveys, assessments), indirectly from technical systems (e.g., learning management platforms, webinar tools), or from third parties (e.g., employer HR systems, accreditation bodies). All collection methods shall adhere to the principles of transparency and purpose limitation. 

 

  7. DATA PROCESSING AGREEMENTS & CROSS-MARKETING

7.1 Applicability and Structure of Data Processing Agreements (DPAs)
7.1.1 All Processors—whether intra-Group entities or external service providers—and Joint Controllers shall enter into a written Data Processing Agreement in compliance with GDPR Article 28, PDPA Section 11, Privacy Act APP 11, PDPL Article 21, and equivalent provisions under applicable law.
7.1.2 Each DPA shall, at a minimum, set forth: 

  • The subject matter, duration, nature, and purpose of the Processing; 
  • The types of Personal Data and categories of Data Subjects; 
  • The obligations and rights of Controllers and Processors; 
  • Detailed technical and organisational security measures; 
  • Terms governing the engagement of sub-processors, including prior written authorisation and flow-down obligations; 
  • Procedures for Data Subject requests, audit rights, and compliance reviews; 
  • Breach notification and remediation obligations, specifying timelines and communication protocols. 

7.2 Cross-Marketing and Data Sharing under DPAs
7.2.1 Subject to the Data Subject’s valid consent (where required) and/or legitimate interest assessments, Group entities may share Personal Data for cross-marketing purposes, including: 

  • Joint promotional campaigns for training programmes, publications, and benchmarking services; 
  • Targeted communications tailored to professional profiles, industry sectors, or geographic regions; 
  • Co-sponsored events and webinars announced through combined mailing lists.

7.2.2 Prior to any inter-Group marketing initiative, Controllers shall ensure: 

  • Compliance with applicable marketing consent requirements under GDPR Article 21, PDPA Section 12, Privacy Act APP 7, and PDPL Article 10; 
  • Maintenance of up-to-date opt-in/opt-out records, with mechanisms to facilitate immediate withdrawal of consent or objection; 
  • Execution of updated DPAs or addenda reflecting the specific scope of cross-marketing Processing. 

7.3 Third-Party Marketing Partners
7.3.1 Where the Group engages third-party marketing platforms or agencies, such engagement shall be governed by a DPA and a Marketing Services Agreement, ensuring: 

  • Restricted use of Personal Data solely for the contracted marketing campaign; 
  • Prohibition of onward transfers without prior Controller approval; 
  • Assurance of data accuracy and deletion upon campaign completion.

7.3.2 Third parties shall provide evidence of compliance with international privacy standards (e.g., ISO 27701, PCI DSS or equivalent representations and warranties) and permit audits by the Controller or its designated auditor. 

7.4 Data Subject Rights in Cross-Marketing
7.4.1 Data Subjects retain the right to object to Processing for direct marketing at any time, free of charge and without detriment to other Processing activities.
7.4.2 Controllers shall honour objections within one month of receipt, ceasing all marketing communications and confirming cessation to the Data Subject. 

7.5 Record-Keeping and Accountability
7.5.1 Controllers shall maintain comprehensive records of all DPAs, cross-marketing assessments, and consent registers, as required by GDPR Article 30, PDPA Section 14, Privacy Act APP 1, and PDPL Article 20.
7.5.2 Such records shall be retained for a minimum of five years and be available for inspection by supervisory authorities or internal auditors. 

7.5.3 The Group maintains and operates a centralized Customer Relationship Management (CRM) system, which serves as a core data repository for storing Personal Data, including but not limited to contact details, marketing preferences, consent status, course participation history, and correspondence logs. This CRM system is configured to reflect Data Subject rights and support obligations under applicable data protection laws. Periodic audits are conducted to ensure integrity, accuracy, and compliance with consent-based marketing requirements. 

 

  8. INTERNATIONAL DATA TRANSFERS & SAFEGUARDS

8.1 Overview of Cross-Border Transfers
8.1.1 Personal Data may be transferred outside the Data Subject’s jurisdiction to enable global service delivery, centralized processing, and collaboration across the KPI Institute Group and authorised third-party service providers. 

8.2 GDPR Chapter V Compliance
8.2.1 For transfers from the European Economic Area, the Group shall implement one or more of the following safeguards in accordance with GDPR Articles 44–50: 

  • Adequacy Decisions: Transfers to countries or territories deemed adequate by the European Commission (e.g., Australia). 
  • Standard Contractual Clauses (SCCs): Adoption of the European Commission’s SCCs, supplemented by any required technical, organisational, or contractual measures. 
  • Binding Corporate Rules (BCRs): Group-wide internal rules approved by EU supervisory authorities, providing consistent safeguards across all intra-Group transfers. 
  • Derogations: Specific case-by-case derogations (e.g., explicit consent, performance of contract, public interest) if no other mechanism applies. 

8.3 PDPA & Privacy Act Transfers
8.3.1 Transfers from Malaysia shall comply with PDPA Sections 129–130, requiring either contractual safeguards or supervisory authority approval.
8.3.2 Transfers from Australia shall adhere to Privacy Act Part IIIC (APP 8), ensuring that overseas recipients provide comparable protections or that exceptions (e.g., consent, performance of contract) apply. 

8.4 PDPL Local Transfer Restrictions
8.4.1 Under Saudi Arabia’s PDPL, outbound transfers of Personal Data are permissible only where one of the following is satisfied: 

  • Transfer to countries with an explicit adequacy decision by the Saudi Data & AI Authority. 
  • Implementation of contractual clauses approved by the Authority in accordance with PDPL Articles 36–38. 
  • Explicit, informed consent obtained from the Data Subject for the specific transfer. 

8.4.2 In all cases, transfers shall be documented, and Data Subjects shall be informed of any intended cross-border disclosures as part of the local privacy notice. 

8.5 Technical & Organisational Safeguards
8.5.1 Regardless of legal mechanism, the Group may seek to implement robust safeguards to protect transferred Personal Data, including: 

  • Encryption of data in transit and at rest. 
  • Access controls restricting access to authorised personnel only. 
  • Data localisation measures where required by local law. 
  • Regular audits and assessments of third-party processors and their security posture. 

8.6 Data Transfer Impact Assessments (DTIAs)
8.6.1 For transfers involving high-risk processing (e.g., sensitive data, volume transfers), the Group shall conduct a documented Data Transfer Impact Assessment to evaluate: 

  • The nature and sensitivity of the data. 
  • The legal and regulatory environment of the destination country. 
  • The adequacy of proposed safeguards and residual risks.  

8.6.2 DTIAs shall be reviewed periodically and prior to onboarding any new foreign receiving entity. 

8.7 Record-Keeping and Accountability
8.7.1 The Group shall maintain records of all cross-border transfer mechanisms, SCCs, BCR approvals, derivate consent forms, and DTIAs, in accordance with GDPR Article 30, PDPA Section 14, Privacy Act APP 1, and PDPL Article 20.
8.7.2 Such records shall be retained for a minimum of five years and be made available to supervisory authorities upon request.  

 

  9. SAUDI ARABIA PDPL LOCALISATION

9.1 Local Compliance Obligations
9.1.1 In respect of operations in the Kingdom of Saudi Arabia (KSA), the Group complies with all PDPL requirements, including those set forth in Crown Prince Court Order No. 4 of 2021, and any implementing regulations issued by the Saudi Data & AI Authority (SDAIA). 

9.2 Data Residency and Transfer Limitations
9.2.1 Personal Data collected in KSA is maintained within Saudi territory by default, utilising AWS Middle East Region data centers, in accordance with SDAIA’s Cloud Computing Regulatory Framework (CCRF) and PDPL Articles 36–38.
9.2.2 Any transfer of Personal Data outside the Kingdom shall only occur pursuant to: 

  • SDAIA-approved contractual clauses reflecting PDPL transfer requirements; or 
  • Explicit, informed consent obtained from the Data Subject for the specific transfer. 

9.2.3 All transfers are documented and transparent to Data Subjects through localized Privacy Notices. 

9.3 Cloud Computing Regulatory Framework (CCRF) Adherence
9.3.1 The Group’s AWS-hosted services operate under the SDAIA’s CCRF, ensuring compliance with technical standards for cloud service providers, including security, data segregation, and audit requirements.
9.3.2 KPI Institute devices and applications leveraging AWS infrastructure are configured to enforce encryption at rest and in transit, access controls, and logging mechanisms as prescribed by the CCRF. 

9.4 Reliance on AWS Compliance Representations
9.4.1 The Group utilises Amazon Web Services (AWS) cloud and data center facilities pursuant to the AWS Customer Agreement and AWS Data Processing Addendum.
9.4.2 While AWS holds certifications and attestations (e.g., ISO 27001, ISO 27018, SOC 1/2/3, and certifications recognized by SDAIA), and represents compliance with PDPL-equivalent standards, KPI Institute relies on AWS’s warranties and published compliance documentation.
9.4.3 KPI Institute does not assume responsibility for AWS’s security or compliance lapses beyond the scope of AWS’s contractual commitments and indemnities. 

9.5 Breach Notification and Reporting
9.5.1 In the event of a Personal Data breach affecting KSA-based Data Subjects, the Group shall notify the SDAIA within 72 hours of becoming aware of the incident, in accordance with PDPL Article 20.
9.5.2 Data Subjects shall be informed without undue delay if the breach is likely to result in a high risk to their rights and freedoms, with sufficient details to enable mitigation measures. 

 

  10. DATA RETENTION & STORAGE

10.1 General Retention Principles
10.1.1 Personal Data shall be retained only for as long as necessary to fulfil the purposes for which it was collected, to satisfy contractual, legal, or regulatory obligations, or to establish, exercise, or defend legal claims.
10.1.2 Retention schedules and secure deletion protocols shall be implemented to ensure automatic archiving, anonymisation, or deletion of Personal Data upon expiry of the retention period.
10.1.3 Extensions to retention periods shall require documented justification, approval by the Data Protection Officer, and, where applicable, notification to Data Subjects. 

10.2 Global Retention & Storage Matrix 

Data Category | Retention Period | Rationale | Storage Locations (Primary)
--- | --- | --- | ---
Identity & Contact Data | 5 years post-relationship | Statute of limitations, audit | AU, AE, MY, RO
Transactional & Financial Data | 7 years from transaction date | Tax and financial regulations | AU, RO
Technical & Usage Data | 2 years rolling | Service optimisation, security | AU (Cloud)
Marketing & Preference Data | Until withdrawal + 1 year | Proof of consent | AU, AE, MY
Audio/Video Recordings & Photographs | 2 years after event/session | On-demand access, quality review | AU (Cloud), RO
Sensitive Data | As required by local law | Regulatory mandates | AU, RO, KSA

10.3 Saudi Arabia (PDPL) Specific Retention & Storage
10.3.1 In compliance with PDPL and SDAIA requirements, Personal Data originating from or processed within the Kingdom of Saudi Arabia shall be subject to the following storage and retention controls: 

Data Category | Retention Period | Rationale | Storage Locations (KSA)
--- | --- | --- | ---
Identity & Contact Data | 5 years post-relationship | PDPL statutory limits, audit | AWS Middle East
Transactional & Financial Data | 7 years from transaction date | Tax, audit, and regulatory compliance | AWS Middle East
Technical & Usage Data | 2 years rolling | Security, monitoring | AWS Middle East
Marketing & Preference Data | Until withdrawal + 1 year | Consent proof, marketing compliance | AWS Middle East
Audio/Video Recordings & Photographs | 2 years after event/session | On-demand access, quality review | AWS Middle East
Sensitive Data | As required by PDPL | Explicit consent, PDPL mandates | AWS Middle East

10.4 Secure Disposal & Anonymisation
10.4.1 Upon expiry of retention periods, Personal Data shall be securely disposed of through methods including, but not limited to, irreversible anonymisation, secure deletion, or physical destruction of storage media.
10.4.2 Disposal and anonymisation activities shall be logged, retained for audit purposes, and verified periodically by the Data Protection Officer.  

 

  11. DATA SUBJECT RIGHTS & PROCEDURES

11.1 Overview of Rights
Under applicable data protection laws (GDPR, PDPA, Privacy Act, PDPL), Data Subjects are entitled to the following rights with respect to their Personal Data: 

  • Right of Access: To obtain confirmation of processing and access to a copy of their Personal Data. 
  • Right to Rectification: To request correction of inaccurate or incomplete data. 
  • Right to Erasure (Right to be Forgotten): To request deletion of Personal Data where no lawful basis for retention exists. 
  • Right to Restriction of Processing: To limit the manner in which Personal Data is processed. 
  • Right to Data Portability: To receive Personal Data in a structured, commonly used, machine-readable format and transmit it to another Controller. 
  • Right to Object: To object to processing based on legitimate interests, including profiling and direct marketing. 
  • Right to Withdraw Consent: To withdraw previously given consent without affecting the lawfulness of prior processing. 
  • Right to Complaint: To lodge a complaint with a supervisory authority. 

11.2 Procedures for Exercising Rights
11.2.1 Requests shall be submitted in writing to the Data Protection Officer (contact details in Section 3.4) or via the Group’s designated online contact forms.
11.2.2 Upon receipt, the Group will acknowledge the request within five (5) business days and, where feasible, provide a substantive response within one (1) month of receipt.
11.2.3 Extensions of up to two (2) additional months may apply for complex requests, with notification to the Data Subject and justification for the delay.
11.2.4 No fee shall be charged for requests, except in cases of manifestly unfounded or excessive requests, in which case a reasonable fee may be levied or the request may be refused. 

11.3 Verification and Security
To protect privacy and security, the Group may require Data Subjects to verify their identity before processing a request, using two-factor authentication, government-issued ID, or other appropriate measures. 

11.4 Exceptions and Limitations
11.4.1 The rights outlined in Section 11.1 may be subject to exceptions or limitations under applicable law (e.g., freedom of expression, public interest, legal obligations, litigation).
11.4.2 Where an exception applies, the Group will inform the Data Subject of the reason for refusal and the possibility of lodging a complaint with a supervisory authority. 

11.5 Special Procedures for PDPL
11.5.1 For Saudi Arabia, Data Subjects may also submit rights requests directly to the Saudi Data & AI Authority (SDAIA) if dissatisfied with the Group’s response.
11.5.2 The Group shall maintain localized request forms in Arabic and English and ensure compliance with PDPL-mandated timelines for responses. 

 

  12. SECURITY MEASURES

To safeguard Personal Data throughout its lifecycle, the Group implements a comprehensive security framework comprising the following measures: 

12.1 Organisational and Administrative Controls
12.1.1 Adoption and enforcement of robust privacy and security policies, standards, and procedures aligned with ISO/IEC 27001, NIST Cybersecurity Framework, and PDPL requirements.
12.1.2 Regular privacy and security training programmes for all personnel, including mandatory onboarding and annual refresher courses.
12.1.3 Role-based access controls (RBAC) and segregation of duties to limit access to Personal Data to authorised individuals only.
12.1.4 Background screening and confidentiality agreements for employees, contractors, and third-party vendors with access to sensitive Personal Data. 

12.2 Technical and Physical Safeguards
12.2.1 Encryption of Personal Data at rest using AES-256 or equivalent, and in transit via TLS 1.2+ or equivalent protocols.
12.2.2 Network segmentation, firewalls, intrusion detection and prevention systems (IDPS), and secure configuration baselines to protect against unauthorised access.
12.2.3 Implementation of multi-factor authentication (MFA) for all administrative and remote access.
12.2.4 Logging, monitoring, and anomaly detection systems with retention of security logs for a minimum of 12 months.
12.2.5 Secure disposal of physical media in accordance with NIST SP 800-88 guidelines and secure wiping of electronic devices. 

12.3 Vendor and Third-Party Security
12.3.1 Rigorous due diligence and risk assessment of third-party vendors, service providers, and cloud partners, including AWS, to verify security posture and compliance with required standards.
12.3.2 Inclusion of comprehensive security and privacy obligations in all DPAs and vendor contracts, with right-to-audit clauses and breach notification requirements.
12.3.3 Periodic review of vendor security assessments, SOC 2 reports, ISO 27001 certifications, and penetration test results. 

12.4 Security Assessments and Audits
12.4.1 Regular vulnerability scanning, penetration testing, and security code reviews conducted by certified professionals.
12.4.2 Internal and external audits, including annual third-party assessments, to validate compliance with security policies and legal requirements.
12.4.3 Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs) for high-risk Processing activities, recorded in the Group’s risk register. 

12.5 Incident Response and Breach Management
12.5.1 A formalised Incident Response Plan (IRP) establishing roles, responsibilities, and procedures for identification, containment, eradication, recovery, and post-incident review.
12.5.2 Notification procedures to inform supervisory authorities (e.g., SDAIA, ICO, OAIC) within statutory timelines (72 hours for PDPL, GDPR, etc.) and affected Data Subjects when required.
12.5.3 Maintenance of an incident register, root cause analysis, and corrective action tracking to prevent recurrence. 

12.6 Business Continuity and Disaster Recovery
12.6.1 Implementation of resilient backup and disaster recovery solutions, with regular restoration testing to ensure data integrity and availability.
12.6.2 Defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for critical systems and Personal Data stores.
12.6.3 Annual reviews and tabletop exercises to validate business continuity and disaster recovery plans. 


  13. CHANGES TO THIS STATEMENT

13.1 Periodic Review and Governance
13.1.1 This Privacy Statement shall be reviewed at least annually or more frequently as required by changes in applicable law, technological developments, or business practices.
13.1.2 All revisions shall undergo legal and compliance review and be approved by the Global Data Protection Officer and the executive leadership team. 

13.2 Automated Decision-Making and Profiling 

The KPI Institute does not carry out any decision-making based solely on automated processing, including profiling, which produces legal effects concerning individuals or similarly significantly affects them, as described in Article 22 of the General Data Protection Regulation (GDPR). 

If this ever changes, we will update this Privacy Statement and ensure that such processing is subject to suitable safeguards, including the right to: 

  • obtain human intervention, 
  • express your point of view, 
  • and contest the decision. 

13.3 Material Amendments and Data Subject Notifications
13.3.1 Material changes—such as new processing purposes, additional international transfers, or expanded Data Subject rights—shall be communicated to Data Subjects in advance of implementation via: 

  • Email notifications to all affected individuals; 
  • Prominent notices on the Group’s websites and digital platforms; 
  • Localized communications where required by jurisdiction (e.g., Arabic notices for KSA). 

13.3.2 Minor operational or editorial updates that do not affect Data Subject rights or compliance obligations may be implemented without individual notice but will be reflected in the version history. 

13.4 Version Control and Historical Archive
13.4.1 Each publication of the Privacy Statement shall be assigned a version number and effective date.
13.4.2 An archive of prior versions, together with a summary of changes, shall be maintained on the Group’s intranet and made available to Data Subjects upon request. 

13.5 Severability
13.5.1 If any provision of this Statement is held invalid or unenforceable under applicable law, such provision shall be severed, and the remaining provisions shall continue in full force and effect. 

13.6 Contact for Clarifications
13.6.1 Questions about this Privacy Statement, including requests for clarification on changes, should be directed to the Data Protection Officer as specified in Section 3.4. 


Effective Date: April 30, 2025 


The KPI Institute Pty. Ltd. is committed to protecting your privacy. This Data Privacy policy outlines our personal information handling practices, for both online and offline data. If you give us personal information, we will treat it with the utmost care and never sell, rent or share your personal information with third parties under any circumstances.

This policy applies to all The KPI Institute’s websites, including: www.kpiinstitute.org, www.gpaunit.org, http://www.tkisolutions.com/, https://www.skills.ac/ and www.performancemagazine.org, as well as to all extensions related to these web domains.

Please note that this Privacy Policy may change from time to time, though we expect most such changes to be minor. We will post any Policy changes on this page. We encourage you to read this privacy policy and take notice of how your data is being processed. By using The KPI Institute’s websites, you agree to the terms under this policy.

Who are we?

The KPI Institute is a leading global research institute specialized in business performance. It operates research programs in 12 practice domains, ranging from strategy and KPIs to employee performance and from customer service to innovation performance. Insights are disseminated through a variety of publications, subscription services and a knowledge platform available to registered members. Support in deploying these insights in practice is offered globally through training and advisory services.

The KPI Institute is considered today the global authority on Key Performance Indicators (KPIs) research and education. It developed the first KPI Management Framework and operates www.smartKPIs.com, the result of the research program dedicated to documenting and cataloguing how KPIs are used in practice, an online portal containing the largest collection of documented KPI examples.

The company's headquarters are in Melbourne, Australia, located at: Life.lab Building, 198 Harbour Esplanade, Suite 606, Melbourne Docklands, VIC 3008, Australia.

What does personal data refer to?

Personal data means any information related to an identified or identifiable natural person. An identifiable natural person is one who can be identified, either directly, by name for example, or indirectly, by reference to an identifier such as: a unique identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers.

Examples of personal data include, but are not limited to: names, email addresses, phone numbers, profile photos, audio and video recordings, Twitter, Facebook and LinkedIn IDs and profile URLs, IP addresses (IPv4 and especially IPv6), biometric data such as fingerprints, user agents, device names (such as webcam names) or device IDs such as MAC addresses, passport and social security numbers, driver’s license or ID photos, geolocation information, posts on social media, bank account and credit card information, PayPal IDs and SSH public keys.

What types of data do we collect and how?

There are instances when The KPI Institute receives your data directly, via our websites and forms: when you create a new account, download a brochure or free resources, subscribe to our newsletters, request a demo, buy a product or service from us, participate in our courses and events, send us your CV for a job opportunity, or contact us. Such data includes, but is not limited to: your name, e-mail address, home or work address, telephone number, date and place of birth, profile photo, job position and company name, qualifications and any other information specifically provided by you (feedback, correspondence, etc.).

In other instances, The KPI Institute automatically collects information about your computer hardware and software in order to improve your experience on our websites. This information can include, but is not limited to: your IP address (IPv4 and especially IPv6), browser type, domain names, access times and referring website addresses. To read more about cookies and how we use them, please refer to the Cookie Policy. Also, in order to improve the customer experience, we automatically record client conversations, but we do not process this data except in special circumstances, where needed.

You are not required to give us your personal data, but in that case it will be almost impossible for us to provide you with the information, products and services you expect from us.

How do we process your data?

We do not share your personal data outside The KPI Institute, unless you give your consent to do so, or when the law requires it, or when you expect us to do so.

However, by providing personal information to The KPI Institute’s websites, you agree that such information may be stored outside your country or held by third parties providing services to The KPI Institute, but it will not be used by such third parties for their own purposes.

In case the data processing includes a transfer outside of the European Union, the transfer is based on EU-approved standards and contractual clauses, thus ensuring an adequate level of personal data protection as required by the applicable data protection law. We will transfer your data only to non-EU countries that the European Commission is confident provide an adequate level of data protection for international transfers.

Please keep in mind that if you directly disclose your data through The KPI Institute’s websites, this information may be collected and used by others.  Also, The KPI Institute encourages you to review the privacy statements of the websites you choose to link to from The KPI Institute’s websites, so that you understand how those websites collect, use and share your information. The KPI Institute is not responsible for the privacy statements or other content available on websites outside The KPI Institute’s websites.

The KPI Institute collects and processes your personal data in order to provide you with the services you expect from us: to give you access to our online resources, to let you participate in our courses, events and webinars, to send you promotional offers, the latest news and insightful performance management articles, to include you in our performance-related surveys, or to find the right job/role for which you applied. An important aspect of the promotional campaigns we send you is that you can always update your preferences, by opting in or out, at your choice.

Also, your data can be processed for administrative purposes related to the Certification process, or for finance-related purposes related to the invoice issued, in case you have participated in one of our training programs or purchased one of our products and services.

Your data can be used without further consent for non-marketing purposes, such as notifying you of major website changes, for customer service purposes, or in order to comply with legal requirements.

The most common communication channels we use include, but are not limited to: emails, phone calls, messages, posts and face-to-face meetings. Your data will be processed only by the authorized departments responsible for delivering the services you expect from us. Such departments include, but are not limited to: Digital Marketing, Customer Services, Educational Programs, Customer Engagement, Finance and Human Resources.

How long do we keep your data?

We will keep your data, after obtaining your prior consent, for an unlimited period of time, as long as you have an account on our websites, are subscribed to our newsletters, or have in any other way provided your data to us, until you withdraw your consent, unsubscribe from our newsletters, or ask us to delete your data from our database.

We may keep some personal data to comply with national and international legal requirements, as in the case of internal information about our employees, or for historical and statistical purposes.

If we have to delete your data, this means that we cannot process it any longer and use it to inform you about any of our events, products, services or job opportunities. In case you want to provide your data again in the future, you will have to register again with us.

Your rights

You are entitled to contact us in case you want to:

  • Be informed about how we use your data;
  • Receive access and obtain a copy of the data we have about you;
  • Change or update your data, if you discovered that we have inaccurate / outdated information about you;
  • Update your email marketing preferences, by opting-in or out from some or from all our newsletters;
  • Withdraw your consent on data processing;
  • Delete all the personal data we have about you;
  • Make a complaint to the data protection authority if you have any doubts regarding how we process your data;
  • Restrict our use of your data;
  • Transfer your data from our database to another one;
  • Disable Cookies – for more information about the Cookie Policy, read the entire policy here

Contact us

You can exercise your rights by contacting The KPI Institute via email at: [email protected]. We are also happy to receive any other inquiries related to your personal data at the above-mentioned email address.