Thales Australia Privacy Statement

1. ABOUT THALES AUSTRALIA & NEW ZEALAND

Thales Australia & New Zealand is part of a leading international electronics and systems group, known as Thales Group, serving the defence, aerospace and space, security, and digital business markets in Australia, New Zealand and throughout the world.

Thales Australia & New Zealand refers to the Thales companies located in Australia and New Zealand (and may be referred to as “Thales Australia & New Zealand”, “we”, “us” or “our” in this Statement). These entities are listed in section 1.1 below. Our global parent company is THALES S.A, a French “Société Anonyme” (Public Limited Company) at 4, rue de la Verrerie, 92190 Meudon, France, registered with the Register of Trade and Companies of Nanterre under number 552 059 024, and together the global group of Thales entities are known as the "Thales Group".

1.1 ENTITIES COVERED BY THIS PRIVACY STATEMENT

This Privacy Statement applies to the following entities: Thales Australia Holdings Pty Ltd; Thales Australia Limited; ADI Group Holdings Pty Ltd; ADI Group Pty Ltd; ADI Munitions Pty Ltd; Australian Defence Industries Pty Ltd; ADI Lithgow Pty Limited; Thales ATM Pty Ltd; Thales Training & Simulation Pty Limited; Thales Underwater Systems Pty Ltd; Thales DIS Australia Pty Ltd; Multos International Pty Ltd; and Thales DIS CPL Australia Pty Ltd.

It does not apply to Tesserent Limited or its subsidiaries.

1.2 WHO THIS PRIVACY STATEMENT APPLIES TO

This Privacy Statement applies to our interactions with customers, suppliers (including contractors), business partners and other persons whose personal information is processed by Thales Australia & New Zealand, as well as the personal information that we collect through your use of our applications and Thales Australia & New Zealand operated websites.

This Privacy Statement does not apply to prospective and current employees, or to our human resources practices and access to our internal information systems.

Thales Australia & New Zealand is bound by the Australian Privacy Principles set out in the Privacy Act 1988 (Cth) (APPs) and, for New Zealand, the Information Privacy Principles (IPPs) in the Privacy Act 2020 when handling your personal information, and other laws that may apply to our processing of your personal information. For individuals located within the European Union, see Part 12 of this Privacy Statement.

1.3 PURPOSE OF THIS PRIVACY STATEMENT

This Privacy Statement outlines how Thales Australia & New Zealand may collect and process your personal information, and how we protect that information. Please read this Privacy Statement carefully, together with any other privacy notice or statement we may provide on specific occasions when we are collecting or processing personal information about you. This Privacy Statement supplements such other privacy notices or statements.

In addition to this Privacy Statement, Thales Australia & New Zealand is subject to a broader Thales Group framework of policies and procedures that ensure we process personal information in accordance with applicable personal information protection laws, including the EU General Data Protection Regulation (2016/679) (GDPR). See Part 12 of this Privacy Statement.

1.4 CHANGES TO THIS PRIVACY STATEMENT

This Privacy Statement may change from time to time, so you should check this statement and our websites periodically for updates. This version of the Privacy Statement was last updated on 1 June 2025.

1.5 FORMAT OF THIS PRIVACY STATEMENT

This Privacy Statement is provided in a layered format so that you can click through to the specific areas set out below.

1. OVERVIEW
2. INFORMATION WE COLLECT
3. HOW IS YOUR PERSONAL INFORMATION COLLECTED?
4. HOW AND FOR WHAT PURPOSES WE USE YOUR PERSONAL INFORMATION
5. IF YOU DO NOT PROVIDE PERSONAL INFORMATION
6. DISCLOSURES OF YOUR PERSONAL INFORMATION
7. INTERNATIONAL TRANSFERS
8. DATA RETENTION
9. DATA SECURITY
10. DIRECT MARKETING
11. ACCESS TO AND CORRECTION OF YOUR PERSONAL INFORMATION
12. THALES AND THE GDPR
13. CONTACT US
14. APPLICATION OF THIS PRIVACY STATEMENT TO OUR WEBSITES

2. INFORMATION WE COLLECT ABOUT YOU

2.1 WHAT IS PERSONAL INFORMATION AND WHAT DO WE COLLECT?

Personal information is information or an opinion, whether true or not, and whether in a recorded material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

We may collect, use, store and transfer different kinds of personal information about you which we have grouped together broadly as follows:

• Identity Data includes first name, maiden name, last name, signature, username, employee number or similar identifier, title or role description. In some cases, we may also collect an image of you (including digital image or photograph) where required, for example for access at our various sites across Australia and New Zealand or use of some of our products or services. We also operate CCTV at some of our sites, and so your image may be captured in our CCTV footage.
• Contact Data includes email address, digital email signature, company/employer, company address, home address, and telephone numbers.
• Profile Data includes your credentials, username and password, purchases, orders, interactions or enquiries made by you on your or your company’s behalf (e.g. if you are an individual business contact of Thales Australia), professional information, such as your role and qualifications, you or your company’s interests, preferences, affiliations, memberships, your purchasing influence and role, feedback and survey responses. We may also collect social media details and App ID details.
• Financial Data includes information about your banking references.
• Usage Data includes information about how you use our websites, applications, products and services, including audit logs.
• Technical Data includes information automatically collected from your device when you visit or use our websites, networks or applications, such as internet protocol (IP) address and login data. Please see Part 14 of this Privacy Statement for further information on how we use cookies.
• Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences, including our events (or events sponsored by us) you may have attended or register to attend, and information provided to us at, or arising out of, these events. Your marketing and communications preferences are handled by us as set out below at Part 10 of this Privacy Statement.

We also collect, use and share aggregated, anonymous data, such as statistical data, for any purpose. Such data may be derived from personal information but is not considered personal information at law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your usage data of our websites to calculate the percentage of users accessing a specific website feature.

2.2 SENSITIVE INFORMATION

In limited circumstances, we may collect sensitive personal information about you. This includes details about criminal convictions and offences. In particular we may require this information in order to comply with export laws, or to allow access to security sensitive information, technologies or sites.

We will only collect and process such information in accordance with applicable laws, including by seeking your consent where required.

3. HOW IS YOUR PERSONAL INFORMATION COLLECTED?

• Direct interactions: You may give us your personal information by filling in forms or by corresponding with us by mail, phone, email, through our websites or otherwise or by using our products and services. This includes personal information you provide when you:
• Visit and use our websites.
• Create an account on our websites, portals, or any other applications or websites used to communicate with you.
• Communicate with us, including via email, text, phone or chat.
• Download marketing or technical material.
• Use our products or services, including our online and/or managed services and any related maintenance and support.
• Use one of our apps.
• Sell or license (or intend/propose to sell or license) products and services to us.
• Enter into other commercial and/or property transactions with us.
• Subscribe to receive our publications or marketing.
• Attend or register to attend sponsored events or other events at which we participate.
• Provide a query or feedback.
• Complete a survey or form (including the “contact us” form on our website or when you register a product for warranty purposes) or provide us with your feedback.
• Third parties or publicly available sources: We may receive personal information about you from various third parties and public (open) sources, including information provided by a company in which you are a shareholder or officeholder, or from your employer, and information about you that is publicly available such as contact details, qualifications and social media details available on the world wide web. You need to confirm separately the level of consents or other permissions you may have given to any third party to share your personal information with us, and this Privacy Statement does not relate to any such consents or permissions.
• Third party information you provide: You may give us personal information about other people, for example your colleagues or employees. If so, you are responsible for ensuring those individuals are aware of this Privacy Statement.

4. HOW AND FOR WHAT PURPOSES WE USE YOUR PERSONAL INFORMATION

4.1 PURPOSES FOR WHICH WE USE YOUR INFORMATION

Depending on which Thales Australia & New Zealand entity you are engaging with, and the context in which you are engaging with us, your personal information may be collected and used for different purposes. We collect and use your personal information for the management, administration and conduct of our business including providing our products/services, managing our business relationships, communication with you, protecting our company and information and complying with laws. This includes the following key purposes:

Providing Products and Services	Thales Australia & New Zealand provides a number of products and services (Products) which involve the processing of personal information. We may need personal information to: provide access to and use of our Products, including to establish software licensing solutions, accounts, access and authorisations; provide training, and support and maintenance services, including helplines; deliver outsourcing, hosting or administration of information technology systems and security (including cyber security) products and services; improve, configure, adapt, set up, test and deliver our Products, such as for human factors engineering conducted for systems we deliver; manage and administer Product warranties and remediation; and conduct open-source intelligence on our customers’ behalf, only as it applies to potential threats to individuals or Australian or New Zealand citizens. In some cases, we may combine personal information from multiple sources when conducting open-source intelligence.
Marketing and communications	Thales Australia & New Zealand engages in sales and marketing activities. We may use personal information to: organise, advertise and/or support attendance of events and training; manage actual and potential business relationships and opportunities; provide you with newsletters, marketing information and other communications, including maintaining contact with existing and prospective customers, and providing information which is relevant to your industry more broadly; manage your opt out preferences; understand use of and navigation on our websites, but not on an individual basis, including for the purposes of improving our website; and manage queries, feedback and suggestions from suppliers, partners, customers and other users of our websites and services.
Management and administration of our business, relationships and opportunities	Thales Australia & New Zealand requires personal information for the daily management and administration of its business, relationships and opportunities. We may need personal information to: manage and administer our current and prospective business relationships, including management of enterprise resources, transactions and contracts; enable us to address your requests and to respond to your communications; manage and engage in bid and tender processes (or similar processes), including to both submit and receive tenders and proposals (or similar); prepare and issue quotes, purchase orders, invoices and related documentation; offer industry capability sessions manage our financial and accounting operations, including managing payments, our accounting, fees, charges and to collect and recover money owed to us; manage our information systems and phone networks, including the implementation of an email system and helpdesk system; and participate in and/or implement research and development projects.
Legal and governance	Thales Australia & New Zealand may be required to process personal information in compliance with laws and implementation of governance procedures. This includes processing of personal information to: comply with (and monitor/report on our compliance with) our legal obligations and assist government and law enforcement agencies, authorities and regulators (including, but not limited to, with respect to export control, tax, partner due diligence, health and safety and anti-bribery and corruption); and manage litigation, disputes, investigations, audits and claims.
Securing our business and sites	Thales Australia & New Zealand also takes the security of our business, sites and information seriously. Our security and operations may require the processing of personal information. This includes processing of personal information for: control and security measures at our sites around Australia, including through implementation of closed-circuit television (CCTV) and reception of visitors and contractors; implementing, monitoring and managing environmental, and health and safety procedures and incidents at Thales Australia & New Zealand’s sites and any project sites; managing and monitoring of security breaches and incidents; implementing procedures for data back-up and business continuity; managing our property interests and portfolio in Australia; and managing the authorisations or accreditations of contractors, suppliers, partners, customers, and other parties for obtaining access to certain Thales Australia & New Zealand sites, protected or sensitive documents, information and technologies.

4.2 LIMITED PURPOSE AND CHANGE OF PURPOSE

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason, and we are permitted to use personal information for that reason under applicable privacy laws. If we need to use your personal information for an unrelated purpose, we will take reasonable steps to notify you of that use .

5. IF YOU DO NOT PROVIDE PERSONAL INFORMATION

Where we need to collect personal information for any of the purposes set out in this Privacy Statement, and you do not provide that data when requested, we may not be able to fulfil those purposes either in part or at all, including providing you with products, services and/or information or otherwise performing the contract we have or are trying to enter into with you, or to facilitate your downloading of technical or marketing material, or our applications.

6. DISCLOSURES OF YOUR PERSONAL INFORMATION

We may share your personal information with the parties set out below for the purposes set out in Part 4.1 above.

6.1 INTERNAL THIRD PARTIES

As we are part of a global organisation with offices and businesses in around the world , we may share your personal information with other Thales Group entities. For more information about Thales Group companies see section 1.1 above (in respect of Thales Australia & New Zealand) and additionally our website at https://www.thalesgroup.com/en.

6.2 EXTERNAL THIRD PARTIES

We do not sell or otherwise transfer your information to external third parties for their own marketing purposes. We may however share your information with third parties as follows:

• Service providers. We may share your information with our service providers (for example, IT services and hosting providers, logistic companies or travel or events service providers) to perform services for us on our behalf, including to assist us with our websites, products and services, managing our accounting and payments, management our enterprise resources, and improving our websites and services.
• Professional consultants and advisers including lawyers, bankers, auditors, consultants and insurers.
• Other entities identified at the time of collecting your personal information or to which we are legally required to disclose your personal information.
• Third parties to whom we may choose to sell, transfer, or merge parts of our business (or any of our companies) or our assets.

We may also share information with regulators, government bodies, law enforcement agencies and other authorities who require the provision of information in certain circumstances.

7. INTERNATIONAL TRANSFERS

When we process or share your personal information within Thales Group, your personal information may be transferred outside of Australia and New Zealand to the countries in which Thales Group operates. This may include the transfer of your personal information to the European Economic Area, Canada, China, India, Indonesia, Japan, Singapore and the United States of America. For more information on where we operate, see our Thales Group website https://www.thalesgroup.com/en.

For external third parties (i.e. outside of Thales Group), the recipients to whom Thales Australia & New Zealand discloses personal information outside of Australia, including our third-party service providers who have locations overseas, are likely to be located in India, Japan, the European Economic Area and the United States of America.

For all personal information handled or processed outside of Australia and New Zealand, we take reasonable steps to ensure that it is handled in accordance with all applicable laws including the APPs and/or IPPs. Where the GDPR applies to such transfers, we first implement appropriate safeguards, including, where applicable, by signing the standard contractual clauses of the European Commission with the entity which processes the personal information.

8. DATA RETENTION

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements, or for any secondary purpose permitted by the APPs and/or IPPs.

9. DATA SECURITY

We store most information about you in computer systems and databases operated by either us or our external service providers. Some information about you is recorded in paper files that we store securely.

Data security is at the heart of our company. We take commercially reasonable technical, administrative, organisational and physical security measures to ensure that the personal information we hold about you is protected from loss, misuse, unauthorised access, disclosure, alteration and destruction.

We have put in place procedures to deal with any suspected personal information breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

10. DIRECT MARKETING

If we collect any information from you for direct marketing purposes, including where you subscribe to newsletters on our websites and trade shows, and you no longer wish us to use your personal information for direct marketing or related online communications from us, you can at any time opt out of receiving direct marketing and communications from us by:

• clicking the 'stop' and/or ‘unsubscribe’ link at the bottom of the newsletter, advertisement or other communication received from us (as applicable); and/or
• writing to us at unsubscribe@thalesgroup.com.au to ask us to stop and remove you from our marketing lists.

If you do opt out of receiving direct marketing materials from us, we will no longer use your information for this purpose.

11. ACCESS TO AND CORRECTION OF YOUR PERSONAL INFORMATION

In accordance with our privacy obligations, you may ask us to make your personal information accessible to you by providing a copy of the relevant information (ordinarily in the form of an electronic copy). We may charge you a fee for the reasonable costs of providing such access. You can also ask us to correct any inaccurate, out‑of‑date, incomplete, irrelevant or misleading personal information that we hold about you. Circumstances and applicable law (including exemptions under such laws) will impact how these rights apply.

If you wish to exercise your rights under the privacy laws, you can contact Thales Australia & New Zealand by reaching out to our Privacy Officer using the details set out in Part 13 of this Privacy Statement.

We may need to request specific information from you to help us confirm your identity and ensure your personal information is up-to date and accurate. This is a security measure to ensure that personal information is not disclosed to a person who does not have the right to receive it.

We will try to respond to all legitimate requests within 30 days. Occasionally it may take us longer than 30 days if your request is particularly complex or you have made a number of requests. In this case, we will endeavour to notify you and keep you updated.

12. THALES AND THE GDPR

12.1 THALES AND THE GDPR

In order to ensure compliance with its obligations under the EU General Data Protection Regulation (2016/679) ("GDPR"), Thales Group has adopted binding corporate rules (“BCR”) which have been approved by the French data protection authority, the CNIL, by decisions No. 2023-144 and No. 2023-145 dated 21st December 2023.

The BCR apply to Thales Australia & NZ if it processes personal information to which the GDPR applies.

12.2 LEGAL BASIS

For our processing activities under this Privacy Statement that are covered by the GDPR, generally one or more of the following are the legal basis we rely on to justify the use of your personal information:

• where it is necessary to comply with our legal obligations (such as tax, health and safety, and anti-corruption laws);
• where it is necessary to enter into or perform our contract with you;
• where it is necessary to achieve a legitimate interest that we pursue. Such interests include: delivering and improving our products and services; ensuring the security and protection of our solutions, sites, websites, and information assets; carrying out our marketing activities; the proper communication and exchange of information between you and Thales; and managing and administering our contractual relationships, business relationships and corporate operations; and
• your consent, where we are required at law to obtain that consent. Subject to applicable laws, you are free to withdraw your consent at any time. This will not affect the validity of the processing based on your consent before you withdrew it.

12.3 DATA SUBJECT RIGHTS

If the GDPR applies to you, in addition to the rights identified at Part 11 above, you may also be entitled to seek the erasure of your personal information that we no longer have a lawful ground to use, or request the restriction of our processing. In some cases, you have the right to ask for receiving, in a structured and standard format, your personal information which we process by automated means. Circumstances and applicable law (including exemptions under such laws) will impact whether and how these rights apply.

12.4 CONTACTING THALES

You can contact Thales Group at any time about the processing of your personal information in accordance with the GDPR by reaching out to the Thales Group Data Protection Officer. See Part 13 of this Privacy Statement.

13. CONTACT US

If you have any complaints, questions or comments on how we process or handle your personal information, about this Privacy Statement, or if you wish to access or request correction of the personal information we hold about you, you can contact the Thales Australia & New Zealand Privacy Officer by sending an email to the following address: AUSPrivacy@thalesgroup.com.au .

If you remain unsatisfied with the way in which we have handled a privacy issue, you may approach an independent advisor or contact the Office of the Australian Information Commissioner (www.oaic.gov.au) if you are in Australia, or the Office of the Privacy Commissioner (www.privacy.org.nz/) if you are in New Zealand, for guidance on alternative courses of action which may be available.

You can also contact the Thales Group Data Protection Officer about the processing of your personal information in accordance with the GDPR at any time by sending an email to the following address: dataprotection@thalesgroup.com. We recommend in the first instance however that you contact the Thales Australia & New Zealand Privacy Officer.

14. APPLICATION OF THIS PRIVACY STATEMENT TO OUR WEBSITES

14.1 THALES GROUP WEBSITES

When you visit or use the Thales Group website, the Thales Group Privacy Notice and Cookies Policy will apply. You can find a copy of these here: https://www.thalesgroup.com/en/privacy-notice. This Privacy Statement does not apply to the Thales Group website.

14.2 THALES AUSTRALIA & NEW ZEALAND WEBSITES

This Privacy Statement applies to all information collected via any Thales Australia & New Zealand operated websites, including:

• www.adiworldclass.com.au
• www.australian-munitions.com.au
• www.lithgowarms.com
• www.mulwalacommunitysafety.com.au/

14.3 CHILDREN

Our websites and apps are not intended for children, and we do not knowingly collect personal information or other data relating to children.

14.4 THIRD PARTY LINKS

Our websites and apps may include links to websites, plug-ins, applications and other resources operated by third parties other than Thales Australia & New Zealand or the Thales Group. Such third-party links are provided solely as a convenience to you. Thales Australia & New Zealand does not control or endorse such third-party links. Clicking on those third-party links or enabling those connections may allow third parties to collect or share information and data about you. We recommend you read the terms and conditions and privacy policies imposed by any such third parties.

14.5 COOKIES

Our websites use “cookies” to maintain a record of your visit to our site, distinguish users and track your use of our products and services. A “cookie” is a file that websites send to a visitor's computer or other internet-connected device to uniquely identify the visitor’s browser or to store information or settings in the browser.

Cookies help us to improve our websites, and to deliver more personalised service by enabling us to distinguish users; assist you in navigation; allow us to analyse your use of our products, services and applications; and provide you with our products and services. We make use of third parties, such as Google Analytics, Mailchimp and WordPress, for such purposes. Please note that these third parties may use cookies and other tracking technologies which collect information to perform their services. We do not share personal information that we collect directly with these third parties.

Most web browsers automatically accept cookies. You can control how cookies are used on your computer or device by changing your browser settings. If you disable cookies from your browser, you may not be able to access certain sections of our websites or services. If you use a different browser of device to visit our websites, you will have to tell us your preferences again.

For more information on cookies please visit the Thales Group Cookies Policy available here https://www.thalesgroup.com/en/worldwide/cookies-thalesgroup.

14.6 IP ADDRESSES

An IP address is a computer’s numeric address by which it can be located within a network. Thales Australia & New Zealand may record your IP address when you visit or use services or features on our websites. Thales Australia & New Zealand may use your IP address for the purposes noted in section 4 above, and also to help diagnose problems with its server, or to administer its site or services.