ACE EV GROUP
Policy and Process for Overseas Transfer of Personal Information

Document Number: GOV-POL-008
Version: 2.1
Effective Date: [Date of Approval]
Review Date: [Date] (Annually, or following significant legal change)
Authorised by: [Chief Privacy Officer / General Counsel]

1.0 Purpose and Scope

1.1 Purpose
This document establishes the formal policy and operational processes governing the cross-border transfer of Personal Information by ACE EV Group and its subsidiaries. Its purpose is to facilitate global business operations while managing compliance obligations under Australian Privacy Principle (APP) 8 and Section 16C of the Privacy Act 1988 (Cth), through the strategic application of legal exceptions and risk-mitigated pathways.

1.2 Scope
This policy applies to:

  • All employees, contractors, and agents of ACE EV Group.
  • All disclosures or transfers of Personal Information to recipients located outside Australia.
  • All forms of Personal Information, including but not limited to customer data, Connected Vehicle Data, employee data, and supplier data.

2.0 Policy Statement & Risk-Managed Approach

ACE EV Group operates globally and must transfer Personal Information overseas to deliver innovative products and services. Our approach prioritises business continuity and risk management. We will utilise all available legal exceptions to minimise operational constraints and liability exposure under APP 8.

ACE EV Group’s primary objectives are:

  1. To maximise the use of exceptions (particularly Informed Consent) that remove APP 8 obligations and associated Section 16C accountability.
  2. To diligently apply the “reasonable steps” framework only where exceptions cannot be practically employed.
  3. To ensure contractual terms with overseas recipients robustly limit our liability and indemnify us for their breaches.

3.0 Strategic Legal Pathways for Overseas Transfer

Overseas transfers of Personal Information shall be conducted under the following pathways, listed in order of strategic preference:

3.1 Preferred Pathway: Exceptions Eliminating APP 8 Accountability
These pathways are preferred as they remove the application of APP 8 and the associated accountability for the recipient’s actions under Section 16C.

  1. Informed Consent (Primary Mechanism): For all non-essential data processing, especially with recipients in jurisdictions without adequacy (e.g., USA). By obtaining valid consent, APP 8 obligations—including the requirement to take “reasonable steps” and accountability for the recipient’s actions—do not apply.
  2. Prescribed Country or Scheme: If and when prescribed by regulation, transfers to these jurisdictions will proceed without the need for “reasonable steps.”
  3. Contractual Necessity (APP 8.2(a) & (b)): We will interpret the necessity of a transfer for contract performance broadly to support global service delivery.
  4. Permitted by Law: Transfers required under foreign lawful requests will be assessed and complied with as necessary, following internal legal review.

3.2 Secondary Pathway: Reasonable Steps with Liability Mitigation
This pathway is used only when exceptions in 3.1 are not viable. It triggers APP 8 accountability; therefore, robust contractual risk-shifting is mandatory.

  • Contractual Safeguards: All agreements must include clauses that not only oblige the recipient to comply with APPs but also provide:
    • Full Indemnification: The recipient must indemnify ACE EV Group for all losses, penalties, and costs arising from their breach of the agreement or privacy laws.
    • Liability Cap Exclusion: Indemnities for data breach and privacy law violations are uncapped.
    • Audit & Enforcement Rights: Unilateral rights to audit and enforce compliance.

4.0 Types of Data and Strategic Transfer Framework

| Data Category | Primary Transfer Strategy | Rationale & Risk Management |
|---|---|---|
| Core Telematics Data | APP 8.2(a) Exception (Contract Performance) | Argued as necessary for basic vehicle functionality and safety. Contractual indemnities with cloud provider. |
| Customer Contact & Transaction Data | Informed Consent (obtained during account creation) | Prefers the consent exception. Fallback to “reasonable steps” with indemnified contracts. |
| Sensitive Vehicle Data | Informed Consent (explicit, feature-specific opt-in) | Mandatory use of consent. Clear disclosure that APP 8 protections will not apply. |
| Employee Data | Contractual Necessity or Consent (in employment agreement) | Incorporated as a condition of employment for global HR management. |

5.0 Operational Implementation: Maximising Exceptions & Minimising Exposure

Step 1: Exception-First Assessment
All new data flow proposals must first justify why a Section 3.1 exception (especially Consent) cannot be used. The default position is to seek an exception pathway.

Step 2: Strategic Consent Architecture

  • Consent requests will be designed to be broad, covering categories of recipients and purposes to maximise operational flexibility.
  • The disclosure for consent must state: “By consenting, you acknowledge that APP 8 of the Privacy Act will not apply to this disclosure. This means ACE EV Group will not be required to ensure the overseas recipient complies with Australian privacy law, and you may not be able to seek redress under the Privacy Act against ACE EV Group for any mishandling of your information by the recipient.”
  • Consent will be bundled with desirable product features to encourage uptake.

Step 3: Contractual Risk Transfer
For any transfer under Section 3.2, the Legal Team’s primary objective is to secure the indemnification and liability clauses specified in Section 3.2. This contractually shifts the financial and regulatory risk to the overseas recipient.

6.0 Individual Rights & Limitation Management

  1. Withdrawal of Consent: While individuals may withdraw consent, we will clearly communicate that this will result in the loss of specific features or services, creating a practical disincentive for withdrawal.
  2. Access and Correction: For transfers under exceptions (3.1), our practical ability to correct data held by overseas recipients may be limited. We will commit only to forwarding correction requests to the recipient.
  3. Breach Management: In the event of a breach by an overseas recipient:
    • If the transfer was under a Section 3.1 Exception, our notification obligations under the NDB scheme are significantly reduced as APP 8 accountability is not engaged.
    • If under Section 3.2, we will immediately enforce the recipient’s contractual obligation to indemnify us for all costs related to the breach, including regulatory penalties.

7.0 Roles and Responsibilities

| Role | Responsibility |
|---|---|
| Chief Privacy Officer | Ensure the strategic preference for exceptions is followed. Approve risk assessments. |
| Legal & Compliance Team | Draft exception-maximising consent language and iron-clad indemnity contracts. Defend the company’s position in audits or investigations. |
| Product Managers | Design user flows that integrate consent as a gateway for popular features. |
| All Staff | Follow this policy and utilise approved transfer pathways only. |

8.0 Policy Governance

This policy is designed to protect ACE EV Group’s interests first and foremost. It will be reviewed annually to incorporate new legal exceptions, regulatory interpretations, or business practices that further reduce our compliance burden and liability exposure.

Approval

This policy has been approved by:

Name: _________________________
Title: Chief Privacy Officer
Signature: _________________________
Date: ___ /___ /_____

Internal Document Only – Not for Public Release
Controlled Distribution. A separate, simplified public-facing summary is published at: www.aceelectricvehicles.com.au/privacy
