The grocery giant is collecting the personal data of its customers.

The grocery giant is collecting the personal data of its customers. Photo: Melissa Adams

Only a handful of the millions of customers Woolworths serves have used a new law to ask about personal data the grocery behemoth has collected about them.

Customers can request their personal data from companies and ask about how it has been used, but Woolworths has been contacted only six times with such requests since the law came in on Wednesday.

Woolworths' privacy policy also reveals some key differences with its main competitor Coles.

While Coles released details of 23 countries it was sending customer data to as the new privacy laws came into force, Woolworths has listed just three countries - New Zealand, Switzerland and the United States.

A reinsurer Woolworths uses for some of the insurance it offers uses computer systems in Switzerland and the US to store insurance-related personal information. The new privacy laws force companies to reveal which countries they send their data to only ''if it is practicable''.

''We satisfy that requirement,'' a Woolworths spokesman said.

The Woolworths policy says the locations of companies that store their customers' personal data may change from time to time ''for reasons which include data protection and processing efficiency''.

''Where these services are used by us, it is not practical for us to notify you of which country your personal information may be located in,'' the policy says.

Personal information is defined as data that identifies someone or allows a person's identity to be ascertained.

Personal data about customers can include name, contact and household details, transaction history and buying habits.

NSW Council for Civil Liberties president Stephen Blanks said he had doubts about whether the Australian Privacy Principles would restrict such personal data from being used in direct-marketing campaigns.

''There should be a lot less direct marketing without explicit consent,'' he said, although noting there were still some grey areas.

The principles state an organisation can use the data in direct marketing if the individual would reasonably expect it to use or disclose the information for that purpose, or there is a simple way to request not to receive direct-marketing communications from the organisation.