Personal Data Protection Act Policy
Personal Data Policy
As a company that deals regularly with the personal data of its customers, the Company is committed to upholding data protection and privacy in line with the Personal Data Protection Act 2010 (“the Act”).
To comply with the responsibilities under the Act, the Company sets out this policy as a framework for its obligations. The end objective is to ensure that all data processed by the Company is protected and managed in accordance with the latest applicable standards.
Scope
This Policy sets out the responsibilities and obligations of the Company, its Officers, affiliates and third parties acting on its behalf for the collection, processing, use, storage and management of personal data. Any references to the responsibilities of “Officers” shall also be interpreted as the responsibilities of all parties specified under this Policy.
Defining Personal Data
Personal Data means information that identifies customers and shall include but not be limited to the following information:
name, job title and company name;
age, gender, date of birth, identity card number, passport number, photograph;
race, ethnic origin, nationality, physical and mental health;
contact information including address, email address and phone number;
marital status, details of children, occupation, work history, performance reviews, income, employer, references and any other details of past employers;
type of loans applied for in relation to purchase of property;
financial and credit card details, bank name and other pertinent banking information, tax file identification number, EPF number, SOCSO number, criminal history; and
such other relevant information and data provided by the customer in the course of business relationship.
This definition includes information that has been obtained through any means, whether formally or informally, so long as the information is obtained in the course of the business relationship.
“Business relationship” includes all of the Company’s business process and execution, services, client relationship, management and business development activities.
Collection of Personal Data
Officers must collect personal data only by lawful and fair means that have been consented to by the customer, and not in an unreasonably intrusive way.
Officers may obtain personal data about customers from other sources so long as such sources are legal and credible. Examples of such sources are:
official registration forms (either electronic or printed), newsletter subscription or any other promotional events;
official request for information forms that are provided to customers by the Officers;
any queries, emails or other correspondence that Officers have received from customers requesting information or making enquiries;
any ‘contact us’ forms that customers have submitted through the Company’s Platform;
from a government agency or registry or any referrals that Officers may have obtained from existing customers with whom the Company has established a business relationship.
Maintaining the Integrity of Personal Data
The Company shall do the following to protect the personal data from any loss, misuse, modifications, unauthorized or accidental access or disclosure, alteration or destruction:
Register all Officers involved in the processing of personal data.
Terminate the Officer’s access rights in the event of resignation, termination or any adjustment to the Officer’s role in relation to personal data processing.
Control and limit the Officer’s access to personal data on a need-to-know basis. Officers whose roles do not include the necessity of processing personal data shall not be given access. Any access shall be recorded in a register and properly maintained.
Provide user ID and password for Officers to access personal data.
Update the Backup/Recovery System and anti-virus to prevent personal data intrusion.
Safeguard the computer systems from malware threats to prevent attacks on personal data.
Ensure that all relevant agreements between the Company and its Officers, affiliates and third parties include confidentiality obligations in respect of personal data.
Right to Access & Correct Personal Data
Customers have a statutory right to request access to and correction of personal data. In upholding this right, the Company shall ensure that the personal data collected and processed is accurate, complete, not misleading and kept updated.
The Company shall provide an avenue for the correction of personal data, either by way of the Platform or any other means of communication.
The Officers shall update personal data records immediately once a data correction notice is received from a customer.
Disclosure of Personal Data
All personal data must generally be kept confidential by the Officers, save for disclosure to the following categories of parties on a need-to-know basis:
Any persons, government agencies, statutory authorities and/or industry regulators where the Company is compelled to disclose Personal Data pursuant to any law or regulation;
The Company’s affiliates, partners, third parties, service providers, representatives and agents, to provide related and/or supporting services in connection with the Company’s business activities;
The Company’s customer’s auditors, consultants, accountants or any relevant financial institutions or professional advisers;
Counterparties or counterparties’ advisers, agents and representatives in any legal and/or commercial transaction, financial institutions for loan documentation processing, relevant state authority and the Inland Revenue Board.
All disclosure requests must be reviewed by the Legal & Compliance team and approved by the CEO/CSO before the disclosure can be made.
Retention of Personal Data
The Company shall ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it is processed, through the following:
Determine the retention period of all categories of documents or materials containing personal data prior to destroying the data.
Maintain a proper record of personal data disposal periodically and make such records available for submission when directed by the Personal Data Protection Commissioner.
Review and dispose of all unwanted personal data that is in the database of the Company periodically.