1. Definition and Interpretation

1.1 The terms “data user”, ”data processor”, ”data subject”, ”personal data” and “processing” shall have the meanings ascribed to them in the Personal Data Protection Act 2010 of Malaysia (the “Act”).

1.2 For purpose of this Personal Data Protection Act, the data processor shall refer to the Consumer and the data user shall refer to the Company.

2. Data Processor’s Personal Data Obligations

The data processor shall process all personal data on behalf of the data user and/or provided by the data user (as the case may be) from time to time only for the performance of the data processor’s obligations.

3. Processing of personal data

3.1 The data processor shall ensure that all the personal data that is in its possession is accurate, complete and up-to-date and to notify the data user in writing of any changes and updates on the personal data from time to time.

3.2 The data processor shall provide full co-operation to the data user to ensure the full compliance with the Act.

4. Non-Disclosure

4.1 The data processor shall not disclose the personal data to any third party unless prior written consent is obtained from data user.

4.2 The data processor shall treat all personal data received as confidential in nature and shall ensure that access to the personal data is only limited to relevant employees for the purpose of performing his/her functions (the “Employees”) and which Employee shall be required by the data processor to comply with this Act.

4.3 The data processor shall ensure that its agents, subcontractors and/or authorised personnel (the “Workers”) and the Employees are fully aware of their obligations under the Act in relation to the protection, handling and security of the personal data of which the Workers and the Employees have and/or may have access to.

4.4 The data processor shall not cause or permit the personal data to be transferred outside Malaysia without the prior written consent of the data user, and where the data user consents to such transfer, it shall comply with:

(a) the obligations of data user under the Act and shall ensure that the personal data will not in that place be processes in any manner which if the place is Malaysia, would be contravention of the Act;

(b) any instructions notified to it by the data user.

5. Request in relation to personal data by third parties

 The data processor shall immediately notify the date user in writing of any requests by any parties to access, to investigate and/or to rectify the personal data and/or any complaint in respect of the personal data.

6. Security

6.1 The data processor shall process the personal data in a safe and secure manner.

6.2 The data processor shall implement practical technical, operational and organizational measures to protect the personal data against any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.

6.3 The data processor shall notify data user the secure measurements taken by them in processing the personal data.

6.4 The data processor shall immediately inform data user in writing upon the occurrences of the following (the “Data Security Breach”):

(a) any unauthorised usage and access to the personal data causing the personal data to be deleted, misused, modified, altered or destroyed; and / or

(b) any reason to believe that the Workers and the Employees have or may have obtained unauthorised access to the personal data which compromises the security, integrity and confidentiality of the personal data or if it would result in a breach of the Act and/or any other personal data protection law.

7. Data Security Breach

7.1 In the event of a Data Security Breach, the data processor shall:

(a) immediately take all actions required and necessary to investigate, rectify, mitigate, remediate the Data Security Breach, including but not limited to identifying the affected personal data and to stop and reduce further Data Security Breach and to take preventive measurements to secure the personal data; and

(b) provide information and assistance needed to enable data user to evaluate the Data Security Breach.

8. Covenants & Indemnities

8.1 The data processor shall comply strictly with:

(a) all applicable laws and regulations pertaining to the protection of the personal data; and

(b) all policies and guidelines in relation to personal data protection provided by data user to data processor from time to time.

8.2 The data processor shall grant full access to data user upon request to inspect and conduct audits on data processor, the Workers and the Employees and also on the personal data in all forms under the possession and control of all parties to ensure full compliance with the Act, the provisions of this Letter of Appointment and the policies and guidelines provided by data processor.

8.3 The data processor shall indemnify data user against all costs, fines, damages, claims and expenses (if any) due to any breach of the provisions of the Act, non-compliance with the Act and/or any other applicable laws in connection.