PDPA
Personal Data Protection Act
Personal Data – What?
“Personal Data” means any information relating to an identified or identifiable natural person
The categories of Personal Data that we collect directly from you or from third parties depend on the circumstances of collection and on the nature of the service requested or transaction undertaken. It may include:
a) PERSONAL INFORMATION that links back to an individual (including home address, email address, phone number, gender, marital status, date of birth, signature, National identification number or passport number (or other identification numbers as appropriate), nationality and place of birth;
b) CONTACT INFORMATION including emergency contact information;
c) PAYMENT INFORMATION (including Bank account details and credit card details);
d) HEALTH INFORMATION;
e) TECHNICAL INFORMATION, required from time to time for our business operations including planning and management; and
Personal Data – How We Collect?
We may collect and receive Personal Data directly from you or from your authorised representatives (i.e. persons whom you have authorised, persons who have been validly identified as being you or your authorised representative from third parties (e.g., service providers) or the Personal Data of your relatives or principal where you disclose same on their behalf, including when you:
a) use any of our services which require you filling in forms for us (whether electronic or not); or
b) use or access our Website or Mobile Apps, social media platformsincluding, but not limited to, traffic data, location data, weblogs and other communication data, and the resources that you access.; or
c) communicate with us such as by email, telephone, in writing or through our customer services pages or social media platforms, we may keep a record of that correspondence.
d) provide information to us including those as part of a business relationship or contract.
We may receive your Personal Data from other entities within our group of companies under PADIBERAS NASIONAL BERHAD 199401009835 (295514-U) (‘BERNAS GROUP’)
We may also collect your Personal Data from publicly available sources through our Website or Mobile Apps and other channels including social media platforms and third party providers or our subcontractors where you have consented to providing your Personal Data to them or where we subcontract them to assist us in providing services to you (e.g. security services, event management, transportation and logistics providers)
Where you disclose Personal Data on behalf of another person, you undertake and will ensure that the individual whose Personal Data is supplied to CSR has authorized the disclosure, is informed of and consents to the terms and conditions of this Privacy Notice. Where the disclosure if in respect of a child’s Personal Data, you should do as only as the parent or legal guardian of that child and enter into relevant contracts on behalf of that child.
Personal Data – Purpose for Our Use?
We may use your Personal Data for the following purposes:
a) to enable us to provide our services and perform our obligations to you.
b) to process any commercial transaction
c) to protect the safety and well-being of yourself
d) to investigate and respond to claims and inquiries from you;
e) for business development purposes such as statistical, research and marketing analysis, systems testing, maintenance and development, quality assurance, customer surveys, customer relations to help us in any future dealings with you, for example by identifying your requirements and preference;
f) to customise the content in our website, mobile application or social media platform according to your needs, preferences and personality;
g) to share your Personal Data with our selected partners or/and our group of companies within BERNAS GROUP to enable us and/or our partners to personalise the services or products offered to you;
h) to comply with any legal or regulatory requirements;
i) to communicate and facilitate promotions, offers, product, services and information on products and activities, or other notifications in relation to your preferred purchases.
j) to allow you to participate in our programmes or features via our website or/and mobile application and/or social media platform when you opt to do so; and/or
k) to operate our competitions, promotions, programmes and events via our newsletters and other communications offered by CSR, any group of companies under BERNAS GROUP.
Some of the Personal Data processing above may be an optional service. You may choose not to receive these emails at any time by following the unsubscribe link at the bottom of each such email or email to legal-unit@central-sugars.com.my to request for removal of subscription notification. Kindly note we may not be able to optimise your user experience when using our products or services by doing so.
Legalities & Fundamentals: Processing Your Personal Data with A Basis
There are a number of different ways that we are lawfully able to process your Personal Data. We have set these out below.
| CATEGORY OF USE | RATIONALE | EXAMPLE |
|---|---|---|
| Carrying Out Contractual Obligations | We shall be allowed to use your Personal Data for carrying out contract obligations with you. | We need to collect the contact details of your PIC in order to communicate on the progress of contractual deliverables. |
| Carrying Out Legal Obligations | We shall be allowed to use your Personal Data when we are compelled by statutory obligations. | Where we need to disclose personal data to enforcement authorities to cooperate on their ongoing investigations. |
| Carrying Out Initiatives Within Our Legitimate Interest | We shall be allowed to use your Personal Data, it is in our interests to do so, and those interests are not outweighed by any potential prejudice to you: To keep our systems and physical premises secure and uninhibited by unauthorized access and/or cyberattacks. To process payments and comply with our accounting and tax obligations. To provide medical insurance cover where you are related to an employee of our companies. To investigate complaints and suspected suspicious transactions. | Where we need you to disclose you MY KAD details and contact details to our Security Officials prior to entry as a visitor into our premises. We currently ask for your consent to provide you with our marketing materials and updates. |
| Explicit Permission Provided To Us | We are likely to provide a tick box for you to check so that this requirement is met in a clear and unambiguous fashion – we therefore avoid "bundling" consents together so that you know exactly what you're agreeing to; You will be given enough information so that you know what you’re agreeing to. |
Your information is necessary to us. if you do not provide all of the personal data that we request from you, we may not be able to fulfil any or all of the functions set out in above, or in some cases, may not be able to continue with our relationship.
Please note that the above list of the ways in which we may use your personal data is not exhaustive. You have the right to withdraw your consent at any time by sending an email to legal-unit@central-sugars.com.my.
Rights – What You Need to Know
You have various rights in relation to the Personal Data which we hold about you as follows:
- RIGHT TO OBJECT
This right enables you to object to us processing your Personal Data where we do so for one of the following reasons:
- because it is in our legitimate interests to do so;
- to enable us to perform a task in the public interest or exercise official authority;
- to send you direct marketing materials; or
- for scientific, historical, research, or statistical purposes.
- RIGHT TO WITHDRAW CONSENT
Where we have obtained your consent to process your Personal Data for certain activities (for example, for marketing), you may withdraw this consent at any time and we will cease to use your data for that purpose unless we consider that there is an alternative legal basis to justify our continued processing of your data for this purpose, in which case we will inform you of this condition.
In particular, you may elect to stop receiving promotional activities by:
a) unsubscribing from the mailing list;
b) editing the relevant account settings to unsubscribe; or
c) sending a request to legal-unit@central-sugars.com.my.
- DATA SUBJECT ACCESS REQUESTS
You may ask us for a copy of the information we hold about you at any time, and request us to modify, update or delete such information. If we provide you with access to the information we hold about you, we will not charge you for this. If you request further copies of this information from us, we may charge you a reasonable administrative cost. Where we are legally permitted to do so, we may refuse your request. If we refuse your request, we will always tell you the reasons for doing so.
4. RIGHT TO ERASURE
You have the right to request that we “erase” your Personal Data in certain circumstances. Normally, this right exists where:
- The data are no longer necessary;
- You have withdrawn your consent to us using your data, and there is no other valid reason for us to continue;
- The data has been processed unlawfully;
- It is necessary for the data to be erased in order for us to comply with our obligations under law; or
- You object to the processing and we are unable to demonstrate overriding legitimate grounds for our continued processing.
We would only be entitled to refuse to comply with your request for erasure in limited circumstances and we will always tell you our reason for doing so.
When complying with a valid request for the erasure of data we will take all reasonably practicable steps to delete the relevant data.
5. RIGHT TO RESTRICT PROCESSING
You have the right to request that we restrict our processing of your Personal Data in certain circumstances, for example if you dispute the accuracy of the Personal Data that we hold about you or you object to our processing of your Personal Data for our legitimate interests. If we have shared your Personal Data with third parties, we will notify them about the restricted processing unless this is impossible or involves disproportionate effort. We will, of course, notify you before lifting any restriction on processing your Personal Data.
6. RIGHT TO RECTIFICATION
You have the right to request that we rectify any inaccurate or incomplete Personal Data that we hold about you. If we have shared this Personal Data with third parties, we will notify them about the rectification unless this is impossible or involves disproportionate effort. You may also request details of the third parties that we have disclosed the inaccurate or incomplete Personal Data to. Where we think that it is reasonable for us not to comply with your request, we will explain our reasons for this decision.
In particular, you may update or make amendments to your Personal Data as below:
a) for online registered customers, you may login to your online account and update your Personal Data; or
b) for every other customer, you may email your request to legal-unit@central- com.my.
7. RIGHT OF DATA PORTABILITY
If you wish, you have the right to transfer your Personal Data between service providers. In effect, this means that you will be able to transfer the details we hold on you to another third party. To allow you to do so, we will provide you with your data in a commonly used machine-readable format so that you can transfer the data. Alternatively, we may directly transfer the data for you.
8. RIGHT TO COMPLAIN
You have the right to lodge a complaint with our regulator, who is the Commissioner of Personal Data Protection in Malaysia. In a country other than Malaysia, you may access to the privacy regulators for each Member State are listed (along with contact details) by clicking the link here or accessing the website from https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm
Please get in touch with us about advice regarding the above-mentioned rights:
CSR LEGAL UNIT – CEO’s OFFICE DIVISION
1st Floor, Main Building
Batu Tiga, 40000 Shah Alam,
Selangor, Malaysia.
Email: legal-unit@central-sugars.com.my.
We will seek to deal with your request without undue delay, and in any event within one month (subject to any extensions to which we are lawfully entitled). Please note that we may keep a record of your communications to help us resolve any issues which you raise.
Your Personal Data – To Whom Do We Disclose?
We will not trade or sell your Personal Data to third parties. Your Personal Data shall only be disclosed or transferred to the following third parties appointed or authorised by the CSR, who may be located within or outside Malaysia:
a) our group of companies within CSR and BERNAS GROUP to provide services, products or personalised offers or/and messages;
b) IT service providers;
c) data analytics including search engine providers and/or marketing agency which assist us to improve and optimise your experience in using our website and mobile application;
d) advertisers and advertising networks which require certain data to offer relevant adverts to you and/or other selected partners to provide better customised offers, promotions, or/and personalised messages to you or others;
e) other third parties in order to process your commercial transactions;
f) legal bodies as permitted or required by law such as in compliance with a warrant or subpoena issued by a court of competent jurisdiction; and/or
g) regulatory authorities applicable to you;
h) safety and security personnel.
In addition to the above, your Personal Data may also be disclosed or transferred to any of the CSR’s actual and potential assignee, transferee or acquirer (within or outside Malaysia) (including our affiliates and subsidiaries) of our business, assets or group companies, or in connection with any corporate restructuring or exercise including the restructuring to transfer the business, assets and/or liabilities.
We shall take reasonable and practical steps in accordance with the law and acceptable industry standards to ensure that their employees, officers, agents, consultants, contractors and such other third parties mentioned above who are involved in the collection, use and disclosure of your Personal Data will observe and adhere to the terms of this Privacy Policy.
Your Personal Data – Where Do We store?
We will store your Personal Data in the country in which we are based (i.e. Malaysia). As mentioned, we may also disclose your Personal Data to our group companies and their service providers located in Malaysia and elsewhere.
We want to make sure that your Personal Data is stored and transferred in a way which is secure.
Where we transfer your Personal Data and that country or territory where your data has been transferred, does not maintain adequate data protection standards, we will take all reasonable steps to ensure that your data is treated securely and in accordance with this Privacy Policy.
Your Personal Data – How Do We Secure It?
We will take all reasonable precautions necessary to protect your Personal Data from misuse, interference and loss; and unauthorised access, modification or disclosure. In addition, the CSR will secure your data in following ways:
a) register all those who are allowed access;
b) control and limit access based on necessity;
c) maintain proper record of access and transfer of Personal Data;
d) ensure all employees of the CSR protect confidentiality;
e) conduct awareness programmes to all employees on responsibility to protect Personal Data;
f) establish physical security procedures;
g) bind third parties involved in processing of Personal Data; and
h) do not use removable device and cloud computing service to transfer or store Personal Data unless with written consent from top management of the CSR.
Your Personal Data – Retention Period?
We will not retain your Personal Data longer than necessary for the purposes for which they are collected. However, relevant Personal Data may be retained subject to the conditions below:
a) as and when required under legislation; or
b) where legal actions have arisen and are pending.
c) commercial/operational purposes of CSR
We shall take all reasonable steps to ensure that all Personal Data is destroyed or permanently deleted when no longer required and prepare disposal schedule for inactive data with 24-month period.
Links to third party website
We may link this website and/or our applications to other companies or organizations websites (collectively, “Third Party Sites”). This Privacy Policy does not apply to such Third Party Sites as those sites are outside our control. If you access Third Party Sites using the links provided, the operators of these sites may collect your personal information. Please ensure that you are satisfied with the privacy statements of these Third Party Sites before you submit any personal information. We try, as far as we can, to ensure that all third party linked sites have equivalent measures for protection of your personal information, but we cannot be held responsible legally or otherwise for the activities, privacy policies or levels of privacy compliance of these Third Party Sites.
Access and Update of Your Personal Information
If you still have inquiries or complaints in relation to our handling of your Personal Data or our Privacy Policy or wish to update or correct your personal information, you may do so by contacting our accountable officers via the details below:
CHIEF EXECUTIVE OFFICER / LEGAL MANAGER
CSR LEGAL UNIT – CEO’s OFFICE DIVISION
1st Floor, Main Building
Batu Tiga, 40000 Shah Alam,
Selangor, Malaysia.
Email: legal-unit@central-sugars.com.my.
Changes to This Policy
CSR may review and change this Policy from time to time to reflect changes in the law, our business practices, processes or structure. While it is not generally feasible to notify you of the changes to this Policy, the latest version of this Policy will be available on our website. This Policy is not a contract, nor does it suggest any obligation on our part with another party.
In the event of any inconsistencies between the English version and the Bahasa Malaysia version of this notice, the English version shall prevail.