PERSONAL DATA PROTECTION POLICY

1. PURPOSE

1.1 The Personal Data Protection Act 2010 of Malaysia (“Act”) regulates the processing of personal data in commercial transactions. The Act requires the Company to inform data subjects about personal data that is collected from them and processed by the Company.
1.2 This Policy will act as guidance for the processing of personal data in commercial transactions as well as for employment and charitable purposes, in compliance with the Act.

2. SCOPE

2.1 Definition
2.1.1 The terms “personal data”, “processing”, “commercial transactions”, “data subject” and “relevant person” used in this Policy shall have the meaning prescribed in the Act.
2.1.2 The expression “we” or “us” shall refer to the Company including its subsidiaries, related or associated companies.
2.1.3 The expression “you” or “your” shall refer and include employees, potential employees, former employees, interns, clients, customers, potential customers, vendors, suppliers, contractors, sub-contractors, service providers, distributors, and/or relevant persons such as family members, guardians, parental authorities, dependants, or referees of employee/potential employee/former employee, and authorized representatives receiving, obtaining goods/services from or providing goods/services to the Company.

2.2 Types of Personal Data and Sources of Personal Data
2.2.1 The personal data voluntarily provided by you, your family members, guardians, parental authorities, recruitment agents, your current or previous employer, or your company, during your course of dealings with us in any way or manner including pursuant to any commercial transactions and/or communications made from/with us such as at events organized or participated by the Company and/or obtained independently by us from other lawful sources (if any such as from public depositories, trade/online directories, credit reporting agencies, public domain and other authorized third parties) in our forms, agreements, website, and/or other similar documents may include information concerning your name, address (such as correspondence and permanent address), phone numbers (such as mobile phone, home and office phone numbers), facsimile numbers, email address, identity card number, passport number, specimen signature, age, date of birth, place of birth, gender, weight, height, race, nationality, marital status, country of permanent residence, company name, occupation, salary, job position, vehicles information, sponsoring body details, referee information (such as name of referee, job position, address, contact number and email address), previous examination results, transcripts, academic qualifications, academic records, bank details (such as name of bank, bank’s address and bank account number), images (including photographs) information in audio and/or video format, closed-circuit television (“CCTV”) and security recording, and Sensitive Personal Data, including information concerning your religious belief, health, medical condition, political opinion and criminal conviction information (collectively, “Personal Data”).

2.2.2 By voluntarily providing us with your Personal Data, you are giving consent for us to collect, use and process your Personal Data.

2.2.3 By voluntarily providing us with your Sensitive Personal Data, you give us explicit consent for us to collect, use and process your Sensitive Personal Data, and you acknowledge that the collection of Sensitive Personal Data is necessary to protect your vital interest or the vital interest of others.

2.2.4 You hereby confirm that the Personal Data given by you or obtained from you, your family members, guardians, parental authorities, referees, recruitment agents, your current or previous employer and your company is sufficient, accurate, complete and not misleading and that such Personal Data is necessary for us to provide a commercial or employment related transaction.

2.2.5 If the Personal Data given by you or obtained from you, your family members, guardians, parental authorities, recruitment agents, your current or previous employer and your company is inaccurate or is out of date, you shall notify the Company promptly.

2.2.6 If you choose not to provide such Personal Data or if such Personal Data is insufficient, inaccurate, incomplete and/or misleading, the Company may not be able to provide you with the goods/services you require or the required level of service, or as an employee, you may not be able to enjoy the benefits provided to you as part as your employment with the Company, or as a supplier, vendor, contractor, or sub-contractor of the Company, the Company may not be able to purchase goods and services from you, or as a distributor, the Company may not be able to supply goods and services to you.

2.3 Purposes of Collecting Personal Data
2.3.1 We will process Personal Data in connection with any employment or commercial transactions for any of the following purposes:
2.3.1.1 to communicate with you;
2.3.1.2 to facilitate, process, deal with, administer, manage and/or maintain your relationship with us;
2.3.1.3 to consider and/or process your application/transaction with us;
2.3.1.4 to respond to your enquiries or complaints and resolve any issues and disputes which may arise in connection with any dealings with us;
2.3.1.5 to facilitate your participation in, and our administration of, any events including meetings, talks, celebrations, road shows, contests, promotions or campaigns;
2.3.1.6 to provide you with information and/or updates on our products, services, upcoming promotions or events offered and/or organized by us from time to time by SMS, phone call, email, fax, mail, social media and/or any other appropriate communication channels;
2.3.1.7 to share any of your Personal Data with our business partners to jointly develop products and/or services or launch marketing campaigns;
2.3.1.8 to monitor, review and improve our events and promotions, products and/or services;
2.3.1.9 public disclosure and use of your Personal Data, images, photographs, voice and video recording for publicity purposes without payment or compensation;
2.3.1.10 to conduct credit reference checks and establish your credit worthiness, where necessary, in providing you with the products, services and/or facilities;
2.3.1.11 to administer and give effect to your commercial transactions with us;
2.3.1.12 to process any payments related to your commercial transactions with us;
2.3.1.13 to maintain and improve customer relationship;
2.3.1.14 For any purposes connected with your employment including but not limited to payroll administration, entitlements and benefits, performance monitoring, training and development planning, career development, health and safety administration, succession and contingency planning;
2.3.1.15 to facilitate special requirements such as those relating to any disability or medical condition;
2.3.1.16 to communicate with family members, guardians and authorized representatives in the event of emergency or accident;
2.3.1.17 for internal administrative purposes;
2.3.1.18 for our storage, hosting back-up (whether disaster recovery or otherwise) of your Personal Data, whether within and/or outside Malaysia;
2.3.1.19 to share any of your Personal Data pursuant to any agreement or document which you have duly entered with us for purposes of seeking legal and/or financial advice and/or for purposes of commencing legal action;
2.3.1.20 to carry out due diligence or other monitoring or screening activities (including background checks) in accordance with legal or regulatory obligations or risk management procedures that may be required by law or that may have been put in place by us;
2.3.1.21 to detect, investigate and prevent any fraudulent, prohibited or illegal activity or omission or misconduct;
2.3.1.22 for audit, risk management, compliance and security purposes;
2.3.1.23 to enable us to perform our obligations and enforce our rights under any agreements or documents that we are a party to;
2.3.1.24 to transfer or assign our rights, interests and obligations under any agreements entered into with us;
2.3.1.25 to meet any applicable legal or regulatory requirements and making disclosure under the requirements of any applicable law, regulation, direction, court order, by-law, guideline, circular or code applicable to us;
2.3.1.26 to comply with or as required by any request or direction of any governmental authority or responding to requests for information from public agencies, ministries, statutory bodies or other similar authorities;
2.3.1.27 to enforce or defend our rights and your rights under, and to comply with, our obligations under the applicable laws, legislation and regulations;
2.3.1.28 for the purposes set out in our Recruitment PDPA Notice, Security PDPA Notice, and Marketing PDPA Notice; and/or
2.3.1.29 for other purposes required to operate, maintain and better manage our business and your relationship with us.

2.4 Disclosure of Personal Data (Within and/or Outside Malaysia)
2.4.1 In order to deliver the services you require, you hereby consent and authorize us to disclose your Personal Data to the following parties (within and/or outside Malaysia):
2.4.1.1 our employees, consultants, accountants, auditors, lawyers, advisers, agents, contractors, vendors, co-marketing partner, vendor, suppliers, contractors, sub-contractors, service providers, insurance companies, merchants, distributors and/or financial institutions to provide support and services;
2.4.1.2 the Company’s group of companies including the Company’s parent/holding company, subsidiaries, related and associated companies;
2.4.1.3 successors in title to us;
2.4.1.4 any third party (and its advisers/representatives) in connection with any proposed or actual re-organization, merger, sale, consolidation, acquisition, joint venture, assignment, transfer, funding exercise or asset sale relating to any portion of the Company;
2.4.1.5 your immediate family members and/or emergency contact person as may be notified to us from time to time;
2.4.1.6 any party in relation to legal proceedings or prospective legal proceedings;
2.4.1.7 our auditors, consultants, lawyers, accountants or other financial or professional advisers appointed in connection with our business on a strictly confidential basis, appointed by us to provide services to us;
2.4.1.8 professional bodies, accreditation bodies or statutory regulatory bodies;
2.4.1.9 foreign embassies and agencies appointed by the foreign embassies;
2.4.1.10 Malaysian Immigration Department;
2.4.1.11 government agencies, law enforcement agencies, courts, tribunals, regulatory bodies, industry regulators, ministries, and/or statutory agencies or bodies, offices or municipality in any jurisdiction, if required or authorized to do so, to satisfy an applicable law, regulation, order or judgment of a court or tribunal or queries from the relevant authorities such as but not limited to the Inland Revenue Board, the Employees’ Provident Fund Board, the Social Security Organisation and Bank Negara Malaysia;
2.4.1.12 our business partners, third party product and/or service providers, suppliers, vendors, contractors or agents, on a need to know basis, that provide related products and/or services in connection with our business, or discharge or perform one or more of the above purposes and other purposes required to operate and maintain our business;
2.4.1.13 payment channels including but not limited to financial institutions for purpose of assessing, verifying, effectuating and facilitating payment of any amount due to us in connection with your purchase of our products and/or services;
2.4.1.14 any party nominated or appointed by us either solely or jointly with other service providers, for purpose of establishing and maintaining a common database where we have a legitimate common interest;
2.4.1.15 data centres and/or servers for data storage purposes;
2.4.1.16 storage facility and records management service providers;
2.4.1.17 the general public when you become a winner in a contest, participate in our events, conferences, talks and seminars by publishing your name, photographs and other personal data without compensation for advertising and publicity purposes;
2.4.1.18 any person under a duty of confidentiality to which has undertaken to keep your Personal Data confidential which we have engaged to discharge our obligations to you; and/or
2.4.1.19 any other person reasonably requiring the same in order for us to operate and maintain or carry out our business activities.
2.4.2 You agree not to hold the Company responsible for any loss or damage suffered arising from any access by third party where the Company has taken reasonable steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, errors in transmission, alteration or destruction.

2.5 Changes to Personal Data
2.5 Right to Access and/or Correct Personal Data
2.5.1 To the extent that the applicable law allows, you have the right to request for access to, request for a copy of, request to update or correct, your Personal Data held by us and to request us to limit the processing and use of your Personal Data (such as to stop sending promotional materials to you).
2.5.2 In addition, you also have the right, by notice in writing, to inform us on your withdrawal (in full or in part) of your consent given previously to us subject to any applicable legal restrictions, contractual conditions and a reasonable duration of time for the withdrawal of consent to be effected. However, your withdrawal of consent could result in certain legal consequences arising from such withdrawal. In this regard, depending on the extent of your withdrawal of consent for us to process your Personal Data, it may mean that we will not be able to continue with your existing relationship with us or the contract that you have with us will have to be terminated.
2.5.3 Notwithstanding the foregoing, we reserve our rights to rely on any statutory exemptions and/or exceptions to collect, use and disclose your Personal Data.
2.5.4 If you would like to request for access to or correction of your Personal Data or limit the processing of your Personal data, make any inquires or complaints, kindly submit the Data Subject Access Request Form (Appendix A) to request for access or the Data Subject Correction Request Form (Appendix B) to request for correction to the Company’s Data Protection Officer, details of which are set out below:

Data Protection Officer (“DPO”)
Iconic Worldwide Berhad
No 1-2, Jalan Icon City,
Icon City,
14000 Bukit Mertajam,
Penang, Malaysia
Email: admin.worldwide@iconic.com.my
Phone: +604-504 0588
2.5.5 You are to put your requests in writing for security reasons and verification purposes.
2.5.6 In accordance with the terms of the Personal Data Protection Act 2010, the Company may charge a reasonable fee for the processing of any data access request. The chargeable fee will take into the account the time needed for verifying, locating, retrieving, reviewing and copying the information requested as well as any other associated costs and expenses that may arise from conducting such retrieval. You will be notified of the anticipated fee chargeable, prior to the retrieval of your Personal Data.
2.5.7 In the event we refuse to adhere to your request for access and/or correction to your Personal Data such as when the information requested for is of a confidential commercial nature, we will inform you of our reason for the refusal.

2.6 Changes to Personal Data
2.6.1 We will ensure your Personal Data is accurate, complete and up-to-date where necessary. Therefore, we request that if there are changes to your Personal Data you should notify us directly at the contact details set out above.

2.7 Retention of Your Personal Data
2.7.1 Any of your Personal Data provided to us is retained for as long as the purposes for which the Personal Data was collected continues.
2.7.2 Your Personal Data is then destroyed or anonymized from our records and system in accordance with our retention policy in the event your Personal Data is no longer required for the said purposes unless its further retention is required to meet our operational, legal, regulatory, tax or accounting requirements.

2.8 Security of Your Personal Data
2.8.1 We are committed to ensuring that your Personal Data is stored securely. In order to prevent unauthorized access, disclosure or other similar risks, we endeavour, where practicable, to implement appropriate technical, physical, electronic and procedural security measures in accordance with the applicable laws and regulations and industry standards, and ensure that our employees adhere to the aforementioned security measures, to safeguard against and prevent the unauthorized or unlawful processing of your Personal Data, and the destruction of, or accidental loss, damage to, alteration of, unauthorized disclosure of or access to your Personal Data.
2.8.2 Our security measures are as set out below:
2.8.2.1 ensuring that all employees involved in the processing of personal data are registered or identifiable by their respective departments;
2.8.2.2 only enabling authorized employees and third parties on a strict “need-to-know” basis to access Personal Data;
2.8.2.3 implementing a “Clean Desk Policy”, where all documents at the employees’ workspace at secured at the conclusion of the workday or when employees expect to be away from their workspace for an extended period of time, by placing said documents in locked drawers or cabinets;
2.8.2.4 ensuring all desks and cupboards in which documents are stored are locked before the conclusion of a workday;
2.8.2.5 ensuring all used papers, printed documents or other documents exhibiting personal data are destroyed by using shredding machines or other appropriate methods;
2.8.2.6 ensuring the filing cabinets and filing cabinet rooms are locked, unless an employee is present within the filing cabinet room;
2.8.2.7 ensuring the filing cabinet rooms and server rooms are placed under 24-hour CCTV surveillance;
2.8.2.8 ensuring the IT Department is able to remotely access any lost company devices to remotely wipe the devices or terminate user IDs and passwords from lost company devices;
2.8.2.9 using updated encryption and cyber-security software to protect data and strict security standards on company devices and IT infrastructure;
2.8.2.10 prohibiting the use of removable media devices and cloud computing services to transfer personal data, except with authorization by the top management of the Company; and
2.8.2.11 ensuring all company data is backed up to the company servers with recovery systems in place.
2.8.2.12 We will make reasonable updates to security measures from time to time and ensure authorized third parties only use your Personal Data for the purposes set out in this Policy.
2.8.2.13 Internet Related
2.8.2.14 Security procedures with regard to your electronic communications directly with us. All our employees and data processors, who have access to, and are associated with the processing of your Personal Data, are obliged to respect the confidentiality of your Personal Data.
2.8.2.15 Third party websites and /or links to such third-party websites that are accessible from our website not under the care and control of the Company (if any) do not operate under this Policy and we do not accept any responsibility or liability arising from those websites. Likewise, if you subscribe to an application, content or a product from our strategic partner and you subsequently provide your Personal Data directly to that third party, that Personal Data will be subject to that third party’s privacy/personal data protection policy (if they have such a policy) and not to this Policy.
2.8.2.16 Please be aware that communications over the Internet, such as emails are not secure unless they have been encrypted. We cannot and do not accept responsibility for any unauthorized access or interception or loss of Personal Data that is beyond our reasonable control.
2.8.2.17 The Company collects information about your use of our website from cookies. Cookies are packets of information stored in your computer which assist your website navigation by customizing site information tailored to your needs. Cookies in themselves do not identify the individual user, just the computer used. You are not obliged to accept cookies. If you are concerned, you can set your computer either to accept all cookies, to notify you when a cookie is issued, or not to receive cookies at any time. However, rejection of cookies may affect your use of our website.

2.9 Personal Data from Minors and Other Individuals
2.9.1 To the extent that you have provided (or will provide) Personal Data about your family, spouse and/or other dependents, you confirm that you have explained to them that their Personal Data will be provided to, and processed by, us and you represent and warrant that you have obtained their consent to the processing (including disclosure and transfer) of their Personal Data in accordance with this Policy and, in respect of minors (i.e. individuals under 18 years of age) or individuals not legally competent to give consent, you confirm that they have appointed you to act for them, to consent on their behalf to the processing (including disclosure and transfer) of their Personal Data in accordance with this Policy.

3.0 OTHERS
3.1 We reserve the right to revise or withdraw this Policy as and when deemed necessary. We may review and update this Policy from time to time to reflect changes in the Act. We shall update you of any reviews, updates, and changes to this Policy via an announcement on the website https://www.iconicworldwide.com.my. By continuing:
– to receive or obtain goods/services from us; or
– to provide goods/services to us; or
– to remain in our employment; or
– to enter into or to maintain commercial relationship(s) with us
following the modifications or changes to this Policy shall signify your acceptance to such modifications or changes.

4.0 COVERAGE
4.1 The new policy will be applicable to all data subjects as at the effective date.

5.0 EFFECTIVE DATE
5.1 This Policy will take effect from 1 Jan 2023.