Personal Data Protection Policy

1.      INTRODUCTION

1.1  This personal data protection policy (“Policy”) applies to Oxford Innotech Berhad (“Company”) and its subsidiary companies (“Group”).

1.2   This Policy applies to personal information about individuals as defined in Section 2.1 herein (customers, vendors, distributors, suppliers, service providers, joint venture/business partners, job applicants, employees) held by us (“Personal Data”). We will only process Personal Data in accordance with the Personal Data Protection Act 2010, the applicable regulations, guidelines, orders made under the Personal Data Protection Act 2010 and any statutory amendments or re-enactments made to the Personal Data Protection Act 2010 from time to time (collectively referred to as the “PDPA”) as well as this Policy.

1.3   This Policy sets out the rights of all individuals from whom we collect the Personal Data (“Data Owners”) and we are committed to protecting and safeguarding the Personal Data in accordance with the PDPA.

1.4   By providing Personal Data to us and/or continuing access to our website (“Site”), Data Owners declare that they have read and understood this Policy and agree to us processing the Personal Data in accordance with the manner as set out in this Policy.

1.5   We reserve the right to modify, update and/or amend this Policy from time to time with reasonable prior notice to the Data Owners. We will notify the Data Owners of any amendments via announcements on the Site or other appropriate means. Please check the Site from time to time to see if there are amendments to this Policy. Any amendments to this Policy will be effective upon notice to the Data Owners. By continuing to use the services and/or access to the Site after being notified of any amendments to this Policy, the Data Owners will be treated as having agreed to and accepted those amendments.

1.6   If the Data Owners do not agree to this Policy or any amendments to this Policy, we may not be able to render all services to them and they may be required to terminate the relevant agreement with us and/or stop accessing or using the Site.

2.      COLLECTION OF PERSONAL DATA

2.1    The term “Personal Data” means any information in our possession or control that relates directly or indirectly to an individual to the extent that the individual can be identified or is identifiable from that and other information in our possession, such as name, address, telephone number, Identification/Passport number, date of birth, photograph, email address, household information, etc. as well as Sensitive Personal Data as defined under the PDPA, which includes but is not limited to, information pertaining to the physical or mental health or condition of a data subject and religious beliefs.

The types of Personal Data collected depend on the purpose of collection. We may “process” Personal Data by way of collecting, recording, holding, storing, using and/or disclosing it.

2.2    Personal Data may be collected from the Data Owners during the course of dealings with us in any way or manner including pursuant to any transactions and/or communications made from/with us. We may also collect Personal Data from a variety of sources, including without limitation, at any events, seminars, road shows, customer satisfaction surveys organised and/or sponsored by us, as well as from publicly available sources. Some examples of how Personal Data can be collected:

When the Data Owners complete purchase orders, requests or applications for our products or services (by phone, in person, snail mail, or electronically);

If the Data Owners are candidates for employment when they complete forms in relation to the recruitment and selection process for the purpose of assessment. We may also collect information about the Data Owners from their nominated referees where they have authorised us to do so.

2.3    In addition, we may also receive, store and process Personal Data which are provided or made available by any third parties, credit reference bodies, regulatory and law enforcement authorities, for reasons including delivery of our products and/or services, performance of conditions of agreements and/or to comply with our legal and regulatory obligations.

3.      PURPOSE OF ACQUIRING AND PROCESSING PERSONAL DATA

The Personal Data provided/furnished by the Data Owners to us or collected by us from the Data Owners or through such other sources as may be necessary for the fulfilment of the purposes at the time it was sought or collected, may be processed for the following purposes (collectively referred to as the “Purposes”):

to communicate with the Data Owners;

to maintain and improve customer relationship;

to assess, process and provide products, services and/or facilities to the Data Owners;

to administer and process any payments related to products, services and/or facilities requested by the Data Owners;

to establish the identity and background of the Data Owners;

to respond to enquiries or complaints from the Data Owners and resolve any issues and disputes which may arise in connection with any dealings with us;

to maintain and update internal record keeping;

for internal administrative purposes;

to conduct credit reference checks and establish the creditworthiness, where necessary, in providing the Data Owners with the products, services and/or facilities;

to process any payments related to the Data Owners’ commercial transactions with us;

to process and analyse the Personal Data either individually or collectively with other individuals;

to share any of the Personal Data with the auditors for our internal audit and reporting purposes;

to share any of the Personal Data pursuant to any agreement or document which the Data Owners have duly entered with us for purposes of seeking legal and/or financial advice and/or for purposes of commencing legal action;

to share any of the Personal Data with insurance companies necessary for the purpose of applying and obtaining insurance policy(ies), if necessary;

for audit, risk management and security purposes;

for detecting, investigating and preventing a crime or fraudulent, prohibited or illegal activities;

for enabling us to perform our obligations and enforce our rights under any agreements or documents that we are a party to;

to transfer or assign our rights, interests and obligations under any agreements entered into with us;

for meeting any applicable legal or regulatory requirements and making disclosure under the requirements of any applicable law, regulation, direction, court order, by-law, guideline, circular or code applicable to us;

to enforce or defend our rights and the Data Owners’ rights under, and to comply with, our obligations under the applicable laws, legislation and regulations;

to carry out verification and background checks as part of any recruitment and selection process in connection with applications for employment by the Data Owners;

for public interest; and/or

for other purposes required to operate, maintain and better manage our business and the relationship with us, which we notify the Data Owners of at the time of obtaining their consent; and the Data Owners shall agree and consent to us using and processing the Personal Data for the Purposes in the manner as identified in this Policy. If the Data Owners do not consent to us processing the Personal Data for one or more of the Purposes, they may notify us at the contact details below.

4.      CONSEQUENCES OF NOT CONSENTING TO THIS POLICY

The collection of the Personal Data by us may be mandatory or voluntary in nature depending on the Purposes for which the Personal Data is collected. Where it is obligatory for the Data Owners to provide us with the Personal Data, and the Data Owners fail or choose not to provide us with such data, or do not consent to the above or this Policy, we will not be able to provide products and/or services or otherwise deal with the Data Owners.

5.      DISCLOSURE OF PERSONAL DATA

We will not sell, rent, transfer or disclose any of the Personal Data to any third party without the Data Owners’ consent. However, we may disclose the Personal Data to the following third parties, for one or more of the above Purposes:

the Data Owners’ immediate family members and/or emergency contact person as may be notified to us from time to time;

successors in title to us;

any person under a duty of confidentiality who has undertaken to keep the Personal Data confidential and whom we have engaged to discharge our obligations to them;

any party in relation to legal proceedings or prospective legal proceedings;

our auditors, consultants, lawyers, accountants or other financial or professional advisers appointed in connection with our business on a strictly confidential basis, appointed by us to provide services to us;

any party nominated or appointed by us either solely or jointly with other service providers, for purpose of establishing and maintaining a common database where we have a legitimate common interest;

data centres and/or servers located within or outside Malaysia for data storage purposes or otherwise;

payment channels including but not limited to financial institutions for purpose of assessing, verifying, effectuating and facilitating payment of any amount due to us in connection with purchase of our products and/or services;

government agencies, law enforcement agencies, courts, tribunals, regulatory bodies, industry regulators, ministries, and/or statutory agencies or bodies, offices or municipality in any jurisdiction, if required or authorised to do so, to satisfy any applicable law, regulation, order or judgment of a court or tribunal or queries from the relevant authorities;

our joint venture/business partners, third-party product and/or service providers, suppliers, vendors, contractors, data processors or agents, that provide related products and/or services in connection with our business, or discharge or perform one or more of the above Purposes and other purposes required to operate and maintain our business, including but not limited to call centres, telecommunication companies, logistics companies, information technology companies and data centres;

insurance companies for the purpose of applying and obtaining insurance policy(ies), if necessary;

financial institutions for the purpose of applying and obtaining credit facility(ies), if necessary;

financial institutions, merchants and credit card organisations in connection with commercial transactions with us; and

to third-party credit reporting or employment agencies as part of the recruitment and selection process and/or otherwise in connection with application for employment with us.

In the event of a potential, proposed or actual sale/disposal of any of our business or interest, merger, acquisition, consolidation, re-organisation, funding exercise or asset sale relating to us, or in the event of winding-up (“Exercise”), Personal Data may be required to be disclosed or transferred to a third party as a result of, or in connection with, the Exercise.

The Data Owners acknowledge that such disclosure and transfer may occur and permit us to disclose and transfer the Personal Data to such third party and its advisors/representatives and/or any other person reasonably requiring the same in order for us to operate and maintain our business or carry out the activities set out in the Purposes.

6.      ACCURACY OF PERSONAL DATA

6.1    We aim to keep all Personal Data as accurate, complete, not misleading, up-to-date and reliable as possible. Therefore, the accuracy of Personal Data depends to a large extent on the information the Data Owners provide to us. As such, it is a condition of us providing the products, services and/or facilities to the Data Owners that they:

a. warrant and declare that all Personal Data submitted or to be submitted to us are accurate, not misleading, updated and complete in all respects for purposes of acquiring or using the relevant products, services and/or facilities, and have not withheld any Personal Data which may be material in any respect and that we are authorised to assume the accuracy and completeness of the Personal Data given by the Data Owners; and

b. promptly update us as and when such Personal Data provided earlier to us becomes inaccurate, incomplete, misleading, outdated or changes in any way whatsoever by contacting us at the contact details below.

7.      RIGHTS OF THE DATA OWNERS

7.1    Subject to the exceptions provided under the PDPA, the Data Owners have the right to request for access to, to request for a copy of, to request to update or correct, the Personal Data held by us.

7.2    In respect of the Data Owners’ right to access and/or correct the Personal Data, we have the right to refuse their request to access and/or correct the Personal Data for the reasons permitted under the law, such as where the expense of providing access to them is disproportionate to the risks to the Data Owners’ privacy, or where the rights of others may also be violated, amongst other reasons.

7.3    The Data Owners have the right at any time to request us to limit the processing and use of the Personal Data.

7.4    In addition, the Data Owners also have the right, by notice in writing, to inform us on withdrawal (in full or in part) of their consent given previously to us subject to any applicable legal restrictions, contractual conditions and a reasonable duration of time for the withdrawal of consent to be effected. However, the withdrawal of consent of the Data Owners could result in us being unable to process the Personal Data for the Purposes and any corresponding provision of products, services or benefits may be affected or curtailed arising from such withdrawal.

8.      RETENTION OF PERSONAL DATA

Any of the Personal Data provided to us by the Data Owners is retained for as long as the Purposes for which the Personal Data was collected continue; the Personal Data is then destroyed from our records and system in accordance with our retention policy in the event the Personal Data is no longer required for the said Purposes unless its further retention is required to satisfy a longer retention period to meet our operational, legal, regulatory, tax or accounting requirements.

9.      SECURITY OF PERSONAL DATA

9.1   We are committed to ensuring that the Personal Data is stored securely. In order to prevent unauthorised access, disclosure or other similar risks, we endeavour, where practicable, to implement appropriate technical, physical, electronic and procedural security measures in accordance with the applicable laws and regulations and industry standard to safeguard against and prevent the unauthorised or unlawful processing of Personal Data, and the destruction of, or accidental loss, damage to, alteration of, unauthorised disclosure of or access to the Personal Data.

9.2    We will make reasonable updates to our security measures from time to time and ensure the authorised third parties only use Personal Data for the Purposes set out in this Policy.

9.3  The Internet is not a secure medium. However, we will put in place various security procedures with regard to the Site and the Data Owners’ electronic communications with us. All our employees, joint venture/business partners, agents, contractors, vendors, suppliers, data processors, third-party product and/or service providers, who have access to, and are associated with the processing of Personal Data, are obliged to respect the confidentiality of the Personal Data.

9.4   Please be aware that communications over the Internet, such as emails/webmail, are not secure unless they have been encrypted. The Data Owners’ communications may be routed through a number of countries before being delivered – this is the nature of the World Wide Web/Internet.

9.5    We cannot and do not accept responsibility for any unauthorised access or interception or loss of Personal Data that is beyond our reasonable control.

10.     PERSONAL DATA FROM MINORS AND OTHER INDIVIDUALS

To the extent that the Data Owners have provided (or will provide) Personal Data about their family, spouse and/or other dependents (“Related Persons”), the Data Owners confirm that they have explained to the Related Persons that their Personal Data will be provided to, and processed by us and the Data Owners represent and warrant that they have obtained the Related Persons’ consent to the processing (including disclosure and transfer) of their Personal Data in accordance with this Policy and, in respect of minors (i.e. individuals under 18 years of age) or individuals not legally competent to give consent, the Related Persons confirm that they have appointed the Data Owners to act for them, to consent on their behalf to the processing (including disclosure and transfer) of their Personal Data in accordance with this Policy.

11.     TRANSFER OF PERSONAL DATA OUTSIDE OF MALAYSIA

Our information technology storage facilities and servers may be located in other jurisdictions outside of Malaysia. This may include, but is not limited to, instances where Personal Data may be stored on servers located outside Malaysia. In addition, Personal Data may be disclosed or transferred to entities located outside Malaysia or where the Data Owners access the Site from countries outside Malaysia. Please note that these foreign entities may be established in countries that might not offer a level of data protection that is equivalent to that offered in Malaysia under the laws of Malaysia. The Data Owners expressly consent to us transferring the Personal Data outside of Malaysia for such purposes. We shall endeavour to ensure that reasonable steps are taken to procure that all such third parties outside of Malaysia shall not use the Personal Data other than for that part of the Purposes and to adequately protect the confidentiality and privacy of the Personal Data.

12.     WEBSITE

12.1    External links

a. If any part of the Site links the Data Owners to other websites, those websites do not operate under this Policy and we do not accept any responsibility or liability arising from those websites.

b. Likewise, if the Data Owners subscribe to an application, content or a product from our strategic partner and subsequently provide any Personal Data directly to that third party, that Personal Data will be subject to that third party’s privacy/personal data protection policy (if they have such a policy) and not to this Policy.

c. We recommend the Data Owners to read and understand the privacy/personal data protection statement/policy posted on those other websites in order to understand their procedures for collecting, processing, using and disclosing personal data and before submitting any Personal Data to those websites.

13.     CONTACT DETAILS

If anyone has any questions about this Policy, or has any further queries, or would like to make a complaint or data access or correction request in respect of the Personal Data, he/she may contact us at the contact details below:

The Chief Financial Officer

Oxford Innotech Berhad

Address: 771 & 824, Jalan Cassia Selatan 3/9, Taman Perindustrian Batu Kawan 14110, Bandar Cassia, Penang, Malaysia

Contact No.: +604-5881648/ +604-5881669

Email Address: hk_wong@oxfordinnotech.com

14.     CONFLICTS

In the event of any conflict between this English language Personal Data Protection Policy and its corresponding Bahasa Malaysia language Personal Data Protection Policy, the terms in this English language Personal Data Protection Policy shall prevail.

15.     REPORTING OF VIOLATIONS

Any person who is aware of, or suspects, a violation of this Personal Data Protection Policy, is encouraged to report it to the designated person as provided in Section 13 above. Such reporting can also be made via the Group’s whistleblowing procedures in accordance with the Group’s Whistleblowing Policy & Procedures. No individual will be discriminated against or suffer any act of retaliation for reporting in good faith on any violations or suspected violations of this Personal Data Protection Policy.

16.     REVIEW AND AMENDMENTS

This Personal Data Protection Policy shall be reviewed by the Managing Director periodically or where necessary to take into consideration the prevailing laws and regulations from time to time. Any amendments to this Personal Data Protection Policy shall be subject to the approval by the Board.