Personal Data Protection Policy

Introduction

At HSG Berhad and its subsidiaries (“HSG” or “the Group”), we are committed to acting with integrity and respecting the privacy of our stakeholders, including employees, customers, shareholders, partners, suppliers, and other individuals who entrust us with their personal information.

“Personal data” refers to information related to commercial transactions that identifies or locates an individual, or has the potential to do so.

To maintain our role as a trusted business partner, HSG is dedicated to protecting personal data in compliance with applicable laws and regulations, including the data protection principles outlined in the Personal Data Protection Act 2010. This policy provides guidance on how HSG collects, uses, stores, transfers, and secures personal data, ensuring that the rights of data subjects are upheld.

Through this policy, HSG aims to inform data subjects about the purposes for which their personal data is collected and processed, and their rights to access, correct, or refuse the provision of their personal data.

Policy Statement

2.1 Commitment to Data Protection

Everyone has rights concerning the handling of their personal information. In the course of its activities, HSG may collect, store, and process personal data related to staff, customers, suppliers, and vendors. HSG acknowledges the importance of handling this data in an appropriate and lawful manner. We are committed to fulfilling our obligations under data protection laws with respect to all personal data we manage.

2.2 Scope of Information Handled

HSG may handle various types of information, including details of current, past, and prospective employees, suppliers, customers, and others with whom the Group communicates. This information, whether stored on paper, electronically, or on other media, is subject to legal safeguards as specified in the Personal Data Protection Act 2010 (‘the Act’) and other relevant regulations. The Act imposes restrictions on how HSG may collect and process this data.

2.3 Policy Status and Compliance

This policy does not form part of any employee’s contract of employment and may be amended at any time. Breaches of this policy will be taken seriously and may result in disciplinary action, up to and including dismissal, for HSG employees.

This statement ensures that all stakeholders are aware of HSG’s commitment to data protection and the serious implications of any policy breaches.

Purpose and Scope of the Policy

3.1 Purpose of the Policy

This policy establishes the Group’s rules on data protection, outlining the legal conditions that must be met for the collection, obtaining, handling, processing, storage, transportation, and destruction of personal and sensitive information. It aims to ensure that all data practices comply with relevant data protection laws and regulations, safeguarding the privacy and integrity of personal data.

3.2 Reporting Non-Compliance

If an employee believes that this policy has not been adhered to concerning personal data about themselves or others, they should promptly raise the issue with their manager. This procedure ensures that concerns are addressed in a timely manner, helping to maintain compliance with data protection standards.

This section clarifies the policy’s objectives and provides a clear process for reporting any breaches or issues.

Definition of Data Protection Terms

4.1 Data

Data refers to information stored electronically, on computers, or in paper-based filing systems, including IT systems and CCTV systems.

4.2 Data Subjects

For the purpose of this policy, data subjects are all living individuals about whom HSG holds personal data.

4.3 Personal Data

Personal data means information relating to a living individual who can be identified from that data (or from that data in combination with other information likely to come into the possession of the data controller). Personal data can be factual (e.g., name, address, date of birth) or an opinion (e.g., performance appraisal).

4.4 Data Controllers

Data controllers are individuals or organizations responsible for determining the purposes for which, and the manner in which, personal data is processed. They are accountable for ensuring that data is handled in compliance with relevant data protection laws.

4.5 Data Users

Data users are employees whose work involves handling personal data. They are required to protect the information they manage by adhering to HSG’s data protection and security policies at all times.

4.6 Processing

Processing refers to any operation or set of operations performed on data, including:

  • Obtaining, recording, or keeping data
  • Collecting, organizing, storing, altering, or adapting data
  • Retrieving, consulting, or using data
  • Disclosing data by transmitting, disseminating, or otherwise making it available
  • Aligning, combining, blocking, erasing, or destroying data

4.7 Sensitive Personal Data

Sensitive personal data includes information about an individual’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health, sexual life, criminal convictions, or alleged offenses. Processing of sensitive personal data is subject to strict conditions and generally requires the express consent of the individual concerned.

These definitions provide clarity on key terms related to data protection, ensuring a common understanding of the concepts involved.

Data Protection Principles

5.1 Compliance with Principles

Anyone processing personal data must comply with the seven enforceable principles of good practice, namely:

  1. the General Principle;
  2. the Notice and Choice Principle;
  3. the Disclosure Principle;
  4. the Security Principle;
  5. the Retention Principle;
  6. the Data Integrity Principle; and
  7. the Access Principle.

These principles are set out in clauses 6, 7, 8, 9, 10, 11 and 12.

General Principle

6.1 Data Subject Notification

The data subject must be informed of the following:

  • The identity of the data controller.
  • The purpose for which the data is to be processed by the Group.
  • The identities of anyone to whom the data may be disclosed or transferred.

6.2 Lawful Processing of Personal Data

For personal data to be processed lawfully, HSG shall ensure that all necessary conditions are met. These conditions may include, among other things:

  • The data subject has consented to the processing.
  • The processing is necessary for the legitimate interests of the data controller or the party to whom the data is disclosed.

When sensitive personal data is being processed, more than one condition must be satisfied. In most cases, the data subject’s explicit consent to the processing of such data will be required.

6.3 Collection and Sources of Personal Data

The nature and type of data HSG collects, as well as the sources of such data, vary depending on the nature of the relationship the Group has with the data subject. This may include:

  • Personal data collected from the HSG website, if such data has been voluntarily provided or is required to provide the service requested by the data subject.
  • Personal data collected through application forms or other information forms, such as name, address, email, telephone number, occupation, and income.
  • Personal data obtained from trade associations, marketing agencies, credit bureau reports, and credit reporting agencies.
  • Personal data acquired from governmental agencies.

By adhering to these principles, HSG ensures the lawful, transparent, and ethical handling of personal data in accordance with relevant regulations and best practices.

6.4 Personal data is utilized to provide and inform about the products and services offered by HSG. This usage may include, but is not limited to, the following purposes:

  • Profiling and determining service and supply preferences
  • Technical administration of the HSG website
  • Statistical analysis
  • Developing new products and services
  • Registration for programs or offers upon HSG request
  • Providing goods and services to customers and consumers
  • Payment processing for purchases
  • Job application processing for employee recruitment
  • Protection against or identification of possible fraudulent transactions
  • Developing and providing advertising tailored to our customers
  • Finance and marketing operations
  • Compliance with terms and conditions of business and other business administration purposes, including credit monitoring and control purposes
  • Meeting regulatory and legal requirements
  • Risk management
  • All other purposes incidental and associated with the above

In using personal data for these purposes, HSG aims to maintain high standards of service, innovation, and compliance with legal and regulatory obligations.

Notice and Choice Principle

HSG recognizes that data subjects have the right to choose whether or not to provide their personal data and may revoke their consent to the collection and processing of such data at any time. HSG understands that some services it provides may necessitate the processing of personal data. Consequently, a decision not to provide or to withdraw consent for the processing of personal data may lead to the discontinuation or limitation of access to those services.

HSG is committed to ensuring that data subjects are fully informed of their rights and the implications of their choices regarding personal data, allowing them to make well-informed decisions about their participation in services offered by the Group.

Disclosure Principle

Personal data should be collected solely for the specific purposes outlined in Section 6.4, which must be clearly communicated to the data subject. Any data that is not necessary for these purposes should not be collected.

While personal data will be kept confidential, it may be disclosed to the following categories of parties for the purposes described:

HSG Companies: To any HSG companies, both within and outside of Malaysia.

Advisers: To our advisers, including consultants, advocates, and solicitors, for the purpose of determining our rights and enforcing agreements with data subjects.

Agents and Service Providers: To any agent, contractor, or service provider to whom we have outsourced services, provided that these parties acknowledge the confidentiality of the data and comply with the applicable provisions of the Act.

Regulatory Authorities: To regulatory authorities or notified bodies, including those providing quality certification of our products, upon their request.

Other Permitted Parties: To other parties as permitted under Malaysian law.

This principle ensures that personal data is disclosed only as necessary and in accordance with legal and contractual obligations, while maintaining its confidentiality and integrity.

Security Principle

9.1 Protection Against Unlawful Processing and Data Loss

HSG and its employees must ensure that appropriate security measures are implemented to protect against unlawful or unauthorized processing of personal data, as well as to prevent accidental loss or damage to personal data.

9.2 Compliance with Security Standards

HSG is required to establish procedures and technologies to ensure the security of all personal data. Personal data may only be transferred to a third-party data processor if that third party agrees to adhere to HSG’s security procedures and policies or has adequate security measures in place.

9.3 Core Security Values

HSG and its data users must adhere to the following core values:

Confidentiality: Only authorized individuals should have access to personal data. HSG will ensure that only authorized personnel can access an employee’s personnel file and any other personal or sensitive data held by the Group. Employees are required to uphold the confidentiality of any data to which they have access.

Integrity: Personal data must be accurate and suitable for the purposes for which it is processed.

Availability: Authorized users should be able to access personal data as needed for authorized purposes.

9.4 Security Procedures

HSG will implement the following security procedures:

(a) Secure Workplaces: Desks and cupboards containing confidential information must be kept locked. Access to the workplace should be restricted to authorized employees after office hours.

(b) Methods of Disposal: Paper documents must be shredded. Floppy disks and CD-ROMs should be physically destroyed when no longer needed.

(c) Equipment Security: Data users should ensure that individual monitors do not display confidential information to unauthorized individuals and should log off from their PCs when left unattended.

By adhering to these security measures and procedures, HSG aims to maintain the highest standards of data protection and ensure the confidentiality, integrity, and availability of personal data.

Retention Principle

10.1 Data Storage

Personal data may be stored either as hard copies in the Group’s offices or electronically on servers located in or outside of Malaysia, operated by HSG or its service providers. The Group will retain personal data only for as long as necessary to fulfill the purposes outlined in Section 6.4 or to protect its interests. Currently, HSG does not offer online facilities for data subjects to delete their personal data held by the Group.

10.2 Data Disposal

It is the responsibility of data users to take all reasonable steps to ensure that personal data is securely destroyed or permanently deleted once it is no longer needed for the purpose for which it was collected. The methods of disposal, as detailed in Section 9.4(b), must be adhered to for effective data destruction.

Data Integrity Principle

Personal data must be accurate, complete, and up-to-date. Information that is incorrect or misleading does not meet the standard of accuracy. To ensure data integrity:

Accuracy Checks: Steps should be taken to verify the accuracy of personal data at the point of collection and at regular intervals thereafter.

Data Updates: Inaccurate or outdated data should be corrected or destroyed as appropriate.

Employee Responsibilities: Employees are required to promptly inform their manager or Human Resources of any relevant changes to their personal information, such as a change of address, to ensure that records are updated and maintained accurately.

By adhering to these practices, HSG ensures that personal data remains reliable and reflective of the current information.

Access Principle

12.1 Access and Correction Rights

Data subjects, including employees, have the right to request access to and correction of their personal data held by HSG. They may submit a written request to HSG at the addresses provided below if they wish to:

  • Obtain a copy of their personal data.
  • Correct any inaccurate or outdated personal data.
  • Address concerns about the use of their personal data beyond the purposes outlined in Section 6.4.
  • Report instances where their personal data was acquired through fraudulent or unlawful means or shared with third parties without their prior consent.

12.2 Submission of Requests

Requests for access to, correction, or deletion of personal data, or inquiries regarding HSG’s policies, practices, and types of personal data held, must be submitted in writing. Requests can be sent via the [company’s contact website link] or by postal mail to the following addresses:

A. For Employee Data:

  1. Human Resource Manager
    [Company Address]

B. For Non-Employee Data:

  1. Accounting Manager
    [Company Address]

12.3 Processing Fees

HSG may impose a reasonable fee for processing any data access requests.

These procedures ensure that data subjects can effectively manage their personal data while allowing HSG to handle requests in a structured and compliant manner.

Review of Policy

The Group will conduct a review of this policy to assess its effectiveness and ensure it meets its stated objectives. This review will occur at least every three years or more frequently if necessary, considering changes in the law, organizational developments, or security needs.

By regularly evaluating the policy, HSG aims to maintain its relevance and effectiveness in addressing evolving legal requirements and organizational changes.