NEWARK ENGINEERING PTE LTD

Personal Data Protection Policy ("Policy")

Newark Engineering Pte Ltd (“Newark Engineering”, “we”, “us”, or “our”) is committed to protecting your personal data and your privacy. This Privacy Policy outlines how we collect, use, disclose, and safeguard your personal data in accordance with applicable data protection laws in the countries in which we operate, including but not limited to Singapore’s Personal Data Protection Act (PDPA), Malaysia’s PDPA, Indonesia’s Personal Data Protection Act (PDPA), and the General Data Protection Regulation (GDPR).

Newark Engineering Pte Ltd respects the privacy of individuals, recognises the importance of the personal data entrusted to us and believes that it is our responsibility to properly manage, protect, process and disclose personal data. We are also committed to adhering to the provisions and principles of personal data protection laws applicable to us in the various countries in which we operate (“Applicable Law”).

This Policy sets out the “best practices” guiding principles regarding the collection, use and disclosure of personal data by Newark Engineering Pte Ltd and its group companies. To the extent that the Applicable Laws differ from the standards set out here, this Policy shall be supplemented, amended and varied in the relevant jurisdiction-specific Appendices to this Policy respectively. In the event of any inconsistencies, the jurisdiction-specific provisions in the relevant Appendix shall prevail in respect of the relevant jurisdiction. References to this “Policy” shall include all its Appendices and Schedules.

Where the Applicable Law in respect of a particular jurisdiction does not impose data protection standards as stringent as those set out in this Policy, the group company operating in such jurisdiction should, as a group-wide effort, strive to comply with the best practices set out in this Policy, notwithstanding that it may not actually be required to do so under Applicable Law.

In this Policy, the term “personal data” shall have the same meaning ascribed to it under the Applicable Law and for the purposes of this Policy, “processing” has the meaning given to that term in the Applicable Law and “process” and “processed” shall have a corresponding meaning.

For Singapore purposes, Newark Engineering Pte Ltd and its group companies and their employees comply with the Personal Data Protection Act 2012 (“PDPA”). “Personal data” in the Singapore context means any data, whether true or not, about an individual (defined as a natural person, whether living or deceased) who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access.

Summary

We will collect, use or disclose personal data for reasonable business purposes only and if there is consent or deemed consent from the individual and information on such purposes has been notified. We may also collect, use or disclose personal data if it is required or authorised under Applicable Law.

Collection, Use and Disclosure of Personal Data

We collect personal data from individuals who may be clients, customers, business contacts, employees, personnel, contractors and other individuals (“Data Subject”). Such personal data may be provided to us by the relevant individuals in face-to-face meetings, letters, email messages, facsimile messages, telephone conversations, through our website or provided by third parties. If a Data Subject contacts us, we may keep a record of that contact.

We collect these personal data when it is necessary for business purposes or to meet the purposes for which the Data Subjects have submitted the information.

We will only collect, hold, process, use, communicate and/or disclose such personal data, in accordance with this Policy, Applicable Law and/or where the Data Subject has given (or is deemed to have given) his or her consent to the same. If a Data Subject supplies us with personal data of a third party (such as an employee or a client of the Data Subject), the Data Subject should undertake that it has obtained all necessary consents from such third party to the collection, processing, use and disclosure by us of their personal data. Because we are collecting the third party’s data from the Data Subject, the Data Subject should undertake to make the third party aware of all matters listed in this Policy preferably by distributing a copy of this Policy to them or by referring them to our website.

As a matter of policy, we do not disclose personal data to third parties except when required or authorized by Applicable Law, and/or when we have obtained the consent or deemed consent of our Data Subject to do so.

We may be required to disclose the personal data to the following third parties for reasonable business purposes, however we would ensure any such collection, use and/or disclosure is in accordance with Applicable Laws (including the PDPA) and/or the relevant consents (whether deemed or otherwise) will be obtained from the Data Subject:

(a) a third party as a data intermediary or subcontractor specifically to assist with Newark Engineering Pte Ltd’s activities,

(b) a successor-in-interest to our business or assets, and

(c) our related corporations and business units within the Newark Engineering Pte Ltd group.

Purposes and Manner of Collection, Use and Disclosure of Personal Data

We collect, use and/or disclose personal data for the following purposes:

I. Vendors / Service Providers / Business Partners

(a) to facilitate our business relationship with a Data Subject;

(b) for the purpose of the supply of services and support to Newark Engineering Pte Ltd;

(c) to keep a Data Subject updated on changes to Newark Engineering Pte Ltd policies;

(d) to evaluate and to improve Newark Engineering Pte Ltd’s services;

(e) security clearance/entry access into Newark Engineering Pte Ltd’s premises; and

(f) for purposes that are ancillary to or in furtherance of the above purposes.

II. Customers

(a) to facilitate our business relationship with a Data Subject;

(b) to provide products and services and to communicate with customers as part of providing products and services;

(c) to evaluate Newark Engineering Pte Ltd’s services and how Newark Engineering Pte Ltd can improve its services;

(d) to respond to queries or comments;

(e) to communicate with a Data Subject on developments on Newark Engineering Pte Ltd’s services, the business of Newark Engineering Pte Ltd and other updates; and

(f) for purposes that are ancillary to or in furtherance of the above purposes.

III. Employees

In order to comply with our contractual, statutory and management obligations and responsibilities, Newark Engineering Pte Ltd is required to process personal data relating to its employees. All such data will be processed in accordance with the provisions of the employment contracts of our employees, Applicable Law and the relevant Newark Engineering Pte Ltd rules and policies, including data protection, as may be amended from time to time. We will use our employees’ personal data:

(a) for administering, maintaining and updating personnel records;

(b) for processing and reviewing salary and other remuneration and benefits;

(c) for processing performance appraisal and review;

(d) for training and developmental records including internal publication of training matrices and reports;

(e) to maintain sickness and other absence records, including reasons for absence;

(f) to provide and administer medical and insurance benefits (including health records);

(g) to process disciplinary policy/investigations and procedures including formal and informal warnings;

(h) for internal publication i.e. newsletters, intranet, etc. (including but not limited to photo);

(i) to monitor email/internet usage and compliance with our security and device usage policies;

(j) for providing references and information to the appropriate bodies/governmental bodies (including but not limited to the Central Provident Fund, Employees Provident Fund and the relevant tax authorities) for social security, contributions, income tax and other purposes;

(k) for the purposes of third party employment references;

(l) as may be required by law or regulation and for protecting the interests of Newark Engineering Pte Ltd; and

(m) for purposes that are ancillary to or in furtherance of the above purposes.

IV. For the Public and Other Third Parties Generally

(a) to evaluate applications for employment/job positions within Newark Engineering Pte Ltd;

(b) to evaluate applications for internships and industrial attachments;

(c) to conduct due diligence/background checks on job applicants;

(d) to facilitate business relationships;

(e) to organise and manage events for community and charitable purposes;

(f) to evaluate potential suppliers, vendors or business partners;

(g) for security clearance/entry access into Newark Engineering Pte Ltd’s premises; and

(h) for purposes that are ancillary to or in furtherance of the above purposes.

Access to and Correction of Personal Data

Upon request, we will provide the Data Subjects with access to their personal data or other appropriate information on their personal data in accordance with the requirements of the Applicable Law.

Upon request, we will correct an error or omission in the individual’s personal data that is in our possession or control in accordance with the requirements of the Applicable Law.

We may charge for a request for access in accordance with the requirements of the Applicable Law.

In Singapore, we are also obliged to provide information about the ways in which the personal data in our possession or control has been or may have been used or disclosed by the organisation within a year before the date of the request. We must first verify the identity of the requester, by checking his/her NRIC or other legal identification document, to ensure that he/she is indeed the same person whose personal data is kept by us. We will respond to and fulfil the request within 30 days, failing which before that deadline we will write to the Data Subject to inform him/her of the additional time required.

If the personal data is maintained by a data intermediary on our behalf, the data intermediary must abide by our instructions to them to do the necessary access and correction.

We may refuse the request for data and/or correction of data for the following reasons:

(a) we are not satisfied as to the requestor’s identity or his/her authority to receive the personal data of the relevant individual;

(b) The provision of the personal data could reasonably be expected to:

i. cause immediate or grave harm to the individual’s safety or physical or mental health;

ii. threaten the safety or physical or mental health of another individual;

iii. reveal personal data about another individual;

iv. reveal the identity of another individual who has provided the personal data, and the individual has not consented to the disclosure of his/her identity; or

v. be contrary to national interest.

(c) The personal data is:

i. subject to legal professional privilege;

ii. opinion data kept solely for an evaluative purpose;

iii. personal data which, if disclosed, would reveal confidential commercial information that could, in the opinion of a reasonable person, harm the competitive position of Newark Engineering Pte Ltd;

(d) The request would unreasonably interfere with our operations because of the repetitious or systematic nature of the requests;

(e) The burden or expense of providing access would be unreasonable or disproportionate to the Data Subject’s interests;

(f) The information does not exist or cannot be found; or

(g) The information is trivial or is otherwise frivolous or vexatious.

We shall keep a logbook of each request for correction of data where we have refused to comply with the request, showing full details of and reasons for the request and refusal. The entries shall be kept for 5 years or such reasonable period.

Withdrawal of Consent

Upon reasonable notice being given by an individual of his withdrawal of any consent given or deemed to have been given in respect of our collection, use or disclosure of his personal data, we will inform the individual of the likely consequences of withdrawing his consent. We will cease (and cause any of our data intermediaries and agents to cease) collecting, using or disclosing the personal data unless it is required or authorised under applicable laws. In Singapore, the request for withdrawal of consent can take the form of an email or letter, or through the UNSUB feature in an online or email service. The data of Data Subjects who have withdrawn their consent should then be entered into a blacklist for reference by all employees.

Accuracy of Personal Data

We will take reasonable precautions and conduct verification checks to ensure that personal data collected by us or on our behalf is accurate, complete and up-to-date. We will ensure that personal data is accurate and complete for the purpose for which it is to be used, in particular if the personal data is likely to be used to make a decision that affects the Data Subject to whom the personal data relates, or is likely to be disclosed to another organisation.

Where we reasonably believe the data to be inaccurate, we should not use the data until such inaccuracies are rectified and if we become aware that we have provided inaccurate data to third parties, we should inform the third party about the data’s inaccuracy and attempt to provide the third party with the accurate data.

An individual may request that we correct an error or omission in the personal data about the Data Subject that is in our possession or under our control. We need not make a correction:

• where we are satisfied on reasonable grounds that a correction should not be made; or

• where such correction is in respect of an opinion, including a professional or expert opinion.

In such cases, we will annotate the personal data in our possession or under our control with the correction that is requested but not made.

As a matter of policy, if a correction is necessary, we must correct the information kept by us as soon as practicable and no later than 30 days of the receipt of the request. We shall send the corrected personal data to every other organisation to which the personal data was disclosed by us within a year before the date the correction was made, unless that other organisation does not need the corrected personal data for any legal or business purpose.

If the Data Subject consents, we send the corrected personal data only to specific organisations to which the personal data was disclosed by us within a year before the date the correction was made.

Security and Protection of Personal Data

We must implement technological and operational security measures to protect the personal data in our possession or under our control and to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. Only authorised Newark Engineering Pte Ltd personnel are provided access to personally identifiable information and these personnel are required to ensure confidentiality of this information.

Retention of Personal Data

We will cease to retain personal data as soon as it is reasonable to assume that the purpose for collection of such personal data is no longer being served by such retention, and such retention is no longer necessary for legal or business purposes. We will dispose of or destroy such data (in both physical documents and electronic files/databases) in a secure manner.

In Singapore, this requirement also applies to any third party service providers or data intermediaries holding personal data on our behalf.

Transfer of Personal Data

We will ensure that any transfers of personal data to a territory outside of the country in which it is collected will be in accordance with Applicable Law (including the PDPA for Singapore purposes) so as to ensure a standard of protection to personal data so transferred that is comparable to the protection under the Applicable Law. In Singapore, we may take measures including the use of contractual agreements among the organisations involved in the transfer and seek to impose the conditions as documented in the Advisory Guidelines on Key Concepts in the PDPA, as may be amended from time to time.

Privacy on our Web Sites

This Policy also applies to any personal data we collect via our websites. Cookies may be used on some pages of our websites. “Cookies” are small text files placed on the hard drive of a Data Subject that assist us in providing a more customised website experience. Cookies are now used as a standard by many websites to improve users’ navigational experience. Our websites should highlight that if any of our website’s users is concerned about cookies, most browsers permit individuals to decline cookies. In most cases, a visitor may refuse a cookie and still fully navigate our websites, however other functionality in the site may be impaired. After termination of the visit to our site, the user can always delete the cookie from his system if he wishes.

Because we want a user’s website experience to be as informative and resourceful as possible, we may provide a number of links to third party websites. We should assume no responsibility for the information practices of these third party websites that a user is able to access through our website. When a visitor to our website links to these third party websites, our privacy practices no longer apply. We should encourage the user of our website to review each website’s privacy policy before disclosing any data.

Data Protection Officer

We should designate a data protection officer (if required under Applicable Law) or an employee to attend to any queries or correspondences in relation to personal data held by us which is incorrect or out of date, or if any Data Subject has concerns or further queries about how we are handling a Data Subject’s personal data, or any problem or complaint about such matters. The contact details of such data protection officer or employee should be made available at our website.

In Singapore, the appointment of a data protection officer (“DPO”) is mandatory. We have appointed Chua Jian Pei as the DPO. Please refer to the relevant Appendix to confirm whether it is legally required for you to appoint a local DPO in your jurisdiction.

Modifications

We reserve the right to modify or amend this Policy at any time.

Appendix A

JURISDICTION-SPECIFIC APPENDIX – MALAYSIA

The following shall apply in relation to the processing of personal data by Newark Engineering in Malaysia and the main policy shall be varied, amended and supplemented as set out below. If the processing of personal data by Newark Engineering takes place outside of Malaysia, the provisions in this Appendix will not apply unless the personal data is intended to be further processed in Malaysia. In the event of any inconsistencies, the following shall prevail for Malaysian purposes. Capitalised terms used in this Appendix shall have the meanings set out in the main policy.

Personal Data Protection Policy

For Malaysia purposes, Newark Engineering Pte Ltd and its group companies and their employees shall at the very least comply with the minimum legal requirements under the Malaysian Personal Data Protection Act 2010 (“MPDPA”).

“Personal Data” in the Malaysian context means any information in respect of a commercial transaction that relates directly or indirectly to an individual (i.e., Data Subject), who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the individual, but does not include any information processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010.

“Commercial Transactions” is widely defined as any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but does not include a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2010.

“Sensitive Personal Data” means any personal data consisting of information as to the physical or mental health or condition of a Data Subject, his political opinions, his religious beliefs or other beliefs of a similar nature, and the commission or alleged commission by the said Data Subject of any offence.

Collection, Use and Disclosure of Personal Data

Consent

In general, unless specific exceptions under the MPDPA apply, the consent of Data Subjects is required in order to process their personal data. In general, consent must be in a form that is recorded and can be maintained by Newark Engineering Pte Ltd as the data user.

The MPDPA does not expressly provide for the concept of deemed consent. However, based on consistent verbal feedback from the officers of the Malaysian Personal Data Protection Department (“Regulator”), so long as no sensitive personal data is processed by a data user, it is permissible to rely on a Data Subject’s deemed consent.

When processing sensitive personal data, the explicit consent of Data Subjects must be obtained unless prescribed exceptions under the MPDPA apply, which includes, but is not limited to processing of sensitive personal data to protect the vital interests of the Data Subject; for the purpose of, or in connection with, any legal proceedings; for the administration of justice; for obtaining legal advice; or for medical purposes (subject to the processing being undertaken by, amongst others, a healthcare professional).

Consent for the processing of sensitive personal data cannot be deemed unless specific exceptions for this have been provided for in the Codes of Practice issued by the Regulator, specifically:

(a) the Code of Practice for the Banking and Insurance sectors, which applies to banks and financial institutions licensed under the Financial Services Act 2013, the Islamic Financial Services Act 2013 and the Development Financial Institution Act 2002; and

(b) the Code of Practice for the Insurance and Takaful industry, which applies to insurance companies and takaful operators licensed under the Financial Services Act 2013 and the Islamic Financial Services Act 2013.

Processing personal data without consent is an offence and on conviction, Newark Engineering could be liable to a fine not exceeding RM 300,000 or to imprisonment for a term not exceeding 2 years or to both.

Processing sensitive personal data without explicit consent is an offence and on conviction, Newark Engineering could be liable to a fine not exceeding RM 200,000 or to imprisonment for a term not exceeding 2 years or to both.

Issuance of a Compliant Privacy Notice

All Data Subjects, including employees, must be issued with a written data privacy notice containing the below prescribed matters in relation to the processing of their personal data:

(a) that the personal data of the Data Subject is being processed by or on behalf of Newark Engineering and the description of the personal data;

(b) the purpose for which the Data Subject’s personal data is collected and further processed;

(c) any information available to Newark Engineering as to the source of that personal data;

(d) the Data Subject’s right to request access to and to request for correction of the personal data and how to contact Newark Engineering with any inquiries or complaints in respect of the personal data;

(e) the class of third parties to whom Newark Engineering discloses or may disclose the personal data;

(f) of the choices and means Newark Engineering offers the Data Subject for limiting the processing of personal data, including personal data relating to other persons who may be identified from that personal data;

(g) whether it is obligatory or voluntary for the Data Subject to supply the personal data; and

(h) where it is obligatory for the Data Subject to supply the personal data, the consequences for the Data Subject if he fails to supply the personal data.

The written data privacy notice must be issued in dual languages (i.e., English and Bahasa Malaysia).

Processing personal data without issuing a written data privacy notice as described above is an offence and upon conviction, Newark Engineering could be liable to a fine not exceeding RM 300,000 or to imprisonment for a term not exceeding 2 years or to both.

Access and Correction of Personal Data

For Malaysia, we may charge for a request for access in accordance with the requirements of the Personal Data Protection (Fees) Regulations 2013 as stated below:

| Item | Description | Maximum fee (RM) |
|---|---|---|
| 1. | Data access request for a Data Subject’s personal data with a copy | 10 |
| 2. | Data access request for a Data Subject’s personal data without a copy | 2 |
| 3. | Data access request for a Data Subject’s sensitive personal data with a copy | 30 |
| 4. | Data access request for a Data Subject’s sensitive personal data without a copy | 5 |

Upon request, we will respond to, and fulfil the data access request no later than 21 days from the date of receipt of the written request (“Initial Period”). If we are unable to comply with the data access request within the Initial Period, before the expiration of the same, we have to:

(a) inform the requestor in writing that we are unable to comply within the Initial Period and our reasons for this; and

(b) comply to the extent that we are able to do so.

Notwithstanding the above, unless any applicable exceptions apply, we shall comply in whole with the data access request no later than 14 days after the expiry of the Initial Period.

For Malaysia, we may however refuse to comply with the data access request for the following reasons:

(a) we are not supplied with information as we may reasonably require to satisfy ourselves as to:

(i) the identity of the requestor; or

(ii) where the requestor claims to be a relevant person, the identity of the Data Subject to whom the requestor claims to be the relevant person; and that the requestor is the relevant person in relation to the Data Subject;

(b) we are not supplied with such information as we may reasonably require to locate the personal data to which the data access request relates;

(c) the burden or expense of providing access is disproportionate to the risks to the Data Subject’s privacy in relation to the personal data in the case in question;

(d) we cannot comply with the data access request without disclosing personal data relating to another individual who can be identified from that information, unless:

(i) that other individual has consented to the disclosure of the information to the requestor; or

(ii) it is reasonable in all the circumstances to comply with the data access request without the consent of the other individual;

(e) any other data user controls the processing of the personal data to which the data access request relates in such a way as to prohibit us from complying, whether in whole or in part, with the data access request;

(f) providing access would constitute a violation of an order of a court;

(g) providing access would disclose confidential commercial information; or

(h) such access to personal data is regulated by another law.

In determining for the purposes of paragraph d(ii) above, whether it is reasonable to comply with the data access request without the consent of the other individual, regard must be had to:

(a) any duty of confidentiality we owe to the other individual;

(b) whether we have taken any steps to seek the consent of the other individual;

(c) whether the other individual is capable of giving consent; and

(d) any express refusal of consent by the other individual.

“Relevant Person” in relation to a Data Subject means:

(a) for a Data Subject who is below 18 years, the parent, guardian or person who has parental responsibility for the Data Subject;

(b) for a Data Subject who is incapable of managing his own affairs, a person appointed by a court to manage those affairs, or a person authorised in writing by the Data Subject to act on behalf of the Data Subject; or

(c) in any other case, a person authorised in writing by the Data Subject to make a data access request, data correction request, or both such requests on behalf of the Data Subject.

Where we refuse to comply with a data access request pursuant to the reasons indicated above, we shall, no later than 21 days from receipt of the access request, inform the requestor in writing:

(a) of the refusal and reasons for the refusal; and

(b) where another data user controls the processing of the personal data, of the name and address of the other data user concerned.

Accuracy of Personal Data

Upon receiving a data correction request in writing, we must respond and comply with the data correction request within the Initial Period and supply the requestor with a copy of the personal data as so corrected.

If we are unable to do so within the Initial Period, we must:

(a) inform the requestor in writing that we are unable to comply with the request within the Initial Period and our reasons for this; and

(b) comply to the extent that we are able to do so.

Notwithstanding the above, unless any applicable exceptions apply, we shall comply in whole with the data correction request no later than 14 days after the expiry of the Initial Period.

For Malaysia, we may however refuse to comply with the data correction request for the following reasons:

(a) we are not supplied with information as we may reasonably require to satisfy ourselves as to:

(i) the identity of the requestor; or

(ii) where the requestor claims to be a relevant person, the identity of the Data Subject to whom the requestor claims to be the relevant person; and that the requestor is the relevant person in relation to the Data Subject;

(b) we are not supplied with such information as we may reasonably require to ascertain in what way the personal data to which the request relates is inaccurate, misleading or not up-to-date; we are not satisfied that the personal data to which the correction request relates is inaccurate, incomplete, misleading or not up-to-date;

(c) we are not satisfied that the correction which is the subject of the correction request is accurate, complete, misleading or not up-to-date;

(d) any other data user controls the processing of the personal data to which the data correction request relates in such a way as to prohibit us from complying, whether in whole or in part, with the data correction request.

Where we refuse to comply with a data correction request pursuant to the reasons indicated above, we shall, no later than 21 days from receipt of the access request, inform the requestor in writing:

(a) of the refusal and reasons for the refusal; and

(b) where another data user controls the processing of the personal data, of the name and address of the other data user concerned.

Where personal data to which the correction request relates is an expression of opinion and we are not satisfied that the same is inaccurate, incomplete, misleading or not up-to-date, we shall:

(a) make a note, whether annexed to the personal data or elsewhere:

(i) of the matters which the expression of opinion is considered by the requestor to be inaccurate, incomplete, misleading or not up-to-date; and

(ii) in such a way that the personal data cannot be used by any person without the note being drawn to the attention of and being available for inspection by that person; and

(b) attach a copy of the note to the notice of refusal relating to the correction request.

“Expressions of opinion” includes an assertion of fact which is unverifiable or in all circumstances of the case is not practicable to verify.

Failure to comply with a data access and/or a correction request is an offence and on conviction, Newark Engineering could be liable to a fine not exceeding RM 300,000 or to imprisonment for a term not exceeding 2 years or to both.

Security and Protection of Personal Data

We will take practical steps to protect personal data which we process electronically or non-electronically from any loss, misuse, modifications, unauthorised or accidental access or disclosure, alteration or destruction by adopting the minimum measures set out below:

Measures relating to employees

(a) to keep a register of all employees involved in the processing of personal data and to maintain an accurate periodic personal data access record, which must be made available to the Personal Data Protection Commissioner if requested;

(b) discontinue employees’ access rights to personal data at the end of their employment;

(c) control and limit the extent of employees’ powers to access, collect, process and store personal data;

(d) ensure that all employees involved in data processing always safeguard the confidentiality of personal data; and

(e) organise an awareness program / training in relation to personal data protection, where necessary.

Storage of hard copy personal data

(a) store personal data in an orderly manner, in a non-exposed, locked location (“Location”) safe from physical or natural threats;

(b) ensure that all relevant keys for such Location are stored in a secure place;

(c) prepare a key storage record for such Location;

(d) control any outward and inward movement in respect of the Location;

(e) record any transfer of Data by way of post, hand delivery, fax etc.; and

(f) ensure that all physical personal data is destroyed completely and efficiently (e.g., by using shredding machines).

Storage of electronic personal data

In addition to the measures set out above, we should also adopt the following measures:

(a) prepare user ID and passwords for employees who are given permission to access personal data and cancel the respective user IDs when these employees are no longer managing personal data;

(b) ensure that computer systems are protected from malware threats;

(c) update the back-up / recovery system and anti-virus software;

(d) where we store personal data in removable media devices or cloud computing services, we must obtain the prior written authorisation of an officer that is authorised by our senior management;

(e) record all transfers of personal data utilising removable media devices and cloud computing services; and

(f) ensure that a contract is entered into between us and any third party we engage for purposes of processing personal data on our behalf for purposes of safeguarding personal data from loss, misuse, modification, access and unauthorised disclosure.

Failure to ensure the security of personal data processed in accordance with the MPDPA is an offence and on conviction, Newark Engineering could be liable to a fine not exceeding RM 300,000 or to imprisonment for a term not exceeding 2 years or to both.

Retention of Personal Data

For purposes of ensuring that we do not retain personal data longer than is necessary for legal or business purposes, we shall:

(a) dispose of all personal data collection forms within a period not exceeding 14 days, unless the form has legal value in relation to the transaction. Personal data contained in these forms can be retained on another database;

(b) implement a personal data disposal schedule for personal data which is inactive for a period of 24 months; and

(c) ensure that the usage of removable media devices for purposes of personal data retention is not allowed without the written authorisation of our senior management.

The retention of personal data longer than is necessary in accordance with the requirements of the MPDPA is an offence and on conviction, Newark Engineering could be liable to a fine not exceeding RM 300,000 or to imprisonment for a term not exceeding 2 years or to both.

Transfer of Personal Data

The PDPA expressly prohibits the transfer of personal data outside of Malaysia (“Transfer Restriction”), unless it is to a place specified by the Minister and published in the Gazette or one of the prescribed exemptions applies. No places have been prescribed by the Minister thus far.

The prescribed exemptions to the Transfer Restriction are as follows:

(a) the Data Subject has given his consent to the transfer;

(b) the transfer is necessary for the performance of a contract between the Data Subject and data user;

(c) the transfer is necessary for the conclusion or performance of a contract between the data user and a third party which:

(i) is entered into at the request of the Data Subject; or

(ii) is in the interests of the Data Subject;

(d) the transfer is for the purpose of any legal proceedings or for the purpose of obtaining legal advice or for establishing, exercising or defending legal rights;

(e) we have reasonable grounds for believing that in all circumstances of the case:

(i) the transfer is for the avoidance or mitigation of adverse action against the Data Subject;

(ii) it is not practicable to obtain the consent in writing of the Data Subject to the transfer; and

(iii) if it was practicable to obtain such consent, the Data Subject would have given his consent;

(f) we have taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not in that place be processed in any manner which, if that place were Malaysia, would be a contravention of the MPDPA;

(g) the transfer is necessary in order to protect the vital interests of the Data Subject; and

(h) the transfer is necessary as being in the public interest in circumstances determined by the Minister.

Thus far, there are no guidelines in relation to the ambit of application and interpretation of the abovementioned prescribed exemptions. The most straightforward exemption to rely on in respect of a transfer abroad would be to obtain the consent of the Data Subject.

The transfer of personal data out of Malaysia in breach of the MPDPA requirements is an offence and on conviction, Newark Engineering could be liable to a fine not exceeding RM 300,000 or to imprisonment for a term not exceeding 2 years or to both.

Data Protection Officer

In Malaysia, the appointment of a data protection officer is not mandatory. That said, practically, for purposes of ensuring compliance with the requirements of the MPDPA, having a data protection officer is recommended.

Appendix B

JURISDICTION-SPECIFIC APPENDIX – INDONESIA

The following shall apply in relation to collection, processing, storage, and transfer of personal data by Newark Engineering in Indonesia and the main policy shall be varied, amended and supplemented as set out below. In the event of any inconsistencies, the following shall prevail for Indonesia purposes. Unless otherwise defined in this Appendix C, capitalised terms in this Appendix C shall have the meanings set out in the Policy.

Personal Data Protection Policy

For Indonesia purposes, Newark Engineering and its group companies and their employees shall at the very least comply with the minimum legal requirements under the Indonesian Law Number 27 of 2022 concerning Personal Data Protection (“IPDPL”).

For the purpose of this Appendix C, the key terms are defined as follows:

“Personal Data” means any data regarding individuals who are identified or can be identified separately or in combination with other information, either directly or indirectly through an electronic or non-electronic system.

“Personal Data Subject” means an individual to whom the Personal Data is associated.

“Personal Data Controller” means any person (individual or corporation), public agency, and international organization that acts individually or jointly in determining purposes and exercising control over the processing of Personal Data.

“Personal Data Processor” means any person, corporate body, public agency, and international organization that acts individually or jointly in Personal Data processing on behalf of a Personal Data Controller.

The Absence of Implementing Regulation of IPDPL

The IPDPL replaced the previous regulations on personal data protection, which were found in a fragmented patchwork of general and sector-specific laws and regulations. It serves as a comprehensive legal framework for the collection, processing, storage, and transfer of personal data. Despite its broad scope, the IPDPL remains, at present, a set of normative provisions on personal data protection rather than detailed or practical guidelines, due to the absence of its implementing regulations to date. Without these implementing regulations, critical details such as procedural requirements for data breach notifications, sanctions mechanisms, and the precise powers of the yet-to-be-formed supervisory authority remain to be seen.

Consent

The IPDPL requires Newark Engineering, as the Personal Data Controller, to obtain consent from the Personal Data Subject in collecting Personal Data. The following requirements apply with respect to such consent:

(1) Consent must be in writing or in audio recording.

(2) Consent must be provided in electronic form or non-electronic form.

(3) The request for consent must meet the following conditions:

a) must be clearly distinguishable from other matters;

b) must be drafted in an easily understood and accessible format; and

c) must be drafted in simple and clear wording (Indonesian language, or bilingual (Indonesian and foreign language) in the case of a non-Indonesian-speaking Personal Data Subject).

The IPDPL does not expressly provide for the concept of deemed consent. An agreement which fails to obtain or does not contain the consent from the Personal Data Subject would be deemed null and void according to the IPDPL.

Issuance of a Compliant Privacy Notice

All Personal Data Subjects, including employees, must be issued with the information containing the prescribed matters below in relation to the processing of their Personal Data. As noted above, more detailed or practical guidelines regarding the matters below in the implementing regulations of the IPDPL are expected.

(1) that the personal data of the Personal Data Subject is being processed by or on behalf of Newark Engineering and the description of the personal data;

(2) legality of the processing;

(3) purpose of the processing;

(4) type and relevance of the Personal Data which are about to be processed;

(5) retention period for documents that contain Personal Data;

Note: The minimum retention period for Personal Data stored in an electronic system is 5 years according to the relevant regulation. Other than the foregoing, Indonesian law is silent regarding the retention period.

(6) duration of the data processing; and

(7) rights of the Personal Data Subjects, such as the right to know the purpose of the collection and use of their Personal Data and the right to know the identity of the person collecting their Personal Data.

Any amendment to the information outlined above must be notified to the Personal Data Subjects prior to the implementation of such amendment.

Access and Correction of Personal Data

We will provide access to the Personal Data, along with the processing record/history, within 72 hours after we receive a written request for access. Such request may only come from the relevant Personal Data Subject.

We may, however, refuse to grant access on the following grounds:

(1) the access endangers the security, physical health, or mental health of the Personal Data Subject and/or other people;

(2) the access has an impact on the disclosure of another person’s Personal Data; and/or

(3) the access is contrary to the interest of national defence and security.

We will update and/or correct errors and/or inaccuracies in Personal Data no later than 72 hours after we receive a written request for the update and/or correction from the relevant Personal Data Subject. We will notify the relevant Personal Data Subject of the result of the update and/or correction.

We may, however, refuse to grant any changes on the following grounds:

(1) changes that jeopardize the security and health of the Personal Data Subject and/or other people;

(2) changes that result in disclosures of other parties’ Personal Data; and/or

(3) changes that run contrary to national security.

Termination of Personal Data Processing

We must terminate the processing of Personal Data if such action is requested by the relevant Personal Data Subject within 72 hours of such request being received by us. Further, we must end the processing of Personal Data if:

(1) the relevant retention period has been exceeded;

(2) the relevant purposes have been achieved; or

(3) termination is requested by the Personal Data Subject.

Erasure and Destruction of Personal Data

We must erase the Personal Data if:

(1) the Personal Data is no longer required; and/or

(2) the Personal Data has been recalled by the Personal Data Subject/requested by the Personal Data Subject.

We must destroy Personal Data if:

(1) the relevant retention period has expired and such Personal Data is planned to be destroyed;

(2) requested by the Personal Data Subjects; and/or

(3) the Personal Data does not relate to any legal proceedings.

We must notify the Personal Data Subject of any erasure and/or destruction of Personal Data. More detailed or practical guidelines regarding this matter in the implementing regulations of the IPDPL are expected.

Failure of Personal Data Protection

In the event of a breach of Personal Data protection, we must provide a written notification no later than 72 hours to the Personal Data Subject and the relevant Indonesian authority in charge of Personal Data protection. To date, such authority has not been formed and the implementing regulation regarding the formation of such authority has not been issued.

The written notification must at least contain the following information:

(1) which Personal Data is disclosed/breached;

(2) how and when the Personal Data is disclosed/breached; and

(3) the efforts to handle and recover from such breach/disclosure.

In certain cases, we must notify the public regarding the incident, for example where such breach results in the disruption of public service and/or has a material effect on the public interest.

Transfer of Personal Data

The Personal Data may be transferred to another Personal Data Controller within the Indonesian territory. It may also be transferred to a Personal Data Controller and/or Personal Data Processor outside of the Indonesian territory. In transferring Personal Data, we must ensure the receiving Personal Data Controller and/or Personal Data Processor has implemented personal data protection to a degree equal to or higher than that required under the IPDPL. In the event the receiving Personal Data Controller and/or Personal Data Processor does not implement adequate protection as required by the IPDPL, we shall be required to obtain consent from the Personal Data Subject.

Thus far, there is no implementing rule or official guidance in relation to the ambit of application and interpretation of the abovementioned prescribed transfer mechanisms. The most straightforward exemption to rely on in respect of a transfer abroad would be to obtain the consent of the Personal Data Subject or ensure that such consent has been secured.

Data Protection Officer

In Indonesia, the appointment of a data protection officer (“DPO”) is mandatory in the following circumstances:

(1) Personal Data is processed for the purpose of public service; or

(2) the main activity of the Personal Data Controller requires regular and systematic monitoring in relation to massive Personal Data due to its nature, scope and/or objective; and/or

(3) the main activity of the Personal Data Controller includes the processing of Personal Data on a massive scale in relation to criminal acts.

Further, the IPDPL stipulates that a DPO can be someone from within and/or outside of the organization of a Personal Data Controller.

As of May 2025, there are not yet any implementing regulations specifying the “massive Personal Data” condition in (2). Despite the absence of the implementing rules, practically, for purposes of ensuring compliance with the requirements of the IPDPL, having a DPO is recommended.

General Obligations

In addition to the requirements outlined above, we shall observe the following requirements:

(1) Ensuring the accuracy, completeness and consistency of the Personal Data.

(2) Recording all Personal Data processing activities.

(3) Protecting and ensuring the security of the Personal Data, by performing:

a. implementation of technical measures to protect Personal Data from disruption; and

b. determination of security level by taking into account the nature and risk of the Personal Data which must be protected during processing.

(4) Ensuring confidentiality of the Personal Data.

(5) Supervision over each party involved in the processing of the Personal Data.

(6) Protecting the Personal Data from unauthorized processing.

(7) Preventing illegal access to the Personal Data by using a reliable and secure electronic system.

As of May 2025, there is no implementing rule or official guidance in relation to the requirements above.

Exceptions

In general, the requirements regarding update and/or correction, access, termination of processing, deletion, destruction and mandatory notification regarding breach (as outlined above, and including duty of confidentiality) may be exempted for the following reasons/purposes:

(1) national defence and security;

(2) law enforcement process;

(3) public interest in the context of state administration; or

(4) supervision of the financial services, monetary, payment system, and financial system stability carried out in the context of state administration.

Administrative Sanctions

Failure to comply with the requirements outlined above shall generally warrant the imposition of the administrative sanctions listed below. The mechanism of sanction imposition will be regulated in further detail in the implementing regulation of the IPDPL.

(1) written warning;

(2) temporary suspension of Personal Data processing activity;

(3) erasure or destruction of Personal Data; and/or

(4) administrative penalty.

The maximum amount of the administrative penalty is 2% of the annual revenue of the breaching party.

Criminal Sanctions

In addition, the following criminal sanctions may also be imposed:

(1) Any person who intentionally and unlawfully obtains or collects Personal Data that does not belong to them with the intention to benefit themselves or other persons which may result in the loss of the Personal Data Subject shall be sentenced to a maximum imprisonment of 5 (five) years and/or a maximum fine of Rp5,000,000,000.00 (five billion Rupiah).

(2) Any person who intentionally and unlawfully discloses Personal Data that does not belong to them shall be sentenced to a maximum imprisonment of 4 (four) years and/or a maximum fine of Rp4,000,000,000.00 (four billion Rupiah).

(3) Any person who intentionally and unlawfully uses Personal Data that does not belong to them shall be sentenced to a maximum imprisonment of 5 (five) years and/or a maximum fine of Rp5,000,000,000.00 (five billion Rupiah).

In the event the crimes referred to above are committed by a corporation, the criminal sanction may be imposed against the management, controller, commanding officer, beneficial owner, and/or the corporation.

In the case of a corporation, only a penalty shall be imposed as a form of criminal sanction. Further, the following additional criminal sanctions may also be imposed against a corporation:

(1) confiscation of profits and/or assets obtained or proceeds from crimes;

(2) suspension of the entire or part of the corporation’s business;

(3) permanent prohibition on conducting certain activities;

(4) closure of the entire or part of the corporation’s place of business and/or activities;

(5) fulfilling the obligations that have been neglected;

(6) payment of compensation;

(7) revocation of license; and/or

(8) dissolution of the corporation.