We, Sabah Electricity Sdn. Bhd. (Company No.462872-W) (“SESB”), respect the privacy of all individuals with whom we have a contractual relationship. We are committed to protecting all Personal Data kept by us.
For this reason, SESB has adopted this Personal Data Protection Policy (“this Policy”) in compliance with the Personal Data Protection Act 2010 of Malaysia (“PDP Act”).
|"Consent"||the free, informed and prior agreement given by the Data Subject for the processing of his/her Personal Data.|
|"Personal Data"||any information relating to an identified or identifiable natural person. An identifiable person is someone who can be identified, directly or indirectly, in particular by reference to an identification number or the person’s physical, physiological, mental, economic, cultural or social characteristics. Personal data may relate to any natural persons, including employees, customers, clients, investors, suppliers, contractors or other individuals.|
collecting, recording, holding or storing the Personal Data or carrying out any operation or set of operations on the Personal Data, including:
|"Data Subject"||a natural person, a private individual about whom information is collected, stored or processed.|
|"Minister"||refers to the Minister of Communication & Multimedia.|
|"Sensitive Personal Data"||
comprises information as to:
|"third parties"||a person or a company who is not a party to a contract or a transaction with SESB, but excluding SESB’s contractors, sub-contractors, authorized agents, vendors and professional advisors.|
This Policy applies to all operations and business units of SESB. To the extent any operations or business unit of SESB already has a data protection policy in place, this Policy shall supersede and replace any such policy.
Legal Affairs Department is responsible for the administration of this Policy and monitoring enterprise wide compliance.
3. EFFECTIVE DATE
This policy is effective as at 15 November 2013.
4. PERSONAL DATA PROTECTION PRINCIPLES
4.1 General Principle:
4.1.1 SESB will only process Personal Data in the manner set out below:
- Processing of Personal Data will be for a lawful purpose directly related to the activity of SESB;
- Processing of Personal Data must be necessary for or directly related to that purpose;
- the Personal Data is adequate but not excessive in relation to that purpose; and
- the Consent of the Data Subject must be obtained.
4.1.2 SESB is not responsible to obtain the Consent of the Data Subject where the Processing Personal Data is necessary: -
- for the performance of a contract to which the Data Subject is a party;
- at the request of the Data Subject with a view to entering into a contract with the Data Subject;
- for compliance with any legal obligation to which SESB is subject, other than an obligation imposed by a contract;
- to protect the vital interests of the Data Subject;
- for the administration of justice; or
- for the exercise of any functions conferred on any person by or under any law.
4.1.3 SESB will only process Sensitive Personal Data:
- with the consent of the Data Subject;
- where Processing is necessary for any of the following purposes:
- for the performance of any right or obligation which is conferred or imposed by law on SESB in connection with employment;
- in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld;
- for medical purposes;
- any legal proceedings;
- obtaining legal advice;
- establishing, exercising or defending legal rights;
- administration of justice;
- exercise of the functions conferred on any person by or under any written law;
- for any other purposes as the Minister thinks fit; or
- the information contained in the Personal Data has been made public as a result of steps deliberately taken by the Data Subject.
4.1.4 The Data Subject may withdraw his/her consent at any time and may attach any condition or limitation he/she believes to be appropriate.
4.1.5 It is SESB’s policy that Personal Data must be processed fairly and lawfully. SESB is responsible for collecting Personal Data only for specific, lawful, explicit and legitimate purposes, and for further processing of Personal Data consistent with those purposes.
4.1.6 It is SESB’s policy that Personal Data is adequate, relevant and not excessive to the purpose for which they are collected or further processed. SESB is responsible for making every reasonable effort to maintain such data accurately, provide reasonable means to correct, delete, or rectify any inaccurate data, and store such data for periods no longer than is necessary.
4.2 Notice and Choice Principle:
4.2.1 SESB will inform the Data Subject of the following by a written notice as soon as practical:
(a) that the Personal Data is being processed;
(b) a description of the Personal Data;
(c) the purpose of the collection of the Personal Data;
(d) the source of the Personal Data;
(e) the right of the Data Subject to request access and correction of the Personal Data;
(f) classes of third parties to whom the Personal Data is / may be disclosed;
(g) the choice and means of limiting the processing of Personal Data;
(h) whether the supply of the Personal Data is obligatory or voluntary; and
(i) the consequences of the Data Subject’s failure to supply the Personal Data.
4.3 Disclosure Principle:
4.3.1 SESB will only disclose Personal Data:
(a) to comply with any government agency notification requirements; and/or
(b) for the purpose for which the Personal Data is processed.
4.3.2 SESB will not disclose the Personal Data for other purpose and to third parties unless with the Consent of the Data Subject.
4.4 Security Principle:
4.4.1 SESB is responsible for taking prudent steps to safeguard the confidentiality and security of all Personal Data, including appropriate procedural, organizational and technical steps to protect personal data from accidental or unlawful destruction or accidental loss, alteration or disclosure. These steps include entering into written agreements with subcontractors who process Personal Data in accordance with SESB’s instructions and incorporating SESB’s own data protection standards as a minimum.
4.4.2 SESB has reasonable security policies and procedures in place to protect personal information from unauthorized loss, misuse, alteration, or destruction. Despite SESB’s best efforts, however, security cannot be absolutely guaranteed against all threats. To the best of SESB’s ability, access to Data Subject’s Personal Data is limited to those who have a need to know. Those individuals who have access to the Personal Data are required to maintain the confidentiality of such information.
4.5 Retention Principle:
4.5.1 SESB shall take all reasonable steps to ensure that:
(a) Personal Data are retained only for so long as the information is necessary to comply with a Data Subject’s request or until that Data Subject request
that the information be deleted according to SESB’s internal procedures; and
(b) the Personal Data is destroyed or permanently deleted, where possible, after the purpose is served.
4.6 Data Integrity Principle:
SESB will ensure that the Personal Data is accurate, complete, not misleading and kept up-to-date, having regard to the purpose the data was collected and further processed.
4.7 Access Principle:
4.7.1 SESB recognizes the right of Data Subjects to obtain without constraint at reasonable intervals and without excessive delay or expense:
(a) confirmation concerning whether SESB, any representative or agent is holding or processing Personal Data relating to him or her;
(b) information on the purpose(s) of the processing, the categories of data concerned, and the recipients or categories of recipients;
(c) information in an intelligible form concerning the data relating to him or her being processed and the source of such data; and
(d) information, as appropriate, concerning the logic underlying the data processing.
4.7.2 Further, SESB recognizes the Data Subject’s right to require, as appropriate, the correction, erasure or blocking of data whenever the processing of such data does not comply with applicable laws and regulations. SESB will alert, to the extent practicable, third parties to whom the Personal Data has been disclosed of any such correction, erasure or blocking.
4.7.3 A Data subject will be entitled to access his/her Personal Data that is being used by SESB by making a request in writing which will be complied within 21 days from date of receipt of such request.
5. DATA COLLECTION, TRANSFER & PROCESSING
5.1. SESB is responsible for collecting, processing and transferring Personal Data in compliance with the PDP Act. Only in very limited and rare circumstances, will SESB disclose Personal Data to healthcare professionals, e.g. where the data subject's health and well-being would otherwise be adversely affected and the Data Subject is unable to give formal consent.
5.2. It is SESB’s policy that except as allowed or required by the PDP Act, Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships, health or sex life or alleged commission of any offense not be processed and the collection and storage of such Sensitive Personal Data be particularly safeguarded. The Processing of the Sensitive Personal Data by SESB will be in the manner set out in Clause 4.1.3 of this Policy.
5.3. For Personal Data obtained directly from the Data Subject, SESB is responsible for informing the Data Subject of the identity of those controlling the Personal Data, the purpose for which the Personal Data is being collected and processed and any further information the Data Subject may need for fair processing. This same standard applies to Personal Data not obtained directly from the Data Subject, except as allowed by law for statistical purposes.
5.4 SESB is responsible for informing the Data Subject prior to any initial transfer or Processing of Personal Data for direct marketing purposes and, upon request, for blocking such action.
5.5 It is SESB’s policy not to transfer Personal Data to any entity, individual, or organization, particularly entities within third countries without adequate data protections, which does not meet the standards established by this policy without ensuring that:
5.5.1 the Data Subject has given his/her unambiguous consent;
5.5.2 the transfers are needed for the performance of a contract between the Data Subject and the third party or to implement a pre-contractual commitment made at the request of the Data Subject;
5.5.3 the transfers are needed for the conclusion or performance of a contract concluded in the interest of the Data Subject with a third party;
5.5.4 the transfers are needed to protect the vital interests of the Data Subject; or
5.5.5 the transfers are made from a register established pursuant to laws and regulations as being open for consultation by members of the general public or by any person who can demonstrate a legitimate interest.
6.2 SESB may use so called web beacons (or “pixel tags”) in connection with some websites. However, SESB do not use them to identify individual users personally. Web beacons are typically graphic images that are placed on a website and they are used to count visitors to a website and/or to access certain cookies. This information is used to improve SESB’s services. Web beacons do not typically collect any other information than what Data Subject browser provides SESB with as a standard part of any internet communication. If Data Subject turn off cookies, the web beacon will no longer be able to track Data Subject specific activity. The web beacon may, however, continue to collect information of visits from Data Subject’s IP-address, but such information will no longer be unique.
*SESB reserves the right to change any portion of this Personal Data Protection Policy. SESB will announce such changes through its dedicated webpage www.sesb.com.my/?q=content/pdpa
*SESB is committed to protecting the Personal Data of any Data Subject. If you have questions or comments about SESB’s administration of Personal Data, please contact us at email@example.com. You may also use this address to communicate any concerns you may have regarding compliance with this Policy.