Introduction
Personal data refers to any information in respect of commercial transactions that relates directly or indirectly to a customer who is identified or identifiable from that information alone or in combination with other information, including any sensitive personal data and any expression of opinion about the customer.
Examples of personal data are as follows:
- Name
- Address
- Gender
- Date of Birth
- Telephone numbers
- Photographs
- Videos
- Application/transactions/account data
Sensitive personal data refers to any data consisting of information as to an individual’s physical or mental health condition, political opinions, religious beliefs and other beliefs of a similar nature or biometric data. In addition, the commission or alleged commission by the individual of any offence is also sensitive personal data. The personal data inclusive of sensitive personal data shall be protected and controlled throughout its lifecycle – collection, storage, use, disclosure and disposal.
Personal Data Governance Structure
A personal data governance structure shall be established by AEON Credit Service (M) Berhad (“AEON Credit” or the “Group”) to ensure:
- Accountability and oversight are assigned to the responsible parties handling the personal data; and
- Adequate internal controls are in place to protect the personal data.
Personal Data Policies
The Group shall ensure the following policies are adopted at each phase of the personal data lifecycle:

| Phase | Details |
|---|---|
| Collection | Personal data shall only be collected for a legitimate business purpose with the consent of the data subject (customer). |
| Storage | The data shall be stored in a manner that best supports business processes, whilst protecting the confidentiality and integrity of the data. It must be protected against any unauthorised access. |
| Use | The data shall be used in an ethical and lawful manner to meet business purpose(s). The data shall not be used without the data subject’s consent unless for compliance with legal/regulatory requirements. |
| Disclosure | The data shall be protected from any unauthorised disclosure by having appropriate security measures. However, there are specific conditions where the data is permitted to be disclosed in accordance with the Bank Negara Malaysia (BNM) policy document. |
| Disposal | The data shall not be kept longer than the identified retention period for the various types of information and documents. At the end of the retention period, the information or document shall be properly disposed of so that it cannot be reconstructed. |
Control Environment for Personal Data Protection
The control environment for the management of personal data shall encompass the following elements, to safeguard against the risk of theft, loss, misuse, unauthorised access/modification or disclosure:

| Elements | Details |
|---|---|
| Risk Assessment | The Group shall ensure that a risk assessment is conducted on threats and vulnerabilities to personal data that could result in theft, loss, misuse, unauthorised access/modification or disclosure by whatever means. |
| Policies and Procedures | The Group shall establish and implement written policies and procedures to safeguard personal data, covering the collection, storage, use, transmission, sharing, disclosure and disposal of personal data. |
| Control Measures | The Group shall adopt comprehensive control measures which include information and communication technology (ICT) controls, access controls and physical security. |
| Employees | The Group shall ensure each employee signs an agreement upon joining the Group to undertake responsibility for protecting personal data and acknowledging the consequences of failure to carry out the duty. |
| External Vendors/Outsourced Service Providers (OSP) | The Company shall ensure external vendors/OSPs execute an agreement to undertake responsibility for protecting personal data and acknowledging the consequences of failure to carry out the duty, including undertaking compliance, amongst others, with the security principle of the PDPA 2010, notifying the Company of personal data breaches and facilitating the Company’s compliance with data breach notification obligations. Accurate records and an audit trail of all personal data that have been shared with or provided to external vendors/OSPs shall be maintained. The Company must be satisfied that any OSP handling personal data of the Company has in place policies, procedures and controls comparable to those of the Company, to ensure that such personal data is protected and properly handled. |
| Independent Review | The Group shall carry out an independent review annually to assess the adequacy of the policies, procedures and internal controls in place to protect personal data. |
| Assurance to Board from Senior Management | The Board of Directors of the Group shall be provided with assurance from Senior Management annually that the controls in place to protect customer information are working effectively and that the outsourced service providers of the Group fulfil their obligations in accordance with the contractual terms with OSPs on safeguarding customer information. |
Personal Data Breach Handling
All staff are required to immediately report any incident of personal data breach. An investigation shall be carried out to ascertain the root cause(s) of the personal data breach and to determine appropriate remedial actions to prevent recurrence.
For any personal data breach that is likely to pose reputational risk to the Group or a threat to public confidence and trust, the Group must notify Bank Negara Malaysia (BNM) immediately upon discovery of the breach. If the breach appears to involve fraud, criminal activity or may result in identity theft, the Group must also notify the relevant law enforcement agency. The JPDP Commissioner must be notified of a personal data breach if the personal data breach causes or is likely to cause “significant harm”.
Personal Data Protection Training and Awareness
The Group shall provide continuous training and awareness to all employees to ensure they understand the importance of ensuring the confidentiality, integrity and availability of personal data of customers at all times.
The training and awareness programmes shall be conducted annually through the following methods:
- Internal training or external training by third party service providers;
- Communication through e-mail or notice board; and
- Other methods deemed appropriate by the Group.
Rights to Data Portability
Customers have the right to request that the Group transmit their personal data directly to another data controller of their choice, by giving notice in writing by electronic means to the Group, subject to technical feasibility and compatibility of the data format. This right to data portability is subject to such other requirements, circulars and guidelines issued or to be issued by the PDP Commission from time to time.
Transfer Of Personal Data to Places Outside Malaysia
The Group may transfer personal data to a place outside Malaysia if any of the following conditions are met:
a) there is in that place in force any law which is substantially similar to PDPA 2010; or
b) that place ensures an adequate level of protection for the processing of personal data which is at least equivalent to the level of protection afforded by PDPA 2010.
Any such transfer of personal data to a place outside Malaysia is subject to such other requirements, circulars and guidelines issued or to be issued by the PDP Commission from time to time.
Appointment of Data Protection Officer
The Group shall register the appointed DPO and submit their business contact information to the JPDP Commissioner within twenty-one (21) days from the date of appointment, through the Personal Data Protection System (SPDP) via https://daftar.pdp.gov.my.
The business contact information shall be maintained and promptly updated by the Group to ensure efficient communication between the DPO and the JPDP Commissioner and the data subjects (including customers).
If there is a change in the appointed DPO or in the business contact information of the DPO, the Group shall update the changes via SPDP no later than fourteen (14) days from the effective date of the new appointment.
DPO contact details:

| Item | Details |
|---|---|
| DPO | Encik Faizul Hamzah |
| Email | dpo@aeoncredit.com.my |
| Phone | 03-2772 9000 |
| Address | Bangsar South City, Level 18 UOA Corporate Tower, Avenue 10, 8, Jalan Kerinchi, The Vertical, 59200 Kuala Lumpur |
The Company shall accurately maintain and retain records of the appointed DPO.