Axiata Group Berhad and members of its group of companies in Malaysia as listed in Annex A (together and/or individually referred to as “Axiata”, “us” or “we” or “our”) are committed to protecting personal data of our business customers, business partners and suppliers, visitors, applicants, candidates and beneficiaries of Axiata Foundation or its programs and personal data of individuals who work for, or act on behalf of, our business customers, business partners, suppliers, and/or such applicants, candidates and beneficiaries (collectively, “data subject”) that have been provided to us. In Axiata, we take privacy seriously and all our activities are underpinned by our T.R.U.S.T. principles of being Transparent, respecting your Rights, in our Use of your personal data, through robust cyber security practices and we take due care when Transfer of data is required.
This privacy notice (“Privacy Notice”) explains what and how personal data is collected and further processed (as defined in the Personal Data Protection Act 2010 and/or other applicable laws), for what purposes it is collected and further processed by us, sources (if any) of personal data, to whom personal data is disclosed and how to access and update your personal data, and where to go for further information in respect of the personal data.
If you provide us with personal data of other individuals, you hereby represent that you have obtained consent from that individual prior to providing their personal data to us. References to ‘your personal data’ in this Privacy Notice would include such individual’s personal data that you provide to us.
In the event of any conflict between the English and Bahasa Melayu versions of this Privacy Notice, the English version shall prevail.
Information about children
If you are under the age of 18, you are required to obtain the consent of your parent, guardian or person who has parental responsibility over you before providing us with your personal data (for example, your name, address and email address).
What personal data do we collect?
The types of personal data we collect or obtain may vary according to our relationship with a data subject and may include the following:
A. For Business Customers
• contact information (such as name, address, email address and telephone number)
• banking information (such as direct debit, related bill payments and banking transactions)
B. For Business Partners and Suppliers
• contact information (such as name, address, email address and telephone number)
• identification information (such as national identification number, passport identification number, tax registration number, social security number, driver’s license, date of birth)
• business information (such as name of organisation, job title, department, business address organization structure, shareholding, directorship)
• any recordings captured through our communication platform(s) (such as telephone recordings, Microsoft Teams, Zoom, etc.)
• details contained in business registration documents, third-party due diligence documents, trade references and credit checks
• financial details including banking account details and bank account statements
C. For Visitors to Any of Our Premises or Events
• contact information (such as name, address, email address and telephone number)
• identification information (such as national identification number, passport identification number, etc.)
• business information (such as name of organisation, etc.)
• reason for visit
• date and time of visit
• biometrics and facial recognition
• security notes (special instructions and access restrictions)
• any photographic and/or video footage captured or recorded by our surveillance camera (CCTV) system or any other recording system
It is obligatory for you to supply such personal data if you enter any of our premises or attend any of our events.
D. For Applicants, Candidates and Beneficiaries
• contact information (such as name, address, email address and telephone number)
• identification information (such as national identification number, passport identification number, tax registration number, date of birth and any other identification information)
• demographic information (such as age range, marital status, gender, etc.)
• financial information (such as parents’ incomes, beneficiaries’ incomes, bank account name and number, etc.)
• education information (such as field of studies, university, country of study, academic scores and achievements, professional certifications, etc.)
• employment information (such as employer name, address, email address, telephone number, position employed, employment tenure, etc.)
• any photograph(s) or video footage(s) submitted to Axiata Foundation (such as profile pictures, contest submissions, etc.)
Additional sensitive personal data that we may collect:
• health information
Additional personal data that we collect
We may during times of crisis such as war, terrorism, riots, natural disaster or health crisis/disease outbreak collect:
• health and physical condition
• health condition of individuals in your household
• result of your health test(s), if any
• whether you are or were in self-isolation when you are or were unwell
• body temperature
It is obligatory for you to supply such additional personal data if you enter any of our premises or attend any of our events during such times of crisis.
When do we collect your personal data?
We may collect or obtain your personal data:
A. For Business Customers
• when you use our network, products and/or services (including through our call centres, dealers, and sales channels)
• when you contact us or register for information relating to our network, products and/or services or for any other purpose(s)
• when you communicate with us (such as via SMS, text messages or other digital channels, emails, questionnaires or surveys)
•when you use or interact
via any of our digital applications, visit any of our websites or social media
pages (details on this is set out in our Cookie Notice)
• when you participate in any of our promotional events, incentives or loyalty programs • from external agencies (such as credit reference agencies, screening or investigation agencies)
• from our internal database pursuant to your relationship with any subsidiary, affiliate or associated company of Axiata
B. For Business Partners and Suppliers
• when you use our network, products and/or services
• when you communicate with us (such as via SMS, text messages or other digital channels, emails, questionnaires or surveys)
• when you use or interact with any of our digital applications, visit any of our websites or social media pages
• from external agencies (such as credit reference agencies, screening or investigation agencies)
• from our internal database pursuant to your relationship with any subsidiary, affiliate or associated company of Axiata
C. For Visitors to Any of Our Premises or Events
• when you register in our visitor logbook or submit the visitor entry form
• when you provide us with your identification document(s)
• when you provide your host with information
• from our surveillance camera (CCTV) system or any other recording system D. For Applicants, Candidates and Beneficiaries
• when you submit your online application to participate in any of our programs or events
• when you contact us or register for information relating to our events and/or services or for any other purpose(s)
• when you communicate with us (such as via SMS, text messages or other digital channels, emails, questionnaires or surveys)
•when you use or interact
via any of our digital applications, visit any of our websites or social media
pages (details on this is set out in our Cookie Notice)
• from external agencies (such as event organizers, business partners, transporters, accommodation and any other event related suppliers)
• from our internal database pursuant to your relationship with any subsidiary, affiliate or associated company of Axiata
• from the surveillance camera (CCTV) system when you are physically present at any of our premises or events
• from any event photos and/or video shoots
How do we use your personal data?
Your personal data may be used or processed for the purposes of:
A. For Business Customers
• providing you with products, services and/or offers which may be of interest to you
• notifying you about benefits and changes to the features of products and services
• providing you with the latest offers, campaigns and promotions (when you subscribe to such updates)
• sending you service messages about your subscription or account registration
• using your data for participation in customer surveys or meetings
• compliance with laws and/or contractual and/or regulatory obligations
• protecting or exercising our legal, contractual and/or regulatory rights and remedies
• sending you information via telephone calls, text messages or other digital channels, emails, etc. or social media about products and services offered by selected third parties that may interest you
• other legitimate purposes
B. For Business Partners and Suppliers
• business execution
• organisation and management of the business
• health, safety and security
• compliance with laws and/or contractual and/or regulatory obligations
• protecting or exercising our legal, contractual and/or regulatory rights and remedies
• protecting our assets and interests
• other legitimate purposes
C. For Visitors to Any of Our Premises or Events
• health, safety and security
• compliance with laws and/or contractual and/or regulatory obligations
• protecting or exercising our legal, contractual and/or regulatory rights and remedies
• other legitimate purposes
D. For Applicants, Candidates and Beneficiaries
• for online application selection and recruitment processes
• understand participants’ demographics
• for program logistics planning and implementation
• as part of advertisements and/or general updates on any media platform(s)
• for security clearance at third-party premises
• compliance with laws and/or contractual and/or regulatory obligations
• protecting or exercising our legal, contractual and/or regulatory rights and remedies
• for internship placement
• registration for extended programs (internal and external)
• other legitimate purposes
Who do we disclose your personal data to?
We may disclose your personal data:
A. For Business Customers
• to any subsidiary, affiliate or associated company of Axiata
• to other carriers and/or operators when routing international calls
• to third parties when disclosure is necessary or reasonable to protect rights of Axiata and/or any subsidiary, affiliate or associated company of Axiata, protect your security, investigate fraud or respond to a law enforcement request
• to service providers, field engineers, contractors, subcontractors, Sub-Processors (defined below) or any other third-party performing work on behalf or at the instruction of Axiata and/or any subsidiary, affiliate or associated company of Axiata
• to business partners for marketing activities
• to third parties for credit checks and fraud management
• to third parties for carrying out analytics to understand how you use our services
• to third parties for research and development purposes
• to dealers or agents of Axiata and/or any subsidiary, affiliate or associated company of Axiata
• to third parties for the purposes set out under “How do we use your personal data?”
B. For Business Partners and Suppliers
• to any subsidiary, affiliate or associated company of Axiata
• to third-party agents, service providers, consultants, advisors, contractors and/or subcontractors of Axiata and/or any subsidiary, affiliate or associated company of Axiata
• to any party appointed by you or on your behalf, to process personal data (“Sub Processor”)
• to any public authority, governmental, regulatory or fiscal agency where it is necessary to comply with a legal or regulatory obligation to which Axiata and/or any subsidiary, affiliate or associated company of Axiata is subjected to or as permitted by applicable local law
• to third parties for the purposes set out under “How do we use your personal data?”
C. For Visitors to Any of Our Premises or Events
We do not routinely share/transfer your personal data with any external organizations or third parties. However, where and whenever we share/transfer your personal data, it may be:
• to any person(s) by whom we are required by law, contractual, governmental or regulatory requirements to make disclosure
• to authorised personnel, third party agents or service providers as necessary to process your personal data
• to any provider of security and emergency services
• to third parties for the purposes set out under “How do we use your personal data?”
D. For Applicants, Candidates and Beneficiaries
• to logistic partners for program planning and implementation
• to business partners for business simulations and challenges
• to transportation agencies for travelling purposes
• to insurance agencies for travel personal accident coverage
• to digital platform service providers for online learning and self-development
• to creative and social media vendors for production of program montages, promotional materials, television series, podcasts, social media postings, etc.
• to any subsidiary, affiliate or associated company of Axiata
• to third parties when disclosure is necessary or reasonable to protect our rights, protect your security, investigate fraud or respond to a law enforcement request
• to third parties for measuring the effectiveness of our programs
• to third parties for the purposes set out under “How do we use your personal data?”
We use reasonable efforts in accordance with industry best practices to ensure that the above mentioned maintain the confidentiality of your personal data and are restricted from using your personal data for any unauthorised purpose.
Transfers of Personal Data
We may transfer your personal data across geographical borders to other entities. Where your personal data has been transferred to any subsidiary, affiliate or associated company of Axiata and/or to third parties located outside of Malaysia, the transfer of your personal data is carried out under organizational, contractual and legal measures and with adequate levels of protection implemented as
well as in compliance with any additional local legal requirements for the parties receiving this information in order to safeguard your personal data.
How do we store and protect your personal data?
We may collect and store your personal data in electronic and/or physical form, depending on the requirement. Information may be stored at our and third- party premises within IT Systems (e.g.external cloud storages, internal or third-party management systems, e-mails, databases, hard drives), document warehouses, etc.
We endeavour, where practicable, to process your personal data in a safe environment by preventing any unauthorized or unlawful processing of personal data or accidental loss or destruction of, or damage to, such information. We have implemented various physical, technical and administrative security measures to protect your personal data and our network from unauthorized access. Some of these measures include:
• encryption of data in transit or at rest
• strict adherence to privacy and security practices
• periodic security assessment and reviews to upgrade our practices
• restriction of access to personnel who have a need to know such data
How long do we retain your personal data?
We will retain your personal data only for as long as such information is necessary for the purposes it was collected for. The retention period for personal data may also be affected by the requirements of applicable laws. In all cases information may be held for a longer period where there is a legal or regulatory reason to do so (in which case it will be deleted once no longer required for the legal or regulatory purpose) or subject to law, a shorter period where the individual objects to the processing of their personal data.
What are your rights?
We respect your rights and privacy by taking steps to ensure that your personal data is accurate, complete, not misleading and up to date. In compliance with the Personal Data Protection Act 2010, we assure you that:
• you have the right to know what personal data we have about you
• you have the right to request a copy of your personal data
• you have the right to correct your personal data to ensure it is accurate, complete, not misleading and up to date
• you have the right to withdraw your consent from our processing of your personal data
• you can also ask us to restrict how we use your personal data where it is likely to cause damage or distress
• you have a right to prevent processing of your personal data for purposes of direct marketing
For exercising your rights, you can reach out to us through the details under ‘Who can I contact for more information?” section given below.
You may request us to stop communicating with you by contacting us on the below mentioned contact details. These choices do not apply to the receipt of mandatory product or service communications that are considered as part of certain Axiata’s and/or any subsidiary, affiliate or associated company of Axiata’s products or services, which you may receive periodically, unless you cancel the subscription of our products or services.
Voluntary and obligatory supply of personal data
Unless otherwise specified in this Privacy Notice, your supply of personal data is voluntary. If you fail to supply personal data, this may result in the consequences described in the following section.
Consequences of not providing personal data
We may require collection of certain personal data about you and failure to provide such information may:
• result in us preventing your entry to our premises or participating in our events
• result in us being unable to process your application and/or provide you with our services
• result in us being unable to respond to your requests on our products/services
• limit or prevent access to certain features on our website/weblinks
• result in us being unable to inform you on latest updates regarding any promotions, our services/products or launches
• result in your inability to receive invitation to promotional activities organized by us
• negatively affect our ability to communicate with you
• result in our inability to enter into a contract with you or a counterparty or continuing to contract with you or a counterparty
• negatively impact your chances of being selected for any potential employment, engagement or internship
By submitting personal data to us, you acknowledge that:
i. You have read and understood this Privacy Notice and agree and consent to the use, processing and transfer of personal data as set out herein; and
ii. All information and representation provided are true and correct to the best of your knowledge, and you have not knowingly omitted any relevant information which may have an adverse effect.
Who can I contact for more information?
If you have any questions or enquiries about this notice, our privacy and information handling practices, or would like to exercise your rights as data subjects, kindly reach out to:
Data Privacy Officer
03 – 2263 8888/8930
Updates to the Privacy Notice
We reserve the right to amend, modify, vary or update this Privacy Notice and our Cookie Notice, at our sole discretion from time to time, as and when the need arises. The most recently published Privacy Notice and Cookie Notice shall prevail over any of its previous versions. You are encouraged to check this Privacy Notice and Cookie Notice from time to time to stay informed of any changes. You agree to adhere to the terms of the Privacy Notice and Cookie Notice including any variations.
This Privacy Notice was last updated on 4 December 2020.
ANNEX A
1. Axiata Management Services Sdn Bhd
2. Axiata Business Services Sdn Bhd
3. Axiata Foundation
4. Axiata SPV2 Berhad
5. Axiata SPV4 Sdn Bhd
6. Axiata Investments (Indonesia) Sdn Bhd
7. Xpand Investments (Labuan) Limited
8. Axiata Investments (Singapore) Limited
9. Axiata Investments (Cambodia) Limited
10. Axiata (Cambodia) Holdings Limited
11. Axiata Investments (Labuan) Limited
12. Axiata SPV1 (Labuan) Limited
13. Axiata SPV5 (Labuan) Limited