Personal Data Protection Policy
wholly owned by
TT Web Sdn Bhd (1156161-P)
No. 22-03-01 Cheras Business Centre,
Jalan 2/101C, 5th Miles Off Jalan Cheras,
56000 Kuala Lumpur, Malaysia

A. General
In view of the implementation of the Personal Data Protection Act 2010 (“Act”), the TT Web Sdn Bhd (“TT Web”) recognizes the need to process all personal data obtained in a lawful and appropriate manner. TT Web is committed to protecting the personal data supplied by a data subject to ensure compliance with the legal and regulatory requirements in accordance with the Act. This Policy covers the processing of all personal data and sensitive personal data whose use is controlled by TT Web.

As a principle, collection, use, or disclosure of the personal data is prohibited for any purpose unless otherwise the approval of the head of relevant business units and the compliance officer.

B. Policy Status
1. This Policy is applicable to all employees of TT Web. For the purposes of this Policy, the term “employees” herein refers to all members of TT Web, including permanent, fixed term and temporary employees, governors, any third party representatives and agents with TT Web or overseas. Failure to comply with this Policy may result in disciplinary action.
2. Any query regarding this Policy may be directed to the compliance officer of TT Web.
3. In the event of any discrepancy, contradiction, and/or differences between any part of this Policy and that of any current policies adopted by TT Web, the portion of the relevant policy which imposes a higher standard of data protection shall apply and supersede the other.

C. Roles and Responsibilities
1. The legal responsibility for compliance with the Act lies with TT Web who is the “data user” under the Act and is registered as such with the Personal Data Protection Commission. Compliance with this Policy and the Act is the responsibility of all employees of TT Web.

D. Data Collected & Purposes
1. During the course of TT Web’s business and activities, TT Web may be required to process information of a data subject, including but not limited to the name of the individual, gender, age, identification number and/or passport number, date of birth, race and nationality, address, phone number and email address. Information identifying a data subject will include information which can identify such individual in combination with other information even if such information cannot identify such individual on its own. Such information may be collected online or offline.
2. The personal data collected by TT Web may be used inter alia for the following purposes*: -
i. Storing and processing of personal data relating to employees, potential clients and users in the data storage systems;
ii. Updating and managing the accuracy of the TT Web’s internal record;
iii. Human resources, employment and recruitment purposes;
iv. Training of staffs;
v. Billing, taxation and/or auditing purposes;
vi. Information and security purposes, including but not limited to managing and administrating e-mail, handling and investigating any security related issues, vulnerability, and/or incidents;
vii. Legal purposes (including but not limited to obtaining legal advice and dispute resolution);
viii. Disclosing personal data to the government authorities and/or authorised third party as required by law and/or within the responsibility of TT Web; As reasonably contemplated by the nature of any transaction;
ix. Storing and processing of personal data for the purpose of marketing, business strategy and collection of statistics in relation to TT Web’s business.
*This list is not exhaustive.

E. Data Processing
1. As and when TT Web is required to collect personal data, TT Web and its employees must abide by the requirements of this Policy and the Act. In the context of the Act, “processing” is defined to include collecting, recording, holding or storing personal data which includes inter alia NRIC numbers, home address, contact details etc.
2. 8. TT Web will be responsible for ensuring that any personal data processed in relation to the TT Web’s clients and/or another individual is accurate, complete, not misleading and kept up-to-date. The personal data will be reviewed periodically to warrant that they are up-to-date and to determine whether retention of such personal data is necessary.

F. Consent of Individual
TT Web may only process personal data with the consent of the data subject whom the personal data concerns and/or if the processing of the personal data is for the performance of TT Web’s duty to which the data subject is a party.

G. Disclosure of Information
1. TT Web requires all employees to be vigilant and exercise reasonable caution when asked to provide any personal data to a third party. In particular, TT Web must ensure that personal data is not disclosed either orally or in writing to any unauthorized employees without express prior consent of the compliance officer stated in Paragraph 2 and/or any authorised individual as the case may not be among the purposes contemplated in Paragraph 6.
2. However, as and when it is reasonably required, the personal data in the possession of TT Web may be only disclosed to the following third parties: -
i. External professional advisors and auditors;
ii. Governmental departments and authorities; and
3. Personal data will not be transferred outside TT Web and in particular not a country outside of Malaysia unless: -
i. Consent from the data subject is obtained;
ii. The country’s personal data protection laws provide an adequate level of personal data protection; and/or
iii. Adequate safeguards have been put in place in consultation with TT Web’s compliance officer.

H. Data Security
1. TT Web will ensure that any personal data which is collected, stored and processed, is stored securely and the practical steps are adopted to ensure the following: -
i. Source documents are well kept;
ii. Paper-based records must not be left where unauthorized employees can gain access to them;
iii. Computerized personal data is protected by passwords; and
iv. Individual passwords are kept confidential and not disclosed or shared with other employees to enable log-in under any other employees’ personal username and password.
2. When physical files or any forms relating to data subject are no longer required, they will be shredded or bagged or destroyed securely, and the hard drives consisting of those records will be erased off via secure electronic deletion pursuant to such standard procedure by the administration department.
3. Any employee of TT Web will not process any personal data belonging to any data subject, whether in soft copy or hard copy, outside of the premises of TT Web unless prior approval is provided by the compliance officer or any authorized person.

I. Data Retention
1. Personal data obtained should not be retained longer than it is required for its purposes. TT Web has an obligation to ensure that the personal data of the data subject are destroyed and/or permanently deleted after a specified period of time. All employees are required to contact the compliance officer and/or any authorised officer should the need to dispose of any personal data arises.
i. Request for access to personal data held on the individual, the purpose for which the personal data is being used and those to whom it has, or can be disclosed to;
ii. Prevent data processing that is likely to cause distress or damage;
iii. Take reasonable action to stop the use of, rectify, erase, and/or dispose of inaccurate personal data; and
iv. Withdraw their consent given to TT Web.
2. Personal and sensitive data will be disposed of by means as listed in Paragraph 13 above. Appropriate measures will and must be taken by TT Web to ensure that the personal data destroyed are not reconstructed or processed by third party.

J. Rights of Data Subject
1. A data subject has the following rights under the Act: -
2. Any individual who intends to exercise the abovementioned rights shall make a written request to TT Web together with the prescribed fee as applicable. TT Web shall, subject to exemptions, comply with the request and/or take reasonable steps not later than 15 days from the date of receipt of such request.