The Personal Data Protection Policy ("the Policy") of Timberwell Berhad "TWB" and/or "the Company" is prepared in line with the Malaysia's Personal Data Protection Act 2010 "PDPA2010" or "the Act"

The main objective of the policy is to ensure that the Company established the necessary guidelines to protect the privacy of information about individuals (hereinafter referred to as "personal information" or "personal data") who come into contact with the Group or on behalf of the Company and its subsidiaries "the Group".

3.1 It is essential for TWB and its subsidiaries "the Group" to collect, process and use the personal information or personal data within the scope to serve the Group's "legitimate interests", and with prior consent from the person whose data belongs to.

3.2 Personal information must be collected and dealt with appropriately whether such information is collected on paper, stored in a computer data base system or recorded on other material, and adequate security measures should be accorded to such personal information under the provisions of the PDPA2010.

3.3 The Group regards the lawful and correct treatment and handling of personal information as very important to safe business practices and to uphold confidence of those within the Group and all of the stakeholders.

3.4 It is the Group's policy that all personal information held by the Group be treated and dealt with respectfully, correctly and lawfully at all times in accordance with the provisions of the Act.

4.1 The Group is the sole "data user" within the meaning of the Act, which means that it determines what purposes of the personal information of individuals would be used for in the course of its business activities.

4.2 It shall also be the responsibility of the Group to provide the necessary statutory notifications under the Act to the "data subject" and "data processor" and where necessary, the general purpose that this data will be used for by the Group.

5.1 During the course of its business and operational activities, the Group may or shall be required to share personal information of individuals held by the Group with other parties such as the State Governments, Statutory Bodies, Public Corporations and other Government Agencies and private corporations.

5.2 Nonetheless, there are or could be circumstances where the law permits or requires the Group to disclose personal information without the consent of the data subject.

5.3 Where there is a requirement on the part of the Group to disclose or share personal information of individuals to third parties, the individual concerned will be made aware in the most circumstances of how and with whom their personal information will be disclosed or shared.

The Group being the Data User shall, through effective and appropriate management control systems:

• observe fully the conditions regarding fair collection and use of personal information of individuals;
• strictly comply with provisions of the Act to meet its legal obligation to specify the purpose for which personal information is collected and used in the Group;
• collect and process appropriate personal information of individual only, and only to the extent that it is needed to fulfil and comply with its business, operational and statutory requirements;
• ensure that the quality and type of personal information collected and used is that information which is necessary only;
• ensure that the rights of individuals about whom information is held, can be fully exercised under the provisions of the Act, which include:
  • the right to be informed that processing is being undertaken;
  • the right of access to one's personal information held by the Group;
  • the right to prevent processing in certain circumstances and;
  • the right to correct, rectify, block or erase information is regarded as wrong or incorrect information.
• take appropriate technical and organisational security measures to safeguard personal information;
• treat individuals justify and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information;
• set out clear procedures for responding to requests for information regarding this Policy or any matters pertaining to the Act.

7.1 The Group shall ensure that personal information, in whatever manner, is collected within the limitation and boundaries set forth in this policy

7.2 Where informed consent is required from the data subject, the Group shall obtain the required consent in an appropriate manner from the data subject in writing before collecting and processing the personal information. The Group shall ensure that the data subject agreeing or refusing to provide such consent.

7.3 When collecting data, the Group shall ensure that the data subject:

• clearly understand why the information is required by the Group;
• understands what it will used for and what the consequences are should the data subject decide not to give consent to the collection or processing of the information;
• as far as reasonably possible, grants explicit consent either in writing or orally for data to be processed by the Group;
• is, as far as reasonably practicable, competent enough to give consent and has given so voluntarily without any duress, coercion or compulsion on the part of the Group.
• has received sufficient information on why their data is needed and how it will be used.

8.1 It is the policy of the Group that information and records relating to data subjects shall be stored securely and be accessible only to authorised staff for legitimate purposes.

8.2 It is also the policy of the Group that personal information shall be stored for only as long as it is required by law and shall be disposed of appropriately thereafter.

8.3 It is the responsibility of the Group to ensure that all personal data is non- recoverable from any computer system previously used within the Group, which has been passed on or sold to any third party.

9.1 All individuals have the right to access the information the Group holds about them. The Group shall also take reasonable measures to ensure that information of data subjects is kept up to date by confirming with the data subjects from time to time, on whether there have been any changes on their personal information.

9.2 All employees are aware that any breach or violation of the rules and procedures identified in this policy may lead to disciplinary action being taken against them.

This policy shall be updated and revised as and when it is necessary to reflect the best practice in management, and control of personal data and to ensure compliance with any changes or amendments made to PDPA2010.