1. The Malaysian Personal Data Protection Act 2010 (“PDPA”) came into force on 15 November 2013. In light of such developments, the Roundtable on Sustainable Palm Oil and RSPO Secretariat Sdn Bhd (collectively “RSPO”) wishes to express its commitment to ensuring that the privacy of the information and personal data which you provide to us is preserved in accordance with the seven principles of the PDPA.
3. This Policy forms an integral part of the framework governing the RSPO’s processing of the personal data (including sensitive personal data) and is applicable to our relationship with the classes of persons to which the PDPA applies, including but not limited to our members, employees, customers, clients, investors, sponsors, suppliers, event organizers, event managers, promoters, and contractors, contractual or otherwise. This Policy is a legally binding document to which adherence is ordinarily expected.
4. This Policy governs the manner in which RSPO collects, uses, maintains and discloses personal details including names, telephone numbers, email address, office or residential addresses and all such personal identification information (hereinafter referred to as “Personal Data”) from each member or any other data provider in its database. This Policy also applies to the membership application Form, as well as to the usage of the RPSO website and any other social media websites.
5. The Policy is to be read together with the member’s Code of Conduct and/or the individual contracts entered into with RSPO, as the case may be. RSPO’s members and / or data providers are expected to have read and understood all the terms of this Policy.
6. The term “Personal Data” is defined by the PDPA as including any information relating to an identified or identifiable natural person. An identifiable person is someone who can be identified, directly or indirectly, in particular by reference to an identification number or the person’s physical, physiological, mental, economic, cultural or social characteristics.
7. Further to the generality of the terms as defined by the PDPA, Personal Data as referred to in this Policy may relate to any natural persons, including RSPO members and their representatives, RSPO employees, customers, clients, investors, suppliers, sponsors, contractors or other individuals not specifically mentioned (collectively, “Data Subject”).
8. The RSPO shall be at liberty to collect and process the following Personal Data from a Data Subject:-
- personal details such as name, identity card / passport/ social security number, age, gender, nationality, birthdates, residential and business addresses, social media website addresses, contact numbers, email address and such other relevant information that identifies the respective Data Subject;
- information about businesses, trade, or services that the Data Subject is engaged in;
- payment transactions - either via cheque, credit or debit card, PayPal or online bank transfers;
- all billing records for services, inclusive of any cancellations that have been made;
- any such other information that are, have been or will be collected by us in future, or such information which the Data Subject provides to the RSPO in connection to any services or contractual obligation, including data that is collected from any surveys, questionnaires, transactions or any correspondence with the RSPO;
- Individual personal preferences of the Data Subject such as to the language, product or content interest as well as and communication preferences;
- the Data Subject’s choice in regards to receiving future communication as to future meetings, events, conferences or seminars organized by the RSPO;
- any enquiries, comments or messages sent to the RSPO via the RSPO website or any other social media website; and
- IP address of a Data Subject who visits the RSPO website, applies and registers for membership, sends queries or uploads posts / comments in any RPSO-hosted forum.
9. The processing of your Personal Data is deemed mandatory for certain purposes, wherein the RSPO will still be able to process your Personal Data in the absence of your consent, if it is necessary for such a purpose.
These include the processing of Personal Data:
- for the performance of a contract to which you are a party;
- at your request, with a view to entering into a contract with the RSPO;
- for compliance with any legal obligation to which RSPO is subject, other than an obligation imposed by a contract;
- to protect your vital interests;
- for the administration of justice; or
- for the exercise of any functions conferred on any person by or under any law.
Sensitive Personal Data
10. Sensitive Personal Data is any personal data consisting of information on your physical or mental health or condition, political opinions, religious beliefs or other beliefs of a similar nature, the commission or alleged commission of an offence or any such other information prescribed by the PDPA as Sensitive Personal Data.
11. It is our express Policy not to collect Sensitive Personal Data unless required by any applicable or relevant laws. You are advised NOT to submit any kind of sensitive personal data if you do not want the RSPO to collect or process such data.
12. In the event that you have submitted Sensitive Personal Data to us, it will be deemed to have been submitted on your own volition and with your explicit consent. The RSPO shall treat all Sensitive Personal Data as confidential and such data shall be subject to the terms and conditions of the Policy.
13. A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is a small piece of data sent from the RSPO website and stored in your web browser while you browse the RSPO website. Every time you access the RSPO website, the browser sends the cookie back to the server to notify the website of your previous activity. Cookies are designed to be a mechanism for the website to remember information or to record your browsing activity. Cookies do not collect personal data or any such information that is related to or deemed as personal identification information.
14. When you access the RSPO website, there will be certain information stored by the RSPO, albeit minor. By accessing the website and through your continuous or regular use of the website, you are deemed to have read and agree to be bound by the terms of this Policy. As such, the information collected therein will be processed accordingly.
16. If you do not wish to have your information stored, then you are advised to remove cookies from your hard drives after each browsing session.
Links / Related websites
How we collect your Personal Data
18. The RSPO will collect Personal Data from the Data Subject when such information is voluntarily submitted. By providing such Personal Data, the Data Subject is deemed to have voluntarily consented to the processing, storage and dissemination of their personal data in accordance with the PDPA and the terms and conditions of this Policy herein.
19. Generally, the RSPO will collect Personal Data from a Data Subject through a variety of sources, including but not limited to:-
- applications for RSPO membership;
- updates received from a Data Subject with regards to their personal details or any change therein, including a change of address;
- enquiries and registrations for RSPO events, meetings, seminar or forums;
- visits to the RSPO website and/or any of the RSPO’s social media webpages;
- registrations with the RSPO and/or its event organizers for events whether online or manually;
- any transaction or inquiry or communication made with the RSPO;
- when such personal data is collected by promoters, event managers, event organizers or any associates of the RSPO in the course of any event, function, meeting or any marketing, expansion and promotional activities; and
- contracts for service or services entered into with the RSPO.
Purpose of Collecting Personal Data
20. The RSPO will collect and process your Personal Data (including Sensitive Personal Data) for the following purposes:-
- to communicate with you about membership, inquiries or other requests;
- to facilitate your participation in RSPO Events, future or promotional events;
- to respond to your queries;
- for administrative purposes, including but not limited to billing, payment, registration of new members and renewal of current memberships;
- to monitor and upgrade the RSPO’s services;
- for direct marketing services;
- to update and provide information on promotions and upcoming events to you;
- to conduct research, surveys and statistical analysis;
- to send emails on updates or on any event that may be of interest to you;
- for the performance of a contract to which you are a party;
- for compliance with any legal obligation to which RSPO is subject, other than an obligation imposed by a contract.
Disclosure and Sharing of Personal Data
21. The RSPO has the sole discretion in deciding whether to share any Personal Data with the following third parties for such limited purposes as necessary:-
- RSPO’s partners, trusted affiliates, promoters, event organizers, researches, and advertisers as part of the efforts to conduct statistical analysis of current or future global trends as well for marketing, advertising and promotional purposes of future meetings, conferences and/or events;
- third party service providers which helps operate the RSPO and its website; as well as all other social media websites and/or administer activities on the RSPO’s behalf, such as to send out newsletters and/or emails, to conduct text messaging blasting and/or surveys; and
- RSPO’s lawyers, legal counsel, accountants, actuarists, auditors, consultants, promoters, event organizers and such other service providers in the conduct and administration of its affairs.
22. The RSPO will not sell, trade or rent out Personal Data to any unauthorized third parties.
23. By agreeing to the terms of this Policy, you are deemed to have given your unconditional permission and consent to allow the RSPO to disclose and share your Personal Data and the extent of such Personal Data with those third parties mentioned above.
24. If you attend any of the RSPO’s Seminars, Conferences, meetings, events or functions, you are deemed to have consented to the RSPO sharing your personal information, contact details and such other relevant data required or relevant for the event in question with any of RSPO’s associates, affiliates or event organizers.
25. If any associate, affiliate or event organizer is required to assist the RSPO for payment collection and registration of attendees for the RSPO’s respective Seminar, Conference, meeting, event or function, the said associate, affiliate or event organizer shall be fully responsible to ensure that the Personal Data collected is processed in accordance with the PDPA and that all safeguards are taken by them to ensure no breach on their part.
Transfer of Personal Data outside the jurisdiction
26. From time to time, it may become necessary for the RSPO to transfer your Personal Data to a country or jurisdiction outside Malaysia for the purposes for which the Personal Data is collected. In this regard, the RSPO has the sole discretion in deciding whether to transfer your Personal Data.
27. By acknowledging and agreeing to the terms of this Policy, you are deemed to have given your consent to allow us to transfer your Personal Data to any country or jurisdiction outside Malaysia, even if such country does not have similar or adequate levels of personal data protection. The RSPO shall not be liable for any breach of any of the personal data principles in the recipient country which receives the personal data.
Your Right to Opt-Out
28. If you do not wish to have your Personal Data shared, disclosed or transferred, you have a right to withhold your consent to such a transaction. Additionally, if at any time you do not want to receive any emails from the RSPO pertaining to promotions, surveys, advertisements, statistical analysis or other related marketing material, you have an option to unsubscribe from the RSPO’s mailing list.
29. It shall be your responsibility to inform the RSPO by way of a written Notice if:-
- you do not agree to have your Personal Data shared with such third parties; or
- to the transfer of your Personal Data outside of Malaysia; or
- you wish to unsubscribe from the RSPO’s mailing list.
31. If in the event that you do not send such a Notice to the RSPO, you shall be deemed to have given your consent to the RSPO to:-
- disclose, share and transfer your Personal Data for the purposes above; and/or
- be included in its correspondence list and agree to receive such information from the RSPO and its affiliates, associates or any event organizer appointed by the RSPO.
How we Store and Protect your Personal Data
32. As a responsible organization, the RSPO adopts appropriate data collection, storage and processing practices and security measures to protect against unauthorized access, alteration, disclosure or destruction of your Personal Data.
33. The RSPO shall take all reasonable and necessary measures to ensure that all Personal Data stored in its records is secure and protected. By continuing your membership, you hereby agree and consent to giving the RSPO the sole prerogative in determining the manner in which your Personal Data is to be stored.
34. The RSPO websites are encrypted to ensure that the information collected therein is secure. All reasonable measures are taken to ensure such information is secure and to prevent any loss, alteration, theft or third party interference.
35. By agreeing to the terms of this Policy, you are deemed to understand that the RSPO shall not be liable in the event of any unforeseen events that result if the unauthorized publication and/or leakage of such personal data. By your continued membership in the RSPO, you hereby agree to indemnify the RSPO for any consequences resulting in such unauthorized publication or leakage of the Personal Data.
Retention of Personal Data
36. Your Personal Data will be kept only as long as necessary to fulfill the purpose for which it was collected. In the event Personal Data is no longer required to be used by the RSPO, it may delete and destroy such Personal Data from its records, unless the retention of such Personal Data is required to satisfy legal, regulatory or accounting requirements or for any other purpose which renders the retention necessary.
38. In the event of termination or expiry of a membership or contract with a Data Subject:-
- such Personal Data of the Data Subject shall be stored in the RSPO database; unless the Data Subject serves a written Notice to the RSPO requesting for such Personal Data to be destroyed and deleted from the RSPO database;
- the RSPO shall at all times take reasonable measures to ensure sufficient security measures are taken to protect the Personal Data; and
- the Data Subject has a choice as to whether they wish to receive any future correspondence from the RSPO in regards to future marketing information.
- It will be the responsibility of the Data Subject to inform the RSPO as to whether they wish to remain on the mailing list. Failure to give such notice will be deemed as consent to receiving future correspondence from the RSPO, its affiliates and associates.
Maintaining Data Integrity
39. You are personally responsible for providing the RSPO with accurate and updated information about yourself as well as any other Personal Data pertaining to third parties (for example attendees for RSPO events, meetings or seminars or office bearers in their organization and such relevant third parties) that you may submit to the RSPO.
40. In the event such information and Personal Data submitted is incorrect or becomes out dated, then you are duly responsible to make such corrections or to update such information by contacting the RSPO within a reasonable time frame.
41. If your membership has been terminated or has expired and you wish to resume membership with the RSPO, it is your responsibility to confirm the details of your Personal Data to be processed by the RSPO. Members shall be responsible for any changes or updates to their Personal Data and shall be responsible to inform the RSPO accordingly. The RSPO shall not be liable for any act or omission of any member in giving them full and complete personal data or to update them of any changes made.
Access to Personal Data
42. You may choose to inform the RSPO and:-
- Request for a copy of the Personal Data kept by the RSPO;
- Request to update their respective Personal Data;
- Request to change, alter or amend their respective Personal Data.
43. You will be required to provide a full set of credentials and identification to confirm your identity before any such request can be entertained. If you are unable to prove, confirm and verify your identity then the RSPO shall deny such access or request for rectification in order to safeguard the Personal Data in its records.
44. The RSPO may comply with or refuse such request to access or rectify such information. If in the event that we refuse your request, the reasons for such a refusal will be provided.
45. The RSPO has the sole prerogative as to whether to allow any changes or alterations to its data base in order to protect any false or fraudulent change or alteration made.
46. The RSPO shall not be responsible for any omission or delay or negligence on the Data Subject’s part in failing to update their Personal Data or to submit their request for rectification.
47. By accepting this Policy, you hereby signify your unconditional acceptance of this Policy and will be deemed to have given your complete consent to the RSPO to use, store, disseminate and process your Personal Data.
48. By continuing your membership with the RSPO, you are deemed to be bound by the rules and policies made by the RSPO and are subject to the terms and conditions of this Policy. Your continued membership in the RSPO will be deemed as continued acceptance of any future changes in the Policy as may be made from time to time.
Amendments to the Policy
49. Personal Data submitted to the RSPO will be processed in accordance with the terms and conditions in this Policy as may be amended from time to time. RSPO alone may amend any of the terms of this Policy. In the event of any such change, the amended Policy will be made available on the RSPO website at http://www.rspo.org/. Members and data providers are advised to visit the RSPO website from time to time to gain access to the latest version of the Policy.