
EMPLOYEES’ LIST OF DO’S PURSUANT TO PERSONAL DATA PROTECTION ACT 2010 (“PDPA”)

1) Comply with UEM Edgenta Berhad’s Personal Data Protection Policy at all times.
2) Remember that the PDPA applies to all information and documents whether kept in hard copy or digital format and in any type of storage and retrieval media.
3) Think of Personal Data held about individuals as though it is Personal Data about you.
4) Get written consent in Bahasa Malaysia or English from the Data Subject to process his/her Personal Data. Sample general consent is attached as Annexure 1 hereto. Sample specific consent to process sensitive personal data is attached as Annexure 2 hereto. You may refer any related queries to the Legal Department.
5) Be particularly careful about Sensitive Personal Data: concerning race, political opinion, religious belief, trade union membership, physical or mental health, sexual life, criminal offences.
6) Hold Personal Data about Data Subject only when it is necessary.
7) Ensure Personal Data is kept accurate and up to date.
8) Tell Data Subject you hold Personal Data and tell him/her why you need to do so (fair processing), in Bahasa Malaysia and English.
9) Be open with Data Subject about information held about him/her.
10) Ensure that you have a contract in place when sharing Personal Data with third parties, especially a confidentiality and non-disclosure clause.
11) Be very careful about passing Personal Data to third parties.
12) Respect confidentiality and the rights of the Data Subject.
13) Refuse requests from third parties in respect of Personal Data, unless permitted by any applicable law or prior written permission has been received from the Data Subject.
14) Review Personal Data kept in hard copy or electronic files from time to time and at least annually.
15) Ensure all Personal Data is disposed of as confidential waste.
16) When preparing documents, bear in mind that the Data Subject has a right to see information relating to him/her.
17) Remember even deleted emails may be retrieved and revealed to those about whom they are written.
18) Hold Personal Data in such a way that it is accessible at short notice.
19) Where possible, use Personal Data on a ‘no-name’ basis for statistical analysis.


20) Only use software and hardware approved by UEM Edgenta Berhad.
21) Give the Data Subject a chance to update/correct his/her Personal Data.
22) Explain to the Data Subject who will use the Personal Data and how, in Bahasa Malaysia and English.
23) Be clear about which Personal Data need to be provided by Data Subject in order to get the services or goods they have requested and which information they can choose to provide. Take care when using template forms. There is a risk of collecting unnecessary information, where a field on the form is inappropriately marked ‘mandatory’.
24) If you are involved in electronic transactions, ensure that the fields on it correspond with your actual business needs, for example by removing certain fields or specifying whether their completion is mandatory or optional.
25) Check periodically whether you need all the information you have been collecting, for example by carrying out an audit.
26) If a Data Subject objects to you holding his/her Personal Data and requests you to delete it, do so where possible. Keep a record of objectors in a suppression list so that you do not contact them again.
27) If your website offers auto-completion facilities for forms and passwords, notify users if this could leave them vulnerable.
28) Review your security arrangements on a regular basis. Make sure your technical protection is up to date. Install anti-virus software and keep it updated. Install security patches as soon as they become available to you.
29) Assess the risks of a security breach and its potential harm to Data Subject. Have a plan in place for dealing with security breaches.
30) When you deal with minors, seek express parental consent if the collection or use of information about the minor is likely to result in:
    - disclosure of a minor’s name and address to a third party, for example as part of the terms and conditions of a competition entry;
    - use of a minor’s contact details for marketing purposes;
    - publication of a minor’s image on a website;
    - making a minor’s Personal Data publicly available; or
    - the collection of Personal Data about third parties, for example where a minor is asked to provide information about his or her family members or friends.
31) Provide Data Subject with a clear and simple explanation of what happens when Data Subject accesses your service and how information about his/her visit is collected, analysed and used.
32) Provide a simple means of disabling the targeting of advertising using behavioural data in your website.
33) Offer users relevant advice about how they can use their web browser settings, or the choices offered on the website itself, to exercise choice over the extent to which they preserve their online anonymity, for example by ensuring that information identifying them is erased at the end of a session.


34) Be aware of the privacy management facilities to ensure, as far as is possible, that Data Subject enjoys an appropriate degree of control over his/her Personal Data.
35) Set privacy defaults in a way that strikes the right balance between privacy protection and functionality.
36) Encrypt the Personal Data prior to it being transferred to anyone.
37) Conduct a risk analysis before contracting with any online service provider, or with any other counterparty if it involves disclosure of Personal Data.
38) Register with the Personal Data Protection Department if you fall within the classification of Data Users that requires registration.
39) Provide all information about Personal Data protection measures in Bahasa Malaysia and English.
40) Direct any official requests to see Personal Data to the Head of Human Resource & Administration Department.

Failure to comply with UEM Edgenta Berhad’s Personal Data Protection Policy may result in possible disciplinary action.


ANNEXURE 1

SAMPLE - GENERAL CONSENT TO PROCESS INDIVIDUAL’S PERSONAL INFORMATION (ENGLISH VERSION)

CONSENT FORM TO PROCESS PERSONAL INFORMATION (GENERAL)

1. Please be informed that, we, UEM EDGENTA BERHAD (5067-M), a company incorporated in Malaysia and having its registered address at Level 17, Menara UEM, Tower 1, Avenue 7, The Horizon, Bangsar South City, No. 8, Jalan Kerinchi, 59200 Kuala Lumpur and its subsidiaries (collectively “UEM EDGENTA BERHAD”) will only collect, use, process, record, hold, store, share and/or disclose (“process”) any and all information related to you that you have provided or made available to us or to our subsidiaries, for the following reasons:
    (a) for the performance of our contract with you and please note that any and all information related to you may be transferred to our subsidiaries, contractors, sub-contractors and professional advisors for this purpose;
    (b) for compliance with any legal and/or regulatory obligations to which we are subject, in addition to any obligation imposed under our contract with you;
    (c) to protect your vital interests;
    (d) for the administration of justice; or
    (e) for the exercise of any functions conferred on any person by or under any law.

2. Please be informed that we may also process any and all information related to you for the following reasons:
    (a) invite you to our future project launches;
    (b) process your payment transactions;
    (c) respond to your inquiries;
    (d) administer your participation in contests;
    (e) conduct internal activities; and
    (f) conduct market surveys and trend analysis.

FORM OF ACKNOWLEDGEMENT

1. I confirm that I have read and understood this statement regarding the processing of any and all information related to me.

2. I consent to UEM EDGENTA BERHAD processing any and all information related to me for the purposes set out in this form.

3. I acknowledge that UEM EDGENTA BERHAD may process any and all information related to me for the following reasons:
    (a) invite me to your future project launches;
    (b) process my payment transactions;
    (c) respond to my inquiries;
    (d) administer my participation in contests;
    (e) conduct internal activities; and
    (f) conduct market surveys and trend analysis.

…………………………………
Name:
NRIC No.:
Date:


ANNEXURE 1

SAMPLE - GENERAL CONSENT TO PROCESS INDIVIDUAL’S PERSONAL INFORMATION (BAHASA MALAYSIA VERSION)

CONSENT FORM TO PROCESS (GENERAL)

1. Please take note that we, UEM EDGENTA BERHAD (5067-M), a company incorporated in Malaysia and having its registered address at Level 17, Menara UEM, Tower 1, Avenue 7, The Horizon, Bangsar South City, No. 8, Jalan Kerinchi, 59200 Kuala Lumpur and its subsidiaries (“UEM EDGENTA BERHAD”) will only collect, use, process, record, hold, store, share and/or disclose (“process”) any and all information related to you that you have provided to, or that has been obtained by, us or our subsidiaries:
    (a) for the performance of our contract with you, where information related to you may be transferred to our subsidiaries, contractors, sub-contractors and professional advisors for that purpose;
    (b) for compliance with any legal and/or regulatory obligations to which we are subject, in addition to any obligation imposed under our contract with you;
    (c) to protect your vital interests;
    (d) for the administration of justice; or
    (e) for the exercise of any functions conferred on any person by or under any law.

2. Please also take note that UEM EDGENTA BERHAD may process any and all information related to you for the following purposes:
    (a) (invite you to attend our future project launches);
    (b) (process your payment transactions);
    (c) (respond to any of your inquiries);
    (d) (administer your participation in contests);
    (e) (conduct internal activities); and
    (f) (market behaviour surveys and trend analysis).

CONSENT FORM

1. I confirm that I have read and understood this statement regarding the processing of any and all information related to me.

2. I give my consent to UEM EDGENTA BERHAD to process any and all information related to me for the purposes stated in this form.

3. I also give my consent to UEM EDGENTA BERHAD to process any and all information related to me for the following purposes:
    (a) (invite me to attend your future project launches);
    (b) (process my payment transactions);
    (c) (respond to any of my inquiries);
    (d) (administer my participation in contests);
    (e) (conduct internal activities); and
    (f) (market behaviour surveys and trend analysis).

…………………………………
Name:
NRIC No.:
Date:


ANNEXURE 2

SAMPLE - CONSENT FORM TO PROCESS INDIVIDUAL’S SENSITIVE PERSONAL INFORMATION (ENGLISH VERSION)

CONSENT FORM TO PROCESS SENSITIVE PERSONAL INFORMATION (SPECIFIC PURPOSE)

For the purpose of this Consent Form: "Sensitive Personal Information" means any of your personal information related to your physical or mental health or condition, your political opinions, your religious beliefs or other beliefs of a similar nature, the commission or alleged commission by you of any offence or any other personal information as determined by law.

“Company” means UEM EDGENTA BERHAD (5067-M).

CONSENT

I, (Name) (NRIC No.)

authorise, (name of department or individual from the company)

to disclose to (name or title of person(s) or organization to which disclosure is to be made)

the following information about me and/or from my records with the Company

(specify the kind and amount of information to be disclosed)

the purpose or need for such disclosure is:

(specify the purpose of such disclosure)

This consent to disclose may be revoked by me at any time except to the extent that action has been taken by the Company relying on my consent under this form. Unless expressly revoked earlier, this consent is valid for as long as I am an employee of the Company.

Signature: ……………………………..
Name:
NRIC No.:
Date:


ANNEXURE 2

SAMPLE - CONSENT FORM TO PROCESS INDIVIDUAL’S SENSITIVE PERSONAL INFORMATION (BAHASA MALAYSIA VERSION)

CONSENT FORM TO PROCESS SENSITIVE PERSONAL DATA (SPECIFIC PURPOSE)

For the purpose of this Consent Form, "Sensitive Personal Data" covers your personal information relating to physical or mental health or condition, political opinions, religious beliefs or other beliefs of a similar nature, the commission or alleged commission of any offence, or any other Personal Data as determined by law.

“Company” means UEM EDGENTA BERHAD (5067-M).

PERMISSION

I, (Name) (NRIC No.)

give consent to,

(name of Department or individual from the Company)

to disclose to

(name or title of the party or organisation to which disclosure is to be made)

Sensitive Personal Data about me and/or from my records in the possession of the Company

(please describe the information to be disclosed)

The purpose of such disclosure is

(please describe the purpose of the disclosure)

My consent to the disclosure of this Sensitive Personal Data may be revoked by me at any time, except for action that has already been taken by the Company based on the consent given by me through this form.

This consent is valid for as long as I am an Employee of the Company, unless I have expressly revoked it earlier.

Signature: ……………………………………..
Name:
Identity Card No.:
Date:


EMPLOYEES’ LIST OF DON’TS PURSUANT TO PERSONAL DATA PROTECTION ACT 2010 (“PDPA”)

1) Reveal any Personal Data to third parties without the Data Subject's permission.
2) Disclose any Personal Data over the phone, in person or by email unless you are certain of the identity of the requesting person.
3) Hold Sensitive Personal Data about a person without explicit consent or advice from the Human Resource & Administration Department.
4) Upload any Personal Data about an individual on the Internet without his/her permission, unless it is a condition of his/her employment.
5) Transfer any Personal Data outside Malaysia without the approval of the Human Resource & Administration Department.
6) Leave any Personal Data insecure in any way, whether it is physical files or information held electronically.
7) Take any Personal Data home without authorization and particular care for its security.
8) Process Personal Data on a computer not owned or supplied by UEM EDGENTA BERHAD.
9) Modify, alter or install program or component of any electronic or other information communication device owned or provided by UEM EDGENTA BERHAD unless duly authorized.
10) Use email for sending confidential communications or unencrypted Personal Data, as it is relatively insecure.
11) Use Personal Data collected for a specific purpose for any other purposes without permission from the Data Subject.
12) Collect Personal Data especially Sensitive Personal Data too early before forming a contract with the Data Subject.
13) Mislead the Data Subject about his/her choices or about how his/her Personal Data will be used.
14) Keep unnecessary information you have collected which are unused for a long period, not in compliance to the Data Retention and Destruction Policy.
15) Give the Data Subject the impression that a deletion is absolute, when in fact it is not.
16) Be secretive or misleading when you collect Personal Data.
17) Have poor security and fail to maintain responsibility for the Personal Data you collect.
18) Sell Personal Data without Data Subject’s consent.
19) Forward email messages containing Personal Data without the Data Subject’s consent.


20) Ignore potential risks – report incidents or concerns to the relevant higher officer.
21) Email Sensitive Personal Data unless you are sure it is encrypted.
22) Reveal passwords and user ID’s to process Personal Data to unauthorized persons.
23) Compel a Data Subject to provide the Identity Card or its particulars unless authorized by law.
24) Write any comment about any Data Subject that is unfair or untrue which you would be unable to defend if challenged.
25) Erase or alter any Personal Data after the Human Resource & Administration Department has received a request to inspect and/or disclose that Personal Data by the Data Subject.

Failure to comply with UEM EDGENTA BERHAD’s Personal Data Protection Policy may result in possible disciplinary action.