Introduction
This Personal Data Protection & Privacy Policy (“Privacy Policy”) sets out the policies and practices of Provident Fiduciaries Berhad (Registration No. 202301011447 (1505369-T)) (“PFB”) in respect of the processing of personal data, including its collection, use, disclosure, retention, storage, and cross-border transfer in accordance with the Personal Data Protection Act 2010 (“PDPA”), its amendments, subsidiary regulations, and any other applicable laws and regulations of Malaysia, as amended from time to time.
1. Definitions
For the purposes of this Privacy Policy:
- “applicable laws” means all data protection, privacy, and related laws, regulations, subsidiary legislation, regulatory guidelines, or codes of practice in force in Malaysia, including the PDPA and any amendments thereto, and, where applicable, any laws governing cross-border transfer, disclosure, or processing of personal data.
- “Client” includes any natural person who is a data subject under the PDPA and whose personal data is processed by PFB. This includes, but is not limited to, prospective, current, and former clients of PFB’s services, representatives of corporate clients, website visitors, job applicants, and any other individual who interacts with PFB and provides personal data.
- “personal data” means any information in respect of commercial transactions that relates directly or indirectly to a person who is identified or identifiable from that information, or from that and other information in the possession of PFB, and which is processed wholly or partly by automated means, or where the processing is intended to form part of a filing system, in accordance with the Personal Data Protection Act 2010.
- “processing” includes any operation or set of operations performed on personal data, whether by automated or non-automated means, including the collection, recording, holding, storage, organisation, adaptation or alteration, retrieval, consultation or use, disclosure by transmission, transfer or dissemination, alignment or combination, correction, erasure, or destruction of such data.
- “sensitive personal data” means any personal data relating to the physical or mental health or condition of an individual, political opinions, religious beliefs, or other beliefs of a similar nature, biometric data, the commission or alleged commission of any offence, or such other categories as may be prescribed under the PDPA.
2. Collection of Personal Data
2.1. PFB shall collect, receive, and process personal data through physical or digital means, or from authorised third parties, in connection with the establishment of any contractual relationship, provision of services, regulatory compliance, or the conduct of its operations. The categories of personal data may include, but shall not be limited to:
- (a) full name as per official identification documents;
- (b) identification numbers (e.g., National Registration Identity Card (NRIC), passport, or equivalent official identifiers);
- (c) date of birth, gender, nationality;
- (d) residential, business, registered, or correspondence addresses;
- (e) contact details such as telephone numbers and email addresses;
- (f) bank account and tax identification details;
- (g) employment and business information;
- (h) credit-related information and data from licensed credit reporting agencies as required under applicable laws;
- (i) risk intelligence data, including screening against sanctions lists, watchlists, or politically exposed persons (PEPs) databases;
- (j) financial profile data, including source of funds, source of wealth, and estimated net worth where applicable;
- (k) biometric data such as fingerprints or other physiological identifiers, subject to explicit consent; and
- (l) any other personal data required for regulatory or operational purposes.
2.2. Where a Client provides personal data relating to another individual (such as a nominee, beneficiary, or authorised representative), the Client shall ensure that such disclosure is lawful and that all necessary consents have been obtained. PFB shall process such data in accordance with this Privacy Policy and applicable laws.
2.3. PFB shall also process personal data of any third party who is related to or associated with any arrangement, transaction, or engagement involving the Client. Any third party granted access to personal data on behalf of PFB shall be contractually bound to comply with this Privacy Policy and all applicable legal requirements.
2.4. This Privacy Policy shall be read in conjunction with any other data protection provisions, statements, or notices issued or incorporated by reference by PFB from time to time, whether provided separately or as part of any document, instrument, or engagement.
3. Collection of Biometric Data
3.1. PFB may collect and process biometric data, including but not limited to fingerprint data, facial recognition data, or other physiological identifiers, where such data is reasonably required and lawfully permitted in connection with its services or operations. Biometric data shall only be collected upon obtaining the Client’s explicit consent.
3.2. As biometric data is categorised as sensitive personal data under applicable data protection laws, PFB shall implement appropriate safeguards, including encryption, secure storage, restricted access measures, and handling exclusively by authorised personnel who are subject to binding confidentiality obligations and shall ensure such data is retained only for as long as necessary for the purpose collected.
4. Purposes for Processing of Personal Data
4.1. PFB shall collect, use, disclose, and otherwise process personal data strictly for the following purposes:
- (a) to establish, administer, and maintain any form of business, legal, or contractual relationship with the Client;
- (b) to perform customer due diligence (CDD), enhanced due diligence (EDD), onboarding, and ongoing monitoring required under applicable anti-money-laundering and counter-terrorism-financing laws;
- (c) to issue service, contractual, or regulatory communications and to respond to Client queries or instructions;
- (d) to carry out internal administration including audits, risk management, record keeping, and business continuity planning;
- (e) to facilitate payments, billing, invoicing, and financial settlements;
- (f) to authenticate identity, verify authority, and maintain service security;
- (g) to investigate or prevent fraud, misconduct, or regulatory breaches;
- (h) to comply with legal obligations, regulatory directions, or statutory-reporting requirements;
- (i) to protect or enforce legal rights, resolve disputes, or obtain legal advice;
- (j) to conduct non-AML background checks or risk-profiling through independent or public sources, where permitted by law;
- (k) to validate personal data received from third-party sources;
- (l) to administer recruitment and hiring processes;
- (m) to deliver publications, market or regulatory updates, event invitations, or similar communications, subject to the Client’s prior consent and applicable opt-out rights; and
- (n) to fulfil any other purpose directly related to the purposes listed above, for which the Client’s consent has been obtained or is not required under the PDPA.
PFB shall ensure that personal data is processed only to the extent necessary to achieve the above purposes.
4.2. The Client may withdraw consent at any time by written notice. Withdrawal does not affect prior lawful processing and may limit or prevent the provision of services where processing is necessary. Processing that is required or authorised by law may continue.
4.3. PFB shall implement proportionate technical, organisational, and administrative measures to protect any personal data it processes against unauthorised access, disclosure, misuse, loss, or alteration.
4.4. Contact numbers and email addresses may be used for authentication, operational, or verification purposes but shall not be used for unsolicited marketing without the Client’s prior explicit consent.
5. Retention of Personal Data
5.1. PFB shall retain personal data only for as long as necessary to fulfil the purposes for which it was collected. This includes retention for the provision of services, the fulfilment of contractual obligations, compliance with legal or regulatory requirements, enforcement of legal rights, or the resolution of disputes.
5.2. The applicable retention period shall depend on the nature of the personal data, the specific services provided, the legal or regulatory framework governing such data, and PFB’s operational or compliance requirements. When personal data is no longer required for these purposes, it shall be securely deleted, anonymised, or destroyed in accordance with applicable laws and recognised industry standards, except where continued retention is required or permitted by law or necessary for legitimate purposes, including without limitation:
- (a) compliance with statutory retention periods prescribed under the Companies Act 2016, Trust Companies Act 1949, Trustees Act 1949, or other applicable legislation;
- (b) the establishment, exercise, or defence of legal rights or claims under contract or law; and
- (c) compliance, audit, or governance requirements, including internal policy or regulatory directives.
6. Disclosure of Personal Data
6.1. Subject to applicable laws and the safeguards set out in this Privacy Policy, PFB may disclose personal data to the following categories of recipients, whether located within or outside Malaysia:
- (a) directors, officers, employees, and authorised personnel of PFB who require access to such data in the course of their duties;
- (b) entities within the PFB group of companies or affiliated entities for purposes consistent with this Privacy Policy;
- (c) any person acting under proper authorisation, including financial advisers, legal representatives, accountants, executors, administrators, or any party whom the Client has expressly authorised to communicate or transact with PFB;
- (d) third-party service providers, vendors, consultants, or professional advisers appointed to support PFB’s administrative, operational, compliance, legal, or data-processing functions;
- (e) government agencies, regulatory bodies, law enforcement authorities, or judicial entities, where required by law, directive, court order, or official request;
- (f) any actual or prospective party to a merger, acquisition, business transfer, corporate restructuring, or investment involving PFB;
- (g) licensed credit reporting agencies, to the extent permitted or required by law or internal due-diligence procedures;
- (h) any person or party to whom express written consent has been granted by the Client; and
- (i) any other party to the extent reasonably necessary to protect PFB’s legal rights, enforce obligations, or prevent fraud, misconduct, or regulatory breaches.
6.2. All disclosures shall be made on a strict “need-to-know” basis and, where applicable, subject to binding confidentiality and data protection obligations that are equivalent to the standards required under applicable laws and this Privacy Policy.
7. Access, Correction, and Other Rights
7.1. Subject to applicable laws, any individual whose personal data is processed by PFB shall be entitled to:
- (a) request access to a copy of personal data maintained by PFB;
- (b) request the correction of personal data that is inaccurate, incomplete, or outdated;
- (c) request the erasure or deletion of personal data that is no longer required for its original purpose, subject to any legal, regulatory, or contractual retention obligations;
- (d) withdraw any consent previously granted in respect of the processing of personal data; and
- (e) request data portability to the extent required by the PDPA and subject to technical feasibility and compatibility of data format.
7.2. All such requests shall be made in writing and addressed to the Data Protection Officer as specified in Section 14. PFB shall comply with data access and correction requests within the periods prescribed by applicable law or guidelines and, where an extension is permitted, shall notify the requester in writing within the initial period.
7.3. PFB reserves the right to impose a reasonable administrative fee for processing access and/or correction requests, and prior notice shall be provided where such fees apply.
8. Withdrawal of Consent
8.1. The Client may withdraw consent for the processing of personal data where such processing is exclusively based on consent. Withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.
8.2. Upon receipt of a valid withdrawal notice, PFB shall assess the request and its operational implications. A reasonable period of time may be required to complete the withdrawal process, during which necessary communications relating to services, legal compliance, or administrative matters may continue. Requests for withdrawal of consent shall be made in writing to the Data Protection Officer. PFB shall not be responsible for any loss or limitation of services arising directly or indirectly from such withdrawal.
8.3. Many of PFB’s processing activities are necessary for the performance of a contract, to comply with legal obligations (including anti-money-laundering requirements), or for other legitimate interests. Withdrawal of consent shall not apply to such processing. Where withdrawal renders PFB unable to perform its contractual or legal duties, it may necessitate the limitation, suspension, or termination of the services provided to the Client.
8.4. Notwithstanding any withdrawal of consent, PFB shall be entitled to continue processing personal data to the extent such processing is required or authorised under applicable law, including but not limited to the following circumstances:
- (a) compliance with any legal or regulatory obligations;
- (b) performance of contractual obligations which survive the conclusion or termination of the relevant engagement;
- (c) establishment, exercise, or defence of legal rights or proceedings;
- (d) compliance with any lawful order, instruction, or requirement issued by a competent authority; and
- (e) retention of records for audit, governance, statutory, or operational purposes.
9. Administration and Management of Personal Data
9.1. PFB shall rely on the accuracy and completeness of personal data provided by the Client. The Client shall be responsible for informing PFB in writing of any updates, corrections, or changes to such data. PFB shall take reasonable steps to ensure that the personal data it processes is accurate, complete, and kept up to date.
9.2. PFB maintains documented retention schedules and controls to ensure timely disposal of personal data, including periodic reviews and secure deletion or anonymisation in accordance with applicable laws and recognised industry standards.
9.3. Employees and officers who handle personal data shall be trained on their responsibilities and operate under role-based safeguards consistent with legal and operational requirements.
9.4. Authorised third parties may access personal data only under written agreements imposing confidentiality and data-protection obligations no less stringent than PFB’s. Access is limited to the stated purpose on a need-to-know basis, with equivalent security controls, no onward disclosure or sub-processing without PFB’s prior written approval, and prompt notification of any suspected or actual personal data incident.
10. Cross-Border Transfers
10.1. Personal data may be transferred, shared, stored, or otherwise processed in jurisdictions outside Malaysia in the course of providing services, fulfilling contractual obligations, or complying with regulatory, operational, or governance requirements applicable to PFB.
10.2. Where personal data is transferred to a jurisdiction outside Malaysia not specified by the Minister, PFB shall take all reasonable precautions and exercise all due diligence to ensure an adequate level of protection. This shall include implementing appropriate safeguards, which may be achieved through binding and enforceable legal agreements with the recipient that impose data protection standards comparable to those under Malaysian law.
10.3. Personal data transferred to other jurisdictions may be subject to the legal and access requirements of those jurisdictions. While appropriate safeguards shall be implemented to maintain the confidentiality and integrity of such data, access or disclosure may nevertheless occur where required under foreign laws.
10.4. Where required under applicable law, the Client’s consent shall be obtained prior to any cross-border transfer. In circumstances where such consent is not required, the transfer shall be carried out based on lawful grounds, including where necessary for the performance of services or to meet contractual or legal obligations.
11. Data Breach Notification
11.1. PFB shall maintain procedures for identifying, managing, containing, and reporting any incident involving the unauthorised access, disclosure, loss, alteration, or destruction of personal data in its custody.
11.2. Where a data breach is likely to result in significant harm to the Client, PFB shall notify the affected Client and the relevant supervisory authority within the timeframe prescribed by applicable law and, in any event, as soon as practicable without undue delay. The notification shall include, where possible, the nature of the breach, the categories of data affected, the likely consequences, and the measures taken to address the breach.
11.3. PFB shall maintain a record of all personal data breach incidents, whether notifiable or otherwise, in accordance with applicable legal and operational requirements.
12. Third-Party Disclosures and Responsibility
12.1. PFB may receive personal data from third parties acting on behalf of the Client or in connection with a relevant engagement. While PFB shall verify and secure such data upon receipt, it shall not be responsible for any processing activities that occurred prior to its receipt of such data.
12.2. The Client is responsible for ensuring that any third party from whom they instruct PFB to receive personal data has provided the necessary notices and obtained the required consents and authorisations for disclosure and processing by PFB. PFB processes such data on the assumption that such consents have been obtained.
12.3. Where third parties are granted access to personal data by PFB, such access shall be governed by binding confidentiality and data protection obligations, consistent with this Privacy Policy and applicable laws.
13. Third-Party Websites
13.1. PFB’s website or digital platforms may contain links to third-party websites, applications, or services provided for informational or convenience purposes only.
13.2. PFB does not control, operate, or endorse the content, products, services, or privacy practices of such third-party platforms. Accessing such platforms shall be at the Client’s own discretion and risk, and PFB shall not be responsible for any consequences arising from such access or use. Clients are encouraged to review the privacy policies of such third-party platforms before providing any personal data.
14. Contact Details
14.1. All queries, feedback, complaints, or requests relating to this Privacy Policy or to the processing of personal data, including any request for access, correction, data portability, or withdrawal of consent, shall be directed in writing to the following:
- (a) By email: [email protected] (Attention: Data Protection Officer)
- (b) By post:
Data Protection Officer
Provident Fiduciaries Berhad
35.9, Level 35, Mid Zone, Exchange 106
Lingkaran TRX, Tun Razak Exchange
55188 WP Kuala Lumpur, Malaysia.
14.2. For verification and security purposes, PFB may require identification documents or supporting evidence prior to processing any request.
14.3. All such requests shall be reviewed and processed in accordance with applicable legal requirements. PFB reserves the right to decline or limit access where permitted by law or where the request may infringe the privacy rights of others or conflict with legal, regulatory, or operational obligations.
15. Updates to this Privacy Policy
15.1. This Privacy Policy may be reviewed, updated, or amended by PFB from time to time to reflect changes in legal, regulatory, operational, or internal policy requirements.
15.2. Where material changes are introduced that affect the manner in which personal data is collected, used, or disclosed, PFB shall take reasonable steps to notify the affected Clients. This may include notice on the official website or through other means deemed appropriate by PFB.
15.3. Unless otherwise specified, any updated version of this Privacy Policy shall take effect immediately upon publication. Continued engagement with PFB following such publication shall constitute acceptance of the revised terms.
15.4. The latest version of this Privacy Policy shall be made available on PFB’s official website at https://profidu.com/.
Copyright © Provident Fiduciaries Berhad 2025. All rights reserved.