Personal Data Protection Policy Of Omniraise
1. INTRODUCTION
Omniraise Sdn. Bhd. (Company Registration No.: 201801033970 [1295997-M]), a company incorporated under the laws of Malaysia with a business address at Level 15-10, Q Sentral, 2A, Jalan Stesen Sentral 2, Kuala Lumpur Sentral, Kuala Lumpur 50470, Malaysia and its related companies (“Omniraise”, “we”, “us”, or “our”) is committed to protecting the confidentiality of information and privacy of our clients, donors, and other users that we process in our commercial dealings with them.
We help non-governmental organisations (“NGOs”) with their fundraising and marketing needs which include collecting and processing personal data of donors and prospective donors, and help them to achieve the most impact possible for their causes.
This Personal Data Protection Policy (“Policy”) is formulated in accordance with the Personal Data Protection Act 2010 (“PDPA”), which describes how personal data and confidential information is collected, used, and otherwise processed. When the data subject continues to communicate with us or voluntarily providing his or her personal data to us, the data subject warrants that he or she is at least 18 years of age and expressly consent to our collection, storage, use and disclosure of his or her personal data as described in this Policy.
All organisations that process personal data are required to comply with data protection legislation. The PDPA gives individuals (known as “data subjects”) certain rights over their personal data whilst imposing certain obligations on the organisations that process their data.
2. OUR COMMITMENT
We value the trust that our clients, donors, vendors and other data subjects place in us. We are committed to protecting the data subject’s privacy and will take all reasonable precautions to protect the personal data from misuse and keeping it secure by complying with all applicable data protection laws and regulations. This Policy aims to help the data subject to understand what personal data we collect, how we use, and protect the data subject’s Personal Data, and provide the data subject with information on the data subject’s rights and choices. This Policy will be reviewed from time to time to take into account of new laws and technology, changes to our operations and practices and to make sure it remains appropriate to the changing environment. Any information that we hold will be governed by the most current version of Omniraise’s Policy.
3. TYPES OF PERSONAL DATA WE COLLECT
The personal data that we may collect include but are not limited to:
- name;
- address;
- date of birth;
- a donor’s direct debit account, debit or credit card details (such as name, card number, start date, and expiry date);
- contact number;
- email address; and
- other information that we expressly mention to collect from the data subject’s interactions with us (collectively referred to as the “Personal Data”)
4. COLLECTION AND USE OF PERSONAL DATA
We may collect the data subject’s Personal Data in a number of ways, mainly via electronic means through our technology platforms, such as:
- when filling up the donor form(s);
- when verifying identity;
- when participating in any surveys or marketing campaigns;
Specifically for donor (including prospective donor), to ensure that the donor’s personal data is protected, we will not:
- take down the donor’s credit card details except via our technology platform that immediately encrypts the data. The donor’s data will only be captured by electronic means and keyed into our technology platform.
- take pictures with the computer screen showing the donor’s name;
- record the full name of donor anywhere else other than via our technology platform.
- reveal personal details of donor who has signed up with our clients to friends and family members.
The data subject is not required to provide the Personal Data that we request, but refusing to do so means that we may not be able to provide them with our services.
A data subject has the right to request access to his or her Personal Data, and to request us to make correction of, update or delete his or her Personal Data by writing to us. If the data subject lives in the European Union, he or she has certain additional rights to his or her Personal Data. Please refer to “The Rights as Data Subject” in paragraph 7 below.
Specifically, a donor’s or prospective donor’s Personal Data may be used for business and activities which may include but not limited to one or more of the following purposes (“Purposes”):
- to conduct a welcome call and follow up calls to the donor for regular donations;
- verifying the donor’s identity, where we reserve right to check the validity of the donor by welcome-calling or SMSing each donor;
- submitting the donor’s Personal Data to charities;
- facilitating and effecting the donations to the charities or NGOs that the donor has chosen to support;
- providing the donor with communications or updates authorised and provided by charities or NGOs;
- responding to, handling, and processing queries, requests, applications, complaints, and feedback from the donor;
- complying with any applicable laws, regulations, codes of practice, guidelines, or rules, or to assist in law enforcement and investigations conducted by any governmental and/or regulatory authority;
- conducting audits, reviews, and analysis of our internal processes, action planning, and managing commercial risks; and
- any other purposes that are required or permitted by any law, regulation, order and/or guidelines.
We only collect Personal Data that we actually need for or directly related to our specific Purposes. If we intend to use the Personal Data for purposes other than the above and/or for the legal bases expressly permitted under the PDPA, we will seek consent prior to using the data subject’s Personal Data.
We will process (including without limitation collect, store, hold, use, transfer, and disclose) the information that the data subject provides in a manner compatible with the required laws and regulations. We will endeavour to keep the data subject’s information secured, accurate, and up-to-date, and not keep it for longer than is necessary.
Omniraise is contractually obliged (entering into data protection agreements or similar legal instruments) with the charities and/or NGOs that all Personal Data will be destroyed, deleted or returned upon demand or upon termination of the contractual agreement(s) with the charities and/or NGOs. We may retain some information or Personal Data for accounting purposes, to complete the necessary accounting, tax, and other statutory submissions for the year, and for as long as the Personal Data is required for these purposes.
5. COOKIES
Cookies are small pieces of information that a user’s web browser stores on the user’s computer or other Internet-connected device when the user visits a website. One (1) of the primary purposes of cookies is to provide a convenience feature to save the user’s time. The purpose of a cookie is to tell the web server that the user has returned to a specific page. For example, if the user personalises the website’s pages, or register for services, a cookie helps us to recall the user’s specific information (such as user name, password, and preferences). We use the following cookies to enable us to improve the way our website functions:
- Strictly Necessary Cookies: These cookies are essential, as they enable the user to browse our website and use its features, such as accessing log-in or secured areas. These cookies cannot be switched off or otherwise the website would not work properly. However, these cookies do not store any Personal Data.
- Functionality Cookies: these cookies are used to enhance the user’s experience. The information these cookies collect may be anonymous, and they are not used to track the user’s browsing activity on other sites. They are optional to users.
- Targeting Cookies: many of these are provided by third parties. These cookies can remember that the user’s device has visited a site, and may also be able to track the user’s device’s browsing activity on other sites, such as Google Analytics and Adobe Analytics. Such information may be shared with other advertising networks to deliver the advertising. Again, the user can block these cookies.
If the user continues without changing his or her setting, the user has consented to use all of our cookies in our website or mobile app.
How to control and delete cookies
The user can set his or her browser to block some or all cookies. Please refer to the following links for the browser:
Chrome: https://support.google.com/chrome/answer/95647
Internet Explorer: https://support.microsoft.com/en-gb/help/17442/
Firefox: https://support.mozilla.org/en-U/kb/enable-and-disable-cookies-website-preferences
Safari: https://support.apple.com/kb/ph21411
Note that if the user set his or her browser to disable cookies, the user may not be able to access certain parts of our website and other parts of our service may not work properly or it may hinder performance and negatively impact the user’s experience on the website. Alternatively, the user may be able to modify his or her browser setting to notify the user each time a cookie is tendered and permit the user to accept or decline cookies on an individual basis.
Apart from cookies, we may also collect information by automated means when the user visits our website such as web server logs. Web server logs are records of activity created by the mobile device or computer that delivers the webpages the user requests to his or her browser. For example, a web server may record the search term the user entered or the link the user clicked to bring the user the webpage. The web server log also may record information about the user’s browser, such as the user’s IP address and the cookies set on the user’s browser by the server. Information collected from these automated means may be used for some of the Purposes.
6. DISCLOSURE AND TRANSFER OF PERSONAL DATA
We may disclose or transfer Personal Data to companies within the Omniraise group, the charity(ies) or NGOs that we or our agents mention that we represent, or to any third-party service providers or business partners, whether within or outside Thailand, Malaysia, Singapore and/or other overseas territory(ies) from time to time, as necessary on a need-to-know basis to fulfil any of the Purposes and for any other legitimate business purposes subject to the data subject’s express consent which is provided to us by the data subject’s access and continued use of our website and/or services.
We may store the data subject’s Personal Data in secure servers in countries outside of Malaysia, Singapore and/or other overseas territory(ies) and may transfer that such Personal Data to such countries from time to time. For transfer of Personal Data outside the aforementioned countries, we will adopt contractual or other appropriate measures to safeguard the data subject’s Personal Data, to provide a standard of protection at least comparable to that standard under the data protection laws in the data subject’s jurisdiction, and to use them only to fulfil the above Purposes on our behalf or otherwise in accordance with any other cross border data transfer mechanisms under the data protection laws of the data subject’s jurisdiction.
We may also disclose or transfer the data subject’s Personal Data to any other party when we believe such disclosure or transfer is required for legal or regulatory reasons or where it is necessary to protect our interests (as permitted by law), for example, to our insurers in cases of potential claims. We also reserve the right to transfer the data subject’s Personal Data with us in the event we are involved in any merger, acquisition or corporate reorganisation (as permitted by law).
7. THE RIGHTS AS DATA SUBJECT
Every data subject has the right to request a copy of the information that we hold about the data subject and to correct the Personal Data that we hold about the data subject that is inaccurate or incomplete. We will seek to deal with the data subject’s request without undue delay, and in any event within the applicable time period under the data protection laws in the data subject’s jurisdiction (subject to any extensions to which we are lawfully entitled).
Omniraise reserves the right to refuse the data subject’s requests to access and/or make any corrections to his or her Personal Data for the reasons permitted under the applicable laws, such as where the expense of providing access to the data subject is disproportionate to the risks to the data subject or another person’s privacy, then Omniraise may either refuse to act upon the request, or may charge a reasonable fee, taking into account the administrative costs involved.
For users in Malaysia, the data subject may exercise his or her statutory rights including to withdraw his or her consent to our processing of the data subject’s Personal Data, by contacting us via the contact details listed in the paragraph 13 below.
Right to Object
(a) The data subject has the right to object to us processing his or her Personal Data for one (1) of the following reasons:
(i) where it is within our legitimate interest;
(ii) to enable us to perform a task in the public interest or exercise official authority;
(iii) to send the data subject materials; and/or
(iv) for scientific, historical, research or statistical purposes.
(b) The “legitimate interests” category above is the one most likely to apply in relation to our relationship, and if the data subject’s objection relates to us processing his or her Personal Data because we deem it necessary for our legitimate interests, we will act on the data subject’s objection by ceasing the activity in question unless we:
(i) have compelling legitimate grounds for processing which overrides the data subject’s interests; or
(ii) are processing the data subject’s Personal Data for the establishment, exercise or defence of a legal claim.
Right to Withdraw Consent
Where we have obtained the data subject’s consent to process his or her Personal Data for certain activities (for example, for automatic profiling), the data subject may withdraw this consent at any time by emailing us directly, and we will cease to carry out the particular activity that the data subject previously consented to, unless we consider that there is an alternative legal basis to justify our continued processing of the data subject’s Personal Data for this purpose, in which case we will inform the data subject of the same.
Right to submit a data subject access request (“DSAR”)
The data subject may ask us to confirm what information we hold about the data subject at any time, and request us to modify, update or delete such information. We may ask the data subject for more information about his or her request. We may refuse the data subject’s request where we are legally permitted to do so, and we will inform the data subject of the reasons for our refusal. If we provide the data subject with access to the information we hold about the data subject, we will charge the data subject if his or her request is “manifestly unfounded or excessive”. If the data subject requests further copies of this information from us, we may charge the data subject a reasonable administrative cost where legally permissible.
Right to Erasure
(a) The data subject has the right to request that we erase his or her Personal Data in certain circumstances. Normally, the information must meet one (1) of the following criteria:
- the Personal Data is no longer necessary for the purpose for which we originally collected and/or processed them;
- where previously given, the data subject has withdrawn his or her consent to us processing his or her Personal Data, and there is no other valid reason for us to continue processing;
- the Personal Data has been processed unlawfully (i.e., in a manner which does not comply with the GDPR);
- it is necessary for the Personal Data to be erased in order for us to comply with our obligations as a data controller under EU or Member State law; or
- if we process the Personal Data because we believe it is necessary to do so for our legitimate interests, the data subject objects to the processing and we are unable to demonstrate overriding legitimate grounds for our continued processing.
(b) We would only be entitled to refuse to comply with the data subject’s request for erasure for one (1) of the following reasons:
- to comply with legal obligations or for the performance of a public interest task or exercise of official authority;
- for public health reasons in the public interest;
- for archival, research or statistical purposes; or
- to exercise or defend a legal claim.
(c) When complying with a valid request for the erasure of Personal Data, we will take all reasonably practicable steps to delete the relevant Personal Data.
Right to Restrict Processing
(a) The data subject has the right to request that we restrict our processing of his or her Personal Data in certain circumstances. Upon acceptance of the data subject’s request, we can only continue to store his or her Personal Data and will not be able to carry out any further processing activities with it until either the data subject consents or further processing is necessary for either the establishment, exercise or defence of legal claims, the protection of the rights of another individual, or reasons of important EU or Member State public interest.
(b) The circumstances in which the data subject is entitled to request that we restrict the processing of his or her Personal Data are:
- where the data subject disputes the accuracy of the Personal Data that we are processing about the data subject. In this case, our processing of the data subject’s Personal Data will be restricted for the period during which the accuracy of the Personal Data is verified;
- where the data subject objects to our processing of his or her Personal Data for our legitimate interests. Here, the data subject can request that the data be restricted while we verify our grounds for processing his or her Personal Data;
- where our processing the data subject’s Personal Data is unlawful, but the data subject would prefer us to restrict our processing of it rather than erasing it; and
- where we have no further need to process the data subject’s Personal Data but the data subject requires the Personal Data to establish, exercise or defend legal claims.
(c) If we have shared the data subject’s Personal Data with third parties, we will notify the third parties about the restricted processing unless this is impossible or involves disproportionate effort. We will notify the data subject before lifting any restriction on processing the data subject’s Personal Data.
Right to Rectification
The data subject also has the right to request that we rectify any inaccurate or incomplete Personal Data that we hold about the data subject, including by means of providing a supplementary statement. If we have shared this Personal Data with third parties, we will notify the third parties about the rectification unless this is impossible or involves disproportionate effort.
Right of Data Portability
(a) The right of data portability applies to:
(i) Personal Data that we process automatically (i.e., without any human intervention);
(ii) Personal Data provided by the data subject; and
(iii) Personal Data that we process based on the data subject’s consent or in order to fulfil a contract.
(b) The data subject has the right to transfer his or her Personal Data between data controllers which means that the data subject is able to transfer the details we hold on the data subject to other third party. We will provide the data subject with his or her Personal Data in a commonly used machine-readable format to allow the data subject to effect such transfer. Alternatively, we may directly transfer the data for the data subject.
Right to Lodge a Complaint with a Supervisory Authority
The data subject also has the right to lodge a complaint with his or her local supervisory authority.
If the data subject would like to exercise any of these rights, or withdraw his or her consent to the processing of his or her Personal Data (where consent is our legal basis for processing the data subject’s Personal Data), details of how to contact us can be found in the “Contact Us” section of this Policy. Please note that we may keep a record of the data subject’s communications to help us to resolve any issues which the data subject raises.
If the data subject considers that our processing of his or her Personal Data infringes data protection laws, the data subject has a legal right to lodge a complaint with a supervisory authority responsible for data protection in his or her habitual residence or to our representative whose contact details may be found at the “Contact Us” section below.
8. ACCURACY OF PERSONAL DATA
We generally rely on the Personal Data provided by the data subject. In order to ensure that the data subject’s Personal Data is current, complete, and accurate, the data subject has to update us if there are changes to his or her Personal Data by contacting our representative below.
9. RETENTION OF PERSONAL DATA
We will periodically review the Personal Data we hold. We may retain the data subject’s Personal Data for as long as it is necessary to fulfil the purpose for which it was collected, or as required or permitted by applicable laws.
We will cease to retain the data subject’s Personal Data, or remove the means by which the Personal Data can be associated with the data subject , as soon as it is reasonable to assume that such retention no longer serves the purpose for which the Personal Data was collected, and is no longer necessary for legal or business purposes.
10. PROTECTION OF INFORMATION
We will ensure that the data subject ‘s Personal Data is stored securely. To prevent any unauthorised access, disclosure or other similar risks, we endeavour to implement appropriate technical, physical, electronic and procedural security measures to safeguard against and prevent the unauthorised or unlawful access to or tampering of the data subject ‘s Personal Data.
However, the data subject should be aware that no method of transmission over the Internet or method of electronic storage is completely secure. While security cannot be guaranteed, we strive to protect the security of the data subject’s information and are constantly reviewing and enhancing our information security measures.
11. WEBSITES OF THIRD PARTIES
This Policy only applies to us, but not to any other third parties (including any website maintained by them). When the user clicks on links and/or ad banners that take the user to either third parties’ websites or websites of companies associated with us, the user will be subject to the privacy policies of those parties. Whilst we support the protections of privacy on the internet, we do not accept responsibility for any actions taken by third parties outside our web domain.
12. CHANGES TO THE POLICY
We may revise this Policy from time to time without any prior notice by informing the data subject directly (via email) or by providing the latest applicable version of this Policy available on our website: staging.omniraise.com. The data subject’s continued use of our services constitutes his or her acknowledgment and acceptance of such changes.
13. CONTACT US
If the data subject has any questions regarding this Policy or would like to exercise his or her rights to request access to or the correction of his or her Personal Data or if the data subject wishes to withdraw his or her consent to us collecting and processing his or her Personal Data, our representative can be contacted:
- by telephone:
- 012-250 1641
- by email: [email protected]
- by mail:
15-10, Q Sentral, 2A,
Jalan Stesen Sentral 2,
Kuala Lumpur Sentral, Kuala Lumpur 50470, Malaysia
In accordance with section 7(3) of the PDPA, this Policy is issued in both English and Bahasa Malaysia. In case of discrepancies between the English and Bahasa Malaysia versions, the English version shall apply and prevail.