The Roundtable on Sustainable Palm Oil (“RSPO”) wishes to express its commitment to ensuring that the privacy of the information and personal data which you provide to us is preserved and updated in line with the international standards for data protection.
This Policy forms an integral part of the framework governing the RSPO’s processing of the personal data (including sensitive personal data) and is applicable to our relationship with the classes of persons to which the PDPA and the GDPR apply, including but not limited to our members, employees, customers, clients, investors, sponsors, suppliers, event organizers, event managers, promoters, and contractors, contractual or otherwise. This Policy is a legally binding document to which adherence is ordinarily expected.
This Policy governs the manner in which RSPO collects, uses, processes, maintains and discloses personal details including names, telephone numbers, email address, office or residential addresses and all such personal identification information (hereinafter referred to as “Personal Data”) from each member or any other data provider in its database. This Policy also applies to the membership application Form, as well as to the usage of the RPSO website and any other social media websites.
The Policy is to be read together with the member’s Code of Conduct and/or the individual contracts entered into with RSPO, as the case may be. RSPO’s members and / or data providers are expected to have read and understood all the terms of this Policy.
B. Personal Data
The term “Personal Data” in line with the PDPA and the GDPR is defined as including any information relating to an identified or identifiable natural person. An identifiable person is someone who can be identified, directly or indirectly, in particular by reference to an identification number, location data, online identifiers that refer to the person’s physical, physiological, mental, economic, cultural or social identity of the person.
Further to the generality of the terms as defined by the PDPA, Personal Data as referred to in this Policy may relate to any natural persons, including RSPO members and their representatives, RSPO employees, customers, clients, investors, suppliers, sponsors, contractors or other individuals not specifically mentioned (collectively, “Data Subject”).
Consent means any given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Processing means operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Supervisory Body is the authority whose primary responsibility is in the dealing with the cross-border data protection activity. The responsibilities include coordinating investigation into complaints by the data subject.
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
The RSPO shall be at liberty to collect and process the following Personal Data from a Data Subject:
The processing of your Personal Data is deemed mandatory for certain purposes, wherein the RSPO will still be able to process your Personal Data in the absence of your consent if it is necessary for such a purpose. These include the processing of Personal Data:
C. Sensitive Personal Data
Sensitive Personal Data is any personal data consisting of information on your physical (racial or ethnic origin) genetic data or biometric data or mental health or condition, political opinions, religious beliefs or other beliefs of a similar nature, the commission or alleged commission of an offence or any such other information prescribed by the PDPA as Sensitive Personal Data.
It is our express Policy not to collect and process Sensitive Personal Data unless required by any applicable or relevant laws in carrying out specific obligations. You are advised NOT to submit any kind of sensitive personal data if you do not want the RSPO to collect or process such data.
In the event that you have submitted Sensitive Personal Data to us, it will be deemed to have been submitted on your own volition and with your explicit consent. The RSPO shall treat all Sensitive Personal Data as confidential and such data shall be subject to the terms and conditions of the Policy.
A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is a small piece of data sent from the RSPO website and stored in your web browser while you browse the RSPO website. Every time you access the RSPO website, the browser sends the cookie back to the server to notify the website of your previous activity. Cookies are designed to be a mechanism for the website to remember information or to record your browsing activity. Cookies do not collect personal data or any such information that is related to or deemed as personal identification information.
When you access the RSPO website, there will be certain information stored by the RSPO, albeit minor. By accessing the website and through your continuous or regular use of the website, you are deemed to have read and agree to be bound by the terms of this Policy. As such, the information collected therein will be processed accordingly.
If you do not wish to have your information stored, then you are advised to remove cookies from your hard drives after each browsing session.
E. Links / Related websites
F. How we collect your Personal Data
The RSPO will collect Personal Data from the Data Subject when such information is voluntarily submitted. By providing such Personal Data, the Data Subject is deemed to have voluntarily consented to the processing, storage and dissemination of their personal data in accordance with the PDPA and the terms and conditions of this Policy herein.
Generally, the RSPO will collect Personal Data from a Data Subject through a variety of sources, including but not limited to:
Purpose of Collecting Personal Data
The RSPO will collect and process your Personal Data (including Sensitive Personal Data) for the following purposes:
Disclosure and Sharing of Personal Data
The RSPO has the sole discretion in deciding whether to share any Personal Data with the following third parties for such limited purposes as necessary:
The RSPO will not sell, trade or rent out Personal Data to any unauthorized third parties.
By agreeing to the terms of this Policy, you are deemed to have given your unconditional permission and consent to allow the RSPO to disclose and share your Personal Data and the extent of such Personal Data with those third parties mentioned above.
If you attend any of the RSPO’s Seminars, Conferences, meetings, events or functions, you are deemed to have consented to the RSPO sharing your personal information, contact details and such other relevant data required or relevant for the event in question with any of RSPO’s associates, affiliates or event organizers.
If any associate, affiliate or event organizer is required to assist the RSPO for payment collection and registration of attendees for the RSPO’s respective Seminar, Conference, meeting, event or function, the said associate, affiliate or event organizer shall be fully responsible to ensure that the Personal Data collected is processed in accordance with the PDPA and that all safeguards are taken by them to ensure no breach on their part.
Personal Data Breach
In the event of a personal data breach, RSPO shall without undue delay, where feasible not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent (MCMC) unless the personal data breach is unlikely to affect the rights and freedom of the natural persons.
In the event that the personal data breach may affect the rights and freedom of the natural persons, RSPO shall communicate the data breach to the data subject. The contents of the notification shall be as follows;
G. Transfer of Personal Data outside the jurisdiction
From time to time, it may become necessary for the RSPO to transfer your Personal Data to a country, institution or jurisdiction outside Malaysia for the purposes for which the Personal Data is collected. In this regard, the RSPO has the sole discretion in deciding whether to transfer your Personal Data.
By acknowledging and agreeing to the terms of this Policy, you are deemed to have given your consent to allow us to transfer your Personal Data to any country or jurisdiction outside Malaysia that provides adequate or similar levels of protection
In the absence of adequate levels of protections, RSPO will only transfer personal data when the country, institution or organization provides appropriate safeguards and on condition that the enforceable data shall be subject to the rights and effective legal remedies for data subjects available. The RSPO shall not be liable for any breach of any of the personal data principles in the recipient country which receives the personal data.
H. Your Right to Opt-Out
If you do not wish to have your Personal Data shared, disclosed or transferred, you have a right to withhold your consent to such a transaction or at any time. Additionally, if at any time you do not want to receive any emails from the RSPO pertaining to promotions, surveys, advertisements, statistical analysis or other related marketing material, you have an option to unsubscribe from the RSPO’s mailing list. Additionally, the withdrawal of consent shall not affect the lawfulness of the processing before being withdrawn.
It shall be your responsibility to inform the RSPO by way of a written Notice if:-
Such a Notice must be in writing and must be sent either by email to firstname.lastname@example.org, or by post or hand to the RSPO Secretariat whose address is at Unit A-37-1, Menara UOA Bangsar, No.5 Jalan Bangsar Utama 1, 59000 Kuala Lumpur, Malaysia. In the event such a Notice is sent by post, it will be deemed to have been delivered effectively only if received by the RSPO.
If in the event that you do not send such a Notice to the RSPO, you shall be deemed to have given your consent to the RSPO to:
I. How we Store and Protect your Personal Data
As a responsible organization, the RSPO adopts appropriate data collection, storage and processing practices and security measures to protect against unauthorized access, accidental loss, alteration, disclosure or destruction of your Personal Data.
The RSPO shall take all reasonable and necessary measures to ensure that all Personal Data stored in its records is secure and protected. By continuing your membership, you hereby agree and consent to giving the RSPO the sole prerogative in determining the manner in which your Personal Data is to be stored.
The RSPO websites are encrypted to ensure that the information collected therein is secure. All reasonable measures are taken to ensure such information is secure and to prevent any loss, alteration, theft or third party interference.
By agreeing to the terms of this Policy, you are deemed to understand that the RSPO shall not be liable in the event of any unforeseen events that result if the unauthorized publication and/or leakage of such personal data. By your continued membership in the RSPO, you hereby agree to indemnify the RSPO for any consequences resulting in such unauthorized publication or leakage of the Personal Data.
J. Retention of Personal Data
Your Personal Data will be kept only as long as necessary to fulfill the purpose for which it was collected. In the event Personal Data is no longer required to be used by the RSPO, it may delete and destroy such Personal Data from its records, unless the retention of such Personal Data is required to satisfy legal, regulatory or accounting requirements or for any other purpose which renders the retention necessary.
The data subject shall have the right to request to erase any data that has been made public, RSPO will take reasonable steps necessary (taking into account available technology and cost of implementation and unless otherwise required by law) to comply with the erasure request any links, copy or replication of the personal data.
In the event of termination or expiry of a membership or contract with a Data Subject:
K. Maintaining Data Integrity
You are personally responsible for providing the RSPO with accurate and updated information about yourself as well as any other Personal Data pertaining to third parties (for example attendees for RSPO events, meetings or seminars or office bearers in their organization and such relevant third parties) that you may submit to the RSPO.
In the event such information and Personal Data submitted is incorrect or becomes out dated, then you are duly responsible to make such corrections or to update such information by contacting the RSPO within a reasonable time frame.
If your membership has been terminated or has expired and you wish to resume membership with the RSPO, it is your responsibility to confirm the details of your Personal Data to be processed by the RSPO. Members shall be responsible for any changes or updates to their Personal Data and shall be responsible to inform the RSPO accordingly. The RSPO shall not be liable for any act or omission of any member in giving them full and complete personal data or to update them of any changes made.
Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her in the event of an infringement.
L. Access to Personal Data
The data subject has the right to receive the data in a structured, commonly used manner. This may include option to request for a direct download of the data stored.
You may choose to inform the RSPO and:
Such requests shall be met by RSPO free of charge unless found to be excessive and/or repetitive where a reasonable fee shall be charged.
You will be required to provide a full set of credentials and identification to confirm your identity before any such request can be entertained. If you are unable to prove, confirm and verify your identity then the RSPO shall deny such access or request for rectification in order to safeguard the Personal Data in its records.
The RSPO may comply with or refuse such request to access or rectify such information. If in the event that we refuse your request, the reasons for such a refusal will be provided.
The RSPO has the sole prerogative as to whether to allow any changes or alterations to its data base in order to protect any false or fraudulent change or alteration made.
The RSPO shall not be responsible for any omission or delay or negligence on the Data Subject’s part in failing to update their Personal Data or to submit their request for rectification.
By accepting this Policy, you hereby signify your unconditional acceptance of this Policy and will be deemed to have given your complete consent to the RSPO to use, store, disseminate and process your Personal Data.
By continuing your membership with the RSPO, you are deemed to be bound by the rules and policies made by the RSPO and are subject to the terms and conditions of this Policy. Your continued membership in the RSPO will be deemed as continued acceptance of any future changes in the Policy as may be made from time to time.
N. Amendments to the Policy
Personal Data submitted to the RSPO will be processed in accordance with the terms and conditions in this Policy as may be amended from time to time. RSPO alone may amend any of the terms of this Policy. In the event of any such change, the amended Policy will be made available on the RSPO website. Members and data providers are advised to visit the RSPO website from time to time to gain access to the latest version of the Policy.
O. Contact Details
If you have any questions about our Policy, the practices on our website or any of our other pages in any social media website, or with regard to your dealings with us, as well as to update us or to inform us about any amendments in regards to your Personal Data, please contact us at the following email address: email@example.com.