The Roundtable on Sustainable Palm Oil (“RSPO”) wishes to express its commitment to ensuring that the privacy of the information and personal data which you provide to us is preserved and updated in line with the international standards for data protection.
This Policy forms an integral part of the framework governing the RSPO’s processing of the personal data (including sensitive personal data) and is applicable to our relationship with the classes of persons to which the PDPA and the GDPR apply, including but not limited to our members, employees, customers, clients, investors, sponsors, suppliers, event organizers, event managers, promoters, and contractors, contractual or otherwise. This Policy is a legally binding document to which adherence is ordinarily expected.
This Policy governs the manner in which RSPO collects, uses, processes, maintains and discloses personal details including names, telephone numbers, email address, office or residential addresses and all such personal identification information (hereinafter referred to as “Personal Data”) from each member or any other data provider in its database. This Policy also applies to the membership application Form, as well as to the usage of the RSPO website and any other social media websites.
The Policy is to be read together with the member’s Code of Conduct and/or the individual contracts entered into with RSPO, as the case may be. RSPO’s members and / or data providers are expected to have read and understood all the terms of this Policy.
B. Personal Data
The term “Personal Data” in line with the PDPA and the GDPR is defined as including any information relating to an identified or identifiable natural person. An identifiable person is someone who can be identified, directly or indirectly, in particular by reference to an identification number, location data, online identifiers that refer to the person’s physical, physiological, mental, economic, cultural or social identity of the person.
Further to the generality of the terms as defined by the PDPA, Personal Data as referred to in this Policy may relate to any natural persons, including RSPO members and their representatives, RSPO employees, customers, clients, investors, suppliers, sponsors, contractors or other individuals not specifically mentioned (collectively, “Data Subject”).
Consent means any given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Processing means an operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Supervisory Body is the authority whose primary responsibility is dealing with cross-border data protection activity. Its responsibilities include coordinating investigations into complaints by the data subject.
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
The RSPO shall be at liberty to collect and process the following Personal Data from a Data Subject:
- personal details such as name, identity card / passport/ social security number, age, gender, nationality, birthdates, residential and business addresses, social media website addresses, contact numbers, email address and such other relevant information that identifies the respective Data Subject;
- information about businesses, trade, or services that the Data Subject is engaged in;
- payment transactions – either via cheque, credit or debit card, PayPal or online bank transfers;
- all billing records for services, inclusive of any cancellations that have been made;
- any such other information that are, have been or will be collected by us in future, or such information which the Data Subject provides to the RSPO in connection to any services or contractual obligation, including data that is collected from any surveys, questionnaires, transactions or any correspondence with the RSPO;
- individual personal preferences of the Data Subject such as language, product or content interest, as well as communication preferences;
- the Data Subject’s choice in regards to receiving future communication as to future meetings, events, conferences or seminars organized by the RSPO;
- any enquiries, comments or messages sent to the RSPO via the RSPO website or any other social media website; and
- IP address of a Data Subject who visits the RSPO website, applies and registers for membership, sends queries or uploads posts / comments in any RSPO-hosted forum.
The processing of your Personal Data is deemed mandatory for certain purposes, wherein the RSPO will still be able to process your Personal Data in the absence of your consent if it is necessary for such a purpose. These include the processing of Personal Data:
- for the performance of a contract to which you are a party;
- at your request, with a view to entering into a contract with the RSPO;
- for compliance with any legal obligation to which RSPO is subject, other than an obligation imposed by a contract;
- to protect your vital interests;
- for the administration of justice; or
- for the exercise of any functions conferred on any person by or under any law.
C. Sensitive Personal Data
Sensitive Personal Data is any personal data consisting of information on your physical (racial or ethnic origin) genetic data or biometric data or mental health or condition, political opinions, religious beliefs or other beliefs of a similar nature, the commission or alleged commission of an offence or any such other information prescribed by the PDPA as Sensitive Personal Data.
It is our express Policy not to collect and process Sensitive Personal Data unless required by any applicable or relevant laws in carrying out specific obligations. You are advised NOT to submit any kind of sensitive personal data if you do not want the RSPO to collect or process such data.
In the event that you have submitted Sensitive Personal Data to us, it will be deemed to have been submitted on your own volition and with your explicit consent. The RSPO shall treat all Sensitive Personal Data as confidential and such data shall be subject to the terms and conditions of the Policy.
A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is a small piece of data sent from the RSPO website and stored in your web browser while you browse the RSPO website. Every time you access the RSPO website, the browser sends the cookie back to the server to notify the website of your previous activity.
Cookies are designed to be a mechanism for the website to remember information or to record your browsing activity. Cookies do not collect personal data or any such information that is related to or deemed as personal identification information.
When you access the RSPO website, there will be certain information stored by the RSPO, albeit minor. By accessing the website and through your continuous or regular use of the website, you are deemed to have read and agree to be bound by the terms of this Policy. As such, the information collected therein will be processed accordingly.
If you do not wish to have your information stored, then you are advised to remove cookies from your hard drives after each browsing session.
E. Links / Related websites
F. How we collect your Personal Data
The RSPO will collect Personal Data from the Data Subject when such information is voluntarily submitted. By providing such Personal Data, the Data Subject is deemed to have voluntarily consented to the processing, storage and dissemination of their personal data in accordance with the PDPA and the terms and conditions of this Policy herein.
Generally, the RSPO will collect Personal Data from a Data Subject through a variety of sources, including but not limited to:
- applications for RSPO membership;
- updates received from a Data Subject with regards to their personal details or any change therein, including a change of address;
- enquiries and registrations for RSPO events, meetings, seminar or forums;
- visits to the RSPO website and/or any of the RSPO’s social media webpages;
- registrations with the RSPO and/or its event organizers for events whether online or manually;
- any transaction or inquiry or communication made with the RSPO;
- when such personal data is collected by promoters, event managers, event organizers or any associates of the RSPO in the course of any event, function, meeting or any marketing, expansion and promotional activities; and
- contracts for service or services entered into with the RSPO.
Purpose of Collecting Personal Data
The RSPO will collect and process your Personal Data (including Sensitive Personal Data) for the following purposes:
- to communicate with you about membership, inquiries or other requests;
- to facilitate your participation in RSPO events, future or promotional events;
- to respond to your queries;
- for administrative purposes, including but not limited to billing, payment, registration of new members and renewal of current memberships;
- to monitor and upgrade the RSPO’s services;
- for direct marketing services;
- to update and provide information on promotions and upcoming events to you;
- to conduct research, surveys and statistical analysis;
- to send emails on updates or on any event that may be of interest to you;
- for the performance of a contract to which you are a party;
- for compliance with any legal obligation to which RSPO is subject, other than an obligation imposed by a contract.
Disclosure and Sharing of Personal Data
The RSPO has the sole discretion in deciding whether to share any Personal Data with the following third parties for such limited purposes as necessary:
- RSPO’s partners, trusted affiliates, promoters, event organizers, researchers, and advertisers as part of the efforts to conduct statistical analysis of current or future global trends as well as for marketing, advertising and promotional purposes of future meetings, conferences and/or events;
- third party service providers which help operate the RSPO and its website, as well as all other social media websites, and/or administer activities on the RSPO’s behalf, such as to send out newsletters and/or emails, to conduct text messaging blasting and/or surveys; and
- RSPO’s lawyers, legal counsel, accountants, actuaries, auditors, consultants, promoters, event organizers and such other service providers in the conduct and administration of its affairs.
The RSPO will not sell, trade or rent out Personal Data to any unauthorized third parties.
By agreeing to the terms of this Policy, you are deemed to have given your unconditional permission and consent to allow the RSPO to disclose and share your Personal Data and the extent of such Personal Data with those third parties mentioned above.
If you attend any of the RSPO’s Seminars, Conferences, meetings, events or functions, you are deemed to have consented to the RSPO sharing your personal information, contact details and such other relevant data required or relevant for the event in question with any of RSPO’s associates, affiliates or event organizers.
If any associate, affiliate or event organizer is required to assist the RSPO for payment collection and registration of attendees for the RSPO’s respective Seminar, Conference, meeting, event or function, the said associate, affiliate or event organizer shall be fully responsible to ensure that the Personal Data collected is processed in accordance with the PDPA and that all safeguards are taken by them to ensure no breach on their part.
Personal Data Breach
In the event of a personal data breach, RSPO shall without undue delay, and where feasible not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority (MCMC), unless the personal data breach is unlikely to affect the rights and freedom of the natural persons.
In the event that the personal data breach may affect the rights and freedom of the natural persons, RSPO shall communicate the data breach to the data subject. The contents of the notification shall be as follows;
- RSPO has implemented appropriate technical and organizational measures. Such measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
- the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
- It would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
G. Transfer of Personal Data outside the jurisdiction
From time to time, it may become necessary for the RSPO to transfer your Personal Data to a country, institution or jurisdiction outside Malaysia for the purposes for which the Personal Data is collected. In this regard, the RSPO has the sole discretion in deciding whether to transfer your Personal Data.
By acknowledging and agreeing to the terms of this Policy, you are deemed to have given your consent to allow us to transfer your Personal Data to any country or jurisdiction outside Malaysia that provides adequate or similar levels of protection.
In the absence of adequate levels of protections, RSPO will only transfer personal data when the country, institution or organization provides appropriate safeguards and on condition that the enforceable data shall be subject to the rights and effective legal remedies for data subjects available. The RSPO shall not be liable for any breach of any of the personal data principles in the recipient country which receives the personal data.
H. Your Right to Opt-Out
If you do not wish to have your Personal Data shared, disclosed or transferred, you have a right to withhold your consent to such a transaction or at any time. Additionally, if at any time you do not want to receive any emails from the RSPO pertaining to promotions, surveys, advertisements, statistical analysis or other related marketing material, you have an option to unsubscribe from the RSPO’s mailing list. Additionally, the withdrawal of consent shall not affect the lawfulness of the processing before being withdrawn.
It shall be your responsibility to inform the RSPO by way of a written Notice if:
- you do not agree to have your Personal Data shared with such third parties; or
- to the transfer of your Personal Data outside of Malaysia; or
- you wish to unsubscribe from the RSPO’s mailing list.
Such a Notice must be in writing and must be sent either by email to [email protected], or by post or hand to the RSPO Secretariat whose address is at Unit 13A-1, Menara Etiqa, No.3 Jalan Bangsar Utama 1, 59000 Kuala Lumpur, Malaysia. In the event such a Notice is sent by post, it will be deemed to have been delivered effectively only if received by the RSPO.
In the event that you do not send such a Notice to the RSPO, you shall be deemed to have given your consent to the RSPO to:
- disclose, share and transfer your Personal Data for the purposes above; and/or
- be included in its correspondence list and agree to receive such information from the RSPO and its affiliates, associates or any event organizer appointed by the RSPO.
I. How we Store and Protect your Personal Data
As a responsible organization, the RSPO adopts appropriate data collection, storage and processing practices and security measures to protect against unauthorized access, accidental loss, alteration, disclosure or destruction of your Personal Data.
The RSPO shall take all reasonable and necessary measures to ensure that all Personal Data stored in its records is secure and protected. By continuing your membership, you hereby agree and consent to giving the RSPO the sole prerogative in determining the manner in which your Personal Data is to be stored.
The RSPO websites are encrypted to ensure that the information collected therein is secure. All reasonable measures are taken to ensure such information is secure and to prevent any loss, alteration, theft or third party interference.
By agreeing to the terms of this Policy, you are deemed to understand that the RSPO shall not be liable in the event of any unforeseen events that result in the unauthorized publication and/or leakage of such personal data.
By your continued membership in the RSPO, you hereby agree to indemnify the RSPO for any consequences resulting in such unauthorized publication or leakage of the Personal Data.
J. Retention of Personal Data
Your Personal Data will be kept only as long as necessary to fulfill the purpose for which it was collected. In the event Personal Data is no longer required to be used by the RSPO, it may delete and destroy such Personal Data from its records, unless the retention of such Personal Data is required to satisfy legal, regulatory or accounting requirements or for any other purpose which renders the retention necessary.
The data subject shall have the right to request the erasure of any data that has been made public. RSPO will take the reasonable steps necessary (taking into account available technology and cost of implementation, and unless otherwise required by law) to comply with the request to erase any links, copies or replications of the personal data.
In the event of termination or expiry of a membership or contract with a Data Subject:
- such Personal Data of the Data Subject shall be stored in the RSPO database; unless the Data Subject serves a written Notice to the RSPO requesting for such Personal Data to be destroyed and deleted from the RSPO database;
- the RSPO shall at all times take reasonable measures to ensure sufficient security measures are taken to protect the Personal Data; and
- the Data Subject has a choice as to whether they wish to receive any future correspondence from the RSPO in regard to future marketing information.
- It will be the responsibility of the Data Subject to inform the RSPO as to whether they wish to remain on the mailing list. Failure to give such notice will be deemed as consent to receiving future correspondence from the RSPO, its affiliates and associates.
K. Maintaining Data Integrity
You are personally responsible for providing the RSPO with accurate and updated information about yourself as well as any other Personal Data pertaining to third parties (for example attendees for RSPO events, meetings or seminars or office bearers in their organization and such relevant third parties) that you may submit to the RSPO.
In the event such information and Personal Data submitted is incorrect or becomes outdated, then you are duly responsible to make such corrections or to update such information by contacting the RSPO within a reasonable time frame.
If your membership has been terminated or has expired and you wish to resume membership with the RSPO, it is your responsibility to confirm the details of your Personal Data to be processed by the RSPO. Members shall be responsible for any changes or updates to their Personal Data and shall be responsible to inform the RSPO accordingly. The RSPO shall not be liable for any act or omission of any member in giving them full and complete personal data or to update them of any changes made.
Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her in the event of an infringement.
L. Access to Personal Data
The data subject has the right to receive the data in a structured, commonly used manner. This may include the option to request a direct download of the data stored.
You may choose to inform the RSPO and:
- Request for a copy of the Personal Data kept by the RSPO;
- Request to update their respective Personal Data;
- Request to change, alter or amend their respective Personal Data.
Such requests shall be met by RSPO free of charge unless found to be excessive and/or repetitive where a reasonable fee shall be charged.
You will be required to provide a full set of credentials and identification to confirm your identity before any such request can be entertained. If you are unable to prove, confirm and verify your identity then the RSPO shall deny such access or request for rectification in order to safeguard the Personal Data in its records.
The RSPO may comply with or refuse such request to access or rectify such information. In the event that we refuse your request, the reasons for such a refusal will be provided.
The RSPO has the sole prerogative as to whether to allow any changes or alterations to its database in order to protect against any false or fraudulent change or alteration made.
The RSPO shall not be responsible for any omission or delay or negligence on the Data Subject’s part in failing to update their Personal Data or to submit their request for rectification.
By accepting this Policy, you hereby signify your unconditional acceptance of this Policy and will be deemed to have given your complete consent to the RSPO to use, store, disseminate and process your Personal Data.
By continuing your membership with the RSPO, you are deemed to be bound by the rules and policies made by the RSPO and are subject to the terms and conditions of this Policy. Your continued membership in the RSPO will be deemed as continued acceptance of any future changes in the Policy as may be made from time to time.
N. Amendments to the Policy
Personal Data submitted to the RSPO will be processed in accordance with the terms and conditions in this Policy as may be amended from time to time. RSPO alone may amend any of the terms of this Policy. In the event of any such change, the amended Policy will be made available on the RSPO website. Members and data providers are advised to visit the RSPO website from time to time to gain access to the latest version of the Policy.
O. Contact Details
If you have any questions about our Policy, the practices on our website or any of our other pages in any social media website, or with regard to your dealings with us, as well as to update us or to inform us about any amendments in regards to your Personal Data, please contact us at the following email address: [email protected].