IHH MALAYSIA PERSONAL DATA PROTECTION NOTICE

1. This Personal Data Protection Notice (“Notice”) is revised on [1^st November 2023] (“Effective Date”)

2. Pantai Holdings Sdn Bhd and/or its related corporations, including but not limited to its Affiliates (“we”, “us”, “our”, “company” or “IHH MY”) is committed to protecting Data Subject’s (“your”, “you” and “yours”) personal data, responsibly and in compliance with applicable data protection related laws.
3. This Notice addresses how we Process your personal data by us when you interact with us.
4. This Notice may, however, be replaced or supplemented due to local requirements or to provide you additional information. We strongly encourage you to read this Notice.

5. Any supplement to this Notice may be found on either of the following webpage:
   https://www.pantai.com.my/pdpnotice,
   https://gleneagles.com.my/legal/pdpnotice, or
   https://princecourt.com/pdpnotice

1. For purposes of this Notice, Personal Data means any information or combination of information, relating, directly or indirectly to an identified or identifiable natural person.
2. Depending on the nature of your interaction with us, Personal Data may include your name, identification number, passport number, telephone number(s), mailing address, email address, network traffic data, online identifiers and/or any other information which have been provided to us or we may have access to, in the course of your interaction with us.

3. We may Process certain Personal Data about your Relatives⁴ but only when there is a legitimate business purpose related to your relationship with us, for instance, to administer employee benefits or in case of an emergency.

4. For certain reasons, it may be necessary for us to Process special categories of Personal Data (including “sensitive” Personal Data) (“Sensitive Personal Data”). We only Process Sensitive Personal Data where it is required or authorised under law (employment, social security, social protection or other applicable data protection related laws), or in case of legal claims. Sensitive Personal Data may include religious or philosophical beliefs, information about disabilities, medical history, racial or ethnic data and/or criminal data (behavior, records or proceedings regarding criminal or unlawful behavior).

We collect Personal Data from you in the following ways:

1. Directly:

   1. when you create an account, register with us and/or submit any form to provide us or benefit from our services;
   2. when you disclose Personal Data in face-to-face meetings, email messages, telephone conversations with our teams such as marketing or customer service officers;
   3. when you volunteer and consent to participate in any research conducted by us;
   4. when you sign up for our marketing and promotional communications and/or any initiatives;
   5. when you give your feedback, comments, questions, ratings and reviews on our website, social media or to our customer service officers;
   6. when you interact or communicate with us via our websites or on social media channels, pages, promotions and/or blogs;
   7. when you contact us and/or enter into an agreement to provide us services;
   8. when you visit and/or are within our premises and your images are captured by us via CCTV cameras, photographs or videos taken by us or our representatives when you attend any of our events;
   9. when you submit an employment application; and/or
   10. when you make available your Personal Data to us for any other reason.

2. Indirectly, from other data sources:

   1. when we seek and receive your Personal Data in connection with your relationship with us (including for our product and services or job applications). Example: business partners, public agencies, your ex-employer, referral intermediaries and the relevant authorities;
   2. if you act as an intermediary or are supplying us with information regarding a third-party/other individual (such as a Relative, friend, a colleague, an employee etc.), you undertake that you have obtained all necessary consents from such third-party/other individual for Processing of their Personal Data by us;
   3. as we are collecting third-party or other individual's Personal Data from you, you undertake to make such third-party or other individual aware of all matters listed in this Notice by referring them to our website or informing them of the contents of this Notice; and/or
   4. any other information which we may collect from other sources.

3. Personal Data of Vulnerable Persons [5]

   1. It is, our intention and policy to comply with law when it requires parent, guardian or legal representative’s permission before collecting, using or disclosing Personal Data of Vulnerable Persons.
   2. If a parent, guardian or legal representative becomes aware that Personal Data of a child or ward has been provided by that child or ward without the consent of the relevant parent, guardian or legal representative, please contact us (contact details provided below). Such Personal Data will be disposed of from our records.

   For more details on Personal Data which may be collected, please refer to Appendix 1.

Personal Data shall be collected, used, transferred or otherwise Processed for one or more of the following purposes:

1. Business Purposes: These are legitimate purposes as appropriate to conduct our business. These purposes address Processing of Personal Data necessary for activities such as:

   1. conclusion and execution of agreements with Data Subjects;
   2. marketing, sales, and promotions;
   3. account management of Data Subjects;
   4. customer service and support;
   5. finance and accounting;
   6. research and development, for instance, analytics to provide better products and services;
   7. purchasing/availing of our services;
   8. internal management and control;
   9. management of investor relations;
   10. external communications, interactions with authorised service providers. Our authorised service providers may use cookies, web beacons, and other similar technologies for collecting and storing information to help provide you with a better, faster, and safer web experience;
   11. government and legal affairs;
   12. alliances, ventures, mergers, acquisitions, and divestitures;
   13. Intellectual property and standards management;
   14. anonymising your Personal Data for further processing, aggregation, analysis and commercialisation (of anonymised data that no longer contains your Personal Data only), which may include transferring such anonymised data to members of the IHH Group and their business partners, in Malaysia, Singapore or other foreign countries for such purposes; and/or
   15. any other activity that is reasonably connected to the foregoing.
2. Human resources and personnel management: This includes Processing necessary for the performance of an employment or other contract with an employee (or to take necessary steps at the request of an employee prior to entering into a contract), or for managing the employment-at-will relationship, e.g. management and administration of recruiting and outplacement, compensation and benefits, payments, tax issues, career and talent development, performance evaluations, training, travel and expenses, and employee communications;
3. Business process execution and internal management: This includes Processing necessary for activities such as scheduling work, recording time, managing company assets, conducting internal audits and investigations, implementing business controls, managing and using customer database/employee directories;
4. Health, safety and security: Activities such as those involving occupational safety and health, the protection of our assets, your verification and your access rights and it’s status;
5. Organisational analysis and development and management reporting: Conducting surveys, managing mergers, acquisitions and divestitures, and Processing data for management reporting and analysis;
6. Compliance with legal obligations: For Processing necessary for compliance with a legal obligation to which we are subject;
7. Vital interests: For Processing necessary to protect your vital interests, for instance, situations that require us to protect your life or you from harm;

8. Sensitive Personal Data: Sensitive Personal Data may be Processed under one or more of the following circumstances:

   1. where you have explicitly consented to the Processing;
   2. where Sensitive Data are Processed in connection with the purchase of our service;
   3. where you voluntarily participate in a research project or product test;
   4. as required by or allowed under applicable data protection related laws;
   5. to establish, exercise or defend a legal claim;
   6. with regard to racial or ethnic data: to safeguard our assets, for site access and security reasons, and for the authentication/verification of your access rights, we may Process photos and video images (in some countries photo and video images of individuals qualify as racial or ethnic data);
   7. to prevent, detect or prosecute (including cooperating with public authorities) suspected fraud, contract breaches, violations of law, or other breaches of the terms of access to our sites or assets;
   8. to protect your vital interest, but only where it is impossible to obtain your consent first; and/or
   9. where necessary to comply with an obligation of international public law (e.g. Treaties).

9. Direct Marketing: We may, when Processing Personal Data for making direct marketing communications, either:

   We may, when Processing Personal Data for making direct marketing communications, either:

   1. obtain your consent; and/or
   2. offer you opportunity to choose not to receive such communications.

   In every subsequent direct marketing communication that is made to you, you shall be offered the opportunity to opt-out of further marketing communication.

   If you object to receiving marketing communications from us, or withdraw consent to receive such materials, we will take steps to refrain from sending further marketing materials as specifically requested you. We will do so within the time-period required by applicable data protection related laws;

10. Secondary Purposes: Processing of Personal Data (including previously collected data) for secondary purposes such as:

    1. Maintaining the security of the Personal Data Processed;
    2. transferring the Personal Data to an Archive;
    3. conducting internal audits or investigations;
    4. implementing business controls;
    5. conducting statistical, historical or scientific research as required for our business operations;
    6. preparing or engaging in dispute resolution;
    7. using legal or business consulting services;
    8. managing insurance or other benefits related issues; and/or creating de-identified, aggregated and/or anonymised data from Personal Data from which relevant Data Subjects would not be identifiable, through removal of identifiable components, obfuscation, pseudonymisation, anonymisation, or any other means for purposes including, but not limited to (a) enhancing security; and/or (b) for further processing, aggregation, analysis (of the anonymised data that no longer contains your Personal Data only), for optimisation of patient care and improvement of healthcare services, products and research and developments which may include transferring such anonymised data to our affiliates and business partners in IHH MY or abroad, for such purposes."

1. Automated tools may be used by us to Process your Personal Data and/or make decisions about you. Some extent of human intervention may be involved in the automated decision-making.

2. Where permissible under law, we may undertake automated decision-making if:

   1. the decision is made by us for purposes of entering or performing a contract provided that the underlying request leading to a decision by us was made by you;
   2. you have provided explicit consent; and/or
   3. the use of automated tools is otherwise required.
3. We are mindful of safeguarding your rights and legitimate interests. To request a manual decision-making process, express your opinion or contest our decision based on automated processing, including profiling, please contact us (contact details provided below).

1. Your Personal Data may be shared with our Affiliates and the healthcare professional.
2. Access to Personal Data, will be limited to those who have a need to know the information for the purposes described in this Notice.

3. From time to time, we may need to share your Personal Data with authorised external parties, which may include the following:

   1. service providers, vendors, suppliers: we contract with authorised external parties or companies that provide products and services to us such as information technology security and support, customer survey, debt recovery, payroll and employee expense support, and benefits and rewards administration;
   2. public and governmental authorities: when required by law, or as necessary to protect our rights, we may share your Personal Data to public and governmental authorities that regulate or have jurisdiction over us;
   3. professional advisors and others: we work with and receive support from certain professional advisors such as banks, insurance companies, auditors, lawyers, accountants, and payroll advisors; and/or
   4. other parties in connection with corporate transactions: we may also, from time to time, share your Personal Data in the course of corporate transactions, such as during a sale of a business or a part of a business to another company, or any reorganisation, merger, joint venture, or other disposition of our business, assets, or stock.
4. As appropriate, we will contractually protect and safeguard your interests at a similar level of protection as provided by us.

1. Due to our international presence, your Personal Data may be transferred to or accessed by our Affiliates and authorised external parties from various countries around the world in order for us fulfil the purposes described in this Notice.
2. As a result, we may transfer your Personal Data to countries located outside of your country of residence, which may have data protection related laws and rules that are different from those of your country of residence.

3. Personal Data may be transferred to an authorised external party, located internationally only if, we believe it is necessary or appropriate to:

   1. ensure compliance with applicable data protection related laws which may include responding to requests from public and government authorities, cooperation with law enforcement agencies or other legal reasons; and/or
   2. satisfy purposes for which Personal Data has been collected by us or to enforce our terms and conditions.

1. We keep your Personal Data as long as we need to fulfil the purposes for which it has been collected. We retain Personal Data only:

   1. for the period required to serve applicable Business Purpose;
   2. to the extent necessary to comply with an applicable legal requirement; and/or
   3. as advised by local laws.

2. Promptly after applicable retention period has ended, your Personal Data will be appropriately:

   1. disposed;
   2. de-identified (through removal of identifiable components, obfuscation, pseudonymisation, anonymisation, or any other means); and/or
   3. transferred to an archive (unless this is prohibited by applicable data protection related law).

1. We are committed to maintaining the security of the Personal Data Processed and restrict the Processing of Personal Data to those data/information that are reasonable, adequate for, and/or relevant to applicable Business Purpose.
2. To protect your Personal Data, we take appropriate measures, and we also require our external parties to protect the confidentiality and security of your Personal Data. Depending on the state of the art, the costs of implementation and the nature of the data/information to be protected, we have put in place physical, technical and organisational measures to prevent risks such as destruction, loss, misuse, alteration, and unauthorised disclosure of or access to your Personal Data.
3. If you have any reason to believe that your interaction with us is no longer secure, please contact us (contact details provided below).

1. We strive to maintain your Personal Data in a manner that is accurate, complete and up-to-date. Personal Data you provide us with must be accurate, complete and up-to-date, and you must inform us of any significant changes to your Personal Data.
2. Furthermore, if you share Personal Data of other people with us (including your Relatives) please note that you need to ensure that this Personal Data is collected in compliance with applicable data protection related laws. For example, you should inform such other people about contents of this Notice.

3. With respect to Processing of your Personal Data, you may:

   1. obtain information on the Processing of your Personal Data;
   2. ask questions about how we handle Personal Data;
   3. request to review, correct, update, supress, or restrict the use of your Personal Data;
   4. request your Personal Data to be removed;
   5. withdraw your consent to use of your Personal Data, or to the use of your Personal Data for particular purposes;
   6. object to the use of Personal Data for our legitimate business interests; and/or
   7. request to receive an electronic copy of your Personal Data for purposes of transferring it to another company.

4. If you have any inquiries, requests or comments in relation to this Notice, please contact the Data Protection Office via the following channels:

   • Email: [email protected]
   • Written communication mailed to: Data Protection Officer, IHH Healthcare Malaysia Pantai Medical Centre Sdn Bhd, Level 6, Block A, Pantai Hospital Kuala Lumpur, 8, Jalan Bukit Pantai, 59100, Kuala Lumpur
5. We will do our best to address your requests and concerns within reasonable time. Upon receipt of your request, we may ask you to verify your identity before we can act on your request.

1. We may revise this Notice from time to time. Any changes will become effective as on the Effective Date, when we post the revised Notice on our website. You are strongly advised to review this Notice periodically for any changes.
2. The English language version of this notice shall prevail in the event of any inconsistencies with any translated versions.

[1] “Affiliates” is any entity that controls, is controlled by, or is under common control, in each case either directly or indirectly with either a subsidiary or related corporation of the Group, where “control” means the ownership of or the power to vote representing more than 50% of voting stock, shares or interests of the entity.

[2] “Data Subjects” are entities and individuals including our employees, job applicants, clients, customers, business partners, personnel, contractors, suppliers and other individuals

[3] “Process” (including references to “Processing” and “Processed”) is any operation or set of operations performed on the Personal Data including, but not limited to, collection, storage, use, disclosure, transfer or destruction.

[4] “Relatives” include spouses, next of kin, dependents, children, and partners.

[5] “Vulnerable Person” are persons deemed more vulnerable by applicable laws and regulations, and includes, but is not limited to, minors, elderly, persons with disabilities, and persons with diminished mental capacity.