Privacy and Personal Data Protection Policy

General policy

The Personal Data Protection Act (PDPA) is an act enacted by the Malaysian government in 2010, which came into effect on 15th November 2013, to protect individuals’ personal data. It applies to any person who processes, and any person who has control over or authorizes the processing of, any personal data in respect of commercial transactions.

Brighton Group (“BG”, “we” or “us” or “our”) is required to comply with the Personal Data Protection Act 2010 (the “Act”) as amended by the Personal Data Protection (Amendment) Act 2024.

Definitions

For the purpose of this Policy, the following words shall have the following meanings assigned to them:

“Act” means the Personal Data Protection Act 2010, as amended by the Personal Data Protection (Amendment) Act 2024.
“Notice” means this Privacy Notice and any other amendments, supplements and/or additions as may be provided from time to time.
“Personal Data” means any information or data or a combination of information or data that can be used to uniquely identify or contact an individual.
“Processing” means collecting, recording, holding/storing or carrying out operations on any data including organization, adaptation or alteration, retrieval, consultation or use, disclosure by transmission, transfer, dissemination or otherwise making available, or the alignment, combination, correction, erasure or destruction of Personal Data.
“Sensitive Personal Data” shall include an individual’s mental or physical health or condition, political opinions of an individual, religious beliefs or other beliefs of a similar nature, the commission or alleged commission of any offence or any other information to be gazetted under the Act. It now includes biometric data for identity verification, as per the Amendment.

In case of discrepancies between the English and Bahasa Malaysia versions of this Notice, the English version shall prevail.

Responsibilities for Handling Personal Data

3.1 Key Roles and Responsibilities for Protection and Management of Personal Data:

  • Data Protection Officer (DPO):
    The DPO is responsible for ensuring BG’s compliance with data protection laws, including overseeing the collection, processing, storage, and sharing of personal data. The DPO’s responsibilities include:
    • Advising on data protection obligations and best practices.
    • Conducting Data Protection Impact Assessments (DPIAs) as required.
    • Monitoring compliance with internal policies and legal requirements related to data protection.
    • Serving as the primary contact point for data subjects to address their rights and concerns under data protection laws.
    • Managing and resolving data security incidents, including data breaches.
    • Ensuring staff and contractors are trained on data privacy practices and policies.
    • Ensuring the company is ready for any new regulations under the PDPA Amendment 2024.
    • If a new processing activity is identified that could impact the rights and freedoms of data subjects, a Data Protection Impact Assessment (DPIA) will be conducted to assess and mitigate risks associated with the processing.
  • Data Controllers and Processors:
    • Data Controllers are responsible for ensuring that personal data is collected and processed lawfully, fairly, and transparently. This includes ensuring that proper consent is obtained and that personal data is used for the specified purposes outlined in this policy.
    • Data Processors (internal or external parties who process personal data on behalf of BG) must ensure that personal data is handled according to the organization’s instructions and data protection regulations. They are required to implement appropriate technical and organizational measures to safeguard the data.

3.2 Data Protection Responsibilities Within the Organization:

  • Security and Confidentiality: Employees who access personal data are required to implement security measures, such as using encryption and strong passwords, to ensure that personal data is not exposed to unauthorized access.
  • Training and Awareness: All relevant employees receive ongoing training on their responsibilities for handling personal data, including how to process personal data securely, recognize phishing attempts, and respond to data breaches. This training must now include awareness of new rights under the PDPA Amendment 2024, such as the right to object to processing.

3.3 Rights of Access and Correction

  • The DPO will oversee the process for responding to data subject rights requests, including the right to access, correct, or delete personal data, as well as the new right to data portability introduced under the PDPA Amendment 2024.

3.4 Security Measures

  • The DPO ensures that appropriate technical and organizational measures are in place to protect personal data, including ensuring the encryption of sensitive data, securing networks, and regularly reviewing access controls.

Source of your personal data

Registration is not required for you to use our Website. If you are merely a visitor, we do not collect any personal information about you. However, there may be circumstances in which you choose to register for ongoing updates from us or wish to send us an enquiry or feedback.

Your personal data may also be collected from various sources, including information you have provided us in our application form or other means, information from third parties, information in the public domain, social networks, in-person seminars and staff’s personal contacts. We may verify or source personal information about you from third party sources (both public and private) such as world check, credit bureaus or credit reference agencies, Registrar of Companies, Insolvency Department, legal representatives, industry / financial related associations and social networks.

As per the PDPA Amendment 2024, explicit consent is required for certain types of third-party data sourcing. BG will seek explicit consent from data subjects when collecting personal data from third-party sources, and will ensure that such data collection is transparent and clearly communicated to the data subject.

Personal data processed by us

This may include your name, occupation, identity card or passport number, race or ethnic origin, nationality, residential and business addresses, company’s name, telephone and fax numbers, email address, wealth information and any other personal data required for the purposes set out below. In some situations, we may request a resume or curriculum vitae which includes your work experience, academic qualifications, professional memberships and references.

We do not intentionally collect any sensitive personal data unless legally required to do so, for example for recruitment purposes. Sensitive personal data includes physical or mental health, political opinions, religious or other beliefs of a similar nature, criminal records, personal income tax file number, social security numbers, employee provident fund numbers and in some cases financial information.

Sensitive personal data now includes biometric data and genetic information, as introduced by the PDPA Amendment 2024. If biometric data is collected for identity verification or other purposes, explicit consent will be obtained from data subjects. This data will be retained for no longer than necessary and protected using appropriate technical and organizational measures.

Such personal data will remain confidential. We will not share your information for commercial purposes with third parties unless you give us your prior permission to do so. We will take such reasonable steps to protect the confidentiality of your information and to safeguard your privacy.

Information use and Purpose

BG collects, processes and retains such of your personal data as is necessary to perform its functions and activities, which include:

  1. Provide information about our services and solutions as requested by you;
  2. Processing any applications that you have submitted to us;
  3. Providing you our services and/or solutions which you have subscribed for and notifying you about important changes or development to the features;
  4. Communicating with you on confirmation of your personal data, updating and managing the accuracy of our records;
  5. Notifying you of any developments, updates, training, seminar and other events from time to time;
  6. To communicate with you and respond to your enquiries or complaints;
  7. Marketing, promotional materials or communications regarding services and solutions provided by us or our Network that we feel may be of interest to you;
  8. Feedback on our services or for market or other research purposes;
  9. Protect our interests and that of our users and where appropriate, to comply with legal process;
  10. Prevention, detection or prosecution of crime, and complying with legal and regulatory obligations;
  11. Such other administrative purposes which relate to the above.

If you receive a marketing e-mail from BG, you will be provided with an automated way to opt out (unsubscribe) (Appendix I) from that particular communication or from all marketing e-mails sent by us. Please follow the instructions on the e-mail you received.

Disclosure of information

BG may share your personal information among companies within the Group, our Network, third party service providers, banks or financial institutions or other third parties in order to provide you with information that could be of interest to you and conduct market or other research. We may also in limited circumstances share personal information with regulatory bodies, government agencies, the police, law enforcement bodies and courts and such persons or bodies to whom we are legally required to disclose.

In compliance with the PDPA Amendment 2024, BG will also conduct a Data Protection Impact Assessment (DPIA) before transferring personal data to third parties outside Malaysia.

All of these disclosures may involve the transfer of personal information to countries or regions without data protection rules similar to those in effect in your area of residence. By providing your personal information to us, you represent and warrant that you had or have consent to the disclosures described above or are otherwise entitled to provide the information to us.

No personal information should be disclosed to a third party (except for disclosure for the original purpose(s) intended at the point of collection) without consent from you (Appendix II).

Security Measures

BG has in place reasonable commercial standards of technical and organizational security measures to protect the security of your personal information against destruction, misuse, unauthorized access, disclosure or alteration.

To safeguard against unauthorized access to Personal Data by third parties, all electronic Personal Data held by BG is maintained on systems that are protected by secure networks. BG limits access to internal systems that hold Personal Data to a select group of authorized users who are given access to such systems through the use of a unique identifier and password. Access to personal data will now also be restricted to those with legitimate business needs, as per the PDPA Amendment 2024. Access to Personal Data is limited to and is provided only to relevant users for the purpose of performing their official duties.

Links to Other Web Sites

The privacy practices set forth in this Policy are for our Website only. This Website may contain links to other sites. BG is not responsible for the privacy practices or the content of such sites. If you link to or otherwise visit any other site, please review the privacy policies posted at that site.

Cookies and Passive Tracking

A “cookie” is an element of data that can be sent to your browser. Your browser may then store it on your system based on the preferences you have set on your browser. Cookies gather information about your operating system including, but not limited to, browser type, and Internet Protocol (IP) address. BG Website uses this information to analyze the traffic on our Website, and better serve you when you return to our Website. It is not our intention to use such information to personally identify a user. You have the option to configure your Internet browser to notify you when you receive a cookie, giving you the chance to decide whether to accept it. Further, you have the option to block all cookies. Please note, however, that if you refuse or otherwise block cookies you may not be able to use all of the functionality available on our Website.

You may wish to participate in the various blogs, forums, wikis and other social media platforms hosted by BG (“Social Media Platforms”) which we make available to you. The main aim of these Social Media Platforms is to facilitate and allow you to share content. However, we cannot be held responsible if you share personal information on Social Media Platforms that is subsequently used, misused or otherwise appropriated by another user.

BG may also provide links to other social media platforms maintained on separate servers by individuals or organizations over which we have no control. We make no representations or warranties regarding the accuracy or any other aspect of the information located on such servers.

A link to a third party’s website should not be construed as an endorsement by either BG or that third party of the other or its products and services. We make no representations or warranties regarding how user data is stored or used on third-party servers. We recommend that you review the privacy policy of each third-party site linked from our Website to determine their use of your personal data.

Rights of Access and Correction

If you have registered for any of our updates via email blasts, newsletters or marketing materials, you may request to access, correct and update your personal information or limit the processing thereof. If you do not wish to receive future updates from us, you may unsubscribe at any time.

As per the PDPA Amendment 2024, you now also have the right to request data portability, which allows you to obtain your personal data in a structured, commonly used and machine-readable format.

There are also cases where the personal data that we request from you is necessary for us to perform our functions and services in relation to the purpose for which your data is collected. Failure or refusal to provide the data, or a wish to limit the personal data you disclose, may render us unable to carry out those purposes for you. Also, the extent to which we can comply with your request without affecting our mutual rights and obligations in relation to the transaction depends on the stage of the transaction. If such rights or obligations are impacted, we may not be able to stop processing your personal data.

We are committed to ensuring that the personal data we hold about you is accurate, complete, not misleading and up-to-date. If there are any changes to your personal data or if you believe that the personal data we have about you is inaccurate, incomplete, misleading or not up-to-date, please contact us so that we may take steps to update your personal data.

You have the right to access your personal data. If you would like to request access to your personal data, please fill in the Access Request Form (Appendix III) and send it to us via email to the Personal Data Protection Officer listed at the bottom of the page. Please note that depending on the information requested we may have the right to charge a small fee for the processing of any data requested in accordance with the Act. We may also take steps to verify your identity before fulfilling your request for access to your personal data per the PDPA Internal Control Process Flow as illustrated in Table 1.

Table 1: Access Request Flow Chart

Retention

BG will keep your personal data for the duration of time needed to carry out the purpose for which your personal data was collected and also for the other purposes set out in this Privacy Policy, including handling enquiries, audit, complaints or legal proceedings and marketing purposes. We will also abide by legal, tax and other regulatory and industry requirements/guidelines for keeping records, including our retention of record policy, i.e. for not less than six (6) years.

As per the PDPA Amendment 2024, the retention period for the personal data should now be periodically reviewed to ensure it is still necessary for the purpose it was collected.

Changes to our policy

BG may modify or amend this Privacy Policy from time to time at our discretion. Please check this page periodically to be informed about how we are protecting your information. We also display the effective date of the policy at the bottom of this page.

Questions or Comments

If you have any questions or concerns regarding your privacy or if you need assistance accessing or updating your personal information, please contact us via email:

Notices and Communications

In the event you have any enquiries, please contact:

Personal Data Protection Officer
Brighton Management Limited
Brighton Place
Lot U0213 – U0215,
Jalan Bahasa,
P.O. Box 80431,
87014 FT Labuan, Malaysia
Telephone No. : +6087 442899
Fax No. : +6087 451899
E-mail :

All communications to BG must be made in writing, legible and contain your full name, current address, NRIC number and contact particulars. BG reserves the right not to entertain any notices or communications which do not contain the foregoing particulars, are illegible, incomprehensible or where the party concerned cannot be contacted or where contact particulars are found to be incomplete, inaccurate or in error.

Brighton Group
19 December 2025 (Updated)