In view of the implementation of the Personal Data Protection Act 2010 (“Act“), Lacuna Labs Sdn. Bhd., via our product, Ombré App (Ombré) recognizes the need to process all personal data obtained in a lawful and appropriate manner. Ombré is committed in protecting the personal data supplied by a data subject to ensure compliance with the legal and regulatory requirements in accordance with the Act. This policy covers the processing of all personal data and sensitive personal data whose use is controlled by Ombré.
Roles and Responsibilities
The legal responsibility for compliance with the Act lies with Ombré who is the “data user” under the Act. Compliance with this Policy and the Act is the responsibility of all users and/or data subject of Ombré.
Data Collected & Purposes
During the course of Ombré‘s business and activities, Ombré may be required to process information of a data subject, including but not limited to the name of the individual, address, phone number, email address, pictures and/or any other information that may be from time to time determined by Ombré. Information identifying in combination with other information even if such information cannot identify such individual on its own. Such information may be collected online or offline.
The personal data collected by Ombré may be used inter alia for the following purpose*:-
- Providing customer care and enhancing customer satisfaction, including but not limited to, resolving complaints, dealing with and/or responding to requests and enquiries and other services;
- Promoting, advertising and enhancing Ombré’s products and services;
- Human resources, employment and recruitment purposes;
- Storing and processing of personal data relating to the clients of Ombré in the data storage systems;
- Updating and managing the accuracy of the Ombré‘s internal record, including but not limited to administration, processing and matching any personal data held which relates to data subject for any of the purposes listed herein;
- Billing, taxation and/ or auditing purposes;
- Information and security purposes, including but not limited to managing and administering e-mail, handling and investigating any security related issues, vulnerability, and/or incidents;
- Facilitating business asset transactions (which may extend to any merges, acquisitions or assets sales) invoicing any of the related corporations or affiliates of Ombré;
- Legal purposes (including but not limited to obtaining legal advice and dispute resolution);
- Disclosing personal data to the government authorities and/or authorised third party(ies) as required by law and/or within the responsibility of Ombré; and
- As reasonably contemplated by the nature of any transaction.
*This list is not exhaustive.
Consent of Individual
Ombré may only process personal data with the consent of the data subject whom the personal data concerns and/or if the processing of the personal data is for the performance of Ombré’s duty to which the data subject is a party.
Disclosure of Information
Ombré requires all data subject to be vigilant and exercise reasonable caution when asked to provide any personal data to a third party. In particular, Ombré must ensure that personal data is not disclosed either orally or in writing to any third party(ies) without express prior consent of the authorized individual.
However, as and when it is reasonably required, the personal data in the possession of Ombré may be only disclosed to the following third party(ies):-
- Authorised agents, contractors and third party service providers who provide services to Ombré;
- External professional advisors and auditors;
- Governmental departments and authorities; and/or
- Any affiliated companies of Ombré.
Personal data will not be transferred outside Ombré and in particular not a country outside of Malaysia unless:-
- Consent from the data subject is obtained;
- The country’s personal data protection laws provide an adequate level of personal data protection; and/or
- Adequate safeguards have been put in place in consultation with Ombré‘s authorised individual.
Ombré will ensure that any personal data which is collected, stored and processed, is stored securely and the practical steps are adopted to ensure the following:-
- Source documents are well kept;
- Paper-based records must not be left where third party(ies) can gain access to them; and
- Computerized personal data is protected by passwords.
When physical files or any forms relating to the data subject are no longer required, they will be shredded or bagged destroyed securely, and the hard drives consisting of those records will be erased off via secure electronic deletion pursuant to such standard procedure by the administration department.
Any employee of Ombré will not process any personal data belonging to any data subject, whether in softcopy or hardcopy, outside of the premises of Ombré unless prior approval is provided by the authorised individual.
Personal data obtained should not be kept longer than it is required for its purposes. Ombré has an obligation to ensure that the personal data of the data subject are destroyed and/or permanently deleted after a specified period of time.
Rights of Data Subject
A data subject has the following rights under the Act:-
- Request for access to personal data held on the individual, the purpose for which the personal data is being used and those to whom it has, or can be disclosed to;
- Prevent data processing that is likely to cause distress or damage;
- Take reasonable action to stop the use of, rectify, erase, and/or dispose of inaccurate personal data; and
- Withdraw their consent given to Ombré.
Any individual who intends to exercise the abovementioned rights shall make a written request to Ombré. Ombré may, upon further reviews and considerations, comply with the request and/or take reasonable steps not later than 21 days from the date of receipt of such request.
Changes to this Policy
Ombré has the right to change this policy at any time. Ombré will announce any changes on the app and/or website from time to time. This policy is not a contract, nor does it suggest any obligation on our part with another party.