About This Privacy Policy and PDPA
Global Enrichment Programme Sdn. Bhd. (“GEP”, “we”, “us” or “our”) is committed to complying with the Personal Data Protection Act 2010 and the Personal Data Protection (Amendment) Act 2024 (collectively, the “PDPA”) in protecting personal data processed by us. This Privacy Policy explains our policies and practices in relation to the collection, use, disclosure, storage and protection of personal data before you provide such data to us through https://thegep.com (the “Website”) or in connection with our programmes, services, events or communications (collectively, the “Services”). The term “You” refers to the owner of the personal data, including a parent or legal guardian where the data relates to a minor.
Definition of Personal Data
“Personal Data” means any information that identifies or can be used to identify, contact or locate an individual, including but not limited to name, address, contact details, email address, identification information, financial or payment-related information and other information associated with an identifiable individual. Personal Data does not include information collected anonymously or aggregated information not connected to an identified individual.
Source of Personal Data
Most personal data processed by us is provided directly by you through enquiries, registrations, applications, programme participation forms, communications or other requests relating to our Services. In some circumstances, personal data may also be obtained from third parties, including programme partners, service providers, publicly available sources, or parents or legal guardians where the data relates to minors. Personal data may also be collected automatically through cookies and similar technologies when you access or use the Website.
Personal Data Collected
We may collect basic user profile and usage information from all visitors to the Website. In addition, we may collect further Personal Data from users who register for, enquire about, or participate in our Services, including names, addresses, contact numbers, email addresses, information relating to the nature and size of a business or organisation (where applicable), programme or event participation details, billing or payment-related information, marketing preferences, communication records, and other information relevant to the Services that you intend to access, purchase, participate in, evaluate, or receive updates about.
Where certain Personal Data is required to process a request, administer a programme, communicate with you, or provide Services (including marketing or informational communications), failure to provide such data may result in our inability to proceed with the relevant matter or to keep you informed of relevant programmes, events, or opportunities.
Sensitive Personal Data
In limited circumstances, we may collect or process Sensitive Personal Data as defined under the PDPA, which may include information relating to health, physical or mental condition, religious beliefs, biometric data, or other categories prescribed under applicable laws. Such data may be provided voluntarily by you, or by a parent or legal guardian in the case of minors, for purposes connected with programme participation, safety, accessibility, or compliance with legal or regulatory requirements. Sensitive Personal Data will only be processed where necessary, for lawful purposes, and with your explicit consent unless otherwise permitted or required by law. Enhanced safeguards are applied, access is restricted on a strict need-to-know basis, and such data will not be used for marketing purposes.
Payment and Financial Information
Where applicable, we may collect and process payment-related information for the purpose of processing programme fees, event charges or other payments in connection with our Services. Such information may include payer name, billing details, transaction reference numbers, payment status and other information necessary to facilitate payment, reconciliation and record-keeping.
Payments may be processed directly by us or through third-party payment processors, banks or financial institutions appointed by us. Where third-party payment service providers are used, such providers may collect and process payment information in accordance with their own privacy policies and security standards. We do not control the independent data practices of such third parties.
We do not store complete credit card numbers or sensitive payment authentication data on our systems unless expressly required and permitted by law. Any payment-related information processed by us is handled using appropriate security measures and is accessed strictly on a need-to-know basis. Payment information will be used solely for payment processing, compliance, reconciliation and related administrative purposes, and will not be used for marketing.
Parties Collecting Personal Data
In addition to Personal Data collected directly by us, third-party service providers engaged by us, such as payment processors, financial institutions, technology providers, analytics providers or other vendors, may collect Personal Data in the course of providing their services. Please note that we do not control the independent data practices of such third parties.
Use of Personal Data
Personal Data is processed to administer, operate, maintain, and improve the Website, manage and deliver our Services, process registrations, applications, and participation, respond to enquiries, provide requested information, and communicate programme-related updates or operational notices.
Where applicable and subject to applicable laws, Personal Data may also be used to:
- inform you about programmes, opportunities, events, promotions, or initiatives relevant to our Services;
- conduct internal administration, record-keeping, reporting, audit, analytics, and service improvement;
- support marketing, outreach, engagement, and communications activities; and
- comply with legal, regulatory, audit, security, and risk-management requirements.
- Marketing and promotional communications will be carried out in accordance with applicable laws, and you may opt out of receiving such communications at any time.
Disclosure of Personal Data
We keep Personal Data confidential unless disclosure is permitted or required by law or you have given consent. Personal Data may be disclosed, shared, transferred or otherwise made available, on a need-to-know or appropriate basis, to our employees, service providers, professional advisers, programme partners, our holding companies, subsidiaries, affiliated entities, related companies (whether within or outside Malaysia), shareholders, joint-venture partners, strategic partners, and any entity within the same corporate group, as well as to regulators, statutory bodies, government authorities or law enforcement agencies, where such disclosure is necessary or appropriate for the provision, administration, operation, management, improvement or restructuring of our Services, internal administration, risk management, audit, compliance, corporate transactions, or any other purpose consistent with this Privacy Policy or permitted under applicable laws.
We may also disclose Personal Data where reasonably necessary to protect our rights, property or safety, or the rights, property or safety of our users or others, or in connection with any merger, acquisition, reorganisation, sale of assets or business transfer involving us or any of our related entities. Aggregated or anonymised information that does not identify individuals may be shared without restriction.
Mandatory and Optional Information
Provision of Personal Data requested for the purpose of delivering our Services is generally mandatory unless stated otherwise. Failure to provide such information may prevent us from processing your request or providing the relevant Services. Provision of Personal Data for marketing or optional purposes is voluntary, and consent may be withdrawn at any time.
Cookies and usage Information
We use cookies and similar technologies to enhance functionality, analyse usage, understand user preferences and maintain security. Further information on how we use cookies, the types of cookies deployed, and how you may manage your cookie preferences is set out in our Cookies Policy, which forms part of this Privacy Policy and is available on our Website.
In addition, we may collect usage and login information such as IP addresses, browser types, device information, access times and pages visited to administer the Website, analyse trends, improve user experience and maintain security. You may disable cookies through your browser settings; however, certain features or functions of the Website may not operate properly if cookies are disabled.
Data Storage and Security
Personal Data is stored securely with appropriate administrative, technical and organisational safeguards in place. Access is restricted to authorised personnel on a need-to-know basis. Sensitive and payment-related information is protected using encryption and secure transmission protocols. While we take commercially reasonable measures to safeguard Personal Data, no system is completely secure and we cannot guarantee absolute security.
Data Retention
Personal Data will be retained only for as long as necessary to fulfil the purposes stated in this Privacy Policy or to comply with legal, regulatory or contractual obligations, after which it will be securely deleted or anonymised where practicable.
Rights of Data Subjects
You have the right under the PDPA to request access to, correction of, or withdrawal of consent for the processing of your Personal Data, subject to applicable legal limitations. Requests may be subject to verification and an administrative fee. Where requests are excessive, unreasonable, technically infeasible or require disproportionate effort, we may limit or decline such requests in accordance with the PDPA (Amendment) Act 2024. Requests for data portability will be considered where applicable and technically feasible.
Cross-Border Transfer of Personal Data
Your Personal Data may be transferred to service providers or partners located outside Malaysia where necessary for the performance of our Services. Such transfers will only take place where adequate safeguards are in place or with your explicit consent, in accordance with the PDPA.
Data Breach Notification
We take data protection seriously and have measures in place to safeguard Personal Data. In the event of a data breach that may pose a risk of harm, including identity misuse, fraud or significant distress, we will notify affected individuals and, where required, the Personal Data Protection Commissioner, in accordance with the PDPA (Amendment) Act 2024. Reasonable steps will be taken to investigate, mitigate and prevent recurrence.
Deletion or Deactivation of Personal Data
You may request deletion or deactivation of your Personal Data. Due to backup, archival and legal retention requirements, complete deletion may not always be possible. Where deactivated, Personal Data will be functionally removed from active use and will not be used except as required by law.
Changes to This Privacy Policy
This Privacy Policy may be reviewed and amended from time to time. Updates will be published on the Website and will take effect upon publication. You are encouraged to review this Policy periodically.
Links to Other Websites
The Website may contain links to third-party websites not operated or controlled by us. We are not responsible for their privacy practices and encourage you to review their respective privacy policies.
Contact
For enquiries, access requests, corrections, consent withdrawal or other data protection matters, please contact us at hello@thegep.com.