Privacy Statement

Gentari Sdn. Bhd. (“Gentari”, “we”, “our” “us”) are committed to protecting and respecting your privacy.

This Gentari Privacy Statement (“Privacy Statement”) explains what personal data we collect about you, when and why we collect it, how we use it, the conditions under which we may disclose it to others, your rights to your personal data and how we keep it secure.

This Privacy Statement covers both our online and offline collection activities, including personal data that we collect through online platforms such as websites, applications, third party social networks or our online and physical events, or through other third parties that we work with.

Please read this Privacy Statement carefully to understand our views and practices regarding your personal data.

‍

WHO WE ARE

Gentari is focused on delivering the solutions required to put clean energy into action today, to transform how we live tomorrow.

‍

INFORMATION GATHERING AND USAGE

If you are an employee or work for Gentari and/or Petroliam Nasional Berhad and its group of companies, including its subsidiaries and controlled companies (“PETRONAS”), we shall provide a separate statement to inform you how your personal data is used.

Your personal data may be collected directly from you or from other sources such as our customers, clients, their counterparties and representatives, third parties such as regulatory authorities, government agencies, credit reporting agencies, recruitment agencies, providers of pre-engagement screening services, your employer or other referees, social network information, publicly available records, or other third parties that we work with. We may aggregate personal data from different sources such as online and offline collection points, though in relation to personal data that you have provided, we will only do so for purposes which are consistent with the purposes for which you have provided that personal data.

Aggregated data which may be derived from your personal data but is anonymized is not considered personal data in law, as this data will not directly or indirectly reveal your identity. For example, we may aggregate data related to usage of our website to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal data in a way which does directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Statement. If you are an existing customer or vendor of ours, or a representative of an existing customer of ours, further details about how we use your personal data are set out in your/ your employer’s customer contract with us. We may provide further notices to you at the point we collect your personal data, which will highlight any further information relating to our use of that personal data, and, where applicable, provide you with the ability to opt in or out of selected uses.

If you are based in the European Economic Area (“EEA”) or United Kingdom (“UK”) during your interactions with us (other than solely for travel purposes whereby you are not resident in the EEA or UK), the laws in those countries require us to provide you with additional information about our processing activities. We have included this information in Appendix A.

If you are based in a country or territory outside the EEA or UK during your interactions with us (other than solely for travel purposes whereby you are not resident in the EEA or UK), then subject to the applicable data protection laws, by providing us with your personal data, you agree and consent to the collection, use and disclosure of your personal data by us for some or all of the purposes mentioned in this Privacy Statement, where applicable.

1. Types of Personal Data Collected and How we collect it

We will collect and process all or some of the personal data as follows. We describe certain kind of data (defined below) as Special Category Data.

• Personal data that you provide to us, such as when using the contact form on our website, providing feedback, your correspondence with us or when you interact with any of our social media channels (which may include when you like or comment on a post);

We may collect current and historical personal data including your name (including any prefix or title), contact information (such as your address, email address, telephone number, nationality, identification number such as passport number, birth date, gender, organization, business interest, employment, position held), social media identifiers, Special Category Data (as defined below), billing and financial information (such as billing address, bank account and payment information) and enquiry or complaint details and such other information depending on the nature of business relationship or dealings you have with Gentari. “Special Category Data” means sensitive personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic, biometric, health, sexuality or sexual orientation, or relating to criminal convictions or offences. Special Category Data receives a higher level of protection in some jurisdictions such as EEA and UK. Collection and processing of Special Category Data will entail different requirements from jurisdiction to jurisdiction in accordance with applicable local laws.

• Information you provide when applying for a role, work placement which include internship or during open day or recruitment event or as a beneficiary

In any of the above circumstances, we collect your CV or résumé which may include your contact details (such as name, address, email address and telephone number), education information (such as field of study, university and country of study, academic scores and achievements, personal certifications), employment history, racial or ethnic origin, nationality, financial information (such as parents or beneficiaries income, bank account name and number), photographs or profile picture and any other supporting documents or information as submitted by you or on your behalf during the application process.We carry out pre-screening of applicants to whom we intend to make an offer of employment, scholarship, or internship or to receive grants as beneficiaries (as appropriate). We may also undertake criminal records or financial probity checks or other independent searches to assess your suitability for the position were permitted by, and in accordance with, applicable law. Special Category Data may be processed strictly in accordance with applicable local laws.

• You (or someone you act for) have a relationship with us

If you are or act for or are related to our customers and clients, where you are our counterparty or provide services to our counterparty and where you or the organization you work for is a regulator, government agency, judiciary, legislative or other law enforcement agency, we may collect and process your personal data based on your relationship with us. The types of personal data include contact information (such as name, address, email address and telephone number); identification information (such a national identification number, passport number, date of birth); business information (such as name of organization, job title, department, business address, organization structure, shareholding or directorship); any recordings captured through our communication platform (such as Microsoft Teams or Zooms, etc.), details in business registration documents, third party due diligence, documents, credit checks, financial details including bank account details and bank account statement; demographic information and interests which will include any information that describe your demographic and behavioral characteristics (such as date of birth, age or age range, geographic location, personal preferences (e.g. food), medical condition (e.g. allergies), hobbies or interests and household or lifestyle information).

• Website and Online communication usage

Details of your visits to our website and information collected through cookies and other tracking technologies including, but not limited to, your log-in information, IP address and domain name, your browser version and operating system, information about your device, traffic data, location data, web logs and other communication data, and the resources that you access. We use the following cookies:

• Analytical or performance cookies. These allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.

You can find more information about the individual cookies we use and the purposes for which we use them in the table below:

You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our website.

If any part of our website links you to external websites, those websites do not operate under this Privacy Statement, and we do not accept any responsibility or liability arising from those websites. We recommend that you read the privacy/personal data protection statement/policy posted on those external websites in order to understand their procedures for collecting, processing, using and disclosing personal data and before submitting your personal data to those websites.

We may also collect information you provide in completing online subscriptions or registration and any online application forms or when you report a problem, raise a query, or provide feedback on our online services.

• Visitors to any of our offices, premises, or events

When you visit our offices or premises, we may collect and process your personal data in connection with your visit. Such personal data will include your contact information (such as name, address, email address and telephone number), identification information (such as national identification number, passport identification number or driver’s license information); business information such as name of organization, reason for visit, date and time of visit, biometric and facial recognition, and access limitations.

Where we have installed CCTV in our offices, your image may be captured and recorded when you visit our premises that are protected by CCTV. Additionally, your image may be captured via photographs or videos taken by us or our representatives when you attend our events.

Our CCTV use is not intended to target or monitor any individuals but to provide a safe and secure workplace environment in the relevant premises.

During a health crisis or disease outbreak we may collect Special Category Data on your health and physical condition, health condition of individuals in your household, results of your health assessment, quarantine, and hospitalization information and any other information required or recommended to be held in connection with control or management of such health crisis or disease outbreak.

2. The Purposes for Collection of Personal Data

We may use personal data that we obtain for any of the following purposes:

• To communicate effectively with you and conduct our business

To conduct our business, including to respond to your queries or resolve any disputes, which may arise in connection with any dealings with us, to otherwise communicate with you, or to carry out our legal obligations arising from any agreements entered into between you and us, or to maintain and update internal contact lists to effectively communicate with you.

• To update you on contests, marketing information and promotions

To provide you with updates and offers including facilitating your participation in any technology challenges, contests, roadshows, promotions, campaigns, and events. We may also use your information for marketing our own or our partner’s products and services to you by post, email, and phone calls. Where required by applicable data protection laws, we will ask for your consent at the time we collect your data to conduct any of these types of marketing. We will provide an option to unsubscribe or opt-out of further communication on any electronic marketing communication sent to you or you may opt out by contacting us as set out in the “Contacting Us” section below.

• Personalization (offline and online)

With your consent (where required), we use your personal data to (i) analyse your preferences and habits; (ii) to anticipate your needs based on our analysis of your profile; (iii) to improve and personalize our online and offline interaction with you; (iv) to ensure that the contents from our websites or applications are optimized for your computer and device; (v) to provide you with targeted marketing content; (vi) to better understand our business and pattern and trends relating to our products; (vii) to develop or further improve our product and services; and (vii) allow you to participate in interactive features when you chose to do so.

• To assess your application for a role in the organization or as beneficiary

To assess your application and pursuant to laws to which Gentari is subject (e.g., in relation to equal opportunities). This processing is a necessary pre-condition of entering into any future contract with you and for Gentari to fulfil its employment duties with respect to other employees and you yourself (should you be employed by Gentari). This could also include using your personal data to: carry out background and reference checks, communicate about the application process, keep records and comply with legal and regulatory requirements, and may also include use of Special Category Data in accordance with applicable laws.If you are unable to provide us with the information we request for this purpose, we may be unable to assess your appropriateness for the relevant application or to communicate with you. If your application is unsuccessful, we will keep your personal data in accordance with our internal policies and procedures and for administration and statistical analysis purposes.

• To carry out due diligence or Know Your Customer screening activities

To carry out due diligence assessment prior to entering into legal relationship with us, in accordance with legal and regulatory obligations or risk management procedures that may be required by law or may have been put in place by us.

• To monitor certain activities

To monitor queries and transactions to ensure service quality, compliance with procedures and to combat fraud, and to process any payments related to your commercial transaction with us.

• To ensure the physical security and safety of visitors to our offices or premises

To prevent loss, fraud, theft, injuries, terrorism, and other such events which may have an impact on health, safety and security from taking place at any of our premises.

• To notify you of changes

To notify you about changes to our services and products.

• To ensure that our website content is relevant

To ensure that content from our websites and any other microsites are presented in the most effective manner for you and for your device (which may include passing your data to business partners, suppliers and/or service providers).

• To re-organise or make changes to our business

In the event that we: (i) are subject to negotiations for the sale of our business or part thereof to a third party; (ii) are sold to a third party; or (iii) undergo a re-organisation, we may need to transfer some or all of your personal data to the relevant third party (and its advisors) as part of any due diligence process for the purpose of analysing any proposed sale or re-organisation. We may also need to transfer your personal data to that re-organised entity or third party after the sale or reorganisation for them to use for the same purposes as set out in this Privacy Statement.

• In connection with legal or regulatory obligations

We may process your personal data to comply with our regulatory requirements or dialogue with regulators as applicable which may include disclosing your personal data to third parties, the court service and/or regulators or law enforcement agencies in connection with enquiries, proceedings, or investigations by such parties anywhere in the world or where compelled to do so. Where permitted, we will generally direct any such request to you or notify you before responding unless to do so would prejudice the prevention or detection of a crime.

• Other circumstances

In other circumstances, such purposes that are necessary or directly related to your relationship with us or where it is permitted under the applicable laws.

Where we collect personal data from you, we will only do so for fulfilment of the purposes set out above. Failure to provide your personal data may mean that we are not able to effectively provide you with our products and/or services or to carry out any of the abovementioned purposes, if at all.

PROCESSING YOUR PERSONAL DATA, AND OBTAINING YOUR CONSENT

Where we rely on your consent for processing your personal data, you may withdraw your consent to this processing at any time, by contacting us by using the contact details below. Please note, however, that withdrawing your consent will not affect the lawfulness of processing based on your previously given consent (prior to withdrawal).

Where we process your personal data for direct marketing purposes, we will log any objection you make, and stop processing your data for direct marketing purposes.

There may be instances where we process your personal data for our legitimate interests or on the basis of other lawful grounds (i.e., because we have established a relationship with you and need to process your personal data in order to provide you with the information and/or services you have requested), without having obtained your consent – this applies where our processing activities are governed by the applicable laws of certain jurisdictions in which we operate that do not require consent to have been obtained where there are legitimate and/or other lawful grounds to process the relevant personal data.

We do not seek your consent in such cases largely so that we can provide you with services in an efficient way (or where in some cases it might not be possible for us to seek your consent because we must process personal data, for example, for the detection of fraud). Before processing your personal data, we will consider your rights and freedoms and will only commence such processing where we do not think your rights will be infringed.

The collection of your personal data by us may be mandatory or voluntary in nature depending on the purposes for which your personal data is collected. Where it is mandatory for you to provide us with your personal data, and you fail or choose not to provide us with such data, or do not consent to the above or this Privacy Statement, we will not be able to provide our products and/or services or otherwise deal with you and/or to assess and process your application.

PERSONAL DATA FROM MINORS AND OTHER INDIVIDUALS

To the extent that you have provided (or will provide) personal data about your family members, spouse, other dependents and/or other individuals, you confirm that you have explained to them that their personal data will be provided to, and processed by, us and where required by law, you represent and warrant that you have obtained their consent to the processing (including disclosure and transfer) of their personal data in accordance with this Privacy Statement.

In respect of minors or individuals not legally competent to give consent, you confirm that they have appointed you to act for them, to consent on their behalf to the processing (including disclosure and transfer) of their personal data in accordance with this Privacy Statement.

‍

INFORMATION SHARING

We may share the personal data that you provide to us to other entities in the PETRONAS group of companies for the purposes described above. Such affiliates may be located in a jurisdiction that may not provide a level of protection equivalent to that provided by the laws of your home country. Where such transfers occur, PETRONAS will reasonably protect personal data and address data privacy and other privacy requirements in accordance with applicable laws.

Information may also be shared with our service providers or third parties, in each case to the extent necessary for the purposes described above. Such third-party who we reasonably believe need to have access to your information to provide you with the information or services you request from us may include:

• our approved sub-contractors, business partners, suppliers, or other third-party organizations providing administrative, IT or other services to Gentari or any member of the PETRONAS group of companies;
• analytics and search engine providers that assist us in the improvement and optimization of our website;
• advertisers and advertising networks that require the data to select and serve relevant adverts to you and others;
• third parties in connection with the transfer of all or any part of our business or assets;
• our auditors, consultants, lawyers, accountants or other financial or professional advisers appointed in connection with our business on a strictly confidential basis, appointed by us to provide services to us;
• any party in relation to legal proceedings or prospective legal proceedings; or
• government agencies, law enforcement agencies, courts, tribunals, regulatory/professional bodies, industry regulators, ministries, and/or statutory agencies or bodies, offices, or municipality in any jurisdiction, if required or authorized to do so, to satisfy any applicable law, regulation, order or judgment of a court or tribunal or queries from the relevant authorities.

We will not otherwise use, share, disseminate, publish, or disclose your personal data except as may be required in response to litigation, investigations, or other legally required disclosures or or to protect our rights, property, or safety or of our customers, or others.

Transfers out of the EEA and UK

As part of the services offered to you either through the website or otherwise, the information which you provide to us may in some instances be transferred to countries outside of the EEA and UK. The data protection laws in such countries may not provide the same level of protection for your personal data as provided for under European and UK data protection laws. However, when we transfer your information outside of the EEA or UK in this way, we take steps to ensure that appropriate safeguards, required by law, are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this Privacy Statement. You can obtain further details about the transfer safeguards we use by contacting us at the contact details set out below.

If we transfer your personal data, we will always do so under strict conditions of confidentiality and similar levels of security safeguards.

WHERE WE STORE YOUR PERSONAL DATA

All information you provide to us is stored on secure servers or on the servers of third party IT service providers. We maintain appropriate administrative, technical, and physical safeguards to protect against loss, misuse or unauthorized access, disclosure, alteration, or destruction of the personal data you provide to us in accordance with applicable laws.

We may transfer your personal data to, or store it in, a destination outside of the jurisdiction of the entity to which you provided it. This is because Gentari and PETRONAS group of companies is a global business, with operations located in various jurisdictions, which uses third party service providers based in a number of locations worldwide.

Where we have to transfer your personal data to third countries, we will use appropriate approved safeguards in accordance with applicable laws.

PERIOD FOR WHICH WE STORE YOUR PERSONAL DATA

We will store your personal data for no longer than is necessary for the purposes for which it was collected or provided to us (unless a legal or insurance obligation requires us to keep it for longer period such as operational, legal, regulatory, tax or accounting requirements).

YOUR RIGHTS TO YOUR PERSONAL DATA

Please note that you have the following rights:

• Access. You may contact us at any time in order to request access to the personal data we hold about you. We will confirm whether we are processing your personal data, provide details of the categories of personal data concerned and the reasons for our processing. We can also provide you with a copy of your personal data on request though we will have to be mindful of the rights of others within any relevant records when doing so.
• Rectification. You can ask us to correct or complete your personal data by contacting us at any time. To the extent reasonably possible, we will inform anyone who has received your personal data of any corrections we make to it.
• Restriction. In certain circumstances, it may be possible to require us to limit the way in which we process your personal data (i.e. require us to continue to store your personal data, but not otherwise process it without your consent).
• Erasure. You may ask to have the information on your account deleted or removed, in certain circumstances. We will try to do so promptly, and, to the extent reasonably possible, we will inform anyone who has received your personal data of your request. However, we must keep track of certain transaction information, such as past purchases and similar information, for legal or tax compliance purposes, to satisfy insurance obligations or in the event of legal claims, so we may not be able to fully delete your information in certain circumstances.
• Receiving/transferring your personal data. In certain circumstances (where we process your data based on consent or pursuant to a contract with you, and the processing is carried out by automated means), you may ask us to send you the personal data we hold on you in an electronic, structured and user-friendly format, or you may ask us to send this data to another entity.
• Object. Where we are processing your personal data without your consent to pursue our legitimate interests, you may object to us processing your personal data. Where we are using your personal data to contact you for marketing purposes, you may object to such processing at any time.

• Automated decision-making. You have the right to be informed of any automated decision-making, including profiling, used in connection with your personal data, and we will provide information about the logic we apply, as well as the significance and consequences of such processing.

• Complaints. You have the right to lodge a complaint with the relevant data protection supervisory authority in the country where you are based or any place where you believe an infringement of your personal data has occurred. We encourage you to contact us before making such complaint to the relevant authorities, so that we can try to resolve any concerns you have.

SECURITY

We have security measures in place to help protect against the loss, misuse, and alteration of the information under our control. While we cannot guarantee that loss, misuse, or alteration to data will not occur, we ensure that our systems adhere to market security standard so as to help safeguard against such occurrences.

CHANGES TO OUR PRIVACY STATEMENT

Any changes we make to our Privacy Statement in the future will be posted on this page. Please check back frequently to see any updates or changes to our Privacy Statement.

LANGUAGE

In accordance with the requirement of Malaysian data protection and privacy law, this Privacy Statement is issued in both English and Bahasa Malaysia. In the event of any inconsistencies or discrepancies between the English version and the Bahasa Malaysia version, the English version shall prevail.

CONTACT DETAILS

If you have any questions, comments or request regarding this Privacy Statement or your personal data, or if you wish to contact a data protection officer for any of companies within our group, you may reach out to us at legal.compliance@petronas.com.my.

STAKEHOLDER RELATIONS

INFORMATION GATHERING AND USAGE FOR STAKEHOLDER RELATIONS PURPOSE

We may collect your personal data which you voluntarily provide to us such as your name, salutation, date of birth, gender, your business contact information such as your designation, organization, address, email address, telephone number, and such other information depending on the nature of business relationship you have with Gentari.

We may also collect your personal data from third party sources where your personal data has been made publicly available by yourself or by third parties (e.g. information published on your personal or official website, business card, online publications such as news reporting, corporate profiles, autobiographies, annual reports, social media postings) and from such other sources where you have given your consent for the disclosure of personal data relating to yourself (e.g. formal and informal engagements such as meetings, conferences, events organised by Gentari or third parties), or where otherwise lawfully permitted. From the aforesaid sources, we may derive further information such as your personal and professional profile, interests, preferences, persons related to yourself (e.g. family members, relatives, connected persons), publicly known political affiliations, insights or opinions, etc., all of which will be processed by us strictly for internal use by Gentari and/or PETRONAS group of companies for the purpose of managing our relationship with you only.

We may use personal data that we obtain for any of the following purposes (including but not limited to):

• Managing relationship and engagements with you as our stakeholder in general, and in particular to store basic stakeholder data, identify, assess and monitor stakeholders’ expectations and the issues that you may raise with us in one centralized stakeholder management system which records and monitors stakeholder and organisation profiles, engagements, issues, grievances and social investment activities.
• Assessing our engagements with you in order to improve our interactions.
• Personalising relevant communications with you in respect of personal details and contact information which you have provided to us for example sending out festive greetings and event invitation, ensuring appropriate protocol arrangement, distributing Gentari collaterals (e.g. annual report), providing business updates (e.g. updates on CSR activities).
• Providing corporate hospitality as part of enhancing stakeholder experience.
• Carrying out surveys, research, and feedback to help us better understand your requirements, interests, and concerns to help improve our business delivery to you and gauge brand/reputation perception and sentiments.
• In other circumstances, such purposes that are necessary or directly related to your relationship with us or where it is permitted under the applicable laws.

Where we collect personal data from you for stakeholder relation purpose, we will only do so strictly needed for fulfilment of one of the purposes set out above. In the event we do not receive your personal data, this may mean that we are not able to effectively address your requirements, interests, and concerns or to carry out any of the abovementioned purposes, if at all.

CONTACT DETAILS FOR STAKEHOLDER RELATIONS PURPOSE

Any questions and requests regarding this Privacy Statement or your personal data should be addressed to:

Address : Gentari Sdn. Bhd.

Tower 1, PETRONAS Twin Towers,

Kuala Lumpur City Centre,

50088 Kuala Lumpur,

Malaysia.

Email Address : enquiries@gentari.com

ANNEX A: United Kingdom / European Appendix

This Appendix applies if you are based in the EEA or UK during your interactions with us (other than solely for travel purposes).

It sets out the additional information that we are required to provide to you under UK and European Union (“EU”) data protection law.

Under EU and UK law, we are required to inform you of the “lawful bases” on which we rely to process your personal data. Below, we set out the “lawful bases” that we use as the basis for our use of your personal data for each of the purposes mentioned in the main Privacy Statement. You can find an explanation of each of the grounds relied on below:

How we use Special Category Data

Under EU and UK data protection laws, Special Category Data has greater protections.

Typically for UK/EEA-resident individuals, we will use your Special Category Data in the following ways:

• We will use information about your health status to consider whether we need to provide appropriate adjustments during the recruitment process, for example whether adjustments need to be made during a test or interview or other meetings with you. We process this personal data in connection with our rights and obligations under employment, social security or social protection laws, or in compliance with our legal obligations;
• We will use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting. We process this personal data in connection with our rights and obligations under employment, social security or social protection laws, or in compliance with our legal obligations;
• We may request certain health data from you when visiting our offices in the event of a health crisis or disease outbreak. We process this personal data on the basis of your consent; and/or
• We may collect information about your criminal convictions history if we would like to offer you a position at Gentari. We carry out criminal records check in order to satisfy ourselves that there is nothing in your criminal convictions history, which may make you unsuitable for the role. In particular, we may carry out background checks when required by law or because the role requires a high degree of trust and integrity. We process this personal data for the following reasons:

• Compliance with a legal obligation;
• Our legitimate interest to ensure those engaged by Gentari are fit to serve and kept safe;
• In connection with our rights and obligations under employment, social security, or social protection laws; and/or
• It is necessary for reasons of substantial public interest (such as detecting or preventing unlawful acts).

We have in place an appropriate policy document and safeguards, which we are required by law to maintain when processing such data.

Last updated: September 2022