GKASH PRIVACY POLICY

(ENGLISH VERSION)

INTRODUCTION

GKASH Sdn Bhd (Company No. 1014333-T) is a private limited company incorporated under the laws of Malaysia and is primarily in the business of providing internet payment services and other online payment methods including credit cards, debit cards, online and mobile payment solutions to electronic commerce (e-commerce) merchants. Given the nature of our business, we appreciate the importance of data protection and our team is at all times committed to ensure compliance with all relevant laws as well as this privacy policy (“Privacy Policy”).

Any reference to “GKASH”, “we”, “us” or “our” shall be a reference to GKASH Sdn Bhd and/or our data processor. If you are a corporate entity/partnership/organisation, references to “you” and “your” shall also include your shareholders, directors, employees, managers, officers, representatives, agents and partners, respectively.

This Privacy Policy serves as a notice pursuant to the Personal Data Protection Act, 2010 (“PDPA”) in respect of and during your use of any of the services on the platforms made available by GKASH. It explains the manner in which GKASH records, stores, processes, discloses, transfers and otherwise uses Data collected through its Platforms during the course of your use of the Services as well as the rights available to you as a data subject, on the handling of Data.

Reference to “Services” in this Privacy Policy includes (i) the GKASH eWallet, being an electronic wallet service offered by GKASH which allows its users to perform and conduct payment transactions using e-money stored in the GKASH eWallet; (ii) the GKASH business account which enables its
merchants to receive payments from their customers for goods and/or services provided to their customers; and (iii) such other services and functionality as GKASH may at any time from time to time offer and made available through the Platforms.

Data” for purposes of this Privacy Policy means any information collected by GKASH in relation to the use of the Services and it relates directly or indirectly to a data subject that is identified or identifiable from that information. Such Data may include name, electronic mail address, residential address, contact number, NRIC No./Passport No., date of birth, occupation, bank account details, etc. The types of Data collected depends on the purpose for the collection.

HOW DOES GKASH COLLECT YOUR DATA

Your Data will be collected vide our “Platforms”, which refers to (i) our website, www.gkash.my and the mobile version of the same operated and maintained by GKASH; and (ii) any of our smartphone and mobile application(s) (whether for businesses or users) developed, owned and made available by GKASH. By collecting, recording, storing, disclosing, transferring, transmitting or otherwise using the Data constitute an act of us “processing” your Data.

By using the Services and providing us your Data, it is deemed that you have read and understood this Privacy Policy and have agreed to our processing of your Data in accordance with this Privacy Policy. We would require the Data collected from you for the creation of your account with GKASH for our provision of the Services to you. Please note that, in addition to the Data obtained at the point of your registration with us, we may request and obtain additional Data about you during the course of your use of the Services.

We may also collect Data from you in any manner during your course of dealing with us as well as from your engagement with our customer support team or during events, seminars, conferences, talks, road shows, surveys organised by us and other publicly available resources. We may also collect your Data from our business partners (e.g. banking and financial institutions) and service providers (e.g. software support and maintenance service provider), during the course of processing your application for an account with GKASH or through cookies and web server logs. In doing so, we will exercise reasonable diligence and require the third party to confirm with us that your Data was obtained and provided to them legally.

Please take note that if you visit our Platforms as a guest without subscribing to the use of the Services, we may obtain your Data in a limited manner based on the technology associated to / available on our Platforms.

You are responsible for the accuracy and completeness of all Data provided by you to us (for which we have assumed), and that none of such Data is misleading or out of date. Should there be any changes/updates to your Data, you will promptly update us in writing in the manner indicated in this Privacy Policy.

In the case where Data of another data subject is provided by you (e.g. Data related to your family members, spouse or other dependent for emergency contact purposes), you confirm that you have explained or will explain to them the processing of their Data in accordance with this Privacy Policy and you represent and warrant the accuracy, truthfulness and completeness of their Data.

WHAT IS THE PURPOSE AND HOW DOES GKASH PROCESS YOUR DATA

The registration process in respect of the setting up of an account for the use of the Services requires the processing of the following information, as applicable:
(a) full name (as per NRIC for individual and as per company certificate for companies);
(b) NRIC number or company registration number;
(c) correspondence address;
(d) business address;
(e) nature of business;
(f) occupation and place of work;
(g) contact number and email address;
(h) credit card details or details of other payment method(s);
(i) bank account details (including name of bank and bank account number);
(j) password and user name created for your account in respect of the use of the Services;
(k) your IP address, browser type, other forms of online activity identifiable by your use of the Services; and
(l) any such information as our due diligence process would require.

The purpose for which GKASH may use your Data include amongst others the following and such purposes may be carried out by any means or methods as GKASH may deem fit, subject to the laws of the relevant jurisdictions:
(a) for the registration and opening of an account with GKASH for purposes of the Services;
(b) facilitating, dealing with, administering, managing and/or maintaining the provision of the Services to you;
(c) processing your payment request;
(d) receiving payment made into your account with GKASH, if applicable;
(e) as applicable, with your authority, to hold onto the amount credited into your business account with GKASH until you instruct us to release such amount into your nominated bank account;
(f) release of your money from your business account with GKASH into your nominated bank account;
(g) effecting the transmission of electronic funds from your eWallet with GKASH to the respective recipients of the electronic funds;
(h) receiving of payment of electronic funds made in your favour;
(i) responding, addressing or attending to your queries and/or requests and to take actions related to such queries and/or requests;
(j) topping up of your eWallet with GKASH;
(k) verifying the authenticity of your identity with a third party data holder or authorised verification body;
(l) in the case of any refunds, chargeback or investigation into the veracity of a payment made into your GKASH business account;
(m) carrying out rectification works on your GKASH eWallet and/or business account (when required);
(n) completing any transactions requested by you or carried out in your favour on any of the Platforms using your GKASH eWallet and/or business account;
(o) meeting any billing requirements and service charges;
(p) complying to any requirements or obligations of the laws of the relevant jurisdictions;
(q) adhering to any rulings, guidelines and orders imposed by Bank Negara Malaysia or any other regulatory body;
(r) subject to your consent given at the time of registration or at any time thereafter, provide any updates, promotions, or any activities or information in relation to the Services and/or GKASH, or through any of our appointed third party agencies, by way of text messages, phone calls, electronic mails, social media and/or any other appropriate channels of communication;
(s) carrying out any due diligence, background checks, or any other monitoring or scrutinising activities in accordance with relevant legal requirements or for purposes of risk management as may be required by the relevant laws;
(t) analysing customers feedback to identify user behaviours and customers’ profiling to improve and enhance our level and standard of services to you;
(u) sharing of your Data for purposes of seeking legal and/or financial advice and/or for purposes of commencing legal action (including for purposes of preparing such legal documentation);
(v) sharing of any of your Data with a third party business partner or service provider for purposes of a potential joint development of services or products;
(w) to detect and subsequently report to the relevant authority, a suspicious activity (such as activities which are fraudulent, illegal or prohibited) or to undertake any of our other reporting obligations imposed on GKASH as an electronic money issuer;
(x) to evaluate the functionality of our Services or any of its Platforms and to carry out upgrading works;
(y) for our storage, hosting back-up (whether for disaster recovery or otherwise) of your Data, whether within or outside of Malaysia; and/or
(z) other purposes required to maintain, administer and better manage provision of the Services to you.

DISCLOSURE AND TRANSFER OF DATA

Subject to the laws of the relevant jurisdictions, GKASH may disclose your Data to the following persons under any of the circumstances set out below:
(a) our shareholders, directors, employees, staff, subsidiaries (local or foreign), related entities (local or foreign), independent contractors, service providers, business associates, agents and any other agent who assists GKASH in processing the Data and manages the operation and
maintenance of the Services;
(b) the merchants or vendors that partner with GKASH in order to provide the Services to you;
(c) payment channels or entities such as banking, financial institutions, payment network or service providers or any other party involved in the process of assessing, verifying, effecting, facilitating and completing your payment transactions using the Services. This may include but is not limited to service providers providing credit services, processing services, logistics, data protection or management services;
(d) if required to do by operation of law or by regulatory or compliance bodies in order to identify risks or threats relating to fraud, money laundering, terrorism financing and/or any other illegal or criminal activities;
(e) auditors, accountants and/or solicitors in the preparation of documents of GKASH for statutory filing purposes or any other document required to be submitted to adhere to the statutory or regulatory compliance owed by GKASH to governmental authorities or compliance bodies;
(f) to the extent permitted by any relevant laws, any third parties (including financial advisers / legal advisers / professional advisers) carrying out due diligence review in connection with any proposed merger, acquisition, sale, reorganisation, joint venture or any other corporate activity related to GKASH or any of its subsidiaries, related or associated companies;
(g) any third party data processor or authorised verification body;
(h) data centres and/or servers, storage facilities and/or records managements companies located within or outside of Malaysia for purpose of storing your Data;
(i) government agencies, law enforcement agents, courts, tribunals, regulatory / professional bodies, if required to do so in satisfaction of any applicable law, regulation, order or judgement; and/or
(j) any other person which requires your Data in order to operate and maintain the Services. 

If required to provide the Services, GKASH may process your data to or with:
(a) our subsidiaries, related and/or associated companies abroad in order to process your payment or to effect, operate, maintain any part of the Services; or
(b) third party service providers who provides information technology storage facilities and services where your Data may be stored and managed.

We will take reasonable measures to procure compliance to this Privacy Policy by any foreign entities handling your Data to adequately protect the confidentiality and privacy of your Data. Except as indicated in this Privacy Policy, we will not sell, rent, transfer or disclose any of your Data to any third party without your consent.

RETENTION AND DESTRUCTION OF YOUR DATA

We will only process your Data in accordance with the PDPA and the applicable regulations, guidelines, orders and any statutory amendments or re-enactments made pursuant thereto as well as this Privacy Policy.

We will retain your Data for as long as any of the purpose indicated in this Privacy Policy subsists notwithstanding the termination of your account with us or the cessation of your use of our Services. Thereafter, we will delete from or keep anonymous your Data in our records and system unless otherwise required to be retained for legal, regulatory, tax or accounting requirements.

Notwithstanding the representations made in this Privacy Policy, you acknowledge that transmissions over the internet (e.g. emails/webmails/data transmission) are not secure unless they have been encrypted. As your internet communications may be routed through different countries before being delivered, we cannot guarantee a risk-free transmission and do not accept responsibility for any unauthorised access or interception or loss of Data that is beyond our reasonable control.

SECURITY OF DATA

In order to ensure adequate protection and measures are in place to protect your Data, we utilise various software, hardware, programming systems and/or servers and other information technology equipment which we deem reasonably suitable and fit for the purpose of storing and securing your Data.

Against compliance with the PDPA, we endeavour to take reasonable and practical measures to mitigate and reduce the risks of unauthorised exposure, destruction, accidental loss, damage and alteration, to your Data by restricting the access of any unidentified or unauthorised third parties to your Data. We may from time to time implementing appropriate and improve our technical, electronic and procedural security measures to safeguard your Data.

We caution that you keep your password safe and secure, and please do not share it with any third party. We do not accept responsibility for any unauthorised access to any of our Platforms and any interception or loss of Data that is beyond our reasonable control. If you have reasons to believe that your password has been compromised, please contact us immediately at any of our mode of contact provided in this Privacy Policy.

Our Platforms may contain links to external websites. GKASH is not responsible for the veracity of such websites and does not substantiate or endorse the content, information, services or any other details contained or featured on such external websites. You are advised to read the terms of use and/or privacy policy of such third party website(s) before accessing or using these websites.

YOUR RIGHTS TO ACCESS YOUR DATA

To the extent permitted under the PDPA and applicable laws, you have the right to request for access to or request for a copy of, your Data for purposes of checking, correcting or updating such Data.

Subject to the payment of a minimal fee as permitted under the PDPA, access to your data or correction of such data can be effected and processed (i) vide interactive services available on our Platforms; (ii) electronic mail to cs@gkash.my; (iii) by contacting our customer support team at 03-2242 4255; or (iv) by visiting our headquarters at Penthouse, Level 11, Tower 3, Avenue 3, The Horizon Bangsar South, No 8 Jalan Kerinchi, 59200 Kuala Lumpur during office hours.

Upon receipt of a request for correction of Data from you, we reserve the right to reject and demand that you resubmit your request if such correction cannot be effected due to insufficient information or such correction cannot be verified against the documents requested (as the case may be).

Please be informed that, subject to any legal restrictions and/or contractual conditions, you have the right to withdraw your consent to our processing of your Data with reasonable notice by sending an email to us at cs@gkash.my, indicating your intention to withdraw your consent. Upon such withdrawal of consent, GKASH reserves the right to cease provision of the Services and close your account with GKASH.

IF YOU REFUSE TO PROVIDE GKASH WITH YOUR DATA

The Services provided by GKASH to you fall within the ambit of Bank Negara Malaysia and related legislations and GKASH as the provider of the Services is subject to regulatory compliance in this regard. The processing of your Data may be mandatorily required to comply with applicable laws or voluntarily required to provide the best service level. In this respect, if you fail or refuse to provide and/or do not provide on the basis of not willing to consent to this Privacy Policy, we may not or will not (as the case may be) be able to register your account with GKASH and/or activate the Services or otherwise deal with you.

UPDATES TO OUR PRIVACY POLICY

We have the absolute right to modify, vary, update and/or amend all or any part of this Privacy Policy at any time from time to time with reasonable notice to you by publishing an updated version of this Privacy Policy on our respective Platforms. Any such modification, variation, update and/or amendments shall be effective at the end of the twenty one (21) days’ notice provided by GKASH to you and by continuing use of the Services and/or communication with us, you shall be deemed to have agreed and accepted our modified, varied, updated and/or amended Privacy Policy.

This Privacy Policy is prepared and issued in accordance with Section 7(3) of the PDPA in both the English and Malay language. In the event of any inconsistency or discrepancy between the versions, the English version shall prevail.

HOW TO REACH US

If you have any queries or concerns relating to this Privacy Policy or if you wish to have access to or correct your Data or make a complain, you may contact us at:

Address : Penthouse, Level 11, Tower 3, Avenue 3, The Horizon Bangsar South, No 8 Jalan
Kerinchi, 59200 Kuala Lumpur
Contact No : 03-2242 4255
Email Address : cs@gkash.my

Last Updated: [4 April 2019]