GENERAL PRIVACY NOTICE
- This General Privacy Notice (“Notice”) explains how we may collect and use information that Keppel Corporation Limited, its related corporations and/or associated companies (“Keppel“) obtains about you, and your rights in relation to that information.
- Please read this Notice to understand how we will collect, use and process your personal data and the rights you have in relation to your personal data. This Notice may be amended from time to time. Please visit this page if you want to stay up to date, as we will post any changes in our approach to data privacy here.
- By visiting our website, by using our products and/or services and/or by your provision of information to us, you acknowledge the terms of this Notice and the use and disclosure of your personal data as set out in this Notice.
- If you have any questions in relation to this Notice, please contact us at the contact details found in Annex 3.
2. SCOPE OF NOTICE
This Notice applies to our processing of personal data in relation to the provision of any of our products and/or services, including:
- when you request information from us;
- when you engage our services and/or purchase our products;
- as a result of your relationship with one or more of our clients;
- where you apply for a job or work placement; and
- your use of our websites (including our associated sites) and online services (including our mobile apps, if any).
3. HOW YOUR PERSONAL DATA IS COLLECTED
- We generally collect your personal data directly from you when you are one of our customers. When you enter into a contract with us, you will be asked to provide personal data. This information is likely to include your name, address, date of birth, email address, phone number, financial and credit card information (this is not an exhaustive list).
- We may also collect personal data from you when you make transactions or otherwise interact with us, for example by contacting our customer service personnel or reporting a problem on our website.
- The categories and range of personal data we collect and hold will vary from customer to customer. However, our policy is to collect only the personal data necessary for the particular work or services.
Business contacts and suppliers
We collect certain limited personal data about our business contacts, including subcontractors and individuals associated with our suppliers and subcontractors, and service providers (including professional advisors and individuals associated with our service providers). Personal data collected in this context usually includes (but may not exclusively be limited to) name, employer name, contact title, phone, email and other business contact details.
- When you use our online services or visit our website, we may collect the following information from you directly and/or automatically:
- information you provide to us if you contact us, for example to report a problem with our online services or raise a query or comment; and
- details of visits made to our website such as the volume of traffic received, logs (including, the internet protocol (IP) address and location of the device connecting to the online services and other identifiers about the device and the nature of the visit) and the resources accessed.
Careers and Recruitment
- If you apply for a job or work placement you may need to provide information about your education, employment, nationality, and state of health. Your application will constitute your express consent to our use of this information to assess your application and to allow us to carry out both recruitment analytics and any monitoring activities which may be required of us under applicable law as an employer. We may also carry out screening checks (including reference, background, directorship, financial probity, identity, eligibility to work, vocational suitability and criminal record checks) and consider you for other positions. We may disclose your personal data (including diversity and equal opportunities data) to academic institutions, recruiters, screening check providers, health service providers, professional and trade associations, law enforcement agencies, recruitment analytics and diversity research providers, referees and your current and previous employers. We may also collect your personal data from these parties in some circumstances. Without your personal data we may not be able to progress considering you for positions with us.
Visitors to our offices and facilities
- We have security measures in place at our offices and facilities, including CCTV and building access controls.
- There are signs in our premises showing that CCTV is in operation. The images captured are securely stored and only accessed on a need to know basis (e.g. to look into an incident).
- CCTV recordings are typically automatically overwritten after 90 days unless an issue is identified that requires investigation (such as a theft).
- We require visitors to our offices or facilities to sign in at reception or security guard house and keep a record of visitors for 1 year. Our visitor records are securely stored and only accessible on a need to know basis (e.g. to look into an incident).
- In some cases, we require visitors to our offices or facilities to scan biometrics (for example thumbprints) at reception or security guard house and keep a record of the same for 1 year. Such records are securely stored and only accessible on a need to know basis (e.g. to look into an incident).
4. HOW YOUR PERSONAL DATA IS USED
We may use your personal information if:
- it is necessary for the performance of a contract with you;
- necessary in connection with a legal or regulatory obligation;
- you have provided your consent to such use;
- we consider such use of your information as not detrimental to you, within your reasonable expectations, having a minimal impact on your privacy, and necessary to fulfil our legitimate interests; or
- we are otherwise required or authorised by law.
We use your information to:
- provide and improve our services and products to you (including auditing and monitoring use of those services and products);
- maintain and develop our relationship with you;
- monitor and analyse our business;
- facilitate our internal business operations;
- fulfil our legal requirements (including in relation to anti-money laundering) and professional obligations;
- send you marketing materials;
- establish, exercise or defend legal rights.
We may not be able to do these things without your personal information.
We also use your personal data for the non-exhaustive list of purposes as set out in Annex 1 herein.
5. WHY WE COLLECT YOUR PERSONAL DATA
We collect, use and disclose your personal data for a number of reasons, including:
- to carry out our obligations as a result of any contract entered into between you and us and to provide you with the information and services that you request from us;
- to notify you about changes to the products and/or services that we offer and (where you have indicated your consent) to directly market these products and/or services to you;
- to administer our websites for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- to allow you to participate in interactive features of our products and services;
- as part of our efforts to keep our products and/or services safe and secure;
- to measure or understand the effectiveness of our advertising and marketing;
- for statistical and research purposes (including market research, marketing and data analysis purposes);
- to analyse your credit risk (if applicable);
- to handle payment and collection processes to and from customers;
- to ensure the effective operation of software and IT services procured by us (including disaster recovery);
- for anti-money laundering, prevention of terrorist financing, and identity verification purposes;
- to comply with licensing and regulatory requirements that are applicable to us;
- to carry out both recruitment analytics and any monitoring activities, screening checks (including reference, background, directorship, financial probity, identity, eligibility to work, vocational suitability and criminal record checks) on you as a job applicant;
- to disclose your (a job applicant’s) personal data (including diversity and equal opportunities data) to academic institutions, recruiters, screening check providers, health service providers, professional and trade associations, law enforcement agencies, recruitment analytics and diversity research providers, referees and your current and previous employers and to collect your personal data from these parties in some circumstances. and
- for other reasons with your consent.
We (and permitted third parties) may contact you for direct marketing purposes via social media, direct messages, post, telephone, email and SMS/MMS.
This marketing may relate to:
- Products and services we (or permitted third parties) feel may interest you;
- Information about other goods and services we offer that are similar to those that you have already used or enquired about;
- Upcoming events, promotions and new products and/or services or other opportunities as well as those of selected third parties; and
- If you no longer wish to receive marketing communications from us, you may click on the unsubscribe link on any marketing communication that you receive from us.
For clarity, any telephone calls that you make to us may be recorded for training or security purposes and may be stored and used to verify your instructions to us.
For information about the legal basis which allow us to do this, please see section  below.
6. WHO DO WE SHARE YOUR PERSONAL DATA WITH
We may share your personal data, in various ways and for various reasons, with the categories of entities or people listed in Annex 2 herein.
7. HOW WE SAFEGUARD YOUR PERSONAL DATA
- We care about protecting your information and put in place appropriate measures that are designed to prevent unauthorised access to, and misuse of, your personal data. These include measures to deal with any suspected data breach.
- We are committed to taking all reasonable and appropriate precautions and steps to protect the personal data that we hold from misuse, interference and loss, unauthorised access, modification or disclosure.
- We do this by having in place a range of appropriate technical and organisational measures, including, for example, the protection of passwords using industry standard encryption, measures to preserve system security and prevent unauthorised access and back-up systems to prevent accidental or malicious loss of data.
- We have a password policy to govern the use of the password. The storage of password in the system and the data-base are encrypted. We store important working data/files in our centralised Share Folder with access control and regular back up.
- We may use third party data storage providers to store personal data electronically. We take reasonable steps to ensure this information is held as securely as information stored on our own equipment.
- Unfortunately, there is always risk involved in sending information through any channel over the internet. If you send information over the internet, this will be entirely at your own risk. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted over the internet and we do not warrant the security of any information, including personal data, which you transmit to us over the internet.
- If you suspect any misuse or loss of or unauthorised access to your personal data please let us know immediately. Details of how to contact us can be found in Annex 3.
8. HOW LONG WE KEEP YOUR PERSONAL DATA
- We will not keep your personal data for longer than is necessary for the purposes for which we have collected it, unless we believe that the law or other regulation requires us to keep it (for example, because of a request by a tax authority or in connection with any anticipated litigation) or if we require it to enforce our agreements. The precise length of time will depend on the type of data, our legitimate business needs and other legal or regulatory rules that may require us to retain it for certain minimum periods. For example, we may be required to retain certain data for the purposes of tax reporting or responding to tax queries or where it might be relevant to any potential litigation.
- In general, we will retain your personal data for as long as we provide products and/or services to you and following that period, for as long as we provide you directly with any other products and/or services. In determining the appropriate retention period for different types of personal data, the amount, nature, and sensitivity of the personal data in question, as well as the potential risk of harm from unauthorised use or disclosure of that personal data, the purposes for which we need to process it and whether we can achieve those purposes by other means are considered.
- Once we have determined that we no longer need to hold your personal data, we will Delete it from our Systems. While we will endeavour to permanently erase your personal data once it reaches the end of its retention period, some of your personal data may still exist within our Systems, for example if it is waiting to be overwritten. For our purposes, this data has been put beyond use, meaning that, while it still exists in the electronic ether, our employees will not have any access to it or use it again.
9. RIGHT TO ACCESS, AMEND OR TAKE BACK THE PERSONAL DATA THAT YOU HAVE GIVEN
Under the GDPR, you have various rights in relation to your personal data which we hold, as set out below.
If you wish to exercise any of these rights, please contact us (see Annex 3). We will seek to deal with your request without undue delay, and in any event within one month (subject to any extensions to which we are lawfully entitled). Please note that we may keep a record of your communications to help us resolve any issues which you raise.
The GDPR gives you the following rights in relation to your personal data:
9.1 Right to object
- You have the right to object to us processing your personal data for one of the following reasons: (i) where it is within our legitimate interest; (ii) to enable us to perform a task in the public interest or exercise official authority; and/or (iii) to send you direct marketing materials; and/or (iv) for scientific, historical, research, or statistical purposes.
- The “legitimate interests” category above is the one most likely to apply in relation to our relationship, and if your objection relates to us processing your personal data because we deem it necessary for our legitimate interests, we will act on your objection by ceasing the activity in question unless we:
- have compelling legitimate grounds for processing which overrides your interests; or
- are processing your data for the establishment, exercise or defence of a legal claim.
9.2 Right to withdraw consent
- Where we have obtained your consent to process your personal data for certain activities (for example, for automatic profiling), you may withdraw this consent at any time and we will cease to carry out the particular activity that you previously consented to, unless we consider that there is an alternative legal basis to justify our continued processing of your data for this purpose, in which case we will inform you of the same.
9.3 Right to submit a data subject access request (DSAR)
- You may ask us to confirm what information we hold about you at any time, and request us to modify, update or Delete such information. We may ask you for more information about your request. We may refuse your request where we are legally permitted to do so, and we will inform you of the reasons for our refusal. If we provide you with access to the information we hold about you, we will charge you if your request is “manifestly unfounded or excessive”. If you request further copies of this information from us, we may charge you a reasonable administrative cost where legally permissible.
9.4 Right to erasure
- You have the right to request that we “erase” your personal data in certain circumstances. Normally, the information must meet one of the following criteria: the data is no longer necessary for the purpose for which we originally collected and/or processed them;where previously given, you have withdrawn your consent to us processing your data, and there is no other valid reason for us to continue processing;
- the data has been processed unlawfully (i.e. in a manner which does not comply with the GDPR);
- it is necessary for the data to be erased in order for us to comply with our obligations as a data controller under EU or Member State law; or
- if we process the data because we believe it necessary to do so for our legitimate interests, you object to the processing and we are unable to demonstrate overriding legitimate grounds for our continued processing.
- We would only be entitled to refuse to comply with your request for erasure for one of the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with legal obligations or for the performance of a public interest task or exercise of official authority;
- for public health reasons in the public interest;
- for archival, research or statistical purposes; or
- to exercise or defend a legal claim.
- When complying with a valid request for the erasure of data, we will take all reasonably practicable steps to Delete the relevant data.
9.5 Right to restrict processing
- You have the right to request that we restrict our processing of your personal data in certain circumstances. Upon acceptance of your request, we can only continue to store your data and will not be able to carry out any further processing activities with it until either: (i) one of the circumstances listed below is resolved; (ii) you consent; or (iii) further processing is necessary for either the establishment, exercise or defence of legal claims, the protection of the rights of another individual, or reasons of important EU or Member State public interest.
- The circumstances in which you are entitled to request that we restrict the processing of your personal data are:
- where you dispute the accuracy of the personal data that we are processing about you. In this case, our processing of your personal data will be restricted for the period during which the accuracy of the data is verified;
- where you object to our processing of your personal data for our legitimate interests. Here, you can request that the data be restricted while we verify our grounds for processing your personal data;
- where our processing of your data is unlawful, but you would prefer us to restrict our processing of it rather than erasing it; and
- where we have no further need to process your personal data but you require the data to establish, exercise, or defend legal claims.
- If we have shared your personal data with third parties, we will notify them about the restricted processing unless this is impossible or involves disproportionate effort. We will notify you before lifting any restriction on processing your personal data.
9.6 Right to rectification
- You also have the right to request that we rectify any inaccurate or incomplete personal data that we hold about you, including by means of providing a supplementary statement. If we have shared this personal data with third parties, we will notify them about the rectification unless this is impossible or involves disproportionate effort. You may also request details of the third parties that we have disclosed the inaccurate or incomplete personal data to. Where we think that it is reasonable for us not to comply with your request, we will explain our reasons for this decision.
9.7 Right of data portability
- The right of data portability applies to: (i) personal data that we process automatically (i.e. without any human intervention); (ii) personal data provided by you; and (iii) personal data that we process based on your consent or in order to fulfil a contract.
- You have the right to transfer your personal data between data controllers which means that you are able to transfer the details we hold on you to another employer or a third party. We will provide you with your data in a commonly used machine-readable format to allow you to effect such transfer. Alternatively, we may directly transfer the data for you.
9.8 Right to lodge a complaint with a supervisory authority
- You also have the right to lodge a complaint with your local supervisory authority. Details of how to contact them can be found in Annex 4.
If you would like to exercise any of these rights, or withdraw your consent to the processing of your personal data (where consent is our legal basis for processing your personal data), details of how to contact us can be found in Annex 3. Please note that we may keep a record of your communications to help us resolve any issues which you raise.
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during the period for which we hold your data.
10. WHO IS RESPONSIBLE FOR PROCESSING YOUR PERSONAL DATA
- You can find out which Keppel entity is responsible for processing your personal data and where it is located by following Annex 3.
11. STORAGE AND TRANSFER YOUR DATA INTERNATIONALLY
- In order for us to carry out the purposes described in this Notice, your data may be transferred to the following recipients located outside of your jurisdiction:
- between and within Keppel entities;
- to third parties (such as advisers and suppliers to the Keppel business or providers of benefits);
- to overseas candidates and clients;
- to clients within your country who may, in turn, transfer your data internationally;
- to a cloud-based storage provider; or
- to other third parties, as referred to in this Notice.
- We want to make sure that your data are stored and transferred in a way which is secure. We will therefore only transfer data outside of the European Economic Area or EEA (i.e. the Member States of the European Union, together with Norway, Iceland and Liechtenstein) where it is compliant with data protection legislation and the means of transfer provides adequate safeguards in relation to your data, for example (where applicable):
- by way of data transfer agreement, incorporating the current standard contractual clauses adopted by the European Commission for the transfer of personal data by data controllers in the EEA to data controllers and processors in jurisdictions without adequate data protection laws;
- by signing up to the EU-U.S. Privacy Shield Framework for the transfer of personal data from entities in the EU to entities in the United States of America or any equivalent agreement in respect of other jurisdictions;
- where we are transferring your data to a country where there has been a finding of adequacy by the European Commission in respect of that country’s levels of data protection via its legislation;
- where it is necessary for the conclusion or performance of a contract between ourselves and a third party and the transfer is in your interests for the purposes of that contract; or
- where you have consented to the data transfer.
- To ensure that your personal information receives an adequate level of protection, we have put in place appropriate procedures with the third parties we share your personal data with to ensure that your personal information is treated by those third parties in a way that is consistent with the law on data protection.
Cookies are small data files sent by a website to your computer that are stored on your hard drive when you visit certain online pages of our website.
13. LEGAL BASIS FOR USING YOUR PERSONAL DATA
There are a number of different ways that we are lawfully able to process your personal data. We have set these out below.
Where using your data is in our legitimate interests, except where such interests are overridden by your interests or fundamental rights or freedoms which require protection of personal data1
- We are allowed to use your personal data where it is in our interests to do so, and those interests are not outweighed by any potential prejudice to you.
- We believe that our use of your personal data is within a number of our legitimate interests, including but not limited to:
- To help us satisfy our legal obligations and compliance with any law and regulations that may be applicable to us or our businesses (for example, in relation to prevention of money laundering and anti-terrorism);
- To help us understand our customers better and provide better, more relevant services to them;
- To ensure that our service and/or our relationship runs smoothly;
- To help us keep our systems secure and prevent unauthorized access or cyber attacks; and
- To drive commercial value for the benefit of our shareholders.
- You have the right to object to us processing your personal data on this basis. We have set out details regarding how you can go about doing this in section  above.
Where you give us your consent to use your personal data2
- We are allowed to use your data where you have specifically consented. In order for your consent to be valid:
- It has to be given freely, without us putting you under any pressure;
- You have to know what you are consenting to – so we will give you enough information;
- You are asked to consent to one processing activity at a time – we therefore avoid “bundling” consents together so that you know exactly what you agree to; and
- You need to take positive and affirmative action in giving us your consent – we are likely to provide a tick box for you to check so that this requirement is met in a clear and unambiguous fashion.
- When you engage our services and/or purchase our products, enter into a relationship with us, apply for a job or work placement, use our websites or online services or register for an account with us (as may be applicable), we may ask you for specific consents to allow us to use your data in certain ways. If we require your consent for anything else in the future, we will provide you with sufficient information so that you can decide whether or not you wish to consent.
- You have the right to withdraw your consent at any time. We have set out details regarding how you can go about this in section  above and in Annex 3.
Where using your personal data is necessary for us to carry out our obligations under our contract with you3
- We are allowed to use your personal data when it is necessary to do so for the performance of our contract with you. For example, we need to collect your credit card and bank account details in order to be able to process your payments for the services and/or products we provide you.
Where processing is necessary for us to carry out our legal obligations4
- As well as our obligations to you under any contract, we also have other legal obligations that we need to comply with and we are allowed to use your personal data when we need to in order to comply with those other legal obligations. For example, we may be required to carry out anti-money laundering checks about our customers and we need to collect and use certain information about you in order to do
1Article 6(1)(f) of the GDPR
2Article 4(11) of GDPR
3Article 6(1)(b) of the GDPR
4Article 6(1)(c) of the GDPR
ANNEX 1 – PURPOSES FOR WHICH WE USE YOUR PERSONAL DATA
Providing products and/or services
We provide a range of product and/or services. Some of our products and/or services require us to process personal data in order to provide such products, services, advice and deliverables and to carry out our obligations arising from our contracts with you.
We process personal data in relation to our suppliers, service providers and their staff as necessary to receive the services in question. For example, where a supplier is providing us with facilities management or other outsourced services, we will process personal data about those individuals that are providing services to us.
Administering, managing and developing our businesses and services
We process personal data in order to run our business, including:
- managing our relationship with customers;
- developing our businesses and services (such as identifying customer needs and improvements in service delivery);
- promoting our goods and services;
- career and recruitment related activities;
- maintaining our own accounts and records;
- maintaining and using IT systems;
- hosting or facilitating the hosting of events; and
- administering and managing our website and systems and applications.
Security, quality and risk management activities
We have security measures in place to protect our and our clients’ information (including personal data), which involve detecting, investigating and resolving security threats. Personal data may be processed as part of the security monitoring that we undertake. For example, automated scans to identify harmful emails.
We monitor the services provided to customers for quality purposes, which may involve processing personal data stored on the relevant customer file.
We collect and hold personal data as part of our client engagement and acceptance procedures. As part of those procedures we carry out searches using publicly available sources (such as internet searches and sanctions lists) to identify politically exposed persons and heightened risk individuals and organisations and check that there are no issues that would prevent us from working with a particular client (such as sanctions, criminal convictions (including in respect of company directors), conduct or other reputational issues).
Providing our clients with information about us and our range of services
We use client business contact details to provide those individuals with information that we think will be of interest about us and our services.
Complying with any requirement of law, regulation or a professional body of which we are a member
We may be subject to legal, regulatory and/or professional obligations. We need to keep certain records to demonstrate that our services are provided in compliance with those obligations and those records may contain personal data.
ANNEX 2 – CATEGORIES OF ENTITIES OR PEOPLE WE SHARE YOUR PERSONAL DATA WITH
We may share your personal data with the following categories of recipients:
Your personal data will be used by us and disclosed to our group companies (including our Keppel headquarter in Singapore and all of its subsidiaries).
We may disclose your personal data:
- to regulators and law enforcement agencies (including those responsible for enforcing anti-money laundering legislations);
- in response to an enquiry from a government agency;
- to data protection regulatory authorities; and
- to other regulatory authorities with jurisdiction over our activities.
We may disclose your personal data to third party service providers who require access to such information for the purpose of providing specific services to us. These third parties will generally only be able to access your data in order to provide us with their services and will not be able to use it for their own purposes.
Professional advisors and Auditors
We may disclose your personal data to professional advisors (such as legal advisors and accountants) or auditors for the purpose of providing professional services to us.
In the event that we sell or buy any business assets, we may disclose your personal data to the prospective seller or buyer of such business or assets.
If Keppel or substantially all of its assets are acquired by a third party, personal data held by us about our clients will be one of the transferred assets.
ANNEX 3 – OUR CONTACT DETAILS
|Country||Relevant Keppel Entity||How you can get in touch with us:
You can write to us at the following address:
Alternatively, you can send an email to: [email protected]
|Singapore||Keppel Data Centres Holding Pte Ltd||
You can write to us at the following address:
Alternatively, you can send an email to: [email protected]
|Germany||Keppel Data Centres Germany Holdings GmbH||
You can write to us at the following address:
Alternatively, you can send an email to: [email protected]
- Delete – In this day and age it is virtually impossible to guarantee the permanent and irretrievable deletion of electronic data. In addition, as we have explained to you in this General Privacy Notice, sometimes we may be obliged by law or regulation, or need for risk-management reasons, to retain the ability to access certain elements of personal data. However, once your personal data reaches the end of its nominal retention period, or where we receive a valid request from you to erase it, we will put in place specific operational and Systems measures to ensure that your data is “put beyond use”, i.e. while the data will still technically exist on an archive system, we will ensure that it cannot be accessed by any of our operational Systems, processes or staff. Only a very small number of senior staff, in very limited and carefully prescribed situations, be able to restore your personal data so that it can be viewed for those legitimate purposes. Once we are clear that all relevant legally mandated retention periods have expired (which, for present purposes, we expect to be the period of  years), we will go the additional final step of undertaking a “hard delete”, whereby not even that very limited number of senior staff would be able to restore your personal data.
- General Data Protection Regulation (the “GDPR”) – a European Union statutory instrument which aims to harmonise European data protection laws. It has an effective date of 25 May 2018, and any references to it should be construed to include any national legislation implementing it.
- Systems – include telephone, computer, internet and Wi-Fi systems, software and portals, accounts and/or networks belonging, controlled or used by Keppel that are used to transmit, undertake and/or receive communications or are otherwise used in the course of Keppel’s business, including candidate portal software and CRM systems.