Privacy Policy PRIVACY POLICY PRIVACY POLICY 1. DEFINITIONS AND KEY TERMS 2. NAME AND ADDRESS OF THE DATA CONTROLLER 3. NAME AND ADDRESS OF DATA PROTECTION OFFICER 4. SSL OR TLS ENCRYPTION 5. SERVER LOG FILES 6. LEGAL BASIS FOR PROCESSING 7. PERIOD FOR WHICH PERSONAL DATA ARE STORED 8. CONTACT FORM 9. CONTACT 10. DATA PROTECTION FOR APPLICATIONS AND IN APPLICATION PROCESSESS 11. COOKIES 12. ANALYTICS WITH GOOGLE ANALYTICS 13. YOUR RIGHTS Privacy Policy Fäth Asia is committed to protecting the privacy of our website visitors, service users, individual customers, and customer personnel as one of our main priorities. This policy explains how the personal data of such persons is collected, stored, used, and disclosed by Fäth Asia. This Privacy Policy applies in this website where we are acting as a data controller and a data processor for the personal data of such persons; in other words, where we determine the purposes and means of the processing of that personal information. We use cookies on our website to enhance the performance and functionality of our website. It is used to identify your browser, provide analytics, and remember information about you such as your cookie and language preference. Insofar as those cookies are not strictly necessary for the provision of our website and services, we will ask for your consent to our use of cookies when you first visit our website as compliance with GDPR, CCPA, PDPA, and other similar legislations. You can find more information regarding Cookie or manage your cookie preference in our Cookie Policy. For website visitors and Service users from Singapore, kindly refer to this Privacy Policy. Faeth Singapore Pte. Ltd. External Privacy Policy 1. Definitions and Key Terms To help explain things as clearly as possible in this Privacy Policy, each time any of these terms are referenced, they are strictly defined as: 1. Company When this Privacy Policy mentions “the Company”, “we”, “us”, or “our”, it refers to Faeth Asia Pacific Sdn. Bhd. as the Data Controller and the Data Processor that determines the purpose and means of the processing of your personal data as defined in GDPR and PDPA. Faeth Asia Pacific Sdn. Bhd. 2464, Tingkat Perusahaan 6 Free Industrial Zone Perai 13600 Penang Malaysia 2. Cookies Cookies are small pieces of data designed to be a reliable mechanism for websites to remember stateful information or to record the user’s browsing activity that is generated by a website and stored on your device by the web browser. 3. Country Where Faeth Asia Pacific Sdn. Bhd. is based, in this case, in Malaysia. 4. Device Any internet-connected device such as a smartphone, tablet, computer, or any other device can be used to visit the website. 5. IP Address Every device connected to the Internet is assigned a number known as an Internet Protocol (IP) address. These numbers are usually assigned in geographic blocks. An IP Address can often be used to identify the location from which a device is connecting to the Internet. 6. Personnel Refers to individuals who are employed by Fäth Asia or are under contract to perform a service on behalf of one of the parties. 7. Personal Data Any information that directly, indirectly, or in connection with other information that allows for the identification of a natural person. 8. Service Refers to the services provided by Fäth Asia as described in the relative terms (if available) in this website and the website itself. 9. Third-Party Service Refers to advertisers, contest sponsors, promotional and marketing partners, and others who provide our content or whose products or services we think may interest you. 10. Website Fäth Asia’s website, which can be accessed via this URL: https://www.faethasia.com 11. You An individual or entity accessing and using the Service provided on the website. 2. Name and address of the Data Controller The Data Controller and Data Processor for the purposes of the GDPR, CCPA, PDPA, and other data protection laws applicable is: Faeth Asia Pacific Sdn. Bhd. 2464, Tingkat Perusahaan 6 Free Industrial Zone Perai 13600 Penang Malaysia Tel.: +60 (4) 380 0777 E-mail: faethasia.dpo@faeth.com Website: www.faethasia.com Mailing Address and Contact Number for Website Visitors and Service Users from Singapore: Faeth Singapore Pte. Ltd. 3 International Business Park #04-25 Nordic European Centre 609927 Singapore Tel.: +65 6355 0081 E-mail: faethasia.dpo@faeth.com Website: www.faethasia.com 3. Name and address of Data Protection Officer Faeth Asia Pacific Sdn. Bhd. 2464, Tingkat Perusahaan 6 Free Industrial Zone Perai 13600 Penang Malaysia Tel.: +60 (4) 380 0777 E-mail: faethasia.dpo@faeth.com Website: www.faethasia.com Mailing Address and Contact Number for Website Visitors and Service Users from Singapore: Faeth Singapore Pte. Ltd. 3 International Business Park #04-25 Nordic European Centre 609927 Singapore Tel.: +65 6355 0081 E-mail: faethasia.dpo@faeth.com Website: www.faethasia.com 4. SSL or TLS encryption Our website uses SSL or TLS encryption to protect transfers of confidential content you send us via this website, and for security reasons. That prevents third parties reading the data you send via this website. You can tell that the connection is encrypted by the ‘https:/’ in the address bar or the lock icon in your browser. 5. Server log files The website provider automatically collects and saves information that your browser automatically sends to us in server log files. They are: The date and time when you accessed the website The website from which the accessing system accesses our website (‘referrer’) The sub-pages an accessing system visits on our website The access method/function called by the requesting computer The input values sent by the requesting computer (e.g. file name) Access status of the web server (file sent, file not found, command not executed etc.) Browser types and versions used An Internet Protocol (IP) address, anonymised where applicable Other similar data and information to protect against hazards in the event of attacks on our IT systems. These data are not combined with other sources of information. Data are processed on the basis of Section 6 Subsection 1 b of GDPR, which permits processing of data to fulfil a contract or precontractual measures. This information is technically necessary to deliver the content of websites you requested correctly and are essential when using the Internet. We also use data to identify and track illegal access attempts and access to our web servers. The data are otherwise used only for anonymised access statistics to optimise the website. No access profiles are produced. This is only information that does not permit personal identification, as your IP address is not saved or is anonymised. The logged data are stored for 426 days and then deleted unless a detected web attack results in a civil or criminal prosecution of the attacker. 6. Legal basis for processing Section 6 I a of GDPR provides data controllers with a legal basis to process data for which the data subject gave consent to use such data for a specific purpose. If personal data must be processed to perform a contract in which the data subject is a contracting party, for example as is the case for processing that is necessary to deliver goods or provide miscellaneous services or consideration, processing shall be based on Section 6 I b of GDPR. The same applies for processing necessary precontractual measures, for example in cases of inquiries about products or services. If the data controller is subject to a legal obligation that requires processing of personal data, for example to fulfil taxation obligations, processing shall be based on Section 6 I c of GDPR. In rare cases, it may be necessary to process personal data to protect vital interests of the data subject or another natural person. For example, this would be the case if a visitor were injured on our premises, in which case we would have to inform a doctor, hospital or other third party of their name, age, health insurance data and other vital information. Processing would then be based on Section 6 I d of GDPR. Processing could ultimately also be based on Section 6 I f of GDPR. Processing not covered by any of the above legal grounds shall be based on these legal grounds if the processing is required to uphold legitimate interests of the data controller or a third party, provided the interests, fundamental rights and freedoms of the data subjects do not outweigh such interests. Processing of this kind is permitted in particular because it was specifically mentioned by European Legislator. Accordingly it took the view that a legitimate interest could be assumed if the data subject is a customer of the data controller (Recital 47 Subsection 2 of GDPR). 7. Period for which personal data are stored The criterion for duration of storage of personal data is the respective legal storage period. After expiry of the period, the corresponding personal data are deleted unless it is required to fulfil the contract or to prepare a contract. 8. Contact form We save the data sent in the contact form along with your contact details to enable us to answer your inquiry or to respond to any further concerns you may have. Your data are not passed on to third parties without your consent. Data are processed on the basis of Section 6 Subsection 1 a of GDPR, which permits processing of data based on consent. However, you can revoke your consent at any time without stating grounds. Informal notification by e-mail is sufficient to revoke consent. The legitimacy of data processing procedures prior to the revocation remains unaffected by the revocation. Data sent via the contact form shall be stored until you ask us to delete it, revoke your storage consent or storage is no longer necessary. Mandatory legal provisions or archiving periods remain unaffected. 9. Contact If you contact us (by e-mail or telephone), your user details are used to handle the contact request and process it in accordance with Section 6 Subsection 1 b of GDPR. The user details may be stored in our Customer Relationship Management System (CRM system) or similar inquiry organisation method. User details shall be stored until you ask us to delete them, revoke your storage consent or storage is no longer necessary. Mandatory legal provisions or archiving periods remain unaffected. 10. Data protection for applications and in application processes When you send us your application documents, we process your personal data to handle the application process. If you send us your application documents electronically, for example by e-mail or in a web form, we also process them electronically. The personal data you send shall only be used to handle your application for the position advertised. Only persons involved in the application process shall have access to your personal data. All employees entrusted with processing your data are obliged to treat your data as confidential. We do not pass your data on to third parties unless you consent to data forwarding or we are obliged to pass on data by law and/or official or court orders. If you share personal data with us as part of the application process, we divide them into the following data types and categories for collection, processing and/or use: Personal data (e.g. first name and surname, date of birth, address) Communication data (e.g. telephone number, e-mail address) Data on evaluation or assessment in the application process Data on education and previous professional career (e.g. school, vocational training, university degrees, doctorate, certificates) Information on other qualifications (e.g. language skills, PC skills, volunteer work) Application photo Information on salary expectations Application history If we conclude an employment contract with you, the data you sent will be stored for the purpose of the employment relationship in accordance with the legal regulations. If no employment contract is concluded with you, the data shall be deleted automatically 6 months after announcement of the rejection decision, unless the data controller has other legitimate interests that prevent deletion. Other legitimate interests in this sense include a burden of proof in a case pursuant to the German General Equal Treatment Act (AGG). 11. Cookies Our website uses cookies. You can learn more about the cookies we use in our Cookie Policy. 12. Analytics with Google Analytics This website uses various web analytics tools (such as Google Analytics) and other measurement tools (like MonsterInsights) to help analyze how users use the site. These tools use cookies, to collect standard internet log information and visitor behavior information in an anonymous form. The information generated by the cookie about your use of the website (including your IP address) is transmitted to Google and sometimes other vendors. This information is then used to evaluate visitors’ use of the website and to compile statistical reports on website activity for faethasia.com. We will never (and will not allow any third party) use the statistical analytics tool to track or collect any personally identifiable information of visitors to our site. The Web Analytics vendors do not associate your IP address with any other data held by them. Neither we nor the web analytics Vendors will link, or seek to link, an IP address with the identity of a computer user. We will not associate any data gathered from this site with any personally identifying information from any source unless you explicitly submit that information via a fill-in form on our website. 13. Your rights Right to confirmation You have the right to request confirmation from the data controller whether the corresponding personal data has been processed. Right to restrict processing You have the right to demand that the data controller restricts processing if one of the following conditions is met: The accuracy of the personal data is disputed by the data subject, for a period that allows the data controller to assess the accuracy of the personal data. Processing is not legitimate, the data subject rejects erasure of the personal data and instead requests restriction of the use of the personal data. The data controller no longer requires the personal data for processing, but the data subject requires it to assert, exercise or reject legal claims. The data subject has objected to processing per Section 21 Subsection 1 of GDPR and it has not yet been stipulated whether the data controller’s legitimate grounds supersede those of the data subject. Right to object You have the right to object to processing of your personal data in accordance with Section 6 Subsection 1 e or f of GDPR at any time. This shall also apply to profiling based on these provisions. The data controller will then no longer process your personal data unless it can prove compelling legitimate reasons for processing, which supersede the data subject’s interests, rights and freedoms or the processing serves to assert, exercise or reject legal claims. If the data controller processes personal data for direct advertising purposes, the data subject is entitled to object to the processing personal data for the purposes of such advertising. The same also applies for profiling, where it is linked to such direct advertising. If the data subject objects to the data controller processing for direct advertising purposes, the data controller shall no longer process the personal data for these purposes. The data subject is also entitled to object to processing of their personal data by the data controller for scientific or historical research purposes, or statistical purposes in accordance with Section 89 Subsection 1 of GDPR for reasons arising from their particular situation, unless such processing is essential to fulfil an obligation in the public interest. The data subject is also entitled to object using automatic procedures in which technical specifications are used in conjunction with the use of information society services, irrespective of Directive 2002/58/EC. Right to complain to the responsible supervisory authority As a data subject you have the right to complain to the responsible supervisory authority in the event of violations of data privacy law. The responsible supervisory authority in data privacy matters is the state data protection officer of the Federal State in which our company has its registered office. The following link provides a list of the data protection officers and their contact details: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html. Right to data portability You are entitled to have data we process automatically based on your consent or to fulfil a contract forwarded to you or third parties. Your data are provided in a machine-legible format. If you demand direct transfer of the data to another data controller, this shall only be done if it is technically feasible. Right to information, correction, erasure, blocking You shall be entitled, within the scope of the applicable statutory provisions, to receive information free of charge on any data stored relating to you personally as well as on their origin, their recipient and the purpose of data processing. You may also be entitled to claim the correction, erasure or blocking of such data. Revoking your consent to process your data Some data processing procedures are only possible with your express consent. You can revoke your consent at any time after granting it. Informal notification by e-mail is sufficient to do so. The legitimacy of the data processing prior to the revocation remains unaffected by the revocation. Automated decisions including profiling You are entitled not to be subjected to a decision made exclusively based on automated processing – including profiling – with legal effect on you, or that significantly impacts you in a similar way, provided the decision: (1) is not required to conclude or fulfil a contract between the data subject and the data controller or (2) is permitted in accordance with the laws of the Union or Member States to which the data controller is subject, and these laws contain appropriate measures to uphold the rights and freedoms and legitimate interests of the data subjects or (3) is made with the express consent of the data subject. If the decision is necessary to conclude or fulfil a contract between the data subject and the data controller, or if it is made with the express consent of the data subject, the data controller shall take appropriate measures to uphold the rights and freedoms and legitimate interests of the data subject, which shall include at least the right to procure the intervention of a person on the part of the data controller, representation of a personal point of view and to object to the decision. Questions on data protection If you have questions on data protection, please send us an e-mail or contact us directly (see above for contact details). Last amended: 25/05/2021