Personal Data Protection


1.1 EP Engineering Sdn Bhd (Co. No. 271041-A), its shareholders, affiliated, associated or  related companies (‘the EP Group’ or ‘we’, ‘our’ or ‘us’) is committed to the protection of your personal data provided and shared with us by you, whether in the course of our business and transactions, and/or in compliance with applicable laws. Personal data are processed by us in accordance with and pursuant to the provisions and principles of the Personal Data Protection Act 2010 (“the PDPA”), an Act of Parliament to regulate the processing of your personal data, and any amendments made thereto, from time to time.

1.2  This Personal Data Protection Notice (‘Privacy Notice’) applies to personal data currently in our possession, or obtained by us in the future, about you, who are our present or potential clients, principals, contractors, sub-contractors, consultants, directors, employees, service providers, manpower agencies, business associates and partners, vendors, distributors, etc., and/or individuals provided by you. We will communicate any amendments or revisions of this Privacy Notice through our website at (‘EP Group Website’), and by continuing to use our products and/or services, you agree to be bound by such revision and/or amendment.

1.3 This Privacy Notice issued by us contains crucial information on how we process and use your personal data. We encourage you to take some time and read this Privacy Notice, as it will assist you to better understand the reasons for the processing and disclosure of your personal data, and your and our obligations and limitations.

1.4 This Privacy Notice is prepared in the English language and Bahasa Malaysia. In the event of an inconsistency between the two, the English language version shall prevail.


2.1 Unless stated otherwise, words used in this Privacy Notice shall bear the same meaning as they do in the PDPA. For the purposes of this Privacy Notice, the following definitions shown in open and close quotation marks, have been extracted from the PDPA for your easy reference:

(i) ‘personal data’ is defined in the PDPA as ‘any information in respect of commercial transactions, which (a) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose; (b) is recorded with the intention that it should wholly or partly be processed by means of such equipment; or (c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject; but does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010’.

(ii) ‘data subject’ is defined in the PDPA as ‘an individual who is the subject of the personal data’.

(iii) ‘sensitive personal data’ is defined in the PDPA as ‘any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence or any other personal data as the Minister may determine by order published in the Gazette‘.

(iv) ‘processing’ is defined in the PDPA as ‘collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data, including (a) the organization, adaptation or alteration of personal data; (b) the retrieval, consultation or use of personal data; (c) the disclosure of personal data by transmission, transfer, dissemination or otherwise making available; or (d) the alignment, combination, correction, erasure or destruction of personal data’.


3.1 The personal data that we may collect from you will include your name, identification number such as your NRIC number, driver’s license and/or passport number, contact details such as your home address, landline telephone number, cell phone number, email address and fax number, your occupation, employment history, gender, age, race, religion, education, hobbies and personal interests, date of birth, images such as photographs and closed-circuit television., bank account and financial details such as income range, marital status where applicable and details of your immediate family members, and sensitive personal data such as your mental, and physical health, global sanctions you may have faced or are facing, or offences you may have committed.

3.2 The above list of personal data set forth in Item 3.1 above is not exhaustive, and the type and extent of personal data we collect will depend on the nature of the business dealings between us. The EP Group may from time to time, request for personal information from you in relation to any applications, arrangements, enquiries, and registrations that may be relevant to any dealings or transactions between us. It may also be necessary for us to request for your next-of-kin’s personal data such as their contact details and relationship with you. You are obligated to obtain the consent of your spouse, children, directors, shareholders, office bearers and other third parties before providing us with any personal information relating to such third parties.

3.3 Strictly for the provision of our products and/or services, we may, where reasonable and appropriate, collect your personal data directly from you, or indirectly through third party sources, such as your employer, agent, other service providers, suppliers, vendors, credit reference agencies, or, through any registration forms, job applications or enquiries on our products and/or services made by you to us through the EP Group Website or via email.

3.4 Please be advised that your personal data will be collected only as required to better enable, and improve on, the provision of products and/or services as between us, and to third parties. We may be unable to process your request for, or provide you with our services or products, or limit such provision, if you fail to provide us the obligatory personal data. You have an obligation to ensure that all personal data provided to us are accurate, complete and current. It is your responsibility to ensure that your personal data is updated in a timely manner. The EP Group will not be responsible for any incorrect, incomplete or misleading information pertaining to your personal data. We will only collect your personal data in a manner compliant with the law, and adequate for our mutual purpose, and not collect excessive personal data, or do so in an intrusive, or unlawful manner.


The following is a non-exhaustive list of purposes (‘Purposes’) for which we process, i.e. collect, record, hold or store your personal data as required, within the law and to give effect to your dealings with the EP Group:-

i. To provide, and improve on, our products and/or services to you;

ii. To evaluate and process your request and/or application for our products and/or services;

iii. To facilitate participation in tenders that a member of the EP Group is invited to by clients or end-users;

iv. To evaluate the suitability, capability, and promote and market your products and/or services to our clients and other end-users or third parties;

v. To facilitate the provision of products and/or services to you by us solely, or jointly with our business partners and/or associates;

vi. To administer and manage contractual documents such as agency and consultancy agreements, contracts for services, tenancy agreements, reseller agreements, etc.;

vii. To facilitate the registration and licensing processes of the EP Group to enable us, and you, where applicable, to participate in upstream and downstream oil and gas activities.

viii. Once a tender is awarded, to facilitate your participation in the provision of your products and/or services to EP Group’s clients or end-users;

ix. To facilitate the management, administration and maintenance of our internal operations, policies, contact lists, records, filing systems, and our manpower and products database;

x. To communicate through appropriate communications channels, and provide information to you on our existing and any new services and/or products, and on any upcoming or ongoing events we have knowledge of pertaining to the oil and gas industry, the retail business new developments, talks, seminars, promotional events and workshops organized by us and/or a third party;

xi. To conduct credit checks, credit worthiness, and identify any fraudulent activities, existing breaches of financial agreements with third parties, including financial institutions and regulatory authorities;

xii. To process invoices, payments and receipts in respect of payments to and by us;

xiii To process visas, permits, travel and hotel or other living arrangements;

xiv To undertake audit exercises;

xv. To address enquiries or resolve complaints or disputes pertaining to our products and/or services and/or about any ongoing or future projects;

xvi. To undertake due diligence or other background checks in accordance with contractual, legal or regulatory requirements, or at the direction of any enforcement or regulatory agencies;

xvii. To comply with our contractual, legal and regulatory obligations in the conduct of our business, and dealings with you;

xviii. To conduct market analysis, and surveys in relation to our products and services, and where applicable or where required by you, in relation to your products and services;

xix. To obtain, maintain or increase insurance coverage, where applicable;

xx. To conduct training of our employees to facilitate the promotion and marketing of your goods and services, and after sales service;

xxi. To enable us to undertake the necessary risk and security assessments, and establish controls, including the safety and security of our premises, and all persons on said premises; and for other related or associated purposes not specifically stated above, to facilitate better management of our business, and our relationship with you.


In conformance to Item 4 above, or pursuant to a contractual obligation, or as required by law, your personal data provided to us may be shared, transferred or disclosed to the following third parties:-

i. Statutory bodies, governmental agencies or regulatory bodies, including but not limited to the, Immigration Department, Inland Revenue Board of Malaysia, Employees Provident Fund, Social Security Organization, Employment Insurance System, and the Companies’ Commission of Malaysia;

ii. Law enforcement agencies or regulatory authorities in respect of offences committed or in the interests of national security;

ii. Oil and gas companies, and their subsidiaries which are clients and end-user, including to obtain relevant licenses and registrations;

iii. Banks, finance houses and other types of financial institutions, in respect of any credit checks, credit applications, funding exercise or payment mechanisms;

iv. Insurance companies for the purpose of applying for, obtaining, maintaining or increasing insurance policies or coverage;

v. Hotels, travel agencies, manpower agencies we partner with, and other service providers;

vi. Foreign embassies and consulates and/or their representatives;

vii. Internal and external auditors and accountants for accounting, auditing and reporting exercises;

viii. Legal firms for preparation of contractual documents, seeking legal advice, and/or instituting legal proceedings;

ix. Other professional advisors appointed by us for purpose of providing advice to us;

x. Such other third parties, where required or permitted under Malaysian law, including but not limited to the PDPA, or under the laws of any other country.


6.1 Your personal data will be treated with the utmost confidentiality, with access only to our staff who will process your personal data for any one or more of the Purposes stated in Item 4 above. We will only disclose your personal data to persons or entities on a ‘need to know’ basis, or as required by law.

6.2 By providing your personal data to us and/or by continued usage of our services, you have given us your consent to process your personal data for the Purposes stated in Item 4 above, and disclosed to third parties stated in Item 5 above.

6.3 If you do not wish to have access to our products and/or services, and do not consent to us processing your personal data, you are to send us a written notice of withdrawal of consent to process and handle your personal data, to the address provided at Item 11 below and we shall take all necessary steps to cease the processing of your personal data, subject to the extent that your withdrawal of consent does not conflict with our other legal obligations.


7.1 You have the right (with certain exceptions as stated in Item 8 below) to request access to your personal data held and processed by us, and which is under our control. Upon a written request from you sent to our contact details below at Item 11 for access to your personal data, we shall, within the timeframes prescribed in the PDPA, convey a copy of your personal data to you in an intelligible form and via email.

7.2 You also have the right (with certain exceptions as stated in Item 8 below) to request for a correction of your personal data that is processed by us. Upon your written request sent to our contact details below at Item 11 to make corrections to any incomplete, misleading, inaccurate and/or outdated personal information, and we shall take the necessary steps to make the corrections, within a reasonable time.


8.1 As prescribed in the PDPA, there are exceptions to your right to access and correct your personal data. We have the right to refuse to comply with any request for access to, or correction of, personal data on the following grounds:-

i. If we are not supplied with adequate and/or sufficient information as we may reasonably require to satisfactorily identify you as the owner of the personal data, or

ii. Where the person making the request is your authorized person or legal guardian, if we are not supplied with adequate and/or sufficient information as we may reasonably require to satisfactorily identify you as the owner of the personal data requested for or to satisfactorily confirm that the requestor is actually your authorized person or legal guardian.

iii. If we are not supplied with adequate and/or sufficient information as we may reasonably require to locate the personal data to which the request relates.

iv. If the expense or trouble of providing access is disproportionate to the risks to your privacy in relation to the personal data.

v. If personal data of a third party is disclosed in the event we comply with your request for access, unless said third party has consented to the disclosure or it is reasonable for us to agree to your request notwithstanding no consent was obtained from the third party.

vi. If providing access would be a violation of a court order or disclose confidential commercial information or is regulated by another law.

8.2 In the event of a refusal by us to comply with a request for access to personal data, you will be given a written notice of refusal within the prescribed timeframes in the PDPA, of the refusal and the reasons for the refusal.


9.1 The EP Group, when processing your personal data, will take all practical measures to ensure that your data is secure and protected from misuse, and/or unauthorized access and/or disclosure and/or modification, loss or destruction. We shall however nor be held responsible for any loss, damage, destruction, loss or unauthorized disclosure (of information not within the public domain) that happens despite our best efforts to ensure the safety and security of your personal data.

9.2 We shall store or retain your personal data only for as long as it is required for the purpose for which it was collected, or pursuant to any legal obligation by us to do so, or if required by law. Subject to the aforementioned, we shall take reasonable measures to destroy or delete your personal data once they are no longer required.

9.3 We shall ensure that your personal data kept by us is accurate, current and complete, and not misleading, both in relation to the Purpose for which your personal data was collected and processed by us, as well as for any related purpose.


10.1 Our website may include links to third party websites, and you as a user should observe these third parties’ data protection policies/privacy policies contained in their respective websites. The EP Group shall not be responsible for any content in these third party websites.

10.2 Our Website uses cookies which may passively collect your information when you visit the EP Group Website. The usage of cookies helps us to improve our service to you, and provide you with a more complete and easier experience. To better understand our usage of cookies, you may visit our EP Group Website to view our Cookies Policy.


Notices for access and correction, requests to withdraw consent, enquiries and complaints in respect to your personal data should be sent to the following address:-

EP Engineering Sdn Bhd
Unit 203, 205 & 206, 2nd Floor
Wisma TKT,
2/4, Jalan Dang Wangi
50100 Kuala Lumpur
Email: [email protected]
Tel.: 603-2693 2255; Fax: 603 2693 7550

This page is also available in Bahasa Malaysia version