-
WHO WE ARE
MESRA is a company registered in Malaysia and a subsidiary of PETRONAS Dagangan Berhad. The registered
address is Tower 1, PETRONAS Twin Towers, Kuala Lumpur City Centre, 50088 Kuala Lumpur, Malaysia.
-
INFORMATION GATHERING AND USAGE
If you are an employee or work for MESRA, we shall provide a separate statement to inform you how your
personal data is used.
Your personal data may be collected directly from you or from other sources such as our customers,
clients, their counterparties and representatives, third parties such as regulatory authorities,
government agencies, credit reporting agencies, recruitment agencies, providers of pre-engagement
screening services, your employer or other referees, social networks information, publicly available
records, or other third parties that we work with. We may aggregate personal data from different sources
such as online and offline collection points and we combine personal data which are collected by MESRA,
though in relation to personal data that you have provided, we will only do so for purposes which are
consistent with the purposes for which you have provided that personal data.
Aggregated data which may be derived from your personal data but is anonymized is not considered
personal data in law, as this data will not directly or indirectly reveal your identity. For example, we
may aggregate data related to usage of our website to calculate the percentage of users accessing a
specific website feature. However, if we combine or connect aggregated data with your personal data in a
way which does directly or indirectly identify you, we treat the combined data as personal data which
will be used in accordance with this Privacy Statement. If you are an existing customer or vendor of
ours, or a representative of an existing customer of ours, further details about how we use your
personal data are set out in your/your employer’s customer contract with us. We may provide further
notices to you at the point we collect your personal data, which will highlight any further information
relating to our use of that personal data, and, where applicable, provide you with the ability to opt in
or out of selected uses.
-
A. Types of Personal Data Collected and How We Collect It
We will collect and process all or some of the personal data as follows. We describe certain kinds of
data (defined below) as Sensitive Personal Data.
-
Personal data that you provide to us, such as when using the contact form on our website,
providing feedback, your correspondence with us or when you interact with any of our social
media channels (which may include when you like or comment on a post).
We may collect current and historical personal data including your name (including any
prefix or title), contact information (such as your address, email address, telephone
number, nationality, identification number such as passport number, birth date, gender,
organization, business interest, employment, position held), social media identifiers,
Sensitive Personal Data (as defined below), billing and financial information (such as
billing address, bank account and payment information) and enquiry or complaint details and
such other information depending on the nature of business relationship or dealings you have
with MESRA.
“Sensitive Personal Data” means certain types of personal data, such as
health, biometric, or identification information that may be considered sensitive or high
risk in nature in accordance with applicable data protection laws and will be subject to
enhanced security and access controls.
-
Information you provide when applying for a role or work placement (which includes internship),
during an open day or recruitment event, or as a beneficiary.
In any of the above circumstances, we collect your CV or résumé which may include your contact
details (such as name, address, email address and telephone number), education information (such
as field of study, university and country of study, academic scores and achievements, personal
certifications), employment history, racial or ethnic origin, nationality, financial information
(such as parents’ or beneficiaries’ income, bank account name and number), photographs or profile
picture and any other supporting documents or information as submitted by you or on your behalf
during the application process.
We carry out pre-screening of applicants to whom we intend to make an offer of employment, or
internship. We may also undertake criminal records or financial probity checks or other
independent searches to assess your suitability for the position where permitted by, and in
accordance with, applicable law. Sensitive Personal Data may be processed strictly in accordance
with applicable local laws.
-
You (or someone you act for) have a relationship with us
If you are or act for or are related to our customers and clients, where you are our
counterparty or provide services to our counterparty and where you or the organization you
work for is a regulator, government agency, judiciary, legislative or other law enforcement
agency, we may collect and process your personal data based on your relationship with us.
The types of personal data include contact information (such as name, address, email address
and telephone number); identification information (such as national identification number,
passport number, date of birth); business information (such as name of organization, job
title, department, business address, organization structure, shareholding or directorship);
any recordings captured through our communication platform (such as Microsoft Teams or Zoom
etc.), details in business registration documents, third party due diligence, documents,
credit checks, financial details including bank account details and bank account statement;
demographic information and interests which will include any information that describe your
demographic and behavioural characteristics (such as date of birth, age or age range,
geographic location, personal preferences (e.g. food), medical condition (e.g. allergies),
hobbies or interests and household or lifestyle information).
-
Website and Online communication usage
Details of your visits to our website and information collected through cookies and other
tracking technologies including, but not limited to, your log-in information, IP address and
domain name, your browser version and operating system, information about your device,
traffic data, location data, web logs and other communication data, and the resources that
you access.
You can block cookies by activating the setting on your browser that allows you to refuse
the setting of all or some cookies. However, if you use your browser settings to block all
cookies (including essential cookies) you may not be able to access all or parts of our
website.
If any part of our website links you to external websites, those websites do not operate
under this Privacy Statement, and we do not accept any responsibility or liability arising
from those websites. We recommend that you read the privacy/personal data protection
statement/policy posted on those external websites in order to understand their procedures
for collecting, processing, using and disclosing personal data and before submitting your
personal data to those websites.
We may also collect information you provide in completing online subscriptions or
registration and any online application forms or when you report a problem, raise a query or
provide feedback on our online services.
-
Visitors to any of our offices, premises, or events
When you visit our offices or premises, we may collect and process your personal data in
connection with your visit. Such personal data will include your contact information (such
as name, address, email address and telephone number), identification information (such as
national identification number, passport identification number or driver’s license
information); business information such as name of organization, reason for visit, date and
time of visit, biometric and facial recognition and access limitations whenever
applicable.
Where we have installed CCTV in our offices, your image may be captured and recorded when
you visit our premises that are protected by CCTV. Additionally, your image may be captured
via photographs or videos taken by us or our representatives when you attend our events.
Our CCTV use is not intended to target or monitor any individuals but to provide a safe and
secure workplace environment in the relevant premises.
During a health crisis or disease outbreak we may collect Sensitive Personal Data on your
health and physical condition, health condition of individuals in your household, results of
your health assessment, quarantine, and hospitalization information and any other
information required or recommended to be held in connection with control or management of
such health crisis or disease outbreak.
-
B. The Purposes for Collection of Personal Data
We will collect and process all or some of the personal data as follows. We describe certain kinds of data
(defined below) as Sensitive Personal Data. We may use personal data that we obtain for any of the following
purposes:
-
To communicate effectively with you and conduct our business
To conduct our business, including to respond to your queries or resolve any disputes, which may arise in
connection with any dealings with us, to otherwise communicate with you, or to carry out our legal
obligations arising from any agreements entered into between you and us, or to maintain and update internal
contact lists to effectively communicate with you.
-
To update you on contests, marketing information and promotions
To provide you with updates and offers including facilitating your participation in any technology
challenges, contests, roadshows, promotions, campaigns and events. We may also use your information for
marketing our own or our partner’s products and services to you by post, email, and phone calls. Where
required by applicable data protection laws, we will ask for your consent at the time we collect your data
to conduct any of these types of marketing. We will provide an option to unsubscribe or opt-out of further
communication on any electronic marketing communication sent to you or you may opt out by contacting us as
set out in the “Contacting Us” section below.
-
Personalization (offline and online)
With your consent (where required), we use your personal data to (i) analyse your preferences and habits;
(ii) to anticipate your needs based on our analysis of your profile; (iii) to improve and personalize our
online and offline interaction with you; (iv) to ensure that the contents from our websites or applications
are optimized for your computer and device; (v) to provide you with targeted marketing content; (vi) to
better understand our business and patterns and trends relating to our products; (vii) to develop or further
improve our products and services; and (viii) allow you to participate in interactive features when you choose
to do so.
-
To assess your application for a role in the organization
To assess your application and pursuant to laws to which MESRA is subject (e.g., in relation to equal
opportunities). This processing is a necessary pre-condition of entering into any future contract with you
and for MESRA to fulfil its employment duties with respect to other employees and you yourself (should you
be employed by MESRA). This could also include using your personal data to: carry out background and
reference checks, communicate about the application process, keep records and comply with legal and
regulatory requirements, and may also include use of Sensitive Personal Data in accordance with applicable
laws.
If you are unable to provide us with the information we request for this purpose, we may be unable to assess
your appropriateness for the relevant application or to communicate with you. If your application is
unsuccessful, we will keep your personal data in accordance with our internal policies and procedures and
for administration and statistical analysis purposes.
-
To carry out due diligence or Know Your Customer screening activities
To carry out due diligence assessment prior to entering into a legal relationship with us, in accordance with legal
and regulatory obligations or risk management procedures that may be required by law or may have been put in
place by us.
-
To monitor certain activities
To monitor queries and transactions to ensure service quality, compliance with procedures and to combat
fraud, and to process any payments related to your commercial transaction with us.
-
To ensure the physical security and safety of visitors to our offices or premises
To prevent loss, fraud, theft, injuries, terrorism, and other such events which may have an impact on
health, safety and security from taking place at any of our premises.
-
To notify you of changes
To notify you about changes to our services and products.
-
To ensure that our website content is relevant
To ensure that content from our websites and any other microsites are presented in the most effective
manner for you and for your device (which may include passing your data to business partners, suppliers
and/or service providers).
-
To re-organise or make changes to our business
In the event that we: (i) are subject to negotiations for the sale of our business or part thereof to a
third party; (ii) are sold to a third party; or (iii) undergo a re-organisation, we may need to transfer
some or all of your personal data to the relevant third party (and its advisors) as part of any due
diligence process for the purpose of analysing any proposed sale or re-organisation. We may also need to
transfer your personal data to that re-organised entity or third party after the sale or reorganisation for
them to use for the same purposes as set out in this Privacy Statement.
-
In connection with legal or regulatory obligations
We may process your personal data to comply with our regulatory requirements or dialogue with regulators as
applicable which may include disclosing your personal data to third parties, the court service and/or
regulators or law enforcement agencies in connection with enquiries, proceedings or investigations by such
parties anywhere in the world or where compelled to do so. Where permitted, we will generally direct any
such request to you or notify you before responding unless to do so would prejudice the prevention or
detection of a crime.
-
Other circumstances
In other circumstances, such purposes that are necessary or directly related to your relationship with
us or where it is permitted under the applicable laws.
Where we collect personal data from you, we will only do so for fulfilment of the purposes set out above.
Failure to provide your personal data may mean that we are not able to effectively provide you with our products
and/or services or to carry out any of the above-mentioned purposes, if at all.
-
PROCESSING YOUR PERSONAL DATA, AND OBTAINING YOUR CONSENT
Where we rely on your consent for processing your personal data, you may withdraw your previous consent to this
processing at any time, by contacting us by using the contact details below. Please note, however, that
withdrawing your consent will not affect the lawfulness of processing based on your previous consent (prior to
withdrawal).
Where we process your personal data for direct marketing purposes, we will log any objection you make and stop
processing your data for direct marketing purposes.
There may be instances where we process your personal data for our legitimate interests or on the basis of other
lawful grounds (i.e., because we have established a relationship with you and need to process your personal data
in order to provide you with the information and/or services you have requested), without having obtained your
consent – this applies where our processing activities are governed by the applicable laws of certain
jurisdictions in which we operate that do not require consent to have been obtained where there are legitimate
and/or other lawful grounds to process the relevant personal data.
We do not seek your consent in such cases largely so that we can provide you with services in an efficient way
(or where in some cases it might not be possible for us to seek your consent because we
must process personal data, for example, for the detection of fraud). Before
processing your personal data, we will consider your rights and freedoms and will only commence such processing
where we do not think your rights will be infringed.
The collection of your personal data by us may be mandatory or voluntary in nature depending on the purposes for
which your personal data is collected. Where it is mandatory for you to provide us with your personal data, and
you fail or choose not to provide us with such data, or do not consent to the above or this Privacy Statement,
we will not be able to provide our products and/or services or otherwise deal with you and/or to assess and
process your application.
-
PERSONAL DATA FROM MINORS AND OTHER INDIVIDUALS
To the extent that you have provided (or will provide) personal data about your family members, spouse, other
dependents and/or other individuals, you confirm that you have explained to them that their personal data will
be provided to, and processed by, us and where required by law, you represent and warrant that you have obtained
their consent to the processing (including disclosure and transfer) of their personal data in accordance with
this Privacy Statement.
In respect of minors or individuals not legally competent to give consent, you confirm that they have appointed
you to act for them, to consent on their behalf to the processing (including disclosure and transfer) of their
personal data in accordance with this Privacy Statement.
-
INFORMATION SHARING
We may share the personal data that you provide to us with other companies within the PDB Group for the purposes
described above. Where such transfers occur, MESRA will reasonably protect personal data and address data
privacy and other privacy requirements in accordance with applicable laws.
Information may also be shared with our service providers or third parties, in each case to the extent necessary
for the purposes described above. Such third parties, who we reasonably believe need to have access to your
information to provide you with the information or services you request from us may include:
-
Our approved sub-contractors, business partners, suppliers, or other third-party organizations providing
administrative, IT or other services to MESRA;
-
Analytics and search engine providers that assist us in the improvement and optimization of our website;
-
Advertisers and advertising networks that require the data to select and serve relevant adverts to you
and others;
-
Third parties in connection with the transfer of all or any part of our business or assets;
-
Our auditors, consultants, lawyers, accountants or other financial or professional advisers appointed in
connection with our business on a strictly confidential basis, appointed by us to provide services to
us;
-
Any party in relation to legal proceedings or prospective legal proceedings; or
-
Government agencies, law enforcement agencies, courts, tribunals, regulatory/professional bodies,
industry regulators, ministries, and/or statutory agencies or bodies, offices or municipality in any
jurisdiction, if required or authorized to do so, to satisfy any applicable law, regulation, order or
judgment of a court or tribunal or queries from the relevant authorities.
We will not otherwise use, share, disseminate, publish or disclose your personal data except as may be required
in response to litigation, investigations or other legally required disclosures or to protect our rights,
property or safety, or those of our customers or others.
-
WHERE WE STORE YOUR PERSONAL DATA
All information you provide to us is stored on our secure servers or on the servers of third-party IT
service providers. We maintain appropriate administrative, technical and physical safeguards to protect
against loss, misuse or unauthorized access, disclosure, alteration or destruction of the personal data you
provide to us in accordance with applicable laws.
We may transfer your personal data to, or store it in, a destination outside of the jurisdiction of the
entity to which you provided it.
Where we have to transfer your personal data to third countries, we will use appropriate approved safeguards
in accordance with applicable laws.
-
PERIOD FOR WHICH WE STORE YOUR PERSONAL DATA
We will store your personal data for no longer than is necessary for the purposes for which it was collected or
provided to us (unless a legal or insurance obligation requires us to keep it for a longer period such as
operational, legal, regulatory, tax or accounting requirements).
-
YOUR RIGHTS TO YOUR PERSONAL DATA
Please note that you have the following rights. Additional rights will apply only where required or permitted by
applicable law:
-
Access. You may contact us at any time in order to request access to the personal data we
hold about you. We will confirm whether we are processing your personal data, provide details of the
categories of personal data concerned and the reasons for our processing. We can also provide you
with a copy of your personal data on request though we will have to be mindful of the rights of
others within any relevant records when doing so.
-
Rectification. You can ask us to correct or complete your personal data by contacting us at
any time. To the extent reasonably possible, we will inform anyone who has received your personal
data of any corrections we make to it.
-
Restriction. In certain circumstances, it may be possible to require us to limit the way in
which we process your personal data (i.e. require us to continue to store your personal data but not
otherwise process it without your consent).
-
Erasure. You may ask to have the information on your account deleted or removed, in certain
circumstances. We will try to do so promptly, and, to the extent reasonably possible, we will inform
anyone who has received your personal data of your request. However, we must keep track of certain
transaction information, such as past purchases and similar information, for legal or tax compliance
purposes, to satisfy insurance obligations or in the event of legal claims, so we may not be able to
fully delete your information in certain circumstances.
-
Receiving/transferring your personal data. In certain circumstances (where we process your
data based on consent or pursuant to a contract with you, and the processing is carried out by
automated means), you may ask us to send you the personal data we hold on you in an electronic,
structured and user-friendly format, or you may ask us to send this data to another entity.
-
Object. Where we are processing your personal data without your consent to pursue our
legitimate interests, you may object to us processing your personal data. Where we are using your
personal data to contact you for marketing purposes, you may object to such processing at any time.
-
Automated decision-making. You have the right to be informed of any automated
decision-making, including profiling, used in connection with your personal data, and we will
provide information about the logic we apply, as well as the significance and consequences of such
processing.
-
Complaints. You have the right to lodge a complaint with the relevant data protection
supervisory authority in the country where you are based or any place where you believe an
infringement of your personal data has occurred. We encourage you to contact us before making such
complaint to the relevant authorities, so that we can try to resolve any concerns you have.
-
SECURITY
We have security measures in place to help protect against the loss, misuse and alteration of the information
under our control. While we cannot guarantee that loss, misuse or alteration to data will not occur, we ensure
that our systems adhere to market security standards so as to help safeguard against such occurrences.
-
CHANGES TO OUR PRIVACY STATEMENT
Any changes we make to our Privacy Statement in the future will be posted on this page. Please check back
frequently to see any updates or changes to our Privacy Statement.
-
LANGUAGE
In accordance with the requirement of Malaysian data protection and privacy law, this Privacy Statement is
issued in both English and Bahasa Malaysia. In the event of any inconsistencies or discrepancies between the
English version and the Bahasa Malaysia version, the English version shall prevail.
-
COOKIES
Information Collected by Us Through IP Addresses and Cookies
Your IP address is a number that is assigned by the Internet Service Provider (ISP) to your computing devices to
identify its location. We use your IP address to help administer and diagnose problems relating to our website
and digital platforms. We also sometimes use IP addresses to communicate with our customers and possibly ban any
customers who are not complying with our Terms and Conditions.
We use a feature of your Internet Web browser called a cookie to assign a unique identification to your
computer. Cookies are files that your web browser places on your computing devices. These cookies are used to
tell us whether you have previously visited our website and to help us determine if you came from a particular
Internet link. This information is then used to improve the website and digital platforms as well as our
services. We do not use cookies to retrieve personal data from your computing devices unless your browser is set
to allow such retrieval.
-
CONTACT DETAILS
If you have any questions, comments or requests regarding this Privacy Statement or your personal data, or if you
wish to contact a data protection officer, you may reach out to us at:
Head of Compliance / Data Protection Officer (DPO) - MESRA
Address: Tower 1, PETRONAS Twin Towers, Kuala Lumpur City Centre, 50088 Kuala Lumpur, Malaysia.
Contact No.: 03-77173078
Email Address: data.privacy.mesra@mesraretail.com
Alternative Email Address: mesralink@petronas.com
Effective Date: 01 April 2026