Effective as of June 2024
Introduction
ROCKWOOL Malaysia Sdn. Bhd. (“ROCKWOOL”) is committed to safeguarding your privacy. The protection of personal data is important to us and we only process personal data in compliance with the applicable data protection requirements, in particular the Personal Data Privacy Act 2010 (“PDPA“). For that reason ROCKWOOL has implemented a set of Binding Corporate Rules (“BCRs“), introducing data protection requirements to be complied with by the ROCKWOOL Group worldwide.
In connection with our business activities we, as data controller, process the personal data of our customers, suppliers, users of our websites and apps as well as visitors and other third parties as described further in Section C.
This Privacy Statement will inform you on what personal data we process, the legal basis, the purpose of our processing, and the retention period. Furthermore, we will inform you about your rights as data subject.
This Privacy Statement is provided in a layered format so you can navigate to the specific areas set out below.
Lot 4, Solok Waja 1, Bukit Raja Industrial Estate, 41050 Klang, Selangor, Malaysia
A. The data controller
ROCKWOOL Malaysia Sdn. Bhd.
Lot 4, Solok Waja 1, Bukit Raja Industrial Estate, Klang,
41050, Selangor, Malaysia.
E-mail: mindy.ooi@rockwool.com
Company reg. no.: 199901020734 (495634-V)
In case of any questions regarding this Privacy Statement and/or our processing of your personal data please feel free to contact us on:
T: +6012-6399331
Email: mindy.ooi@rockwool.com
Depending on your relationship with entities from the ROCKWOOL Group, we will process different categories of your personal data for various purposes. Below you will find an overview of what kind of personal data we process, for which purposes, on what legal grounds and for how long we keep it in our systems.
Who? | Categories of personal data | Purposes of processing | Legal basis | Retention periods |
Customers and their employees
| First and last name, gender, address, phone number, e-mail address, job title, and place of work. | To carry out ordinary customer relationship i.e.: administration of payments, general communication, management of day-to-day operations in accordance with legitimate and fair business practice (incl. planning, execution and management of the cooperation; statistics, analyses) | Performance of the employment contract (Section 6(2)(a) PDPA) Legal obligation stemming from employment law and accounting (Section 6(2)(c) PDPA) Consent (Section 6(1) PDPA Performance of the contract (Section 6(2)(a) PDPA) Consent (Section 6(1) PDPA) for minor campaigns
| Seven (7) years after end of employment or indefinitely if it concerns a criminal offence or statutory breach.
|
To provide general customer service and support (including follow-up surveys). | Performance of the employment contract (Section 6(2)(a) PDPA) Legal obligation stemming from employment law and accounting (Section 6(2)(c) PDPA) Consent (Section 6(1) PDPA Performance of the contract (Section 6(2)(a) PDPA) Consent (Section 6(1) PDPA) for minor campaigns | |||
To gain customer insights and knowledge of how our products and services are used (e.g., by sending satisfaction | ||||
To prevent fraud. | Performance of the employment contract (Section 6(2)(a) PDPA) Legal obligation stemming from employment law and accounting (Section 6(2)(c) PDPA) Consent (Section 6(1) PDPA Performance of the contract (Section 6(2)(a) PDPA) Consent (Section 6(1) PDPA) for minor campaigns | |||
To establish, defend or assert legal claims. | ||||
Prospective Customers and their employees | First and last name, gender, address, phone number, e-mail address, title, and place of work. | To create business leads.
| Performance of the employment contract (Section 6(2)(a) PDPA) Legal obligation stemming from employment law and accounting (Section 6(2)(c) PDPA) Consent (Section 6(1) PDPA Performance of the contract (Section 6(2)(a) PDPA) Consent (Section 6(1) PDPA) for minor campaigns | 7 years from obtained or your last interaction
|
For statistical purposes. | Performance of the employment contract (Section 6(2)(a) PDPA) Legal obligation stemming from employment law and accounting (Section 6(2)(c) PDPA) Consent (Section 6(1) PDPA Performance of the contract (Section 6(2)(a) PDPA) Consent (Section 6(1) PDPA) for minor campaigns | |||
To pursue business leads. | Performance of the employment contract (Section 6(2)(a) PDPA) Legal obligation stemming from employment law and accounting (Section 6(2)(c) PDPA) Consent (Section 6(1) PDPA Performance of the contract (Section 6(2)(a) PDPA) Consent (Section 6(1) PDPA) for minor campaigns | |||
Suppliers and their employees | First and last name, company phone number, e-mail address, title, and place of work | To carry out ordinary supplier relationship, i.e. administration of payments, general communication, management of day-to-day operations in accordance with legitimate and fair business practice (incl. planning, execution, and management of the cooperation, performing credit ratings, as well as carry out statistics, and analyses). | Performance of the employment contract (Section 6(2)(a) PDPA) Legal obligation stemming from employment law and accounting (Section 6(2)(c) PDPA) Consent (Section 6(1) PDPA Performance of the contract (Section 6(2)(a) PDPA) Consent (Section 6(1) PDPA) for minor campaigns | 7 years from the end of the financial year to which the data relate if the data is considered accounting material. 7 years from obtained for non-accounting materials if there was no activity with the supplier |
To source suppliers. | Performance of the employment contract (Section 6(2)(a) PDPA) Legal obligation stemming from employment law and accounting (Section 6(2)(c) PDPA) Consent (Section 6(1) PDPA Performance of the contract (Section 6(2)(a) PDPA) Consent (Section 6(1) PDPA) for minor campaigns | |||
Visitors to physical locations | First and last name, phone number, e-mail address, place of work, license plate, if applicable, date and time of your visit. | To ensure the safety of our physical locations and to prevent and solve crime in our physical locations. | Performance of the employment contract (Section 6(2)(a) PDPA) Legal obligation stemming from employment law and accounting (Section 6(2)(c) PDPA) Consent (Section 6(1) PDPA Performance of the contract (Section 6(2)(a) PDPA) Consent (Section 6(1) PDPA) for minor campaigns | 30 days from the registration |
CCTV recordings (photos and videos) | Performance of the employment contract (Section 6(2)(a) PDPA) Legal obligation stemming from employment law and accounting (Section 6(2)(c) PDPA) Consent (Section 6(1) PDPA Performance of the contract (Section 6(2)(a) PDPA) Consent (Section 6(1) PDPA) for minor campaigns | 30 days from the day of the visit | ||
Website visitors / app users | IP-address, MAC address, type of browser and devices, webpage that led you to our website or app, search terms entered in a search engine which led you to our website, browsing history, click-behaviour and use and navigation of websites and apps
| To run marketing activities, especially to facilitate your use of the websites and apps; for service development, statistics, and analysis; to deliver personalised content and search | Performance of the employment contract (Section 6(2)(a) PDPA) Legal obligation stemming from employment law and accounting (Section 6(2)(c) PDPA) Consent (Section 6(1) PDPA Performance of the contract (Section 6(2)(a) PDPA) Consent (Section 6(1) PDPA) for minor campaigns | Personal data obtained through cookies, pixels, similar technologies, and social media tools are deleted as described in the cookie declaration |
Users of contact forms | First and last name, email address, phone number, what your inquiry is about, date of your inquiry. | To communicate with you to market, promote and sell ROCKWOOL products and services, as well as to provide support. |
Performance of the employment contract (Section 6(2)(a) PDPA) Legal obligation stemming from employment law and accounting (Section 6(2)(c) PDPA) Consent (Section 6(1) PDPA Performance of the contract (Section 6(2)(a) PDPA) Consent (Section 6(1) PDPA) for minor campaigns
| 2 years after obtained or from your last interaction if your personal data has not been used in connection with a purchase of our products or services. |
Account users | First and last name, e-mail address, username, digital footprints, password as well/and as your profile activity. | To deliver our services on the/our websites or apps to you. | Performance of the employment contract (Section 6(2)(a) PDPA) Legal obligation stemming from employment law and accounting (Section 6(2)(c) PDPA) Consent (Section 6(1) PDPA Performance of the contract (Section 6(2)(a) PDPA) Consent (Section 6(1) PDPA) for minor campaigns | Until closing of the account. |
To manage created user accounts; for statistical and analytical purposes. | Performance of the employment contract (Section 6(2)(a) PDPA) Legal obligation stemming from employment law and accounting (Section 6(2)(c) PDPA) Consent (Section 6(1) PDPA Performance of the contract (Section 6(2)(a) PDPA) Consent (Section 6(1) PDPA) for minor campaigns | Until closing of the account. | ||
Visitors of social media profiles | Information available on your profile, including your name, gender, civil status, workplace, interests, image, and your city; whether you “like” or have applied other reactions to our profile; comments you leave on our posts; content your shared with ROCKWOOL with intention of interacting; | To improve our products and services, including our social media profiles and pages; * platform providers may process your personal data for their own purposes – please keep in mind this is outside of our control | Performance of the employment contract (Section 6(2)(a) PDPA) Legal obligation stemming from employment law and accounting (Section 6(2)(c) PDPA) Consent (Section 6(1) PDPA Performance of the contract (Section 6(2)(a) PDPA) Consent (Section 6(1) PDPA) for minor campaigns | Retention periods are set out by social media platform providers and can be found in their privacy policies: Meta (Instagram, Facebook) Google (YouTube) X (formerly Twitter) |
Description | When? | Categories of personal data | Purposes of processing | Legal basis | Retention periods |
Cookies, pixels, social media tools and other technologies | When you visit our websites or apps and have provided us with your cookie consent. | IP-address, MAC address, type of browser and devices, webpage that led you to the website or app, search terms entered in a search engine which led you to our website, browsing history, click-behaviour and use and navigation of websites and apps* * the categories depend on the consent given in the cookie banner. This can be changed at any time here | To run marketing activities, especially to facilitate your use of the websites and apps; for service development, statistics, and analysis; to deliver personalised content and search | Legitimate interests in providing a website and app that works, marketing, developing, and providing statistics, evaluating, promoting and selling our products and services through first-party cookies, (Article 6 (1) (f) GDPR). Consent for the processing of personal data in relation to marketing cookies and third-party statistical cookies (Article 6 (1) (a) GDPR). In addition, we always obtain a valid cookie consent with exemption of strictly necessary cookies and other technologies. | Personal data obtained through cookies, pixels, similar technologies, and social media tools are deleted as described in the cookie declaration. |
Facebook custom / lookalike audiences | When you sign up for our newsletters, create a user account and accept our cookies, pixels, or similar technologies, we will in some cases send non-reversible hashed information to Facebook (Meta). | E-mail address and in some cases, information about your interest in one or more of our products | To create audiences for subsequent advertising via Facebook. | Legitimate interest in spreading awareness of our products and services, including to other persons who may have similar interests in our products and services (Article 6 (1) (f) GDPR). | Until you object to the processing of your personal data. You can change settings in your Facebook account here. |
Tracking of e-mail | E-mails that we forward for marketing purposes based on your marketing consent or for events you have signed-up for may include tracking technologies that tell us whether you have received or opened the email or clicked a link in the e-mail. | Tracking information on your interaction with our e-mail. | To deliver personalised content, analysis, and statistics. | Performance of the employment contract (Section 6(2)(a) PDPA) Legal obligation stemming from employment law and accounting (Section 6(2)(c) PDPA) Consent (Section 6(1) PDPA Performance of the contract (Section 6(2)(a) PDPA) Consent (Section 6(1) PDPA) for minor campaigns |
If you consented to marketing: until the marketing consent has been withdrawn. A copy of the marketing consent will be stored 2 years after withdrawal for evidentiary purposes If you did not consent to marketing: 2 years after the/your last interaction (e.g., from participating in the event or when clicking on email)
|
Personal data collected may be transferred internationally between entities in the ROCKWOOL Group for the purposes for which they were gathered, provided that such transfer is not prohibited or restricted by law. All transfers between EU/EEA and non-EU/EEA ROCKWOOL entities are legalised by the ROCKWOOL Binding Corporate Rules.
An overview of the ROCKWOOL Group is available at https://www.rockwool.com/group/privacy-Statement/rockwool-group-companies/
To achieve the purposes described above, we may give third parties, who provide services to ROCKWOOL entities based on a contractual relationship, access to your personal data. Those service providers include:
• IT suppliers,
• Social media suppliers,
• Email suppliers,
• Hosting suppliers,
• Cookie suppliers,
• Webinar vendors,
• Customer learning platform vendors,
• Customer support platform vendors,
• Customer relation platform vendors,
• Website vendors.
In addition to what is described above, your personal data is generally not transferred to third parties without your consent. However, in certain circumstances and under the law, it may be necessary to disclose your personal data to e.g.,:
• Public authorities,
• Law enforcement authorities,
• Courts,
• Lawyers,
• External Auditors.
Personal data may also be transferred to third parties with your prior consent as set out in our Cookie Policy and the cookie consent wording.
If we transfer your personal data to recipients whose registered offices are located in a third country, for which the European Commission has not adopted an adequacy decision, such transfer is based on the Data Privacy Framework (for companies based in the USA) or the EU Commission’s Standard Contractual Clauses (for other countries), which you may obtain a copy of by contacting us as stated above.
ROCKWOOL commits to have in place the appropriate security measures to safeguard the security of your personal data and our website has security measures in place to protect against the loss, misuse and/or alteration of the personal data under our control.
Cooperation with social media platform providers.
For Facebook and Instagram (owned by Meta), ROCKWOOL together with the social media providers is a joint data controller for the processing of personal data collected in connection with your interactions with the profiles, including the profiles' postings. Facebook acts as data processor on behalf of ROCKWOOL when Facebook processes your personal data for the purpose of creating target groups (lookalike and custom audiences).
For LinkedIn, ROCKWOOL together with the platform provider is a joint data controller/s for the processing of personal data for statistical purposes.
ROCKWOOL and the providers of LinkedIn, Instagram and Facebook have entered into agreements on the allocation of the data protection tasks. According to these agreements, the entities and social media providers are each responsible for the tasks associated with the processing undertaken. The overview of the division of responsibilities can be found here:
• LinkedIn: https://legal.linkedin.com/pages-joint-controller-addendum
• Meta: https://www.facebook.com/legal/controller_addendum/.
ROCKWOOL also uses Google as data processor in connection with its use of YouTube and in this connection also shares certain information about your interactions, interests, etc. with YouTube for the purposes of optimizing marketing and the service, including our videos, on YouTube.
ROCKWOOL is the controller for the processing of personal data in the context of the management of its account on X (Twitter), and X (Twitter) is a separate controller for the personal data which it processes. However, in certain situations X (Twitter) will be acting as data processor for ROCKWOOL, for example when uploading custom audiences to the platform.
Due to technical developments, new processing activities, and/or amendment of legal requirements we reserve the right to adjust this Privacy Statement. To the extent the changes of the Privacy Statement are regarded as material and significant, you will be informed hereof on our website or/and through our e-mail signatures when corresponding with one of ROCKWOOL’s employees. An up-to-date version of this Privacy Statement will always be available at www.rockwool.com/group/privacy-statement.