Legal Document

Data Protection Policy

Personal Data Protection Policies & Procedures — Agensi Pekerjaan Premier Talent Sdn Bhd (formerly, PA Recruitment Sdn Bhd)

Version 1.0

Effective: May 2026

Premier Talent Sdn. Bhd. ("Premier Talent" or the "Company") operates a digital hiring platform connecting employers and jobseekers. The Platform integrates a job board with an AI-assisted interview tool to provide end-to-end hiring solutions for employers and career opportunities for jobseekers.

Purpose

The purpose of this policy is to set out the Company's approach to ensuring compliance with the Personal Data Protection Act 2010 ("PDPA"), which governs the collection, processing, and storage of personal data in Malaysia. This policy establishes the principles, responsibilities, and procedures that all employees and data users of Premier Talent must follow when handling personal data.

Scope

This policy applies to all personal data collected, processed, and stored by Premier Talent, regardless of the medium or location in which it is held. It applies to all employees, contractors, data users, and any third parties acting on behalf of the Company.

All employees and data users who process personal data on the Company's behalf are required to read, understand, and comply with this policy. Non-compliance may result in disciplinary action, up to and including dismissal, in cases of significant or deliberate breaches.

Our Commitment

Premier Talent is committed to ensuring the confidentiality, security, and accuracy of all personal data in our possession. In carrying out our business operations, the Company shall endeavour to:

  • Protect the privacy rights of data subjects, including jobseekers, employers, and all individuals whose data we process
  • Comply with the PDPA and follow industry best practices in data protection
  • Be open and transparent about how we collect, use, and store personal data
  • Ensure all personal data in the Company's possession is kept safe and secure
  • Support employees in meeting their legal responsibilities as set out in this policy
  • Provide ongoing awareness and support on PDPA compliance through the Data Protection Officer

1Definitions

1.1 What is Personal Data?

"Personal Data" refers to any information that identifies or could reasonably be used to identify an individual. This includes but is not limited to the individual's name, NRIC, passport, contact details, date of birth, gender, employment details, bank account information, payment details, photograph, resume, and any other data that can directly or indirectly identify an individual.

Personal data may also include sensitive information such as health information, religion, criminal records, physical and mental health conditions, political beliefs, genetic and biometric data, and sexual orientation, where required by law or necessary for specific purposes.

1.2 Key Definitions

Data Subject

Any individual whose personal data is collected or processed by the Company, including jobseekers, employers, employees, contractors, and business partners.

Data User

An individual who has been granted access to personal data as part of their assigned duties, roles, or functions within the Company.

Data Protection Officer (DPO)

The designated individual responsible for overseeing Premier Talent's data protection strategy and ensuring compliance with the PDPA.

Joint Data Controller

Where Premier Talent and an Employer both exercise control over the processing of a Jobseeker's personal data in connection with a job application or profile review, both parties are joint data controllers in respect of that processing.

Platform

The Premier Talent digital hiring platform, comprising the job board and the AI-assisted interview tool.

1.3 Data Protection Officer

Email: dpo@parecruitment.com.my

Unit 5.04A, Level 5, Amoda, No. 22, Jalan Imbi, 55100 Kuala Lumpur

Tel: 03-2143 5655


2What We Collect

2.1 Jobseekers

  • Identification details: Full name, NRIC or passport number, date of birth, gender, nationality, and photograph
  • Contact information: Residential or mailing address, telephone number, and email address
  • Professional information: Resume or CV, academic qualifications, certifications, employment history, salary expectations, references, and preferred job classifications
  • Interview data: Responses submitted through the AI-assisted interview tool, including recordings where applicable
  • Platform activity: Login credentials, search history, application status, and usage data

2.2 Employers

  • Company details: Company name, registration number, and business address
  • Contact person details: Name, job title, email address, and telephone number of authorised representatives
  • Billing and payment information: Required for subscription and platform fee processing
  • Job posting content: Role descriptions, hiring criteria, and screening questions
  • Platform activity: Account credentials, login records, and candidate interaction data

2.3 Employees, Contractors & Business Partners

  • Identification details: Full name, NRIC or passport number, date of birth, gender, and nationality
  • Contact information: Address, telephone number, and email address
  • Employment-related information: Job title, employment history, qualifications, and certifications
  • Financial information: Bank account details, EPF, SOCSO, and income tax numbers
  • Emergency contact information: Names and contact details of nominated individuals

2.4 General Website Visitors

  • Technical data: IP address, browser type, device type, and operating system
  • Usage data: Pages visited, time spent on the Platform, referral sources, and search queries
  • Cookie data: Session identifiers and preference data

3Why We Collect — Purposes of Processing

3.1 Platform Operations

  • To operate the hiring platform: Including facilitating job postings, enabling Jobseekers to apply for roles, and allowing Employers to search and evaluate candidate profiles.
  • To enable AI-assisted interview processing: The AI tool processes Jobseeker interview responses and CV data to generate holistic candidate profiles and best-fit recommendations for Employers. No hiring decision is made solely on the basis of automated processing.
  • To match candidates to opportunities: Using profile and preference data to surface relevant job recommendations to Jobseekers and suitable candidates to Employers.
  • To facilitate group company access: During the initial deployment phase, Jobseeker profiles and CV data may be made accessible to a defined group of participating companies.

3.2 Employment & Business Relationships

  • To manage employment relationships: Including onboarding, contract administration, performance management, payroll, benefits administration, and offboarding.
  • To manage business relationships: Including engagement with clients, service providers, vendors, and suppliers.
  • To facilitate communication: Including responding to enquiries, sending account-related updates, and sharing relevant information about platform services.

3.3 Legal, Compliance & Security

  • To comply with legal and regulatory obligations: Including audits, statutory reporting, EPF and SOCSO contributions, and anti-money laundering requirements.
  • To detect and prevent fraud and security incidents: Including monitoring for unauthorised access, misuse, or other prohibited activities.
  • To respond to legal claims: Including establishing, exercising, or defending the Company's legal rights.

3.4 Marketing & Service Improvement

  • For marketing and promotional purposes: To inform data subjects about Platform services, job opportunities, and events, where consent has been obtained.
  • To improve and develop the Platform: Including conducting internal analytics, user research, and system enhancements.

4General Principles

  • Consent must be obtained from the data subject prior to collection, except where an alternative legal basis applies
  • Data subjects must be informed openly and transparently about how their personal data is collected, used, and stored
  • Data must be obtained fairly, lawfully, and with transparency
  • Data must be collected only for specified, explicit, and lawful purposes
  • Only the minimum personal data necessary to fulfil the stated purpose shall be held
  • Personal data must be processed in a manner that ensures appropriate security
  • Personal data must be kept accurate, complete, and up to date
  • Personal data shall be retained only for as long as is necessary in accordance with business, legal, and regulatory requirements

5Data User Guidelines

5.1 Consent & Processing

  • Determine whether consent is required for the processing of personal data before collection
  • Explain to data subjects the purpose for which their personal data is being collected and how it will be processed
  • Obtain appropriate consent for the processing of sensitive personal data
  • Provide a copy of the relevant Notice and Consent Form to the data subject upon request
  • Ensure personal data is processed only through authorised software and hardware systems

5.2 Data Handling & Access Controls

  • Retain personal data only for as long as is necessary for the specified purpose
  • Ensure personal data is accurate and up to date
  • Keep personal data confidential and protect the rights of the data subject at all times
  • Disclose personal data only to authorised persons or third parties, and only where permitted by law
  • Prior to disclosing personal data to any third party, ensure a confidentiality and non-disclosure agreement is in place
  • Ensure that only authorised employees have access to personal data, strictly on a need-to-know basis
  • Do not reveal passwords or user credentials to any unauthorised person
  • Use only anonymised or unidentifiable data for analytical or research purposes
  • Do not transfer personal data outside Malaysia unless the data subject's consent has been obtained

5.3 Destruction of Personal Data

  • Permanently destroy personal data — both in soft copy and physical form — that is no longer required
  • Maintain a record of all destroyed personal data
  • Use secure destruction methods: shredding or incineration for physical records; reformatting or overwriting for electronic data

6Disclosure & Processing of Personal Data

6.1 Authorised Disclosures

  • EmployersWhen a Jobseeker submits an application or their profile is accessed through the Platform in the course of the hiring process.
  • Group CompaniesSubsidiaries and affiliated entities, including participating companies during the initial deployment phase.
  • Authorised Service ProvidersThird-party vendors, technology providers, and subcontractors engaged to support the Company's platform operations.
  • Professional AdvisorsAuditors, legal counsel, accountants, and consultants engaged by the Company.
  • Regulatory & Government AuthoritiesGovernment agencies, law enforcement bodies, and statutory authorities, as required by law.
  • Business TransfereesIn the event of a merger, acquisition, or sale of assets, subject to equivalent data protection obligations being imposed on the transferee.

6.2 Joint Data Controller Arrangement

Where a Jobseeker submits a job application or their profile is accessed by an Employer through the Platform, Premier Talent and the relevant Employer act as joint data controllers in respect of the personal data processed in connection with that application or profile review. Premier Talent is responsible for the lawful collection and initial processing of personal data. Each Employer is independently responsible for their own subsequent use of such personal data.

6.3 Cross-Border Data Transfers

Personal data may be transferred to and processed in countries outside Malaysia, including Singapore and the United States of America, where the Company's technology infrastructure and third-party service providers are located. Appropriate contractual safeguards are implemented to ensure personal data remains protected in accordance with the PDPA.

6.4 Consent Requirements

Consent must be obtained before collecting or processing personal data. Consent may be obtained by written consent, verbal consent, or consent by conduct. Consent is not required where processing is necessary:

  • At the data subject's own request, in connection with entering into a contract
  • For the performance of a contract to which the data subject is a party
  • To comply with a legal obligation
  • To protect the vital interests of the data subject
  • For the administration of justice

7Data Integrity

All data users must take reasonable steps to ensure that personal data is accurate, complete, not misleading, and kept up to date, having regard to the purpose for which it was collected.

  • Data subjects are responsible for informing the Company of any changes to their personal data.
  • Any updates or corrections to personal data must be made only upon written request or email from the data subject.
  • The Company is not obligated to update or correct personal data based on information provided by any party other than the data subject themselves.

8Rights of Data Subjects

8.1 Right of Access

Data subjects have the right to request access to their personal data held by the Company. Requests must be submitted in writing or by email to the Data Protection Officer. The Company shall provide a copy of the requested personal data within 21 days of receiving the request.

8.2 Right of Correction

Data subjects have the right to request correction of inaccurate, incomplete, or misleading personal data. Correction requests must be submitted in writing or by email to the Data Protection Officer.

8.3 Right to Withdraw Consent

Data subjects may withdraw previously given consent for the processing of their personal data at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

8.4 Right to Opt Out of Marketing

Data subjects may opt out of receiving marketing communications at any time by contacting the Data Protection Officer or by using the opt-out mechanism provided in any marketing communication.


9Security Principle

The Company and all data users must take practical steps to safeguard the confidentiality, integrity, and availability of personal data against unauthorised access, alteration, disclosure, destruction, accidental loss, or misuse.

9.1 Technical Security Measures

  • Access to IT servers and systems is restricted to authorised personnel in secure, controlled environments
  • All computer systems are password-protected with appropriate authentication mechanisms
  • Anti-virus and anti-malware software, and backup and recovery procedures, are maintained
  • All data transmitted between the Platform and users is encrypted using industry-standard protocols (TLS/HTTPS)
  • Personal data held on cloud infrastructure is secured in accordance with the service provider's data protection standards

9.2 Physical Security Measures

  • Physical records containing personal data are stored in securely locked cabinets or rooms with restricted access
  • Storage keys are kept in a secure location with movement recorded
  • CCTV surveillance is maintained at premises where personal data is stored
  • Door access systems are in place at entry and exit points of areas where personal data is held

9.3 Portable Devices & Remote Working

  • Personal data must not be stored on portable devices except in essential and approved circumstances
  • Information stored on portable devices must be fully deleted immediately after use
  • The transport of personal data in any format outside Company premises should be avoided wherever possible

10Retention & Deletion of Personal Data

The Company shall not retain personal data for any longer than is necessary in light of the purpose for which it was originally collected, stored, and processed. When personal data is no longer required, all reasonable steps will be taken to securely erase, anonymise, or otherwise dispose of it without undue delay.

Approved Methods of Destruction:

  • Physical records: Shredding or incineration, including physically archived documents.
  • Electronic data: Reformatting or secure overwriting, particularly when devices are being transferred, repurposed, or decommissioned.

11Breach Reporting Policy

Any suspected or confirmed data breach must be reported to the relevant Line Manager within 24 hours of becoming aware. The Line Manager must immediately notify the Data Protection Officer and Management.

11.1 What Constitutes a Data Breach

  • Loss or theft of equipment on which personal data is stored
  • Inappropriate access controls allowing unauthorised access
  • Equipment failure leading to data loss or exposure
  • Human error, such as misdirected emails or incorrect data entry
  • Unforeseen circumstances such as flood, fire, or natural disaster
  • Cyber attacks, hacking, or malicious software

11.2 Incident Recording

All incidents must be accurately recorded by the Line Manager, capturing:

  • Description of the incident
  • Date and time the incident occurred and was detected
  • Who reported the incident and to whom
  • Type of data involved and its sensitivity classification
  • Number of individuals whose personal data may have been affected
  • Any IT systems involved in the incident

11.3 Post-Incident Review

Following any data breach, the Company will conduct a thorough review to assess the appropriateness of steps taken, record measures implemented to prevent recurrence, identify areas requiring improvement, and document and implement any recommended changes as soon as practicable.


12Awareness Training & Support

The Company is committed to supporting all employees who process personal data through ongoing training and accessible support mechanisms.

  • Data protection training will be provided to all new employees as part of the induction process
  • Refresher training will be conducted at regular intervals throughout an employee's tenure
  • Training will cover the requirements of the PDPA, this policy, and the employee's specific responsibilities as a data user
  • All employees may seek guidance and support from the Data Protection Officer at any time

13Compliance Audits

An annual internal compliance audit will be undertaken by the Data Protection Officer and/or Management to assess whether the Company is operating in accordance with the PDPA and to identify existing or potential risks.

Where the audit identifies areas of non-compliance, immediate remedial action may be prescribed. This policy may be amended and reviewed from time to time in accordance with changes to the PDPA and applicable legislation. All employees will be notified of material changes to this policy.

This policy is governed by and construed in accordance with the laws of Malaysia.

Agensi Pekerjaan Premier Talent Sdn Bhd (formerly, PA Recruitment Sdn Bhd) · Reg. No.: 201201038317 (Co.No.1022799-H) (JTKSM 755A)

Unit 5.04A, Level 5, Amoda, No. 22, Jalan Imbi, 55100 Kuala Lumpur · Tel: 03-2143 5633 / 03-2143 5655