PERSONAL DATA PROTECTION ADDENDUM
This Data Protection Addendum (Addendum), which shall be read together with the Malaysia Airlines Berhad Privacy Policy, forms part of the Merchant Agreement and sets out additional rights and obligations of the parties, which apply when the Merchant acts as a Processor of Malaysia Airlines’ Personal Data. This Addendum consists of:
- the main body of this Addendum, being clauses 1 to 10; and
- Annex 1 (Personal Data Processing Details).
1. Processing of Malaysia Airlines’ Personal Data
The parties agree that Malaysia Airlines is the Controller of Personal Data and that the Merchant will Process Malaysia Airlines’ Personal Data on behalf of Malaysia Airlines as its Processor.
To the extent that the Merchant provides Services and/or Products, and Processes Malaysia Airlines’ Personal Data provided by or on behalf of Malaysia Airlines or its group of companies under Malaysia Aviation Group (“MAG”) through Journify platform or by any other means pursuant to or in connection with the Agreement, then in such circumstances, that group of companies under MAG will be the Data Controller of the Personal Data provided to the Merchant and the group of companies under MAG will have the same rights that Malaysia Airlines has under this Addendum.
Malaysia Airlines instructs the Merchant to process Malaysia Airlines’ Personal Data within Journify platform or any other means to the extent necessary for the provision of Services or Products under the Agreement and in a manner consistent with the Agreement.
The Merchant must:
- comply with all applicable Data Protection Laws in the Processing of Malaysia Airlines’ Personal Data;
- not Process Malaysia Airlines’ Personal Data other than for the purpose of performing obligations under the Agreement or on Malaysia Airlines’ documented instructions, unless Processing is required by the relevant authorities or European Union or Member State law to which the Merchant is subject, in which case the Merchant shall to the extent permitted by such law inform Malaysia Airlines of that legal requirement before the relevant Processing of Malaysia Airlines’ Personal Data;
- notify Malaysia Airlines immediately if, in the Merchant’s reasonable opinion, the Merchant believes that any documented instructions issued by Malaysia Airlines infringe any Data Protection Laws;
- comply with its obligations under Data Protection Laws and must not provide the Services or Products in a manner that causes Malaysia Airlines to violate any Data Protection Laws; and
- not transfer any Malaysia Airlines’ Personal Data to any country or territory other than on Malaysia Airlines’ documented instructions and in accordance with the Data Protection Laws.
Annex 1 sets out certain information regarding the Merchant’s Processing of Malaysia Airlines Personal Data. Malaysia Airlines may, by giving written notice to the Merchant, amend Annex 1 from time to time as Malaysia Airlines considers reasonably necessary to meet those requirements.
2. Data Subject Request and other complaints and requests
The Merchant must, to the extent permitted by law, promptly notify Malaysia Airlines if the Merchant receives a Data Subject Request in respect of any Malaysia Airlines’ Personal Data. The Merchant must not respond to any such Data Subject Request without Malaysia Airlines’ prior written instructions.
The Merchant must provide such assistance and take such action as Malaysia Airlines may reasonably request (including assistance by appropriate technical and organisational measures) to allow Malaysia Airlines to fulfil its obligations to clients or under Data Protection Laws in respect of Data Subject Requests, including meeting any deadlines imposed by such obligations.
The Merchant must, to the extent permitted by law, promptly notify Malaysia Airlines upon receipt of any complaint or request (other than Data Subject Requests or enquiries of Regulators described in clause 9) relating to:
- Malaysia Airlines’ obligations under Data Protection Laws; or
- Malaysia Airlines Personal Data.
The Merchant must promptly provide such cooperation and assistance as Malaysia Airlines may request in relation to such complaint or request.
3. Merchant’s Personnel
- The Merchant must ensure that any personnel of any Contracted Processor engaged in the Processing of Malaysia Airlines Personal Data are informed of the confidential nature of Malaysia Airlines Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements in respect of the Malaysia Airlines Personal Data that survive termination of the engagement of the personnel.
4. Subprocessors
- The Merchant may engage Subprocessors to Process Malaysia Airlines Personal Data to the extent necessary for providing the Services or Products through Journify platform or any other means hosted by Malaysia Airlines and to perform the obligations stipulated in the Agreement.
- Where Merchant engages a Subprocessor, the Merchant must ensure that the arrangement between the Merchant and the Subprocessor is governed by a written agreement including terms which offer at least the same level of protection for Malaysia Airlines Personal Data as those set out in this Addendum.
- Upon request, Merchant shall provide Malaysia Airlines with a current list of the names and contact information of any Subprocessors (Subprocessor List). Merchant shall provide sixty (60) days' prior notice by email to Malaysia Airlines of any addition of a new Subprocessor to the Subprocessor List.
- If Malaysia Airlines objects in writing to the Merchant's proposed use of a new Subprocessor, the Merchant will use reasonable efforts to refrain from permitting such proposed Subprocessor to Process Malaysia Airlines Personal Data without adversely impacting the offering of Services or Products or/and Malaysia Airlines. If the Merchant determines that it cannot avoid such an adverse impact despite such reasonable efforts, the Merchant shall notify Malaysia Airlines of such determination. Upon receipt of such notice, Malaysia Airlines may terminate all or any part of the Agreement without penalty or liability (other than for fees due and owing to the Merchant for Services or Products offered prior to such termination) effective immediately upon written notice of such termination to the Merchant. The Merchant shall refund Malaysia Airlines any prepaid fees for the period following the effective date of termination.
- The Merchant will be responsible and liable for the acts, omissions, or defaults of its Subprocessors in connection with the Agreement or otherwise, as if they were the Merchant's own acts, omissions, or defaults.
5. Security
- The Merchant must take, and must ensure that each Contracted Processor takes, all appropriate technical and organisational measures to ensure the confidentiality, integrity, availability, and resilience of systems used for Processing Malaysia Airlines Personal Data and protect against the unlawful destruction, loss, alteration, unauthorised disclosure of or access to Malaysia Airlines Personal Data transmitted, stored or otherwise Processed.
- Without limiting clause 5(a), the Merchant must comply at a minimum with the requirements set out in accordance with the reasonable and acceptable industry standard of technical and organisational security measures, as well as its obligation to notify Malaysia Airlines of any Security Incidents.
6. Audits
Where requested by Malaysia Airlines, the Merchant must:
- permit Malaysia Airlines (or its nominated personnel) to inspect and audit the Merchant's data processing activities (and / or those of its agents and / or Subprocessors which Process Malaysia Airlines Personal Data);
- cooperate with, and comply with all reasonable requests or directions by, Malaysia Airlines to enable it to verify and / or procure that the Merchant is in full compliance with its data protection obligations under the Agreement and this Addendum, including making available all information necessary to demonstrate such compliance; and
- take such remedial actions as are reasonably required by Malaysia Airlines following such audit.
Where requested by Malaysia Airlines, the Merchant must provide Malaysia Airlines with such assistance and information as may be reasonably required in order for Malaysia Airlines to comply with any obligation under Data Protection Laws to carry out an assessment of the impact Merchant's Processing operations may have on the protection of Malaysia Airlines Personal Data or consult with a Regulator.
7. Security Breach Management and Notification
The Merchant must:
- notify Malaysia Airlines immediately upon becoming aware of the occurrence of any incident which has resulted, or is reasonably likely to result, in a breach of security, including any accidental or unlawful loss, theft, deletion, disclosure or corruption of Malaysia Airlines Personal Data and / or any unauthorised use or access to Malaysia Airlines Personal Data (a Security Incident);
- provide all cooperation and information reasonably requested by Malaysia Airlines in respect of a Security Incident, including, as soon as possible following, and in any event within 48 hours of, the detection of the Security Incident by the Merchant:
- full details of the Security Incident, including the categories and approximate number of Data Subjects concerned;
- full details of the Malaysia Airlines Personal Data compromised, including the categories and approximate number of Malaysia Airlines Personal Data records concerned;
- where known, details of the likely consequences of the Security Incident;
- full details of how the Security Incident is being investigated and mitigation and remedial steps already put in place and to be put in place; and
- whether any Regulator, the Data Subjects themselves and / or the media have been informed or is otherwise already aware of the Security Incident, and their response;
- provide all such other cooperation and information reasonably requested by Malaysia Airlines on an ongoing basis to assist in the investigation, mitigation, and remediation of a Security Incident, including providing regular updates to Malaysia Airlines in respect of the Security Incident and the matters described in clause 7(b); and
- not communicate details of a Security Incident to any Regulator, Data Subjects and / or the media without Malaysia Airlines’ prior consent.
8. Restricted Transfer
If the Merchant is a Non-EEA Entity, the parties agree that the Standard Contractual Clauses will apply in respect of any Restricted Transfer from Malaysia Airlines, or any group of companies under Malaysia Aviation Group, to the Merchant. The Merchant must, if required by Malaysia Airlines, do all further things necessary in order to give effect to this clause, including executing the Standard Contractual Clauses as between:
- Malaysia Airlines on behalf of itself and (if applicable) as agent for each group of companies under MAG (as “data exporter”); and
- Merchant (as “data importer”).
If the Merchant is an EEA entity, and the Merchant engages a Subprocessor who is a Non-EEA Entity in accordance with clause 4, then the Standard Contractual Clauses will apply in respect of any Restricted Transfer to the Subprocessor. In order to give effect to this clause, the parties agree that the Standard Contractual Clauses will be executed by:
- Malaysia Airlines, on behalf of itself and (if applicable) as agent for each group of companies under MAG (as “data exporter”); and
- either:
- the Subprocessor (as “the data importer”), in which case the Merchant must procure that the Subprocessor executes such an agreement; or
- the Merchant as agent for and on behalf of the Subprocessor (as “the data importer”), in which case Merchant must warrant that it has authority to execute the agreement as agent for and on behalf of the Subprocessor and ensure that it can, upon request, provide evidence of such authority to Malaysia Airlines.
The parties agree that:
- for the purposes of the Standard Contractual Clauses:
- the instructions to the applicable “data importer” will be the instructions set out in clause 1 and any other documented instructions issued by Malaysia Airlines in accordance with this Addendum; and
- the references to Member State in which the data exporter is established (including clauses 7 and 9 of the Standard Contractual Clauses) will refer to the jurisdiction where Malaysia Airlines appointed its representative; and
- the Standard Contractual Clauses for the transfer of Malaysia Airlines Personal Data outside of the EEA to data processors established outside the EEA as set out in the Commission Decision of 5 February 2010 (C (1010) 593), as amended by EU Commission Implementing Decision 2016/2297 of 16 December 2016 are hereby incorporated into and form part of this Addendum.
Malaysia Airlines warrants that it is duly authorised to act on behalf of each group of companies under MAG for the purposes of clauses 8(a)(i) and 8(b)(i).
9. Cooperation with Regulators and conduct of claims
The Merchant must promptly notify Malaysia Airlines of all enquiries from a Regulator that the Merchant receives which relate to the Processing of Malaysia Airlines Personal Data, the provision of the Agreement, or either party’s obligations under this Addendum, unless prohibited from doing so at law or by a Regulator.
Subject to clause 9(d), the Merchant acknowledges that Malaysia Airlines will handle all communications and correspondence with a Regulator relating to Malaysia Airlines Personal Data and the provision of the Agreement.
Malaysia Airlines will have the sole discretion to assume control of the defence and settlement of any third-party claims that relate to the Processing of Malaysia Airlines Personal Data, including claims against the Merchant, its personnel or its Subprocessors, provided that Malaysia Airlines will not enter into any settlement of such claim or compromise without the Merchant’s prior written consent if such settlement or compromise would assert any Liability against the Merchant, increase the Liability (including under an indemnity) of the Merchant, or impose any obligations or restrictions on the Merchant (such as imposing an injunction or other equitable relief upon the Merchant). Where required, such consent shall not be unreasonably withheld or delayed. Malaysia Airlines' exercise of such right will:
- not be construed to require Malaysia Airlines to bear the costs of such defence and settlement; and
- be without prejudice to its contractual, legal, equitable or other rights to seek recovery of such costs.
The Merchant will be responsible for handling a particular communication or correspondence with a Regulator if:
- Malaysia Airlines notifies the Merchant that the Merchant will be responsible for such communication or correspondence; or
- a Regulator requests in writing to engage directly with the Merchant.
Where the Merchant interacts directly with a Regulator in accordance with clause 9(d), the Merchant must at its own expense, consult and cooperate with Malaysia Airlines throughout the entire interaction process. Any interactions with a Regulator will require the Merchant, its personnel and any Subprocessor to:
- make itself readily available for meetings with the Regulator as reasonably requested;
- answer the Regulator’s questions truthfully and promptly;
- subject to clause 9(e)(iv), provide the Regulator with such information and cooperation as the Regulator may require; and
- where permitted by law, notify Malaysia Airlines of any Regulator’s request for information relating to Malaysia Airlines Personal Data and before disclosing such requested information, the Merchant must fully cooperate with Malaysia Airlines to prevent the disclosure of, or obtain protective treatment for such information, and comply with Malaysia Airlines’ instructions regarding the response to such a request.
10. General
Deletion or return of Malaysia Airlines Personal Data
- Subject to clause 10.1(b), on expiry or termination of the Agreement, or upon request from Malaysia Airlines at any time, the Merchant must immediately cease Processing any Malaysia Airlines Personal Data and return to Malaysia Airlines, or destroy (at Malaysia Airlines’ direction), any Malaysia Airlines Personal Data in the Merchant’s possession or control.
- The Merchant may retain Malaysia Airlines Personal Data only to the extent and for such period as required by applicable laws, provided that the Merchant at all times ensures the confidentiality of such Malaysia Airlines Personal Data and ensures that any retained Malaysia Airlines Personal Data is only Processed as necessary for the purposes specified in such laws requiring its retention and for no other purpose.
Indemnity
Notwithstanding any limitation or exclusion of liability set out in the Agreement, the Merchant must, at all times during and after the term of the Agreement, indemnify Malaysia Airlines and each group of companies under MAG against all losses, damages, costs or expenses and other liabilities (including legal fees) incurred by Malaysia Airlines and each group of companies under MAG arising out of or in connection with:
- any breach of Merchant's obligations under this Addendum;
- the Merchant's negligence or wilful misconduct in relation to any Processing of Personal Data; or
- any Security Incident.
Liability
The parties agree that no limitations of liability set out in the Agreement will apply to any party's liability to Data Subjects under the third-party beneficiary provisions of the Standard Contractual Clauses to the extent limitation of such rights is prohibited by Data Protection Laws.
Exclusion of third-party rights
Malaysia Aviation Group will have third-party rights in accordance with clause 1(b) and Data Subjects are granted third-party rights under the Standard Contractual Clauses. All other third-party rights are excluded.
Governing Law
To the extent required by applicable Data Protection Laws (e.g., in relation to the governing law of the Standard Contractual Clauses), this Addendum shall be governed by the law of the applicable jurisdiction. In all other cases, this Addendum shall be governed by the laws of the jurisdiction specified in the Agreement.
Order of precedence
- The Merchant’s obligations under this Addendum are in addition to and not in lieu of its obligations under any other provisions of the Agreement. If there is an inconsistency between this Addendum and any other part of the Agreement, the terms that afford Malaysia Airlines the greater protection shall apply.
- If there is an inconsistency between this Addendum and any agreement with the Merchant incorporating the Standard Contractual Clauses, then that agreement will prevail.
Changes in Data Protection Laws
- If any variation is required to this Addendum as a result of a change in Data Protection Laws, including any variation which is required to the Standard Contractual Clauses, then either party may provide written notice to the other party of that change in law.
- On receipt of a notice under clause 10.77(a), the parties shall discuss the change in Data Protection Laws and negotiate in good faith with a view to agreeing any necessary variations to this Addendum, including the Standard Contractual Clauses, to address such changes.
Counterparts
This Addendum may be executed in any number of counterparts. All counterparts together will be taken to constitute one instrument.
Definitions & interpretation
In this Addendum, unless the context requires otherwise, a reference to a clause or Annex is a reference to a clause in, or Annex to, this Addendum.
In this Addendum:
Agreement means the agreement between Malaysia Airlines and the Merchant to which this Addendum is attached and includes any statements of work entered into under that Agreement and this Addendum.
Malaysia Airlines means Malaysia Airlines Berhad.
Malaysia Aviation Group means the group constituted by the following entities:
- Malaysia Airlines Berhad;
- all companies under Malaysia Aviation Group Berhad; and
- all bodies corporate, trusts, unincorporated joint ventures, incorporated joint ventures or other business associations in which Malaysia Airlines Berhad or its group of companies under Malaysia Aviation Group Berhad has a shareholding or participation interest.
Malaysia Airlines Personal Data means any Personal Data Processed by a Contracted Processor on behalf of Malaysia Airlines and each company under Malaysia Aviation Group pursuant to or in connection with the Agreement.
Contracted Processor means the Merchant or a Subprocessor.
Data Protection Laws means all laws and regulations applicable to the Processing of Personal Data under the Agreement including the GDPR and the PDPA 2010 and any other applicable laws in any other jurisdiction which may be applicable to the Processing of Malaysia Airlines Personal Data.
Data Subject Request means a Data Subject's request to exercise that person's rights under Data Protection Laws in respect of that person's Personal Data, including, without limitation, the right to access, correct, amend, transfer, obtain a copy of, object to the processing of, block or delete such Personal Data.
EEA means the European Economic Area.
EEA Entity means an entity that is located and operating in a country or territory that:
- is within the EEA; or
- is covered by a framework recognised by the relevant authorities or courts as providing an adequate level of protection for Personal Data (including but not limited to Binding Corporate Rules or the EU-US Privacy Shield Framework).
GDPR means the EU General Data Protection Regulation 2016/679.
Non-EEA Entity means an entity that is located and operating in a country or territory that:
- is outside the EEA; and
- is not covered by a framework recognised by the relevant authorities or courts as providing an adequate level of protection for Personal Data (including but not limited to Binding Corporate Rules or the EU-US Privacy Shield Framework).
PDPA 2010 means the Malaysia Personal Data Protection Act 2010.
Regulator means the data protection authority or other regulatory, governmental or Supervisory Authority with authority over all or any part of (a) the provision of the Agreement, (b) the Processing of Malaysia Airlines Personal Data in connection with the Agreement or (c) the Merchant's business or personnel relating to the provision of the Agreement.
Restricted Transfer means:
- a transfer of Malaysia Airlines Personal Data from Malaysia Airlines or any companies under Malaysia Aviation Group (as applicable) to a Contracted Processor; or
- an onward transfer of Malaysia Airlines Personal Data from a Contracted Processor to (or between two establishments of) a Contracted Processor,
in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of the Standard Contractual Clauses to be established under clause 8.
Security Incident is defined in clause 7(a).
Services and Products mean the services or/and products to be provided by Merchant to Malaysia Airlines and its customers under the Agreement.
Standard Contractual Clauses means the contractual clauses set out in the form annexed to the European Commission’s decision of 5 February 2010 on the Standard Contractual Clauses for the transfer of Personal Data to Processors established in third countries.
Subprocessor means any third party (including the Merchant’s subcontractor but excluding any of their employees or Merchant’s employees) appointed by or on behalf of the Merchant to Process Malaysia Airlines Personal Data on behalf of Malaysia Airlines and its customers pursuant to or in connection with the Agreement.
Merchant has the meaning given in the Agreement.
The terms, "Commission", "Controller", "Data Subject", "Member State", “Personal Data”, “Processor”, "Processing" and "Supervisory Authority" have the same meaning as in the GDPR, and their other grammatical forms shall have a corresponding meaning.
Legal Effect
This Addendum shall take effect between and become legally binding on the parties and the Standard Contractual Clauses shall take effect between and become legally binding between the data importer and data exporter on the date the Agreement to which this Addendum is attached is signed.
ANNEX 1 – PERSONAL DATA PROCESSING DETAILS
This Annex 1 includes certain details of the Processing of Malaysia Airlines Personal Data.
Item No. | Data Processing requirement | Details of the Processing of Malaysia Airlines Personal Data |
---|---|---|
1 | Subject matter and duration of the Processing of Malaysia Airlines Personal Data | The subject matter and duration of the Processing of Malaysia Airlines Personal Data are set out in the Agreement and this Addendum. |
2 | The nature and purpose of the Processing of Malaysia Airlines Personal Data | The nature and purpose of the Processing of Malaysia Airlines Personal Data are set out in the Agreement and this Addendum. |
3 | The types of Malaysia Airlines Personal Data to be Processed | |
4 | The categories of Data Subject to whom Malaysia Airlines Personal Data relates | |
5 | Malaysia Airlines’ obligations and rights | Malaysia Airlines’ obligations and rights as the Data Controller are set out in the Agreement. |