32

Maybank Sustainability Report

2014

Corporate

Governance

Competition

The

Competition Act 2010

(the Act) came into force on 1 January 2012.

To facilitate Group-wide adherence, the Joint Secretariat to the Maybank

Group Antitrust Steering Committee (Joint Secretariat), which consists of

key representatives from Group Corporate and Legal Services, and Group

Compliance, developed a guide to the

Competition Act 2010

, which has

been disseminated to all staff via the Group’s e-portal.

The guide is intended to assist all staff in understanding the basic

elements of the Act and competition law issues, and to ensure that our

business operations and conduct continue to be in compliance with the

provision of the Act competition. It highlights two key prohibitions under

the Act, namely anti-competitive agreements (horizontal and vertical) and

abuse of dominant position.

G4-56

Personal Data Protection

The Group has embarked on a project to implement the requirements

specified under

Personal Data Protection Act 2010 (PDPA)

. This project,

which started in 2012, is jointly led by Group Compliance and Group Tax to

ensure that the entire Group complies with the requirements of the Act.

PDPA was introduced to regulate the processing of personal data used

during commercial transactions by data users (for example, Maybank

Group) to safeguard the interests of data subjects (for example, Maybank

Group’s customers). The Act defines commercial transactions as any

transaction of a commercial nature, whether contractual or not. This

includes any matters relating to supply or exchange of goods and services,

agency, investments, financing, banking, and insurance. The Act was

gazetted on 10 June 2010 and came into force on 15 November 2013.

The first step in complying with the PDPA is to register with the Jabatan

Perlindungan Data Peribadi Malaysia (JPDPM), the governing body under

the Ministry of Communications and Multimedia regulating personal data

protection. We take pride in being the first organisation in Malaysia to

register with JPDPM.

An example of the activities undertaken by the PDPA project team include:

• Issued Privacy Notice to all customer touch points to spell out

customer’s rights and the Group’s obligation under the Act;

• Incorporated Maybank Group PDPA Policy and other internal policies

necessary to Maybank’s internal processes and procedures to ensure

that all staff adheres strictly to the requirements of PDPA;

• Strengthened the Group’s internal systems to ensure that customers’

consent is well managed;

• Enhanced our internal systems to provide customers access to their

personal data in our systems. This exercise will comply with the

Access Principle under the PDPA.

We have taken steps to comply with the requirements of the PDPA,

including the publication of the Bank’s Privacy Notice on the bank’s

website and the notification to our customers through the message portal

on the bank’s ATM machines and customers’ statements of account that

the Bank’s Privacy Notice is available on its website.