Privacy notice

Notice Under the Personal Data Protection Act 2010

This written notice (“Notice”) is issued by AEON Bank (M) Berhad (Formerly known as ACS Digital Berhad) and on behalf of its subsidiaries and related corporations (collectively “our”, “us” or “we”) to you. For the purpose of this Notice, the terms “personal data”, “sensitive personal data” and “processing” shall have the same meaning as prescribed in the Personal Data Protection Act 201 (“Act”).




1. This Notice serves to inform you that your personal data is being processed by us or on our behalf and you agree to the processing of your personal data in accordance with this Notice.


Description of Personal Data


2. We may collect a variety of personal data (including sensitive personal data) from you from time to time including but not limited to name, date of birth, age, Malaysian Identification Card number, passport number or such other personal identification number, nationality, race, religion, biometrics, preferences, signatures, e-mail address, address, contact number, marital status, photographs, bank account details, credit card details, and other personal data which is submitted or made available by you to us from time to time and all other personal data we collect again from you on any subsequent occasion. Where relevant, we may be required by laws, including without limitation the Financial Services Act 2013 and Islamic Financial Services Act 2013, to collect certain personal data from you.




3. Your personal data is being or is to be collected and further processed by us for the following purposes (where relevant):


  1. performing pre-contractual activities and our contractual obligations with you (such as assessing your application(s)/request(s) for our products and services, to establish your financial standing, employment details, creditworthiness and/or suitability for any of our products/services applied for (if required) and to administer your account with us);

  2. ensuring the performance by you of your pre-contractual activities and contractual obligations to us;

  3. for purposes relating to your use of our services and products;

  4. internal administration and management purposes, including without limitation for purposes related to data storage and management;

  5. to access any online platforms or sites owned, operated or managed by us or on our behalf (“Platform”) and/or, where relevant, allowing you to connect to the wifi facilities provided by us or our service provider;

  6. communicating with you, dealing with your inquiries or complaints, resolving any issues/disputes and enforcing our rights, including but not limited to obtaining professional advice;

  7. the operation, management and/or maintenance of our system and our premises;

  8. business development purposes, market surveys/research and trend analysis such as evaluating the effectiveness of our marketing or advertising content, statistics compilation, reporting, audit, compliance, risk management and assessment, data analytics to improve our services/products and for the purpose of assisting us in any future dealings with you, for example, by identifying your requirements and preferences;

  9. organising, participating in, managing and/or carrying out duties in connection with our events, contests, tournaments, competitions, programmes and other activities organised or sponsored by us or on our behalf (“Events”) and advertising and providing you with information (such as Events, offers or promotions) relating to our and our related corporations’ and business partners’ products and/or services, including without limitation sending you e-newsletters, promotional marketing materials, seasonal/birthday greetings and messages, gifts and/or vouchers;

  10. publishing photographs or video footages of you, which are captured during your participation in any of the Events (with or without your name), on our Platform or social media or at our premises;

  11. complying with applicable laws, contractual, and/or regulatory obligations and related purposes including but not limited to financial or regulatory reporting, audit, and record keeping purposes;

  12. preventing or investigating any illegal or criminal activities, breaches and complying with any legal or regulatory requirements and/or directions and instructions from any law enforcement officer or governmental and regulatory bodies;

  13. ascertaining your status or to facilitate us in making any decisions, for example, checking details in applications for credit-related services or other facilities, managing credit-related accounts or facilities (which include conducting reviews of your portfolios), recovering debts;

  14. contemplated or actual corporate restructuring or corporate transaction involving us including without limitation any merger, acquisition, restructuring and/or reorganization and/or acquisition, disposition, sale, assignment and/or transfer of any or all portion of our business, rights, obligations, assets or stock (“Corporate Transaction”); and/or

  15. such other purposes authorised by you or directly related or ancillary to the foregoing purposes,


(collectively, the “Purposes”).


Source of Personal Data


4. Your personal data is being or is to be collected from a variety of sources, including without limitation:


  1. from the forms submitted or filled in by you or on your behalf to us through the AEON Bank Application, AEON Bank Website, and/or any other method;

  2. when you visit our premises in person or use our products and/or services;

  3. via any Platforms and/or cookies;

  4. when you participate in our Events

  5. from any information or document submitted or provided by you to us for any of the Purposes (such as your Identity Card or passport);

  6. when you contact us through various methods such as telephone calls, emails and/or the Platform;

  7. from any third parties (including without limitation credit reference agencies, regulatory and law enforcement authorities and other third party sources); and/or

  8. from all other communications between you and us and all other information that you may provide to us from time to time.


Access to, Correction of and Limiting the Processing of Personal Data


5. Subject to provisions of the Act, you have the right to request access to and to request correction of your personal data. We may refuse to comply with your data access request or a data correction request and shall, by notice in writing, inform you of our refusal and the reasons for our refusal.


6. You may limit the processing of your personal data or to request us to cease or not begin processing your personal data for purposes of direct marketing. You have the right to withdraw your consent previously given to us (in full or in part) by providing us with a notice in writing subject to any applicable legal restrictions and a reasonable duration of time for the withdrawal of consent to be effected. If you limit the processing or withdraw your consent to any or all use of your personal data, it may result in: (i) us being unable to continue to administer any arrangement or contractual relationship in place between you and us; (ii) us being unable to (continue to) perform any of our contractual obligations to you (if any); (iii) us being unable to process your personal data for any of the Purposes; and/or (iv) the termination of any arrangements or agreements/contracts between you and us, without any liability on our part (“Consequences”).


7. You may contact us with any inquiries or complaints in respect of your personal data via the methods below:

E-mail address


Disclosure of Personal Data


8. We may disclose/transfer your personal data to the following third parties (who may be located within or outside Malaysia) in connection with or for the fulfilment of any of the Purposes:


  1. our related corporations, subsidiaries, affiliates and/or our group companies (“Related Companies”);

  2. our business partners, contractors and service providers, including without limitation our data centre service providers, storage facility and records management service providers, cloud service providers, Information Technology service providers and/or data analytics and marketing agencies;

  3. credit reporting/reference agencies and background check agencies which include Central Credit Reference Information System (CCRIS), CTOS Data Systems Sdn Bhd, Credit Bureau Malaysia Sdn Bhd, Experian Information Services (Malaysia) Sdn Bhd or any other agencies that are not mentioned or specified herein;

  4. our financial and other professional advisors;

  5. banks, takaful/insurance companies, credit card verification providers and payment processors;

  6. governmental (including without limitation semi and quasi governmental) departments and/or agencies, regulatory and/or statutory bodies and law enforcement officer;

  7. such third party as requested for or authorised by you or as required by law;

  8. your nominee, immediate family members and/or contact person (in case of emergency) as may be notified to us in writing from time to time;

  9. safety and security personnel;

  10. our actual or potential assignee, assignor, transferee, transferor, acquirer or acquiree in respect of our rights, interests and properties;

  11. third parties due to any Corporate Transaction; and/or

  12. other third parties for any of the Purposes.


9. Pursuant to clause 8(c) above, you agree that you will be linked by the credit reporting/reference agencies to any other names that you use or may have used, and any joint and several applicants. You also agree that we may share your information and how you manage your accounts or facilities with the relevant credit reporting/reference agencies, and for any of these credit reporting/reference agencies to disclose your credit information to its subscribers.


Intra-Group Data Sharing


10. Your personal data may be shared with our Related Companies through an intra-group data sharing arrangement, for the following purposes:


  1. to onboard you and any other relevant actions related to the services and/or businesses of our Related Companies (where applicable); and

  2. allowing us and our Related Companies to provide you any related services, businesses, and/or customer service, improve such services and/or businesses, and promote such related services and businesses through special promotions, offers or rewards (where applicable).


11. Where you have given consent to the sharing of your personal data with our Related Companies, you also provide consent for us to send any correction of Personal Data that you have requested to our Related Companies, to allow them to update their records.


Security Measures


12. We take personal data security seriously when processing your personal data. We will put in place practical steps to protect your personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction as required by law, including but limited to:

  1. control and limit our employees’ access to personal data system;

  2. terminating user ID and password immediately when our authorised employees are no longer handling the personal data;

  3. keeping all physical files containing personal data in a locked place; and

  4. ensuring that all our employees involved in processing personal data always protect the confidentiality of your personal data.


Personal Data Retention Period


13. We retain your personal data for as long as is required in order to fulfil the primary Purposes as set out in this Notice. It is our standard practice to retain personal data for no longer than seven (7) years unless permitted or otherwise required by laws. We will take all reasonable steps to ensure that your personal data is destroyed or permanently deleted once it is no longer required based on the retention principle and practices set out above.


Personal Data of Minors and Others


14. In respect of personal data relating to: (i) a minor (i.e. individuals under 18 years of age, “Minor”), please note that consent is required from the Minor’s parent or guardian or person who has parental responsibility over the Minor; and (ii) an individual who is deemed incapable of managing his/her own affairs (“Special Person”), please note that we require consent from the person appointed by a court to manage the Special Person’s affairs or the person who has been legally or validly authorised to act on the Special Person’s behalf. Where applicable, you hereby confirm that you are authorised to act on the Minor’s or the Special Person’s behalf as described above and that you consent, on the Minor’s or the Special Person’s behalf, to the processing (including disclosure and transfer) of the Minor’s or the Special Person’s personal data in accordance with this Notice. In the event that you submit any of your Personal Data to us (in addition to the Minor’s personal data or the Special Person’s personal data), you also consent to the processing of your Personal Data in accordance with this Notice.


Third Party Personal Data


15. We may require your assistance if the personal data relating to other persons is required to process your personal data for the Purposes and you hereby agree to use your best endeavours to assist us when required.

16. In the event that personal data of any third party is supplied by you to us, you shall ensure that such third party has read this Notice and consented to us collecting his/her personal data for any of the Purposes prior to the supply of his/her personal data to us.


17. Where another person is providing/submitting any of your personal data to us, you agree that you have authorised the disclosure of your personal data to us and consented to the processing of your personal data by us in accordance with this Notice.


Obligatory Personal Data


18. It is obligatory that you supply us the details marked or specified as compulsory in our forms (collectively, “compulsory personal data”). If you fail to supply us with any of the compulsory personal data, it may result in any of the Consequences.


Transfer of Personal Data to Places Outside Malaysia


19. We may, where necessary, transfer your personal data to a place outside of Malaysia and you hereby give your consent to such transfer.


Accuracy of Your Personal Data


20. You are responsible for ensuring that the information you provide to us is accurate, complete, not misleading and kept up to date. You are required to inform us promptly and accurately of any changes of your personal data in writing to us. Your records will be updated upon receipt of such notice from you.




21. In the event of any conflict between the English version and the Bahasa Malaysia version of this Notice, the English version shall prevail over the Bahasa Malaysia version.




22. We may update and amend this Notice from time to time. We will notify you of any amendments to this Notice via notices on our Platform, through internal email or other appropriate means. Any such amendments will be effective upon such notification. By continuing to engage with us or accessing our Platform after the issuance of such amendment notice, you will be considered as having agreed to this Notice (as amended and updated).