NS BlueScope Pte Ltd
Data Protection Policy
NS BlueScope Pte Ltd and its related corporations as well as its representatives and/or agents (collectively, “NSB”, “us”, “we” or “our”) are committed to protecting your privacy.
Purpose of this policy
The purpose of this Data Protection Policy (“DPP”) is to inform you of how NS BlueScope Pte Ltd and its related corporations manage Personal Data which is subject to the Singapore Personal Data Protection Act (No. 26 of 2012) or equivalent local data protection laws (“PDPA”). Please take a moment to read this DPP so that you know and understand the purposes for which we collect, use and disclose your Personal Data.
How this Policy applies
By interacting with us, submitting information to us (directly or through authorized third parties), purchasing or procuring any goods or services offered by us, you agree and consent to our collecting, using, disclosing and sharing amongst ourselves your Personal Data, and disclosing such Personal Data to our authorised service providers and relevant third parties in the manner set forth in this DPP. This DPP applies in conjunction with any other notices, contractual clauses and consent clauses that apply in relation to the collection, use and disclosure of your personal data by us.
Updates – Date of last update: February 2022
We may from time to time update this DPP to ensure that the DPP is consistent with our future developments, industry trends and/or any changes in legal or regulatory requirements. Subject to your rights at law, you agree to be bound by the prevailing terms of this DPP as updated from time to time on our website. Your continued use of our services constitutes your acknowledgement and acceptance of such changes.
1. Personal Data
1.1. In this document, Personal Data includes ‘personal data’ as defined by Singapore, Malaysia, Indonesia, Thai, Brunei and Myanmar privacy laws and ‘personal information’ as defined by Vietnamese privacy law.
1.2. Examples of such Personal Data you may provide to us include (depending on the nature of your interaction with us) your name, passport or other identification number, telephone number(s), mailing address, email address and any other information relating to any individuals which you have provided us in any forms you may have submitted to us (including in the form of biometric data), or via other forms of interaction with you.
2. Collection of Personal Data
2.1. How do we collect your Personal Data?
Depending on the specific capacity which you might interact with us, and the method that you do so, we collect Personal Data in the following ways:
(a) when you submit any forms to us;
(b) when you enter into any agreement or provide other documentation or information in respect of your interactions and transactions with us, or when you procure goods or services from us;
(c) when you respond to surveys and research initiatives conducted by us or on our behalf;
(d) when you complete and submit any forms to us;
(e) when you interact with our staff, for e.g. via telephone calls (which may be recorded), letters, fax, face-to-face meetings and email;
(f) when you interact with us via our websites;
(g) when you respond to our request for additional Personal Data;
(h) when your images are captured by us via CCTV cameras while you are within our premises, or via photographs or videos taken by us or our representatives when you attend events hosted by us;
Marketing, customer outreach, and benefits
(i) when you request that we contact you, be included in an email or other mailing list;
(j) when you enrol with a customer or marketing programme or participate in a marketing or customer relationship management programme;
(k) when you participate in or take up customer benefits; and
(l) when you submit your Personal Data to us or authorized third parties for any other reason.
When third parties provide us with your Personal Data. Such third parties include:
(m) users of our websites and forms who provide information to us;
(n) authorized dealers, retailers, roll formers, distribution centres and hardware stores, who purchase goods available from us and provide such goods to you;
(o) developers, contractors, sub-contractors, builders, consultants that we work with to provide our goods and services;
(p) vendors and service providers that we work with; and
(q) other third parties that have obtained or collected information about you and have the right to provide that Personal Data to us.
2.2 What about Personal Data that we receive through third parties and Personal Data of third parties that you give us?
Where practicable, we will collect Personal Data directly from you. If we receive information about you from someone else, we may (where appropriate) take reasonable steps to ensure you have consented to the collection of Personal Data about you and the circumstances of the collection.
Please note that if you provide us with any Personal Data relating to a third party (e.g. information of your spouse, children, parents), you should have first obtained the consent of that third party before providing their Personal Data to us. If you are unsure, please let us know. By submitting such information to us, you represent to us that you have obtained their consent to you providing us with their Personal Data for the respective purposes.
2.3. What Personal Data do we collect?
The nature of Personal Data we collect from you will depend on the circumstances in which that information is collected. It may include: your name, contact details, transaction-related information (such as may be necessary to process or administer your transactions or dealings with us). We may collect Personal Data about you through a variety of sources and we may also combine it with information we receive from other sources, such as publicly available information sources and other third parties.
2.4. Please ensure the Personal Data you give is complete, accurate & true
You should ensure that all Personal Data submitted to us is complete, accurate, true and correct. If there is a change to your Personal Data, please promptly update us. Failure on your part to do so may result in our inability to provide you with goods and services you have requested or to process your applications or requests.
2.5. What if you refuse to provide us with your Personal Data?
For the Personal Data we collect, we do so where we are either entitled to do so under applicable law or where we must do so in order to facilitate and support our interactions with you and/or the transactions which you engage us in. Where so, we are entitled to and need your Personal Data to perform our roles or fulfil the purposes stated further in this DPP.
If you refuse to provide us with such Personal Data or withdraw your consent to our use of such Personal Data, we may not be able to perform our role or fulfil the applicable purposes and functions for which we use your Personal Data, and we may be entitled to cancel or cease proceeding further in our interactions and transactions. We would be entitled to apply the legal consequences of this, and reserve our rights in such situations.
3. Purposes for the Collection, Use and Disclosure of your Personal Data
3.1. Generally, we collect, use and disclose your Personal Data for the following purposes:
Communicating and handling your requests
(a) responding to, processing and handling your queries, complaints, feedback, suggestions and requests;
(b) verifying your identity by carrying out security / due-diligence checks;
(c) matching any Personal Data held which relates to you for any of the purposes listed in the DPP;
Complying with the law and managing incidents / investigations
(d) preventing, detecting and investigating crime, including fraud and money-laundering or terrorist financing, and analysing and managing commercial risks;
(e) managing the safety and security of our premises and services (including but not limited to carrying out CCTV surveillance and conducting security clearances);
(f) in connection with any claims, investigations, actions or proceedings (including but not limited to drafting and reviewing documents, transaction documentation, obtaining legal advice, and facilitating dispute resolution), and/or protecting and enforcing our contractual and legal rights and obligations;
(g) monitoring or recording phone calls and customer-facing interactions for quality assurance, fulfilment of requests, administering legal rights, and identity verification purposes;
(h) managing and preparing reports on incidents;
(i) complying with any applicable rules, laws and regulations, codes of practice or guidelines or to assist in law enforcement and investigations by relevant authorities (including but not limited to disclosures to regulatory bodies, conducting audit checks, surveillance and investigation or conducting customer due diligence);
Carrying out our business operations
(j) managing our administrative and business operations and complying with our internal policies and procedures;
(k) performing obligations and facilitating operations in the course of or in connection with our provision of goods and/or services;
(l) facilitating communications in the course of or in connection with our provision or receipt of goods and/or services;
(m) processing payment or credit transactions;
(n) facilitating business asset transactions (which may extend to any merger, acquisition or asset sale) involving NSB;
(o) requesting feedback or participation in surveys, as well as conducting market research and/or analysis for statistical, profiling or other purposes for us to design and improve our goods and services, understand preferences and market trends, and to review, develop and improve the quality of our goods and services;
(p) researching and analysing the effectiveness of our websites and the marketing, advertising and sales efforts of us and our authorized dealers, retailers, roll formers, distribution centres and hardware stores;
(q) promote our goods and/or services, or promote goods and/or services of third parties which we think may be of interest to you;
(r) administering, managing and facilitating participation in the customer engagement programmes (e.g. loyalty and reward programmes, customer relationship management programmes) (collectively, “Customer Engagement Programmes”) such as, but not limited to the GROOVE retail loyalty programme, retail business platform, TrueBlue Program, the TrueBlue benefits cards, customer membership programmes and so on;
(s) transmitting to any third parties including our third party service providers and agents, and relevant governmental and/or regulatory authorities, whether in Singapore or abroad, for the purposes set out in this DPP;
(t) managing your relationship with us;
(u) verifying and processing your personal particulars to maintain accurate records;
(v) any other purposes for which you have provided the information;
(w) any other incidental business purposes related to or in connection with the purposes set out in this DPP;
and any purposes which are reasonably related to any of the above.
3.2. In addition, we collect, use and disclose your Personal Data for the following purposes:
If you are our customer, an employee, officer or director of our customers, or a customer of our authorized dealers, retailers, roll formers, distribution centres and hardware stores
(a) communicating with you to inform you of changes and developments to our policies, terms and conditions and other administrative information;
(b) creating and maintaining profiles of our customers in our system database;
(c) fulfilling your requests or transactions relating to customer outreach and communications (e.g. direct mailing or advertisement programmes, etc);
(d) analysing your profile, transactions or history of dealings with us to determine ways in which we can improve our support or interactions with you, including enhancing our relationship with you as our customer;
(e) organising and facilitating customer meetings;
(f) conducting internal analysis for segmentations in potential rollout of training events, customer gatherings, invitation for store launches, marketing communications, and related activities;
(g) managing any warranties in relation to our goods and services;
(h) dealing with service requests and following up on any arrangements or engagement with us;
and any purposes which are reasonably related to any of the above.
If you are an employee, officer or owner of an external service provider or vendor providing services to us
(a) assessing your organisation’s suitability as an external service provider or vendor;
(b) managing project tenders and quotations, processing orders or managing the supply of goods and services;
(c) creating and maintaining profiles of our service providers and vendors in our system database;
(d) communicating with you to inform you of changes and developments to our policies, terms and conditions and other administrative information;
(e) processing and payment of vendor invoices and bills;
(f) facilities management (including but not limited to issuing visitor access passes and facilitating security clearance);
and any purposes which are reasonably related to any of the above.
If you are attending any events, conferences, seminars, retreats or customer trips (“Events”)
(a) organising and facilitating Events which you have chosen to attend, enrol or join;
(b) arranging for travel and accommodation in connection with the Events;
(c) taking or filming photographs and videos for corporate publicity or marketing purposes, and including photographs and videos featuring you in our publications and videos in such Events (subject to appropriate notifications at the Events);
(d) executing, administering and facilitating any Event-specific programme agenda and activities;
(e) handling your queries or arranging for communications in connection with the Event;
and any purposes which are reasonably related to any of the above.
Do note further that any Customer Engagement Programmes and Events may be subject to terms & conditions and may include privacy policies or data protection policies of their own. If so, such policies will apply in conjunction with, and in addition to the DPP here though any conflict between the two will be resolved in favour of the Customer Engagement Programmes or Event policy (whichever is applicable). In such Events, the Personal Data of any travelling companions or persons who attend with you may also be collected, used or disclosed and handled under this DPP.
3.3. In relation to the procurement of particular goods or services, or in your interactions with us, we may also have specifically notified you of other purposes for which we collect, use or disclose your Personal Data. If so, we will collect, use and disclose your Personal Data for these additional purposes as well, unless we have specifically notified you otherwise.
4. Disclosure of Personal Data
4.1. We will take reasonable steps to protect your Personal Data against unauthorised disclosure. Subject to the provisions of any applicable law, your Personal Data may be provided, for the purposes listed above (where applicable), to the following entities or parties, whether they are located in your country or overseas:
(a) our related corporations, subsidiaries and affiliates;
(b) companies providing services relating to insurance;
(c) agents, contractors, sub-contractors or third party service providers who provide operational services to us, such as courier services, telecommunications, information technology, payment, printing, billing, debt recovery, processing, technical services, transportation, training, travel, market research, call centre, security, or other services to us;
(d) customers, vendors or third party service providers in connection with goods and services offered by us (directly or through our business partners);
(e) vendors or third party service providers and our marketing and business partners in connection with marketing promotions, goods and services;
(f) our business partners including but not limited to BlueScope authorized dealers, retailers, roll formers, distribution centres and hardware stores;
(g) credit reporting agencies;
(h) any business partner, investor, assignee or transferee (actual or prospective) to facilitate business asset transactions (which may extend to any merger, acquisition or asset sale) involving us;
(i) our business partners;
(j) external banks, credit card companies, other financial institutions and their respective service providers;
(k) external business and charity partners in relation to corporate promotional events;
(l) our professional advisers such as our auditors and lawyers;
(m) relevant government regulators or authority or law enforcement agency to comply with any laws, rules and regulations or schemes imposed by any governmental authority; and
(n) any other party to whom you authorise us to disclose your Personal Data to.
4.2. Overseas transfers of your Personal Data
Where you consent to us doing so, Personal Data collected in one country may be disclosed or transferred to another. In the conduct of our business, we transfer to, hold or access Personal Data from various countries including but not limited to ASEAN countries (Brunei, Indonesia, Malaysia, Philippines, Singapore, Thailand, Myanmar, Cambodia, Laos, and Vietnam), Japan, China, Australia, Ireland, South Korea, and the Netherlands.
The data protection laws in these countries may not be comparable to those in your home country. However, when we transfer your Personal Data to another country, we will take appropriate steps to protect that Personal Data, for example by imposing appropriate contractual obligations of security and confidentiality on the recipient of your Personal Data. That said, we are entitled under the PDPA to make transfers of your Personal Data without your consent where we have certain legal and operational safeguards in place.
For Personal Data collected in Indonesia, we report any disclosure of Personal Data overseas to the Ministry of Communication and Information Technologies before and after such transfer occurs in accordance with the legal requirements. By agreeing to this DPP, you consent to any overseas transfer of your Personal Data in accordance with this DPP.
5. IT Matters:
5.2. When you interact with us on our websites, we automatically receive and record information on our server logs from your browser. We may employ cookies in order for our server to recognise a return visitor as a unique user including, without limitation, monitoring information relating to how a visitor arrives at the website, what kind of browser a visitor is on, what operating system a visitor is using, a visitor’s IP address, and a visitor’s click stream information and time stamp (for example, which pages they have viewed, the time the pages were accessed and the time spent per web page).
5.3. Cookies are small text files placed in the ‘Cookies’ folder on your computing or other electronic devices which allow us to remember you. The cookies placed by our server are readable only by us, and cookies cannot access, read or modify any other data on an electronic device.
5.4. Cookies can be disabled or removed by tools that are available in most commercial browsers. The preferences for each browser you use will need to be set separately and different browsers offer different functionality and options. Should you wish to disable the cookies associated with these technologies, you may do so by changing the settings on your browser. However, you may not be able to enter certain part(s) of our website.
5.5. Our website may contain links to other websites operated by third parties, including for example, our business partners. We are not responsible for the data protection practices of websites operated by third parties that are linked to our website. We encourage you to learn about the data protection practices of such third party websites. Some of these third party websites may be co-branded with our logo or trade mark, even though they are not operated or maintained by us. Once you have left our website, you should check the applicable data protection policy of the third party website to determine how they will handle any information they collect from you.
6. Retention of Personal Data
Personal Data that we collect will be retained for 7 years or for as long as it is necessary for the purpose for which it was collected or processed (whichever is later), subject to applicable legal and/or regulatory requirements.
Personal data that we collect in Indonesia shall be retained (and encrypted) for at least 5 years, unless regulated otherwise by applicable sectoral regulations in Indonesia.
When the information is no longer required, it will be destroyed or permanently deleted (unless otherwise required by law) within a reasonable time period.
7. Managing Consents
7.1. The purpose of this DPP is to not only inform you of the purposes and business contact information of the Data Protection Officer, but to also provide you with further information which is relevant to the way in which we may also manage your consent arrangements in respect of your personal data where such consents are required or not subject to an exception.
7.2 Deemed Consent by Conduct
Without prejudice to other consents or rights we may have under the PDPA or at law, and in the daily course of our dealings with you both in the past, now and in the future, you may have provided us with your personal data in connection with the purposes which have already been notified to you either in this current or earlier version of this DPP. Where so, your consent to the collection, use or disclosure of your personal data for such purposes would have been deemed by your provision of your personal data except where we have explicitly indicated a separate consent is required.
7.3 Deemed Consent for Contractual Necessity
Where we have entered into a contract with you under which we are to execute contractual obligations owed to you, without prejudice to other consents or rights we may have under the PDPA or at law, your personal data will be collected, used or disclosed by other organisations with whom we collaborate in accordance with the DPP to the extent it is reasonably necessary for us to fulfil our contractual obligations or to exercise our contractual rights, in relation to you.
These other organisations may in turn collect, use or disclose your personal data in order to carry out these necessary purposes and that may in turn include further disclosures to third party organisations. In each case the collections, uses and disclosures of such personal data are limited to the necessary purposes.
In the event that your contract with us is terminated or expires for any reason whatsoever, such reasonably necessary purposes will continue to apply to allow us to discharge our obligations and exercise our rights in accordance with the termination or expiry of the contract employment but also to manage our rights and obligations which survive such termination or expiry, including our duties at law that apply beyond your contract of employment with us.
7.4 Deemed Consent by Notification
Without prejudice to other consents or rights we may have under the PDPA or at law, we may, having first taken measures (including conducting relevant assessments, identify reasonable measures to eliminate, mitigate or avoid any identified adverse effects, and apply or other requirements as prescribed by law) choose to manage additional or future further consents required of you under this DPP, by issuing a notice to you (“Notice”), providing you with information on:
(a) our intention to collect, use or disclose your personal data; and
(b) the purposes for which the personal data will be collected, used or disclosed.
Where so, this Notice will be issued to you via email against your last known and updated email address (or, alternatively, any other mode which we reasonably consider is most likely to result in your receiving the Notice), and you will be given thirty (30) days (or such longer period as we may reasonably deem appropriate) within which to let us know if you do NOT consent. In the event that we do not receive a response to that effect, we will proceed on the basis that such consent is deemed pursuant to the PDPA.
Kindly note that your response should be unambiguous so we are able to apply your instructions and that we may seek verification of such instructions and your identity to confirm the instructions are duly authorised.
In the event that you act through representatives, including your office, agents, or other intermediary, we will send the Notice using the particulars last updated with us.
You agree that you will let us know if you would prefer another mode by which such a Notice or communications in connection with this would be preferred failing which we will proceed on the basis as outlined above.
8. Legitimate interests
In compliance with the PDPA, we may collect, use or disclose your personal data without your consent for our legitimate interests or another person. In relying on the legitimate interests exception of the PDPA, we will assess the likely adverse effects on the individual and determine that the legitimate interests outweigh any adverse effect.
9. Your Rights in the Collected Personal Data
You are entitled to (i) withdraw your consent to any use or disclosure of any Personal Data, (ii) object to any collection, use, processing or disclosure of any Personal Data, (iii) request a suspension of the use of any Personal Data, (iv) request an access to, or a provision, correction, updating or deletion of any Personal Data, and (v) make a complaint regarding any violation or non-compliance of the DPP by us. If at any time you would like to do so, please contact us at address provided in section 10 below. In certain circumstances, including when required by applicable law, we will comply with your request. Before we are able to provide you with any information or correct any inaccuracies, we may ask you to verify your identity and/or provide other details to help us respond to your request.
10. Contacting Us – Feedback, Withdrawal of Consent, Access and Correction of your Personal Data
10.1. If you:
(a) have any questions or feedback relating to your Personal Data or our DPP;
(b) would like to withdraw your consent to any use of your Personal Data as set out in this DPP;
(c) would like to obtain access and make corrections to your Personal Data records; or
(d) would like to exercise any other rights under section 9 above,
please contact the Data Protection Officer at [email protected].
10.2. Please note that if your Personal Data has been provided to us by a third party, you should contact that organisation or individual to make such queries, complaints, and access and correction requests to us on your behalf.
11. Language of this DPP
In the event of any inconsistencies or discrepancies between the English version and the local language version (if any), the English version shall prevail.