MALAYSIA SUPPLEMENTAL PROVISIONS

Last Updated and Effective Date: October 19th, 2024

If the Citi legal entity for which you work for or to which you provide services is established/located in Malaysia, the Privacy Notice will be supplemented/amended by the following:

1. DEFINITIONS

   For the purpose of this Supplemental:

   “PDPA” means the Personal Data Protection Act, 2010 of Malaysia, including any statutory modification or re-enactment.

2. CHANGES TO THE PRIVACY NOTICE

   2.1 References to “data controller” in the Privacy Notice means the “Data User” as defined in the PDPA.

   2.2 “personal data” means any information that relates to a person and that could be used, either directly or indirectly, to identify the person, or other information that constitutes “personal data” under the PDPA.

   2.3 “Processing” shall in relation to personal data, means collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data, including (a) the organization, adaptation or alteration of personal data; (b) the retrieval, consultation or use of personal data;(c) the disclosure of personal data by transmission, transfer, dissemination or otherwise making available; or(d) the alignment, combination, correction, erasure or destruction of personal data.

   2.4 A new Section 5A as follows is inserted into the Privacy Notice:
   
   “Security Measures”
   
   We take the following measures to protect your personal data:

   1. by ensuring your personal data is kept as required by the PDPA;

   2. by using reasonable endeavours to ensure that our affiliates and third party service providers will, implement reasonable and appropriate technical and organizational security measures to protect personal data that is within its or their custody or control against unauthorized or unlawful Processing and accidental destruction or loss; and

   3. by performing contract/agreement with system vendor. Nevertheless, you must take care of your Citi issued identification number, PIN, password, including, but not limited to, information, codes or identifiers provided to you by or on behalf of Citi and not disclose it to others so that your data will not be breached.”

   2.4 Section 6 (Retention of Personal Information) shall be replaced entirely with the following: “We retain Personal Information in connection with the App only for the length of time that is necessary to carry out the purposes for which the Personal Information was gathered, including the length of time in which you are engaged under a contract of employment or services with Citi; as well as for legal, regulatory, audit and internal compliance purposes to the extent that it is permissible under applicable laws and regulations, but shall otherwise securely destroy or delete such personal data.”

   2.5 The third paragraph of Section 9 is replaced entirely by the following: “You have the right to access and correct personal data relating to you that is inaccurate, incomplete, misleading or not up-to-date. To learn more about methods for exercising your rights, please refer to the Contact Us section (Section 10) below.”