Data Protection Policy

1. Purpose

This Policy establishes the principles, controls, and responsibilities Optimum International Holding Group (“OIHG,” “the Group,” “we,” “our”) follows to protect personal data processed in the course of its global activities—including subsidiaries in Oil & Gas, Gold & Jewellery, Cosmetics, Food & Agriculture, and Investment. It complements (not duplicates) our public‑facing Privacy Policy and applies to all directors, officers, employees, contractors, and third‑party processors who handle personal data on OIHG’s behalf

2. Scope
  • Territorial: All jurisdictions in which OIHG or its subsidiaries operate or from which we collect personal data.
  • Regulatory coverage: EU/UK GDPR, UAE Personal Data Protection Law PDPL (Federal Decree‑Law No. 45 of 2021), Thailand Personal Data Protection Act PDPA B.E. 2562, and any local laws that apply (e.g., CCPA when dealing with California residents).
  • Data: Personal data of customers, prospects, employees, contractors, suppliers, and website users, whether in electronic or paper form.
3. Definitions

Term

Meaning

Personal Data

Any information relating to an identified or identifiable natural person (data subject).

Special‑Category Data

Data revealing racial/ethnic origin, health, biometric identifiers, etc.

Processing

Any operation on personal data (collection, storage, use, disclosure, deletion, etc.).

Controller

The entity that determines the purposes and means of processing (normally OIHG HQ or relevant subsidiary).

Processor

A party processing personal data on behalf of a controller (e.g., cloud host, payroll provider).

DPO

Data Protection Officer—function responsible for overseeing compliance (appointed centrally).

Data Subject

The individual to whom the personal data relate.

4. Principles of Data Protection

OIHG adheres to the principles set out in Article 5 GDPR and mirrored in the UAE PDPL and Thai PDPA:

  1. Lawfulness, Fairness, Transparency
  2. Purpose Limitation
  3. Data Minimisation
  4. Accuracy
  5. Storage Limitation
  6. Integrity & Confidentiality (Security)

Accountability (explicit under GDPR Art. 5 (2) & UAE PDPL).

5. Roles & Responsibilities

Role

Key Duties

Board/Group Executive Committee

Approve policy; allocate resources; champion data‑protection culture.

Data Protection Officer (DPO)

Advise, monitor, train, conduct DPIAs, liaise with regulators; independent reporting line.

Business Unit Heads / Subsidiary MDs

Implement controls within their operations; ensure local compliance.

IT & Security

Apply technical safeguards (access control, encryption, logging, patching, backups).

HR

Incorporate data‑protection clauses in employment contracts; manage employee data subject rights.

All Employees & Contractors

Follow this Policy, complete annual training, report incidents immediately.

Third‑Party Processors

Comply with contractually mandated security, confidentiality, and sub‑processing restrictions.

6. Lawful Bases for Processing

Processing must rely on at least one lawful basis (GDPR Art. 6 / UAE PDPL Art. 4 / Thai PDPA Sec. 24):

  • Contractual necessity (e.g., fulfil purchase orders).
  • Legal obligation (e.g., tax, employment laws).
  • Legitimate interests (balanced against data‑subject rights).
  • Consent (clear, informed, and withdrawable).
  • Vital interests or public interest where applicable.

Special‑category data require an additional condition (e.g., explicit consent or employment law necessity).

7. Data Subject Rights

We enable and document the exercise of all statutory rights, including: access, rectification, erasure, restriction, portability, objection (including marketing opt‑out), and automated‑decision review. Response within 30 days (extendable where allowed). UAE residents gain analogous rights under PDPL Art. 12; Thai individuals under PDPA Sec. 30.

8. Data Protection by Design & Default
  • Conduct Data Protection Impact Assessments (DPIAs) for high‑risk projects.
  • Implement privacy‑friendly default settings (minimal data fields, opt‑in marketing).
  • Use pseudonymisation or anonymisation where identification is unnecessary.
9. Information Security Measures
  1. Technical controls: firewalls, endpoint protection, encryption at rest/in transit, MFA, secure coding, regular penetration tests.
  2. Organisational controls: role‑based access, clean‑desk, visitor logs, supplier due‑diligence, segregation of duties.
  3. Monitoring & logging: centralised SIEM, audit trails retained ≥ 12 months.
  4. Back‑ups & BCP/DR: daily encrypted backups, tested quarterly.

Security standards align with ISO 27001 and NIST SP 800‑53 frameworks.

10. International Data Transfers
  • Adequacy / SCCs / BCRs / PDPL‑compliant contracts used when exporting data from EEA, UK, UAE, or Thailand to jurisdictions lacking an adequacy decision.
  • Maintain a Transfer Impact Assessment (TIA) for recurring transfers.
  • For intra‑Group flows, OIHG relies on an internal Data‑Transfer Agreement binding all subsidiaries.
11. Third Party Management
  • Onboard processors only after security & privacy due‑diligence.
  • Sign data‑processing agreements covering subject‑rights assistance, confidentiality, breach‑notification < 72 hours, restricted sub‑processing, audit rights, and secure deletion at end‑of‑service.
  • Maintain a supplier register reviewed annually.
12. Data Breach Response
  1. Notify DPO immediately (within 2 hours of discovery).
  2. DPO classifies severity: low / medium / high.
  3. Contain, eradicate, recover, document root cause.
  4. Regulator notification: within 72 hours for GDPR / “without undue delay” for PDPL Art. 9 & PDPA Sec. 37.
  5. Data‑subject notification where risk is high.
  6. Post‑incident review; update controls.
13. Retention & Disposal
  • Personal data kept no longer than necessary (see Retention Schedule).
  • Secure disposal: certified shredding, crypto‑wipe, or de‑identification.
  • HR records: 6 years after end of employment (or longer if law requires).
  • CVs: 12 months unless consent renewed.
  • Website analytics: 14 months (aggregated thereafter).
14. Training & Awareness
  • Mandatory induction training within first 30 days; annual refresher e‑learning (≥ 80 % pass).
  • Role‑specific workshops for HR, IT, Legal, and Marketing.
  • Phishing simulations conducted quarterly; results reported to the Board.
15. Record Keeping & Audits
  • Maintain Records of Processing Activities (RoPA) per GDPR Art. 30 / PDPL Art. 18 / PDPA Sec. 39.
  • Internal audits at least annually; external audit every 3 years or upon regulator request.
  • DPO issues compliance report to the Board each Q4.
16. Non Compliance & Disciplinary Action

Violations of this Policy may lead to disciplinary measures up to and including dismissal, contract termination, or legal action. Third‑party breaches may result in contract suspension, penalties, or termination.

17. Policy Review

This Policy is reviewed annually or sooner if:

  • New data‑protection regulations emerge;
  • Significant changes to business processes, IT systems, or risk profile occur;
  • Regulatory guidance or supervisory authority feedback prompts updates.
    Next scheduled review: Q3 2026.
18. Contact & Questions

For questions about this Policy or to exercise data‑subject rights:

Data Protection Officer (DPO)
Optimum International Holding Group