GROUP PRIVACY NOTICE
Introduction
This Group Privacy Notice explains how Baiduri Bank Sendirian Berhad, Baiduri Finance Berhad, and Baiduri Capital Sendirian Berhad (collectively, the “Baiduri Bank Group” or “Group”) collect, use, disclose, retain, and protect Personal Data in accordance with the Personal Data Protection Order of Brunei Darussalam (“PDPO”).
This Group Privacy Notice is issued on behalf of the Baiduri Bank Group and applies across all entities within the Group. It provides a consistent and consolidated explanation of the Group’s Personal Data handling practices.
1. What is Personal Data
“Personal Data” means data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the Group has or is likely to have access.
This may include, but is not limited to, data relating to an individual, such as an individual’s name, identity card or passport number, contact details, residential address, occupation, and financial information.
2. Whose Personal Data we collect
We may collect Personal Data relating to:
3. How we collect Personal Data
We may collect Personal Data from a variety of sources, including but not limited to:
Personal Data may also be collected through the Group’s websites or digital platforms, including through the use of cookies or similar technologies, where such information constitutes Personal Data under the PDPO. Such collection is generally limited to what is reasonably necessary for the operation, security, or use of the relevant website or digital service, and is subject to applicable PDPO requirements.
4. Purposes for collecting and using Personal Data
We collect and use Personal Data for purposes that include, but are not limited to:
5. Disclosure of Personal Data
We may disclose Personal Data in the following circumstances:
Any disclosure of Personal Data is limited to what is necessary and proportionate for the relevant purpose.
6. Cross-border transfers
Where Personal Data is transferred, stored, processed, or accessed outside Brunei Darussalam, the Group will take reasonable measures to ensure that the recipient provides a standard of protection comparable to that required under the PDPO.
7. Retention of Personal Data
We retain Personal Data for as long as necessary to:
When Personal Data is no longer required, it will be securely destroyed, deleted, or anonymised, in accordance with the Group’s retention and disposal policies.
8. Protection of Personal Data
We place great importance on ensuring the security and confidentiality of Personal Data. Accordingly, the Group implements reasonable administrative, technical, physical, and organisational safeguards to protect Personal Data against unauthorised access, use, disclosure, loss, or misuse.
9. Your rights under the PDPO
Subject to the PDPO, you have the right to:
Requests may be made in writing through our official contact channels and will be handled in accordance with the PDPO and applicable exceptions. We may require verification of your identity before processing such requests.
Please note that where you withdraw consent, the Group will cease processing your Personal Data for the relevant consent-based purposes. However, such withdrawal will not affect processing that is necessary to perform or administer an existing contractual relationship with you, or to comply with legal or regulatory obligations.
10. Updates to Group Privacy Notice
This Group Privacy Notice may be updated from time to time to reflect changes in applicable laws, regulatory requirements, or the Group’s Personal Data processing practices. Where required under the PDPO, individuals will be notified of material changes or where additional consent is required.
The latest version of this Group Privacy Notice will be made available through the Group’s official channels.
11. Contact us
If you have questions, requests, or concerns about how your Personal Data is handled, or if you wish to exercise your rights under the PDPO, please contact the Group’s Data Protection Officer at [email protected] or through other official contact channels published by the Group.
This document was last updated on 1 April 2026.
This Group Privacy Notice explains how Baiduri Bank Sendirian Berhad, Baiduri Finance Berhad, and Baiduri Capital Sendirian Berhad (collectively, the “Baiduri Bank Group” or “Group”) collect, use, disclose, retain, and protect Personal Data in accordance with the Personal Data Protection Order of Brunei Darussalam (“PDPO”).
This Group Privacy Notice is issued on behalf of the Baiduri Bank Group and applies across all entities within the Group. It provides a consistent and consolidated explanation of the Group’s Personal Data handling practices.
1. What is Personal Data
“Personal Data” means data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the Group has or is likely to have access.
This may include, but is not limited to, data relating to an individual, such as an individual’s name, identity card or passport number, contact details, residential address, occupation, and financial information.
2. Whose Personal Data we collect
We may collect Personal Data relating to:
- customers and prospective customers;
- employees, former employees, job applicants or prospective employees, interns, and trainees;
- vendors, service providers, business contacts, and counterparties; and
- other individuals whose Personal Data is collected by the Group in the course of its business or Group-organised activities.
3. How we collect Personal Data
We may collect Personal Data from a variety of sources, including but not limited to:
- directly from you, for example, when you apply for a product or service, contact us, or interact with our staff;
- through your use of our products, services, websites, digital platforms, or applications;
- from other Group entities, service providers, regulators, or business partners, where permitted by law;
- from publicly available or other lawful sources; and
- through images, photographs, video recordings, or footage captured via closed-circuit television (CCTV) or other security and recording systems, when you visit or attend our offices, branches, or premises, or when you participate in Group-organised or Group-supported events, campaigns, roadshows, or activities (including at third-party premises where our ATMs, self-service terminals, or events are located).
Personal Data may also be collected through the Group’s websites or digital platforms, including through the use of cookies or similar technologies, where such information constitutes Personal Data under the PDPO. Such collection is generally limited to what is reasonably necessary for the operation, security, or use of the relevant website or digital service, and is subject to applicable PDPO requirements.
4. Purposes for collecting and using Personal Data
We collect and use Personal Data for purposes that include, but are not limited to:
- providing and administering banking, financing, investment, or other financial services;
- verifying identity and conducting customer due diligence, sanctions screening, and related assessments;
- managing accounts, transactions, and contractual relationships;
- organising, administering, and documenting events, campaigns, promotions, competitions, or similar activities;
- sending you marketing, promotional, or informational communications (where permitted under applicable laws);
- complying with legal, regulatory, supervisory, and reporting obligations;
- preventing, detecting, and investigating fraud, financial crime, and security incidents;
- handling enquiries, complaints, and customer support matters;
- improving our products, services, systems, and operations; and
- enforcing contractual and legal rights, including credit management, debt recovery, restructuring, and the transfer or assignment of rights and obligations, where applicable.
5. Disclosure of Personal Data
We may disclose Personal Data in the following circumstances:
- within the Group, on a need-to-know basis, for legitimate business, operational, compliance, risk management, audit, regulatory, or product and service referral purposes;
- to service providers and third parties who process Personal Data on our behalf (such as payment networks, technology providers, merchants, event partners, and professional advisers), subject to appropriate contractual arrangements and reasonable security safeguards;
- to regulators, law enforcement agencies, or authorities, where required or authorised by law for the performance of their functions; or
- to other parties, with your consent or where such disclosure is otherwise permitted under the PDPO.
Any disclosure of Personal Data is limited to what is necessary and proportionate for the relevant purpose.
6. Cross-border transfers
Where Personal Data is transferred, stored, processed, or accessed outside Brunei Darussalam, the Group will take reasonable measures to ensure that the recipient provides a standard of protection comparable to that required under the PDPO.
7. Retention of Personal Data
We retain Personal Data for as long as necessary to:
- fulfil the purpose for which it was collected; and
- meet legal, regulatory, business, or operational requirements.
When Personal Data is no longer required, it will be securely destroyed, deleted, or anonymised, in accordance with the Group’s retention and disposal policies.
8. Protection of Personal Data
We place great importance on ensuring the security and confidentiality of Personal Data. Accordingly, the Group implements reasonable administrative, technical, physical, and organisational safeguards to protect Personal Data against unauthorised access, use, disclosure, loss, or misuse.
9. Your rights under the PDPO
Subject to the PDPO, you have the right to:
- request access to your Personal Data held by us;
- request correction of Personal Data that is inaccurate or incomplete; and
- withdraw consent where processing is based on consent.
Requests may be made in writing through our official contact channels and will be handled in accordance with the PDPO and applicable exceptions. We may require verification of your identity before processing such requests.
Please note that where you withdraw consent, the Group will cease processing your Personal Data for the relevant consent-based purposes. However, such withdrawal will not affect processing that is necessary to perform or administer an existing contractual relationship with you, or to comply with legal or regulatory obligations.
10. Updates to Group Privacy Notice
This Group Privacy Notice may be updated from time to time to reflect changes in applicable laws, regulatory requirements, or the Group’s Personal Data processing practices. Where required under the PDPO, individuals will be notified of material changes or where additional consent is required.
The latest version of this Group Privacy Notice will be made available through the Group’s official channels.
11. Contact us
If you have questions, requests, or concerns about how your Personal Data is handled, or if you wish to exercise your rights under the PDPO, please contact the Group’s Data Protection Officer at [email protected] or through other official contact channels published by the Group.
This document was last updated on 1 April 2026.
