WILMAR GROUP EXTERNAL PRIVACY POLICY

1. About this Policy

Introduction

1.1 The Wilmar Group (as defined hereinafter) is committed to safeguarding your personal data.

1.2 We value your right to privacy and strive to protect your personal data in accordance with applicable

data protection legislation and, more specifically, the GDPR (as defined hereinafter).

1.3 In this Privacy Policy (“Policy”), we set forth how we collect your personal data, how and for what

purposes we may use your personal data and to whom your personal data may be disclosed by

us. Further, this Policy includes important information regarding your rights with respect to the

processing of your personal data. Therefore, we encourage you to read this Policy very carefully.

1.4 We do not ask for your consent to the processing of your personal data by means of this Policy. As

we will further clarify in this Policy, we have other legal grounds to process your personal data.

Nonetheless, in certain circumstances, we may require your consent for specific processing

activities envisaged by us. Even if we have your consent, you may choose to withdraw it at any

time.

Definition

1.5 In this Policy, the following terms shall have the meanings set out below and cognate terms shall

be constructed accordingly:

“Applicable Data

Protection Law”

means the legislation protecting the fundamental rights and freedoms of

individuals and, in particular, their right to privacy with respect to the

processing of personal data, including the GDPR and the PDPA (as defined

hereinafter);

“Data Subject” means a living individual who can be identified on the basis of his or her

personal data;

“GDPR” means the Regulation (EU) 2016/679 of 27 April 2016 on the protection of

natural persons with regard to the Processing of Personal Data and on the

free movement of such data, and repealing Directive 95/46/EC (General Data

Protection Regulation);

This is the external privacy policy of Wilmar International Limited and its subsidiaries (as defined in the

Companies Act 1967), to the exclusion of Wilmar Europe Holdings B.V. and its subsidiaries and Yihai

Kerry Arawana Holdings Co., Ltd and its subsidiaries.

Each Wilmar Group Entity (as defined hereinafter) which holds or processes your personal data shall

herein be referred as the “Data Controller”.

Our personal data protection officer can be contacted at pdpo@wilmar.com.sg and/or at Wilmar

International Limited, 28 Biopolis Road, Singapore 138568 (Attention: Personal Data Protection

Officer).

Our EU Representative is Wilmar Europe Holdings B.V.

1.6 When we use “we”, “us” or “our” in this Policy, we mean the Wilmar Group.

1.7 This Policy applies to your personal data that we collect, use and otherwise process regarding your

relationship with us as a job applicant, business contact or anyone who has an interest (for

whatsoever reason) in the Wilmar Group.

1.8 A reference to “Clause” or “Schedule” refers to a clause or schedule in this Policy.

Policy update

1.9 This Policy applies in conjunction with any other policies, notices, contractual clauses and consent

clauses that apply in relation to our collection, use and disclosure of your personal data. The latest

version is available at http://www.wilmar-international.com/contact-us/. This Policy was last

updated on 6 October 2022.

1.10 We may revise this Policy from time to time without prior notice. If you are a job applicant, your

continued participation in our recruitment process constitutes your acknowledgment and

acceptance of such changes (if any). Your continual usage of our Websites constitutes your

acknowledgement and acceptance of such changes (if any).

1.11 We encourage you to regularly review this Policy. You may also ask us to send you a copy of the

most recent version of this Policy at your cost.

Your acknowledgment and consent

1.12 By using our services and/or our Website and by sharing your personal data with us, you

acknowledge that your personal data will be processed in the manner as described in this Policy.

1.13 Nonetheless, Clause 1.10 does not constitute your consent to the processing of your personal data.

We do not process your personal data on the basis of your consent, unless specifically indicated.

2. What is personal data

Personal data is information about an individual who can be identified from that information or from

that information and other information to which we have access.

3. Which type of personal data do we collect

“PDPA” means the Personal Data Protection Act 2012;

“PDPO”

means Personal Data Protection Officer who is an employee of the Wilmar

Group who oversees the Wilmar Group’s data protection responsibilities and

ensure Wilmar Group’s compliance with the PDPA;

“Websites” means collectively (a) Wilmar International Limited’s official website at

www.wilmar-international.com; (b) websites of any Wilmar Group Entity

which the official website redirects; and (c) other websites belonging to any

Wilmar Group Entity. “Website” shall mean any of the aforementioned

websites; and

“Wilmar Group” means Wilmar International Limited and each of its subsidiaries (to the

exclusion of Wilmar Europe Holdings B.V.), and “Wilmar Group Entity”

means any one of them.

Whose personal data do we collect

3.1 We only collect personal data that is relevant to our relationship with you.

3.2 In the context of our services, we may collect personal data relating to our customers, suppliers,

representatives of the authorities or non-governmental organizations or visitors of our Website. If

you are a shareholder, director, corporate officer, manager, employee or appointed contractor of

any business entity, we may collect your personal data if it is relevant to our business relationship

with you in that entity.

Types of personal data

3.3 The personal data we collect, if you are a job applicant, includes but is not limited to:

(a) personal particulars (e.g. name, gender, date of birth, nationality, identity card / passport

details);

(b) contact information (e.g. mailing address, telephone numbers, email address, facsimile

numbers);

types of qualification);

(d) medical and health details (e.g. prior medical history);

(e) financial details (e.g. income, expenses, credit card information);

(f) employment details (e.g. employment history, salary, benefits, title, tenure);

(g) photographs and other audio-visual information;

(h) personal opinions that you make known to us;

(i) marital status and spousal information; and/or

(j) information about next-of-kin.

3.4 If you are not a job applicant, the personal data we collect includes but is not limited to:

(a) personal particulars (e.g. name, gender, date of birth, identity card, passport details);

(b) contact information (e.g. address, telephone numbers, email address, facsimile numbers);

and/or

3.5 The personal data we collect generally, when you browse our Websites, includes but is not limited

to:

(a) information about your use of our Websites, contact centres; and/or

(b) information about your device and your geographical location (e.g. your Internet Protocol

(IP) address or unique device identification).

4. How do we collect your personal data

4.1 We may collect personal data:

(a) directly from you;

(b) through third party when they are duly authorized by you to collect and thereafter provide

your personal data to us;

organisations or publicly available resources such as telephone or business directories)

without your involvement; and/or

(d) through CCTV we use in and around our premises at our production facilities or other

(monitoring) technologies.

4.2 Collection of personal data may be done in person when you meet our staff or representatives,

over the telephone, by email or through our Websites. To the extent allowed under applicable law,

we may also collect your personal data from third party sources without directly involving you.

5. When do we collect your personal data

We collect personal data about you, when:

(a) you apply for a job with us;

(b) you enter into a business relationship with us;

(d) you visit our Websites;

(e) you seek access to our business premises;

(f) you attend our general meetings or results briefing sessions;

(g) you contact us with feedback, queries or complaints; or

(h) you request us to send you information or notify you of developments in the company via

post, emails or telephone calls.

6. Why do we collect your personal data and how do we use your personal data

6.1 Our key purpose in collecting your personal data is to process your application or request, to

proceed with any business relationship with you or to contact you so as to provide you with

information pertaining to the Wilmar Group. Further non-exhaustive examples of what personal

data we collect and for what purposes we use your personal data may be found in Schedule 1

attached hereto.

6.2 If you are not a job applicant, we collect and use your personal data to:

(a) facilitate the business or contractual relationship between you and us and where

applicable, the performance of the contract between us;

(b) facilitate the performance of the provision and performance of services to us;

attendance at our annual general meetings or results briefing sessions; or

(d) handle your feedback, queries or complaints.

6.3 If you are a job applicant, we collect and use personal data to process your job application.

6.4 We also use your personal data for other purposes connected to or relevant to our businesses,

such as:

(a) complying with our legal and regulatory obligations and requirements; or

(b) accounting, risk management and record keeping.

7. Special category of personal data – Sensitive personal data

7.1 Certain data category such as information on your health is considered “sensitive personal data”

as defined under the GDPR. Generally, we try to limit the circumstances where we would collect

and process sensitive personal data.

7.2 If you are both an EU resident and a job applicant, we collect sensitive personal data, in particular,

your medical details, your marital status and information on your spouse and next-of-kin, when you

apply for a job with us.

7.3 We collect sensitive personal data to process your job application.

8. Legal basis for using your personal data

8.1 If you are an EU resident, we are required, under the GDPR, to disclose the legal basis for

processing your data. We will only process your personal data when we have a legal basis to do

so.

8.2 The following are our legal basis for processing your personal data:

(a) you work for a business entity with whom we have a business relationship or with whom

we are exploring a business relationship;

(b) you applied for a job with us and we have to use your personal data to assess and evaluate

your suitability for the job;

(d) we have received your deemed consent, as defined under the PDPA, to use your

information for a particular purpose;

(e) we have a legitimate interest to do so; or

(f) we are required by legal or regulatory obligations and requirements.

9. Where do we process your personal data

9.1 Your personal data will be collected and processed by the relevant Wilmar Group Entity.

9.2 If you are a job applicant, your personal data will be processed by the relevant Wilmar Group Entity

to which you submitted your job application and such personal data may thereafter be transferred

and processed by the relevant Wilmar Group Entity.

10. Confidentiality

10.1 Subject to the provisions in this Clause 10, we shall keep secret and strictly confidential by not

disclosing or divulging to any person or to enabling or causing any person besides you, without

your consent, to become aware of the contents of your personal data.

10.2 Notwithstanding Clause 10.1, each Wilmar Group Entity may disclose your personal data to other

Wilmar Group Entities for business improvement purposes, for purposes consistent with the

purpose of that collection and/or for any other purposes allowed under Applicable Data Protection

Law.

(a) For more details on our Wilmar Group, please visit our Website.

(b) We may from time to time disclose your personal data to any Wilmar Group Entity’s

directors, officers, employees, agents and advisers, including accountants, legal counsels

and other advisers (it being understood that the persons to whom such disclosure is made

will be informed of the confidential nature of such information and instructed to keep such

information confidential) if such personal data is necessary to be disclosed to such persons

on a need-to-know basis.

10.3 Notwithstanding Clause 10.1, we may disclose information to you upon you submitting a valid

request in accordance with Clauses 14.

Transfer of information to third parties

10.4 Notwithstanding Clause 10.1, we may disclose or share your personal data with the following third

parties for the following purposes:

(a) third parties which provide products and services requested by you;

(b) our third-party service providers, such as our IT systems maintenance provider who

perform services that may involve data processing;

(d) accountants and auditors who maintain or are required to audit our financial records;

(e) bankers, credit reference agencies and anti-fraud screening service providers to process

payments or carry out fraud screening;

(f) law enforcement agencies to enforce our rights and protect our properties;

(g) regulatory, governmental and tax authorities to comply with any legal or regulatory

obligations or industry requirements;

(h) requirement by applicable laws or regulations, including the Applicable Data Protection

Law, or by any subpoena or similar legal process; or

(i) your representatives (such as your lawyer or the executor, administrator or trustee of your

estate).

We will ensure that, where relevant, contractual safeguards are implemented to ensure the

protection of your personal data when we disclose your personal data to a third party.

10.5 We shall make reasonable efforts to ensure that your personal data is accurate and complete

before we transfer your personal data to any of the aforementioned third party.

Transfer of information overseas

10.6 The parties to whom we may disclose your personal data with a legal basis may be located in

countries outside the European Economic Area, which may offer a lower level of data protection

than the country where you are located.

10.7 In such situations, the relevant Wilmar Group Entity shall ensure that the international transfer of

your personal data shall comply with Applicable Data Protection Law.

11. Our obligations to you

We agree and warrant that:

(a) we do not provide your personal data to third parties for purposes other than or related to

those set out above;

(b) we do not sell your personal data to any third parties;

provisions of Applicable Data Protection Law; and

(d) we will be processing your personal data only on behalf of the Wilmar Group and in

accordance with Applicable Data Protection Law and this Policy.

12. Technical and organizational security measures

12.1 When each Wilmar Group Entity processes your personal data, the processing activity is subject

to adequate technical and organisational security measures in order to safeguard your personal

data. Please contact our PDPO, details as set forth in Clause 18, if you would like to find out more

about the security measures that we have put in place.

12.2 These technical and organisational security measures are appropriate to protect personal data

against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or

access, in particular where the processing involves the transmission of data over a network, and

against all other unlawful forms of processing, and that these measures ensure a level of security

appropriate to the risks presented by the processing and the nature of the data to be protected

having regard to the state of the art and the cost of their implementation as per Group IT’s secuity

policies.

13. How long we will retain your personal data

Subject to Clause 14, we will retain your personal data for as long as necessary to fulfil the purpose

(such as those stated in Clause 6 and Schedule 1) for which it was collected, or for any commercial

or legal purposes required by any Wilmar Group Entity.

14. Rights of Data Subjects

Non-EU Data Subjects

14.1 Right of Access

(a) You have the right to request to be provided with your personal data in our possession.

(b) You have the right to ask for details on how we have (or may have) used your personal

data in the one-year period preceding your request.

14.2 Right to request for correction

(a) You have the right to make corrections to your inaccurate or outdated personal data in our

possession.

(b) We will respond to your request for access as soon as reasonably possible. If we are

unable to provide you with the requested personal data, we will inform you why we are not

able to do so (except where we are not required to do so by applicable laws).

14.3 Right to withdraw consent

You have the right to withdraw your consent to our usage of your personal data. Withdrawal of

consent may be made in writing to your usual contact person from the relevant Wilmar Group Entity

or our PDPO at the address stated below.

EU Data Subjects

14.4 If you are an EU resident, you may have certain rights in relation to personal data in our possession.

14.5 Right of Access

(a) You have the right to:

(i) know whether we process your personal data, and if we do, to request for a copy

of your personal data in our possession; and

(ii) request for a summary description of security measures we have implemented

when processing your personal data.

(b) Exceptions to your right of access include situations where:

(i) your request also relates to other persons who have not consented to the

disclosure of their personal data; and

(ii) your requested information is legally privileged.

than one copy of your personal data.

14.6 Right to request for correction

You have the right to make corrections to your inaccurate, outdated or incomplete personal data in

our possession. While we assess whether your personal data in our possession is inaccurate,

outdated, or incomplete, you may exercise your right to restrict our processing of the applicable

data (as described below).

14.7 Right to restrict processing

Other than for storage purposes, you have a right to stop us from processing your personal data.

Please note however that if there are valid grounds, we may continue the processing of such

personal data if it is necessary for us to do so (e.g. for defending legal claims or for the protection

of another person).

14.8 Right to withdraw consent

Where the legal basis of our processing of your personal data is consent, you have the right to

withdraw your consent to our usage of your personal data. Withdrawal of consent may be made in

writing to the any of your contact person in the Wilmar Group Entity or our PDPO at the address

below.

14.9 Right to deletion

(a) Upon your request for the deletion of your personal data, we shall delete or procure for the

deletion of such personal data promptly from our records, and to certify to you that we have

done so. To delete your personal data, we will remove information that identifies you from

the data we hold in our active systems.

(b) In some circumstances, deletion of your personal data may mean that we will not be able

to provide you with your requests for information.

(i) a separate and restricted copy of your personal data may be retained for any period

required by Applicable Data Protection law, law enforcement, national authorities

and legal proceedings; and

(ii) certain elements that relate to a contract between you and Wilmar Group Entity

may be retained, for our own legal and auditing purposes,

and we shall ensure the confidentiality of such personal data as required by Clause 10 and

shall ensure that such personal data is only retained or processed as necessary for the

purpose(s) specified above.

(d) Notwithstanding Clause 14.9(a), we cannot delete your personal data:

(i) so long as you have a contractual relationship with us; and

(ii) if you have made a complaint and the complaint is still open or we are required to

keep such personal data for a certain period after a prior complaint.

14.10 Data Portability

(a) You have the right to request for a presentable softcopy of any data, that you have provided

to us and/or generated by your activities in using our product and/or services, in our

possession or under our control.

(b) You also have a right to request for a transfer of such personal data to a third party with a

Singapore presence. We have no obligation, but may however choose to do so voluntarily,

to transfer such personal data to a third party if the third party is based overseas.

the form of a commonly used machine-readable format), you have provided details of the

party to whom you wish the personal data to be transferred and our provision of such data

will not interfere with the rights of another person.

(d) Appropriate technical and organisational security measures will be imposed to ensure the

security of your data transferred to the third-party.

(e) Once transferred, we will not be responsible for the security of the data or how it will be

processed.

15. Exercising your rights

15.1 To exercise any of your rights, such as those provided in Clause 14, please write to the PDPO at

the address below, with sufficient particulars to enable us to verify your identity, setting out your

request and the grounds for your request.

15.2 In many circumstances, we may need to process your personal data in order to proceed with your

application or request. If you do not provide us with the required personal data, or if you withdraw

your consent to our usage of your personal data for such purposes, it may be impossible for us to

proceed further with your application or respond to your request.

16. Cookies Policy

16.1 Our Websites implant cookies, which are the small text files placed on your computer or mobile

device, on your computer or mobile device when you visit our Websites.

16.2 By using our Website, you consent to our use of cookies to collect and process your personal data

for the purposes of collecting website usage data and to facilitate your internet sessions, track

visitor’s use of our websites and compile statistics on website activities.

16.3 The personal data we collect from visitors of our Websites include but are not limited to your IP

address, how you arrived at the Website (e.g. through a search engine or from an external website),

how you navigate within the Website, what device you use to access our Website and your

geographical location.

16.4 In the event that you do not wish for our placement of cookies on your computer or mobile device,

you can change the settings in your web browser to block cookies, or you may manually remove

cookies stored on your computer or mobile device. In addition, you may set up your mobile or

browser settings such that you receive a notification every time you receive a cookie on your

computer or mobile device, so that you can decide whether you wish to accept this cookie.

However, please note that if you decide to block cookies, you may not be able to use certain

features and functions of our Websites.

16.5 By continuing your visit to our Websites, you agree to this Clause 16 and any other relevant Clauses

in this Policy.

17. Other matters

Third party Websites

17.1 Our Websites may contain links to other websites which are not maintained by the Wilmar Group.

This Policy only applies to our Websites, and not third-party websites.

Other rules and processes

17.2 In certain cases, there may be specific rules or processes that govern our use of your personal

data, which are not stated in this Policy. If any such rules or processes apply, we will make them

known to you in advance.

18. How to contact us

18.1 To contact us on any aspect of this Policy or your personal data in our possession, you can e-mail

the PDPO at pdpo@wilmar.com.sg or write in to the Personal Data Protection Officer at Wilmar

International Limited, 28 Biopolis Road, Singapore 138568.

18.2 All requests, complaints and feedback will be evaluated by the PDPO in a timely manner. After the

PDPO has completed his or her evaluation, he or she will respond to you in writing.

Schedule 1

We collect the following non-exhaustive personal information for the following non-exhaustive purposes:

Personal data Purposes

your identification and contact information (name,

address, telephone number, email address or

other contact details)

 customer administration

 supplier administration

 administration and management

intermediaries

 to deliver the services or products that the

company you represent or are employed with

ordered

 for administrating payment of invoices and

collecting debts

 for marketing purposes

 to raise your awareness on our sustainability

programs or market developments

(newsletters)

 to handle disputes and ensure our legal

position herein

 to comply with legal obligations

 in the context of a possible business

transaction

identification and contact information obtained from

external databases which we have purchased and

thereafter combined with the data that we have

collected from you in order to obtain a more

complete or accurate set of information

for making decisions about selecting you as a

vendor/customer

camera images collected at production sites for compliance with safety and security concerns

in the production sites