In this Data Protection Policy, "Personal Data" refers to any data, whether true or not, about an individual who can be identified (a) from that data; or (b) from that data and other information to which we have or are likely to have access, including data in our records as may be updated from time to time.

Examples of such Personal Data you may provide to us include (depending on the nature of your interaction with us) your name, passport or other identification number, telephone number(s), mailing address, email address and any other information relating to any individuals which you have provided us in any forms you may have submitted to us, or via other forms of interaction with you.

Generally, we collect Personal Data in various ways such as:

• (a)when you submit forms or applications to us;
• (b)when you submit queries, requests, complaints or feedback to us;
• (c)when you interact with our staff, which may include customer service officers and other representatives, e.g. via telephone calls (which may be recorded), letters, fax, face–to–face meetings and email;
• (d)when your images are captured by us in the form of photographs or videos, including via our CCTV cameras while you are within our premises or when you attend our events;
• (e)when you use any of our services;
• (f)when you ask to be included in an email or other mailing list;
• (g)when we receive your personal data from business partners, public agencies, your employer and other third parties in connection with your relationship with us, including without limitation, for the provision of IT and other business process outsourcing services, or job applications; and/or
• (h)when you submit your Personal Data to us for any other reasons.

When you browse our website, we do not at our website automatically collect Personal Data unless you provide such information to us through our designated email address.

If you provide us with any Personal Data relating to a third party (e.g. information concerning employees, directors, authorised persons, and/or family members), by submitting such information to us, you represent and warrant to us that you have obtained the consent of that third party to the disclosure of their Personal Data to Mizuho, and to Mizuho collecting, using, disclosing and/or processing their Personal Data for the purposes for which we are collecting and processing such third party's Personal Data.

You shall ensure that all Personal Data submitted to us is complete, accurate, true and correct. Failure on your part to do so may result in our inability to provide you with our services, and/or fulfil your requests and/or applications. Please also update us of any changes in your personal data that you had initially provided us with. We will not be responsible for relying on inaccurate or incomplete Personal Data arising from you not updating us of any changes in your Personal Data that you had initially provided us with.

An IP address is a number that is assigned by your Internet Service Provider to your device when you connect to the internet.

When you visit our website, your IP address is automatically recorded in our server. We use your IP address to help diagnose problems with our server, and to administer our website. From your IP address, we may identify the general geographic area from which you are accessing our website. However, we will not be able to pinpoint the exact geographic location from which you are accessing our website. Generally we do not link your IP address to anything that can enable us to identify you unless it is required by applicable laws and regulations.

A cookie is an element of data that a website can send to your browser, which may then store it on your system. We use cookies in some of our pages to store visitors' preferences and record session information.

Our website uses "cookies" for the purpose of ensuring security and providing appropriate information when visitors access the website. Cookies are a technology that enables the identification of repeat access and visits to the website by the same visitor through the storage of certain text files (information) on the visitor's terminal via the web browser. However, the cookies used on our website contain no information that identifies the visitor. Also, ordinarily a visitor can change the browser settings to refuse to accept cookies or to display an alert when a cookie has been accepted. (Ordinarily, browsers are configured to accept cookies.) As a result, however, part of the services on the website may become unavailable. Refer to the section Cookie Settings for information on changing browser settings.

Please refer to your browser documentation to check if cookies have been enabled on your computer or to request not to receive cookies.

Generally, Mizuho collects, uses, discloses, and/or processes your Personal Data for the following purposes:

• (a)providing you, or Mizuho's customers (which may be your employer), with any of our products and/or services, including but not limited to the provision of information technology and/or other business process outsourcing services;
• (b)facilitating, processing, dealing with, administering, managing and/or maintaining your relationship and/or your employer's relationship with us;
• (c)responding to your queries, requests, complaints and feedback;
• (d)processing your instructions;
• (e)contacting you or communicating with you via phone/voice call, text message and/or fax message, email and/or postal mail for the purposes of administering and/or managing your relationship and/or your employer's relationship with us such as but not limited to communicating information to you related to the existing relationship between yourself or your employer, and us. You acknowledge and agree that such communication by us could be by way of the mailing of correspondence, documents or notices to you, which could involve disclosure of certain Personal Data about you to bring about delivery of the same as well as on the external cover of envelopes/mail packages;
• (f)managing the administrative and business operations of Mizuho and complying with internal policies and procedures;
• (g)verifying your identity;
• (h)matching any Personal Data held which relates to you for any of the purposes listed herein;
• (i)preventing, detecting and investigating crime, including terrorist financing, fraud and money–laundering, and analysing and managing commercial risks, and whether or not there is any suspicion of the aforementioned;
• (j)maintaining the security of Mizuho premises (including but not limited to CCTV surveillance);
• (k)generating reports and analytics in relation to our business;
• (l)conducting research, analysis and development activities (including but not limited to data analytics, surveys and/or profiling) to improve our services and facilities in order to enhance your relationship and/or your employer's relationship with us or for your benefit, or to improve any of our products or services for yours or your employer's benefit;
• (m)caring out due diligence or other screening activities (including background checks) in accordance with legal or regulatory obligations or our risk management procedures that may be required by law or that may have been put in place by us
• (n)storing, hosting, backing up (whether for disaster recovery or otherwise) of your Personal Data, whether within or outside Singapore;
• (o)internal and/or external audit of our or our related corporation's business;
• (p)meeting or complying with any applicable rules, laws, regulations, codes of practice or guidelines issued by any legal or regulatory bodies (whether Singapore or a foreign country) which are binding on Mizuho or which Mizuho is expected to comply with, or to assist in law enforcement and investigations by relevant authorities (whether Singapore authorities or a foreign country's authorities) (including but not limited to disclosures to regulatory bodies, conducting audit checks, surveillance and investigation);
• (q)complying with or as required by any request or direction of any governmental authority (whether Singapore or a non–Singapore authority); or responding to requests for information from public agencies, ministries, statutory boards or other similar authorities (whether Singapore or a non–Singapore authority). For the avoidance of doubt, this means that we may/will disclosure your Personal Data to the aforementioned parties upon their request or direction;
• (r)legal purposes (including but not limited to drafting and reviewing documents, obtaining legal advice and facilitating dispute resolution); and
• (s)purposes which are reasonably related to the aforesaid.

In addition, Mizuho collects, uses, discloses and processes your Personal Data for the following purposes depending on the nature of our relationship with you:

• (a)If you are a customer, or an employee of a customer, Mizuho collects, uses, discloses and/or processes your Personal Data for the following purposes:
  • (i)establishing or providing our products and/or services and facilitating the continuation or termination of the customer relationship (including but not limited to customer onboarding);
  • (ii)facilitating the daily provision and operation of our products and/or services;
  • (iii)providing customer servicing (including but not limited to IT and other business process outsourcing services and providing customer satisfaction services);
  • (iv)facilitating data migration and testing; and/or
  • (v)purposes which are reasonably related to the aforesaid;
• (b)If you are a business partner of Mizuho, or an employee of business partner of Mizuho, or if you are an employee, officer or owner of an external service provider which has been engaged, outsourced or prospected by Mizuho, Mizuho collects, uses, discloses and processes your Personal Data for the following purposes:
  • (i)facilitating the continuation or termination of the relationship;
  • (ii)managing and evaluating project tenders;
  • (iii)updating contact details and processing and payment of invoices; and
  • (iv)purposes which are reasonably related to the aforesaid.
• (c)If you submit an application to us as a candidate for an employment or representative position or independent contractor position, Mizuho collects, uses, discloses and/or processes your Personal Data for the following purposes:
  • (i)conducting interviews;
  • (ii)processing and/or dealing with your application (including pre–recruitment or pre–engagement checks involving your qualifications);
  • (iii)providing or obtaining employee or other references and for background screening;
  • (iv)processing employment pass applications, visa applications and offer of employment;
  • (v)evaluating and assessing your suitability for the position applied for; and/or
  • (vi)any other purposes reasonably related to any of the above.
• (d) If you are a visitor to Mizuho office:
  • (i)Facilitating, dealing with and/or managing your visit to our premises, including verifying your identity;
  • (ii)facilitating and organising training events and seminars held on our premises; and/or
  • (iii)any other purposes reasonably related to any of the above

In relation to particular products or services or in your interactions with us, we may also have specifically notified you of other purposes for which we collect, use, disclose and/or process your Personal Data. If so, we will collect, use, disclose, and/or process your Personal Data for these additional purposes as well.

As the purposes for which we may/will collect, use, disclose and/or process your Personal Data depend on the circumstances at hand, such purpose may not appear above. However, we will notify you of such other purpose at the time of obtaining your consent, unless such collection, use, disclosure and/or processing of your Personal Data without your consent is permitted by the Act or by any other written law.

The above purposes set out in this paragraph 3 shall be collectively referred to as the "Purposes" .

Due to one or more of the Purposes, or in order to conduct our business operations more smoothly, we may also be disclosing the Personal Data you have provided to us to our third party service providers, agents and/or our affiliates or related corporations, and/or other third parties whether sited in Singapore or outside of Singapore, for one or more of the above–stated Purposes. Such third party service providers, agents and/or affiliates or related corporations and/or other third parties would be processing your personal data either on our behalf or otherwise, for one or more of the above–stated Purposes.

Your Personal Data held by us shall be kept confidential. Without prejudice to the generality of paragraph 4.1, your Personal Data may be disclosed to the following:

• (a)our related corporations;
• (b)agents, contractors or third party service providers who provide operational services to Mizuho;
• (c)our professional advisers such as financial advisors, auditors and lawyers;
• (d)relevant government regulators, government ministries, statutory boards or authorities or law enforcement agencies to comply with any laws, rules, guidelines and regulations or schemes imposed by any governmental authority including but not limited to the Inland Revenue Authority of Singapore, the Monetary Authority of Singapore, the Accounting and Corporate Regulatory Authority, the Ministry of Manpower, and the Insolvency and Public Trustee Office;
• (e)any other party to whom disclosure of personal data is reasonably necessary for one or more of the Purposes; and
• (f)any other party to whom you authorise us to disclose your Personal Data to.

We will also put in place reasonable security arrangements to ensure that your Personal Data is adequately protected and secured. Appropriate security arrangements will be taken to prevent any unauthorized access, collection, use, disclosure, copying, modification, leakage, loss, damage and/or alteration of your Personal Data. However, we cannot assume responsibility for any unauthorized use of your Personal Data by third parties which are wholly attributable to factors beyond our control.

We will also put in place measures such that your Personal Data in our possession or under our control is destroyed and/or anonymized as soon as it is reasonable to assume that (i) the purpose for which that Personal Data was collected is no longer being served by the retention of such Personal Data; and (ii) retention is no longer necessary for any other legal or business purposes.

Where your Personal Data is to be transferred out of Singapore, we will comply with the PDPA in doing so. In this regard, this includes us obtaining your consent unless an exception under the PDPA or law applies, and taking appropriate steps to ascertain that the foreign recipient organisation of the Personal Data is bound by legally enforceable obligations to provide to the transferred Personal Data a standard of protection that is at least comparable to the protection under the Act. This may include us entering into an appropriate contract with the foreign recipient organisation dealing with the Personal Data transfer or permitting the Personal Data transfer without such a contract if the Act or law permits us to.

If you:

• (a)have any questions, compliant or feedback relating to your Personal Data or our Data Protection Policy;
• (b)would like to withdraw your consent to any use of your Personal Data as set out in this Data Protection Policy; or
• (c)would like to obtain access and/or make corrections to your Personal Data records in our possession and/or under our control,

or such other email address, telephone number or address as we may notify you, whether by email, letter, or fax.

If you withdraw your consent to any or all use of your Personal Data, depending on the nature of your request, Mizuho may not be in a position to continue to provide its products or services to you, administer any contractual relationship in place, and this may be considered a termination by you of any contractual relationship which you may have with Mizuho.

You may request to access and/or correct your Personal Data currently in our possession or control by submitting a written request to us. We will need enough information from you in order to ascertain your identity as well as the nature of your request, so as to be able to deal with your request. Hence, please submit your written request to our data protection officer at the abovementioned contact email address.

For a request to access personal data, once we have sufficient information from you to deal with the request, we will seek to provide you with the relevant Personal Data within 30 days. Where we are unable to respond to you within the said 30 days, we will notify you of the soonest possible time within which we can provide you with the information requested. Note that the PDPA exempts certain types of Personal Data from being subject to your access request.

For a request to correct Personal Data, once we have sufficient information from you to deal with the request, we will :

• (a)correct your Personal Data within 30 days. Where we are unable to do so within the said 30 days, we will notify you of the soonest practicable time within which we can make the correction. Note that the PDPA exempts certain types of Personal Data from being subject to your correction request as well as provides for situation(s) when correction need not be made by us despite your request; and
• (b)subject to paragraph 6.6, we will send the corrected personal data to every other organisation to which your Personal Data was disclosed by us within a year before the date the correction was made, unless that other organisation does not need the corrected personal data for any legal or business purpose.

Notwithstanding paragraph 6.5(b), we may, if you so consent, send the corrected Personal Data only to specific organisations to which your Personal Data was disclosed by us within a year before the date the correction was made.

We will/may also be charging you a reasonable fee for the handling and processing of your requests to access your personal data. We will provide you with a written estimate of the fee we will be charging. Please note that we are not required to respond to or deal with your access request unless you have agreed to pay the fee.