Privacy Policy

NIPPON PAINT HOLDINGS SG PTE. LTD.

PRIVACY POLICY

This Privacy Policy ("Policy") sets out the basis which Nippon Paint Holdings SG Pte. Ltd. (unique entity number: 199102568R) ("NIPSEA", "we, "us" or "our") may collect, use, disclose or otherwise process personal data from a person in accordance with the Personal Data Protection Act 2012 as may be amended from time to time ("PDPA") and such other data protection legislation as may be applicable. This Policy applies to personal data in our possession or under our control, including personal data in the possession of organisations which we have engaged to collect, use, disclose or process personal data for our purposes.

Where applicable, we shall comply with the European Union's General Data Protection Regulation (the "GDPR") and data protection laws in China when dealing with the personal data of data subjects from those jurisdictions.

By continuing to use our website and/or services, you signify that you have read and understood this Policy. You provide your consent to us collecting, using, storing and disclosing your personal data in accordance with this Policy.

DEFINITIONS

  1. As used in this Policy:

"GDPR" means the European Union's General Data Protection Regulation;

"PDPA" means the Personal Data Protection Act 2012;

"personal data" means data, whether true or not, about an individual who can be identified: (a) from that data; or (b) from that data and other information to which we have or are likely to have access;

  1. All references to "personal data" shall:

  1. if you are an individual, refer to your personal data; and

  1. if you are an organisation, refer to personal data of individuals which you provide to us for which you warrant and confirm that you have the requisite consent to provide to us.

COLLECTION, USE AND DISCLOSURE OF PERSONAL DATA

  1. We generally do not collect your personal data unless (a) it is provided to us voluntarily by you directly or via a third party who has been duly authorised by you to disclose your personal data to us (your "authorised representative") after (i) you (or your authorised representative) have been notified of the purposes for which the data is collected, and (ii) you (or your authorised representative) have provided written consent to the collection and usage of your personal data for those purposes, or (b) collection and use of personal data without consent is permitted or required by the PDPA or other applicable laws. We shall seek your consent before collecting any additional personal data and before using your personal data for a purpose which has not been notified to you (except where permitted or authorised by law).

  1. Where you disclose personal data of another person to us, you undertake to ensure that the individual whose personal data is supplied to us has, where required under applicable data protection laws, authorised the disclosure, is informed of, and agrees to the provisions of this Policy.

Types of personal data we collect

  1. The type of personal data we collect depends on the circumstances of collection and the nature of the interaction with us. The data we collect includes but is not limited to:

  1. Personal information that can be used to identify an individual, such as name, gender, date of birth, nationality;

  1. Contact information, such as mailing address, phone number, email address;

  1. Information on your other activity with us, such as on our website;

  1. Information about your interactions with our staff whether online or in-person;

  1. Information you choose and/or consent to submit when you use features on our website, or other online facilities, including, but not limited to:

        

  1. information in the queries you enter into our Contact Us page, on our social media pages or website;

  1. your location information.

  1. Information we receive from other sources, e.g. our page on social media websites and our contractual partners;

  1. Business contact information, including your information and information of your organisation's employees;

        

  1. Customer preferences, such as dietary requirements and other preferences you provide;

  1. Technical information, such as internet protocol addresses, device information, and other technical data collected when you use our website or mobile applications; and

  1. Technical data, including device and technical information you give us when using our website or mobile application, such as internet protocol addresses or other unique identifiers, cookies, mobile carrier, time zone setting, operating system and platform, and information about your customer journey on the website or mobile application. Please note that in limited circumstances, this technical data may be linked with your personal data in order to identify you.

Forms that you choose to complete will indicate whether information requested is mandatory or voluntary.

How we collect your personal data

  1. We collect personal data whenever you use our services, including when you use our website, or when you interact with us via email, social media, our contact centres or any other channels such as our office counters.

  1. We may collect your data from the following sources:

Categories of personal data

Source

Role of the individual in the relevant organisation

  • Public registries of companies and businesses

Whether an individual is the subject of a sanction

  • Lists of sanctioned individuals published by the United Nations, states and their agencies

Full name

  • User interaction when submitting enquiries from contact us form, or any other form of queries through email;

  • User interaction when creating an account on the website;

  • User interaction when participating a contest by submitting their entries online;
  • When you attend any of our corporate events, marketing campaigns or third-party open day

Country of user

Organisation name

Gender

Nationality

Phone number

Electronic mail address

All information (including but not limited to any of my personal data) provided during the job application

  • When you apply for a job with us

Photographs, videos and audio recordings
  • When you attend any of our corporate events, marketing campaigns or third-party open day;

  • User interaction when creating an account on the website

Hotel membership number

Dietary preferences

How we use your personal data

  1. We may collect and use your personal data for any or all of the following purposes:

Type of personal data

Purpose of use

Legal basis under Article 6 of the GDPR or other laws applicable in your jurisdiction

Data retention period under Article 5 of the GDPR or other laws applicable in your jurisdiction

Information on membership

(profession, country, full name, email address)

Membership management and administration

Necessary for the performance of a contract

During membership; and up to 7 years after termination

 

Communication and service updates

Necessary for the performance of a contract

Handling inquiries and complaints

Necessary for the performance of a contract

Marketing and promotional purposes (with consent)

Consent

Legal and compliance purposes

Necessary for compliance with a legal obligation

Analytics and service improvement

Necessary for the legitimate interests

Compliance with any anti-money laundering laws, sanctions imposed by countries and similar rules

Necessary for compliance with a legal obligation

Information on inquiries and provision of information

(full name, email address, country, phone number, company name, position)

Handling inquiries and complaints

Necessary for complying with NIPSEA's legal obligations or, as the case may be, it is necessary for the purposes of NIPSEA's legitimate interests in providing information to customers and potential customers or abiding by NIPSEA's election to voluntarily comply with certain more stringent privacy standards stemming from the GDPR

7 years

Marketing and promotional purposes (with consent)

Consent

7 years

Analysis for improving the quality and services of our group companies

Necessary for the purposes of the legitimate interests pursued by NIPSEA and its affiliates in gaining insight on their markets and improving their goods and services

7 years

Browser used, city location of IP address, web pages visited

Operating NIPSEA's websites with strictly necessary cookies

Necessary for the purposes of the legitimate interests pursued by NIPSEA in operating its websites

7 years

Improving NIPSEA's websites including through audience measurements

Consent

7 years

Tailoring the marketing seen on applications and other websites

Consent

7 years

Company-hosted events

(full name, email address, photographs, videos and audio recordings, hotel membership number, dietary preferences)

Event participation and coordination

Consent

7 years

Communication and service updates

Necessary for the performance of a contract

Handling inquiries and complaints

Necessary for the performance of a contract

Marketing and promotional purposes (with consent)

Consent

Analytics and service improvement

Necessary for the legitimate interests

Information on internships, recruitment and employment

(full name,
job, title,
industry,
company,
contact,
education level,
email address, country of residences,
country of employment/ business, IP address, BSSIDD/SSID,
facial recognition, residence address, Singapore identity card (NRIC),
foreign identification number (FIN), photographs)

Providing information and contacting applicants for internships and recruitment

Necessary for the performance of a contract; or in order to take steps prior to entering into a contract

7 years

Questionnaires on employment activities and making statistical information

Necessary for the performance of a contract; necessary for compliance with a legal obligation

Responding to inquiries

Necessary for the performance of a contract; or in order to take steps prior to entering into a contract

Employment procedures after hiring decision and employment management after joining

Necessary for the performance of a contract; necessary for compliance with a legal obligation

Where personal data is processed based on consent, for the purposes of Article 6 of the GDPR, Section 16 of the PDPA or the data protection laws in China, such consent may be withdrawn at any time, with reasonable notice, without affecting the lawfulness of processing based on consent before its withdrawal. Upon such notice being given, we will inform you of the likely consequences of withdrawing your consent, but withdrawal will not affect NIPSEA's right to continue to collect, use and disclose personal data where such collection, use and disclosure without consent is permitted under the applicable laws.

  1. We may also collect and use your personal data for any or all of the following purposes:

  1. complying with any applicable laws, regulations, codes of practice, guidelines, or rules, or to assist in law enforcement and investigations conducted by any governmental and/or regulatory authority;

  1. any other purposes for which you have provided the data, as indicated at the time of collection;

  1. transmitting to any unaffiliated third parties including our third-party service providers and agents, and relevant governmental and/or regulatory authorities, whether in Singapore or abroad, for the aforementioned purposes; and

  1. any other incidental purposes related to or in connection with the above.

  1. Subject to the conditions of lawfulness, legitimacy and necessity, the purposes listed in the above paragraphs may continue to apply even in situations where your relationship with us has been terminated or altered in any way, for a reasonable period thereafter (including, where applicable, a period to enable us to enforce our rights under a contract with you). The reasonable period referred to hereunder shall mean the period necessary to achieve the aforementioned purposes or the period stipulated by applicable laws, regulations, or regulatory authorities. Upon the expiration of the reasonable period, we will delete or anonymize your personal data as required by applicable laws. However, if the deletion of your personal data is technically difficult or there are other circumstances under which deletion is not advisable pursuant to the applicable laws, we will cease the processing of your personal data, save for storage and necessary security protection and verification measures.

Personal data of children

  1. We are aware that various jurisdictions have special rules for the protection of personal data of children. The following will apply in relation to personal data collected from children:

The following shall apply specifically to personal data of children in Singapore

A child based in Singapore under 13 years old must not create a NIPSEA account without the consent of a parent or guardian. Additionally, NIPSEA may determine that, even for individuals between the ages of 13 and 17 based in Singapore, the consent of such individual's parent or guardian may nonetheless be required. NIPSEA also accords children's personal data a higher standard of protection pursuant to the PDPA.

The following shall apply specifically to personal data collected from children (individuals under 14 years old) within the territory of China

A child under 14 years old must not create a NIPSEA account without the consent of a parent or guardian. If the child's personal data is collected with prior parental consent, we will only use or disclose the data as permitted by the Chinese law, with the explicit consent of the child's parents or guardians, or when necessary for the protection of the child. If we accidentally collect a child's personal data without verified prior consent from the child's parents, we will attempt to delete the data as soon as possible. We also treat children's personal data as sensitive personal data and complies with the specific rules for sensitive personal data in accordance with the Chinese law.

The following shall apply specifically to personal data of children in the European Union  

A child under 16 years old must not create a NIPSEA account without the consent of the holder of parental responsibility. Where the child is below the age of 16 years, the controller shall make reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology. If we accidentally collect a child's personal data without verified prior consent from the child's holder of parental responsibility, we will attempt to delete the data as soon as possible.  

Disclosure of personal data 

  1. We may disclose your personal data:

  1. where NIPSEA has obtained the prior consent of the person concerned;

  1. where such disclosure is required for, or in connection with, the provision of the services and/or goods requested by you;

  1. to third party service providers, agents and other organisations we have engaged to perform any of the purposes listed above for us;

  1. to comply with any applicable laws, regulations, codes of practice, guidelines, rules or requests by public agencies, or to assist in law enforcement and investigations;

  1. any other party to whom you authorised us to disclose your personal data to, or where necessary to undertake any action requested by you;

  1. in the event that we or our affiliates' business have recourse to investors or lenders, including in the context of an invoice discounting facility;

  1. in the event that the business is succeeded to and personal data is provided through a merger, spin-off, or transfer of business, under which circumstance we will notify the individual concerned of the name and contact information of the recipient and require the recipient to process the personal data in accordance with this Policy. If the recipient changes the original purpose and method of processing, it shall obtain the individual’s fresh consent in accordance with the law (except as otherwise provided by applicable data protection laws);

  1. where the handling of personal data is entrusted to an outside business operator or other third party within the scope necessary for the achievement of the purpose of use. For third parties with whom we entrust to process the personal data, we will require them to process personal data in accordance with the processing agreement, this Policy as well as the applicable data protection laws;

  1. when it is necessary to protect the life, body, or property of an individual and it is difficult to obtain consent of the person concerned;

  1. cases in which there is a special need to enhance public hygiene or promote fostering healthy children, and when it is difficult to obtain a consent of the person concerned;

  1. in the event that it is necessary to cooperate with a national agency, local government, or a party entrusted by the said agency in executing the affairs prescribed by laws and regulations, and there is a risk that obtaining the consent of the person concerned may interfere with the execution of the affairs concerned; and

  1. in addition to the above, cases where the information is permitted to be provided pursuant to the PDPA and other laws and regulations.

  1. We may therefore share the personal data of individuals who are or represent potential or actual clients of NIPSEA with the following categories of recipients:

  1. NIPSEA's affiliates as necessary for the management of its group's activities;

  1. NIPSEA's service providers as much as it is necessary for them to provide the relevant services in line with the above-mentioned purposes;

  1. NIPSEA's and its affiliates' investors and lenders, including any purchaser of all or part of their business;

  1. law enforcement and other government agencies and authorities;

  1. courts and parties to court proceedings; and

  1. information collected through cookies may be shared with service providers.

  1. In order to achieve the purpose of use, we may share personal data as follows:

  1. Scope of joint use: NIPSEA group companies (https://nipsea.group)

  1. Categories of the jointly used personal data: Name, address, telephone number, e-mail address, affiliation/department name, position, and other information obtained in accordance with this Policy.

  1. Purposes for the joint use: To achieve the purposes listed in the 'How we use your personal data' section above.

  1. Name of person responsible for joint use: NIPSEA Group Data Protection Officer.

  1. NIPSEA shall ensure that any service provider or other organisation to which it sends personal data of website visitors and individuals who are or represent potential or actual clients of NIPSEA is established either in Singapore, Japan, the European Economic Area or another country or territory that ensures, at least for the relevant sector, an adequate level of protection within the meaning of article 45 of the GDPR (such as organisations in Andorra, Argentina, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, the United Kingdom, Uruguay and South Korea). Where this is not the case, unless one of the exemptions of article 49 of the GDPR avails, NIPSEA shall implement safeguards NIPSEA deems to be adequate in line with applicable privacy laws

  1. We may, from time to time, provide you with links to other websites for your convenience and information. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. You access these websites at your own risk and we are not responsible for these websites. Whilst we will protect your personal data on our websites, we cannot control or be responsible for the policies of other sites we may link to, or the use of any personal data you may share with them. Please note that this Policy does not cover these other websites, and we would recommend that you are apprised of their specific policies.

WITHDRAWING YOUR CONSENT

  1. The consent that you provide for the collection, use and disclosure of your personal data will remain valid until such time it is being withdrawn by you or your authorised representative in writing. You or your authorised representative may withdraw consent and request us to stop collecting, using and/or disclosing your personal data for any or all of the purposes listed above by submitting your request via email or otherwise in writing to our Data Protection Officer at the contact details provided below. If you are unable to submit your request in writing or if you require any assistance with the submission of your request, you can ask to speak to or meet with our Data Protection Officer.

Upon receipt of your written request to withdraw your consent or other means which is similar to the manner in which we obtained your consent, we may require reasonable time (depending on the complexity of the request and its impact on our relationship with you) for your request to be processed and for us to notify you of the consequences of us acceding to the same, including any legal consequences which may affect your rights and liabilities to us. In general, we shall seek to process your request without delay, and in any case within ten (10) business days of receiving it.

  1. Whilst we respect your decision to withdraw your consent, please note that depending on the nature and scope of your request, we may not be in a position to continue providing our goods and/or services to you and we shall, in such circumstances, notify you before completing the processing of your request. Should you decide to cancel your withdrawal of consent, please inform us in the manner described in paragraph 17 above.

  1. Please note that withdrawing consent does not affect our right to continue to collect, use and disclose personal data where such collection, use and disclose without consent is permitted or required under applicable laws.

DATA SUBJECT RIGHTS

  1. Subject to certain conditions, if you wish to make (a) an access request for access to a copy of the personal data which we hold about you or information about the ways in which we use or disclose your personal data; (b) a correction request to correct or update any of your personal data which we hold about you; (c) a request to obtain erasure of the personal data which we hold about you; or (d) a request to restrict our processing of the personal data which we hold about you, you may submit your request via email or otherwise in writing, to our Data Protection Officer at the contact details provided below. You may also have the right (e) to object to the processing of the personal data which we hold about you, based on your legitimate interests; and (f) to request to receive the personal data which you have provided to us in a structured, commonly used and machine-readable format (right to data portability). If you require assistance with the submission of your request, you can ask to speak to or meet with our Data Protection Officer.

  1. Please note that a reasonable fee may be charged for an access request. If so, we will inform you of the fee before processing your request.

  1. We will respond to your request as soon as reasonably possible. In general, our response will be within thirty (30) business days. Should we not be able to respond to your request within thirty (30) days after receiving your request, we will inform you in writing within thirty (30) days of the time by which we will be able to respond to your request. If we are unable to provide you with any personal data or to make a correction requested by you, we shall generally inform you of the reasons why we are unable to do so (except where we are not required to do so under applicable laws).

PROTECTION OF PERSONAL DATA

 

  1. To safeguard your personal data from unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks, we have introduced appropriate administrative, physical and technical measures such as minimised collection of personal data, authentication and access controls (such as good password practices, need-to-basis for data disclosure, etc.), encryption and de-identification of data, up-to-date antivirus protection, regular patching of operating system and other software, securely erase storage media in devices before disposal, and web security measures against risks.

  1. You should be aware, however, that no method of transmission over the internet or method of electronic storage is completely secure. While security cannot be guaranteed, we strive to protect the security of your information and are constantly reviewing and enhancing our information security measures.

ACCURACY OF PERSONAL DATA

  1. We generally rely on personal data provided by you or your authorised representative. In order to ensure that your personal data is current, complete and accurate, please update us if there are changes to your personal data by informing our Data Protection Officer at the contact details provided below.

RETENTION OF PERSONAL DATA

  1. We may retain your personal data for as long as it is necessary to fulfil the purpose for which it was collected, or as required or permitted by applicable laws. For more information on data retention periods, please refer to paragraph 8 above.

  1. We will cease to retain your personal data, or remove the means by which the data can be associated with you, as soon as it is reasonable to assume that such retention no longer serves the purpose for which the personal data was collected, and is no longer necessary for legal or business purposes.

TRANSFERS OF PERSONAL DATA OUTSIDE OF SINGAPORE

  1. Where we transfer your personal data outside of Singapore, we will take steps to ensure that the transfer is carried out in accordance with the requirements of the PDPA, including by assessing the recipient's data protection framework and/or implementing appropriate contractual safeguards where necessary. We are in the process of implementing appropriate safeguards to ensure that your personal data, when transferred outside Singapore, will be protected in a manner consistent with the PDPA. These safeguards may include contractual obligations or transfers only to jurisdictions with comparable legal protections.

DATA BREACH 

  1. In the event of a data breach which requires notification, we will comply with all requirements prescribed under the PDPA and other applicable laws including but not limited to: (a) notifying the Personal Data Protection Commission of Singapore or other relevant authorities (if any) and providing all prescribed information within the prescribed time period; and (b) if required, notifying the individuals affected by the data breach containing all prescribed information.

DATA PROTECTION OFFICER

  1. You may contact our Data Protection Officer if you have any enquiries or feedback on our personal data protection policies and procedures, or if you wish to make any request, in the following manner:

Address

:

20 Pasir Panjang Rd, #13-26 Mapletree Business City,
Singapore 117439

Name of DPO  

:

NIPSEA Group DPO

Contact no.

:

(65) 63115130

Email address

:

dpo@nipsea.com.sg

UPCOMING UPDATES

  1. This Privacy Policy will be updated in phases. Sections relating to children’s data and detailed cookie usage will be expanded in subsequent updates once implementation is completed.

EFFECT OF POLICY AND CHANGES TO POLICY

  1. This Policy applies in conjunction with any other notices, contractual clauses and consent clauses that apply in relation to the collection, use and disclosure of your personal data by us.

  1. We may revise this Policy from time to time without any prior notice. You may determine if any such revision has taken place by referring to the date on which this Policy was last updated. Your continued use of our services constitutes your acknowledgement and acceptance of such changes.

Effective date        :         18 March 2026

Last updated        :         1 November 2025