1. Data Protection Principles
We adhere to the following fundamental data protection principles:
- Lawfulness, Fairness, and Transparency: We process data legally, fairly, and with clear communication
- Purpose Limitation: Data is collected only for specific, legitimate purposes
- Data Minimization: We collect only necessary information
- Accuracy: We keep data accurate and up-to-date
- Storage Limitation: Data is retained only as long as necessary
- Integrity and Confidentiality: Data is protected against unauthorized access and loss
- Accountability: We are responsible for demonstrating compliance
2. Legal Framework
2.1 Compliance Standards
Our data protection practices comply with:
- Personal Data Protection Act (PDPA) Malaysia: National data protection legislation
- General Data Protection Regulation (GDPR): Where applicable for EU residents
- Educational Privacy Standards: FERPA and institutional policies
- ISO 27001: Information security management standards
2.2 Data Controller
Breyer Educational Services acts as the data controller responsible for your personal information. Your educational institution may also be a joint data controller for academic records.
3. Security Measures
🔒 Technical Security
Encryption
All data transmitted between your device and our servers is encrypted using TLS 1.3 (Transport Layer Security). Sensitive data at rest is encrypted using AES-256 encryption.
Password Protection
Passwords are hashed using bcrypt with salt, making them virtually impossible to reverse-engineer. We never store plain-text passwords.
Intrusion Detection
Real-time monitoring systems detect and alert us to suspicious activities, unauthorized access attempts, and potential security breaches.
Regular Backups
Automated daily backups with encryption ensure data can be recovered in case of system failure or data loss. Backups are tested regularly.
Firewall Protection
Multi-layered firewalls protect our infrastructure from external threats and unauthorized network access.
Security Audits
Regular security assessments, penetration testing, and code reviews identify and address vulnerabilities.
4. Organizational Security
4.1 Access Controls
- Role-Based Access: Staff can only access data necessary for their role
- Multi-Factor Authentication: Available for administrator accounts
- Access Logs: All data access is logged and monitored
- Regular Reviews: Access permissions are reviewed quarterly
4.2 Staff Training
- Mandatory data protection training for all staff
- Regular security awareness updates
- Confidentiality agreements signed by all employees
- Clear protocols for handling personal data
4.3 Third-Party Management
- Vendor security assessments before engagement
- Data processing agreements with all third parties
- Regular audits of third-party security practices
- Limited data sharing with vetted partners only
5. Data Breach Response
5.1 Prevention
We employ multiple layers of security to prevent data breaches, but we also maintain a comprehensive incident response plan.
5.2 Detection
- 24/7 security monitoring
- Automated threat detection systems
- Regular security scans and assessments
5.3 Response Protocol
In the unlikely event of a data breach:
- Immediate Containment: Isolate affected systems within 1 hour
- Assessment: Evaluate the scope and impact within 24 hours
- Notification: Inform affected individuals within 72 hours
- Remediation: Fix vulnerabilities and restore security
- Documentation: Complete incident report and lessons learned
- Authority Notification: Report to relevant data protection authorities as required
5.4 User Notification
If a breach affects your data, we will notify you via:
- Email to your registered address
- In-app notification
- Notice on our website
6. Your Responsibilities
While we implement strong security measures, you also play a crucial role in protecting your data:
6.1 Account Security
- Create a strong, unique password (minimum 8 characters with mixed case, numbers, and symbols)
- Never share your password with others
- Don't reuse passwords from other websites
- Log out after each session, especially on shared devices
- Enable "Remember Me" only on personal devices
6.2 Device Security
- Keep your device's operating system and browser updated
- Use antivirus software and keep it current
- Avoid accessing your account on public Wi-Fi without VPN
- Lock your device when not in use
6.3 Suspicious Activity
Report immediately if you notice:
- Unauthorized login attempts
- Unexpected password reset emails
- Changes to your account you didn't make
- Suspicious emails claiming to be from us
7. Data Subject Rights
Under data protection laws, you have the following rights:
7.1 Right to Access
Request a copy of all personal data we hold about you. We will provide this within 30 days in a commonly used electronic format.
7.2 Right to Rectification
Request correction of inaccurate or incomplete data. We will update records within 14 days of verification.
7.3 Right to Erasure ("Right to be Forgotten")
Request deletion of your personal data, subject to legal retention requirements (e.g., academic records).
7.4 Right to Restrict Processing
Request temporary restriction on how we use your data while disputes are resolved.
7.5 Right to Data Portability
Request transfer of your data to another service in a machine-readable format.
7.6 Right to Object
Object to processing of your data for specific purposes. We will cease unless we have compelling legitimate grounds.
7.7 How to Exercise Your Rights
Contact our Data Protection Officer:
Email: dpo@breyerstudentleave.edu
Subject Line: "Data Subject Rights Request"
Include: Your name, student ID, and specific request
Response Time: Within 30 days
8. International Data Transfers
Your data may be processed in Malaysia or other countries. We ensure adequate protection through:
- Standard Contractual Clauses approved by data protection authorities
- Adequacy decisions for countries with equivalent protection
- Privacy Shield certification (where applicable)
- Binding corporate rules for internal transfers
9. Children's Data Protection
For students under 18:
- Parental consent may be required per institutional policy
- Enhanced protection measures are in place
- Parents/guardians can request access to their child's data
- Age-appropriate communication and consent processes
10. Automated Decision Making
We do not use automated decision-making or profiling that produces legal or similarly significant effects. All leave request decisions are made by human administrators.
11. Data Retention Periods
| Data Type | Retention Period |
|---|---|
| Account Information | Duration of enrollment + 5 years |
| Leave Request Records | 7 years (academic record keeping) |
| Login History | 12 months |
| Uploaded Documents | Duration of related leave request + 2 years |
| Communications | 3 years |
12. Contact Information
Data Protection Officer
Name: Chief Data Protection Officer
Email: dpo@breyerstudentleave.edu
Phone: +603-6185 4643 ext. 101
Address: No 1C, Jalan SG 3/19, Taman Sri Gombak, 68100 Batu Caves, Selangor D.E. Malaysia
Supervisory Authority
You have the right to lodge a complaint with:
- Personal Data Protection Department Malaysia
- Website: www.pdp.gov.my
13. Updates to This Policy
We review and update this Data Protection policy annually or when significant changes occur. You will be notified of material changes via email and in-app notification.
14. Questions and Concerns
If you have any questions about how we protect your data or wish to report a security concern, please don't hesitate to contact us using the information provided above.