TUI International Holiday Malaysia Sdn. Bhd Privacy Notice
This Privacy Notice (“Notice”) is issued to you by TUI International Holiday Malaysia Sdn. Bhd (referred to in this Notice as “we” or “us”). As part of the TUI Group, we are committed to doing the right thing when it comes to how we collect, use and protect your personal data. Your privacy matters to us, so please take the time to read this Notice.
We have aimed to keep this Notice as simple and easy to understand as possible. Please refer to the “Key Terms” section for explanations of any technical terms we use in this Notice, such as “data controller” or “special categories of data”.
1. Scope of this Notice
This Privacy Notice describes how we collect and use your personal data in relation to our websites, applications, products, services, events, and experiences that reference this Privacy Notice (together, “our Services”).
This Privacy Notice does not apply to the “content” processed, stored, or hosted by our customers using our Services. See the agreement governing your access to our Services for more information about how we handle content and how our customers can control their content through our Services. This Privacy Notice also does not apply to any products, services, websites, or content that are offered by third parties or have their own privacy notice.
2. Who is responsible for the processing of your personal data?
The controller of your personal data is TUI International Holiday Malaysia Sdn. Bhd. As controller, we are responsible for the processing of your personal data as described in this Notice. We are part of the TUI Group, incorporated under the laws of Malaysia, and have our offices at A-38-11 & A-39-11, Level 38, Menara Uoa Bangsar, Jalan Bangsar Utama 1, Bangsar, 59000 Kuala Lumpur, Wilayah Persekutuan Kuala Lumpur.
3. What personal data we collect
The types of your personal data we collect and process will depend on the nature of our business relationship with you and how you interact with us.
Through the Services
We collect information you provide in relation to our Services. For example:
– your name, email address, physical address, phone number, and other similar contact information;
– payment information, including credit card and bank account information;
– information about your location;
– information about your organization and your contacts, such as colleagues or people within your organization;
– usernames, aliases, roles, and other authentication and security credential information;
– content of feedback, testimonials, inquiries, support tickets, and any phone conversations, chat sessions and emails with or to us;
– your image (still, video, and in some cases 3-D), voice, and other identifiers that are personal to you when you attend one of our events or use certain of our Services;
– information regarding identity, including government-issued identification information;
– corporate and financial information; and
– VAT numbers and other tax identifiers.
Automatic information
We collect information automatically when you visit, interact with, or use our Services (including when you use your computer or other device to interact with our Services); download content from us; open emails or click on links in emails from us; and interact or communicate with us (such as when you attend one of our events or when you request customer support). For example:
– network and connection information, such as the Internet protocol (IP) address used to connect your computer or other device to the Internet and information about your Internet service provider;
– computer and device information, such as device, application, or browser type and version, browser plug-in type and version, operating system, or time zone setting;
– the location of your device or computer;
– authentication and security credential information;
– content interaction information, such as content downloads, streams, and playback details, including duration and number of simultaneous streams and downloads;
– our Services metrics, such as offering usage, occurrences of technical errors, diagnostic reports, your settings preferences, backup information, API calls, and other logs;
– the full URL (Uniform Resource Locators) clickstream to, through, and from our website (including date and time) and our Services, content you viewed or searched for, page response times, download errors, and page interaction information (such as scrolling, clicks, and mouse-overs);
– email addresses and phone numbers used to contact us; and
– identifiers and information contained in cookies (see our Cookie Notice).
Information from other sources
We may collect information about you from other sources, including service providers, partners, and publicly available sources. For example:
– marketing, sales generation, and recruitment information, including your name, email address, physical address, phone number, and other similar contact information;
– subscription, purchase, support, or other information about your interactions with products and services offered by us, our affiliates, or third parties in relation to our Services; and
– credit history information from credit and fraud bureaus.
Special categories of data
If we collect special categories of data about you, we will only do so with your explicit consent or where another legal basis applies.
4. Why and on which legal basis we collect your personal data
We process your personal data in a variety of ways and for various purposes, always only if and where we can rely on a valid legal basis, as follows:
Purpose | Legal Basis |
---|---|
To deliver our Services. We will process your personal data to deliver our Services to you | To perform our contract with you. |
To manage and improve our Services. We will use personal data to monitor, manage and improve the quality of our Service delivery, including by monitoring the quality and stability of our Service delivery and our systems; and testing and troubleshooting, generating statistics and analysing relevant information about system performance and usage. Where feasible, we will use anonymised or pseudonymised data for such analytical purposes, e.g. by way of aggregation or other means of de-identification. | To pursue our legitimate interest in monitoring and improving our Services and day-to-day operations. |
To personalise your experience. We may use your personal data to better understand your interests so that we can try to predict what other Services and information you might be most interested in. This will enable us to deliver more personalised content which is relevant for you, and which we believe you may find interesting. | To pursue our legitimate interest in offering you more relevant Services. |
For marketing communications. We may use your personal data to send you personalized marketing communications, such as relevant offers and news about our Services in a number of ways, including by email. Where required, we will ask you for your permission to send you direct marketing communications. If you are no longer interested in receiving marketing communications from us, you can use the ‘unsubscribe’ link in our marketing emails, replying STOP to the short code in our marketing text messages, by phone, or by writing to us at the contact details set out below. Even after you have unsubscribed, you may still receive Service-related communications from us. Please note that unsubscribing from marketing communications from us will not affect your relationship with any TUI Group Companies with whom you have booked before. Please refer to the Privacy Notice of the respective TUI Group Company for further information on how they process your personal data. | To pursue our legitimate interest to send direct marketing communications to our customers. Your consent. |
To contact and interact with you. We want to serve you better as a customer, so there will be various situations in which we may contact you, for example by email, SMS, post, phone, chatbot or via social media. Where possible, we will only contact you via the communication channels you have shared with us. This may include responding to any enquiries or requests you have made; sending you service communications; sending you useful information; or sending you security alerts or other administrative messages. | To perform our contract with you where communication is required. To pursue our legitimate interest in communicating with you to improve your customer experience and to provide you with personal service in connection with our Services. |
Market research. We like to hear your views to help us to improve our Services, so we may contact you to invite you to participate in customer surveys, feedback questionnaires or other market research activities. Your participation is always optional. You can tell us to stop contacting you for market research purposes at any time. | To pursue our legitimate interest in conducting market research to help us to improve our Services. Your consent. |
Call monitoring and chat function. To save time and resources, we may use a call monitoring system. We may still ask for authentication to keep your data confidential. We may also use chat function to exchange information when you contact us. Calls and chats may be recorded for quality and training purposes as well as to handle legal claims, fraud detection and complaints. | To pursue our legitimate interest in monitoring calls for legitimate purposes. Your consent. |
To ensure safety and security. To ensure the security of our premises and facilities, IT systems, databases, websites or other digital infrastructure, including authentication of users, preventing and detecting security incidents, improving data security and protecting against malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for that activity, service, testing and maintenance of our systems. We may have to cancel or freeze our Services if and as long as required to conduct required investigations and risk and security assessments. | For compliance with a legal obligation to which we are subject. To pursue our legitimate interest in maintaining the security, safety and integrity of our IT systems, networks and other digital infrastructure and employees and visitors. |
For legal purposes. We may need to process your personal data to establish, exercise or defend our legal claims and rights, including appropriate dispute or dispute resolution procedures, for regulatory and official investigations and compliance, for internal investigations, to enforce our terms and conditions, or to comply with lawful requests from law enforcement and other authorities. | For compliance with a legal obligation to which we are subject. To pursue our legitimate interest to protect and enforce our legal rights and claims. |
In order to fulfil your rights as a data subject. If you assert your rights as a data subject, for example by requesting access to your personal data, we will process the necessary data to fulfil your request. | To fulfil a legal obligation to which we are subject. |
We will not process your personal data for any other purposes than those set out above, unless we inform you about a change in purpose. In particular, we will not sell your personal data to third parties.
Generally, you are not obliged to provide your personal data to us for the above purposes, unless we specifically inform you that you are required by law to provide certain information. However, if you do not provide us with the information we request from you, we may not be able to provide you with our Services or products.
5. Who we share your personal data with
We will generally not share your personal data with third parties unless that is required to deliver our Services or for any other purpose set out above. In particular, we may share your personal data with the following third parties:
Our affiliates within the TUI Group
We may share the minimum personal data necessary with other companies in the TUI Group for the above-mentioned purposes.
Suppliers
We work with carefully selected suppliers that carry out certain functions on our behalf. For example, companies that help us with IT services, storing and combining data, marketing, advertising campaign, market research, processing payments or handling chargebacks and otherwise delivering our Services.
Where our suppliers process personal data on our behalf, and in accordance with our instructions (so called data processors), we retain control over your personal data and will remain fully responsible for it. When engaging such data processors, we will apply appropriate safeguards as required by applicable law to ensure the integrity and security of your personal data. We will only share the minimum amount of personal data that is required to enable our suppliers to provide their products and services to us.
Professional advisors and other professional third parties
We may share your personal data with our professional advisors, such as law firms, tax advisors or auditors where that is required in connection with insurance claims, disputes or other legal claims or in connection with an audit or investigation we undergo. Any such third parties will be under a strict confidentiality obligation and will handle your personal data in line with their professional obligations.
Public, regulatory and government authorities, and similar bodies
We may share your personal data with relevant public authorities and similar bodies. These include regulatory or enforcement authorities, lawyers or courts. We will only do so if required by applicable law or regulation or if legally permitted and necessary to comply with a legal obligation or for the establishment, exercise or defence of legal claims. We may share the minimum personal data necessary with other authorities and bodies if the law says we must, or we are legally allowed to do so.
Credit reference and fraud prevention agencies
We may share your personal data with credit reference and fraud prevention agencies. That means looking into any records we hold about you and your records with credit reference agencies (CRAs) or fraud prevention agencies (FPAs).
We may also do checks to confirm your identity. That is to help protect you from identity theft and other types of fraud, and to prevent and detect crime or money laundering. We may run more checks with CRAs and FPAs to keep your information up to date. If false or inaccurate information is provided and identified as fraud, the details will be passed to FPAs. This information may also be shared with law enforcement agencies.
If you tell us you have a spouse or financial associate, we may link your records together – so you must make sure you have their agreement to disclose information about them. CRAs may also link your records together and these links will stay on your and their files – unless you or your partner successfully files for a disassociation with the CRAs to break that link.
We may send these agencies details such as your name, address, accounts and bills, including how you manage them. That includes telling them about your account balances, what you pay us and when you miss a payment. If you don’t pay your bills on time CRAs will record that. Agencies may tell others doing similar checks, including organisations trying to trace you or recover money you owe them.
Corporate transactions
We may also share personal data with an organisation to which we sell or transfer (or enter into negotiations to sell or transfer) any of our businesses or any of our rights or obligations under any agreement we may have with you. If the transfer or sale goes ahead, the organisation receiving your personal data can use your data in the same way as us.
6. Protecting your personal data
We know how important it is to protect and manage your personal data. We take appropriate security measures to help protect your personal data from accidental loss and from unauthorised access, use, alteration and disclosure.
We hold ISO/IEC 27001:2022 certification. As such, we have implemented comprehensive security measures and countermeasures, and our team consistently follows best practices in their daily activities to ensure the continuous protection of sensitive information.
The security of your data also depends on you. For example, where we have given you or where you have chosen a password for access to certain services, you are responsible for keeping this password confidential.
7. Where we transfer your personal data
We may need to share your personal data with recipients in other countries in the course of our business activities. Such countries may not have the same level of data protection as the country in which your personal data was initially collected. In such cases we will protect your personal data in accordance with this Privacy Notice and applicable law.
If we process your personal data under the EU General Data Protection Regulation (“GDPR”) or the GDPR as incorporated into UK law by the Data Protection Act 2018 (“UK GDPR”) we will put in place appropriate safeguards to make sure your personal data remains adequately protected and that it is treated in line with this Notice. These safeguards include, but are not limited to, appropriate contract clauses, such as standard contract clauses approved by the European Commission and the UK International Data Transfer Addendum, and appropriate security measures. You can contact us anytime at the contact details below if you would like further information on such safeguards.
We may also transfer your personal data outside of the EEA or the UK where that is in your interest or necessary to conclude or perform our Services.
8. How long we retain your personal data
We will retain your personal data for only as long as it is necessary to provide our Services to you or for the other purposes set out in this Privacy Notice and to meet legal and regulatory record retention requirements. After this period, we will securely erase your personal data. If data is needed after this period for analytical, historical or other legitimate business purposes, we will take appropriate measures to anonymise this data.
9. About cookies and similar technologies
Cookies are small data files that allow a website to collect and store a range of data on your desktop computer, laptop or mobile device. Cookies help us to provide important features and functionality on our Websites and mobile apps, and we use them to improve your experience. Please see our separate Cookie Notice.
10. Links to other websites and social media features
Our Services may contain links to other websites and applications that have their own privacy notices. Please read the terms and conditions and privacy notice carefully before providing any personal data on another organisation’s website as we do not accept any responsibility or liability for websites of other organisations.
Our Services may contain social media features that have their own privacy notices. Please read their terms and conditions and privacy notice carefully before providing any personal data as we do not accept any responsibility or liability for these features. We may also maintain social media accounts ourselves. Whenever you connect with us through such social media, your social media service provider may share information with us.
11. How we use automated decision making and Artificial Intelligence (AI)
We may use automated decision-making to enhance your user experience and to keep our Services safe. Our processes and use of technology may be assisted by Artificial Intelligence (AI), such as virtual chat agents, support customer services, personalised content and recommendation engines, video and image enhancement and speech recognition.
AI applications are assessed and used in accordance with relevant TUI Group and local policies, guidance, business processes and risk considerations. Appropriate due diligence (background investigation) and risk assessment are undertaken as relevant to the role and scope of the AI application and to mitigate risks which may arise from our use of AI, such as data inaccuracies, hallucination, biases or other potentially harmful effects. The use of AI tools is monitored and overseen by individuals working for or on our behalf.
For example, in connection with our Services, AI applications may be used in relation to:
– determining the ranking of search results you see on our website;
– determining the type of recommendations we make on our website or in our direct marketing communication;
– monitoring and analysing the operations of our website and other systems, reviewing and troubleshooting system incidents;
– operating interactive chatbots; or
– the prevention and detection of breach of our terms and conditions or other fraudulent activities on our website or other resources.
Our use of AI or other automated systems will not result in an automated decision being made about you which would have legal or similarly significant effects on you. Where AI or other automated systems may assist or help to make a decision we make, such decisions will not be made without human review or intervention.
We will inform you if this changes. Should that be the case, we will implement suitable measures to safeguard your rights and freedoms, which may include your right to ask for human intervention to review a decision.
12. How we handle personal data belonging to children
The Services are not directed to children (as defined by local laws) and we do not knowingly collect personal data from children.
13. Your rights in relation to your personal data
Subject to applicable laws, conditions, and limitations, you have certain rights in relation to your personal data. For any requests, please contact us at the details set out in the next section. If you contact us to assert your rights, we will only process data that is necessary to respond to your request.
Please include details to help us identify and locate your personal data. Where we can provide data access, we will do so free of charge except where further copies are requested, in which case we may charge a reasonable fee based on administrative costs.
Please note that we may ask you to verify your identity before we can act on your request or complaint. We may also ask you for more information to help ensure that you are authorized to make such a request or complaint when you contact us on behalf of someone else.
We will respond to a request without undue delay and, in any event, within one month of its receipt (or within a shorter period if required by applicable law). This period may be extended by two months, where necessary, taking into account the complexity and number of requests. In the event an extension is required, we will inform you within one month and provide reasons for the delay.
Right of access to your personal data
You have a right to ask for a copy of the personal data we hold about you. You can write to us asking for a copy of other personal data we hold about you. We want to make sure that the personal data we hold about you is accurate and up to date. If any information we hold about you is incorrect, please let us know.
Rectification of data
You can ask us to correct incorrect or incomplete personal data about you.
Right to Erasure
You can request the deletion of your personal data. For example, if data is no longer necessary for the purposes for which it was collected. You can also request deletion if we process your data on the basis of your consent and you withdraw this consent.
Right to restrict processing
You can request the restriction of the processing of your personal data. For example, if you dispute the accuracy of your data. You can then request the restriction of processing for as long as it takes to verify the accuracy of the data.
Right to data portability
If data processing is based on consent or the performance of a contract and processing is carried out by automated means, you can ask to receive your data in a structured, common and machine-readable format and to transmit it to another data controller.
Right to object
Where processing is based on legitimate interests or the public interest, you can object at any time to the processing of your personal data, on grounds relating to your particular situation. Where personal data are processed for direct marketing purposes, including profiling to the extent that it relates to such marketing, you can object at any time without providing reasons.
Right to object to automated individual decision-making, including profiling
You can object to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. However, this right to object does not apply if the decision is necessary for entering into, or performance of a contract with you, or it is authorized by applicable law, or is based on your explicit consent.
Right to withdraw your consent
If you have given us your consent for the processing of your personal data, you may withdraw your consent at any time with effect for the future. The withdrawal of your consent does not affect the lawfulness of processing based on the consent before its withdrawal. If you withdraw your consent, we will promptly delete the relevant data unless there is another legal ground permitting or requiring us to retain and continue processing such data.
Complaints about how your personal data is handled
You can also contact us if you have a complaint about how we collect, store or use your personal data. We aim to resolve complaints but if you are dissatisfied with our response, you may complain to your local data protection authority.
14. How to contact us
If you have any questions about this Privacy Notice, or you want to exercise your rights over your personal data or complain about how we collect, store or use your personal data, please contact our Data Protection Officer at dpo.malaysia@tui.com.
15. Key Terms
Controller
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of the processing of personal data.
European Economic Area (EEA)
EU Member States plus Norway, Iceland and Liechtenstein.
Special categories of data
Personal data revealing racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data, biometric data for the purpose of uniquely identifying a natural person; health data; and data concerning a natural person’s sex life or sexual orientation.
TUI Group
TUI AG and its affiliates. TUI is one of the world’s leading tourism groups. We are a global enterprise and our companies provide tour operator services, travel agencies, tours and activities, cruises, airlines, and hotels. More information about the TUI Group can be found here https://www.tuigroup.com/en-en
TUI Group Company
Any of our affiliated companies within TUI Group which offers a travel experience.
16. Changes to our notice
This Privacy Notice replaces all previous versions. We may change the Notice at any time so please check it regularly on our website for any updates. If the changes are significant, we will provide a prominent notice on our website including, if we believe it is appropriate, electronic notification of Privacy Notice changes.
Last updated: March 2025