This notice provides guidance on data handling and processing obligations in accordance with applicable data protection and privacy regulations across relevant regions.

Instructions for Additional Data Processing and Compliance

At Sebleu, upholding the highest ethical standards is a core priority. We recognise individual privacy as a fundamental right and take the protection and security of personal data—managed internally and on behalf of our clients—extremely seriously.

Sebleu strengthened its commitment to privacy and data protection following the introduction of the European General Data Protection Regulation (GDPR) in 2016, which governs the processing of personal data of individuals in the European Union regardless of where such data is processed or stored.

We continuously monitor global developments in privacy and data protection legislation as part of our comprehensive data governance programme. Where appropriate, we adopt new standards as consistent, organisation-wide practices across all regions to meet regulatory requirements, client expectations, and operational responsibilities.

As additional legislation has emerged—such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)—Sebleu continues to assess regulatory impact and prepare for compliance obligations that affect our operations and services.

As a Sebleu service provider or supplier (“you”), you have a responsibility to protect the privacy and security of personal information provided to you by Sebleu or our clients.

Canada – PIPEDA and Supplier Compliance

For suppliers providing products, services, or technology to Sebleu in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) and British Columbia’s Personal Information Protection Act (PIPA) apply.

These laws govern how personal information is collected, used, disclosed, stored, and protected. Individuals have the right to access their personal information, provide consent, withdraw consent, and request correction of inaccuracies. Organisations are limited to collecting personal information strictly for identified and consented purposes.

The key principles of PIPEDA applicable to Sebleu suppliers include:

1. Accountability

Personal information must be protected, including information processed by third parties. Clear policies and accountability measures must be maintained.

2. Identifying Purposes

Purposes for data collection must be clearly identified, documented, and communicated prior to collection.

3. Consent

Meaningful consent must be obtained for collection, use, and disclosure. Individuals must be informed of implications when consent is withdrawn.

4. Limiting Collection

Only information necessary for identified purposes may be collected, using lawful and fair means.

5. Limiting Use, Disclosure, and Retention

Personal information may only be used or disclosed for stated purposes and must be securely destroyed or anonymised when no longer required.

6. Accuracy

Reasonable steps must be taken to ensure information is accurate, complete, and up to date.

7. Safeguards

Appropriate security measures must protect personal information against loss, unauthorised access, or misuse.

8. Openness

Policies relating to personal data management must be transparent, documented, and accessible.

9. Individual Access

Individuals have the right to access and request correction of their personal information.

10. Challenging Compliance

Individuals may challenge compliance with privacy obligations and principles.

European Union and United Kingdom – GDPR Compliance

For suppliers providing products, services, or technology to Sebleu in the EU or UK, the General Data Protection Regulation (EU) 2016/679 applies.

Suppliers must comply with GDPR principles, including:

• Lawfulness, fairness, and transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity and confidentiality (security)
• Accountability

Suppliers must maintain appropriate records and controls to demonstrate compliance.

Singapore – Personal Data Protection Act (PDPA)

For suppliers operating in Singapore, the Personal Data Protection Act (PDPA) governs the collection, use, disclosure, storage, and transfer of personal data.

Key obligations include:

• Obtaining and managing consent
• Limiting data use to stated purposes
• Providing access and correction rights
• Ensuring data accuracy and protection
• Managing retention and secure disposal
• Notifying individuals and authorities of notifiable data breaches
• Restricting cross-border transfers unless permitted by law

Sebleu’s Data Protection Obligations

Sebleu takes reasonable steps to ensure compliance with PDPA, GDPR, PIPEDA, and other applicable laws, including:

1. Maintaining accountability and governance structures
2. Informing individuals of data usage purposes
3. Respecting consent and withdrawal rights
4. Limiting collection and use to reasonable purposes
5. Ensuring data accuracy
6. Safeguarding personal information
7. Limiting data retention
8. Managing cross-border transfers responsibly
9. Providing access and correction rights
10. Reporting notifiable data breaches
11. Supporting data portability where applicable

All Sebleu suppliers, partners, and service providers must comply with applicable data protection laws relevant to their geographical region.

This Notice regarding Data Protection was last updated on 6 January 2026.