Addendum

PERSONAL DATA PROTECTION POLICY (ADDENDUM – MALAYSIA) Effective Date: May 2025 This Malaysia Addendum (“Addendum”) forms part of and supplements the Cortina Holdings Limited Personal Data Protection Policy (“Policy”) in relation to the collection, use, disclosure, and processing of personal data of individuals located in Malaysia. It sets out the provisions required to comply with legal and regulatory requirements in Malaysia and is intended to amend, replace or supplement relevant sections of the Policy, where necessary. In the event of any conflict between this Addendum and the Policy, the terms of this Addendum shall prevail in respect of personal data processed in Malaysia. The purpose of this Addendum is to inform you of how we manage Personal Data in accordance with the Personal Data Protection Act 2010 (Act 709) of Malaysia (“PDPA”).

Amendment to Policy

Your Personal Data Sections 1.1. & 1.2. of the Policy shall be deleted in its entirety and replaced with the following:

• The PDPA defines Personal Data as any information in respect of commercial transactions that: (a) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose; (b) is recorded with the intention that it should wholly or partly be processed by such equipment; or (c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data controller, including any sensitive personal data and expression of opinion about the data subject; but does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010. The submission of your Personal Data is entirely voluntary. However, please note that if you choose not to provide certain Personal Data, or if the Personal Data provided is insufficient or inaccurate, we may not be able to process your requests, provide you with the requested products or services, or otherwise fulfil the purposes outlined in this Policy.

• Cortina Group considers certain types of Personal Data as “sensitive personal data”. This includes, but is not limited to, any personal data consisting of information as to the physical or mental health or condition of an individual, their political opinions, religious beliefs or other beliefs of a similar nature, the commission or alleged commission of any offence, biometric data or any other personal data as prescribed under the PDPA. Cortina Group does not generally collect or process sensitive personal data unless explicit consent has been obtained from the individual, or where such processing is otherwise permitted or required under Malaysian law. However, should you voluntarily provide us with sensitive personal data to us—for example, health-related data such as information about allergies or skin conditions— your provision of sensitive personal data will be deemed as giving us your explicit consent by conduct, to collect, use, and disclose such information solely for the purpose for which it was provided if it is reasonable that you would voluntarily provide the information, and in accordance with the provisions of the PDPA. We will handle any sensitive personal data we receive with reasonable care and in compliance with applicable legal requirements.

Purposes for the Collection, Use and Disclosure of Your Personal Data Section 3.1.6. of the Policy shall be deleted in its entirety and replaced with the following:

• complying with laws, regulations, codes of practice, and assisting law enforcement authorities in Malaysia;

This section shall be inserted as Section 3.3 of the Policy and shall read as follows:

• We take reasonable and appropriate security measures to ensure that any disclosure of your Personal Data to third parties is implemented in a safe and secure manner. These measures include data encryption, controlled access to personal data based on job responsibilities, secure file transfer protocols, periodic security audits, implementation of firewalls and intrusion prevention systems, and staff training on data protection practices.

Cross Border Transfers of Personal Data Sections 4.1. & 4.2. of the Policy shall be deleted in its entirety and replaced with the following:

• As Cortina Group is an international business, you acknowledge and agree that some information (including Personal Data) may be transferred to regions/countries outside of Malaysia in the ordinary cause of our business including to parties located in; - Singapore - Thailand - Taiwan - Hong Kong (SAR) of China - Macau (SAR) of China
• When Cortina Group discloses personal information outside of Malaysia, we will comply with this Addendum and the requirements of the PDPA pertaining to the transfer of Personal Data outside of Malaysia, including any regulations or guidelines issued by the Personal Data Protection Commissioner. If we do so, we will notify you of the transfer and provide confirmation that the transfer of Personal Data to the recipient is necessary for the purposes of fulfilling our obligations under applicable laws, and that we have taken reasonable steps to ensure that your Personal Data so transferred will not be used or disclosed by the recipient for purposes other than as permitted under the PDPA, and your Personal Data continues to receive a standard of protection that is at least equivalent to the level of protection provided under the applicable Personal Data protection laws and regulations of Malaysia. Additionally, where it is necessary to do so, Cortina Group shall enter into legally binding data sharing agreements with the recipients. In this regard, you confirm that by continuing to have a relationship with or deal with Cortina Group, you have explicitly consented to the disclosure by Cortina Group of your Personal Data to the aforesaid recipient(s), to the extent permitted under Malaysian law.

Disclosure without Consent; Deemed Consent Section 5.2. of the Policy shall be deleted in its entirety and replaced with the following:

• Under certain circumstances, we may assume deemed consent from you when you voluntarily provided your Personal Data to use for the stated purpose(s). By providing your Personal Data to us, you acknowledge and agree that you have fully read and understood the Policy and this Addendum, and are consenting to the collection, use, processing and disclosure of your Personal Data as described in the Policy. The exceptions upon which Personal Data may be collected without consent are pursuant to Section 6 of the PDPA.

Security Section 7.1. of the Policy shall be deleted in its entirety and replaced with the following:

• Cortina Group shall make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks to Personal Data in its possession. We implement appropriate technical and organisational measures such as encryption of data during storage and transmission, access control management based on business need-to-know basis, secure password policies, regular system monitoring and vulnerability assessments, staff training on data protection, and physical security measures for premises and servers to safeguard the security and confidentiality of Personal Data. Please notify us immediately if you become aware of any breach of security.

Withdrawal, Access, and Correction of Your Personal Data Section 8.1.4. of the Policy shall be deleted in its entirety and replaced with the following:

• You may request to access or correct your Personal Data by submitting your request in writing or via email to our Data Protection Officer. To respond to your request, we may ask you to provide us with a proof of your identity. We will aim to provide access to your Personal Data within twenty-one (21) days from the date of receipt. If the request cannot be completed within this timeframe, we may extend the response period by up to fourteen (14) additional days and will notify you accordingly, including the reason for the delay;

Data Retention Section 10.1. of the Policy shall be deleted in its entirety and replaced with the following:

• We will only retain your Personal Data for as long as necessary to fulfil the purpose(s) we collected it for and where retention is no longer necessary for legal or business purposes, including for the purposes of satisfying any legal, accounting, or reporting requirements, or once the Personal Data is no longer necessary for the purposes it was collected, we will take reasonable steps to securely dispose or permanently delete the data, in accordance with our internal data retention polices and applicable Malaysia law.

Data Protection Officer Section 15.2. of the Policy shall be deleted in its entirety and replaced with the following:

• You may contact our Data Protection Officers in Malaysia via the following contact details:Contact Person: Mr Alvin Leow Designation: General Manager Telephone: +603 2148 2814 Email: [email protected]

Language This section shall be inserted as Section 17 of the Policy and shall read as follows: The Bahasa Melayu version of the Policy can be found here. In the event of any conflict and/or inconsistencies between the English and Bahasa Melayu versions, the English version shall prevail.