CORPORATE DISCLOSURE

Privacy & Data Protection Policy

Last Updated: April 2026

1. Introduction & The Regulatory Framework

At SL-Silva (MM2H) Sdn. Bhd. (“The Agency,” “We,” “Us”), the safeguarding of your personal, medical, and financial information is managed with rigor and institutional-grade risk protocols.

Because we serve a global clientele, including citizens of the European Economic Area (EEA), this Privacy Policy is designed to comply with two comprehensive data protection regimes:

  • Malaysian Personal Data Protection Act 2010 (PDPA): Governs the processing of personal data in Malaysia, requiring strict adherence to seven principles including Consent, Security, and Data Integrity.
  • EU General Data Protection Regulation (GDPR 2016/679): Grants individuals extensive rights over their data and enforces standards for its collection, processing, and international transfer.

This policy sets out how your data is collected, secured, and used to facilitate your Malaysia My Second Home (MM2H) relocation.

2. The Data Controller

For GDPR and PDPA purposes, the Data Controller is:

Stephen Louis Silva

Contact: info@live-in-malaysia.com

Lot 247, 2nd Floor, Wisma New Asia, Jalan Raja Chulan, 50200 Kuala Lumpur, Malaysia.

Managing Director: info@live-in-malaysia.com

3. Categories of Data We Process

To meet the requirements of MOTAC and the Department of Immigration, we process:

  • Identity Data: Passports, birth/marriage certificates, police clearance (Letter of Good Conduct).
  • Financial Data: Bank statements, income declarations, fixed deposit confirmations, asset valuations.
  • Medical Data (Special Category): Medical examination reports and insurance coverage, processed solely for visa endorsement.
  • Digital Data: IP addresses, browser types, and essential cookies (with consent).
  • Prospective Client Data: Names, emails, and technical data when requesting brochures or submitting inquiries.

4. Lawful Basis for Processing (GDPR Art. 6 & Art. 9)

We process data only with a clear legal foundation:

  • Contractual Necessity (Art. 6(1)(b)): Required to deliver agency services and secure MM2H residency.
  • Legal Obligation (Art. 6(1)(c)): Compliance with MOTAC and Immigration requirements.
  • Explicit Consent (Art. 9(2)(a)): For medical data, obtained via our Secure Client Portal.
  • Explicit Consent (Art. 6(1)(a)): For marketing communications and brochure requests, with opt-out rights.

5. Data Sovereignty, Storage & Cross-Border Transfers

We recognize that cross-border data transfer is a primary concern for global executives.

  • EU Infrastructure: Client dossiers are hosted on encrypted servers in Germany (IONOS SE), protected under EU privacy standards.
  • Cross-Border Transfers to Malaysia: To process your application, our Kuala Lumpur headquarters must access this data. This transfer from the EU to Malaysia is conducted via encrypted, secure channels. We rely on the execution of a contract (your MM2H application) and strict internal access controls to legitimize this transfer under GDPR Chapter V and PDPA Section 129.

6. Disclosure & Third-Party Sharing

We never sell or monetize your data. Disclosure is limited to:

  • Government Authorities: MOTAC, Immigration Department, Royal Malaysia Police.
  • Fiduciary Partners: With consent, selected banks, medical providers, and insurers.
  • Prospective Clients: Email addresses collected for brochures remain securely stored on EU servers and are not shared externally.

7. Institutional Data Security Measures

We maintain institutional-grade safeguards, including:

  • End-to-end encryption for all uploads via our Secure Private Client Portal.

  • Role-Based Access Control (RBAC), restricting sensitive data to senior consultants.

8. Data Retention & Purging Protocols

Data is retained only as long as necessary:

  • Active Processing: During the 3–6 month MOTAC application window.
  • Post-Approval: We purge highly sensitive dossiers (passports, financial records, medical records) post-approval, retaining only the baseline invoicing and identity records required by Malaysian corporate tax law for 7 years.

9. Your Statutory Rights

Under the GDPR and PDPA, you retain full control over your data, including:

  • Right of Access: Request a secure digital copy of the exact data we hold about you.

  • Right to Rectification: Mandate the correction of any inaccurate or outdated dossiers.

  • Right to Erasure (“Right to be Forgotten”): Request the permanent deletion of your data, provided it does not conflict with overriding Malaysian governmental retention laws regarding active immigration statuses.

  • Right to Restrict Processing: Temporarily halt our processing of your data during a dispute.

  • Right to Data Portability: Receive your data in a structured, machine-readable format.

  • Right to Withdraw Consent: You may withdraw your consent for the processing of medical or special category data at any time via written notice to our Data Controller.

10. Modifications to this Policy

As privacy laws and MM2H requirements evolve, we may update this policy.

Material changes will be communicated directly to active clients via the Secure Client Portal.