Standard Group KYC Questionnaire


KNOW YOUR COUNTERPARTY QUESTIONNAIRE

PETRONAS is committed to the highest standards of integrity, openness and accountability in the conduct of the
Group’s business and operations. PETRONAS seeks to conduct its affairs in an ethical, responsible and transparent
manner. The PETRONAS Code of Conduct and Business Ethics (“CoBE”) sets out PETRONAS’ core principles and
detailed policy statements on the standards of behaviour and ethical conduct including with respect to ethics and
integrity, competition, sanction, export control and data privacy.

As part of our commitment, PETRONAS and its subsidiaries expect their third party counterparties, including but not
limited to customers, partners, contractors, subcontractors, sellers, vendors, consultants, suppliers,
distributors, agents, representatives and others supplying materials, work or services for or on behalf of the Group,
to comply with all applicable laws and subscribe to the same values and ethical standards of integrity as PETRONAS
in the conduct of their business, as well as with any other relevant guidelines or manuals of PETRONAS and its subsidiaries.

Therefore, before PETRONAS and its subsidiaries engage with any third party counterparties (hereinafter referred to
as ‘Company’ or ‘Counterparty’), we are obligated to conduct appropriate third party due diligence to understand
the business and background of our prospective business counterparties.

All three (3) parts of the following questionnaire must be completed. You may use additional pages when
necessary, and return a scanned, signed copy to the PETRONAS focal person in charge. Please attach the required
documents listed in the Document Checklist, and sign and stamp the document under the Certification Section. If you
subsequently learn that any of the information provided below is incorrect or incomplete, please correct or
complete it (as applicable) and notify us as soon as possible.

PART A

1. Corporate Details

Registered Company Name


(Full Legal Name)

Other Name
(Any previous Legal Name/ Trading
Names)

Registration Number Tax Registration Number

Country of Incorporation Date of Incorporation


(dd/mm/yyyy)
Corporate Status No. of Employees
(Private Limited, Limited, Partnership
Listed, etc)
Open
Nature and Line of Business
(Please state your core industry and
main activity e.g. Core Industry - Oil
& Gas, Main activity - Trading)

Registered Address

Business Address

Telephone Number

Email Address

Website

Branch (if any)

Branch Address

2. Contact Details

Primary Contact Person


Department
Telephone Number Email

Secondary Contact Person


Department
Telephone Number Email

3. Shareholders

Parent Company Country


(Full Legal Name)

Ultimate Parent Company Country


(Full Legal Name)

Please provide the following details on the Company’s Shareholders and their details as follows.

Name (Individual/ Company) | Nationality/ Jurisdiction | ID/ Registration Number | Address | Amount of Shares | % of Shares | Type of Shares

Please provide diagram of the Company’s shareholding structure.

4. Board of Directors & Company Secretary


Please provide the following details on Company Secretary and each current director as follows.

Name | Nationality/ Jurisdiction | Position (Company Secretary/ Independent Director/ Non-Independent Director) | Appointment Date | Date of Birth

5. Management of Company
Please provide details on key management personnel (CEO, CFO, HOD).

Name | Nationality/ Jurisdiction | Position | Years in Position | Years in Industry/ Related Field

6. Dealing with PETRONAS Group Entities
Please provide information on current/ past contract that the company has/ had with PETRONAS Group Entities.

PETRONAS Entity Name | Type of Business/ Service/ Product | Credit Term (Applicable if for purchase of product from PETRONAS, e.g. Open/ Secured Term) | Contract Period

7. Contract Arrangement

Does the Company intend to enter the contract under a different legal entity? ☐ Yes
☐ No

If yes, please state.

Full Legal Name | Entity’s ID (i.e. ROC Number) | Relationship with the Company | Country | Year of Incorporation | Business Operation

Does the Company intend to perform the contract as part of a partnership? ☐ Yes
(Consortium/ Unincorporated Joint-Venture/ Agency) ☐ No

If yes, please provide details of the arrangement.

Full Legal Name | Entity’s ID (i.e. ROC Number) | Country | Type of Partnership (Consortium/ JV/ Partnership) | Remarks

Does the Company outsource or intend to outsource any of its services in ☐ Yes
relation to the proposed arrangement with PETRONAS? ☐ No

If yes, please provide details of the third party contractors.

Please note that any outsource arrangement in relation to the transaction requires PETRONAS prior consent.

Name of Sub-contractor Entity | Country/ Jurisdiction | Year of Incorporation | Job Scope | Remarks

8. Financial

Does the Company have history of bankruptcy? ☐ Yes


☐ No

If yes, please provide brief description on the bankruptcy.

Please provide 3 most recent annual Audited Financial Statements (Statements of Financial Position, Income Statement
and Cash Flow Statement) including Director’s report/ Auditor’s report/ Note to the Financial Statements with Disclosure
of Commitment & Contingent Liability.

Please provide the Company’s auditors and solicitors details.

Company Contact Person Year of Service


Auditors Name Name
Address Email
Phone
Advocates & Name Name
Solicitors Address Email
Phone

Is the Company listed on stock exchange? ☐ Yes


☐ No

If yes, please provide details.

Name of Exchange | Country | Ticker | Market Capitalization | As at Date | Status

Is the Company being rated by any rating agency? ☐ Yes


☐ No

If yes, please provide details.

Rating Agency Rating Date

Please provide the Company’s banking details as follows.

Name of the Bank | Address of the Bank | Name of Account Manager | SWIFT Code | IBAN/ Routing Code

Please include the last 6 months Bank Statement.

Does the Company have any credit facilities? ☐ Yes


☐ No

If yes, please provide details.

Name of Credit Facilities Given (Banks/ Financial Providers/ Other Providers) | Type of Facility | Amount | Expiry Date | Utilization | As at Date

Please include Referral Letter from bank if applicable.

PART B

1. Experience & Expertise

Experience in the Industry: Years

Is the Company registered with Ministry of Finance (MOF)? ☐ Yes


☐ No

Is the Company licensed with any other Authority/ Statutory/ Regulatory Bodies? ☐ Yes
☐ No

If yes, please provide details.

Name of License/ Registration | Issued by | License/ Registration Number | Expiry

Does the Company own any Intellectual Property (IP), patent or technology relevant ☐ Yes
to the intended transaction? ☐ No

If yes, please provide details.

Patent Number Issuing Body Expiry Description/ Remark

Please provide details on experience of key technical personnel for the intended project.

Position | Name | Nationality | Years of Experience | Qualification | Key Project Delivered

Please attach CV and qualification certificate of the key personnel above.

2. Business Dimension

Company’s On-Going Project

Please answer Not Applicable (N/A) if this part of questions is not relevant.

Please list the Company’s on-going project (incorporated in order book).

Project Name/ Job Scope Value Period Progress Status

Property and Facility

Does the Company own or lease any property, facility or infrastructure? ☐ Yes
☐ No

If yes, please provide details.

Properties/ Facilities/ Infrastructure Owned/ Lease Expiry

PART C

TPRM 5 Critical Legal Areas

ETHICS & INTEGRITY


NO QUESTIONS RESPONSE

1. Are any of the current directors or current key employees of the Company also a Public
Official?

If so, please provide details.

DESCRIPTIONS

For ease of reference, “Public Official” shall include the following:

(i) a person employed by a public authority holding a legislative, executive,


administrative or judicial office, whether appointed or elected, whether
permanent or temporary, whether paid or unpaid, irrespective of that
person’s seniority;
(ii) any other person who performs a public function, including for a public
agency or public enterprise, or provides a public service; or
(iii) any other person defined as a “public official” in the domestic law of a
country.

2. Please disclose any relationship which the Company, its affiliates, its directors and/or
key employees has or have with any Public Official related to the transaction.

3. Have any payments been made by or on behalf of the Company during the past five
years to any Public Official?

If so, please provide details.

4. Does the Company have any affiliation with a current PETRONAS employee who is involved
in this transaction?

If yes, please provide details:


• Full Legal Name of the Individual
• Position Held
• The Duty/Duties of the Position(s)
• Tenure (start & end dates)


5. Does any government, its agencies or controlled organisations, or any other


organisation performing a governmental function own any interest in or exercise any
control over the Company’s business?

If Yes, please list the nature and extent of any such interest or control.

6. Does the Company have and disseminate to its employees the following:

i) a written employee code of conduct;


ii) a written anti-bribery and corruption policy; and
iii) a policy and process for reporting bribery if discovered?

7. Has the Company (or any of its affiliates, shareholders, directors or key employees) ever
been the subject of any convictions or prosecutions, or is the subject of any pending
investigations by public authority, in relation to bribery or corruption? Provide details,
if any.

8. Does the Company require its contractors, sub-contractors and other third parties to
comply with its ethics and compliance policies (including anti-bribery and corruption)?

If Yes, please provide details of the extent to which the Company monitors the integrity of
its third parties.

9. Has the Company (or any person or entity listed in this questionnaire) ever been barred
from competing for government contracts in any country?

If Yes, please provide details.

COMPETITION
NO QUESTIONS RESPONSE

1. a) Is the Company aware of the competition law in its respective jurisdiction?

b) Does the Company provide competition law training for all its employees including
its management?

c) Does the Company have:

i) a written competition law manual;


ii) a written meeting protocol;
iii) a written raid protocol; and/or
iv) a policy and process for reporting anti-competitive conduct/activities if
discovered?

If Yes, does the Company disseminate the above to all its employees?


2. Has the Company ever been the subject of any convictions or prosecutions, or is it the
subject of any ongoing investigations by a public authority (e.g. Malaysia Competition
Commission), in relation to competition or anti-trust laws?

If Yes, please provide details.

SANCTIONS & EXPORT CONTROL


NO QUESTIONS RESPONSE

1. Is the Company or any of its affiliates incorporated, located within or operating from
any countries subject to Comprehensive Sanctions?

If yes, please specify.

Definitions:

“Sanctions” means all laws or regulations concerning economic sanctions (including


embargoes, export restrictions, restrictions on the ability to make or receive
international payments, freezing or blocking of assets of targeted Persons, or the ability
to engage in transactions with or involving specified Persons or countries, or any laws
or regulations threatening to impose economic sanctions on any Person for engaging in
targeted behaviour) of any jurisdictions including –
(a) the United Nations;
(b) Malaysia;
(c) the European Union;
(d) the United Kingdom (including those administered by HM Treasury);
(e) the United States (including those administered by the Office of Foreign
Assets Control of the Department of the Treasury, the Bureau of Industry
and Security of the Department of Commerce, or the Department of State);

“Country Subject to Comprehensive Sanctions” as at June 2018:


(a) Cuba;
(b) Iran;
(c) Venezuela;
(d) North Korea;
(e) Syria; and
(f) Crimea Region.

“Person” means any natural person, corporation, limited liability company, trust, joint
venture, association, company, partnership, Governmental Authority or other entity.

2. Is the Company or any of its affiliates engaged in transactions, investments, business
or other dealings that directly or indirectly involve or benefit any countries subject to
Comprehensive Sanctions or any person or entity which is the target or subject of any
Sanctions?

If yes, please specify.

3. Are any of the goods and/or services that will be supplied an item subject to export
control, such as the controls as prescribed under Strategic Trade Act 2010, the U.S
Export Administration Regulations or any other similar export control laws?

4. Has the Company ever been the subject of any convictions or prosecutions, or is it the
subject of any pending investigations by a public authority, in relation to economic
sanctions & export control regulations?

If yes, please provide details.

DATA PROTECTION
PART I: GENERAL CHECKLIST
NO QUESTIONS RESPONSE
1. Is the Company providing personal data processing services to PETRONAS or carrying
out personal data processing activities for and on behalf of PETRONAS?

Examples of personal data processing services:


• payroll management services,
• data centre / cloud storage services,
• development of new software or technology which involves processing or storage
of personal data,
• business process outsourcing services such as call centre services,
• marketing agents,
• any other services which involve processing or handling of personal data for and
on behalf of PETRONAS.

Definitions:
“Processing” is to be understood broadly to mean any operation or set of operations
which is performed on personal data or on sets of personal data, whether or not by
automated means, such as collection, recording, organisation, structuring, storage,
adaptation or alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination, restriction,
erasure or destruction.

“Personal data” means any information relating to an identified or identifiable natural


person (“data subject”); an identifiable natural person is one who can be identified,
directly or indirectly, in particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to one or more factors
specific to the physical, physiological, genetic, mental, economic, cultural or social
identity of that natural person.

“Data processor” means a natural or legal person, public authority, agency or other
body which processes personal data on behalf of the data user / data controller; “data
user” or “data controller” means the natural or legal person, public authority, agency
or other body which, alone or jointly with others, determines the purposes and means
of the processing of personal data.

DATA PROTECTION
PART II: DETAILED CHECKLIST
to be answered if the answer to Part I above is “yes” and the transactions involve large scale processing of personal data
i.e. processing personal data beyond or in addition to the processing of employees’ personal data for the mere purpose
of execution and performance of the contract
NO QUESTIONS RESPONSE

1. Is there personal data protection law in place in your country?

If yes, what are the laws that govern personal data protection and enforcement in your
country?

Descriptions:
For example:
• In the European Union, the EU General Data Protection Regulation (GDPR);
• In the United Kingdom, the Data Protection Act 2018 (superseding the Data
Protection Act 1998);
• In Malaysia, the Personal Data Protection Act 2010;
• In Singapore, the Personal Data Protection Act 2012.

2. If yes, does the personal data protection law in the country accord at least an equivalent
(or more stringent) level of protection in relation to the processing of personal data as
compared to Malaysian personal data protection laws (i.e. the Malaysian Personal Data
Protection Act 2010)?

Descriptions:
For ease of reference, Malaysian PDPA generally provides for the following principles:
(i) adequate consent to be obtained from data subjects;
(ii) data subjects must be given notice and information in respect of the processing
of their personal data;
(iii) personal data must not be disclosed to third parties unless with consent or if
exempted by the law;
(iv) personal data must be kept secure and protected;
(v) personal data can only be retained for the period necessary to fulfil the relevant
purposes;
(vi) personal data must be kept accurate, complete and up-to-date;
(vii) data subjects must be given the right to access and correct their personal data.

3. Has the Company ever been the subject of any convictions or prosecutions, or is it the
subject of any pending investigations by a public authority, in relation to personal data
protection laws?

If yes, please provide details of such convictions, prosecutions, or investigations.

Descriptions:

Examples would include investigations instituted or carried out by the data protection
regulator, compounds issued by the data protection regulator, or even prosecution
instituted by the data protection regulator in respect of non-compliance or breach of
the applicable data protection laws.

4. Has the Company conducted an information audit to map data flows?

Descriptions:
Data mapping is the process of identifying the types of personal data processed, and
location(s) in which the identified personal data is stored, to which other internal and
external entities the personal data is transferred to, and other relevant criteria.
5. Does the Company document what personal data it holds, where it came from, who the
Company shares it with and what the Company does with it?

Descriptions:
Essentially whether the Company has developed and maintained a data inventory or
register which include details such as:

• name and contact details of the data controller and any joint data controller,
representatives and DPO;
• the purpose(s) of the processing;
• description of categories of data subjects and personal data;
• categories of recipients of personal data;
• details of transfers to third parties;
• time limits for erasure of different categories of data; etc.

6. Does the Company have an appropriate personal data protection policy? If yes, please
provide a copy of the policy for Company’s consideration.

Descriptions:
This refers to the policy which the Company has developed and implemented to
regulate processing of personal data within the Company, and to ensure the Company
is in compliance with the applicable data protection laws.

Generally, a company’s data protection policy would address the following:

• Roles and responsibilities of senior management, data protection officer /


committee (if any), employees and staff, in respect of processing personal data;
• Processing and handling of different types of personal data, such as customer data,
employee data, third parties’ data, etc;
• Technical and organisational security measures in order to protect and secure
personal data;
• Handling transfers of personal data to third parties;
• Responding to data subjects’ rights (e.g. access and correction to personal data);
• Data storage periods;
• Etc.

7. Does the Company have a data protection lead or Data Protection Officer (DPO)?

Descriptions:
Data protection officers are generally officers within the companies made responsible
for overseeing data protection strategy and implementation to ensure compliance with
the requirements of the applicable data protection laws.

Under certain data protection laws (e.g. GDPR), DPO is a mandatory requirement.
8. Has the Company implemented adequate technical and organisational security
measures in order to protect and secure personal data from loss, misuse, unauthorised
or accidental access or disclosure (whether processed electronically or non-
electronically)? If yes, please provide details or copy of policy.

Descriptions:
Adequate technical and organisational security measures shall be based on the
requirements of the applicable data protection laws to the Company.

Security measures must consider both personal data processed electronically as well as
those processed non-electronically.
9. Is the Company currently accredited or certified in respect of its information security,
cybersecurity, or data privacy practices? (e.g. ISO 27001 certification, or such other
information security certification standard)

Descriptions:
Examples:
• ISO 27001 information security certification
• Certified Information Systems Security Professional (CISSP)

10. Does the Company provide personal data protection awareness training for all staff?

11. With regards to engaging sub-processor(s), does the Company ensure that there is a
contract in place with the sub-processor(s) and to include equivalent personal data
protection obligations?

12. With regards to engaging sub-processor(s), does the Company have any program
designed or implemented to ensure the compliance of sub-processor(s) (e.g. regular
audit processes and procedures to be carried out on the Company’s sub-processor(s))?

13. Does the Company have effective processes in place to identify and report any personal
data breaches to your data user / data controller or relevant authorities?

Descriptions:
Company should have processes in place to detect and monitor any data breaches
which occur in its systems which store personal data for and on behalf of PETRONAS.

14. Does the Company have a process to respond to a data user / data controller's (in this
case, PETRONAS’) request for information following the individuals' or data subjects’
request to access their personal data?

Descriptions:
Company must be able to comply with specific requests from PETRONAS to access and,
where required, to correct personal data held for and on behalf of PETRONAS.

15. Does the Company have processes in place to ensure that the personal data the
Company holds remains accurate and up to date?

Descriptions:
Company will need to ensure it has processes in place to allow for updating or
corrections to personal data held for and on behalf of PETRONAS.

16. Does the Company have a process in place to routinely and securely dispose of personal
data that is no longer required, in line with the agreed timescales as stated in your
contract with the data user / data controller?

Descriptions:
Disposal here refers to destruction or permanent deletion of personal data, or where
permissible, anonymization of personal data.

17. Does the Company have procedures in place to respond to a data user’s / data
controller’s (in this case, PETRONAS’) request to limit or suppress the processing of
specific personal data?

Descriptions:
The Company may be required to limit, restrict processing of personal data or even to
remove specific personal data held for and on behalf of PETRONAS.

HUMAN RIGHTS

NO QUESTIONS RESPONSE

1. Does the Company have any statement / commitment on human rights?

2. Does the Company provide human rights awareness training to employees?


3. Does the Company have a grievance mechanism for employees and are the
employees aware of the grievance mechanism?

Definition

“grievance mechanism” means a non-judicial process through which grievances can


be raised and remedy can be sought by aggrieved party in a timely, fair and consistent
manner.

4. Is the Company aware of the PETRONAS Human Rights Commitment and its
obligations?

Document Checklist

No. Documents to be Submitted Yes/ No Remarks

1 Completed and signed KYC Questionnaire Form


(Section A, Section B and Section C)
2 Certified copy of Business Registration Certificate/ Certificate of
Incorporation
3 Memorandum and Article of Association
4 Shareholding Structure – Diagram of Shareholding Structure
5 Annual Report/ Company Profile – Latest
6 Certified Copy of audited Financial Statement for most recent last
three (3) years, including Director’s report/ Auditor’s report/ Note
to the Financial Statements with Disclosure of Commitment &
Contingent Liability
7 Referral Letter from the Bank stating type and amount of credit
facility
8 Bank Statements for most recent last six (6) months
9 Certified copy of relevant license, registration as mentioned in
Section B (if any)
10 Ownership/ Lease Agreement on Properties/ Facilities/
Infrastructure (if any)
11 CV of Key Personnel for intended project (if relevant)
12 Data Protection Policy (if any)
13 BNM Residency Document
14 Other supporting documents (if any)

Note:

1. All documents sourced from outside of Malaysia must be in English. Should the original document not be in
English, please provide a certified translation of the original.
2. PETRONAS personnel may request further clarification and additional document(s) during the registration
process. Please ensure the contact person(s) given in Section A is the person in charge of this application and
related matters.

Notice of Disclosure

Personal Data Protection Act 2010 (“PDPA 2010”)

Pursuant to the enforcement of PDPA 2010, we hereby wish to give this notice and seek your consent on the processing
of your personal data as well as to give an assurance of our commitment to ensure that your data is securely processed,
kept and not used or disclosed for any other purpose than the commercial dealings we have with you. The contact to
whom written requests for access to personal data or correction and/or deletion of personal data or for information
regarding policies and procedures and types of personal data handled by us can be made to the following:

PETRONAS Contact Person

Name: Maz Zafirah Zainuddin

Email Address: [email protected]

Certification

By signing this document, the undersigned, being duly authorized to complete this questionnaire, hereby certify the
following:

o Declares that he/she has, or has obtained from the relevant authority, the proper mandate and authority to
disclose such information;
o Consents to the processing of such information for the purpose described in the Notice of Disclosure;
o Acknowledges that the processing of such information may be conducted by a third party on behalf of
PETRONAS which may occur in another country than the country of disclosure; and
o Represents that the information provided in this document is, to the best of his/her knowledge, accurate,
current and complete as of the date of disclosure.

For and on behalf of (INSERT COMPANY NAME)

Signed by the authorized representative of the company:

Signature

Date
Name
Designation
