Scratchathon 2025
Data Collection Notice
PDPA 2010 Compliance • Last updated: August 2025
NOTICE: This document explains how STEM Academy Sdn Bhd collects, uses, and protects personal data specifically for Scratchathon 2025 competition, in compliance with Malaysia's Personal Data Protection Act 2010 (PDPA).
1. Data Controller
STEM Academy Sdn Bhd (Company No. 1475422-X) is the data controller for all personal data collected through Scratchathon 2025 registration and submission processes.
2. Types of Personal Data Collected
Registration Data
| Category | Data Collected | Mandatory |
|---|---|---|
| Student Information | Full name, IC/Passport number, email, age, gender, race, phone number, school name, PPD area | Yes |
| Parent/Guardian Info (for participants under 18) |
Full name, IC/Passport number, email address, phone number | Yes |
| Teacher Information (optional) |
Full name, IC/Passport number, email address, phone number | No |
Submission Data
- Project Files: Scratch project files (.sb3)
- Project Information: Title, description, metadata
- Submission Records: Timestamps, file sizes, submission status
- Authentication Data: IC number and PIN for submission verification
System Data
- Technical Information: IP addresses, browser information, access logs
- Communication Records: Email correspondence, support tickets
- Event Data: Registration timestamps, submission times, competition participation
3. Purposes of Data Collection
Personal data is collected and processed for the following purposes:
Primary Purposes:
- Competition Administration: Registration processing, participant verification, competition management
- Communication: Sending registration confirmations, PINs, updates, and competition information
- Project Management: Receiving, storing, and evaluating project submissions
- Awards & Recognition: Identifying winners, preparing certificates, organizing award ceremonies
Secondary Purposes:
- Educational Showcase: Displaying winning projects in exhibitions and educational materials
- Statistical Analysis: Generating anonymized reports on participation demographics
- Future Communications: Informing participants about future competitions and educational opportunities
- Legal Compliance: Meeting regulatory requirements and resolving disputes
4. Data Sharing & Disclosure
Personal data may be shared with:
Internal Sharing:
- Competition Team: Judges, organizers, and technical staff involved in competition management
- Educational Partners: Schools and educational institutions for participant verification
- Award Partners: Organizations involved in prize distribution and recognition
External Sharing:
- Government Agencies: Ministry of Education, state education departments (as required)
- Service Providers: Email service providers, web hosting, technical support
- Legal Authorities: When required by law or court order
Important: We do NOT sell, rent, or commercialize participant personal data to third parties.
5. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Registration Data | 3 years | Competition records, future invitations |
| Project Submissions | 5 years | Educational showcase, portfolio reference |
| Communication Records | 2 years | Support and dispute resolution |
| System Logs | 1 year | Security and technical analysis |
6. Participant Rights (PDPA 2010)
Under Malaysia's Personal Data Protection Act 2010, you have the right to:
Access Rights:
- Data Access: Request information about personal data we hold
- Data Correction: Request correction of inaccurate or incomplete data
- Processing Information: Understand how your data is being processed
Control Rights:
- Consent Withdrawal: Withdraw consent for data processing (with limitations)
- Data Limitation: Request limitation of data processing
- Objection Rights: Object to certain types of data processing
Note: Some rights may be limited during active competition participation to ensure fair competition administration.
7. Data Security Measures
- Technical Safeguards: Encrypted data transmission, secure servers, access controls
- Administrative Controls: Staff training, data handling procedures, regular security reviews
- Physical Security: Secure facilities, controlled access to systems and documents
- Backup Procedures: Regular data backups with encryption and secure storage
8. Parental Consent
For participants:
- Parental/guardian consent is required for registration
- Parents have the right to access and correct their child's data
9. Data Breach Notification
In the unlikely event of a data breach that may affect participant personal data:
- Immediate Response: We will take immediate steps to secure affected systems and limit breach impact
- Authority Notification: Relevant authorities will be notified within 72 hours as required by PDPA
- Participant Notification: Affected participants and parents will be notified within 7 days via email
- Remedial Actions: Information about steps being taken and recommended actions for participants
- Support: Dedicated support channel for breach-related queries
Limitations on Rights:
- Some rights may be limited during active competition participation
- Legal obligations may require retention of certain data
- Legitimate interests in maintaining competition integrity
- Technical limitations in data portability
10. Updates to This Notice
This Data Collection Notice may be updated to reflect changes in:
- Competition requirements and processes
- Legal and regulatory requirements
- Data processing technologies and methods
- Organizational policies and procedures
Significant changes will be communicated via email and website updates.
Data Protection Contacts
For Data Protection Queries:
- Email: admin@stemacademy.edu.my
- Subject: "PDPA - Scratchathon Data Request"
- Response Time: Within 21 days as required by PDPA
For Competition Queries:
- Email: admin@stemacademy.edu.my
- Telegram: @scratchathon
- Website: Scratchathon 2025
Company Information:
STEM Academy Sdn Bhd (1475422-X)
Level 2, Lot 16, Block A1, Saradise Kuching
Jalan Stutong, 93350 Kuching, Sarawak