What are the PDPA 7 Key Factors
A summary of the seven key things you should know about the PDPA is as follows:
1: Personal data
‘Personal data’ means any information in respect of commercial transactions that is:
- being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;
- recorded with the intention that it should wholly or partly be processed by means of such equipment; or
- recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,
and that in each case relates directly or indirectly to a data subject who is identified or identifiable from that information, or from that and other information in the possession of a data user. Personal data includes any sensitive personal data or expression of opinion about the data subject. Personal data does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010.
‘Sensitive personal data’ means any personal data consisting of information as to the physical or mental health or condition of a data subject, his or her political opinions, his or her religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him or her of any offense, or any other personal data as the Minister of Communications and Multimedia (Minister) may determine by published order. Other than the categories of sensitive personal data listed above, the Minister had not published any other types of personal data to be sensitive personal data as of December 20, 2019.
2: Collection and processing
Under the PDPA, subject to certain exceptions, data users are generally required to obtain a data subject’s consent for the processing (which includes collection and disclosure) of his or her personal data. Where consent is required from a data subject under the age of eighteen, the data user must obtain consent from the parent, guardian or person who has parental responsibility for the data subject. The consent obtained from a data subject must be in a form in which it can be recorded and maintained properly by the data user.
Malaysian law contains additional data protection obligations, including, for example, a requirement to notify data subjects of the purpose for which their personal data are collected and a requirement to maintain a list of any personal data disclosures to third parties.
On December 23, 2015, the Commissioner published the Personal Data Protection Standard 2015 (“Standards”), which set out the Commissioner’s minimum requirements for processing personal data. The Standards include the following:
- Security Standard For Personal Data Processed Electronically
- Security Standard For Personal Data Processed Non-Electronically
- Retention Standard For Personal Data Processed Electronically And Non-Electronically
- Data Integrity Standard For Personal Data Processed Electronically And Non-Electronically
The Personal Data Protection Committee will be established to set out further sub-regulations and protect the rights of data subjects. Any entity collecting, using, disclosing and/or transferring personal data will be required to comply with the PDPA as a data controller and/or a data processor (which have different roles and obligations).
3: Data Transfer
Under the PDPA, a data user may not transfer personal data to jurisdictions outside of Malaysia unless that jurisdiction has been specified by the Minister. However, there are exceptions to this restriction, including the following:
- The data subject has given his or her consent to the transfer.
- The transfer is necessary for the performance of a contract between the data subject and the data user.
- The data user has taken all reasonable steps and exercised all due diligence to ensure that the personal data will not be processed in a manner that would contravene the PDPA.
- The transfer is necessary to protect the data subject’s vital interests.
4: Data Security
Under the PDPA, data users have an obligation to take ‘practical’ steps to protect personal data, and in doing so must develop and implement a security policy. The Commissioner may also, from time to time, set out security standards with which the data user must comply, and the data user is required to ensure that its data processors comply with these security standards.
In addition, the Standards provide separate security standards for personal data processed electronically and for personal data processed non-electronically (among others), and require data users to have regard to the Standards in taking practical steps to protect personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction.
5: Data Breach Notification
There is no requirement under the PDPA for data users in Malaysia to notify authorities of data breaches. However, news reports dated October 5, 2018 suggest that Malaysia’s laws could be updated to include data breach notification requirements modeled after those under the European Union’s General Data Protection Regulation (GDPR), including a requirement to give notice to government authorities.
6: Enforcement
Under the PDPA, the Commissioner is empowered to implement and enforce the personal data protection laws and to monitor and supervise compliance with the provisions of the PDPA. Under the Personal Data Protection Regulations 2013, the Commissioner has the power to inspect the systems used in personal data processing, and the data user is required, at all reasonable times, to make those systems available for inspection by the Commissioner or any inspection officer. The Commissioner or the inspection officers may require the production of the following during an inspection:
- The record of the consent from a data subject maintained in respect of the processing of that data subject’s personal data by the data user
- The record of required written notices issued by the data user to the data subject
- The list of personal data disclosures to third parties
- The security policy developed and implemented by the data user
- The record of compliance with data retention requirements
- The record of compliance with data integrity requirements, and
- Such other related information as the Commissioner or any inspection officer deems necessary
Violations of the PDPA and of certain provisions of the Personal Data Protection Regulations 2013 are punishable with criminal liability. The prescribed penalties include fines, imprisonment or both. Directors, CEOs, managers or other similar officers will have joint and several liability for non-compliance by the body corporate, subject to a due diligence defense.
7: Data Subject Rights
- Rights to access information
Under the Access Principle, data subjects are given a right to access their personal data. A request for access must be complied with within 21 days of receipt of the request. A reasonable fee may be imposed by the data user for access requests, with the maximum fee fixed under the Personal Data Protection (Fees) Regulations 2013. There is a range of exceptions to this right, including where compliance would result in disproportionate expense.
- Rights to data portability
The PDPA does not accord data portability rights. However, under the Access Principle, a data subject who has requested access to his personal data being processed by a data user is entitled to be provided with a copy of that personal data in an intelligible form.
- Right to be forgotten
There is no specific right in the PDPA for data subjects to have their data erased. However, a data subject has the right to withdraw consent for the processing of his personal data.
- Objection to direct marketing and profiling
The PDPA grants data subjects a specific right to prevent processing for the purposes of direct marketing. Direct marketing under the PDPA means “communication by whatever means of any advertising or marketing material which is directed to particular individuals”.
- Other rights
Under the Access Principle, data subjects also have a right to have their personal data corrected.
Who is required to register under the PDPA
Currently, the PDPA requires the following classes of data users to register under the PDPA:
- A licensee under the Communications and Multimedia Act 1998
- A licensee under the Postal Services Act 2012
Banking and financial institutions:
- A licensed bank and licensed investment bank under the Financial Services Act 2013
- A licensed Islamic bank and licensed international Islamic bank under the Islamic Financial Services Act 2013
- A development financial institution under the Development Financial Institution Act 2002
- A licensed insurer under the Financial Services Act 2013
- A licensed takaful operator under the Islamic Financial Services Act 2013
- A licensed international takaful operator under the Islamic Financial Services Act 2013
- A licensee under the Private Healthcare Facilities and Services Act 1998
- A holder of the certificate of registration of a private medical clinic or a private dental clinic under the Private Healthcare Facilities and Services Act 1998
- A body corporate registered under the Registration of Pharmacists Act 1951
Tourism and hospitality:
- A licensed person who carries on or operates a tourism training institution, licensed tour operator, licensed travel agent or licensed tourist guide under the Tourism Industry Act 1992
- A person who carries on or operates a registered tourist accommodation premises under the Tourism Industry Act 1992
- Certain named transportation services providers
- A private higher educational institution registered under the Private Higher Educational Institutions Act 1996
- A private school or private educational institution registered under the Education Act 1996
- A licensee under the Direct Sales and Anti-Pyramid Scheme Act 1993
- A company registered under the Companies Act 1965 or a person who entered into partnership under the Partnership Act 1961 carrying on business as follows:
  2: A company registered under the Companies Act 1965 or a person who entered into partnership under the Partnership Act 1961, who conducts retail dealing and wholesale dealing as defined under the Control Supplies
  3: A company registered under the Companies Act 1965 or a person who entered into partnership under the Partnership Act 1961, who carries on the business of a private employment agency under the Private Employment Agencies Act 1981
- A licensed housing developer under the Housing Development (Control and Licensing) Act 1966
- A licensed housing developer under the Housing Development (Control and Licensing) Enactment 1978, Sabah
- A licensed housing developer under the Housing Developers (Control and Licensing) Ordinance 1993, Sarawak
- Certain named utilities services providers
- A licensee under the Pawnbrokers Act 1972
- A licensee under the Moneylenders Act 1951
What is the Scope of the PDPA
The Malaysian Personal Data Protection Act 2010 (“the Act”) applies to any person who processes, has control over, or authorizes the processing of any “personal data” in respect of commercial transactions (a “data user”). The Act also applies to persons not established in Malaysia (for example, foreign companies) if they use equipment in Malaysia for the processing of personal data other than for the purposes of transit through Malaysia.
Are Data Protection Officers (DPOs) a Requirement
Currently, Malaysian law does not require data users to appoint a data protection officer. However, appointing one can enhance an organisation’s reputation on privacy matters.
What are the requirements of the PDPA
Under the Act, data users are required to comply with 7 Personal Data Protection Principles.
1. General: Personal data can only be processed with the data subject’s consent.
2. Notice and Choice: Data subjects must be informed by written notice of, among other things, the type of data being collected and the purpose, its sources, the right to request access and correction, and the choices and means by which the data subject can limit the processing of their personal data.
3. Disclosure: Personal data may not be disclosed without the data subject’s consent for any purpose other than that for which the data was disclosed at the time of collection, or to any person other than that notified to the data user.
4. Security: Data users must take practical steps to protect the personal data from any loss, misuse, modification or unauthorized access or disclosure, alteration or destruction.
5. Retention: Personal data shall not be kept longer than is necessary for the fulfillment of its purpose.
6. Data Integrity: Data users must take reasonable steps to ensure that personal data is accurate, complete, not misleading and kept up to date.
7. Access: Data subjects must be given access to their personal data and be able to correct any personal data that is inaccurate, incomplete, misleading or not up to date.
What are the penalties?
The Personal Data Protection Act 2010 (“PDPA”) is an Act that regulates the processing of personal data in regard to commercial transactions. It was gazetted in June 2010. The penalty for non-compliance is a fine of between RM100,000 and RM500,000 and/or imprisonment of between one and three years.
Relentless Malaysia PDPA Service: What’s Included?
Our PDPA Service Includes the Following
- PDPA Assessment
- Dedicated DPO
- Unlimited Support Calls
- Unlimited Email Support
- Data Mapping
- Record of Processing Activities
- Subject Access Request Service
- Data Risk Assessments
- Data Breach Support
- Data Protection Policy Writing
- PDPA Framework Design
- PDPA Privacy Maturity Gap Analysis and Remediation Report
Relentless: Your PDPA Partner of Choice
Relentless Privacy and Compliance Services provides quality, cost-effective compliance, assurance and global privacy maturity assessments to companies of all sizes. Unlike traditional compliance firms, we don’t have four or five layers of management. Through the use of technology and our centralized, streamlined structure, we are able to serve our clients in the timeliest manner and with the highest level of efficiency. And because of our unique model and approach, we are able to deliver this exceptional service at highly competitive rates.
We have 20+ years of compliance and assurance experience and are committed to providing a personalized and responsive service.
With a tailor-made approach, we work with our clients to execute each project to their specific needs and help maximize the long-term business value of their compliance and privacy assurance strategies, ensuring their global operations remain within the law.