The Personal Data Protection Act 2010 (“PDPA”).
Entry into force
The PDPA came into force on 15 November 2013.
Details of the competent national supervisory authority
Personal Data Protection Commissioner (“PDP Commissioner”)
Aras 6, Kompleks Kementerian Komunikasi dan Multimedia
Lot 4G9, Persiaran Perdana, Presint 4
Pusat Pentadbiran Kerajaan Persekutuan
62100 Putrajaya
Malaysia
www.pdp.gov.my
Notification or registration scheme and timing
Data users that fall under any one or more of the classes specified in the Personal Data Protection (Class of Data Users) Order 2013 (“Order”) are required to register with the PDP Commissioner. The relevant classes include banking and financial institutions, insurers, healthcare service providers, airline operators and utilities service providers.
Applications for registration may be made via a designated website (https://daftar.pdp.gov.my/p_register).
Exemptions to notification
No. There are no exemptions from registration for data users who fall under any one or more of the classes prescribed in the Order. However, only data users who fall within one or more of those classes are required to register; all other data users need not register.
What is the territorial scope of application?
The PDPA applies to data users if they are: (i) established in Malaysia (regardless of whether or not the personal data is processed in the context of that establishment); or (ii) not established in Malaysia, but use equipment in Malaysia to process the personal data otherwise than for the purposes of transit through Malaysia.
Is there a concept of a controller and a processor?
The PDPA uses the term “data user”, a concept similar to a controller. A data user is defined in the PDPA as a person who either alone or jointly or in common with other persons processes any personal data or has control over or authorises the processing of any personal data, but does not include a processor.
Only data users are required to comply with the Personal Data Protection Principles. The Personal Data Protection Principles do not directly apply to processors.
Are both manual and electronic records subject to data protection legislation?
Yes. The PDPA applies to both electronic records and records in a structured filing system.
Are there any national derogations?
The PDPA only protects personal data that is used in connection with commercial transactions. Personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs, including recreational purposes, is exempt from the provisions of the PDPA.
The PDPA does not apply to the Federal Government (i.e. the government of Malaysia) and State Governments (i.e. governments of states within Malaysia).
There are also exemptions from the application of certain Personal Data Protection Principles in certain circumstances, namely personal data processed: (i) for the prevention or detection of crime or for the purpose of investigations; (ii) for the apprehension or prosecution of offenders; (iii) for the assessment or collection of any tax or duty or any other imposition of a similar nature; (iv) in relation to information regarding the physical or mental health of a data subject, where application of the provisions to the data subject would be likely to cause serious harm to the physical or mental health of the data subject or any other individual; (v) to prepare statistics or carry out research, provided that such personal data is not processed for any other purpose and that the resulting statistics or the results of the research are not made available in a form which identifies the data subject; (vi) where necessary for or in connection with any order or judgment of a court; (vii) to discharge regulatory functions, if the application of those provisions to the personal data would be likely to prejudice the proper discharge of those functions; and (viii) only for journalistic, literary or artistic purposes, provided that the processing is undertaken with a view to the publication by any person of the journalistic, literary or artistic material, the publication would be in the public interest, and compliance with the provision in respect of which the exemption is claimed is incompatible with the journalistic, literary or artistic purposes.
What is personal data?
Personal data is defined as information that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, and includes any sensitive personal data and expressions of opinion about the data subject.
Is information about legal entities personal data?
No. However, as no guidelines have been issued on what constitutes personal data, information regarding sole or individual proprietors and individual partners may be considered to be personal data, since it relates to identifiable individuals.
What are the rules for processing personal data?
In order to legitimately process personal data, the seven Personal Data Protection Principles must be complied with.
Under the General Principle, in order for personal data to be processed, a data user must first seek and obtain the consent of the data subject. Alternatively, the processing must be necessary: (i) for the purposes of a contract with the data subject; (ii) for the taking of steps at the request of the data subject with a view to entering into a contract; (iii) for compliance with any legal obligation to which the data user is subject, other than an obligation imposed by a contract; (iv) in order to protect the vital interests of the data subject; (v) for the administration of justice; or (vi) for the exercise of any functions conferred on any person by or under any law. This principle also states that a data user may only process the personal data for purposes connected to the purpose for which the personal data was provided to the data user, and that the processing should be adequate and not excessive in relation to the purpose of processing.
Data subjects also have a right under the PDPA to withdraw their consent to the processing of personal data by a data user.
The Disclosure Principle states that personal data of a data subject cannot be disclosed to any third party without the knowledge and consent of the data subject. Under the Data Integrity Principle, a data user must take reasonable steps to ensure that personal data processed is accurate, complete, not misleading, and up-to-date. The Retention Principle obliges a data user not to keep personal data for any longer than is required.
Data users are also subject to the Notice and Choice Principle, Security Principle and Access Principle, which are discussed in further detail below.
The PDPA contains a number of exemptions including exemptions for processing for personal purposes, journalistic purposes and judicial purposes.
Are there any formalities to obtain consent to process personal data?
No, the PDPA does not define “consent”, nor does it prescribe any formalities in terms of the consent. However, the Personal Data Protection Regulations 2013 provide that the data user must keep a record of consents from data subjects.
Are there any special rules when processing personal data about children?
No. The PDPA does not have any special rules concerning the processing of personal data about children. However, the Personal Data Protection Regulations 2013 do state that when a data subject is under the age of eighteen years, the data user shall obtain consent to process the data subject’s personal data from the parent, guardian or person who has parental responsibility for the data subject concerned.
Are there any special rules when processing personal data about employees?
There is no specific provision in the PDPA governing processing of employees’ personal data. In this regard, the general provisions in the PDPA apply when processing employees’ personal data.
Note however that the PDPA specifically allows data users to process employees’ sensitive personal data without the employees’ explicit consent, if the processing is necessary for the purpose of the performance of rights or obligations conferred or imposed by law on the data user in connection with the employees’ employment.
What is sensitive personal data?
Sensitive personal data is defined as any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence, or any other personal data as the Minister responsible for personal data protection (currently the Minister of Communications and Multimedia) may determine. This definition differs slightly from the standard types of sensitive personal data.
Are there additional rules for processing sensitive personal data?
Yes. Sensitive personal data may only be processed with the explicit consent of the data subject, if the sensitive personal data has been made public by the data subject, or if the processing satisfies certain statutory conditions set out in the PDPA.
Those statutory conditions are that the processing is: (i) for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data user in connection with employment; (ii) in order to protect the vital interests of the data subject or another person, in a case where consent cannot be given by or on behalf of the data subject or the data user cannot reasonably be expected to obtain the consent of the data subject; (iii) in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld; (iv) for medical purposes and is undertaken by a healthcare professional or a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a healthcare professional; (v) for the purpose of, or in connection with, any legal proceedings; (vi) for the purpose of obtaining legal advice; (vii) for the purposes of establishing, exercising or defending legal rights; (viii) for the administration of justice; (ix) for the exercise of any functions conferred on any person by or under any written law; or (x) for any other purposes as the Minister thinks fit. Please note that the term “vital interests” is defined in the PDPA as “matters relating to life, death or security of a data subject”.
Are there additional rules for processing information about criminal offences?
Information about criminal offences committed or allegedly committed by a data subject would fall within the definition of “sensitive personal data” and would therefore be treated in the same manner as sensitive personal data.
Note also that where personal data is processed by a data user for (i) the prevention or detection of crime or for the purpose of investigation; (ii) the apprehension or prosecution of offenders; or (iii) the assessment or collection of any tax and duty or any other imposition of a similar nature, the data user is exempted from complying with the General Principle, the Notice and Choice Principle, the Disclosure Principle and the Access Principle.
Are there any formalities to obtain consent to process sensitive personal data?
The processing of sensitive personal data requires the “explicit consent” of the data subject. The PDPA does not define “consent” or “explicit consent”, nor does it prescribe any formalities in terms of the consent. However, as set out above, data users must keep a record of consents from data subjects.
When must a data protection officer be appointed?
There is currently no obligation for a data user to appoint a data protection officer.
What are the duties of a data protection officer?
Not applicable. As there is no obligation to appoint a data protection officer, the PDPA does not prescribe any duties for one.
Is there a general accountability obligation?
There is no express provision on general accountability obligation in the PDPA.
Are privacy impact assessments mandatory?
There is no statutory requirement under the PDPA to carry out privacy impact assessments.
Privacy notices
Under the Notice and Choice Principle, a data user must serve a written notice on the data subject. In this notice, the data user must describe, inter alia, the types of personal data collected, the purposes for which it is processed, the source of the personal data, and the class of third parties with whom the personal data may be shared. The notice must be in both the national language and English.
Rights to access information
Under the Access Principle, data subjects are given a right to access their personal data. A request for access must be complied with within 21 days of receipt of the request. A reasonable fee may be imposed by the data user for access requests, with the maximum fee fixed under the Personal Data Protection (Fees) Regulations 2013. There is a range of exceptions to this right, including where compliance would result in disproportionate expense.
Rights to data portability
The PDPA does not accord data portability rights. However, under the Access Principle, a data subject who has requested access to his personal data that is being processed by a data user is entitled to be provided with a copy of such personal data in an intelligible form.
Right to be forgotten
There is no specific right in the PDPA for data subjects to have their data erased. However, a data subject has the right to withdraw consent for the processing of his personal data.
Objection to direct marketing and profiling
The PDPA grants data subjects a specific right to prevent processing for the purposes of direct marketing. Direct marketing under the PDPA means “communication by whatever means of any advertising or marketing material which is directed to particular individuals”.
Other rights
Under the Access Principle, data subjects also have a right to have their personal data corrected.
Security requirements in order to protect personal data
There is a general requirement under the PDPA on security of personal data, which imposes an obligation on a data user to take practical steps to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.
The Personal Data Protection Standards 2015 (“PDP Standards”) issued by the PDP Commissioner also provide minimum requirements for data security in processing personal data electronically and non-electronically. This includes the requirement to provide user IDs and passwords for employees to access personal data, and to terminate the user IDs and passwords immediately when an employee is no longer handling data. Data users are also required to establish physical security procedures, such as storage of personal data in an appropriate location which is unexposed and safe from physical or natural threats and the provision of a closed-circuit camera at the site where data is stored (if necessary).
Specific rules governing processing by third party agents (processors)
A processor does not have direct obligations to comply with the PDPA. A data user would usually impose contractual obligations on the processor to process personal data in accordance with the requirements in the PDPA.
Note that where processing of personal data is carried out by a processor on behalf of a data user, the data user must ensure that the processor : (i) provides sufficient guarantees in respect of putting technical and organisational security measures in place to govern the processing of the personal data; and (ii) takes reasonable steps to ensure compliance with those measures.
Notice of breach laws
There are no obligations to notify in the event of a breach. However, data users may make voluntary notifications to the PDP Commissioner.
The PDP Commissioner has issued a Public Consultation Paper on the “Review of the Personal Data Protection Act 2010” on 14 February 2020. The paper includes a proposal to introduce obligations to report data breach incidents, the public consultation for which closed on 10 March 2020. However, as at the date of writing, there is no publicly available information pertaining to the current status of the consultation paper.
Restrictions on transfers to third countries
Yes. Transfers of personal data outside Malaysia may only be made to a place that has been specified by the Minister by notification in the Gazette. To date, no such places have been gazetted.
Alternatively, personal data can be transferred outside Malaysia if: (i) the data subject has given his consent to the transfer; (ii) the transfer is necessary for the performance of a contract between the data subject and the data user; (iii) the transfer is necessary for the conclusion or performance of a contract between the data user and a third party which is entered into at the request of the data subject or is in the interests of the data subject; (iv) the transfer is for the purpose of any legal proceedings, for the purpose of obtaining legal advice, or for establishing, exercising or defending legal rights; (v) the data user has reasonable grounds to believe that in all the circumstances of the case the transfer is for the avoidance or mitigation of adverse action against the data subject (and it is not practicable to obtain the data subject’s consent to the transfer, and if it were practicable to obtain such consent, the data subject would have given it); (vi) the data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not in that place be processed in a manner which would be in contravention of the PDPA; (vii) the transfer is necessary to protect the vital interests of the data subject; or (viii) the transfer is in the public interest in circumstances determined by the Minister.
Notification and approval of national regulator (including notification of use of Model Contracts)
No such notification or approval is required.
Use of binding corporate rules
No. Malaysia has yet to expressly recognise the use of binding corporate rules as a means to justify transborder dataflow.
Fines
A breach of the provisions of the PDPA can result in a range of fines and/or imprisonment. Some of the more important sanctions are set out below.
Failure to comply with the seven Personal Data Protection Principles is an offence punishable by a fine of up to 300,000 Malaysian Ringgit (approximately €58,000) and/or imprisonment for up to two years.
Breach of the restriction on transborder dataflow is an offence and can result in a fine of up to 300,000 Malaysian Ringgit (approximately €58,000) and/or imprisonment for up to two years.
Data users who fall under any one or more of the classes of data users stated in the Order, and who process personal data without registering themselves, commit an offence and may be liable to a fine of up to 500,000 Malaysian Ringgit (approximately €96,000) and/or imprisonment for up to two years.
The PDPA contains a prohibition against: (i) the collection or disclosure of personal data held by a data user; and (ii) procuring the disclosure to another person of personal data held by a data user, without the consent of the said data user. Breach of this prohibition is an offence punishable by a fine of up to 500,000 Malaysian Ringgit (approximately €96,000) and/or imprisonment for up to three years.
Imprisonment
As set out above, failure to comply with the PDPA can lead to imprisonment for up to three years.
Compensation
The PDPA does not explicitly give individuals a right to compensation in cases of a breach of the PDPA.
Other powers
The PDP Commissioner has wide enforcement powers, including power to do all things necessary or expedient for or in connection with the performance of his functions under the PDPA. Further, the PDP Commissioner may in writing authorise any appointed officer or any public officer to exercise the powers of enforcement under the PDPA.
The enforcement powers given to the PDP Commissioner and the authorised officers under the PDPA include, amongst others, the powers to: (i) search and seize (with or without warrant); (ii) be given access to computerised data; (iii) require production of computer, book, account, etc.; (iv) require attendance of persons acquainted with a case; (v) examine persons acquainted with a case; (vi) forfeit seized computers, books, accounts, etc.; and (vii) arrest without warrant any person who is reasonably believed to have committed or is attempting to commit an offence under the PDPA.
Practice
In 2020, the PDP Commissioner inspected the personal data systems of 30 data users. The PDP Commissioner’s approach to these inspections was focused more on creating awareness and on encouraging and guiding organisations on how to comply with the PDPA than on penalising non-compliance.
Note that certain offences under the PDPA (and relevant subsidiary legislation) may be subject to a compromise process (known as “compounding”) by the PDP Commissioner with the consent of the Public Prosecutor. If an offence is compounded, no prosecution is to be instituted in respect of the offence against the person to whom the offer to compound was made.
In 2020, the PDP Commissioner took enforcement action against a data user in the communications sector for contravening the Security Principle under the PDPA; the offence was compounded (in lieu of prosecution) for the sum of RM37,500 (approximately €8,200).
ePrivacy laws
There are no specific ePrivacy laws.