General Overview on PDPA Compliance in Malaysia

In Malaysia, data protection is governed under the Personal Data Protection Act 2010 (“PDPA”). Under Section 2 of the PDPA, any person, company, partnership, or association who processes and has control over or authorizes the processing of any personal data in respect of commercial transactions in Malaysia is required to adhere to the PDPA (“data users”).

The PDPA applies specifically to the processing of personal data for commercial transactions, and it establishes seven principles that data users must adhere to. Its purpose is to protect the personal data of individuals and regulate the collection, processing, and safekeeping of such data by organizations or individuals.

This article aims to explore the set of principles that data users must adhere to under the PDPA.

General Principle

The General Principle stated under Section 6 of the PDPA requires data user to ensure that the collection of personal data to be consented by the individuals. Additionally, it prohibits the processing of personal data that is unrelated to the organization’s operations and emphasizes that the data processed should not be excessive.

Notice and Choice Principle

The Notice and Choice Principle under Section 7 of the PDPA requires for data users to prepare written notices in both the Malay and English languages. These notices should provide information about how the personal data, to which individuals have given their consent, will be processed, along with a summary of the collected data. The notice must also be given immediately when the personal data is first requested by the data users or when the personal data is first gathered, utilized or disclosed to a third party by the data users.

Disclosure Principle

The Disclosure Principle under Section 8 of the PDPA requires data users to obtain consent for disclosure of personal data that is other than the consented purpose or to any third party other that the individuals consented to at the time of collection.

Security Principle

The Security Principle under Section 9 of the PDPA is imposed on data users to ensure that necessary actions are taken to prevent leakage of personal data as well as any loss, misappropriation, modification, illegal or unintentional access, disclosure, alteration or destruction during the processing of data. Data users must guarantee that appropriate assurances regarding data processing, encompassing technological and security measures, are diligently complied with.

Retention Principle

The Retention Principle under Section 10 of the PDPA requires for data users to be responsible and take measures in destroying or removing personal data that are no longer needed for the purpose of which it was consented to and to not be kept longer than is appropriate for the reason for which it was collected.

Data Integrity Principle

The Data Integrity Principles under Section 11 of the PDPA requires data users to ensure that all personal data collected in relation to its purpose are correct, complete, non- deceptive and up-to-date.

Access Principle

The Access Principle under Section 12 of the PDPA states that data supplied to data users may be accessed by individuals who supplied the information and in the event of incorrect, incomplete, misleading or obsolete information, request for a data correction. It is however can be refused by data users if the request falls within the ambit of Section 32 of the PDPA.

Cross-Border Data Transfer

The PDPA states that data user may not transfer personal data to jurisdictions outside of Malaysia that is not specified by the Minister except if the transfer has been consented by the subject was necessary for the performance of contract, the transfer is necessary to protect the subject’s interest. In such instances, the data user must take all reasonable steps and exercise due diligence to ensure that the personal data will not contravene the PDPA. In practice, it as common that data users will insert clauses pertaining to disclosure of information to the affiliates and third party in relation to the transaction and company.

Conclusion

The case of Genting Malaysia Bhd v Pesuruhjaya Perlindungan Data Peribadi & Ors has indicated that the right of privacy of an individual needed to be safely guarded and not even the authority may act irrationally and in ultra vires on obtaining information from corporations are businesses in obtaining personal information without adhering to the permitted disclosures under the PDPA. The PDPA that was passed by the Malaysian Parliament on 2010 and came into force on 2013 is expected to be presented in Parliament for its amendment before the end of this year. It is said that the amendment would impose requirement for mandatory notification of companies or data users to Personal Data Protection Department as well as increasing fines or penalties against data users found to be misusing data. In addition, in order for the PDPA to not become obsolete, the General Code of Practice has been introduced as well as the Code of Practice for Takaful and Banking.

Author: Aryn Rozali

Published Date: 19 May 2023

References:

[1] Fahmi, Amendment to Personal Data Protection Act to be tabled in Parliament by year end. https://www.malaymail.com/news/malaysia/2023/01/25/fahmi-amendments-to-personal
data-protection-act-to-be-tabled-in-parliament-by-year-end/51871

[2] Personal Data Protection Act 2019

[3] General Code of Practice

[4] Public Bank Berhad v Tan Teck Seng Jason &
Anor [2021] MLJU 92

[5] Genting Malaysia Bhd v Pesuruhjaya Perlindungan Data Peribadi & Ors [2022] 11 MLJ 898