InsiderTAPS (9 December 2019)
Practical Guidance on Compliance with the Personal Data Protection Act 2010 ("PDPA")
Scope and application of PDPA
- Who does the PDPA apply to?
The PDPA applies to any person who processes, and has control over or authorizes the processing of, any personal data in respect of commercial transactions (i.e. a data user). In essence, the PDPA applies to the processing of personal data by persons established in Malaysia (regardless of whether or not the personal data is processed in the context of that establishment) and by persons who are not established in Malaysia but use equipment in Malaysia for processing the personal data otherwise than for the purposes of transit through Malaysia.
- Who is exempted from the PDPA?
The PDPA does not apply to government and credit reporting agencies under the Credit Reporting Agencies Act 2010. Personal data processed outside Malaysia (unless it is intended to be further processed in Malaysia) and personal data processed for the purpose of personal, family or household affairs, including recreational purpose, are also exempted from the PDPA.
- What is personal data?
“Personal data” is defined as any information in respect of commercial transactions, which is being processed or recorded for the purpose of processing or filing, that relates directly or indirectly to a data subject, and includes sensitive personal data. This includes name, NRIC number, residential address, phone number, email address and photo.
“Sensitive personal data” means any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence or any other personal data as the Minister may determine by order published in the Gazette.
Registration of data user
- Is there any registration requirement?
The PDPA requires a data user who belongs to any of the following classes of data users to be registered with the Personal Data Protection Commissioner (“Commissioner”):
- banking and financial institution;
- tourism and hospitalities;
- direct selling;
- real estate;
- pawnbroker; and
- How to apply for registration of data user?
Registration of a data user is done by filing an online application at the official website of the Personal Data Protection Department, accompanied by a registration fee ranging between RM100 and RM400, depending on the type of business.
- What is the validity period of registration?
The registration is valid for 24 months from the date the application is approved. Renewal of the registration must be made not later than 90 days before the expiry of the registration with the prescribed renewal fee.
Obligations of data user
- What are the practical steps recommended to be taken for compliance with the PDPA?
A data user should implement the key practical steps as outlined below as part of its PDPA compliance programme:
- appoint an employee of managerial level who has been well trained, to oversee data management and compliance with the PDPA, including handling requests, inquiries and complaints in respect of personal data;
- conduct a data protection audit of the data user's practices and procedures in relation to the processing of personal data to identify areas of non-compliance and potential non-compliance, and thereafter determine and formulate a corrective action plan to address and mitigate the risk of non-compliance identified and strengthen compliance with the PDPA;
- develop and implement a data protection policy, to be supplemented by a data security policy and a data retention policy, setting out the data user's obligations under the PDPA as well as the processes, procedures, standards and best practices in processing personal data, to enable employees to better understand and comply with the PDPA;
- create, if not already in place, or review, modify and update existing notices, policies, handbooks and standard forms to ensure they are in line with the PDPA;
- review and amend existing contracts to incorporate data protection clauses and ensure such clauses are in line with the PDPA;
- conduct data protection training to educate employees and raise awareness of the PDPA; and
- keep and maintain a record of (i) any application, notice, request or any other information relating to personal data that has been or is being processed; and (ii) all information and documentation relating to processing operations which are able to demonstrate compliance with the PDPA.
- When may personal data be processed?
Personal data may be processed upon the consent of a data subject who has been notified of the processing of the personal data. For sensitive personal data, explicit consent is required. Apart from relying on consent, personal data (including sensitive personal data) may be processed on the other bases specified in the PDPA.
- How may consent be obtained?
There is no specific form in which the consent must be obtained as long as such consent is capable of being recorded and maintained properly. Nonetheless, it is good practice to obtain express consent, for instance, by signing a consent form or ticking or clicking an opt-in box.
- What are the requirements for data protection notice?
The notice must be in writing, in Malay and English language, containing the following information relating to the processing of personal data:
- that personal data of the data subject is being processed by the data user and a description of the personal data;
- the purposes for which the personal data is being or is to be collected and further processed;
- the sources of the personal data;
- the data subject’s right to request access to and to request correction of the personal data and how to contact the data user with any inquiries or complaints in respect of the personal data;
- the class of third parties to whom the data user discloses or may disclose the personal data;
- the choices and means the data user offers the data subject for limiting the processing of personal data;
- whether it is obligatory or voluntary for the data subject to supply the personal data; and
- where it is obligatory for the data subject to supply the personal data, the consequences for the data subject if he fails to supply the personal data.
- Is there any restriction to disclose personal data to third party?
Personal data may not be disclosed for any purpose, or to any party, other than the purpose or party made known to the data subject at the time of collection of the personal data, unless further consent is obtained. Apart from relying on consent, disclosure of personal data is permitted on the other bases specified in the PDPA.
- Where a data processor is engaged to process personal data on behalf of data user, what are the measures required to be in place to ensure data security?
Whilst a data processor is not subject to direct obligations and responsibilities under the PDPA, the data user must enter into a contract to bind the data processor in respect of its operating and data processing activities. In this connection, the data user must ensure that the data processor provides sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out, and must take reasonable steps to ensure compliance with those measures.
- How long may personal data be retained? When should it be disposed of?
Personal data must not be kept longer than is necessary for the fulfilment of the purposes for which it was to be processed. It must be destroyed or permanently deleted if it is no longer required. There is no specific retention period or destruction timeline under the PDPA for the storage of personal data; this may be subject to requirements under other legislation such as employment laws, company laws and tax laws, which may require personal data to be retained for a specific period of time.
- Is there any restriction to transfer personal data outside Malaysia?
Personal data may not be transferred outside Malaysia unless to places specified by the Minister and published in the Gazette, or on the other bases specified in the PDPA, such as upon the consent of the data subject. The Commissioner on 4 May 2017 issued a public consultation paper setting out whitelist places to which personal data may be transferred, but it has yet to come into force. For more information on the proposed whitelist places, please see: https://www.taypartners.com.my/tp/2015/index.php/insidertaps-20190415.
- Is a data user subject to any industry-specific regulation or guideline?
A data user who is subject to registration under the PDPA must comply with the industry code of practice issued by its respective class of data user which has been approved and registered by the Commissioner. A code of practice serves as a guide to data users on complying with the PDPA. It sets the minimum standards of conduct in respect of personal data which are expected of a particular class of data users and stipulates the measures to be deployed by those data users to ensure their processing activities are in compliance with the PDPA.
To date, the Commissioner has registered codes of practice for several industries, namely electricity (utilities) (w.e.f. 23 June 2016), insurance and takaful (w.e.f. 23 December 2016), banking and financial institution (w.e.f. 19 January 2017), aviation (transportation) (w.e.f. 21 November 2017) and communications (w.e.f. 23 November 2017).
Rights of data subject
- What are the rights of data subject?
A data subject has the following rights:
- right to access to personal data;
- right to correct personal data;
- right to withdraw consent;
- right to prevent processing likely to cause damage or distress; and
- right to prevent processing for direct marketing.
- How to respond to a request to exercise the rights of data subject?
Upon receipt of a written request to access or correct personal data, the data user must respond to the request not later than 21 days after receipt or, if the period is extended, not later than 14 days after the expiration of the 21-day period. Where compliance with such a request is refused under the PDPA, the data user must give written notice to the requestor stating the reasons for the refusal.
Where a written notice is given to the data user to exercise the right to withdraw consent, or the right to prevent processing likely to cause damage or distress or processing for direct marketing, the data user must cease, or not begin, processing the personal data.
- Is there a requirement to report a data breach to Commissioner?
There is no requirement to report a data breach to the Commissioner under the PDPA.
Nonetheless, the Commissioner on 7 August 2018 issued a public consultation paper on the implementation of data breach notification, introducing a requirement for data users to notify the Commissioner of a data breach within 72 hours of becoming aware of the breach, but it has yet to come into force. For more information on the data breach notification requirement, please see:
- What are the remedies available to data subject in the event of a data breach?
In the event of a data breach, the only recourse available to the data subject is to complain to the Commissioner. The PDPA does not provide for a right to bring a claim against the data user for compensation.
Penalties and enforcement
- What are the penalties for non-compliance with the PDPA?
Non-compliance with the PDPA is an offence which attracts a maximum fine of RM500,000 or 3 years' imprisonment. Where the offence is committed by a body corporate, any person who at the time of the commission of the offence was a director, CEO, COO, manager, secretary or other similar officer of the body corporate may be liable severally or jointly in the proceedings with the body corporate.
It is noteworthy that the Commissioner has commenced taking measures to enforce the PDPA. The first prosecution under the PDPA concluded in May 2017. In that case, a local private college operator was charged with processing personal data without a certificate of registration issued by the Commissioner. The offence attracts a fine not exceeding RM500,000 or imprisonment for a term not exceeding 3 years, or both. Since that case, several other data users have been charged with the same offence (failure to register as a data user) in the past 2 years, including one hotel operator, one private higher educational institution and two job recruitment agencies. The hotel operator was also charged with processing personal data without the consent of the data subject.
- What are the information and documents required by the Commissioner during an inspection?
The Commissioner may request the following information and documents:
- the record of consent obtained from data subjects;
- the record of written notice issued to data subjects;
- the list of disclosure to third parties;
- the security policy;
- the record of data retention and disposal;
- the record of updates and amendments to personal data; and
- all other information and documentation relating to processing operations and compliance actions.
Therefore, it is imperative for a data user to keep and maintain records of the aforesaid so that they may be produced to the Commissioner to demonstrate compliance.