Personal Data Protection in Malaysia

The Personal Data Protection Act 2010 has come into force in Malaysia. These slides explain its governing principles so that you can get an overview of whether your company is ready to comply.

  1. Personal Data Protection in Malaysia: Are you ready?
  2. The Law. On 15 November 2013, the Personal Data Protection Act 2010 (PDPA) was gazetted to come into force. This Act regulates all companies that process personal data in commercial transactions.
  3. Your company is caught by the PDPA if you:
     • Process personal data for your own commercial use
     • Outsource the processing of personal data to other companies
     • Act as an outsourced service provider processing personal data for others
     In short, unless you keep no data at all about customers or suppliers, the Act applies to you.
  4. What is personal data? Any data which can identify a person is considered personal data. There are two categories of personal data:
     Personal data:
     • Name
     • Address
     • Tel No
     • Email
     • Gender
     • Date of birth
     • Photos
     • Videos, etc.
     Sensitive personal data:
     • Physical health or condition
     • Mental health or condition
     • Political views
     • Religious or other similar beliefs
     • Criminal records
     • Any other information deemed by the Minister to be sensitive personal data
  5. Difference between personal data and sensitive personal data. All personal data must be processed in accordance with the principles set out in the PDPA. However, sensitive personal data can only be processed if explicit consent is given under section 40 of the PDPA.
  6. The meaning of “processing” personal data. Processing includes any form of dealing with personal data, such as collecting, keeping, organizing, using, etc. The definition of “processing” under the Act is broad enough to ensure that any dealing with personal data will be considered “processing”.
  7. The 7 Principles of Personal Data Protection under the PDPA:
     1. General Principle: The person whose data is to be processed must consent.
     2. Notice and Choice Principle: The person must be notified that his personal data will be processed and how. He must also be given the choice to limit the right to process.
     3. Disclosure Principle: Personal data cannot be used except for the purpose stated, and cannot be disclosed except to the disclosed third parties.
     4. Security Principle: Companies must have sufficient steps and procedures in place to protect personal data from loss, misuse, modification, unauthorised access or disclosure, alteration or destruction.
  8. Principles of Personal Data Protection (2):
     5. Retention Principle: Personal data cannot be kept longer than necessary, and must be destroyed or permanently deleted once it is no longer required.
     6. Data Integrity Principle: Companies must take reasonable steps to ensure personal data is accurate, complete, not misleading and kept up to date.
     7. Access Principle: Any person must be permitted access to his own personal data and be entitled to correct any inaccurate, incomplete or misleading information about himself.
  9. Need to register as a data user. Companies processing personal data must register as a data user under the PDPA. This registration must be renewed annually.
  10. Obligation to keep records. Companies must also keep records of every notice, application or request made by any person regarding the processing of his personal data.
  11. Enforcement Provisions:
     • The Commissioner is entitled to inspect the systems of every company, either pursuant to a complaint or on his own initiative.
     • No claim for costs or damages can lie against enforcement officers in carrying out their duties (appropriately or otherwise).
     • The Commissioner may search premises and seize records, including computers, with or without a warrant (without a warrant if the authorised officer is satisfied that the delay in obtaining one would result in evidence being lost or tampered with).
     • Officers can compel the attendance of any person for the purpose of facilitating investigations, and arrest any person suspected of committing an offence under the Act.
  12. Offences and punishment:
     • Offences of unlawful collection and processing of personal data can, on conviction, attract a fine of up to RM500,000 or imprisonment of up to 3 years, or both.
     • If a company is found liable, its director, CEO, COO, manager, secretary or similar officer may be held personally liable for the said offence.
  13. So, what must you do?
     • Analyse your current practices.
     • Identify where you fall short of the requirements of the PDPA.
     • Revamp your forms, processes and procedures to comply with the requirements and the 7 principles.
     • Document your revised forms, processes and procedures.
     • Allocate roles and responsibilities in order to ensure continued compliance by your company.
     • Register your company as a personal data user. This is compulsory under the PDPA.
     • Train your staff to comply and avoid liabilities.
  14. REMINDER: Outsourcing to third parties does not help. Your company continues to be liable under the PDPA for the conduct of the third-party service provider.
  15. Need help? We can assist you to comply with the PDPA by:
     1. reviewing your existing forms, processes and procedures and revamping them to comply;
     2. documenting your policy and practices and structuring roles and responsibilities to ensure compliance;
     3. registering your company as a personal data user;
     4. training your staff.
  16. For more information, please contact: Chan Kheng Hoe, Partner, Corporate and Commercial. Tel: +603-6205 3928. Fax: +603-6205 4928. E-mail: When in doubt,