Personal Data Protection in
Are you ready?
On 15 November 2013, the Personal Data Protection Act 2010 (PDPA) was gazetted to come into force. This Act regulates all companies that process personal data in
Your company is caught by the
PDPA if you...
personal data for
personal data to
personal data for
In short, unless you keep no data at all on customers or suppliers, the Act applies to
What is personal data?
Any data which can identify a person is considered personal data. There are 2 categories of personal data: personal data and sensitive personal data.
Sensitive Personal Data
Physical health or condition
Mental health or condition
Religious or other similar beliefs
Date of birth
Any other information deemed
by the Minister to be sensitive
Difference between personal data
and sensitive personal data
All personal data must be processed in
accordance with the principles set out in the
However, sensitive personal data can only be
processed if explicit consent is given under
section 40 PDPA.
The meaning of “processing”
Processing includes any form of dealing with
personal data such as collecting, keeping,
organizing, using, etc.
The definition of “processing” under the Act is broad enough to ensure that any dealing with personal data will be considered
7 Principles of Personal Data
Protection under the PDPA
1. General Principle
The person whose data is to be processed must consent to the processing.

2. Notice and Choice Principle
The person must be notified that his personal data will be processed and how. He must also be given the choice to limit the right to

3. Disclosure Principle
Personal data cannot be used except for the purpose stated, and cannot be disclosed except to the third parties that were disclosed to the person.

4. Security Principle
Companies must have sufficient steps and procedures to protect personal data from loss, unauthorised access or disclosure, alteration or

5. Retention Principle
Personal data cannot be kept longer than necessary, and must be destroyed or permanently deleted if no

6. Data Integrity Principle
Companies must take reasonable steps to ensure personal data is accurate, complete, not misleading and kept updated.

7. Access Principle
Any person must be permitted access to his own personal data and be entitled to correct any inaccurate, incomplete or misleading information about himself.
Need to register as data user
Companies processing personal data that fall within a class of data users specified by the Minister by order under the PDPA must register as a data user.
This registration must be renewed on an annual
Obligation to keep records
Companies must also keep records of every
notice, application or request made by any
person regarding the processing of his personal
The Commissioner is entitled to inspect the systems of any company, either pursuant to a complaint or on his own initiative.
No claim for costs or damages can lie against enforcement officers in carrying out their duties (appropriately or
The Commissioner may search premises and seize records, including computers, with or without a warrant (if the authorised officer is satisfied that the delay in obtaining a warrant would result in evidence being lost or tampered with).
Officers can compel the attendance of any person for the purposes of facilitating investigations, and arrest any person suspected of committing an offence under the Act.
Offences and punishment
Offences of unlawful
personal data can, on
conviction, attract a
fine of up to
imprisonment of up to
3 years or both.
If a company is found liable, its director, CEO, COO, manager, secretary or similar officer is deemed to have committed the same offence and may be held personally liable, unless he proves that the offence was committed without his knowledge or consent and that he exercised due diligence to prevent it.
So, what must you do?
Analyse your current practices. Identify where you fall
short of the requirements of the PDPA.
Revamp your forms, processes and procedures to comply
with the requirements and 7 principles.
Document your revised forms, processes and procedures.
Allocate roles and responsibilities in order to ensure
continued compliance by your company.
Register your company as a personal data user if it falls within a class of data users specified under the PDPA. Registration is then compulsory.
Train your staff to comply and avoid liabilities.
Outsourcing to third parties does not help. Your
company continues to be liable for the conduct of
the third party service provider under the PDPA.
We can assist you to comply with the PDPA by:
1. reviewing your existing forms, processes and procedures and revamping them to comply;
2. documenting your policy and practices and structuring roles and responsibilities to ensure continued compliance;
3. registering your company as a personal data user;
4. training your staff.
For more information, please contact:
Chan Kheng Hoe
Partner, Corporate and Commercial
Tel: +603-6205 3928
Fax: +603-6205 4928
When in doubt, Ask@MyCounsel.com.my