
Personal Data Protection Act 2010 (Malaysia)


A Presentation which provides an overview on Personal Data Protection Act of Malaysia

Published in: Law

  1. PERSONAL DATA PROTECTION ACT 2010. A Presentation by: David Gurupatham & Koay
  2. INTRODUCTION
     • Came into force on 15 November 2013
     • To regulate the usage, processing and disclosure of personal data in commercial transactions in Malaysia
  3. WHAT CONSTITUTES PERSONAL DATA?
     • S4 PDPA: Commercial transaction – a transaction of a commercial nature, whether contractual or not, and includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance
     • Applies to personal data processed or intended to be processed in Malaysia
  4. (cont.)
       - Equipment in Malaysia is being used to process
     • Information must relate directly or indirectly to a data subject who is identifiable from the information in the possession of the data user
     • E.g. name, address, gender, telephone number, email address, NRIC number, income
  5. APPLICATION
     • Any person who processes or has control over the processing of any personal data in respect of a commercial transaction
     • Processing includes collecting, recording, storing personal data or carrying out an operation on the personal data (e.g. handing out forms to potential buyers)
  6. Definitions:
     • Data user – a person who, alone or jointly, processes or has control over the processing of personal data
     • Data subject – an individual who is the subject of personal data (e.g. potential clients)
     • Data processor – any person other than an employee of the data user who processes the personal data solely on behalf of the data user (e.g. lawyers, agents, bankers)
  7. REGISTRATION OF CLASSES OF DATA USERS
     • Personal Data Protection (Registration of Data User) Regulations 2013
     • Data users that fall under the specified classes are required to register with the Personal Data Protection Commissioner
  8. Classes of data users required to register:
       1. Communications
       2. Banking and financial institutions
       3. Insurance
       4. Health
       5. Tourism and hospitality
       6. Transportation
       7. Education
       8. Direct selling
       9. Services
       10. Real estate (a licensed housing developer under the HDA 1966)
       11. Utilities
  9. 7 PERSONAL DATA PROTECTION PRINCIPLES
       1. General Principle
       2. Notice and Choice Principle
       3. Disclosure Principle
       4. Security Principle
       5. Retention Principle
       6. Data Integrity Principle
       7. Access Principle
     Section 5(2) PDPA: a data user has to comply with all the Principles above, failing which it is liable to a fine not exceeding RM300k or imprisonment not exceeding 2 years
  10. 1. General Principle
     • A data user can process personal data once the data subject has given consent to the processing
     • Exceptions:
       (a) The performance of a contract to which the data subject is a party;
       (b) At the data subject's request, with a view to entering into a contract;
  11. (cont.)
       (c) Compliance with any legal obligation to which the data user is subject, other than a contractual obligation;
       (d) Protecting the vital interests, namely matters relating to life, death or security, of the data subject;
       (e) The administration of justice; or
       (f) The exercise of any functions conferred on any person under any law.
     • Information can only be processed if:
       - It is for a lawful purpose directly related to the activity of the data user;
       - It is necessary for or directly related to that purpose; and
       - The data is not excessive for that purpose
  12. Consent of Data Subject (Section 3 PDP Regulations)
     • In any form, as long as it can be recorded and maintained properly by the data user
     • If the data subject is under 18 years old, consent is to be obtained from a parent, guardian or person who has parental responsibility
     • The burden of proof lies on the data user
  13. 2. Notice and Choice Principle
     • The data user is required to inform a data subject by written notice, in both BM and English, of:
       - A description of the data being processed;
       - The purposes for which the personal data is being collected or processed;
       - The source of that personal data, if available;
       - The data subject's right to access and request correction of the personal data, and the contact particulars of the data user in the event of any inquiries or complaints;
  14. (cont.)
       - The class of third parties to whom the data is or may be disclosed;
       - The choices and means offered to a data subject to limit the processing of the data; and
       - Whether it is obligatory or voluntary for the data subject to supply the data, and if obligatory, the consequences of not doing so
     • Notice has to be given as soon as practicable:
       - At the point the data is being collected or when it is first requested
       - When that data is used for purposes other than those for which it was collected
       - Before that data is disclosed to a third party
  15. (cont.)
     • Clear and readily accessible means must be provided to the data subject
     • Section 4 PDP Regulations: the data user needs to provide the following details:
       - Designation of the contact person;
       - Phone number;
       - Fax number, if any;
       - Email address, if any; and
       - Such other related information
  16. 3. Disclosure Principle
     • Prohibits the disclosure of personal data without the data subject's consent:
       - If the data collected previously was for a purpose other than that for which it was initially collected; and
       - The data is to be released to a third party in a different class from that to which the data subject consented
     • Section 5 PDP Regulations: the data user needs to keep and maintain a list of disclosures to third parties
  17. Exceptions
     • Consent has been given by the data subject;
     • To prevent or detect crime, or for the purpose of investigations;
     • Required or authorised by law or by order of the court;
     • The data user had acted under the belief that he has the right in law to disclose the data to another person;
     • The data user had acted under the reasonable belief that he would have received the consent of the data subject if the data subject had known of the disclosure and the circumstances of such disclosure;
     • For the public interest in circumstances as determined by the Minister
  18. 4. Security Principle
     • The data user is obligated to take steps to protect the personal data during processing from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction
     5. Retention Principle
     • Personal data is not to be retained longer than is necessary for the fulfilment of the purpose for which it is processed
     • Personal data is to be destroyed or permanently deleted if it is no longer required for that particular purpose
  19. 6. Data Integrity Principle
     • The data user has to take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date, having regard to the purpose for which it was collected and processed.
     7. Access Principle
     • The data subject has the right to access his own data and to correct it where the personal data is inaccurate, incomplete, misleading or outdated
  20. PDPA Criminal Offences
     • Failure to register
     • Processing after registration is revoked
     • Disclosure without consent
     • Transferring data without adequate protection
     • Unlawful collection
     • Selling data
  21. Penalties
     • Section 16 PDPA: Processing without registration – RM500k or a prison term not exceeding 3 years, or both
     • Section 37 PDPA: Failure to comply with a data correction request – RM100k or a prison term not exceeding 1 year, or both
     • Section 38(4) PDPA: Processing personal data after the data subject's consent has been withdrawn – RM100k or a prison term not exceeding 1 year, or both