New Laws to protect Personal Data

Jillian Chia provides a primer on the Personal Data Protection Act 2010

Regulation of the use, processing and disclosure of personal data in Malaysia has been a subject of interest and debate since the late 1990s. Although the use of personal data in certain industries, such as the banking and finance, healthcare and telecommunications industries, is regulated by industry-specific legislation, there has not been any data protection legislation of general application in Malaysia until recently.

Several data protection bills have been proposed over the years, including the Data Protection Bill 1998 and the Data Protection Bill 2001, but none came to fruition. A new Personal Data Protection Act 2010 (“PDP Act”) has recently been enacted in response to the increasing need to curb the unauthorised use of personal data in Malaysia.

The PDP Act was passed by the Malaysian Parliament in May 2010 and received Royal Assent on 2 June 2010. It will come into operation on a date to be appointed by the Minister of Information Communications and Culture ("Minister") by notification in the Gazette.

The PDP Act purports to safeguard personal data by requiring the data user to comply with certain obligations and by conferring certain rights on the data subject in relation to his personal data. Some of the pertinent provisions of the PDP Act are discussed in this article.

What kind of data is covered?

Three conditions must be fulfilled for any data to be considered ‘personal data’ within the ambit of the PDP Act.

Firstly, the data must be in respect of commercial transactions. ‘Commercial transactions’ is defined under the PDP Act as transactions of a commercial nature, whether contractual or not, and includes any matter relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance.

Secondly, such information must:

(i) be processed by means of equipment operating automatically in response to instructions given for that purpose;

(ii) be recorded with the intention that it should be processed by such equipment; or

(iii) be recorded as part of, or with the intention that it should form a part of, a relevant filing system.

Thirdly, the information must relate directly or indirectly to a data subject who is identifiable from the information or other information in the possession of the data user.

The definition of ‘personal data’ appears to be sufficiently wide to cover the usual types of personal information collected in day-to-day transactions, i.e. name, address, telephone number, email address, banking details and identification card numbers. Such data are also generally collected in most commercial transactions, such as when purchasing items over the internet, subscribing to telecommunications services or registering as a member of a website. Therefore, upon the implementation of the PDP Act, the use, processing and disclosure of such personal data will be regulated.

The PDP Act does not apply to information processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010, as the processing of such information has been specifically excluded from the definition of personal data under the PDP Act.

Application of the PDP Act

The PDP Act applies to any person who processes or has control over the processing of any personal data in respect of commercial transactions.

"Processing" has been defined widely under the PDP Act to cover activities which are normally carried out on personal data, including collecting, recording or storing personal data or carrying out various operations on it, such as organising, adapting, altering, retrieving, using, disclosing and disseminating such data.

The PDP Act applies to a party who is not established in Malaysia but uses equipment in Malaysia to process personal data otherwise than for purposes of transit through Malaysia.

The PDP Act does not apply to personal data that is processed outside of Malaysia, unless such data is intended to be further processed in Malaysia. It also does not apply to the Malaysian Federal and State Governments.

Most of the obligations under the PDP Act apply to a "data user", i.e. "a person who either alone or jointly in common with other persons processes any personal data or has control over or authorizes the processing of any personal data, but does not include a data processor."

A "data processor" is "any person other than an employee of the data user, who processes the personal data solely on behalf of the data user, and does not process the personal data for any other purpose of his own." Hence, a back-end data processor who processes personal data solely on behalf of a data user will not be bound directly by the provisions of the PDP Act.

Specific Exemptions

Personal data processed for the purposes set forth below is exempted from the provisions of the PDP Act:

(i) personal data processed for the prevention or detection of crime, for the purposes of investigations, apprehension or prosecution of offenders, or for the assessment or collection of any tax or duty or other similar impositions;

(ii) personal data processed solely for the purposes of preparing statistics or carrying out research, provided that the resulting statistics or research results are not in a form which identifies the data subject;

(iii) personal data that is necessary for the purposes of or in connection with any court judgment or order;

(iv) personal data processed for the purposes of discharging regulatory functions, if the application of those provisions would be likely to prejudice the proper discharge of those regulatory functions.

Personal Data Protection principles

The PDP Act sets out seven Personal Data Protection Principles which have to be complied with when processing personal data, namely:

1. General Principle;

2. Notice and Choice Principle;

3. Disclosure Principle;

4. Security Principle;

5. Retention Principle;

6. Data Integrity Principle; and

7. Access Principle.

Non-compliance by a data user with any of the aforesaid principles constitutes an offence under the PDP Act, and the penalty includes a fine or imprisonment or both. Certain principles are qualified by exceptions and exemptions as provided for under the PDP Act.

General Principle

The General Principle prohibits a data user from processing a data subject’s personal data except with the data subject’s consent. This principle is qualified by six exceptions, where such processing is necessary for:

(i) the performance of a contract to which the data subject is a party;

(ii) the taking of steps, at the data subject’s request, with a view to entering into a contract;

(iii) compliance with any legal obligation to which the data user is subject, other than a contractual obligation;

(iv) protecting the vital interests, namely matters relating to life, death or security, of the data subject;

(v) the administration of justice; or

(vi) the exercise of any functions conferred on any person under any law.

The PDP Act also sets out certain parameters for the processing of personal data. It provides that such data may not be processed unless:

(i) it is for a lawful purpose directly related to the activity of the data user;

(ii) it is necessary for or directly related to that purpose; and

(iii) the data is not excessive for that purpose.

Additional and more stringent conditions are imposed for the processing of ‘sensitive personal data’, that is, data on the physical or mental health or condition, the political opinions, religious beliefs or other similar beliefs of a data subject, the commission or alleged commission of an offence by a data subject, and any other data declared by the Minister to be sensitive personal data.

Notice and Choice Principle

The PDP Act requires a data user to inform a data subject by written notice, in both the national and English languages, of the following:

(i) that the personal data of the data subject is being processed and a description of the data;

(ii) the purposes for which the personal data is being collected and further processed;

(iii) any information available to the data user as to the source of that personal data;

(iv) the data subject’s right to request access to and correction of the personal data and contact particulars of the data user in the event of any inquiries or complaints;

(v) the class of third parties to whom the data is or may be disclosed;

(vi) the choices and means offered to a data subject to limit the processing of the data; and

(vii) whether it is obligatory or voluntary for the data subject to supply data, and if obligatory, the consequences of not doing so.

Notice of the above has to be given by the data user “as soon as practicable”, that is, when the data user first requests the personal data from the data subject, or when the data user first collects the personal data of the data subject, or before the data user uses it for a purpose other than the original purpose or discloses it to a third party.

The data subject must also be provided with a clear and readily accessible means to exercise his choice, where necessary, in both the national and English languages.

Disclosure Principle

This principle prohibits the disclosure, without the data subject’s consent, of personal data:

(i) for any purpose other than that for which the data was disclosed at the time of collection, or a purpose directly related to it; and

(ii) to any party other than a third party of the class notified to the data user.

The PDP Act provides exceptions to the Disclosure Principle. Disclosure of personal data is permitted where:

(i) consent has been given by the data subject;

(ii) the disclosure is necessary to prevent or detect crime, or for the purpose of investigations;

(iii) the disclosure is required or authorized by law or by order of the court;

(iv) the data user had acted under the belief that he has the right in law to disclose the data to another person;

(v) the data user had acted under the reasonable belief that he would have received the consent of the data subject if the data subject had known of the disclosure and the circumstances of such disclosure; or

(vi) the disclosure was justified as being in the public interest in circumstances as determined by the Minister.

Security Principle

The PDP Act imposes obligations on the data user to take steps to protect the personal data during its processing from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction.

Where the data processing is carried out by a data processor on behalf of a data user, the data user must ensure that the data processor provides sufficient guarantees in respect of the technical and organizational security measures governing the processing and takes reasonable steps to ensure compliance with those measures.

Retention Principle

Under this principle, personal data is not to be retained longer than is necessary for the fulfilment of the purpose for which it is processed. A duty is also imposed on the data user to take reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was processed.

Data Integrity Principle

The data user has to take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up to date, having regard to the purpose (and any directly related purpose) for which it was collected and processed.

Access Principle

The PDP Act gives the data subject the right to access his own data and to correct the same where the personal data is inaccurate, incomplete, misleading or outdated. The PDP Act provides grounds on which the data user may refuse to comply with a data access or data correction request by the data subject.

Transfer of personal data out of Malaysia

It is pertinent to note that the PDP Act does not permit a data user to transfer any personal data to a place outside Malaysia unless that place has been specified by the Minister and published in the Gazette. The PDP Act does, however, specify certain circumstances in which personal data may be transferred out of Malaysia, i.e. where the data subject has given consent to the transfer, where the transfer is necessary for the performance of a contract between the data subject and the data user, or where the transfer is for the purposes of legal proceedings or of obtaining legal advice.

Rights of Data Subject

The PDP Act confers rights on a data subject vis-à-vis a data user in relation to his personal data and the processing thereof. Such rights include:

(i) the right to access personal data;

(ii) the right to correct personal data;

(iii) the right to withdraw consent to process personal data;

(iv) the right to prevent processing likely to cause damage and distress; and

(v) the right to prevent processing for direct marketing.

Certain of the rights mentioned above are qualified by the provisions in the PDP Act.

Registration of data users

The Minister may specify a class of data users who are to be registered under the legislation. However, as the PDP Act is not yet in force, it remains to be seen which types of data users will be required to register. The Minister may also require data user forums to be established and codes of practice to be prepared.

Conclusion

The provisions of the PDP Act are extensive in nature and grant data subjects a say over how their personal data is processed and used. The PDP Act also imposes a wide range of obligations on data users in relation to the personal data collected. Upon the implementation of the PDP Act, data users will have to change the way in which they process and manage personal data and to ensure that their business processes comply with the seven Personal Data Protection Principles.

The PDP Act will, upon its enforcement, also confer safeguards on data subjects against abuse and unwanted disclosure of their personal data by data users.

Regrettably, as the PDP Act only applies to personal data that is collected in respect of commercial transactions, the collection, use and dissemination of data that is collected for non-commercial purposes, such as registration for social networking websites and free online newspapers or lifestyle magazines, remains unregulated. Hence, the abuse and dissemination of such data may continue unabated.

JILLIAN CHIA YAN PING