SALIENT PROVISIONS OF THE PERSONAL DATA PROTECTION ACT 2010

A. WHAT DOES THE ACT REGULATE?

The Act regulates the processing of personal data (including sensitive personal data) by providing various safeguards to protect the interest of data subjects.

 

 

B. WHAT IS PERSONAL DATA?


Personal data

1. Section 4 defines personal data. Three conditions must be satisfied for information to come within this definition.

2. Firstly, the data must be in respect of commercial transactions. A 'commercial transaction' is defined in section 4 as a transaction of a commercial nature, whether contractual or not, which includes any matter relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance.

3. Secondly, such information must:

 

(1) be processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;

(2) be recorded with the intention that it should be processed wholly or partly by such equipment; or

(3) be recorded as part of, or with the intention that it should form part of, a relevant filing system.

 

4. Thirdly, the information must relate directly or indirectly to a data subject who is identified or identifiable from the information or other information in the possession of a data user.

5. Information that is processed for the purposes of a credit reporting business under the Credit Reporting Agencies Act 2010 is specifically excluded from the definition of "personal data". Therefore the obligations of the data user and rights of a data subject under the Act will not apply to information processed under that legislation.

6. Personal data includes sensitive personal data and expression of opinion about the data subject.

 

Sensitive personal data

7. Sensitive personal data means:

(1) personal data which consists of information on:

(a) the physical health, mental health or condition of a data subject;

(b) the political opinions, religious beliefs or other beliefs of a similar nature of a data subject;

(c) the commission or alleged commission of an offence by a data subject; or

 

(2) any other personal data declared by the Minister in the Gazette to be sensitive personal data.

 

 

C. PROTECTION OF PERSONAL DATA AND ITS PROCESSING

1. The Act safeguards personal data and its processing in the following ways:

(1) by imposing an obligation on a data user to comply with seven Personal Data Protection Principles; and

(2) by providing certain rights to a data subject in relation to his personal data.

 

 

D. PERSONAL DATA PROTECTION PRINCIPLES

1. A data user who processes personal data must comply with the 7 Personal Data Protection Principles set out in sections 6 to 12 of the Act, namely:

(1) General Principle;

(2) Notice and Choice Principle;

(3) Disclosure Principle;

(4) Security Principle;

(5) Retention Principle;

(6) Data Integrity Principle; and

(7) Access Principle.

 

Non-compliance by a data user with any of these principles is an offence under the Act.

2. It is important to note that certain of the Personal Data Protection Principles are qualified by exceptions or exemptions contained in the Act.

 

General Principle

3. Section 6 sets out the application of the General Principle to personal data and sensitive personal data.

 

Processing of personal data

4. The General Principle prohibits a data user from processing a data subject’s personal data except with the latter’s consent.

 

5. The General Principle is qualified by 6 exceptions in section 6(2) which permit personal data to be processed without the data subject's consent, namely:

(1) for the performance of a contract to which the data subject is a party;

(2) for the taking of steps at the data subject's request with a view to entering into a contract;

(3) for compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract;

(4) to protect the vital interests of the data subject;

(5) for the administration of justice; or

(6) for the exercise of any functions conferred on any person under any law.

 

6. Section 6(3) also sets out certain parameters for the processing of personal data, namely that such data may not be processed unless:

(1) it is for a lawful purpose directly related to the activity of the data user;

(2) it is necessary for or directly related to that purpose; and

(3) the data is adequate but not excessive in relation to that purpose.

 

Processing of sensitive personal data

7. The processing of sensitive personal data must comply with the conditions specified in section 40 and is permitted in the following circumstances:

(1) with the explicit consent of the data subject; or

(2) if the processing is necessary:

 

(a) for the performance of any right or obligation which is conferred or imposed by law on the data user in connection with employment;

(b) to protect the vital interests of the data subject or another person if consent cannot be given by or on behalf of the data subject or the data user cannot reasonably be expected to obtain the data subject’s consent;

(c) to protect the vital interests of another person in a case where consent by or on behalf of the data subject has been unreasonably withheld;

(d) for medical purposes and is undertaken by a healthcare professional or a person who owes a duty of confidentiality similar to that of a healthcare professional;

(e) for or in connection with any legal proceedings;

(f) for the purpose of obtaining legal advice;

(g) for the purposes of establishing, exercising or defending legal rights;

(h) for the administration of justice;

(i) for the exercise of any functions conferred on any person under any written law;

(j) for any purpose the Minister thinks fit; or

(3) where the information contained in the personal data has already been made public through the data subject's own deliberate actions.

 

Notice and Choice Principle

8. Section 7 requires a data user to inform a data subject by written notice of the following:

(1) that the personal data of the data subject is being processed and a description of the data;

(2) the purposes for which personal data is being collected and further processed;

(3) any information available to the data user as to the source of that personal data;

(4) the data subject’s right to request access to and correction of the personal data and contact particulars of the data user in the event of any inquiries or complaints;

(5) the class of third parties to whom the data is or may be disclosed;

(6) the choices and means offered to a data subject to limit the processing of personal data; and

(7) whether it is obligatory or voluntary for the data subject to supply data, and in the event of the former, the consequences of the failure to do so.

 

9. The notice must be given by the data user in the national and English languages and is to be given ‘as soon as practicable’:

(1) when the data user first requests the data subject to provide his personal data;

(2) when the data user first collects the personal data of the data subject; or

(3) in any other case, before the data user uses it for a purpose other than the original purpose or before the data user discloses it to a third party.


The data subject must be provided with a clear and readily accessible means to exercise his choice, where necessary, in the national and English languages.

 

Exception

10. Section 41 exempts a data user from complying with the Notice and Choice Principle in relation to the subsequent collection of personal data from the same data subject which is carried out within 12 months from the first collection if it will result in a repetition by the data user of his obligations under the Notice and Choice Principle in respect of the first collection.

 

Disclosure Principle

11. Section 8 prohibits the disclosure, without the data subject's consent, of personal data:

(1) for any purpose other than the purpose for which the data was to be disclosed at the time of collection, or a purpose directly related to it; and

(2) to any party other than a third party of the class notified to the data subject under the Notice and Choice Principle.

 

Exceptions

12. Section 39 provides exceptions to the Disclosure Principle. It permits the disclosure of personal data where:

(1) consent has been given by the data subject;

(2) the disclosure is necessary to prevent or detect crime, or for the purpose of investigations;

(3) the disclosure is required or authorized by law or order of court;

(4) the data user had acted under the reasonable belief that he has the right in law to disclose the data to another person;

(5) the data user had acted under the reasonable belief that he would have received the consent of the data subject if the data subject had known of the disclosure and the circumstances of such disclosure; or

(6) the disclosure was justified as being in the public interests in circumstances as determined by the Minister.

 

Security Principle

13. Section 9 imposes an obligation on the data user to take steps to protect the personal data during its processing from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction.

 

14. If the processing is carried out by a data processor on behalf of a data user, that data user is required for the purposes of protecting the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction to ensure that the data processor:

(1) provides sufficient guarantees in respect of the technical and organizational security measures governing the processing; and

(2) takes reasonable steps to ensure compliance with those measures.

 

Retention Principle

15. Section 10 provides that personal data shall not be retained longer than is necessary for the fulfillment of the purpose for which it is processed.

16. The section also imposes a duty on the data user to take reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed.

 

Data Integrity Principle

17. Section 11 requires a data user to take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date, having regard to the purpose (and any directly related purpose) for which it was collected and processed.

 

Access Principle

18. Section 12 confers on a data subject a right of access to his own data and to correct the same if it is inaccurate, incomplete, misleading or outdated.

 

Other Important Obligations of a Data User

Records

19. Section 44 requires a data user to maintain in such form as determined by the Personal Data Protection Commissioner, a record of application, notice, request or any other information relating to personal data that has been or is being processed by him.

 

Transfer of personal data

20. Section 129 prohibits a data user from transferring personal data to any place outside Malaysia other than a place specified by the Minister. Section 129(3) sets out 8 exceptions to this prohibition.

 

 

E. RIGHTS OF DATA SUBJECT

1. The Act confers the following rights on a data subject vis-à-vis a data user in relation to his personal data and the processing thereof:

(1) the right of access to personal data;

(2) the right to correct personal data;

(3) the right to withdraw consent to process personal data;

(4) the right to prevent processing likely to cause damage or distress; and

(5) the right to prevent processing for direct marketing.

 

2. It should be noted that the above-mentioned rights of a data subject are qualified by certain provisions of the Act. These qualifications are discussed below.

 

Right of Access

3. Section 30 confers a right on an individual (requestor), upon written request and payment of a prescribed fee, to be informed by a data user as to whether the personal data of that individual is being processed by or on behalf of that data user.

 

Time-frame for compliance

4. Subject to the exceptions discussed below, a data user is required to comply with a data access request under section 30 within 21 days of receipt of the request.

 

5. A data user who is unable to comply with a data access request within the above-referred 21-day time frame shall, before the expiry of that time frame:

(1) inform the requestor in writing of his inability to comply with the request and the reasons therefor; and

(2) comply with the request to the extent that he is able to do so.

6. Notwithstanding paragraph E5, the data user shall comply in whole with the request within a further period of 14 days after the expiry of the initial 21-day period.

 

Grounds for Non-Compliance with Request

7. Section 32(1) confers the right on the data user to refuse to comply with the request on the following grounds:

(1) where the data user is not supplied with sufficient information as to the identity of the requestor or of the relevant person making the request;

(2) where the data user is not supplied with sufficient information to enable him to locate the personal data;

(3) where the burden or expense of providing access is not proportionate to the risk to the data subject's privacy;

(4) where the data user cannot comply with the request without disclosing the personal data of another individual who is identifiable from that information (unless consent of that individual has been obtained or it is reasonable to comply without the consent of such other individual);

(5) where the processing of personal data is controlled by another data user in a manner which prohibits the relevant data user from complying in whole or part with the request;

(6) where it will be against any court order;

(7) where it will disclose confidential commercial information; or

(8) where the access is regulated by another law.

 

8. A data user who refuses to comply with a data access request must inform the requestor of his refusal (and the reasons for refusal) within 21 days from his receipt of the request and in the case of refusal under paragraph E7(5) above, the name of the other data user concerned.

 

Right to correct Personal Data

9. A requestor or a data subject is entitled under section 34 to request for a correction of his personal data if he knows or considers his personal data held or supplied by the data user to be inaccurate, incomplete, misleading or not up-to-date.

 

Compliance with data correction request

10. If the data user is satisfied that the data should be corrected, he shall do all of the following within 21 days from the day of receipt of the request:

(1) correct the personal data;

(2) supply a corrected copy to the data subject or the requestor;

(3) take steps to supply a third party with a corrected copy of the personal data with a notice stating the reasons for such correction if:

(a) the personal data has been disclosed to that third party within 12 months preceding the day on which the correction is made; and

(b) the data user believes that the third party has not ceased to use the data for the purpose for which it was disclosed (or for any directly related purpose).

 

11. If the data user is unable to comply with the request within the 21-day time frame, he must notify the requestor of his inability to do so (and the reasons therefor) before the expiry of the 21-day period. The data user must, however, comply with the request to the extent that he is able to do so within that time period.

12. The data user must then comply fully with the data correction request within a period of 14 days after the expiry of the initial 21-day period.

 

Grounds for Non-Compliance with Correction Request

13. Section 36(1) sets out the circumstances in which a data user may refuse to comply with the data correction request. They are:

(1) where the data user is not supplied with sufficient information as to the identity of the requestor or of the relevant person making the request;

(2) where the data user is not supplied with such information as to enable him to ascertain the manner in which the personal data is inaccurate, incomplete, misleading or outdated;

(3) where the data user is not satisfied that the personal data which is required to be corrected is inaccurate, incomplete, misleading or not up-to-date;

(4) where the data user is not satisfied that the correction requested for is accurate, complete, not misleading or up-to-date; or

(5) where the processing of personal data is controlled by another data user in a manner which prohibits the relevant data user from complying in whole or part with the data correction request.

 

14. A data user who, pursuant to section 36, refuses to comply with a data correction request must within 21 days from receipt of the request, inform the requestor of the refusal and the reasons therefor. Where a request is refused on the grounds set out in paragraph E13(5), the data user must provide the requestor with the name and address of the other data user concerned.

 

15. If the data correction request relates to an expression of opinion and the data user is not satisfied that the opinion expressed is inaccurate, incomplete, misleading or not up-to-date, he must:

(1) make a note, to be annexed to the personal data or kept elsewhere, of the matters in respect of which the requestor deems the opinion expressed to be inaccurate, incomplete, misleading or not up-to-date; and

(2) ensure that the relevant data cannot be used by any person without his attention being drawn to the note.

 

The data user is also required to attach a copy of the note to the notice of refusal which he issues to the requestor.

 

Withdrawal of Consent

16. A data subject may, by written notice to a data user, withdraw his consent to the processing of his personal data. The data user shall cease processing the personal data of such data subject upon receipt of the notice.

 

Right to prevent processing likely to cause damage or distress

17. A data subject may, by way of a data subject notice under section 42(1), require a data user to cease or not commence the processing of personal data for a specified purpose or in a specified manner which, based on the reasons stated by the data subject, may or is likely to cause substantial damage or substantial distress to him or to another person which is or would be unwarranted.

 

Exceptions

18. The right in section 42(1) shall not apply where:

(1) the data subject had given his consent;

(2) the processing is necessary for:

(a) the performance of a contract to which the data subject is a party;

(b) the taking of steps at the data subject's request with a view to entering a contract;

(c) compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by contract; or

(d) the protection of the vital interests of the data subject.

 

19. A data user is required to respond to the data subject notice within 21 days by notifying the data subject that:

(1) he has complied or intends to comply with the notice; or

(2) he regards the data subject notice as wholly or partly unjustified and his reasons therefor and the extent, if any, to which he has complied or intends to comply with the notice.

 

20. A data subject who is not satisfied with the data user’s response may submit an application to the Commissioner to require the data user to comply with his request. The Commissioner may direct the data user to comply with the request to the extent that the Commissioner deems justified.

 

Right to prevent processing for direct marketing

21. Section 43 confers a right on a data subject, by written notice, to require a data user at the end of such period as is reasonable, to cease or not to begin processing his personal data for the purposes of direct marketing.

22. If the data user refuses to comply with the notice, the data subject may apply to the Commissioner to require the data user to comply with the notice. The Commissioner may require the data user to comply with the notice to the extent that the Commissioner deems justified.

 

 

F. LIMITATIONS

General

1. As mentioned above, information which is not processed in respect of commercial transactions and information that is processed for the purposes of a credit reporting business under the Credit Reporting Agencies Act 2010 do not come within the definition of "personal data" and are therefore excluded from the operation of the Act.

 

2. The Act only applies to a data user who is a person established in Malaysia. It does not apply to a data user who is not established in Malaysia unless that person uses equipment in Malaysia to process personal data (other than for the purpose of transit through Malaysia).

 

3. For the purposes of the Act, a person is deemed to be established in Malaysia if:

(1) he, being an individual, is physically present in Malaysia for not less than 180 days in one calendar year;

(2) it is a company incorporated under the Companies Act 1965;

(3) it is a partnership or other unincorporated association formed under any written laws in Malaysia;

(4) it, not being a person who falls within sub-paragraphs (1), (2) or (3) above, maintains in Malaysia:

(a) an office, branch or agency through which he carries on any activity; or

(b) a regular practice.

 

4. The Act will not apply to:

(1) the Federal Government or State Governments; or

(2) personal data processed outside Malaysia unless such data is intended to be further processed in Malaysia.

 

5. The Act does not apply to personal data processed by an individual for his own personal, family or household affairs (including recreational purposes).

 

Specific Exemptions

6. Personal data processed for the purposes set out below are exempted from the (a) General Principle, (b) Notice and Choice Principle, (c) Disclosure Principle, and (d) Access Principle (and other related provisions of the Act):

 

(1) personal data processed for the prevention or detection of crime or for the purposes of investigations, the apprehension or prosecution of offenders, or the assessment or collection of any tax or duty or other similar impositions;

(2) personal data processed for preparing statistics or carrying out research provided that such data is not processed for any other purpose and the resulting statistics or research results are not in a form which identifies the data subject;

(3) personal data that is necessary for the purposes of or in connection with any court judgment or order;

(4) personal data processed for the purposes of discharging regulatory functions if the application of those provisions would be likely to prejudice the proper discharge of those regulatory functions.

 

7. Personal data processed in relation to information of the physical or mental health of a data subject is exempted from the Access Principle (and other related provisions of the Act) if the application of those provisions would be likely to cause serious harm to the physical or mental health of the data subject or any other individual.

 

8. Personal data processed for journalistic, literary or artistic purposes are exempted from the (a) General Principle, (b) Notice and Choice Principle, (c) Disclosure Principle, (d) Retention Principle, (e) Data Integrity Principle, and (f) Access Principle (and other related provisions of the Act) if the following conditions are fulfilled:

(1) the processing is undertaken for the publication of the journalistic, literary or artistic material;

(2) the data user reasonably believes that, taking into account the special importance of public interest in freedom of expression, the publication would be in the public interest; and

(3) the data user reasonably believes that in all the circumstances, compliance with the provision in respect of which an exemption is claimed is incompatible with the journalistic, literary or artistic purposes.

 

Further Exemptions

9. The Minister may, upon the recommendation of the Commissioner, grant further exemptions from the provisions of the Act.

 

G. REGISTRATION OF SPECIFIED DATA USERS

1. The Minister may, upon the recommendation of the Commissioner, specify a class of data users who are to be registered under the Act.

 

2. The Act appears to impose only 2 significant additional obligations on a data user who is required to be registered:

(1) the data user will be obliged to comply with any conditions or restrictions that may be imposed on him in the certificate of registration; and

(2) it is an offence for a data user who falls within a class specified by the Minister to process personal data without a certificate of registration.

 

 

H. OTHER SALIENT PROVISIONS

Commissioner

1. The Act provides for the appointment and sets out the functions and powers of a Personal Data Protection Commissioner. His functions include advising the Minister on the national policy for data protection and implementing and enforcing data protection laws.

 

Data User Forum and Code of Practice

2. The Commissioner may, with the agreement of a body, designate that body to be a data user forum for a specific class of data users. A data user forum may, on its own initiative or at the request of the Commissioner, prepare a code of practice. The Commissioner may also opt to issue such a code if one is not prepared by the relevant forum. Data users are under an obligation to comply with the relevant code of practice, and failure to do so constitutes a statutory offence.

 

Advisory Committee

3. The Act establishes a Personal Data Protection Advisory Committee. The functions of the Committee are to advise the Commissioner on all matters relating to personal data protection, the administration of the Act and any other matter referred to them by the Commissioner. The Commissioner is not bound by the advice of the Committee.

 

Appeal Tribunal

4. The Act establishes an Appeal Tribunal. The powers of the Tribunal include hearing of appeals lodged with them by any person who is aggrieved by the decision of the Commissioner. The procedures for an appeal are set out in the Act. The decision of the Tribunal is final and binding on the parties to an appeal and may, with leave of the Sessions Court, be enforced in the same manner as a judgment or order, and be entered as a judgment.

 

 

SKRINE ©

1 June 2010

(updated 4 March 2011)
