Malaysia Personal Data Protection Act (PDPA) Your Guide Part One

Kuala Lumper Skyline" width="1080" height="675" />

Malaysia’s first comprehensive personal data protection legislation, the Personal Data Protection Act 2010 (PDPA), was passed by the Malaysian Parliament on June 2, 2010, and came into force on November 15, 2013.

Definitions

Definition of personal data

‘Personal data’ means any information in respect of commercial transactions that is:

• Being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose
• Recorded with the intention that it should wholly or partly be processed by means of such equipment, or
• Recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, and, in each case

…that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user.

Personal data includes any sensitive personal data or expression of opinion about the data subject. Personal data does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010.

Definition of sensitive personal data

‘Sensitive personal data means any personal data consisting of information as to the physical or mental health or condition of a data subject, his or her political opinions, his or her religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him or her of any offence or any other personal data as the Minister of Communications and Multimedia (Minister) may determine by a published order. Other than the categories of sensitive personal data listed above, the Minister has not published any other types of personal data to be sensitive personal data as of December 26, 2018.

Authority

Pursuant to the PDPA, a Personal Data Protection Commissioner (Commissioner) has been appointed to implement the PDPA’s provisions. The Commissioner will be advised by a Personal Data Protection Advisory Committee will be appointed by the Minister and will consist of one Chairman, three members from the public sector, and at least seven, but no more than eleven other members. The appointment of the Personal Data Protection Advisory Committee will not exceed a term of three years; however, members can be appointed for two successive terms.

The Commissioner’s decisions can be appealed through the Personal Data Protection Appeal Tribunal. The following are examples of such appeals

• Decisions relating to the registration of data users under Part II Division 2 of the PDPA
• The refusal of the Commissioner to register a code of practice under Section 23(5) of the PDPA
• The service of an enforcement notice under Section 108 of the PDPA
• The refusal of the Commissioner to vary or cancel an enforcement notice under Section 109 of the PDPA, or
• The refusal of the Commissioner to conduct or continue an investigation is based on a complaint under Part VIII of the PDPA.

If a data user is not satisfied with a decision of the Personal Data Protection Advisory Committee, the data user may proceed to file a judicial review of the decision in the Malaysian High Courts.

Which Organisations are Required to Register

Currently, the PDPA requires the following classes of data users to register under PDPA:

1. Communications
   • A licensee under the Communications and Multimedia Act 1998
   • A licensee under the Postal Services Act 2012
2. Banking and financial institution
   • A licensed bank and licensed investment bank under the Financial Services Act 2013
   • A licensed Islamic bank and licensed international Islamic bank under the Islamic Financial Services Act 2013
   • A development financial institution under the Development Financial Institution Act 2002
3. Insurance
   • A licensed insurer under the Financial Services Act 2013
   • A licensed takaful operator under the Islamic Financial Services Act 2013
   • A licensed international takaful operator under the Islamic Financial Services Act 2013
4. Health
   • A licensee under the Private Healthcare Facilities and Services Act 1998
   • A holder of the certificate of registration of a private medical clinic or a private dental clinic under the Private Healthcare Facilities and Services Act 1998
   • A body corporate registered under the Registration of Pharmacists Act 1951
5. Tourism and hospitality
   • A licensed person who carries on or operates a tourism training institution, licensed tour operator, licensed travel agent or licensed tourist guide under the Tourism Industry Act 1992
   • A person who carries on or operates a registered tourist accommodation premises under the Tourism Industry Act 1992
6. Transportation
   • Certain named transportation services providers
7. Education
   • A private higher educational institution registered under the Private Higher Educational Institutions Act 1996
   • A private school or private educational institution registered under the Education Act 1996
8. Direct selling
   • A licensee under the Direct Sales and Anti-Pyramid Scheme Act 1993
9. Services
   • A company registered under the Companies Act 1965 or a person who entered into partnership under the Partnership Act 1961 carries on business as follows:
     • legal
     • audit
     • accountancy
     • engineering
     • architecture
   • A company registered under the Companies Act 1965 or a person who entered into partnership under the Partnership Act 1961, who conducts retail dealing and wholesale dealing as defined under the Control Supplies Act 1961
   • A company registered under the Companies Act 1965 or a person who entered into partnership under the Partnership Act 1961, who carries on the business of a private employment agency under the Private Employment Agencies Act 1981
10. Real estate
    • A licensed housing developer under the Housing Development (Control and Licensing) Act 1966
    • A licensed housing developer under the Housing Development (Control and Licensing) Enactment 1978, Sabah
    • A licensed housing developer under the Housing Developers (Control and Licensing) Ordinance 1993, Sarawak
11. Utilities
    • Certain named utility services providers
12. Pawnbroker
    • A licensee under the Pawnbrokers Act 1972
13. Moneylender
    • A licensee under the Moneylenders Act 1951

Certificates of registration are valid for at least one year, after which data users must renew registrations and may not continue to process personal data.

Data users are also required to display their certificate of registration at a conspicuous place at their principal place of business, and a copy of the certificate at each branch, where applicable.

The Commissioner may designate a body as a data user forum for a class of data users. Data user forums can prepare codes of practice to govern compliance with the PDPA, which can be registered with the Commissioner. Once registered, all data users must comply with the provisions of the code, and non-compliance violates the PDPA. As of December 26, 2018, the Commissioner has published several codes of practice, including for the banking and financial sector, the aviation sector, the utility sector and the insurance and takaful industry in Malaysia.

Do I Need to Appoint a Data Protection Officer

Currently, Malaysian law does not require that data users appoint a data protection officer.

Tune in for Part Two to follow