The Personal Data Protection Department (PDPD) is an agency under the Ministry of Communications and Multimedia. It was established on 16 May 2011 after Parliament passed the bill that became the Personal Data Protection Act 2010 (PDPA, Act 709).
The main responsibility of the department is to oversee the processing of personal data of individuals in commercial transactions by data users, so that the data is not misused or misapplied by the parties concerned.
Protection of individuals against any form of abuse in the storage or processing of their personal data, by the public and private sectors in Malaysia for commercial transactions, is stipulated under the PDPA.
In enforcing the PDPA, JPDP (Jabatan Perlindungan Data Peribadi, the department's Malay name) is mandated to register all classes of data users, consisting of individuals or private parties other than the Government, for the purpose of protecting the rights of consumers and the public.
JPDP is headed by the Director General, assisted by a Deputy Director General. It has three main divisions: Registration and Operations, Monitoring, and Legal.
Prior to 2010, the regulation of personal data was governed mainly by industry-specific legislation. Industry-specific legislation in respect of data protection existed in the banking and finance, healthcare, and telecommunications industries, amongst others. In May 2010, the PDPA was passed by the Malaysian Parliament and received Royal Assent in June 2010. The PDPA came into force on 15 November 2013, with a three-month grace period ending on 14 February 2014.
Together with the PDPA, five pieces of subsidiary legislation also came into force on 15 November 2013. These address issues such as the appointment of the Personal Data Protection Commissioner (‘the Commissioner’), the registration of data users, and the fees that may be imposed under the PDPA. This subsidiary legislation was passed simultaneously in order to facilitate the enforcement of the PDPA.
The subsidiary legislation that has been passed to date includes:
Other subsidiary legislation pertains to the appointment of the Commissioner.
The Commissioner has issued the Personal Data Protection Standard 2015 (‘the 2015 Standards’), which came into force on 23 December 2015. The 2015 Standards comprise security standards, retention standards, and data integrity standards, which apply to personal data that is processed electronically and non-electronically. The 2015 Standards are intended to be ‘a minimum requirement’ and apply to all data users, meaning any person who processes, has control of, or allows the processing of, any personal data in connection with a commercial transaction.
Data user forums were formed for specific industries, in particular, for the communications, banking and finance, insurance, hospitality, transport, direct sales, professional services, and utility sectors. Each data user forum was directed by the Commissioner to develop its own codes of practice for adherence by data users in the respective sectors.
Four codes of practice were finalised and registered by the Commissioner in 2017, namely the Code of Practice for the Banking and Financial Sector 2017, the Personal Data Protection Code of Practice for the Utilities Sector (Electricity) 2017, Code of Practice on Personal Data Protection for the Insurance and Takaful Industries in Malaysia 2017, and the Personal Data Protection Code of Practice for the Communications Class Data Users 2017.
The Department of Personal Data Protection (‘PDP’) has released a number of guidance documents and Frequently Asked Questions (‘FAQs’) on their website on various matters under the PDPA and its subsidiary legislation. There is also the Draft Guide for Data Users which was issued in March 2016.
No cases under the PDPA have been reported yet. However, it has been reported on the PDP’s website that enforcement actions in the form of penalties have been taken against entities in various sectors, namely the tourism, education, and services sectors, for failure to register as data users and, in one case, for failure to obtain the requisite consent from the data subject.
The PDPA applies to any person who processes or has control over the processing of personal data (‘data user’). It is pertinent to note that processing is defined widely under the PDPA, covering activities including using, disseminating, collecting, recording, and/or storing personal data. Furthermore, only individuals are referred to as data subjects under the PDPA. The PDPA also contains specific provisions for data processors. A data processor that processes personal data solely on behalf of a data user may not be bound directly by the provisions of the PDPA; rather, it is the duty of the data user to ensure compliance by the data processor with the relevant provisions under the PDPA.
The PDPA does not apply to personal data processed outside Malaysia, unless the data is intended to be further processed in Malaysia, and it also does not apply to a data user who is not established in Malaysia unless that person uses equipment in Malaysia to process personal data, other than for the purpose of transit through Malaysia. The Government of Malaysia (‘Government’) and state governments are also exempted from the application of the PDPA along with any information processed for the purposes of a credit reporting business under the Credit Reporting Agencies Act 2010.
The PDPA covers processing in relation to personal data defined as collecting, recording, holding, or storing of personal data, or carrying out of any operation or set of operations on personal data, including:
Personal data processed only for the purposes of that individual’s personal, family, or household affairs, including recreational purposes, is exempted from the PDPA.
However, the following are exempted from certain, but not all, data protection principles under the PDPA in some circumstances:
The PDP is an agency under the Ministry of Communications and Multimedia (‘MCM’). It was officially launched by the Minister in Kuala Lumpur on 12 February 2012. The PDPA came into force on 15 November 2013. The current Commissioner is Mazmalek bin Mohamad, who was appointed with effect from 22 January 2019.
The main responsibility of the PDP is to enforce and regulate the PDPA in Malaysia. It focuses on the processing of personal data in commercial transactions and on avoiding the misuse of personal data. In enforcing the PDPA, the Commissioner has also been mandated to register all classes of data users prescribed under the Personal Data Protection (Class of Data Users) Order 2013 (‘the Order’).
The Commissioner has the power to carry out inspections of data protection systems under the PDPA. Furthermore, the 2013 Regulations provide that the personal data system must, at all reasonable times, be open to the inspection of the Commissioner or any inspection officer. During this inspection, documents such as consent and notice forms may be requested, as well as the list of third-party disclosure or any other documentation evidencing compliance with standards issued by the Commissioner, or any other information that the Commissioner may request.
Other powers include, among other things, the power to designate data user forums, issue and register codes of practice, carry out investigations on receipt of complaints, serve enforcement notices, and authorise officers to take enforcement actions.
Three conditions must be fulfilled in order for data to be considered as personal data under the PDPA, namely:
In respect of the first condition, ‘commercial transactions’ are defined under the PDPA as transactions of a commercial nature and include any matter relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance. It is currently unclear whether an employment relationship is considered to be a commercial transaction and whether employment-related information would come under the scope of the PDPA. The definition of ‘personal data’ appears to be sufficiently wide to cover the usual types of personal information collected in day to day transactions, for example, name, address, telephone number, email address, banking details, and photographs.
Sensitive personal data under the PDPA includes ‘any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence or any other personal data as the Minister may determine by order published in the Gazette.’ The obligations imposed by the PDPA in respect of sensitive personal data are more stringent.
The PDPA defines ‘data user’, which is the equivalent of a ‘data controller’ as a person who either alone, or jointly, or in common with other persons, processes any personal data or has control over, or authorises the processing of any personal data, but does not include a data processor.
A data processor under the PDPA means ‘any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user and does not process the personal data for any of his own purposes.’
The PDPA defines ‘data subject’ as an individual who is the subject of the personal data.
There are currently no express provisions or guidance in the PDPA on ‘biometric data’. However, such data could fall within the scope of ‘sensitive personal data’ as it consists of information regarding the ‘physical condition of the data subject’.
‘Health data’ is not specifically defined under the PDPA but such data would fall within the scope of ‘sensitive personal data’ as it consists of information as to the ‘physical or mental health or condition of a data subject’.
There are currently no express provisions or guidance in the PDPA on ‘pseudonymisation’.
This principle prohibits a data user from processing personal data without the consent of a data subject. However, a data user is not required to comply with this requirement where the processing is necessary for:
Please see section 5 above.
There are no exemptions from consent for data processing carried out in public interests in general, but there are exemptions such as for public interest in freedom of expression i.e., where the data user reasonably believes that, taking into account the special importance of public interest in freedom of expression, the publication would be in the public interest.
The concept of ‘legitimate interests’ does not feature under Malaysian data protection laws.
A data user is required to comply with the seven personal data protection principles.
As outlined above. Further to this, the General Principle also sets out certain parameters for the processing of personal data. It provides that personal data shall not be processed unless:
The 2013 Regulations stipulate that consent must be recorded and must be properly kept by data users. The requirement to record consent implies that consent should be sought expressly or by way of opt-in methods, as arguably consent cannot be recorded where it is implied or where an opt-out method is used. Further, it is pertinent to note that the 2013 Regulations stipulate that the onus to prove consent is on the data user. The 2013 Regulations also state that when consent is required, the requirement to obtain consent shall be presented as distinguishable in its appearance from other matters. Where personal data relates to a data subject under 18 years of age, consent must be sought from the parent, guardian, or person who has parental responsibility of the data subject.
This principle requires a data user to inform a data subject of various matters relating to the information of the data subject, which is being processed by, or on behalf of that data user.
The PDPA requires a data user to inform a data subject by written notice of the following, in both the national language, Malay, and English:
Notice of the above has to be given by the data user ‘as soon as practicable,’ that is, when the data user first requests the personal data from the data subject, when the data user first collects the personal data of the data subject, or before the data user uses it for a purpose other than the original purpose or discloses it to a third party. The data subject must also be provided with a clear and readily accessible means to exercise his choice, where necessary, in both Malay and English.
This principle prohibits a data user from disclosing the personal data of a data subject:
However, disclosure of personal data is permitted where:
The 2013 Regulations stipulate that a list of third-party disclosures must also be kept by the data user, and such a list may be requested by the Commissioner or inspecting officer during an inspection.
This principle imposes an obligation on a data user to adopt specified measures to protect personal data from loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction during its processing. Where the data processing is carried out by a data processor on behalf of a data user, the data user must ensure that the data processor provides sufficient guarantees in respect of the technical and organisational security measures governing the processing and takes reasonable steps to ensure compliance with those measures.
Under the PDPA, it is stipulated that the following factors must be taken into account:
According to the 2013 Regulations, a security policy has to be formulated by the data user. A brief overview of the security standards prescribed by the 2015 Standards are as follows:
In respect of non-electronically processed personal data, a data user must:
This principle provides that personal data must not be retained longer than is necessary for the fulfilment of the purpose for which it is processed and requires the data user to destroy or permanently delete all personal data which is no longer required for the purpose for which it was processed. However, under other laws, there may be minimum data retention periods, which may be specified, for example, under certain tax laws. It would appear unlikely that the retention of data in compliance with retention periods stipulated under other laws would be considered a contravention of the Retention Principle, though this has not yet been tested.
A brief overview of the retention standards prescribed by the 2015 Standards is as follows:
This principle requires a data user to take reasonable steps to ensure that the personal data is accurate, complete, not misleading, and kept up-to-date by having regard to the purpose, including any directly related purpose, for which the personal data was collected and further processed.
A brief overview of the data integrity standards prescribed by the 2015 Standards is as follows:
The provisions under the PDPA generally concern data users directly and not data processors. However, data users are in certain cases required to contractually bind data processors to ensure compliance with the PDPA.
The Order and the Order Amendment set out the classes of data users who have to be registered with the Commissioner.
The sectors which have been specified are:
It appears that for the most part, licensees under the relevant sectors are the data users, who have to be registered. Under the PDPA, a data user who falls within the prescribed classes is required to register itself within three months of the coming into force of the PDPA, although in practice, late registrations are still being accepted subject to such registrations being accompanied by a letter of explanation outlining the reason for late registration. The registration of data users can be completed on the PDP’s website. The Minister may also require data user forums to be established and codes of practice to be prepared.
The PDPA prohibits the transfer of personal data out of Malaysia unless the transfer is to a country which has been specified by the Minister by notification in the Gazette.
Currently, no countries have been specified officially. Notwithstanding the prohibition on transfers of personal data out of the country, the PDPA sets out a number of exceptions to the prohibition, such as where the consent of the data subject has been obtained for the transfer and where the transfer is necessary for the performance of a contract between the parties. When in doubt as to whether an exception to the transfer prohibition applies, the prudent approach is to obtain consent from the data subject for the transfer out of Malaysia. In relation to outsourcing, a data user is not allowed to share data with third parties unless the consent of the individual has been obtained.
A data user must keep and maintain a record of any application, notice, request, or any other information relating to personal data processed by him in the form and manner that may be determined by the Commissioner.
The personal data system must also be open for inspection and the Commissioner or inspection officer may require certain documents to be produced including inter alia record of consent and notice, list of disclosures to third parties and the security policy. Other laws may also prescribe record-keeping requirements, e.g., tax law.
There is no requirement to conduct a Data Protection Impact Assessment (‘DPIA’) under the PDPA.
The PDPA does not mandate the appointment of a data protection officer (‘DPO’) but the application form for registration of data users requires a ‘compliance person’ to be named which is indicated as the individual who will ‘supervise the application of the PDPA’ in the data user’s organisation. A proposal paper entitled ‘Guidelines on Compliance with Personal Data Protection 2010’ seeking to introduce the designation of such officer was issued in 2014 but until it is gazetted as law, its status remains unclear.
The PDPA does not currently provide for this but the authorities issued a Public Consultation Paper 1/2018: The Implementation of Data Breach Notification which seeks to introduce a data breach notification regime, where data users will be required to notify regulators and affected individuals in the event of a data breach. The consultation paper sets out, among others, the requirement to notify the Commissioner within 72 hours of becoming aware of the data breach incident and to provide details about the data at risk, actions that have been taken or will be taken to mitigate the risks to the data, details of notifications to affected individuals, and details of the organisation’s training programs on data protection. However, the consultation paper has yet to be gazetted as law.
While it is not a mandatory requirement under the PDPA, a data breach notification to the Commissioner can be submitted online via the PDP’s website. The information required includes the particulars of the data user and of the person giving the notification, details of the data breach, containment and recovery measures, and notifications made to other parties (regulators and law enforcement agencies, affected parties, data processors, or overseas data protection authorities).
While there is no general obligation to report a personal data breach to either individuals or the PDP under the PDPA, there appears to be various reporting obligations imposed by different regulators and authorities that have jurisdiction depending on the specific facts of each case.
As such, whether there is a requirement for notification of data breaches is largely fact specific and may depend on various factors including the types of services carried out, the entity concerned, and the level of severity of the breach. It is also not uncommon for regulators and authorities to have directives or guidelines which are internal or issued directly to industry meaning that the public does not have access to them.
In the health sector, there are general reporting obligations which are not specific to the notification of data breaches but may be relevant. For instance, section 37(1) of the Private Healthcare Facilities and Services Act 1998 states that a private healthcare facility or service must report to the Director General, or any person authorised by him in that behalf, such unforeseeable and unanticipated incidents as may be prescribed.
In the financial sector, depending on the facts of the case, various reporting obligations imposed by regulators and authorities may be triggered which may or may not relate to data breaches. For instance, under the Guidelines on Internet Insurance published by the Central Bank of Malaysia (‘BNM’), licensed insurers that carry out internet insurance activities are required to report material security breaches, system downtime, and degradation in system performance that critically affects the insurer to the BNM.
The BNM has also issued the Management of Customer Information and Permitted Disclosures, which states that financial service providers must have in place a customer information breach handling and response plan in the event of theft, loss, misuse, or unauthorised access, modification, or disclosure by whatever means of customer information. There is also a template attached to the guidance document for reporting a customer information breach.
Under the Guidelines on Data Management and Management Information System (‘MIS’) Framework published by the BNM, boards of licensed financial institutions are required to inform the BNM of any developments that may have a material bearing on the institution’s operations, risk profile, or financial condition. Public listed companies are also subject to the Listing Requirements issued by Bursa Malaysia where listed issuers are required to disclose to the public immediately all material information necessary for informed investing.
Where capital market entities are concerned, the Guidelines on Management of Cyber Risk published by the Securities Commission of Malaysia (‘SC’) require all such entities to report to the SC any detected cyber incident which may have, or has had, an impact on the information assets or systems of the entity, on the day the incident occurs. Therefore, whether data breach notification requirements apply largely depends on the specific facts and circumstances of each case. Separately, under the Financial Services Act 2013 (‘FSA’), protection is conferred upon those who disclose in good faith to the BNM their knowledge or belief, or any document or information, that a breach or contravention under the FSA has been committed or is about to be committed.
In addition to the retention principle under the PDPA, as highlighted in section 6 above, the 2015 Standards outline three main standards: security, retention, and data integrity, which apply to personal data processed either electronically or non-electronically.
A brief overview of the measures prescribed by the 2015 Standards is as follows:
Under the PDPA, children (minors under the age of 18) cannot provide consent to the processing of their personal data. Where a minor’s personal data is involved, the 2013 Regulations requires that consent be obtained from the parent, guardian, or person who has parental responsibility on the minor.
‘Criminal conviction data’ is considered as ‘sensitive personal data’ under the PDPA.
Processing ‘sensitive personal data’ requires explicit consent unless an exemption applies. Some examples are where the processing relates to information that has been made public as a result of steps deliberately taken by the data subject or where the processing is necessary:
Where the processing of personal data is carried out by a data processor on behalf of a data user, the PDPA for the purpose of protecting the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction, requires the data user to ensure that the data processor:
In addition to the obligations placed on a data user, the PDPA also confers the following rights on a data subject (which are further explained below):
Some of the rights mentioned above are further qualified by the provisions in the PDPA. In respect of the right of a data subject to prevent processing for direct marketing purposes, the PDPA stipulates that a data subject may, at any time by notice in writing to a data user, require the data user to cease or not to begin processing his/her personal data for purposes of direct marketing. Direct marketing is defined under the PDPA as ‘communication by whatever means of any advertising or marketing material, which is directed to particular individuals.’
In the event the data subject is dissatisfied with the data user’s failure to comply with the notice to cease processing for direct marketing, the data subject may submit an application to the Commissioner to require the data user to comply with the notice. It is pertinent to note that if a data user fails to comply with the requirements of the Commissioner they would be committing an offence under the PDPA, which attracts a fine of up to MYR 200,000 (approx. €40,280) or to imprisonment for a term not exceeding two years, or both.
As of 11 January 2015, a data subject who believes that there has been a misuse of his/her data by an individual or an organisation may lodge a complaint online on the Commissioner’s website in order for the necessary investigation to be carried out.
Please see the explanation under ‘Notice & Choice Principle’ above.
A data subject has a right of access to his own data and to correct the same if it is inaccurate, incomplete, misleading, or outdated, subject to certain conditions. Certain prescribed procedures have been set out where access or correction is requested by the data subject (i.e., whether the data subject requires a copy of the personal data; data user must acknowledge receipt of the request). The 2013 Regulations also set out the information which may be requested by a data user when processing an access request.
The terminology under the PDPA is ‘right to correction’, which has been addressed under 8.2 above.
There are no express rights of erasure under the PDPA.
Under the PDPA, a data subject has the following rights to object/opt-out:
A data subject can withdraw consent for the processing of his/her personal data at any time by way of written notice.
A data subject may by written notice require a data user to cease or not begin processing personal data for a specified purpose or in a specified manner if:
There are no express rights of data portability under the PDPA.
This right does not feature under Malaysian data protection laws.
Failure to comply with the provisions in the PDPA may amount to a criminal offence. Breaching of any of the seven data protection principles attracts a fine of up to MYR 300,000 (approx. €60,400) and/or to two years imprisonment. The unlawful collection, disclosure, and sale of personal data attracts a fine of up to MYR 500,000 (approx. €100,680) and/or up to three years imprisonment.
If a corporate body is found to have committed an offence, the officers of such corporate bodies are deemed to have committed the offence personally. However, the officer(s) of such corporate body may not be found to have committed the offence if he/she/they can prove the offence was committed without his/her/their knowledge or consent and he/she/they had taken all reasonable precautions and exercised due diligence to prevent the commission of the offence.
The Compounding of Offences Regulations came into operation on 15 March 2016 and provide that certain offences may be compounded with the consent of the Public Prosecutor in the form and manner prescribed. The offences prescribed thus far relate to certain offences under the PDPA, the 2013 Regulations, and the Registration Regulation.
The PDP has released its Annual Report 2016 (available only in Malay) based on inspections carried out pursuant to section 101 of the PDPA. The report shows that inspections were carried out across various sectors, including the direct sales, education, health, banking and financial, property, and tourism sectors. The report also shows several instances of non-compliance with the PDPA found in these inspections, particularly with the security principle and the notice and choice principle.
Apart from inspections and audits, as noted above, the PDP has been taking enforcement actions against non-compliance, and it is expected that the PDP will continue to increase efforts in respect of such enforcement actions.
On 18 March 2019, the MCM Minister announced that the Government is currently reviewing the PDPA to ensure it is in line with global developments. The MCM is keen to incorporate key points of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) into the PDPA. Among the areas being looked at by the MCM are cross-border data transfers, data breach notifications, and whether the Government should be exempted from the PDPA.
As part of an ongoing review of the PDPA, the Commissioner has issued Public Consultation Paper No. 01/2020 – Review of Personal Data Protection Act 2010 dated 14 February 2020 to seek the views and comments of the public on 22 issues. Some of the issues for which feedback is sought include extension of obligations to data processors, data portability, the appointment of DPO, the reporting of data breaches, and providing a right to commence civil litigation against data users.