The Personal Data Protection Act 2010 has come into force in Malaysia. These slides explain the governing principles in order for you to have an overview whether your company is ready to comply.

1. Personal Data Protection in
Malaysia
Are you ready?

2. The Law
On 15 November 2013, the Personal Data
Protection Act 2010 (PDPA) was Gazetted to
come into force. This Act regulates all
companies who process personal data in
commercial transactions.

3. Your company is caught by the
PDPA if you...


Process
personal data for
own commercial
use

Outsource the
process of
personal data to
other companies

Act as
outsourced
service provider
to process
personal data for
others
In short, unless you do not keep any data of
customers or suppliers, the Act applies to
you.

4. What is personal data?
Any data which can identify a person is considered
personal data. There are 2 categories of personal data
as follows:
Personal Data
Sensitive Personal Data

Name

Physical health or condition

Address

Mental health or condition

Tel No

Political views

Email

Religious or other similar beliefs

Gender

Criminal records

Date of birth


Photos

Videos, etc
Any other information deemed
by the Minister to be sensitive
personal data

5. Difference between personal data
and sensitive personal data
All personal data must be processed in
accordance with the principles set out in the
PDPA.
However, sensitive personal data can only be
processed if explicit consent is given under
section 40 PDPA.

6. The meaning of “processing”
personal data
Processing includes any form of dealing with
personal data such as collecting, keeping,
organizing, using, etc.
The definition of “processing” under the Act is
adequately exhaustive to ensure that any
dealing with personal data will be considered
“processing”.

7. 7 Principles of Personal Data
Protection under the PDPA
1. General Principle
2. Notice and Choice Principle
Person whose data is to be
processed must consent.
Person must be notified his
personal data will be processed
and how. He must also be given
the choice to limit the right to
process.
3. Disclosure Principle
4. Security Principle
Personal data cannot be used
except for purpose stated, and
cannot be disclosed except to
disclosed third parties.
Companies must have sufficient
steps and procedures to protect
personal data from loss,
misuse, modification,
unauthorised access or
disclosure, alteration or
destruction.

8. Principles of Personal Data
Protection (2)
5. Retention Principle
6. Data Integrity Principle
Personal data cannot be kept
longer than necessary, and
must be destroyed or
permanently deleted if no
longer required.
Companies must take reasonable
steps to ensure personal data is
accurate, complete, not
misleading and kept updated.
And finally,
7. Access Principle
Any person must be permitted access to his own personal data and be
entitled to correct any inaccurate, incomplete or misleading
information of himself.

9. Need to register as data user
Companies processing personal data must
register as a data user under the PDPA.
This registration must be renewed on an annual
basis.

10. Obligation to keep records
Companies must also keep records of every
notice, application or request made by any
person regarding the processing of his personal
data.

11. Enforcement Provisions


Commissioner entitled to
inspect system of every
company either pursuant to
complaint or on own initiative.
No claim for costs or damages
can lie against enforcement
officers in carrying out their
duties (appropriately or
otherwise).


Commissioner may search
premises and seize records
including computers, with or
without a warrant (if authorised
officer is satisfied delay in
getting warrant will result in lost
or tampered evidence).
Officers can compel
attendance of any person for
purposes of facilitating
investigations, and arrest any
person suspected of committing
an offence under the Act.

12. Offences and punishment

Offences of unlawful
collection and
processing of
personal data can, on
conviction, attract a
fine of up to
RM500,000-00 or
imprisonment of up to
3 years or both.

If company is found
liable, its director,
CEO, COO, manager,
secretary or similar
officer may be held
personally liable for
the said offence.

13. So, what must you do?






Analyse your current practices. Identify where you fall
short of the requirements of the PDPA.
Revamp your forms, processes and procedures to comply
with the requirements and 7 principles.
Document your revised forms, processes and procedures.
Allocate roles and responsibilities in order to ensure
continued compliance by your company.
Register your company as a personal data user. This is
compulsory under the PDPA.
Train your staff to comply and avoid liabilities.

14. REMINDER:
Outsourcing to third parties does not help. Your
company continues to be liable for the conduct of
the third party service provider under the PDPA.

15. Need help?
We can assist you to comply with the PDPA by:
1. reviewing your existing forms, processes and
procedures and revamping them to comply;
2. documenting your policy and practices and
structure roles and responsibilities to ensure
compliance;
3. register your company as a personal data user;
4. train your staff.

16. For more information, please contact:
Chan Kheng Hoe
Partner, Corporate and Commercial
Tel: +603-6205 3928
Fax: +603-6205 4928
E-mail: khenghoe@mycounsel.com.my
When in doubt, Ask@MyCounsel.com.my