General data protection laws
The Personal Data Protection Act 2010 (“PDPA”).
Entry into force
The PDPA came into force on 15 November 2013.
Details of the competent national regulatory authority
Personal Data Protection Commissioner (“PDP Commissioner”)
Aras 6, Kompleks Kementerian Komunikasi dan Multimedia
Lot 4G9, Persiaran Perdana, Presint 4
Pusat Pentadbiran Kerajaan Persekutuan
Notification or registration scheme and timing
Data users that fall under any one or more of the classes specified in the Personal Data Protection (Class of Data Users) Order 2013 (“Order”) are required to register with the PDP Commissioner. The relevant classes include banking and financial institutions, insurers, healthcare service providers, airline operators and utilities service providers.
Applicants must fill in Form 15(1) and submit it to the PDP Commissioner. Data users had a grace period of three months from the date the PDPA came into force (i.e. up to 14 February 2014) to submit their applications for registration.
There are no exemptions from registration for data users who fall within any one or more of the classes prescribed in the Order. Conversely, data users who do not fall within any of those classes are not required to register.
Appointment of a data protection officer
There is currently no obligation for a data user to appoint a data protection officer.
What is personal data?
Personal data is defined as information that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, and includes any sensitive personal data and expressions of opinion about the data subject. This definition is therefore similar to the standard definition of personal data.
However, the PDPA only protects personal data that is used in connection with commercial transactions.
Is information about legal entities personal data?
No. However, as no guidelines have been issued on what constitutes personal data, information about sole or individual proprietors and individual partners (who are natural persons) may be treated as personal data.
What are the rules for processing personal data?
In order to legitimately process personal data, the seven Personal Data Protection Principles must be complied with.
Under the General Principle, in order for personal data to be processed, a data user must first seek and obtain the consent of the data subject. Alternatively, the processing must be necessary: (i) for the purposes of a contract with the data subject; (ii) for the taking of steps at the request of the data subject with a view to entering into a contract; (iii) for compliance with any legal obligation to which the data user is subject, other than an obligation imposed by a contract; (iv) in order to protect the vital interests of the data subject; (v) for the administration of justice; or (vi) for the exercise of any functions conferred on any person by or under any law. This principle also provides that a data user may only process the personal data for purposes connected to the purpose for which the personal data was provided to the data user.
Data subjects also have a right under the PDPA to withdraw their consent to the processing of personal data by a data user.
The Disclosure Principle states that personal data of a data subject cannot be disclosed to any third party without the knowledge and consent of the data subject. Under the Data Integrity Principle, a data user must take reasonable steps to ensure that personal data processed is accurate, complete, not misleading, and up-to-date. The Retention Principle obliges a data user not to keep personal data for any longer than is required.
Data users are also subject to the Notice and Choice Principle, the Security Principle and the Access Principle, which are discussed in further detail below.
The PDPA contains a number of exemptions including exemptions for processing for personal purposes, journalistic purposes and judicial purposes.
Are there any formalities to obtain consent to process personal data?
No. The PDPA does not define “consent”, nor does it prescribe any formalities in terms of the consent. However, the Personal Data Protection Regulations 2013 provide that the data user must keep a record of consents from data subjects.
What is sensitive personal data?
Sensitive personal data is defined as any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence or any other personal data as the Minister responsible for personal data protection (currently the Minister of Communications and Multimedia) may determine. This definition differs slightly from the standard types of sensitive personal data.
Are there additional rules for processing sensitive personal data?
Yes. Sensitive personal data may only be processed with the explicit consent of the data subject, if the sensitive personal data has been made public by the data subject or if the processing satisfies certain statutory conditions set out in the PDPA.
Those statutory conditions are that processing is: (i) for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data user in connection with employment; (ii) in order to protect the vital interests of the data subject or another person, in a case where consent cannot be given by or on behalf of the data subject or the data user cannot reasonably be expected to obtain the consent of the data subject; (iii) in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld; (iv) for medical purposes and is undertaken by a healthcare professional or a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a healthcare professional; (v) for the purpose of, or in connection with, any legal proceedings; (vi) for the purpose of obtaining legal advice; (vii) for the purposes of establishing, exercising or defending legal rights; (viii) for the administration of justice; (ix) for the exercise of any functions conferred on any person by or under any written law; or (x) for any other purposes as the Minister thinks fit. Please note that the term “vital interests” is defined in the PDPA as “matters relating to life, death or security of a data subject”.
Are there any formalities to obtain consent to process sensitive personal data?
The processing of sensitive personal data requires the “explicit consent” of the data subject. However, the PDPA does not define “consent” or “explicit consent”, nor does it prescribe any formalities in terms of the consent. As set out above, data users must nonetheless keep a record of consents from data subjects.
What is the territorial scope of application?
The PDPA applies to data users if they are: (i) established in Malaysia (regardless of whether or not the personal data is processed in the context of that establishment); or (ii) not established in Malaysia, but use equipment in Malaysia to process the personal data otherwise than for the purposes of transit through Malaysia.
Who is subject to data protection legislation?
The PDPA uses the term “data user”, a concept similar to a data controller. A data user is defined in the PDPA as a person who either alone or jointly or in common with other persons processes any personal data or has control over or authorises the processing of any personal data, but does not include a data processor.
Only data users are required to comply with the Personal Data Protection Principles. The Principles do not directly apply to data processors.
Are both manual and electronic records subject to data protection legislation?
Yes. The PDPA applies to both electronic records and records in a structured filing system.
The PDPA does not explicitly give individuals a right to compensation in cases of a breach of the PDPA.
Fair processing information
Under the Notice and Choice Principle, a data user must serve a written notice on the data subject. In this notice, the data user must describe, inter alia, the types of personal data collected, the purposes of the processing, the source of the personal data, and the class of third parties to whom the personal data may be disclosed. The notice must be in both the national language and English.
Rights to access information
Under the Access Principle, data subjects are given a right to access their personal data. A request for access must be complied with within 21 days of receipt of the request. A reasonable fee may be imposed by the data user for access requests, with the maximum fees fixed under the Personal Data Protection (Fees) Regulations 2013. There is a range of exceptions to this right, including where compliance would result in disproportionate expense.
Objection to direct marketing
The PDPA grants data subjects a specific right to prevent processing for the purposes of direct marketing. Direct marketing under the PDPA means “communication by whatever means of any advertising or marketing material which is directed to particular individuals”.
Separately, under the Access Principle, data subjects also have a right to have their personal data corrected.
Security requirements in order to protect personal data
There is a general requirement under the PDPA on security of personal data, which imposes an obligation on a data user to take practical steps to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.
Specific rules governing processing by third party agents (processors)
Where processing of personal data is carried out by a data processor on behalf of a data user, the data user must ensure that the data processor: (i) provides sufficient guarantees in respect of putting technical and organisational security measures in place to govern the processing of the personal data; and (ii) takes reasonable steps to ensure compliance with those measures.
Notice of breach laws
The PDPA imposes no obligation to notify the PDP Commissioner or data subjects in the event of a breach.
Restrictions on transfers to third countries
Yes, there are restrictions. Personal data may only be transferred outside Malaysia to a country that has been published in the Gazette by the Minister. To date, no countries have been published.
Alternatively, personal data can be transferred outside Malaysia if conditions that are broadly similar to the standard conditions for transborder dataflow are satisfied. These are that: (i) the data subject has given his consent to the transfer; (ii) the transfer is necessary for the performance of a contract between the data subject and the data user; (iii) the transfer is necessary for the conclusion or performance of a contract between the data user and a third party which is entered into at the request of the data subject or is in the interests of the data subject; (iv) the transfer is for the purpose of any legal proceedings or for the purpose of obtaining legal advice or for establishing, exercising or defending legal rights; (v) the data user has reasonable grounds to believe that in all circumstances of the case, the transfer is for the avoidance or mitigation of adverse action against the data subject (and it is not practicable to obtain the data subject’s consent to the transfer, and if it was practicable to obtain such consent, the data subject would have given his consent); (vi) the data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not in that place be processed in a manner which would be in contravention of the PDPA; (vii) the transfer is necessary to protect the vital interests of the data subject; and (viii) the transfer is in the public interest in circumstances determined by the Minister.
Notification and approval of national regulator (including notification of use of Model Contracts)
No such notification or approval is required.
Use of binding corporate rules
Binding corporate rules are not recognised. Malaysia has yet to expressly recognise the use of binding corporate rules as a means of justifying transborder dataflow.
A breach of the provisions of the PDPA can result in a range of fines and/or imprisonment. Some of the more important sanctions are set out below.
Failure to comply with the seven Personal Data Protection Principles is an offence punishable by a fine of up to 300,000 Malaysian Ringgit (approximately €67,000) and/or imprisonment for up to three years.
Breach of the restriction on transborder dataflow is an offence and can result in a fine of up to 300,000 Malaysian Ringgit (approximately €67,000) and/or imprisonment for up to two years.
Data users who fall under any one or more of the class of data users stated in the Order, who process personal data without registering themselves, commit an offence and may be liable to a fine of up to 300,000 Malaysian Ringgit (approximately €67,000) and/or imprisonment for up to two years.
The PDPA contains a prohibition, absent the consent of the data user concerned, against: (i) the collection or disclosure of personal data held by a data user; and (ii) procuring the disclosure to another person of personal data held by a data user. Breach of this prohibition is an offence punishable by a fine of up to 500,000 Malaysian Ringgit (approximately €110,000) and/or imprisonment for up to three years.
As the PDPA has only recently come into force, there has been no enforcement activity as yet.
The PDP Commissioner is the enforcement authority in Malaysia. Appeals against decisions of the PDP Commissioner may be made to an Appeal Tribunal, which has yet to be set up.