PDPA-Compliant Marketing In Malaysia: Customer Database Security & Governance Risks
FYI! This article is the third of a series of pieces on PDPA compliance for marketing processes in Malaysia. Click to read Part 1: PDPA and Marketing in Malaysia and Part 2: Individual Rights Under the PDPA.

As marketing databases grow and campaigns become more automated, businesses in Malaysia face a second layer of PDPA risk: how personal data is stored, shared, retained, and governed over time. This article focuses on the operational and organisational obligations that arise once marketing data has been collected.

Security of data in marketing databases

Under the Security Principle in Section 9 of the PDPA, businesses must take practical steps to protect personal data from loss, misuse, modification, and unauthorised or accidental access or disclosure. Because marketing operations often span multiple systems, teams, and external parties, marketing databases are a common source of personal data security incidents, especially when:

Security practices that reduce both the technical and the legal exposure of marketing data include:

Retention of personal data for marketing

Under the Retention Principle in Section 10 of the PDPA, personal data must not be kept longer than is necessary for the purpose for which it was collected. Data controllers must also take reasonable steps to ensure that personal data is destroyed or permanently deleted once it is no longer required. In a marketing context, some businesses prefer to retain customer data “just in case” it proves useful for future campaigns; such blanket retention is not permitted under the PDPA. Where a data subject has opted out of direct marketing or withdrawn consent, the personal data should be deleted unless there is another lawful purpose for retaining it.

The PDPA does not prescribe a fixed retention period. Businesses may determine one based on their operational and legal requirements, and should document it in internal policies or data governance frameworks.
Data accuracy and integrity

Under the PDPA’s Data Integrity Principle (Section 11), businesses are required to take reasonable steps to ensure that the personal data they process is accurate, complete, not misleading and kept up to date. In a marketing context, data accuracy issues commonly arise where:

To mitigate these risks, businesses should:

Use of third-party marketers

Many organisations outsource marketing to external agencies or rely on third-party platforms. In these arrangements, personal data is often shared with external parties for marketing execution. Under the PDPA:

Although data processors also have obligations under the PDPA to safeguard personal data entrusted to them, responsibility and accountability under the PDPA ultimately remain with the organisation that engaged them. To manage this risk, businesses should:

Outsourcing marketing execution does not outsource PDPA responsibility.

Requirement to appoint a Data Protection Officer (DPO)

Businesses that carry out extensive marketing activities should also consider whether they are required to appoint a Data Protection Officer (DPO) under the PDPA. Businesses that process personal data on a large scale (i.e., personal data of 20,000 or more data subjects) are required to appoint a DPO. In practice, many marketing-driven businesses reach or exceed this threshold without realising it. Marketing databases often contain thousands of customer records, and when these are combined with:

the total volume of personal data processed by the business may easily meet the threshold for mandatory DPO appointment.

Internal governance and staff training

Marketing teams typically have broad access to customer data and campaign tools, making internal governance and staff training critical. Businesses should ensure that personnel involved in marketing activities understand:

Additionally, where a Data Protection Officer has been appointed, marketing teams should have a clear escalation path for PDPA-related questions or issues.
Let ELP be your PDPA legal advisors

A PDPA-compliant marketing strategy should incorporate security controls, retention limits, vendor governance, and organisational accountability alongside consent and opt-out mechanisms. If your organisation requires assistance assessing marketing-related PDPA risks, reviewing data retention practices, or evaluating DPO appointment obligations, feel free to reach out for a consultation.