Entering a New Data Privacy Age

The Personal Data Protection Act 2010 (“PDPA”) finally came into force on 15 November 2013 and marks the introduction of a data privacy regime in Malaysia.

The objective of the PDPA is to regulate the processing of personal data and to safeguard the data privacy rights of individuals. It applies to anyone who processes the personal data (“data user”) of an individual (“data subject”) in commercial transactions.

Data users have until 14 February 2014 to comply with the PDPA. Essentially, a data user must comply with the 7 personal data protection principles, which form the backbone of the PDPA.

The 7 principles are:

  • General – consent is required before personal data can be processed
  • Notice & Choice – individuals must be notified of the purpose for which their data is processed
  • Disclosure – personal data cannot be disclosed without consent
  • Security – data users must take practical steps to protect the security of personal data
  • Retention – personal data can only be retained for as long as it is required
  • Data Integrity – personal data that is collected must be accurate, complete and up to date
  • Access – all individuals have the right to view and correct their personal data

Aside from the negative publicity, penalties for violation of data privacy or non-compliance with the PDPA include fines of up to RM500,000 for companies and/or fines and imprisonment of up to 3 years for officers of the offending company.

The Regulations

Several new regulations have also been issued. These are:

  • Personal Data Protection Regulations 2013;
  • Personal Data Protection (Class of Data Users) Order 2013;
  • Personal Data Protection (Registration of Data User) Regulations 2013; and
  • Personal Data Protection (Fees) Regulations 2013.

Personal Data Protection Regulations 2013

These regulations provide some clarification on the 7 principles, which can be summarised as follows:

  • General Principle – consent obtained by data users from data subjects must be capable of being recorded and maintained properly. It appears that implied consent is not acceptable.
  • Notice & Choice Principle – data users must give data subjects information on how to contact them for inquiries or complaints, such as the designation of the contact person, phone and fax numbers, email address and any other related information (if any). The notice must also be given in Malay.
  • Security Principle – data users must develop and implement a security policy that will comply with the security standards prescribed by the Personal Data Protection Commissioner (“Commissioner”). Data users must also ensure that these security standards are complied with by data processors who process personal data on their behalf.
  • Retention Principle – data users must ensure that the personal data of their data subjects is retained in accordance with the standards prescribed by the Commissioner.
  • Data Integrity Principle – data users must ensure that the processing of personal data is in accordance with the data integrity standards prescribed by the Commissioner.

Personal Data Protection (Class of Data Users) Order 2013

This order provides that the following classes of data users must register with the Commissioner in the next 3 months:

  1. Communications
  2. Banking and financial institutions
  3. Insurance
  4. Health (e.g. private hospitals, clinics, dental clinics and pharmacies)
  5. Tourism and hospitalities (e.g. tour operators, travel agents, tourist guides, tourist accommodation premises)
  6. Transportation (all Malaysian airlines)
  7. Education (e.g. private higher education institutions, private schools)
  8. Direct selling
  9. Services (e.g. lawyers, auditors, accountants, engineers, architects, retail and wholesale dealings and employment agencies)
  10. Real Estate (e.g. housing developers)
  11. Utilities

The other two regulations deal with the fees payable under the PDPA and the registration process for data users. Registration fees range from RM100 to RM400, depending on the category of the data user.

Appointment of the Commissioner

The Minister of Communications and Multimedia has also announced the appointment of Tuan Haji Abu Hassan bin Ismail as the Commissioner. It is also expected that the Personal Data Protection Department (“PDPD”) will be converted into an independent Personal Data Protection Commission, which is consistent with the provisions of the PDPA and in line with international practice.

Implementation Phases

The writer understands that the PDPA will be implemented in 3 phases:

  • Phase 1 will focus on the registration of data users and creating awareness;
  • Phase 2 will see enforcement teams carrying out inspections for compliance; and
  • Phase 3 will see the Commissioner undertake audits and commence prosecutions for non-compliance.

Concluding Words

Whilst individuals will rejoice in knowing there is a law that now protects their personal data, there remain numerous points which require clarification, as no comprehensive guidelines on how the PDPA will be enforced have yet been issued.

Nevertheless, given the severe penalties under the PDPA and the potential reputational damage from non-compliance or violation of data privacy, companies are unlikely to ignore it. If not already in place, businesses should immediately review their processes, contracts and standard forms, and implement sound internal policies on personal data processing to ensure compliance with the PDPA.


About the author:
This article was written by Edwin Lee Yong Cieh, Partner of LPP Law – law firm in Kuala Lumpur, Malaysia (+6016 928 6130, [email protected]). Feel free to contact him if you have any queries.
This article was first published in CHIP Magazine Malaysia.
The view expressed in this article is intended to provide a general guide to the subject matter and does not constitute professional legal advice. You are advised to seek proper legal advice for your specific situation.

 © Copyright 2020, Lee & Poh Partnership
