In 2010, the Malaysian Parliament passed the Malaysia Personal Data Protection Act (PDPA). In June, the law received Royal Assent. However, the PDPA didn't go into effect until November 15, 2013.
The PDPA provides a comprehensive framework designed to protect individuals' personal data with respect to transactions that are commercial in nature.
In the article below, we'll cover what the PDPA aims to do, whom it applies to, what it requires, and how to comply.
The following is a brief introduction to the PDPA. The Malaysian government passed the legislation to boost overall consumer confidence in e-commerce and other business transactions.
The Malaysian Parliament deemed this necessary since the country saw an increase in personal data being sold without the user's knowledge and consent. At the same time, there was a troubling rise in identity theft and credit card fraud.
Before 2010, personal data was regulated by industry-specific legislation. Examples of industries where the government regulated personal information are telecommunications, banking and finance, and healthcare.
Today, the Malaysian PDPA covers all businesses that are based in Malaysia regardless of industry. Foreign companies that use equipment in Malaysia to process personal information in the course of business transactions with residents of the country are also bound by the law's regulations.
The authority responsible for carrying out the regulations within Malaysia's PDPA is the Personal Data Protection Commissioner. This individual is empowered to conduct a broad range of job functions within the scope of the 2010 data protection law.
These powers include:
This article provides a broad overview of the Malaysian PDPA along with some of the most "need to know" items within the law for those doing business in Malaysia.
However, the country's Department of Personal Data Protection provides in-depth FAQs and guidance documents on its website. The documents cover not only the PDPA, but also supplementary legislation.
Anyone who processes personal data or has control over that processing is considered a "data user." This can therefore be a person or an organization. The Malaysian PDPA covers all data users based in Malaysia and all data users who use equipment in Malaysia to process data.
It's relevant to note that under the PDPA, "processing" covers a broad range of activities.
Data processors may also be individuals or organizations. However, this is something of a "third-party" category. Under the PDPA, these data processing third-parties, which process personal data on behalf of a data user, are not directly bound by the same regulations.
Instead, the data user is expected to oversee the data processor and make sure that relevant regulations are adhered to.
The following are exempt from the PDPA:
There are four main definitions that you need to be familiar with regarding the Malaysian PDPA. These are:
To be considered "personal data" under the PDPA, three conditions must be met. These are:
Additionally, "personal information" as defined by the PDPA is considered to be much the same as that covered by Europe's General Data Protection Regulation (GDPR). In other words, "personal information" covers all the types of data business owners have come to expect when it comes to data privacy and protection laws.
These include but may not be limited to:
According to the PDPA, commercial transactions include anything to do with the exchange or supply of services or goods, banking and insurance, financing, investments, and agency.
It's important to note that the PDPA does not specify whether employment relationships are considered a type of commercial transaction.
You may be tempted to ask why there is a separate category for sensitive data when there's already a category for personal information.
After all, isn't personal data sensitive, too?
The fact is that while some data protection laws lump a lot of data categories together under "personal data" or "personal information" where obligations are much the same, the PDPA imposes greater responsibilities on data users when it comes to "sensitive data."
Under the PDPA, sensitive data includes such things as an individual's:
While the PDPA uses the term "data user," the term is essentially the same as the GDPR's "data controller."
The data user is an individual who processes any personal data alone, jointly, or together in common with others. Additionally, a data user may be someone who authorizes the processing of personal data but doesn't include a data processor.
As stated in the PDPA, a data processor is "any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user and does not process the personal data for any of his own purposes."
There are seven data protection principles that all data users must comply with under the Malaysian PDPA. These principles describe how your company's website must handle a data subject's personal information.
These principles are:
Let's take a look at each principle individually.
The first Malaysian PDPA principle is simply known as the "General Principle." It demands that data users acquire valid consent from data subjects before collecting personal and sensitive information.
Similar in nature to GDPR requirements, consent from a data subject must be explicit and provided through an affirmative opt-in. Consent is not considered valid otherwise.
In other words, under Malaysia's PDPA, implied consent isn't valid. For example, suppose you only had a notice on your website that you collect data, but you didn't give your site's visitors a way to opt-out of that data collection. In that case, any information you gathered from your site's visitors would have been without their consent.
Additionally, many of the items that constitute "personal data" are bits of information that cookies usually process. Having an acceptable cookie consent notice that obtains explicit consent is therefore essential as well.
Generally speaking, personal information is only allowed to be processed under the PDPA if it is:
There are some exceptions to the stipulation for consent. For instance, if you collect data to fulfill a contract, then explicit consent is not required.
Like many other data privacy and protection laws, Malaysia's PDPA requires that you provide your website's users with notice concerning your company's data processing activities.
You must provide a conspicuous written statement regarding the following:
The notice and choice principle is directly tied into the general principle since you must provide your website's visitors with notice and let them know what their options are in order for them to know precisely what they are consenting to.
Finally, the data user must provide notice in both English and Malay and before any data processing occurs.
The PDPA prohibits you from disclosing personal data to any third party. You must obtain explicit consent from the data subject in advance.
In other words, all data you collect whether it's from opt-in forms, cookies and trackers, social media plugins, analytics, etc., may only be shared with others outside your company if you've acquired the express permission of your website's visitors to do so.
As a whole, when it comes to disclosing or sharing data you collect, you're limited to what you've specified in your notice and to third parties you've explicitly listed in it.
Furthermore, if you do list third parties in your notice with whom you intend to share data, you must maintain up-to-date and accurate lists.
Strict measures to safeguard personal data are obligatory under the PDPA.
To comply with this requirement, your business must put in place a security policy, which details the following:
Data users need to remember that the legal responsibility to protect a data subject's personal information includes ensuring that strict safeguards are in place. These safeguards encompass, but aren't limited to, the following:
The Malaysian PDPA allows you to store (or retain) a data subject's personal information only for the amount of time required for you to fulfill the reasons stated within your information and notice.
It is essential for you to bear in mind that you're legally required to delete all personal information in your possession once you've used it for the purposes stated in your information and notice.
With that said, there aren't any legal limits placed on the amount of time you can retain personal data. As long as you're actively using that information for the purposes you made public, then time limits do not apply.
However, you must also recall that the personal data you collect is subject to inspection by the Department of Personal Data Protection. You, therefore, must maintain full and accurate records, including records of deleted data.
Essentially, this principle demands that businesses ensure that all personal data collected from data subjects is up-to-date, complete, and accurate.
Moreover, data subjects have the right to request corrections to any information that is deemed inaccurate, incomplete, or misleading.
The following are the key points to keep in mind regarding the Malaysian PDPA:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.
16 July 2021