1. Why is PDPA so important?
The Personal Data Protection Act 2010 (“PDPA”) is the primary legislation concerning data protection in Malaysia. It is important as it provides guidance and the best practice rules for companies to follow on how to process personal and sensitive data.
The use of such data is an integral part of today's commercial world. A vast amount of personal and sensitive data is collected, used and transferred to third-party companies every day for a variety of commercial reasons. This trend is expected to grow rapidly as advanced technologies become more and more accessible to business owners.
Simply put, failure to comply with the PDPA can have serious consequences that expose your business to expensive and often unnecessary civil lawsuits. Moreover, violating the PDPA can also see you and your business facing serious penalties and harsh punishment by the authority.
2. Who should comply with the PDPA?
The PDPA applies to any person who processes and has control over or authorizes the processing of any personal data in respect of commercial transactions.
It should be noted that, although the PDPA does not have an extraterritorial application like the GDPR, a foreign company will still be caught by the PDPA, whether or not it has a physical presence in Malaysia, if it uses equipment in Malaysia to process personal data otherwise than for the purposes of transit through the country. In that case, the PDPA requires the foreign company to establish a representative or company with a physical presence in Malaysia.
3. What constitutes ‘personal’ and ‘sensitive’ personal data?
The PDPA applies to both ‘Personal Data’ and ‘Sensitive Personal Data’.
‘Personal data’ means any information in respect of commercial transactions which is processed by means of equipment operating automatically in response to instructions given for that purpose. Further, any information that is recorded with the intention that it should be processed by means of such equipment, or that is recorded as part of a relevant filing system, also constitutes personal data. Clearly, this definition is broad and fairly all-encompassing, and may include NRIC/Passport No., home addresses, contact details and occupation.
‘Sensitive personal data’ is defined under the PDPA as any personal data consisting of information as to the physical or mental health or condition of the person, his political opinions and/or his religion.
4. What is the difference between a ‘data user’ and ‘data subject’?
The PDPA defines ‘data user’ as a person who processes any personal data or has control over or authorizes the processing of any personal data, but does not include a data processor.
The ‘data subject’ means an individual who is the subject of the personal data.
5. Are there restrictions on cross-border data transfers from Malaysia?
Yes. The PDPA prohibits the transfer of any personal data of a data subject overseas except to such places as are specified by the Minister, upon the recommendation of the Minister, by notification published in the Gazette. Nonetheless, it is worth mentioning that the Minister has recommended a proposed order that would allow the transfer of personal data to certain safe harbour jurisdictions outside Malaysia without having to obtain consent or invoke any of the exceptions provided under the PDPA.
As of the date of this publication, the Minister has yet to approve the safe harbour jurisdictions. Hence, at this time, the Minister may only allow international data transfers to a place that has a law substantially similar to the PDPA, or that can ensure an adequate level of protection in relation to the processing of personal data.
On top of that, you may only transfer personal data outside Malaysia if there is consent, or if the transfer falls within one of the other exceptions provided under the PDPA, for example where the transfer is necessary for the performance or conclusion of a contract between the data user and the data subject, or for the purpose of any legal proceedings, or for obtaining legal advice for establishing, exercising or defending legal rights.
6. What are the penalties for non-compliance?
Anyone disobeying the PDPA may be liable to fines of up to RM500,000.00 and imprisonment for a term not exceeding 3 years, or both.
In the event that a company commits an offence under the PDPA, the following persons can be charged severally or jointly in the same proceedings with the company:
- any person who, at the time of the commission of the offence, was a director, CEO, COO, manager or secretary of the company
- any other similar officer of the company, or any person who was purporting to act in any such capacity, or who was in any manner responsible for the management of any affairs of the company, or who was assisting in such management
Disclaimer: The above article is intended for general informational and education purposes only and not for the purpose of providing legal and professional advice. Got a question on the Malaysian Data Protection law? Contact members of Chern & Co. at firstname.lastname@example.org.