
Global Data Privacy Guide

Malaysia

(Asia Pacific) Firm Skrine

Contributors Jillian Chia

Updated 01 Mar 2022
What is the key legislation?

The Personal Data Protection Act 2010 (the "Act") governs the processing of personal data in respect of commercial transactions. The Act contains principles of consent, notice, disclosure, security, data retention, data integrity and access.  

Note: The key legislation governing data protection in Malaysia is the Personal Data Protection Act 2010 ("PDPA"). The PDPA came into force on November 15, 2013, and it sets out seven key principles for the processing of personal data by a data user. Five further pieces of subsidiary legislation have been enacted pursuant to the PDPA to facilitate its enforcement.

Recently, the Personal Data Protection Standard 2015 (“PDP Standards”) was issued by the PDP Commissioner. The PDP Standards spell out three main standards, namely the Security Standards, Retention Standards and Data Integrity Standards, which apply to personal data processed both electronically and non-electronically.

What data is protected?

The Act protects personal data, being information in respect of a commercial transaction from which an individual is identified or identifiable.

Note: “Personal data” means any information in respect of commercial transactions, which—

  • is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;
  • is recorded with the intention that it should wholly or partly be processed by means of such equipment; or
  • is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,

that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject; but does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010.

Examples of what would be considered personal data include name and contact details.

“Sensitive personal data” means any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offense or any other personal data as the Minister may determine by order published in the Gazette.

Examples of sensitive personal data would include data concerning an individual's health, political opinions, religion, as well as arrests and convictions for criminal offenses.

Who is subject to privacy obligations?

The PDPA applies to any person who processes or has control over the “processing” of any personal data (data user).

Note: “Data user” means a person who either alone, jointly, or in common with other persons processes any personal data or has control over or authorizes the processing of any personal data, but does not include a data processor.

“Processing” carries a wide meaning under the PDPA. The Act defines “processing”, in relation to personal data, as “collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data, including—

  • the organization, adaptation or alteration of personal data;
  • the retrieval, consultation or use of personal data;
  • the disclosure of personal data by transmission, transfer, dissemination or otherwise making available; or
  • the alignment, combination, correction, erasure or destruction of personal data”.

There is also a category referred to as “data processors”, which carries the following meaning:

“data processor”, in relation to personal data, means any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user and does not process the personal data for any of his own purposes.

A data user would be ultimately responsible for any data processors it utilizes.

The PDPA does not apply to personal data processed outside Malaysia unless the data is intended to be further processed in Malaysia. It also does not apply to a data user who is not established in Malaysia unless that person uses equipment in Malaysia to process personal data (save where it is only for purposes of transit).

The Malaysian Federal and State Governments are also exempt from the PDPA.

Data users who fall within certain sectors are required to register with the PDP Commissioner. The sectors which have been specified are:

  • Communications
  • Banking and Financial Institutions
  • Insurance
  • Health
  • Tourism and Hospitalities
  • Transportation
  • Education
  • Direct Selling
  • Services, namely organizations carrying on the following businesses: legal, audit, accountancy, engineering or architecture, retail or wholesale dealing as defined under the Control of Supplies Act 1961, and private employment agencies.
  • Real Estate
  • Utilities
  • Pawnbroker
  • Moneylender

What are the principles applicable to personal data processing?

The PDPA prohibits a data user from processing personal data without the consent of the data subject, and it requires a data user to inform the data subject of various matters relating to the data subject's personal data that is being processed by or on behalf of that data user.

Note: The General Principle of the PDPA prohibits a data user from processing personal data without the consent of the data subject unless it is for the following reasons:

  • for the performance of a contract to which the data subject is a party;
  • for the taking of steps at the request of the data subject with a view to entering into a contract;
  • for compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract;
  • in order to protect the vital interests of the data subject;
  • for the administration of justice; or
  • for the exercise of any functions conferred on any person by or under any law.

The Notice and Choice Principle of the PDPA requires a data user to inform a data subject by written notice of the following, in both the national language (Malay) and English:

  • that personal data of the data subject is being processed by or on behalf of the data user, and shall provide a description of the personal data to that data subject;
  • the purposes for which the personal data is being or is to be collected and further processed;
  • of any information available to the data user as to the source of that personal data;
  • of the data subject’s right to request access to and to request correction of the personal data and how to contact the data user with any inquiries or complaints in respect of the personal data;
  • of the class of third parties to whom the data user discloses or may disclose the personal data;
  • of the choices and means the data user offers the data subject for limiting the processing of personal data, including personal data relating to other persons who may be identified from that personal data;
  • whether it is obligatory or voluntary for the data subject to supply personal data; and
  • where it is obligatory for the data subject to supply the personal data, the consequences for the data subject if he fails to supply the personal data.

Notice has to be provided as soon as practicable, which means:

  • when the data subject is first asked by the data user to provide his personal data;
  • when the data user first collects the personal data of the data subject; or
  • in any other case, before the data user—
    • uses the personal data of the data subject for a purpose other than the purpose for which the personal data was collected; or
    • discloses the personal data to a third party.

How is the processing of personal data regulated?

A data user cannot disclose any personal data of a data subject for any purpose other than the purpose disclosed to the data subject (or a purpose directly related to it), nor to any party other than the class of third parties disclosed to the data subject (Disclosure Principle of the PDPA).

Note: However, the disclosure of personal data is permitted where:

  • consent has been given by the data subject;
  • the disclosure is necessary to prevent or detect crime, or for the purpose of investigations;
  • the disclosure is required or authorized by law or order of the court;
  • the data user had acted under the belief that he has a legal right to disclose the data to another person;
  • the data user had acted under the reasonable belief that he would have received the consent of the data subject if the data subject had known of the disclosure and the circumstances of such disclosure; or
  • the disclosure was justified as being in the public interests in circumstances as determined by the Minister.

How are storage, security and retention of personal data regulated?

A data user is obligated to take specified measures to protect personal data from loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction during its processing (Security Principle). A data user must also not retain personal data longer than is necessary for the fulfillment of the purpose for which it is processed, and must destroy or permanently delete all personal data which is no longer required for the purpose for which it was processed (Retention Principle).

Note: Where data is being processed, whether by the data user itself or by a data processor on the data user's behalf, the data user must take into account the following security factors:

  • the nature of the personal data and the harm that would result from such loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction;
  • the place or location where the personal data is stored;
  • any security measures incorporated into any equipment in which the personal data is stored;
  • the measures taken for ensuring the reliability, integrity and competence of personnel having access to the personal data; and
  • the measures taken for ensuring the secure transfer of the personal data.

The PDP Standards also set out, in the Security Standards, specific measures which have to be complied with.

Where a “data processor” is used, the Security Standards stipulate that the data user shall, for the purpose of protecting the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction, ensure that the data processor—

  • provides sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out; and
  • takes reasonable steps to ensure compliance with those measures.

The Retention Principle stipulates that personal data must not be retained longer than is necessary for the fulfillment of the purpose for which it is processed. The PDP Standards also contain the Retention Standards, which specify the measures which have to be taken in relation to the retention of data.

What are the data subjects' rights?

The Access Principle confers the right on a data subject to access his personal data and to correct the same if it is inaccurate, incomplete, misleading or outdated.

Note: A data subject shall be given access to his personal data held by a data user and be able to correct that personal data where the personal data is inaccurate, incomplete, misleading or not up-to-date, except where compliance with a request for such access or correction is refused under the PDPA.

The PDPA also grants data subjects the right to request access to and/or correction of their personal data. The PDPA prescribes the procedures, and there are also timelines which a data user must comply with where there is an access and/or correction request.

The PDPA also provides the grounds on which such data access request may be refused such as where the burden or expense of providing access is disproportionate to the risks to the data subject’s privacy in relation to the personal data in the case in question or where the data user cannot comply with the data access request without disclosing personal data relating to another individual, among other factors.

A data correction request may also be turned down where the data user is not supplied with such information as he may reasonably require to ascertain in what way the personal data to which the data correction request relates is inaccurate, incomplete, misleading or not up-to-date or where the data user is not satisfied that the personal data to which the data correction request relates is inaccurate, incomplete, misleading or not up-to-date, among other factors.

Are there restrictions on cross-border data transfers?

A data user shall not transfer any personal data of a data subject to a place outside Malaysia unless to such place as specified by the Minister, upon the recommendation of the Commissioner, by notification published in the Gazette.

Note: No permitted place/country has been specified in the Gazette at present, though there has been a public consultation paper issued in 2017 regarding proposed whitelisted countries which include EEA member countries and the United States of America. 

Notwithstanding the prohibition, a data user may transfer any personal data to a place outside of Malaysia if:

  • the data subject has given his consent to the transfer;
  • the transfer is necessary for the performance of a contract between the data subject and the data user;
  • the transfer is necessary for the conclusion or performance of a contract between the data user and a third party which—
    • is entered into at the request of the data subject; or
    • is in the interests of the data subject;
  • the transfer is for the purpose of any legal proceedings or for the purpose of obtaining legal advice or for establishing, exercising or defending legal rights;
  • the data user has reasonable grounds for believing that in all circumstances of the case—
    • the transfer is for the avoidance or mitigation of adverse action against the data subject;
    • it is not practicable to obtain the consent in writing of the data subject to that transfer; and
    • if it was practicable to obtain such consent, the data subject would have given his consent;
  • the data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not in that place be processed in any manner which, if that place is Malaysia, would be a contravention of the PDPA;
  • the transfer is necessary in order to protect the vital interests of the data subject; or
  • the transfer is necessary as being in the public interest in circumstances as determined by the Minister.

Are there any notification requirements for data breaches?

There are no breach notification requirements in the PDPA.

Who is the privacy regulator?

A “Personal Data Protection Commissioner” is appointed by the Minister to carry out the functions and powers assigned to the Commissioner by the PDPA. A Personal Data Protection Commissioner has been appointed, and a Personal Data Protection Department has also been set up.

Note: The functions of the Commissioner include:

  • to advise the Minister on the national policy for personal data protection and all other related matters;
  • to implement and enforce personal data protection laws, including the formulation of operational policies and procedures;
  • to promote and encourage associations or bodies representing data users to prepare codes of practice and to disseminate to their members the codes of practice for the purposes of the PDPA;
  • to cooperate with bodies corporate or government agencies for the purpose of performing his functions;
  • to determine in pursuance of section 129 whether any place outside Malaysia has in place a system for the protection of personal data that is substantially similar to that as provided for under this Act or that serves the same purposes as this Act;
  • to undertake or cause to be undertaken research into, and monitor developments in, the processing of personal data, including technology, in order to take account of any effects such developments may have on the privacy of individuals in relation to their personal data;
  • to monitor and supervise compliance with the provisions of the PDPA, including the issuance of circulars, enforcement notices or any other instruments to any person;
  • to promote awareness and dissemination of information to the public about the operation of the PDPA;
  • to liaise and cooperate with persons performing similar personal data protection functions in any place outside Malaysia in respect of matters of mutual interest, including matters concerning the privacy of individuals in relation to their personal data;
  • to represent Malaysia through participation in events that relate to personal data protection as authorized by the Minister, whether within or outside Malaysia; and
  • to carry out such activities and do such things as are necessary, advantageous and proper for the administration of this Act, or such other purposes consistent with the PDPA as may be directed by the Minister.

What are the consequences of a privacy breach?

Breaches of the provisions of the PDPA will result in a fine and/or imprisonment. A public consultation paper was also issued in 2018 regarding a proposed breach notification procedure.  

Note: Failure to comply with the provisions in the PDPA may amount to a criminal offense:

  • Breach of any of the seven data protection principles attracts a fine up to RM 300,000 and/or up to two years imprisonment.
  • The unlawful collection, disclosure and sale of personal data attract a fine up to RM 500,000 and/or up to three years imprisonment.

If a body corporate is found to have committed an offense, the officers of such body corporate are deemed to have committed the offense personally. However, the officer(s) of such body corporate may not be found to have committed the offense if he/they can prove the offense was committed without his/their knowledge or consent and he/they had taken all reasonable precautions and exercised due diligence to prevent the commission of the offense.

The PDP Commissioner issued a public consultation paper in 2018 regarding a proposed data breach notification procedure (“DBN”).

The said paper states that the DBN requirements are intended to be implemented by the end of 2018 by way of imposing conditions in the certificate of registration issued by the PDP Commissioner to data users. It is currently unclear whether all data users or only data users subject to the registration requirements under the PDPA will be required to comply with such DBN requirements.

The proposed DBN requires, among other things, that notification to the Commissioner be made not later than 72 hours after becoming aware of a data breach. There is also a prescribed data breach notification template that requires certain information to be provided, such as:

  • details about the data breach (e.g. type and amount of personal data involved in the breach);
  • contain or control measures (e.g. actions/measures taken or to be taken to contain the breach);
  • notification (e.g. who has been notified about the breach? What advice was given to the affected data subject?);
  • training and guidance in relation to data protection (e.g. training/awareness program to staff prior to the breach).

How is electronic marketing regulated?

There are no specific rules on electronic marketing under the PDPA; however, the PDPA has a general provision on the processing of personal data for direct marketing.

Note: “Direct marketing” is defined in the PDPA as “the communication by whatever means of any advertising or marketing material which is directed to particular individuals”. This would be wide enough to encompass electronic marketing.

The PDPA stipulates that a data subject may, at any time by notice in writing to a data user, require the data user, at the end of such period as is reasonable in the circumstances, to cease or not to begin processing his personal data for purposes of direct marketing.

Where the data subject is dissatisfied with the failure of the data user to comply with the notice, whether in whole or in part, the data subject may submit an application to the Commissioner to require the data user to comply with the notice. Where the Commissioner is satisfied that the data subject's application is justified, the Commissioner may require the data user to take such steps as are necessary to comply with the notice.

A data user who fails to comply with such a requirement of the Commissioner commits an offense and shall, on conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.

A Proposal Paper for a Guide in Dealing with Direct Marketing, covering both conventional and electronic direct marketing, was issued by the PDP Department in 2013; however, the proposal paper was discontinued after feedback was obtained from the relevant stakeholders.

Are there any recent developments or expected reforms?

Several Codes of Practice for various industries have been issued by the PDP Commissioner after discussions with the various sectors involved. 

The Minister of Communications and Multimedia announced that the Ministry and the PDP Department are in the midst of reviewing the PDPA to ensure it is up to date and in line with current developments. In February 2020, a proposal was issued to seek the views and comments of the public, as part of an ongoing review of the PDPA.

Note: The PDP Standards came into force in late December 2015 and outline three main standards, namely the Security Standard, Retention Standard and Data Integrity Standard, which apply to personal data processed both electronically and non-electronically.

The PDP Standards are stated to be “a minimum requirement” and will apply to all data users, meaning any person who processes, has control of or allows the processing of any personal data in connection with a commercial transaction.

The PDP Commissioner may designate a body as a data user forum in respect of a specific class of data users for the purposes of the PDPA, and such a data user forum may prepare a code of practice on its own initiative or upon request by the Commissioner.

The following enforceable codes of practice have been registered: Code of Practice for the Utilities Sector (Electricity), Code of Practice for the Insurance/Takaful Industry, Code of Practice for the Banking and Financial Sector, Code of Practice for the Transportation Sector (Aviation), Code of Practice for the Communications Sector, Code of Practice for the Utilities Sector (Water), and Code of Practice for Private Hospitals in the Healthcare Industry. 

The Minister of Communications and Multimedia has indicated that changes may have to be made to local data protection laws, in particular the PDPA, to prevent data breaches and to bring its provisions on par with the General Data Protection Regulation ("GDPR"). The Minister has also stated that the Ministry is looking to work with other ASEAN countries to develop a framework for data protection. Notably, a proposal paper, ‘Public Consultation Paper No. 01/2020 – Review of Personal Data Protection Act 2010’, has also been issued to seek the views and comments of the public as part of an ongoing review of the PDPA.
