Personal Data Protection

(1) What is the general framework governing protection of personal information and data in Malaysia?

Processing of personal data in Malaysia is governed by the Personal Data Protection Act 2010 (“PDPA”), which came into force on 15 November 2013. The PDPA applies to any person who processes, and any person who has control over or authorizes the processing of, any personal data in respect of commercial transactions (such a person is referred to as a ‘data user’ under the PDPA). “Processing” of personal data carries a wide meaning and includes collection, storage, use, disclosure, transmission, transfer and destruction of personal data.

(2) What is the meaning of “personal data” under the PDPA in respect of the protection of personal information?

‘Personal data’ which comes within the ambit of the PDPA must relate directly or indirectly to an individual, who is identified or identifiable from the information or other information in the possession of a data user, and the data must be processed by equipment or be recorded with the intention that it should form part of a relevant filing system. Such personal data must also be in respect of a “commercial transaction”, such as in the course of sale of goods or supply of services.

(3) What is the intention/purpose of PDPA?

The PDPA purports to safeguard personal data by requiring the data user to comply with seven data protection principles and by conferring certain rights on the individual.

The data protection principles oblige data users to obtain consent for the processing of personal data, to notify the individual of certain prescribed matters pertaining to the processing of their personal data, and to ensure that any personal data processed is held securely and kept up to date, among other requirements. The PDPA also grants individuals the right to access their personal data, to correct any inaccurate personal data and to withdraw consent.

The PDPA generally prohibits cross-border transfers of personal data save where the exceptions apply or where the transfer is to a permitted place specified by the Minister.

(4) Which regulatory bodies regulate the usage of personal data in Malaysia?

A Personal Data Protection Commissioner is appointed to oversee compliance with the PDPA by data users, and a Personal Data Protection Department has been set up under the purview of the Ministry of Communications and Multimedia.

In respect of registration, only certain classes of data users are required to register with the Personal Data Protection Commissioner, namely those who are registered or licensed under the following sectors: Communications, Banking & Financial institutions, Insurance, Health, Tourism & Hospitalities, Transportation, Education, Direct Selling, Services, Real Estate and Utilities.