The Malaysia Personal Data Protection Act 2010 (PDPA) was enacted in 2010 and came into force on November 15, 2013. It sets out a comprehensive cross-sectoral framework for protecting individuals' personal data in respect of commercial transactions.
This article is the first of three. It covers an introduction to PDPA 2010, the Act's scope and definitions, where authority under the PDPA lies, and the sectors that must register.
An introduction to PDPA 2010 law
The PDPA was introduced to strengthen consumer confidence in business transactions and e-commerce, against a background of rising credit card fraud, identity theft and the sale of personal data without the data subject's consent.
Before the PDPA, data protection obligations existed only within specific sectoral secrecy and confidentiality rules: personal information was protected solely as 'confidential information', enforced through contractual obligations or civil actions for breach of confidence.
Scope and definitions
Under the Act, data users must comply with seven personal data protection principles:
- General – Personal data may not be processed without the data subject's consent, save for the exceptions the Act lists (for example, where processing is necessary for the performance of a contract with the data subject).
- Notice and Choice – Data subjects must be informed through written notice of (among other things) the type of data being processed, the purpose for which it is processed, the class of third parties to whom it may be disclosed, their right to request access to and correction of that data, and the choices and means by which they can limit the processing of their personal data.
- Disclosure – Personal data must not be disclosed for any purpose other than the purpose for which it was collected (or one directly related to it), and must not be disclosed to any third party other than those notified to the data subject or to whom the data subject has consented.
- Security – Data users must take practical steps to protect personal data from loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.
- Retention – Personal data may not be kept for longer than is necessary to fulfil the purpose for which it was processed.
- Data integrity – Data users must take reasonable steps to ensure that the personal data they hold is accurate, complete, not misleading and kept up to date.
- Access – Data subjects must be given access to their personal data and be able to correct data that is inaccurate, incomplete, misleading or out of date.
The Personal Data Protection Commissioner is the authority responsible for implementing and enforcing PDPA 2010 in Malaysia.
The Commissioner has the powers necessary to carry out his or her functions under the Act. These include:
- The power to investigate
- The power to inspect data users' personal data systems
- The power to access computerised data
- The power to search and seize data where necessary (with or without a warrant)
After an investigation, the Commissioner may also serve an enforcement notice that sets out the breach, the remedial steps required and the deadline for compliance; where required, the notice may direct the data user to cease processing the personal data until the breach is rectified.
Sectors that must register
Under the Personal Data Protection (Class of Data Users) Order 2013, data users in the following classes are required to register with the Commissioner's office; these include:
- Banking and financial institutions
- Tourism and hospitality
- Direct selling
- Real estate
- Services sector (accountancy, audit, legal, architecture or engineering)
The Order also covers the communications, insurance, health, transportation, education and utilities sectors.
In Part 2, we will discuss the Disclosure, Security, Retention and Data Integrity principles in more detail.