Lee Hishammuddin Allen & Gledhill
The following law(s) specifically govern personal data / information:
The Malaysian Personal Data Protection Act 2010 (PDPA) specifically governs personal data.
The key data protection principles in this jurisdiction are:
The PDPA provides for the following data protection principles that a data user (equivalent to a data controller under the EU General Data Protection Regulation) must comply with:
- General Principle: A data user must not process personal data about a data subject unless the data subject consents to the processing (or, in the case of sensitive personal data, explicitly consents to the processing). (Section 6, PDPA)
- Notice and Choice Principle: A data user must, by written notice, provide the data subject with information regarding the data user's personal data processing activities and set out the choices available to the data subject for limiting that processing. (Section 7, PDPA)
- Disclosure Principle: A data user must not disclose personal data without the data subject's consent except where the disclosure is: (a) for a purpose disclosed to the data subject at the time of collection, or for a purpose directly related to that purpose; or (b) to a third party who belongs to a class listed on the written notice issued to the data subject under the Notice and Choice Principle. (Section 8, PDPA)
- Security Principle: A data user must take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. (Section 9, PDPA)
- Retention Principle: Personal data processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose. (Section 10, PDPA)
- Data Integrity Principle: A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date. (Section 11, PDPA)
- Access Principle: A data subject shall be given access to their personal data held by a data user and be able to correct that personal data where the personal data is inaccurate, incomplete, misleading or not up-to-date. (Section 12, PDPA)
The supervisory authority / regulator in charge of data protection is:
The Personal Data Protection Commissioner (PDPC).
Is there a requirement to register with a supervisory authority / regulator?
A data user who belongs to any class of data users listed under the Personal Data Protection (Class of Data Users) Order 2013 must register with the PDPC.
This includes data users in the following industries: communications, banking and financial institutions, insurance, health, tourism and hospitality, transportation (aviation), education, direct selling, professional services, real estate, utilities, pawn brokering and moneylending.
The registration procedures and requirements are provided in the Personal Data Protection (Registration of Data User) Regulations 2013, which, in gist, provide for the following:
- To apply to be registered, a data user must furnish a copy of its constitution (previously known as the memorandum of association and articles of association) if the data user is a private or public company or, in other cases, a copy of the constituent document under which the data user is established.
- The application to be registered must be accompanied by a registration fee ranging from RM100 – RM400, depending on the type of establishment of the data user.
- If the application is successful, a certificate of registration will be issued to the data user, which would be valid for a period of not less than twelve months from the date on which the certificate of registration is issued.
Is there a requirement to notify the supervisory authority / regulator?
There is no requirement to notify the PDPC before any processing activities are commenced or before transferring personal data to another jurisdiction.
Is it possible to register with / notify the supervisory authority / regulator online?
A data user who belongs to any class of data users listed under the Personal Data Protection (Class of Data Users) Order 2013 can apply to be registered via the website of the Department of Personal Data Protection here: https://daftar.pdp.gov.my/
The key data subject rights under the data protection laws of this jurisdiction are:
Under the PDPA, data subjects have the following rights:
- The right to access personal data (Section 30, PDPA)
- The right to correct personal data (Section 34, PDPA)
- The right to withdraw consent for the processing of their personal data (Section 38, PDPA)
- The right to prevent processing likely to cause unwarranted substantial damage or distress to them or another person (Section 42, PDPA)
- The right to prevent processing for purposes of direct marketing (Section 43, PDPA)
Is there a requirement to appoint a data protection officer (or equivalent)?
There is no requirement to appoint a data protection officer.
Do data protection / privacy impact assessments need to be carried out in certain circumstances?
There is no requirement to conduct a data protection impact assessment.
Does this jurisdiction have any specific data breach notification requirements?
There is no data breach notification requirement.
The following restrictions apply to the international transfer of personal data / information:
The PDPA generally prohibits a data user from transferring personal data to a place outside Malaysia, except to places specified by the Minister in charge of data protection (currently the Minister of Communications and Multimedia), upon the recommendation of the PDPC, by notification published in the Gazette. To date, the Minister has yet to specify any place to which personal data may be transferred freely.
Notwithstanding this, the PDPA provides for certain circumstances where a data user may transfer personal data to a place outside Malaysia. These circumstances are:
- The data subject consents to the transfer.
- The transfer is necessary for the performance of a contract between the data subject and the data user.
- The transfer is necessary for the conclusion or performance of a contract between the data user and a third party entered into at the data subject's request, or is in the interests of a data subject.
- The transfer is for the purpose of legal proceedings or for the purpose of obtaining legal advice or for establishing, exercising, or defending legal rights.
- The data user has reasonable grounds to believe that:
  - the transfer is to avoid or mitigate adverse action against a data subject;
  - it is not practical to obtain written consent; and
  - if obtaining consent were practical, the data subject would consent.
- The data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not be processed in contravention of the PDPA.
- The transfer is necessary to protect the data subject's vital interests.
- The transfer is necessary as being in the public interest in circumstances as determined by the Minister of Communications and Multimedia.
(Section 129, PDPA)
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
Yes, the PDPA has “extra-territorial effect” on organisations outside of Malaysia in certain circumstances.
The PDPA applies to any person who processes, has control over, or authorises the processing of any personal data in respect of commercial transactions, and who:
- Is established in Malaysia; or
- Is not established in Malaysia, but uses equipment in Malaysia to process personal data other than for the purposes of transit through Malaysia.
(Section 2(2), PDPA.)
The PDPA considers the following data users to have establishments in Malaysia:
- An individual who is physically present in Malaysia for no less than 180 days in one calendar year.
- A body incorporated under the Companies Act 1965.
- A partnership or other unincorporated association formed under any written Malaysian laws.
- Any person who does not fall within any of the above but maintains in Malaysia:
  - an office, branch, or agency through which the person carries on any activity; or
  - a regular practice.
(Section 2(4), PDPA.)
The following rules specifically deal with marketing:
Under the PDPA, data subjects may object to direct marketing at any time by writing to a data user. On receipt of that objection, the data user must cease, or not begin, processing personal data for direct marketing purposes.
Where a data user does not comply with the objection request, the data subject may apply to the PDPC for an order requiring the data user to comply with it.
Under the PDPA, direct marketing means a communication by any means of advertising or marketing material directed to particular individuals.
(Section 43, PDPA)
Do different rules apply to business-to-business and business-to-consumer marketing?
Under the PDPA, “data subject” is defined as an individual who is the subject of the personal data. This definition indicates that the PDPA only applies when an individual’s personal data is collected and processed by the data user.
In so far as business-to-business marketing is concerned, the marketing is directed not towards individuals but towards companies. Hence, business-to-business marketing is not governed by the PDPA.
Business-to-consumer marketing, however, is governed by the PDPA.
The following rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc):
There are no rules specifically dealing with electronic marketing. Instead, the general rules relating to direct marketing, as discussed above, would apply to any form of direct marketing, whether electronic or non-electronic.
The following rules specifically deal with cookies:
There are no rules specifically dealing with cookies.
The consequences of non-compliance with data protection laws (including marketing laws) are:
Failure to comply with the PDPA may entail fines and imprisonment.
The penalties for non-compliance with the PDPA are (depending on the offence committed):
- Fines between MYR10,000 and MYR500,000.
- Imprisonment of between six months and three years.
- Both a fine and imprisonment.
For non-compliance with the PDPC’s direction to a data user to cease, or not to begin, processing data subjects’ personal data for purposes of direct marketing, the penalty is a fine not exceeding MYR200,000, imprisonment for a term not exceeding two (2) years, or both.
In broad terms, multinational organisations should be aware of the following key factors if they process personal data / information from individuals within this jurisdiction, without being located there:
As mentioned above, the PDPA has “extra-territorial effect” on organisations outside of Malaysia in certain circumstances.
In this regard, organisations located outside of Malaysia that collect and process personal data in Malaysia should conduct the necessary assessment to determine whether the PDPA applies to them. If it does, they are required to comply with the requirements of the PDPA.
Multinational organisations should be aware of the following upcoming data protection developments:
A study was conducted in 2019 to review the PDPA. On 14 February 2020, the PDPC issued a Public Consultation Paper on the Review of the PDPA to gauge the views and comments of the public on the proposed improvements to the PDPA, with a view to strengthening its existing provisions in line with international standards. To date, the PDPC has not published any update on this review.