Background and applicability of the Personal Data Protection Act 2010 (“PDPA”)
The PDPA regulates the processing of individuals’ personal data and defines processing widely as collecting, recording, holding or storing personal data, or carrying out any operation or set of operations on personal data, in commercial transactions in Malaysia.
The PDPA applies to you if you:
- have a business in Malaysia;
- process personal data in a commercial transaction;
- control or authorise another person to process personal data in a commercial transaction;
- process personal data using equipment located in Malaysia;
- record personal data in a filing system.
The PDPA does not apply to:
- Federal and State Government;
- non-commercial transactions;
- personal, family and household affairs;
- credit reference agencies (e.g. CTOS), which are governed by the Credit Reporting Agencies Act 2010;
- personal data processed outside Malaysia.
Key Highlights of the PDPA
1. What are commercial transactions?
The PDPA applies when your business processes personal data in any transaction of a commercial nature. The PDPA defines commercial transactions as transactions, whether contractual or not, which include matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance.
2. Roles under the PDPA
3. What is personal data and are you collecting personal data in your business?
If your business requires customers to provide personal data such as their name, identification card number, address, photograph or telephone number through a manual form, website or software application, you are most likely processing personal data, that is, collecting, recording, holding or storing it.
4. The 7 personal data protection principles
A business dealing with the processing of personal data is legally obligated to comply with the 7 personal data protection principles. The principles are the General Principle, Notice and Choice Principle, Disclosure Principle, Security Principle, Retention Principle, Data Integrity Principle and Access Principle.
The business is to ensure that the personal data is:
- processed for a lawful purpose, with the consent of the individual, and only where processing is necessary for that purpose – General Principle (Section 6 of the PDPA);
- adequate and not excessive for that purpose – General Principle (Section 6 of the PDPA);
- processed in accordance with the individual’s rights under the PDPA – Notice and Choice Principle (Section 7 of the PDPA);
- not disclosed without the individual’s consent – Disclosure Principle (Section 8 of the PDPA);
- protected by security measures incorporated in the equipment or at the workplace – Security Principle (Section 9 of the PDPA);
- not kept longer than is necessary – Retention Principle (Section 10 of the PDPA);
- accurate, complete and kept up to date – Data Integrity Principle (Section 11 of the PDPA);
- accessible to the individual, who may view and correct his personal data – Access Principle (Section 12 of the PDPA).
How do the 7 personal data protection principles apply?
A business may only process a customer’s personal data if the customer consents to it and has been informed, before the personal data is collected, of the purpose for which it is being collected. For example, if a business intends to perform customer profiling, such as analysing a customer’s buying patterns and purchase history, it must state that purpose in its data protection notice.
For a better understanding of how a business is affected by the PDPA, let’s use an e-commerce business as an example: when a prospective customer intends to purchase a product through the e-commerce website, the website prompts the customer to register by providing identifiable information.
In the e-commerce online application form, the customer discloses personal data such as his name, address, telephone number, email, date of birth, nationality and gender. The business must ensure that the purpose for which the data is being processed is clearly stated for each processing activity. The customer must not be misled, and the consent the customer gives should not be a blanket consent allowing the e-commerce business to use the personal data at its own discretion. Accepting a blanket consent, or obtaining consent in isolation without proper and full disclosure, does not legitimise the processing of the personal data. Likewise, consent obtained through coercion, undue influence, fraud, misrepresentation or mistake may not satisfy the conditions for processing.
Where products and services are obtained by filling in paper applications and forms, the business must follow the same processes for complying with the 7 personal data protection principles.
A business is not allowed to use or disclose the customer’s personal data for any other purpose without the customer’s consent. It must ensure that the customer’s personal data is accurate, complete and kept up to date, and it may not keep the personal data for longer than is necessary to fulfil its intended purpose. Under the PDPA the customer must also be informed, by written notice, of his right to request access to his personal data at any time and to correct it where necessary.
It is critical for a business processing personal data to evaluate its policies, processes and security controls in order to prevent leakage of personal data and unauthorised use and access, whether by its employees or by third parties.
A business that does not comply with the 7 personal data protection principles commits an offence under the PDPA and, on conviction, is liable to a fine not exceeding RM300,000 (Ringgit Malaysia Three Hundred Thousand) or imprisonment for a term not exceeding two years, or both.