In this article, we will look into Malaysia’s data protection act, the PDPA 2010, and its requirements for protecting and lawfully using the personal data of Malaysian citizens.

Blog summary

Malaysia’s PDPA, like any data protection act, serves Malaysians’ right to privacy of their personal data and protects their rights and freedoms. However, unlike many data protection acts, Malaysia’s PDPA applies only to entities that process data inside Malaysia.

It is built around seven principles that govern how personal data must be handled. Like the GDPR, it requires people’s explicit consent to process their data.

What is Malaysia’s Personal Data Protection Act (PDPA) 2010?

Malaysia’s Personal Data Protection Act (PDPA) 2010 came into force on November 15, 2013. Like any other data protection act, it aims to protect the personal data of individuals and to introduce privacy standards for handling it.

Under the PDPA, personal data refers to any information from which it is possible to identify a person, directly or indirectly. Sensitive personal data means any personal data consisting of information about the physical or mental health or condition of data subjects, their political opinions, their religious beliefs or other beliefs of a similar nature, or criminal offense reports.

The Personal Data Protection Commissioner (PDPC) is the supervising authority in Malaysia for implementing and enforcing the PDPA. 

The PDPC has the power to:

  • investigate
  • inspect data users’ personal data systems
  • access the data
  • search for and seize the data, with or without a warrant

Following an investigation, the PDPC can serve notices and order data processing to stop. It can also direct data users on the steps to take to comply with the act.

Scope of Malaysia’s PDPA

The Act applies to any data user (persons, establishments, websites, companies, etc.) who processes or authorizes the processing of personal data for commercial purposes. If the data user is not in Malaysia, the act applies only if they use equipment in Malaysia to process the data.

What makes Malaysia’s data protection act different from other acts is that its regulations do not extend to data processing outside Malaysia. That is, if the personal data is processed outside Malaysia, the act does not apply unless the data is intended to be further processed in Malaysia. The act also does not apply to the federal government or the state governments.

Seven principles of Malaysia’s PDPA

General principle

You cannot process personal data without the explicit consent of the data subject unless the processing is necessary for:

  • fulfilling a contractual obligation
  • taking steps required for entering into a contract at the request of the data subject
  • fulfilling a legal obligation other than a contractual one
  • protecting the vital interests of the data subject
  • the administration of justice
  • exercising any function conferred on a person by law

Even with consent, you can only process personal data if:

  • it is for a lawful purpose
  • the processing is necessary for, or related to, that lawful purpose
  • the personal data is adequate and not excessive for that purpose

Notice and choice principle

Under the PDPA, you must notify data subjects of:

  • the fact that their personal data is being processed, together with a description of the data
  • the purpose for which the data was or will be collected
  • any information available about the source of the personal data
  • the data subject’s right to request access to or correction of their personal data, and the contact information for registering any inquiries or complaints
  • the classes of third parties to whom the personal data is disclosed
  • the means and choices available to the data subject for limiting the processing
  • whether it is obligatory or voluntary for the data subject to provide the personal data
  • if it is obligatory, the consequences of not providing the data

The notice must be given to the data subject before or at the time of collecting personal data.


Disclosure principle

Under this principle, you cannot, without the data subject’s consent, disclose personal data:

  • for any purpose other than the one for which the data was collected
  • for any purpose that is not related to that purpose
  • to any party other than the designated third parties

Even without consent, you are allowed to disclose personal data if:

  • it is necessary to detect or prevent crime, or is required for a criminal investigation or legal action
  • it is authorized by law or by a court order
  • the data user believes they have reasonable legal grounds to disclose the personal data
  • the data user believes the data subject would have given consent had they been aware of the disclosure
  • the disclosure is justified as being in the public interest, in circumstances determined by the Minister in charge of the protection of personal data

Security principle

You must protect personal data from any loss, misuse, modification, and unauthorized or accidental access or disclosure, taking into account:

  • the nature of the personal data and the harm that would result from its loss, misuse, unauthorized or accidental access or disclosure, alteration, or destruction
  • the place or location where the personal data is stored
  • any security measures incorporated into any equipment in which the personal data is stored
  • the measures taken to ensure the reliability, integrity, and competence of personnel having access to the personal data
  • the measures taken to ensure the secure transfer of the personal data

Retention principle

You must not keep personal data longer than necessary for the intended purpose. You must ensure that the data is destroyed or permanently deleted if it is no longer necessary for the purpose. 

Data integrity principle

You must ensure that the personal data collected is accurate, complete, not misleading, and up-to-date.

Access principle

Data subjects have the right to request access to their personal data and to have it corrected if it is inaccurate, incomplete, misleading, or not up-to-date. The only exception is where the data user is entitled to refuse the request.

A data user must comply with the request within 21 days of receiving it. You may also charge a reasonable fee for providing access to the data.

Rights of data subjects under Malaysia’s PDPA

Right of access to personal data

A data subject has the right to be told whether personal data is being processed by or on behalf of the data user, and to access that personal data. They are also entitled to receive a copy of the personal data in an easy-to-understand form.

You must not take more than 21 days to comply with the request. If you are unable to comply within 21 days, you must inform the data subject of this and of the reason for it.

In such a case, you will have a further 14 days to comply.

Right to correct personal data

Data subjects have the right to have their personal data corrected if it is inaccurate, incomplete, misleading, or not kept up-to-date.

As mentioned earlier, you have 21 days to comply with this request. If you are unable to respond within that time, you must inform the data subject and give the reason.

After making the necessary correction, you must provide the data subject with a copy of the corrected data.

Fine for non-compliance with Malaysia’s PDPA

If you fail to comply with the PDPA standards or commit any offense under the act, you are liable to a fine of up to five hundred thousand Malaysian ringgit, imprisonment of up to three years, or both.

How to make your website comply with Malaysia’s PDPA?

If you have a website of Malaysian origin, or one that collects and processes the personal data of Malaysian citizens inside the country, you must consider the following points to make it PDPA-compliant:

  1. Identify the types of data your website collects.
  2. Identify the lawful purpose for which you collect the data.
  3. Add a cookie consent banner to inform visitors about, and obtain their consent for, cookies that collect data.
  4. Get consent to collect other data and to share it with third parties.
  5. Add a privacy policy page that discloses the types of data you collect, how and why you collect them, and the third parties you share the data with.
  6. Add a link or page through which visitors can request access to and correction of their personal data.
  7. If collected data is no longer required for your intended purpose, remove it from your database.
  8. Secure your website and protect the database from unauthorized access or theft.

Get compliant with Malaysia’s PDPA using CookieYes

CookieYes is a cookie consent solution for GDPR and CCPA compliance. It manages user consent for cookies. 

With the CookieYes cookie consent banner, you can inform users about the information that Malaysia’s PDPA requires websites to disclose. You can also block third-party cookies until you get user consent.

[Image: CookieYes cookie consent banner]

Some of the major features that CookieYes provides are:

  • A fully customizable cookie consent notice that you can match to your website’s design.
  • A cookie consent banner available in 26 languages.
  • Auto-translation of the consent notice.
  • Auto-scanning of your website for cookies, which are then added to your cookie consent notice.
  • Identification and auto-blocking of third-party cookies before user consent is obtained; you can also add cookie scripts to be blocked prior to consent.
  • Logging of user consent so that consent can be demonstrated if needed.
  • A quick and easy way to add a privacy policy page that discloses how the website processes data and the contact information for queries and concerns.

[Image: CookieYes dashboard]

Sign up today for free and make your website cookie-compliant.