The Malaysia Personal Data Protection Act 2010 – All You Need to Know (Part 1)

The Malaysia Personal Data Protection Act (PDPA) of 2010 came into force on November 15, 2013. It sets out a complete cross-sectoral framework for protecting individuals’ personal data in the context of commercial transactions.

This article is the first of three and covers an introduction to PDPA 2010 law, its underlying scope and definitions, where PDPA authority lies and the sectors that must register.

An Introduction to PDPA 2010 Law

The PDPA was introduced to strengthen consumer confidence in business transactions and e-commerce, in response to the growing number of credit card and identity theft frauds, as well as the sale of personal data without the user’s consent.

Before PDPA 2010 was introduced, data protection obligations existed only within specific sectoral secrecy and confidentiality obligations – personal information was protected only as ‘confidential information’ through civil actions or contractual obligations for breach of confidence.

Scope and definitions

Under the Act, data users must be in compliance with seven personal data protection principles:

  1. General – Personal data may only be processed with the explicit consent of the data subject.
  2. Notice and Choice – Data subjects must be informed by written notice of (among other things) the type of data being processed, the purpose for processing it, their right to request access to that data and to correct it, and the choices and means by which they can limit the processing of their personal data.
  3. Disclosure – Personal data must not be disclosed for any purpose other than the one disclosed at the time of collection; furthermore, data may only be disclosed to the third parties that the data subject has already agreed to or that the data user notified in advance.
  4. Security – Data users must take the necessary steps to protect personal data from misuse, loss, manipulation and unauthorized access, disclosure, modification or destruction.
  5. Retention – Personal data may not be kept for longer than is necessary to fulfil the purpose for which it was collected.
  6. Data integrity – Data users must take appropriate steps to ensure that the personal data they hold is up to date, accurate, complete and not misleading in any way.
  7. Access – Data subjects must be given access to their personal data so that they can update or correct any data that is inaccurate, incomplete or misleading.

PDPA authority

The Personal Data Protection Commissioner is the authority responsible for implementing and enforcing PDPA 2010 in Malaysia.

The Commissioner has discretion to do whatever is necessary for the performance of his or her functions under the PDPA. This includes:

The power to investigate
Inspect data users’ personal data systems
Access computerized data
Search and seize data where necessary (with or without a warrant)

The Commissioner also has the right to serve an enforcement notice after an investigation. The notice outlines the breach, the remedial steps required and the compliance deadline – or, if required, directs the data user to stop processing data indefinitely.

Sectors that must register

The following sectors are required to register with the Commissioner’s office according to the Personal Data Protection Order 2013:

Banking and financial institutions
Tourism and hospitality
Direct selling
Real estate
Services sector (accountancy, audit, legal, architecture or engineering)


In Part 2, we’ll be discussing the disclosure principle, security principle, retention principle, and data integrity principle contained within PDPA 2010.
