The Malaysia Personal Data Protection Act 2010 (PDPA) was introduced and implemented on November 15, 2013. It sets out a complete cross-sectoral framework to protect individuals’ personal data in commercial transactions.
This article is the first of three and covers an introduction to PDPA 2010 law, its underlying scope and definitions, where PDPA authority lies and the sectors that must register.
The PDPA was introduced to strengthen consumer confidence in business transactions and e-commerce, given the increasing number of credit card and identity theft frauds, as well as the sale of personal data without the user’s consent.
Before PDPA 2010 was introduced, data protection obligations existed only within specific sectoral secrecy and confidentiality obligations – personal information was protected only as ‘confidential information’, through civil actions or contractual obligations relating to breach of confidence.
Under the Act, data users must be in compliance with seven personal data protection principles:
The Personal Data Protection Commissioner is the acting and responsible authority in Malaysia for implementing and executing PDPA 2010 laws.
The Commissioner has sole discretion to do whatever is necessary for the performance of his or her functions under the PDPA. This includes the power to:
Investigate
Inspect data users’ personal data systems
Access computerized data
Search and seize data where necessary (with or without a warrant)
The Commissioner also has the right to serve an enforcement notice after an investigation. The notice outlines the breach, the remedial steps required and the compliance deadline, or, if required, directs the data user to stop processing personal data indefinitely.
The following sectors are required to register with the Commissioner’s office according to the Personal Data Protection Order 2013:
Banking and financial institutions
Tourism and hospitality
Services sector (accountancy, audit, legal, architecture or engineering)
The Formiti International team covers data regulations across 6 global regions and 15 countries.
In Part 2, we’ll discuss the disclosure principle, security principle, retention principle and data integrity principle contained within PDPA 2010.