Personal Data Protection (Compounding of Offences) Regulations 2016

Compoundable Offences under the Personal Data Protection Act 2010

Certain offences under the Personal Data Protection Act 2010 (PDPA) are compoundable as of 15 March 2016.

Under the Personal Data Protection (Compounding of Offences) Regulations 2016, the following offences are compoundable by making payment to the Commissioner of Personal Data Protection Malaysia:-

Offences under the PDPA

(1) Breach of any of the Personal Data Protection Principles (s. 5(2))
(2) Processing of personal data without the required registration under PDPA (this is only applicable to certain class of users) (s. 16(4))
(3) Processing of personal data after registration under the PDPA is revoked by the Personal Data Protection Commissioner (s. 18(4))
(4) Failure to surrender certificate of registration after revocation (s. 19(2))
(5) Failure to make a note on an expression of opinion which is considered as inaccurate, incomplete, misleading or not up-to-date by a person who made a data correction request and using that expression of opinion without the note being drawn to the attention of and being available for inspection by that person (s. 37(4))
(6) Failure to cease processing of personal data upon receipt of withdrawal of consent to process personal data (s. 38(4))
(7) Processing of sensitive personal data without explicit consent (s. 40(3))
(8) Failure to comply with an enforcement notice (s. 108(8))

Offences under the Personal Data Protection Regulations 2013

(1) Failure to obtain consent from a data subject in relation to the processing of personal data in any form that such consent can be recorded and maintained properly by the data user (Reg 3(1))
(2) Failure to develop and implement a security policy or that the security policy implemented does not comply with the security standards set by the Commissioner. Failure to ensure that the security standard in the processing of personal data be complied with by any data processor (Reg 6)
(3) Failure to comply with the retention standards set out by the Commissioner (Reg 7)
(4) Failure to comply with the data integrity standards set out by the Commissioner (Reg 8)

Offences under the Personal Data Protection (Registration of Data User) Regulations 2013

(1) Failure to renew the data user certificate of registration and continues to process personal data after expiry of the certificate of registration (Reg. 5)
(2) Failure to notify the Commissioner in writing of any change to the particulars in the certificate of registration (Reg 6(5))
(3) Failure to display the certificate of registration and any amendment to the certificate, if any, at a conspicuous place at the principal place of business and a certified copy of the certificate for each branch, where applicable. (Reg 8(3))

 Scroll to top