Personal Data Protection (Registration of Data User) Regulations 2013

Compoundable Offences under the Personal Data Protection Act 2010

Certain offences under the Personal Data Protection Act 2010 (PDPA) are compoundable as of 15 March 2016.

Under the Personal Data Protection (Compounding of Offences) Regulations 2016, the following offences are compoundable by making payment to the Commissioner of Personal Data Protection Malaysia:-

Offences under the PDPA

(1) Breach of any of the Personal Data Protection Principles (s. 5(2))
(2) Processing of personal data without the required registration under PDPA (this is only applicable to certain class of users) (s. 16(4))
(3) Processing of personal data after registration under the PDPA is revoked by the Personal Data Protection Commissioner (s. 18(4))
(4) Failure to surrender certificate of registration after revocation (s. 19(2))
(5) Failure to make a note on an expression of opinion which is considered as inaccurate, incomplete, misleading or not up-to-date by a person who made a data correction request and using that expression of opinion without the note being drawn to the attention of and being available for inspection by that person (s. 37(4))
(6) Failure to cease processing of personal data upon receipt of withdrawal of consent to process personal data (s. 38(4))
(7) Processing of sensitive personal data without explicit consent (s. 40(3))
(8) Failure to comply with an enforcement notice (s. 108(8))

Offences under the Personal Data Protection Regulations 2013

(1) Failure to obtain consent from a data subject in relation to the processing of personal data in any form that such consent can be recorded and maintained properly by the data user (Reg 3(1))
(2) Failure to develop and implement a security policy or that the security policy implemented does not comply with the security standards set by the Commissioner. Failure to ensure that the security standard in the processing of personal data be complied with by any data processor (Reg 6)
(3) Failure to comply with the retention standards set out by the Commissioner (Reg 7)
(4) Failure to comply with the data integrity standards set out by the Commissioner (Reg 8)

Offences under the Personal Data Protection (Registration of Data User) Regulations 2013

(1) Failure to renew the data user certificate of registration and continues to process personal data after expiry of the certificate of registration (Reg. 5)
(2) Failure to notify the Commissioner in writing of any change to the particulars in the certificate of registration (Reg 6(5))
(3) Failure to display the certificate of registration and any amendment to the certificate, if any, at a conspicuous place at the principal place of business and a certified copy of the certificate for each branch, where applicable. (Reg 8(3))

Enforcement of the Personal Data Protection Act 2010

It is official. The Malaysian Personal Data Protection Act 2010 (“PDPA”) will be in force on 15 November 2013. As expected, Tuan Abu Hassan bin Ismail is appointed as the Personal Data Protection Commissioner with effect from 15 November 2013.

Data users now have 3 months to comply with the PDPA in respect of personal data processed before 15 November 2013 and immediate compliance with the PDPA for personal data collected from 15 November 2013.

The enforcement of the PDPA also introduced four (4) new subsidiary legislations namely:-

1.Personal Data Protection (Fees) Regulations 2013;
2. Personal Data Protection (Registration of Data User) Regulations 2013;
3. Personal Data Protection (Class of Data Users) Order 2013; and
4. Personal Data Protection Regulations 2013.

For your easy reading, I have summarised the new regulations below.

Registration of Class of Data Users

The new regulations require certain class of data users to register with the Personal Data Protection Commissioner. They are:-

1. Communications
(a) A licensee under the Communications and Multimedia Act 1998 [Act 588].
(b) A licensee under the Postal Services Act 2012 [Act 741].

2. Banking and financial institution
(a) A licensed bank and licensed investment bank under the Financial Services Act 2013 [Act 758].
(b) A licensed islamic bank and licensed international islamic bank under the Islamic Financial Services Act 2013 [Act 759].
(c) A development financial institution under the Development Financial Institution Act 2002 [Act 618].

3. Insurance
(a) A licensed insurer under the Financial Services Act 2013.
(b) A licensed takaful operator under the Islamic Financial Services Act 2013.
(c) A licensed international takaful operator under the Islamic Financial Services Act 2013.

4. Health
(a) A licensee under the Private Healthcare Facilities and Services Act 1998 [Act 586].
(b) A holder of the certificate of registration of a private medical clinic or a private dental clinic under the Private Healthcare Facilities and Services Act 1998.
(c) A body corporate registered under the Registration of Pharmacists Act 1951 [Act 371].

5. Tourism and hospitalities
(a) A licensed person who carries on or operates a tourism training institution, licensed tour operator, licensed travel agent or licensed tourist guide under the Tourism Industry Act 1992 [Act 482].
(b) A person who carries on or operates a registered tourist accommodation premises under the Tourism Industry Act 1992.

6. Transportation
(a) Malaysian Airlines System (MAS).
(b) Air Asia.
(c) MAS Wings.
(d) Air Asia X.
(e) Firefly.
(f) Berjaya Air.
(g) Malindo Air.

7. Education
(a) A private higher educational institution registered under the Private Higher Educational Institutions Act 1996 [Act 555].
(b) A private school or private educational institution registered under the Education Act 1996 [Act 550].

8. Direct selling
A licensee under the Direct Sales and Anti-Pyramid Scheme Act 1993 [Act 500].

9. Services
(a) A company registered under the Companies Act 1965 [Act 125] or a person who entered into partnership under the Partnership Act 1961 [Act 135] carrying on business as follows:
(i) legal;
(ii) audit;
(iii) accountancy;
(iv) engineering; or
(v) architecture.

(b) A company registered under the Companies Act 1965 or a person who entered into partnership under the Partnership Act 1961, who conducts retail dealing and wholesale dealing as defined under the Control Supplies Act 1961 [Act 122].
(c) A company registered under the Companies Act 1965 or a person who entered into partnership under the Partnership Act 1961, who carries on the business of a private employment agency under the Private Employment Agencies Act 1981 [Act 246].

10. Real estate
(a) A licensed housing developer under the Housing Development (Control and Licensing) Act 1966 [Act 118].
(b) A licensed housing developer under the Housing Development (Control and Licensing) Enactment 1978, Sabah.
(c) A licensed housing developer under the Housing Developers (Control and Licensing) Ordinance 1993, Sarawak.

11. Utilities
(a) Tenaga Nasional Berhad.
(b) Sabah Electricity Sdn. Bhd.
(c) Sarawak Electricity Supply Corporation.
(d) SAJ Holding Sdn. Bhd.
(e) Air Kelantan Sdn. Bhd.
(f) LAKU Management Sdn. Bhd.
(g) Perbadanan Bekalan Air Pulau Pinang Sdn. Bhd.
(h) Syarikat Bekalan Air Selangor Sdn. Bhd.
(i) Syarikat Air Terengganu Sdn. Bhd.
(j) Syarikat Air Melaka Sdn. Bhd.
(k) Syarikat Air Negeri Sembilan Sdn. Bhd.
(l) Syarikat Air Darul Aman Sdn. Bhd.
(m) Pengurusan Air Pahang Berhad.
(n) Lembaga Air Perak.
(o) Lembaga Air Kuching.
(p) Lembaga Air Sibu.

Personal Data Protection Regulations 2013

Personal Data Protection Regulations 2013 provided some guidelines on the definition of consent of a data subject in the PDPA. In this regard, consent must be in a form that can be recorded and maintained properly by the data user. Burden of proof for consent lie on the data user.

Any privacy policy must also provide the designation of the contact person, phone number, fax number (if any), e-mail address (if any) and such other related information.

Data user shall develop and implement a security policy to comply with Security Principal.

The Personal Data Protection Regulations 2013 also stated that the Personal Data Protection Commissioner may notify a data user of his intention to carry out an inspection on a personal data system used by a data user.

 Scroll to top