Enforcement of the Personal Data Protection Act 2010

It is official. The Malaysian Personal Data Protection Act 2010 (“PDPA”) will be in force on 15 November 2013. As expected, Tuan Abu Hassan bin Ismail is appointed as the Personal Data Protection Commissioner with effect from 15 November 2013.

Data users now have 3 months to comply with the PDPA in respect of personal data processed before 15 November 2013, and must comply immediately with the PDPA in respect of personal data collected from 15 November 2013.

The enforcement of the PDPA also introduces four (4) new pieces of subsidiary legislation, namely:

1. Personal Data Protection (Fees) Regulations 2013;
2. Personal Data Protection (Registration of Data User) Regulations 2013;
3. Personal Data Protection (Class of Data Users) Order 2013; and
4. Personal Data Protection Regulations 2013.

For your easy reading, I have summarised the new regulations below.

Registration of Class of Data Users

The new regulations require certain classes of data users to register with the Personal Data Protection Commissioner. They are:

1. Communications
(a) A licensee under the Communications and Multimedia Act 1998 [Act 588].
(b) A licensee under the Postal Services Act 2012 [Act 741].

2. Banking and financial institution
(a) A licensed bank and licensed investment bank under the Financial Services Act 2013 [Act 758].
(b) A licensed Islamic bank and licensed international Islamic bank under the Islamic Financial Services Act 2013 [Act 759].
(c) A development financial institution under the Development Financial Institution Act 2002 [Act 618].

3. Insurance
(a) A licensed insurer under the Financial Services Act 2013.
(b) A licensed takaful operator under the Islamic Financial Services Act 2013.
(c) A licensed international takaful operator under the Islamic Financial Services Act 2013.

4. Health
(a) A licensee under the Private Healthcare Facilities and Services Act 1998 [Act 586].
(b) A holder of the certificate of registration of a private medical clinic or a private dental clinic under the Private Healthcare Facilities and Services Act 1998.
(c) A body corporate registered under the Registration of Pharmacists Act 1951 [Act 371].

5. Tourism and hospitalities
(a) A licensed person who carries on or operates a tourism training institution, licensed tour operator, licensed travel agent or licensed tourist guide under the Tourism Industry Act 1992 [Act 482].
(b) A person who carries on or operates a registered tourist accommodation premises under the Tourism Industry Act 1992.

6. Transportation
(a) Malaysian Airlines System (MAS).
(b) Air Asia.
(c) MAS Wings.
(d) Air Asia X.
(e) Firefly.
(f) Berjaya Air.
(g) Malindo Air.

7. Education
(a) A private higher educational institution registered under the Private Higher Educational Institutions Act 1996 [Act 555].
(b) A private school or private educational institution registered under the Education Act 1996 [Act 550].

8. Direct selling
A licensee under the Direct Sales and Anti-Pyramid Scheme Act 1993 [Act 500].

9. Services
(a) A company registered under the Companies Act 1965 [Act 125] or a person who entered into partnership under the Partnership Act 1961 [Act 135] carrying on business as follows:
(i) legal;
(ii) audit;
(iii) accountancy;
(iv) engineering; or
(v) architecture.

(b) A company registered under the Companies Act 1965 or a person who entered into partnership under the Partnership Act 1961, who conducts retail dealing and wholesale dealing as defined under the Control Supplies Act 1961 [Act 122].
(c) A company registered under the Companies Act 1965 or a person who entered into partnership under the Partnership Act 1961, who carries on the business of a private employment agency under the Private Employment Agencies Act 1981 [Act 246].

10. Real estate
(a) A licensed housing developer under the Housing Development (Control and Licensing) Act 1966 [Act 118].
(b) A licensed housing developer under the Housing Development (Control and Licensing) Enactment 1978, Sabah.
(c) A licensed housing developer under the Housing Developers (Control and Licensing) Ordinance 1993, Sarawak.

11. Utilities
(a) Tenaga Nasional Berhad.
(b) Sabah Electricity Sdn. Bhd.
(c) Sarawak Electricity Supply Corporation.
(d) SAJ Holding Sdn. Bhd.
(e) Air Kelantan Sdn. Bhd.
(f) LAKU Management Sdn. Bhd.
(g) Perbadanan Bekalan Air Pulau Pinang Sdn. Bhd.
(h) Syarikat Bekalan Air Selangor Sdn. Bhd.
(i) Syarikat Air Terengganu Sdn. Bhd.
(j) Syarikat Air Melaka Sdn. Bhd.
(k) Syarikat Air Negeri Sembilan Sdn. Bhd.
(l) Syarikat Air Darul Aman Sdn. Bhd.
(m) Pengurusan Air Pahang Berhad.
(n) Lembaga Air Perak.
(o) Lembaga Air Kuching.
(p) Lembaga Air Sibu.

Personal Data Protection Regulations 2013

The Personal Data Protection Regulations 2013 provide some guidelines on the definition of consent of a data subject in the PDPA. In this regard, consent must be in a form that can be recorded and maintained properly by the data user. The burden of proof for consent lies on the data user.

Any privacy policy must also provide the designation of the contact person, phone number, fax number (if any), e-mail address (if any) and such other related information.

A data user shall develop and implement a security policy to comply with the Security Principle.

The Personal Data Protection Regulations 2013 also state that the Personal Data Protection Commissioner may notify a data user of his intention to carry out an inspection of a personal data system used by a data user.

Comments

23 responses to “Enforcement of the Personal Data Protection Act 2010”

  1. gilagolf

    Dear Sir,

    Under the services category, if my company category is not listed as any of the ones in 9(a), (b) and (c), does that mean PDPA does not apply to us? I was under the understanding that PDPA will apply to ALL businesses but only the businesses listed above are required to register.

    1. FCL

      gilagolf: The category listed above is only for classes of data users who are required to register with the Commissioner. The PDPA applies to all businesses that process personal data.

  2. Micro

    What is the consequence if the data subject didn't want to give consent to the data user to process their personal data? Kindly advise.

    1. FCL

      Micro: It depends on the facts of the case. For example, if a data subject refuses to give his name to register an account with you, one of the consequences is that you will not be able to provide him with your services/products.

  3. Vincent Teoh

    Will the data protection act affect callers such as telemarketers, insurance agents and property agents?

    1. FCL

      Vincent: Yes, the law applies to them.

  4. Sitatunga

    What about the Record that should be kept by data users under Section 44 of the Act? Any details from the Regulators on its form?

    1. FCL

      Sitatunga: At the moment, no details on the section 44 Form have been provided by the Commissioner.

  5. Hmliau

    May I know where & how to register, Mr Foong?

  6. helen

    Does a Co (Sdn Bhd) which provides tax services / tax agent need to register under this PDP Act?

    1. FCL

      Helen: Companies providing tax services are not required to register at this juncture.

  7. Danny Foo

    Quick question. Must the PDPA notice (short and/or long) be in English and BM, or is 1 language permitted?

    And how is the PDPA in effect for blogs like this when there isn’t an authorization step before posting a comment?

    1. FCL

      Danny: Must be in both BM and English.

  8. Jack

    For recruitment services, we keep resumes/CVs with full particulars to enable us to do matching to our clients' wants. We also collect personal records of candidates with their past working experiences. Does that mean we have to erase all these records?

    1. FCL

      Jack: Maybe, depending on whether you have the consent of the data subjects (candidates).

  9. asmah

    Does PDPA apply to government sectors?

    1. FCL

      asmah: No, PDPA exempts the Federal and State Governments.

      1. Joel

        How about an agreement between the state and a private company? Do we need to put a PDPA clause in the agreement?

        1. FCL

          Joel: It would depend on the purpose of the agreement. Regardless, I would recommend such clauses to be inserted in such agreement.

          1. Joel

            Thanks FCL!

  10. Min young

    Hi, are we required to register? Our company is registered under “The Company Act 1965”, dealing with customers to make calls for a lead generation program on behalf of our partner. “Customers also share their details with us”.

    1. FCL

      Min Young: Do you mean register with the Personal Data Protection Commissioner? If so, there is no requirement for “lead generation” companies to register with them.
