NAVIGATING THE PERSONAL DATA PROTECTION ACT ("PDPA") 2010

Information technology is becoming increasingly integrated with our daily lives, fostering a symbiotic relationship between goods or services providers and their consumers: the providers gather invaluable personal data from their consumers, while the consumers enjoy a seamless and personalised experience. However, this development has opened a Pandora's box of online threats, such as ransomware, phishing, and hacking. As such, our policymakers have enacted the Personal Data Protection Act ("PDPA") 2010.

Annisa Maisara & Sirhan Sidqi

10/12/2023 · 2 min read

Information technology is becoming increasingly integrated with our daily lives, fostering a symbiotic relationship between goods or services providers and their consumers: the providers gather invaluable personal data from their consumers, while the consumers enjoy a seamless and personalised experience.

However, this development has opened a Pandora's box of online threats, such as ransomware, phishing, and hacking. As such, our policymakers have enacted the Personal Data Protection Act ("PDPA") 2010. The PDPA is a two-fold legislation: it regulates the processing of personal data and provides for connected and incidental matters. The PDPA has transformed personal data protection in Malaysia, replacing industry-specific regulations (e.g., in banking and healthcare) with a comprehensive umbrella legislation applicable across all sectors.

The PDPA applies exclusively to commercial transactions. Exempted from the Act are the Federal and State Governments, data processed outside Malaysia without further processing within Malaysia, personal data used for personal, family, household, or recreational purposes, and businesses governed by the Credit Reporting Agencies Act 2010. The PDPA also aligns with international standards and covers various stakeholders through its protection principles, procedural requirements, data user forums, codes of practice, and data subjects' rights.

There are 7 personal data protection principles that data users or processors must respect:

  • General

  • Notice & Choice

  • Disclosure

  • Security

  • Retention

  • Data Integrity

  • Access

There are also 5 data subjects’ rights enshrined under Part II, Division 4 of the PDPA:

  • To access personal data

  • To correct personal data

  • To prevent processing likely to cause damage or loss

  • To withdraw consent

  • To prevent processing for direct marketing purposes

In the context of the PDPA, "processing" covers collecting, holding, recording, storing, or carrying out operations on personal data. To better understand the PDPA, it is advisable to get to know the key parties involved:

  • Data subjects: individuals whose personal data are being collected.

  • Data users: persons possessing, controlling, or authorising the processing of any personal data.

  • Data processors: persons, other than the data user's employees, who process personal data solely on behalf of data users.

  • Third parties: persons other than those listed above.

The Personal Data Protection Commissioner (PDPC) helps ensure that the legal rights of data users are upheld and that organisations meet their obligations under the PDPA. The Commissioner's powers are provided under Section 49 of the PDPA and include:

  • Collect fees as may be prescribed by the Minister

  • Appoint any persons to assist him in performing his functions

  • Formulate HR development and cooperation programmes

  • Perform other functions assigned by the Minister

  • Do things consequential to the performance of his functions

Section 101 of the PDPA further provides for inspections, complaints and investigations. The Commissioner may also issue a Code of Practice (CoP). These codes may include recommendations on data security measures, consent mechanisms, data retention policies and more, depending on the particular industry's requirements. The PDPA Notice and the General Code of Practice (CoP) are two distinct approaches to governing the handling of personal data. A CoP is wider in scope, covering multiple areas of ethical behaviour and professional conduct. The PDPA Notice, by contrast, is narrow in scope: it is a mandatory disclosure that organisations must provide to individuals when collecting their personal data. The PDPA Notice is legally binding, and organisations are obliged to follow the guidelines stipulated in the PDPA regarding its content and delivery. Failure to do so can result in legal consequences, including fines and penalties.

The PDPA plays a pivotal role in safeguarding the privacy and personal information of individuals in our increasingly digital world. It not only establishes a legal framework for responsible data handling but also fosters trust between individuals and organisations.