Personal Data Protection Act PDPA 2010 | Malaysia

Personal Data Protection Act (PDPA) 2010 – An Overview


Malaysia has recently implemented its own version of the Personal Data Protection Act (PDPA) 2010. This will have many implications for companies engaging in digital marketing. Let’s take a look at how it might affect you, the marketer.

Disclaimer: Nothing written here constitutes legal advice.

1) Personal Data Protection Act (PDPA) Principles

Malaysia’s Personal Data Protection Act (2010) comprises the following principles:

  • General Principle
  • Notice and Choice Principle
  • Disclosure Principle
  • Security Principle
  • Retention Principle
  • Data Integrity Principle
  • Access Principle

Anyone who breaches any of the above principles will be liable to a fine not exceeding three hundred thousand ringgit (MYR300,000) and / or a jail term not exceeding two years.

An important term that you should know with regard to the PDPA 2010 is “data user”. A data user is a person or persons who has control over, or is able to authorize, the processing of any personal data.

General Principle


The general principle is that you will have to obtain the consent of an individual (let’s call this person Alicia, it sounds more personal) if you want to process her personal data.

This is unless:

  1. Processing is necessary for the performance of a contract to which Alicia is a party
  2. You need to process the data because Alicia is considering entering into a contract with you
  3. Processing is needed to comply with any legal obligation to which Alicia is subject
  4. You need to protect Alicia’s vital interests
  5. Processing is needed for the administration of justice

Notice and Choice Principle

For marketers, the most crucial element will be getting consent and providing adequate notice.

What to Notify

Under Malaysia’s Personal Data Protection Act (PDPA) 2010, you need to provide a written notice that includes:

  • A description of the personal data being processed
  • The purpose for which the data is being collected or processed
  • Source of that personal data, if available
  • Alicia’s right to access her personal data as well as to request correction of any errors or omissions and how to contact you (the data user) to gain access
  • If you are disclosing Alicia’s personal data to any third parties, you must inform her of the class of those third parties
  • Whatever choices or means you offer that Alicia can use to limit the processing of her personal data, including data that may relate to other persons who can be identified from her personal data
  • Whether Alicia has the option to submit the data or whether it is compulsory
  • If it is compulsory, the consequences of not submitting that data must be made known to Alicia

This means that your Data Protection Policies or Privacy Policy should include all of the information above.

Another important point is that the notice above must be in both Bahasa Malaysia and English, and Alicia has the choice of selecting the language.

When to Notify

You should provide the notice as described above:

  • At the point the data is being collected or when it is first requested
  • When you are using that data for a purpose other than the one for which it was collected
  • Before that data is disclosed to a third party

Disclosure Principle

You will need to get Alicia’s express consent (again) if:

  • You are going to use the data you have previously collected for a purpose other than the one for which it was initially collected
  • You are releasing Alicia’s data to a third party of a class other than the one to which she consented her data being released

Security Principle

You must take reasonable precautions to keep the data safe. If you are hiring someone else (a ‘data processor’) to process the data for you, the data processor must provide sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out, and you must take reasonable steps to ensure compliance with those measures.

Retention Principle

Malaysia’s PDPA 2010 states that you cannot retain personal data longer than is necessary to fulfil the purpose for which it was collected. Once that purpose has been fulfilled, you must take all reasonable steps to destroy or permanently delete that data.

Data Integrity Principle

It is your responsibility to take reasonable steps to ensure that any data collected is accurate, complete, not misleading and kept up-to-date.

Access Principle

You must provide Alicia with access to her personal data, and she must be able to correct any errors or omissions in that data, unless such access or correction is expressly refused under the PDPA 2010.

2) Registration

Several classes of data users will be required to register under the PDPA (2010).

Class of Users

You can find the document outlining the classes of data users by searching for “Personal Data Protection Act PDPA 2010 Class of Users”.

These classes of users include:

  • Communications
  • Banking & Financial Institutions
  • Insurance
  • Health
  • Tourism & Hospitality
  • Transportation
  • Education
  • Direct Selling
  • Services (includes companies registered under the Companies Act 1965)
  • Real Estate
  • Utilities

Registration: What to Expect

To register under the PDPA 2010, you will need:

  • To pay the registration fees
  • For public or private companies, to bring along your Memorandum of Association and Articles of Association
  • For other types of organisations, to bring along the constituent documents under which you are established

The Malaysian Institute of Accountants has released a flow chart of the registration process that you can access here.

Upon registration, you will be issued a certificate. This certificate will be valid for a period of twelve (12) months unless it has been revoked.

You will have to pay to get your certificate renewed.

If you do not renew your certificate, you can be fined up to two hundred and fifty thousand ringgit (MYR250,000) and / or jailed for up to a maximum of two (2) years.

You will need to display your certificate conspicuously at your principal place of business and a copy at each branch. If you fail to do so, you will be fined up to ten thousand ringgit (MYR10,000) and / or be jailed up to one (1) year.

Schedule of Registration Fees


You can download the Personal Data Protection (Registration of Data User) Regulations 2013 document by clicking on the link.


3) With Regards to Direct Marketing

Alicia (the data subject, if you recall) can request that she not be the subject of any direct marketing activities.

For the purposes of this section, “direct marketing” means the communication by whatever means of any advertising or marketing material which is directed to particular individuals.

If you do not cease doing so, Alicia may send a complaint to the Commissioner and, if it is found to be justified and reasonable, you will be sent a notice to comply. If you do not comply with this notice, you can be fined up to two hundred thousand ringgit (MYR200,000) and / or be jailed for up to two (2) years.

4) Record-Keeping

A data user shall keep and maintain a record of any application, notice, request or any other information relating to personal data that has been or is being processed by him.

5) Right of Access to Personal Data

You will have to provide Alicia with access to her personal data. There might be a fee involved for a “requestor” (their words) to have any information with regards to Alicia’s personal data or to have a copy of the data.

I’m not a lawyer, but the use of the word “requestor” rather than “data subject” suggests to me that any third party may approach the data user and purchase your personal information. If that’s the case, then that doesn’t seem to protect the data subject’s privacy that much, does it? Do correct me if I’m wrong here.

If a data subject (Alicia, again) requests access to her data, you have twenty-one (21) days from receipt of that request to comply. If for some reason you are unable to do so, you must:

  • Inform Alicia that you are unable to do so
  • Provide the reasons why
  • Comply with the data access request to the extent that you are able to do so

More Info on Personal Data Protection Act (PDPA) Malaysia

You can check out Malaysia’s Personal Data Protection Act (PDPA) 2010 in its entirety on the Kementerian Komunikasi & Multimedia’s (also known as the Ministry of Communications & Multimedia) website.
