Official Portal of
Department of Personal Data Protection

Frequently Asked Questions


What Is the Purpose of the Act?

To protect an individual's personal data that is processed for the purposes of commercial transactions.

Who Must Comply?

All individuals and organizations that process personal data in commercial transactions must comply with the rules set out in the Personal Data Protection Act 2010. The Federal Government and State Governments are exempted.

What Are the Rules?

  1. General Principle
  2. Notice and Choice Principle
  3. Disclosure Principle
  4. Security Principle
  5. Retention Principle
  6. Data Integrity Principle
  7. Access Principle

What Is Personal Data?

Any information, or chain of information, that allows a living individual to be identified is covered by the Personal Data Protection Act. Below are some examples of data that can be considered personal data:

  1. Name and address
  2. Identification card number
  3. Passport number
  4. Health Information
  5. E-mail Address
  6. Picture
  7. Images recorded by closed-circuit television (CCTV)
  8. Information contained in personal files

What Is "Processing"?

An organization must comply with the Act only if it is "processing" personal data. The Personal Data Protection Act defines "processing" broadly: "processing" personal data means doing anything with the data, including collecting, recording, holding, storing, organizing, modifying, disclosing and destroying it. Merely reading or accessing the information is already considered "processing".
Examples of activities that can be considered "processing" include:
  1. Collecting data through forms, by phone or via the web
  2. Publishing data
  3. Selling data
  4. Using administrative data
  5. Using data for marketing purposes
  6. Recording data
  7. Disclosing or providing data to other organizations
  8. Destroying data
Who Is a "Data User"?

The Personal Data Protection Act applies to individuals and organizations that are "data users". A "data user" is an individual or organization that:
  1. Processes personal data, or
  2. Has control over the processing of personal data, or
  3. Allows processing of personal data
What Is a "Data Processor"?

A data processor is an individual or organization that processes personal data on behalf of a data user and does not process the personal data for any purpose of its own. The Personal Data Protection Act does not apply directly to a data processor.

If organization A engages organization B to process data on its behalf, organization A is the data user and organization B is the data processor. The Personal Data Protection Act requires organization A to ensure that organization B gives sufficient guarantees that it will take measures to protect the security of the data processed. Organization A is also required by the Act to take reasonable steps to ensure that organization B complies with those measures. In other words, the obligation, and the liability for a breach by the processor, stays with the data user.

Who Is a "Data Subject"?

The Personal Data Protection Act sets out rules of good practice for the processing of the personal data of living individuals. The Act defines the individuals whose data is processed by data users as data subjects.

Data subjects are given the following rights:

  1. The right to be told whether their data is being processed by an organization
  2. The right to access their personal data
  3. The right to correct their personal data
  4. The right to withdraw consent to the processing of their personal data
  5. The right to prevent processing that is likely to cause damage or distress
  6. The right to prevent processing for the purposes of direct marketing

What Is Sensitive Personal Data?

Under the Personal Data Protection Act, sensitive personal data means any personal data consisting of information as to an individual's physical or mental health or condition, political opinions, religious beliefs or other beliefs of a similar nature. The commission or alleged commission of any offense by the individual is also sensitive personal data.

The Act does not allow the processing of sensitive personal data except for the purposes specified in the Act, and then only with the explicit consent of the data subject.

How Do I Complain?

An individual who believes that their personal data has been processed in breach of any provision of the Act may lodge a complaint with the Personal Data Protection Commissioner.

What Are the Penalties?

Enforcement under the Personal Data Protection Act is by way of criminal offense. The Act creates several new criminal offenses, among them:

  1. Processing of personal data without a certificate of registration
  2. Processing of personal data after the revocation of registration
  3. Non-compliance with the Personal Data Protection Principles
  4. Processing of personal data after consent is withdrawn
  5. Processing of sensitive personal data not in accordance with the conditions that have been set
  6. Selling or offering to sell personal data
  7. Failure to comply with a requirement of the Personal Data Protection Commissioner to comply with a data subject's notice to cease processing for direct marketing

Jabatan Perlindungan Data Peribadi
