- General Questions
To protect the personal information of an individual that is processed for the purpose of commercial transactions.
All individuals and organizations that process personal data in their affairs must comply with the regulations set out in the Personal Data Protection Act 2010. The Federal Government and State Governments are exempt.
The Personal Data Protection Act contains seven principles of information handling practices that must be followed.
General Principles
Principles of Notice and Choice
The Principle of Revelation
Safety Principles
Storage Principles
Principles of Data Integrity
Access Principles
Any data that allows a living individual to be identified is protected under the Personal Data Protection Act. Some examples of data can be considered personal data as long as a living individual can be identified from the information or data:
Name and address
Identification card number
Passport number
Health information
Email address
Pictures
limage in closed circuit recording (CCTV)
Information in personal files
An organization must comply with the Act only if it “processes” personal data. The Personal Data Protection Act defines the meaning of the word “processing”. The definition is very broad. “Processing” personal data means doing something to the data including collecting, recording, holding, storing, organizing, changing, disclosing and destroying. Just by reading or accessing information is already considered “processing”.
Examples of activities that may be considered “processing” include:
Collect data using a form, over the phone or through a website
Publishing data
Selling data
Using data in administration
Using data for marketing purposes
Record data
Disclose or provide data to other organizations
Destroy data
The Personal Data Protection Act applies to an individual and an organization if they are a “Data Controller.” A “Data Controller” is an individual or organization that:
Processing personal data, or
Have control over the processing of personal data, or
Authorizing the processing of personal data
The Personal Data Protection Act does not apply to an individual or organization that processes personal data on behalf of a data controller.
If organization A obtains the services of organization B to process data on its behalf, then in this relationship, organization A is the data controller while organization B is the data processor. The Personal Data Protection Act requires organization A to ensure that organization B guarantees to take security measures to protect the data it processes. Organization A is also required by the Act to ensure that organization B complies with the measures.
The Personal Data Protection Act provides rules on good practice in processing personal data of living individuals. The Act defines the individuals whose data is processed by the data controller as data subjects.
Data subjects are granted the following rights:
The right to be informed whether their data is being processed by an organisation
The right to access personal data
The right to correct personal data
The right to withdraw consent to process personal data
The right to prevent processing that may cause damage or distress
The right to prevent processing for direct marketing purposes
The Personal Data Protection Act defines sensitive personal data as information about an individual’s health or physical or mental condition, political opinions, religious beliefs and other beliefs of a similar nature. In addition, the conduct or statement of conduct of any offense by an individual is also sensitive personal data.
The Act does not allow the processing of sensitive personal data except for the purposes specified in the Act and such processing must be with the express consent of the data subject.
Individuals who feel that their personal data has been processed in breach of the provisions of any provision of the Act may make a complaint to the Personal Data Protection Commissioner.
The Act does not specifically provide for the right to claim damages.
Remedies under the Personal Data Protection Act are in the form of criminal offences. The Act has created several new criminal offences, these include the following offences:
Processing personal data without registration certificate
Processing personal data after registration is cancelled
Violate any data principles
Processing personal data after consent is withdrawn
Processing sensitive personal data not according to the conditions that have been set
Selling or offering to sell personal data
Failure to comply with the requirements of the Personal Data Protection Commissioner to comply with notices regarding direct marketing.
- General principles
If the data controller clearly states in its contract with the third party the responsibility to comply with the PDPA when processing personal data on their behalf, any breach by the third party may be subject to fines/imprisonment or both.
Yes, you must ensure that there is in that place outside Malaysia in force any law which is substantially similar to the PDPA, or which has the same purpose as the Act; or the place ensures an adequate level of protection in relation to the processing of personal data which is at least equivalent to the level of protection provided by the PDPA.
No, because you are included as a third party in the bank agreement between the bank and the customer.
If the data controller clearly states in its contract with the third party the responsibility for compliance with the PDPA when processing personal data on their behalf, any breach by the third party may be subject to fines/imprisonment or both.
Yes, you can scan records. However, because records are sensitive data; you need to ensure data security is in accordance with PDP Security Principles and Standards.
yes. However, sending promotional newsletters or updates must have consent from your customers.
- Registration
Once a company has registered as a Data Controller under the PDPA, it can begin to comply with the provisions of the Act.
In situations where both colleges hold the same brand under one license by the Ministry of Education; the main college has to register and apply for CTC from the PDP Commissioner for all its branches in Malaysia.
However, if both colleges hold separate licenses; then registration is applicable to both.
As Immigration is a federal department, it is not bound by the PDPA. In addition, according to Section 39; disclosure of personal data to authorities may be granted such as for the prevention and detection of crime, and for investigative purposes. However, the data controller should have procedures to verify the validity of the request.
The data controller may not keep personal data longer than necessary unless there are other legal provisions that require longer data retention.
Yes, under P.U.(A) 337/2013, Regulation 8(1) and Regulation 9; each branch must display a certified true copy of the registration certificate. A certified true copy can be applied for online at https://daftar.pdp.gov.my
Data controllers who are within the Personal Data Protection (Group of Data Controllers) Order 2013 (P.U.(A). 336) or the Personal Data Protection (Group of Data Controllers) (Amendment) Order 2016 (P.U.(A). 326)
Registered data controllers will be issued a Registration Certificate and a Data Controller Forum will be established. The Data Controller Forum will provide a Code of Practice where it can increase trust and integrity in handling personal data
Late registration renewal is considered as processing personal data without a registration certificate. It is an offense under Section 16(4) of the PDPA.
- Principles of Notice and Choice
A Privacy Notice that must be consistent with all provisions under Section 7, PDPA must be served by the data controller to its customers when processing the customer’s personal data. In addition, consent for the transfer of personal data abroad must also be obtained by the data controller. However, as a data processor; you are responsible for ensuring the security of the transfer.
You can put up a simple CCTV notice about “Surveillance for Safety”
The Commissioner’s Office has established Guidance on Privacy Notices. Yes, the Office has communicated with MAH in producing the Tourism & Hospitality Sector Code of Practice
- The Principle of Revelation
In order to provide services to customers, the bank may need to disclose customer information to any third party acting on behalf of the bank.
This is in line with Section 8 of the PDPA which states that there is no disclosure of personal data without the customer’s consent to any third party other than those listed by the data controller in the Disclosure List as required by PU(A) 335/2013.
The APDP Disclosure Principles stipulate that no data subject’s personal data may be disclosed without consent