The PDPA, Data Protection Rights for Malaysian Citizens

Malaysia’s Personal Data Protection Act 2010 or PDPA for short is a data privacy law that was passed in Malaysia in 2010. Prior to the passing of the PDPA, data legislation within Malaysia was limited to sector-specific laws in relation to finance, healthcare, communications, etc. What’s more, the PDPA also established subsidiary legislation, including laws regulating the registration of data users, fees, and the compounding of offenses under the law. Moreover, this subsidiary legislation also established a commissioner for the purposes of enforcing the law in relation to non-compliance.

What is the scope and application of the PDPA?

In terms of the personal scope of the law, the PDPA applies to any person who processes or has control over the processing of personal data (‘data user’). It is pertinent to note that processing is defined widely under the PDPA to cover a wide range of activities, including using, disseminating, collecting, recording, and/or storing personal data. In relation to the territorial scope of the law, the PDPA generally does not apply to personal data that is processed outside of Malaysia, unless said personal data will be processed further within Malaysia, or if a data controller uses equipment within the country to process data.

In terms of the material scope of the law, the PDPA covers personal data, defined as the collection, recording, holding, or storing of personal data, as well as carrying out any operation in relation to personal data, including the following:

• The organization, alteration, and adaptation of personal data.
• The use, consultation, and retrieval of personal data.
• The disclosure of personal data by the means of transmission, dissemination, transfer, or any other means of making personal data available.
• The combination, correction, alignment, erasure, and destruction of personal data.

What are the requirements of data controllers under the PDPA?

The PDPA establishes a number of data protection principles that data controllers must adhere to at all times when collecting, processing, or disclosing the personal data of Malaysian citizens. These data protection principles are as follows:

• General principle– The general principle of the PDPA mandates that personal data shall not be processed unless said data is used for a lawful purpose that is directly related to the activity of the data user, is necessary for or directly related to this purpose, and that the data is both adequate and non-excessive and relation to this purpose.
• Notice and choice principle– The notice and choice principle mandates that data controllers must provide data subjects with written notice detailing whether the personal data of the data subject is being processed, as well as a description of the data, the purposes for which this personal data is to be collected and further processed, any information available to the data controller as it pertain to the source of the personal data that is used, the data subjects right to both access and request correction as it relates to personal data, the contact details of the data controller in the event of any complaints or inquiries, the class or categories of third parties to whom the data may also be disclosed to, the choices and means that are to be offered to the data subject in order to limit the processing of their personal data, and whether it is obligatory or voluntary for the data subject to supply their data, as well as the consequences that can result from refusing to divulge said personal data.
• Disclosure principle– The disclosure principle prohibits a data controller from disclosing the personal data of a data subject for any purpose other than the purpose disclosed, or to any party other than the class of third parties disclosed to the data subject.
• Security principle– The security principle requires that data controllers adopt specific measures to protect the personal data of data subjects from loss, misuse, alteration, modification, or any other form of unauthorized access or disclosure during the course of data processing activities.
• Retention principle– The retention principle mandates that personal data must not be retained for any period longer than is necessary to fulfill the purposes for which said data was collected and processed. The retention principle also requires that data controllers destroy or permanently delete all personal data that is no longer needed for the purpose in which it was stored.
• Data integrity principle– The data integrity principle mandates that data controllers take reasonable measures and steps to ensure that personal data is accurate, complete, and kept up to date in relation to the purpose, including any other directly related purposes, for which all personal data was collected and processed.

What are the rights of data subjects under the PDPA?

The PDPA grants Malaysian citizens various rights in relation to data protection. These rights include:

• The right to access personal data.
• The right to require a data controller to correct their personal data.
• The right to withdraw consent to the processing of personal data.
• The right to prevent data processing that is likely to cause damage or distress.
• The right to prevent data processing for direct marketing purposes.

In terms of punishments in relation to violations of the law, data controllers who are found to be in non-compliance with the PDPA are subject to a prison term of up to three years, as well as administrative fines ranging from MYR 300,000 (,079) to MYR 500,000 (6,814). Additionally, due to the sub legislation that was also passed alongside the PDPA, data controllers are also subject to compounded offenses and term punishments, in instances in which a particular data controller is found to be repeatedly in violation of the law.

As the PDPA was passed over 10 years ago in 2010, Malaysia was an early adopter of the privacy legislation that has become commonplace in recent years. As many countries around the world have taken great influence from the EU’s General Data Protection Regulation or GDPR, the PDPA is in many ways ahead of the curve as it pertains to both the requirements that are placed on data controllers, as well as the punishments that can be imposed against said data controllers when they violate the law. As such, Malaysia is among a shortlist of countries around the world that offers stringent data protection rights to their citizens, with few exceptions.