
Personal Data Principles Under Personal Data Protection Act 2010 (PDPA)

Introduction

In Malaysia, the Personal Data Protection Act 2010 (“PDPA”) regulates the processing of personal data in commercial transactions and provides for matters connected therewith and incidental thereto. The PDPA applies to any person who processes, has control over, or authorizes the processing of any personal data in respect of a commercial transaction.

The term “commercial transaction” is defined in the PDPA to mean “any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but does not include a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2010”.

In essence, the PDPA requires a “data user”1 (now known as a “data controller”) to comply with seven (7) personal data protection principles (“Data Protection Principles”). This article focuses on the Data Protection Principles in the sections that follow.

Data Protection Principles

  1. General Principle

A data user may not process personal data about a “data subject”2 unless the data subject has given consent, or the processing falls within one of the permitted circumstances, such as the performance of a contract to which the data subject is a party, compliance with a legal obligation, protection of the vital interests of the data subject, or the administration of justice.

  2. Notice and Choice Principle

A data user is required to inform the data subject that their personal data is being processed, including the purpose of the processing, the source of the data, and the classes of third parties to whom it may be disclosed. The data subject must also be told of their rights to access, correct, and limit the processing of their data, whether supplying the data is obligatory or voluntary, and, if obligatory, the consequences of failing to supply it.

  3. Disclosure Principle

Personal data may not be disclosed without the data subject's consent for any purpose other than the purpose for which it was collected, or a purpose directly related to it. Nor may it be disclosed to any party outside the class of third parties notified to the data subject. Any disclosure must therefore remain within the original purpose and the notified recipients.

  4. Security Principle

A data user must take practical steps to protect personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration, or destruction. In deciding what steps are practical, the data user must have regard to the nature of the data and the harm that would result from such an event, the place where the data is stored, the security measures built into the equipment that stores it, the measures taken to ensure the reliability, integrity, and competence of personnel with access to it, and the measures taken to ensure its secure transfer. If a data user engages a data processor to process the data on its behalf, the data user must ensure that the processor provides sufficient guarantees of the security measures governing the processing, and must take reasonable steps to ensure the processor complies with those measures.

  5. Retention Principle

Personal data should not be kept longer than necessary for the intended purpose. The data user is responsible for ensuring that personal data is destroyed or permanently deleted once it is no longer needed for processing. Reasonable steps must be taken to ensure its proper disposal.

  6. Data Integrity Principle

A data user must take reasonable steps to ensure personal data is accurate, complete, not misleading, and kept up-to-date. This should be done in consideration of the original and any related purposes for which the data was collected.

  7. Access Principle

A data subject has the right to access their personal data held by a data user and to have it corrected where it is inaccurate, incomplete, misleading, or out of date, except where the PDPA permits the data user to refuse the request for access or correction.

Recent Amendments

Recent amendments have been made to the PDPA which, amongst others, allow notices under the PDPA to be delivered by electronic means, rename “data users” as “data controllers”, classify biometric data as sensitive personal data, extend the Security Principle to apply directly to data processors, increase the penalty for contravening the Data Protection Principles, require the appointment of data protection officers, and introduce a right to data portability3.

Offences by Body Corporate

If a body corporate commits an offence under the PDPA, any person who, at the time of the offence, was a director, chief executive officer, chief operating officer, manager, secretary, or other similar officer of the body corporate, or was purporting to act in any such capacity, or was in any manner or to any extent responsible for the management of any of its affairs or assisting in such management, may also be held liable for the offence.

Penalty

Contravention of any of the Data Protection Principles is an offence punishable by a fine of up to RM1,000,000.00, or imprisonment for a term not exceeding three years, or both.

Conclusion

The PDPA serves as a crucial framework for safeguarding personal data from misuse while ensuring responsible data processing by organisations. By establishing clear requirements for the collection, storage, and use of personal data, the PDPA enhances consumer trust and aligns Malaysia with global data protection standards. Compliance with the PDPA is essential for businesses to avoid legal repercussions and to maintain ethical data practices. Moving forward, continued updates and enforcement will be key to addressing emerging data privacy challenges in the digital era.


1 Data User: means a person who either alone or jointly or in common with other persons processes any personal data or has control over or authorizes the processing of any personal data, but does not include a data processor

2 Data Subject: means an individual who is the subject of the personal data

3 While some of the amendments are already in effect, the remainder are expected to come into effect on 1 April 2025 and 1 June 2025.


Written by

Yasmin Harizal

Associate (Corporate & Commercial) | NSA Legal
