
Page 1: Data protection in Malaysia: overview

Data protection in Malaysia: overview, Practical Law Country Q&A w-007-6764

© 2020 Thomson Reuters. All rights reserved. 1

Data protection in Malaysia: overview, by Adlin Abdul Majid, Partner, Lee Hishammuddin Allen & Gledhill, with Practical Law Data Privacy Advisor

Country Q&A | Law stated as of 07-Apr-2020 | Malaysia

A Q&A guide to data protection in Malaysia.

This Q&A guide gives a high-level overview of the data protection laws, regulations, and principles in Malaysia, including the main obligations and processing requirements for data controllers, data processors, or other third parties. It also covers data subject rights, the supervisory authority's enforcement powers, and potential sanctions and remedies. It briefly covers rules applicable to cookies and spam.

To compare answers across multiple jurisdictions, visit the Data protection Country Q&A tool.

Regulation

Legislation

1. What national laws regulate the collection, use, and disclosure of personal data?

General Laws

In Malaysia, the Personal Data Protection Act 2010 (PDPA) and its subsidiary legislation regulate the collection and use of personal data. The PDPA's subsidiary legislation includes:

• The Personal Data Protection Regulations 2013.

• The Personal Data Protection (Class of Data Users) Order 2013.

• The Personal Data Protection (Registration of Data User) Regulations 2013.

• The Personal Data Protection (Fees) Regulations 2013.

• The Personal Data Protection (Compounding of Offences) Regulations 2016.

• The Personal Data Protection Standard 2015.


Sectoral Laws

No sectoral laws specifically pertain to personal data processing. However, under the PDPA, specific classes of data users (typically within the same industry) may prepare and register their codes of practice with the Personal Data Protection Commissioner (Commissioner) (see Question 7). Data users registered within the same class must comply with these codes of practice (see Section 25(2), PDPA). Codes of practice for the following industries are currently in effect:

• The utilities (electricity) sector.

• The banking and financial institutions sector.

• The insurance and takaful sector.

• The aviation sector.

• The communications sector.

Certain laws also impose secrecy obligations for certain types of data, which may include personal data. For example:

• The Financial Services Act 2013 and the Islamic Financial Services Act 2013, which prohibit any person who has access to documents or information relating to the affairs or account of any customer of a financial or Islamic financial institution from disclosing this information, unless otherwise permitted under these acts. For more information on these laws, see Practice note, Bank Secrecy Laws (Malaysia).

• The Money Services Business Act 2011, which prohibits the director, chief executive officer, controller, or employee of a licensee or money services business from disclosing any information or document relating to the affairs or accounts of any of its customers, unless otherwise permitted under the law.

• The Credit Reporting Agencies Act 2010, which prohibits credit reporting agencies from disclosing, unless otherwise permitted under that law:

• a customer's information that a credit provider collected during or in connection with providing credit; or

• any customer record or information processed during or in connection with the carrying on of a credit reporting business.

With the exception of the Credit Reporting Agencies Act 2010, the foregoing laws are still subject to the PDPA when the data involved falls within the definition of personal data (see Question 3).

The answers to this Q&A focus on the PDPA. Other laws are outside the scope of this Q&A.

Scope of Legislation


2. To whom do the laws apply?

The Personal Data Protection Act 2010 (PDPA) protects the personal data of data subjects, who are individuals who are the subject of personal data (Section 4, PDPA).

The PDPA applies to data users, known in other jurisdictions as data controllers, who are any persons who process, have control over, or authorise the processing of any personal data pertaining to commercial transactions (Section 4, PDPA).

The PDPA does not provide a definition for persons. However, under the Interpretation Acts of 1948 and 1947, the definition of person includes any "body of persons, corporate or unincorporated."

The PDPA does not directly regulate data processors, meaning any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user and does not process the personal data for any of its own purposes (Section 4, PDPA).

For more on the definition of personal data, see Question 3. For more on data processing operations pertaining to commercial transactions, see Question 4. For more information on exemptions from the PDPA, see Question 6.

3. What personal data does the law regulate?

The Personal Data Protection Act 2010 (PDPA) regulates personal data processing. Personal data is any information with respect to a commercial transaction that relates directly or indirectly to an identified or identifiable individual (data subject), who can be identified from that information or from that and other information in the data user's possession, where the data is also:

• Processed wholly or partly by automated means.

• Recorded with the intention that it should be processed wholly or partly by automated means.

• Recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system.

(Section 4, PDPA.)

Personal data also includes any sensitive personal data and expressions of opinion about a data subject. Sensitive personal data is any personal data consisting of the following information about a data subject:

• Physical or mental health or condition.


• Political opinions.

• Religious beliefs or other beliefs of a similar nature.

• The data subject's commission or alleged commission of an offence.

• Any other personal data as the Minister of Communications and Multimedia may determine, by order published in the Gazette. To date, the Minister has not published any orders in the Gazette defining any personal data as sensitive personal data.

(Section 4, PDPA.)

For information regarding the processing of personal data, see Question 4. For information regarding the processing of sensitive personal data or special categories of personal data, see Question 11.

4. What acts are regulated?

The Personal Data Protection Act 2010 (PDPA) regulates personal data processing with respect to commercial transactions.

Processing means collecting, recording, holding, or storing the personal data or carrying out any operation or set of operations on the personal data, including:

• The organization, adaptation, or alteration of personal data.

• The retrieval, consultation, or use of personal data.

• The disclosure of personal data by transmission, transfer, dissemination, or otherwise making the personal data available.

• The alignment, combination, correction, erasure, or destruction of personal data.

(Section 4, PDPA.)

A commercial transaction is any transaction of a commercial nature, whether contractual or not, which includes any matters relating to:

• The supply or exchange of goods or services.

• Agency and investments.

• Financing, banking, and insurance.


• Any credit reporting business that a credit reporting agency carries out under the Credit Reporting Agencies Act 2010.

(Section 4, PDPA.)

5. What is the jurisdictional scope of the rules?

The Personal Data Protection Act 2010 (PDPA) applies to any person who processes or has control over or authorizes the processing of any personal data with respect to commercial transactions, and who:

• Is established in Malaysia.

• Is not established in Malaysia, but uses equipment in Malaysia to process personal data other than for the purposes of transit through Malaysia.

(Section 2(2), PDPA.)

The PDPA considers the following data users to have establishments in Malaysia:

• An individual who is physically present in Malaysia no less than 180 days in one calendar year.

• A body incorporated under the Companies Act 1965.

• A partnership or other unincorporated association formed under any written laws in Malaysia.

• Any person who does not fall within any of the above but in Malaysia maintains:

• an office, branch, or agency through which the person carries on any activity; or

• a regular practice.

(Section 2(4), PDPA.)

6. What are the main exemptions (if any)?


The Personal Data Protection Act 2010 (PDPA) does not apply to personal data processing in the following circumstances:

• By the federal government and state governments.

• For purposes of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010.

• Outside Malaysia, which is not intended to be further processed in Malaysia.

• By an individual only for the purposes of that individual's personal, family, or household affairs, including recreational purposes.

(Sections 3 to 4 and 45, PDPA.)

In addition, the PDPA provides exemptions from compliance with certain personal data protection principles, including personal data processing in the following circumstances:

• For the prevention or detection of crime or for the purposes of investigations.

• For the apprehension or prosecution of offenders.

• For the assessment or collection of any tax or duty or any other imposition of a similar nature.

• In relation to information on the data subject's physical or mental health, if applying these obligations would be likely to cause serious harm to the physical or mental health of the data subject or any other individual.

• For the sole purpose of preparing statistics or carrying out research, provided that the resulting statistics or the results of the research are not made available in a form that identifies the data subject.

• When necessary for the purpose of or in connection with any order or judgment of a court.

• For the purpose of discharging regulatory functions, if applying these obligations would be likely to prejudice the proper discharge of those functions.

• For journalistic, literary, or artistic purposes subject to certain conditions.

(Sections 45(1) to (2), PDPA.)

Notification

7. Is notification or registration with a supervisory authority required before processing data?


Under the Personal Data Protection Act 2010 (PDPA), data users must give written notice (in English and the national language) to a data subject on the processing of the data subject's personal data (Section 7(3), PDPA). For more on data users, see Question 2. For notice requirements, see Question 12.

Data users in the classes of data users listed under the Personal Data Protection (Class of Data Users) Order 2013 must register with the Personal Data Protection Commissioner (see Section 14, PDPA). This includes data users in the following industries:

• Communications.

• Banking and financial institutions.

• Insurance.

• Health.

• Tourism and hospitality.

• Transportation (aviation).

• Education.

• Direct selling.

• Professional Services.

• Real estate.

• Utilities.

• Pawn brokering.

• Moneylending.

A data user who falls within the classes of data users listed above and who processes personal data without first registering and obtaining a certificate of registration commits an offense (Section 16(4), PDPA).

A data user must accompany its application for registration with a fee and either a copy of:

• The memorandum of association and articles of association, if the data user in question is a private or public company.

• The constituent document under which the data user is established, if the data user is not a private or public company.

(Section 15, PDPA.)

Although these documents are specifically provided for under the Personal Data Protection (Registration of Data User) Regulations 2013, this is not an exhaustive list. Depending on the data user's industry, additional documentation may apply.

For more on data user registration, renewal, and revocation, see Sections 16 to 19 of the PDPA.


For more on controllers' other obligations under the PDPA, see Question 8; for more on notification requirements to individual data subjects, see Question 12.

Main Data Protection Rules and Principles

Main Obligations and Processing Requirements

8. What are the main obligations imposed on data controllers to ensure data is processed properly?

Under the Personal Data Protection Act 2010 (PDPA), data controllers are known as data users. When processing personal data, a data user must comply with the following main personal data protection principles:

• General Principle. Data users must not process personal data about a data subject unless the data subject consents to the processing or, in the case of sensitive personal data, explicitly consents to it. In addition, personal data must only be processed:

• for a lawful purpose directly related to an activity of the data user;

• to the extent necessary for or directly related to that purpose; and

• to an extent that is adequate and is not excessive in relation to that purpose.

• Notice and Choice Principle. The data protection notices must set out the choices that data subjects have to limit the personal data processing. For more information on notices, see Questions 7 and 12.

• Disclosure Principle. Data users must not disclose personal data without the data subject's consent, except where the disclosure is:

• for a purpose for which the personal data was to be disclosed at the time of collection, or for a purpose directly related to that purpose; or

• to a third party who belongs to a class listed in the written notice issued to the data subject under the Notice and Choice Principle.

• Security Principle. Data users must take practical steps to secure and protect personal data. For more information on security requirements, see Question 15.

• Retention Principle. Data users must:

• not keep personal data longer than is necessary to fulfil the processing's purpose; and


• take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed.

• Data Integrity Principle. Data users must take reasonable steps to ensure that personal data is accurate, complete, not misleading, and kept up to date.

• Access Principle. Data users must provide a data subject with access to the subject's personal data and ensure that the subject is able to correct inaccurate, incomplete, misleading, or outdated personal data.

(Sections 5 to 12, PDPA.)

9. Is the consent of data subjects required before processing personal data?

Under the General Principle (see Question 8) of the Personal Data Protection Act 2010 (PDPA), data users must obtain data subjects' consent before processing their personal data (Section 6(1), PDPA). The PDPA does not specifically define consent, but the Personal Data Protection Regulations 2013 (PDP Regulations) provide that consent may be in any form as long as the data user can:

• Record consent.

• Properly maintain the recorded consent.

(Regulation 3(1), PDP Regulations.)

The PDP Regulations also require data users to present the request for consent separately from other matters when consent is sought together with those other matters. Data users bear the burden of proving consent, and may be required to produce records of consent during Personal Data Protection Commissioner inspections (see Regulator details).

Online consent is acceptable if it complies with the PDP Regulations. Implied or inferred consent is also acceptable, but data users may have difficulty recording, maintaining, and producing records of consent obtained in this manner.

If a data subject is under the age of 18 years, the data user must obtain consent from one of the following:

• Parent.

• Guardian.

• Person who has parental responsibility over the data subject.

(Section 4, PDPA.)


10. If consent is not given, on what other grounds (if any) can processing be justified?

Under the Personal Data Protection Act 2010 (PDPA), the data user is not required to obtain consent when processing data:

• For the performance of a contract to which a data subject is a party.

• While conducting pre-contractual due diligence at the data subject's request.

• For compliance with any legal obligation to which the data user is subject, other than a contractual obligation.

• To protect a data subject's vital interests.

• For the administration of justice.

• For the exercise of any functions conferred on any person by or under any law.

(Section 6(2), PDPA.)

In addition, the PDPA provides exemptions from compliance with certain personal data protection principles, including processing personal data for:

• The prevention or detection of crime or for the purposes of investigations.

• The apprehension or prosecution of offenders.

• The assessment or collection of any tax or duty or any other imposition of a similar nature.

• The sole purpose of preparing statistics or carrying out research, provided that the resulting statistics or the results of the research are not made available in a form that identifies the data subject.

• A necessary purpose of or in connection with any court order or judgment.

• The purpose of discharging regulatory functions, if applying the PDPA would be likely to prejudice the proper discharge of those functions.

• Journalistic, literary, or artistic purposes subject to certain conditions.

(Section 45(2), PDPA.)

For more on data controllers' other main obligations, see Question 8. For more on consent as a legal basis to process data, see Question 9.

Special Rules


11. Do special rules apply for certain types of personal data, such as sensitive data?

Under the Personal Data Protection Act 2010 (PDPA), data users must obtain the data subject's explicit consent when processing sensitive personal data (Section 40(1)(a), PDPA). The PDPA does not define explicit consent. In the absence of local guidance and precedent, explicit consent may refer to specific, express consent.

Explicit consent is not required in the following circumstances:

• Where the processing is necessary:

• for purposes of exercising or performing any right or obligation conferred or imposed by law in connection with employment;

• to protect the vital interests of the data subject or another person;

• to protect the vital interests of another person in a case where consent by or on behalf of the data subject has been unreasonably withheld;

• for medical purposes and the processing is undertaken by a health care professional or a person who in the circumstances owes a duty of confidentiality;

• for the purposes of or in connection with any legal proceedings;

• for the purposes of obtaining legal advice;

• for the purposes of establishing, exercising, or defending legal rights;

• for the administration of justice;

• for the exercise of any functions conferred on any person by or under any written law; or

• for any other purposes determined by the Minister of Communications and Multimedia.

• Where the data subject has deliberately made the information in the personal data public.

(Section 40(1), PDPA.)

For more information on legal processing of non-sensitive personal data, see Question 9 and Question 10.

Rights of Individuals


12. What information rights do data subjects have?

Under the Personal Data Protection Act 2010 (PDPA), data users must inform a data subject by notice in writing (in both English and the national language) of the following information:

• That the data user or an entity acting on its behalf processes the data subject's personal data.

• A description of the personal data processed.

• The data user's purpose for processing the personal data.

• Any information available to the data user on the source of that personal data.

• The data subject's right to request access to and correction of their personal data.

• The means the data user offers for data subjects to ask questions or file complaints, and the contact details of a person handling questions or complaints for the data user.

• The third parties to whom the data user discloses or may disclose the personal data.

• The choices and means the data user offers the data subject to limit the processing of personal data, including personal data relating to other persons who may be identified from that personal data.

• Whether the provision of data by the data subject is obligatory or voluntary, and the consequences if the data subject fails to supply the personal data.

(Section 7(1), PDPA.)

The notice must be given at one of the following times:

• As soon as practicable when the personal data is collected.

• Before the personal data is used for a purpose other than the purpose for which it was collected.

• Before the personal data is disclosed to a third party.

(Section 7(2), PDPA.)

For more on other specific data subject rights, see Question 13.

13. Other than information rights, what other specific rights are granted to data subjects?

Under the Personal Data Protection Act 2010 (PDPA), data subjects have the following rights:


• The right to be informed about the data controller's personal data collection and use, including the source of the personal data and any third parties to whom the data controller may disclose the personal data (Section 30, PDPA; see Question 12).

• The right to access personal data (Section 30, PDPA).

• The right to rectify personal data (Section 34, PDPA).

• The right to withdraw in writing consent for the processing of their personal data (Section 38, PDPA).

• The right to prevent processing likely to cause unwarranted substantial damage or distress to them or another person (Section 42, PDPA).

• The right to prevent processing for purposes of direct marketing (Section 43, PDPA).

Data users must cease the processing of the specific personal data for which consent is withdrawn (Section 38(2), PDPA).

14. Do data subjects have a right to request the deletion of their data?

See Question 13.

Security Requirements

15. What security requirements are imposed in relation to personal data?

Under the Personal Data Protection Act 2010 (PDPA), data users should take practical steps to secure and protect personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration, or destruction, taking into account:

• The nature of the personal data and the harm that would result from such loss, misuse, modification, unauthorized or accidental access or disclosure, alteration, or destruction.

• The place or location where the personal data is stored.

• Any security measures incorporated into any equipment in which the personal data is stored.


• The measures taken for ensuring the reliability, integrity, and competence of personnel having access to the personal data.

• The measures taken for ensuring the secure transfer of the personal data.

(Section 9, PDPA.)

The data user must develop and implement a written security policy (see Regulation 6(1), PDP Regulations). In addition, the data user must ensure that its security policy complies with the security standards that the Personal Data Protection Commissioner sets out from time to time (see Regulator details).

The Personal Data Protection Standards 2015 (PDP Security Standards) provide the security standards for personal data processed electronically and non-electronically. The PDP Security Standards provide that data users must, among other requirements:

• Have a register of employees involved in personal data processing.

• Control, limit, and regulate employees' access to a personal data system.

• Provide user IDs and passwords for personal data access.

• Establish physical security procedures including:

• monitoring and controlling movement in and out of data storage sites; and

• storing personal data in a locked and safe place.

• Safeguard computer systems from malware threats and update back-up and recovery systems and anti-virus protections.

• Regulate usage of removable devices and cloud computing services.

• Maintain proper records of access to personal data.

• Ensure employees' confidentiality obligations when processing personal data.

• Ensure documents containing personal data are destroyed efficiently.

• Conduct awareness programs to all employees on the responsibility to protect personal data.

• Enter into binding contracts with third parties processing personal data to ensure the third parties comply with safety requirements.


16. Is there a requirement to notify data subjects or the supervisory authority about personal data security breaches?

The Personal Data Protection Act 2010 (PDPA) does not require that data subjects be notified of data security breaches.

Processing by Third Parties

17. What additional requirements (if any) apply where a third party processes the data on behalf of the data controller?

The Personal Data Protection Act 2010 (PDPA) requires data users engaging data processors to process personal data on the data user's behalf to ensure that the data processor:

• Provides sufficient guarantees with respect to the technical and organizational security measures governing the processing to be carried out.

• Takes reasonable steps to ensure compliance with those measures.

(Section 9(2), PDPA.)

The data user must ensure that all data processors comply with the security standards while processing personal data on behalf of the data user. Under the Personal Data Protection Standards 2015, data users must enter into a binding contract with third parties processing personal data to ensure that the third parties comply with safety requirements.

For information on cross-border data transfers, see Question 20.

Electronic Communications

18. Under what conditions can data controllers store cookies or equivalent devices on the data subject's terminal equipment?


The Personal Data Protection Act 2010 (PDPA) does not specifically regulate the storing of cookies or equivalent devices on the data subject's terminal equipment. If the storing of cookies or equivalent devices on the data subject's terminal equipment involves the processing of the data subject's personal data, the data user must comply with the general PDPA data protection principles (see Question 11).

19. What rules regulate sending commercial or direct marketing communications?

The Personal Data Protection Act 2010 (PDPA) provides an opt-out mechanism for direct marketing, which means the communication, by whatever means, of any advertising or marketing material directed to particular individuals. The PDPA generally does not require organizations to secure the recipient's consent before sending marketing emails. Instead, it requires an organization to cease, or not begin, processing personal data for direct marketing purposes upon the recipient's written request (Section 43, PDPA).

In addition, when sending unsolicited commercial communications to data subjects, the data user must comply with the data protection principles under the PDPA (see Question 11).

For more information on direct marketing in Malaysia, see Country Q&A, Email Marketing Compliance: Malaysia.

International Transfer of Data

Transfer of Data Outside the Jurisdiction

20. What rules regulate the transfer of data outside your jurisdiction?

The Personal Data Protection Act 2010 (PDPA) generally prohibits data users from transferring personal data outside Malaysia, unless an exception applies. Notwithstanding this, a data user may transfer personal data to a place outside Malaysia in the following circumstances:

• The Personal Data Protection Commissioner has approved the transfer to the designated jurisdiction by notification published in the Gazette. To date, the Commissioner has not approved any jurisdictions to which data users may transfer personal data outside of Malaysia.

• The data subject consents to the transfer.

• The transfer is necessary for the performance of a contract between the data subject and the data user.


• The transfer is necessary for the conclusion or performance of a contract between the data user and a third party entered into at the data subject's request or in the interests of the data subject.

• The transfer is for the purpose of legal proceedings or for the purpose of obtaining legal advice or for establishing, exercising, or defending legal rights.

• The data user has reasonable grounds to believe all of the following:

• the transfer is for the avoidance or mitigation of adverse action against the data subject;

• it is not practicable to obtain the data subject's written consent to that transfer; and

• if it was practicable to obtain the consent, the data subject would have consented.

• The data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not be processed in contravention of the PDPA.

• The transfer is necessary to protect the data subject's vital interests.

• The transfer is necessary as being in the public interest in circumstances as determined by the Minister of Communications and Multimedia.

(Section 129(3), PDPA.)

For more on transferring personal data out of Malaysia under the PDPA, see Practice Note, Cross-Border Personal Data Transfers (Malaysia).

21. Is there a requirement to store any type of personal data inside the jurisdiction?

There is no requirement under the Personal Data Protection Act 2010 (PDPA) to store any type of personal data inside Malaysia.

Data Transfer Agreements

22. Are data transfer agreements contemplated or in use? Has the supervisory authority approved any standard forms or precedents for cross-border transfers?


There are no specific requirements under the Personal Data Protection Act 2010 (PDPA) for a data user to enter into a data transfer agreement. The national authorities have not approved any standard forms or precedents. Data users, however, may employ data transfer agreements to:

• Comply with the requirements for the transfer of personal data outside of Malaysia.

• Ensure that data recipients process data in compliance with the PDPA.

For general and country-specific resources to help organizations comply with data protection laws when transferring personal data across borders, see Cross-Border Personal Data Transfers Toolkit.

23. For cross-border transfers, is a data transfer agreement sufficient to legitimize transfer?

See Question 20 and Question 22.

24. Must the relevant supervisory authority approve the data transfer agreement for cross-border transfers?

The Personal Data Protection Commissioner does not have to approve the data transfer agreement if the agreement complies with the requirements for the transfer of personal data outside of Malaysia. For more information on requirements for transfer of personal data outside of Malaysia, see Question 20 and Question 22.

Enforcement and Sanctions

25. What are the enforcement powers of the supervisory authority?

Under the Personal Data Protection Act 2010 (PDPA), the Personal Data Protection Commissioner (Commissioner) may authorize any officer or public officer to exercise the enforcement powers under the PDPA. These enforcement powers include:


• Investigating.

• Searching and seizing with or without warrant.

• Accessing computerized data.

• Requiring the production of any computer, book, account, computerized data, or other document the data user keeps.

• Requiring attendance of persons acquainted with the case.

• Examining persons acquainted with the case.

• Requiring forfeiture of computer, book, account, computerized data, or other documents.

• Making arrests.

(Part 9, PDPA.)

26. What are the sanctions and remedies for non-compliance with data protection laws?

The penalties for non-compliance with the Personal Data Protection Act 2010 are:

• Fines of between RM10,000 and RM500,000.

• Imprisonment of between six months and three years.

• Both a fine and imprisonment.

For non-compliance with the personal data protection principles (see Question 8), the penalties are a fine of RM300,000 (equivalent to USD73,000), imprisonment of two years, or both (Section 5, PDPA).

Currently, the national authority's priority is to create awareness and conduct audits on selected entities. It is anticipated that enforcement activities will commence in the near future.

Regulator Details

Department of Personal Data Protection (Jabatan Perlindungan Data Peribadi)

W www.pdp.gov.my/index.php


Main areas of responsibility. The Department of Personal Data Protection (JPDP) enforces and regulates the Malaysian Personal Data Protection Act 2010 (PDPA). The JPDP is a department under the Ministry of Communications and Multimedia. The JPDP is headed by the Personal Data Protection Commissioner, who is assisted by Deputy Commissioners and Assistant Commissioners. In addition, a Personal Data Protection Commissioner carries out the functions and powers assigned to it under the PDPA. The Minister of Communications and Multimedia (Minister) is in charge of the formulation and implementation of the national policy on personal data protection under the PDPA and is further charged with the responsibility for the Department of Personal Data Protection.


The Commissioner's functions include the following:

• To implement and enforce personal data protection laws, including the formulation of operational policies and procedures.

• To determine which places outside of Malaysia have in place a system for the protection of personal data that is substantially similar to that of the PDPA or that serves the same purposes as the PDPA.

• To monitor and supervise compliance with the provisions of the PDPA, including the issuance of circulars, enforcement notices, or any other instruments to any person.

• To promote awareness and dissemination of information to the public about the operation of the PDPA.

The Commissioner has the following powers:

• To collect fees as the Minister may prescribe.

• To appoint agents, experts, consultants, or any other persons as the Commissioner thinks fit to assist in the performance of its functions.

• To perform any other functions as the Minister may assign from time to time.

• To take action incidental to or consequential on the performance of the Commissioner's functions.

Online Resources

Department of Personal Data Protection (Jabatan Perlindungan Data Peribadi)

W www.pdp.gov.my/index.php/en/


Description: This website is the official website of the Department of Personal Data Protection (JPDP). It provides general information on the JPDP and the laws on personal data protection in Malaysia. The website includes:

• Links to the laws and consultation papers on personal data protection.

• Links to check data user registration status.

• Announcements of activities carried out by the JPDP.

• Latest news and updates on the Personal Data Protection Act 2010 (PDPA).

• Frequently Asked Questions on the application of the PDPA.

• The JPDP's contact information.

Contributor Profiles

Adlin Abdul Majid, Partner

Lee Hishammuddin Allen & Gledhill

T + 603 2170 5816

F + 603 2161 3933

E [email protected]

W www.lh-ag.com

Professional qualifications. Advocate and Solicitor of the High Court of Malaya

Areas of practice. Privacy and personal data protection; technology, media and telecommunications.

Non-professional qualifications. Master of Arts (Jurisprudence), University of Oxford (1997)

Representative matters

• Representing clients in diverse industries, including banking, insurance, telecommunications, logistics, public infrastructure services, retail, property investment and development, hospitality and tourism, and government services.

• Conducting compliance exercises, which include privacy impact assessments and drafting and reviewing of policies, guidelines, agreements, and other documents.


• Advising on:

• consent of data subjects and the issuance of notices;

• direct marketing;

• transfer of personal data outside of Malaysia and data transfer agreements;

• outsourcing services;

• cloud computing services;

• street level data collection; and

• human resource issues, including employee monitoring.

Languages. English, Bahasa Malaysia

Professional associations/memberships. The Malaysian Bar Council's Personal Data Protection Committee; The Malaysian Bar Council's Information Technology Committee; The International Association of Privacy Professionals.

Publications

• Annotated Statutes for the Personal Data Protection Act 2010.

• Global contributor to DataGuidance, the leading international publication for data protection and privacy legislation issues.

• Regularly issues alerts on the PDPA on the firm's website.

END OF DOCUMENT