What is “personal data”?
“Personal data” means any information in respect of commercial transactions that relate, directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user.
“Sensitive personal data” means any personal data consisting of information as to among other things the physical or mental health or condition of a data subject, his political opinions or his religious beliefs.
The processing of sensitive personal data is prohibited unless the data subject has given his explicit consent to the processing of the sensitive personal data, or where the processing is necessary for certain purposes, more particularly set out in the PDPA.
Applicability of the PDPA
The PDPA applies to:
- Any person who processes; and
- Any person who has control over or authorizes the processing of,
any personal data in respect of commercial transactions (the "Data User”) and where such persons are:
- Established in Malaysia; or
- Not established in Malaysia, but uses equipment for processing personal data otherwise than for the purposes of transit through Malaysia.
In general, Data Users are prohibited from transferring any personal data to a place outside Malaysia unless to such place as specified by the Minister of Communications and Digital or where consent from the data subject has been obtained.
To note that the PDPA will not apply to personal data processed outside Malaysia unless it is intended to be further processed in Malaysia.
What does “processing” mean?
“Processing” means the collecting, recording, holding or storing of personal data or carrying out any operation or set of operations on the personal data.
Activities that may fall within the definition of “processing” include:
- Collecting data using a form;
- Using personal data for administrative purposes; or
- Using personal data for marketing purposes.
Requirement to be registered as data users under the PDPA?
A Data User belonging to any of the following classes of Data Users, are required to be registered under the PDPA:
- Communications
- Utilities
- Insurance
- Health
- Tourism and hospitalities
- Transportation
- Education
- Direct selling
- Services
- Real estate
- Moneylender licensee
- Pawnbroker licensee
- Banking and financial institution
“Services” include a company carrying on accountancy or engineering business; and “Communications” include a licensee under the Postal Services Act 2012
Registered Data Users will be issued a certificate of registration. Such Data Users who process personal data without a certificate may be liable to a fine not exceeding RM500,000 or to imprisonment for a term not exceeding 3 years or to both.
Liabilities
Under the PDPA, Data Users are required to comply with the 7 Personal Data Protection Principles (“Principles”) when processing personal data. A Data User who contravenes the Principles commits an offence and may be liable to a fine not exceeding RM300,000 or to imprisonment for a term not exceeding 2 years or to both.
Further, a person who abets the commission or attempts to commit any offence under the PDPA, commits an offence and will be liable to the same punishments for the offence. Additionally, any person who does any act preparatory or in furtherance of the commission of any offence, shall also be liable for the offence.
Moreover, where a body corporate commits an offence, directors and officers in the management of a company, can also be held personally or jointly liable for the offence, and subject to the same penalties.
Next in the series
We will set down and consider the Principles in parts 2 and 3 of this series.
This article was originally published on the Hsian & Co. website, 3 July 2023, and has been reproduced with the authors’ consent.
