Summary of PDPA

Malaysia’s Personal Data Protection Act 2010 (PDPA)



  1. Objective: To protect an individual’s personal information that is processed for the purposes of commercial transactions.
  2. Who must comply with the PDPA: All individuals and organizations that process personal data in their dealings must comply with the rules set out in the Personal Data Protection Act 2010. The Federal Government and the State are exempted.
  3. Principles of Data Protection: The Personal Data Protection Act contains seven principles of information handling practice that must be followed, namely:
    1. General Principle
    2. Notice and Choice Principle
    3. Disclosure Principle
    4. Security Principle
    5. Retention Principle
    6. Data Integrity Principle
    7. Access Principle
  4. Type of data to be protected: Any information or chain of information that allows a living individual to be identified is covered under the Personal Data Protection Act, including but not limited to: name and address, identification card number, passport number, health information, e-mail address, pictures, images recorded by closed-circuit television (CCTV), information contained in personal files, etc.
  5. Activities and processes that must adhere to the Act: An organization must strictly adhere to and comply with the Act when its processes involve activities including but not limited to: collecting data through forms, by phone or via the web; publishing data; selling data; using administrative data; using data for marketing purposes; recording data; disclosing or providing data to other organizations; destroying data; etc.
  6. Compliance by the “Data User”: A data user is an individual who processes personal data, has control over the processing of personal data, or allows the processing of personal data. The Personal Data Protection Act applies to both individuals and organizations if they are “data users”.
  7. Data Processor: A data processor is an individual or organization that processes personal data on behalf of the data user, and does not process the personal data for any of his own purposes. The Personal Data Protection Act does not apply to a data processor.
  8. Responsibility of Data Users for data processing activity: The Personal Data Protection Act places the legal responsibility on the “data user” to ensure that the “data processor” pledges to take measures to protect the security of the data processed and to comply with the PDPA.
  9. The rights granted by the Personal Data Protection Act to “data subjects”: The Personal Data Protection Act provides rules concerning good practice in the processing of personal data of living individuals. The Act defines the individuals whose data is processed by data users as “data subjects”. Data subjects are given the following rights:
    1. The right to be told whether their data is processed by an organization
    2. The right to access personal data
    3. The right to rectify personal data
    4. The right to withdraw consent to process personal data
    5. The right to prevent processing likely to cause damage or distress
    6. The right to prevent processing for purposes of direct marketing
  10. Definition of sensitive personal data: Under the Personal Data Protection Act, sensitive personal data means any data consisting of information as to an individual’s physical or mental health condition, political opinions, religious beliefs and other beliefs of a similar nature. In addition, the commission or alleged commission by the individual of any offence is also sensitive personal data.
  11. Requirements for the processing of sensitive personal data: The Act does not allow the processing of sensitive personal data except for the purposes specified in the Act, and the processing must be with the explicit consent of the data subject.
  12. Reporting abuse: Individuals who feel that their personal data has been processed in breach of any provision of the Act may make a complaint to the Personal Data Protection Commissioner.