Personal Data Protection Act: Kuala Lumpur Bar Committee


Personal Data Protection Act

Kuala Lumpur Bar Committee

8 May 2018

© 2018 Koh Dipendra Jeremiah Law


PERSONAL DATA PROTECTION ACT 2010

An Act to regulate the processing of personal data in commercial transactions and to provide for matters connected therewith and incidental thereto.
“data user”: a person who either alone or jointly or in common with other persons processes any personal data or has control over or authorizes the processing of any personal data, but does not include a data processor.

“data subject”: means an individual who is the subject of the personal data.

“data processor”: means a person who processes the personal data solely on behalf of the data user……not for his own purpose
PERSONAL DATA PROTECTION ACT 2010

[Slide diagram; the recoverable text of its boxes follows.]

Regulate the processing and usage of personal data in commercial transactions by data users for the purpose of protecting the data subject’s personal data and safeguarding their interests.

Processing: Collecting, Recording, Storing, Organising.

Data user: a person who either alone or jointly or in common with other persons processes or authorises the processing of any personal data or has control over personal data, but does not include a data processor.

Data subject: an individual who is the subject of personal data.
Personal Data Protection

Any type of processing of personal data will have to be in compliance with the “7 data principles”.

“processing” is defined as (Sec 4):

“Collecting, Recording, Storing, Organising and carrying out any operation or set of operations on any personal data and includes recording, amendment, deletion, organisation, adaptation, alteration, retrieval, consultation, alignment, combination, blocking, erasure, destruction or dissemination of the personal data”
7 DATA PROTECTION PRINCIPLES

1. General Principle
2. Notice & Choice Principle
3. Disclosure Principle
4. Security Principle
5. Retention Principle
6. Data Integrity Principle
7. Access Principle
(1) General Principle:

• Data user shall obtain the consent of the data subject before processing the personal data. Exceptions where the data user may still process the personal data are found in section 6(2), where the processing is necessary.

• These are: for performance of a contract, with a view to entering into a contract, compliance with legal obligations, to protect vital interests, administration of justice, exercise of any functions conferred by law.

• In any case, processing of personal data must be for a lawful purpose directly related to the activity of the data user, must be necessary for or directly related to that purpose, must be used for the intended purpose, and the personal data must be adequate but not excessive in relation to that purpose.
General Principle:

• However, if “sensitive personal data” is involved, then the data user is to comply with section 40, which requires obtaining the explicit consent of the data subject, unless the processing is necessary.

• Necessary for: part of employment data with a statutory obligation, protection of the vital interests of the data subject (where consent cannot be obtained) or the vital interests of another person, a medical purpose by a healthcare professional or like person, legal proceedings, obtaining legal advice, defending legal rights, administration of justice, exercise of a function under any written law, or any other purposes as the Minister thinks fit;

OR the information in the personal data has been made public by the data subject.
(2) Notice and Choice Principle:

• Data user shall give written notice to inform the data subject of:

  • The processing of his/her personal data;
  • The description of the data;
  • The purpose for collection and processing;
  • The source of the personal data;
  • The right of the data subject to request access to, and correction of, the personal data, and how to contact the data user for inquiries or complaints;
  • The class of 3rd parties to whom personal data may be disclosed;
  • The choice and means of limiting the processing of the personal data, including where other parties may be identified from the data subject’s personal data;
  • Whether it is obligatory or voluntary to supply personal data; if obligatory, the consequences if it is not supplied.

• Privacy Notice is to be in the National AND English language.
(3) Disclosure Principle:

• Governed by S. 8 of the PDPA 2010.

• No personal data shall, without the consent of the data subject, be disclosed

(a) for any purpose other than:

 i. the purpose for which the personal data was to be disclosed at the time of collection of the personal data;
 ii. a purpose directly related to the purpose referred to in the paragraph immediately above; or

(b) to any party other than a third party of the class of third parties as specified in paragraph S. 7(1)(e) of the Act.

* Therefore, it must be disclosed only for its intended purpose and not to third parties.
(3) Disclosure Principle
Subject to S. 39 of the PDPA 2010.
Exceptions to Disclosure Principle:

Personal data may still be disclosed for any other purpose (other than the purpose for which it was to be disclosed at the time of collection) ONLY under the following circumstances:

• Data Subject has consented; or
• The disclosure is necessary for the prevention or detection of crime, or is required by law or authorised by order of a court; or
• Data User acted in the reasonable belief that he had in law the right to disclose to other persons; or
• Data User acted in the reasonable belief that he would have had the consent of the data subject if the data subject had known of the said disclosure; or
• Disclosure was justified in the public interest in circumstances determined by the Minister.
(4) Security Principle:

• Data user shall, when processing personal data, take practical steps to protect the same from loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction, having regard to:

  • Nature of the personal data and the consequential harm;
  • Place or location where personal data is stored;
  • Security measures incorporated in storage equipment;
  • Measures taken to ensure reliability, integrity and competence of personnel;
  • Measures taken to ensure secured transfer of personal data.

• Where a data processor acts on behalf of a data user, the data processor shall provide sufficient guarantees on technical and organizational security measures and take reasonable steps to ensure compliance with those measures.
(5) Retention Principle:

• Data user not to keep personal data any longer than is necessary for its intended purpose, i.e. after fulfillment of that purpose.

• Data user has a duty to take all reasonable steps to destroy or permanently delete the personal data.
(6) Data Integrity Principle:

• Data user shall take reasonable steps to ensure personal data is accurate, complete, not misleading and kept up-to-date, taking into consideration the purpose for which it was collected and processed.
(7) Access Principle:

• Data user shall give access to the data subject to correct any inaccurate, incomplete, misleading or not up-to-date personal data, unless the Act allows such refusal.
Personal Data Protection
Salient features of the PDPA:
EXEMPTIONS found in Section 45 – circumstances in which processing may contravene the 7 Personal Data Protection Principles

If the personal data is processed by an individual only for the individual’s personal, family or household affairs, including for recreational purposes – full exemption from the 7 Principles.

OR if personal data is processed for:

• Prevention or detection of crime or for investigation;
• Apprehension or prosecution of offenders;
• Assessment or collection of any tax or duty;

then exemption from 4 Principles only – 1. General, 2. Notice & Choice, 3. Disclosure and 7. Access Principle … and related provisions of the Act.
Personal Data Protection
EXEMPTIONS found in Section 45

If personal data is processed in relation to physical or mental health – then exempted from no. 7, Access Principle.

If personal data is processed in relation to preparing statistics or research, then exempted from 1. General, 2. Notice & Choice, 3. Disclosure and 7. Access Principle … and related provisions of the Act.

If personal data is processed in relation to an order or judgement of a court, then exempted from 1. General, 2. Notice & Choice, 3. Disclosure and 7. Access Principle … and related provisions of the Act.
Personal Data Protection

EXEMPTIONS found in Sections 45 and 46

If personal data is processed for discharging regulatory functions, then exempted from 1. General, 2. Notice & Choice, 3. Disclosure and 7. Access Principle … and related provisions of the Act.

If personal data is processed for journalistic, literary or artistic purposes, then exempted from 1. General, 2. Notice & Choice, 3. Disclosure, 5. Retention, 6. Data Integrity and 7. Access Principle … and related provisions of the Act. But the publication must have special importance of public interest and freedom of expression, and the data user must reasonably believe that compliance with the 6 exempted principles is incompatible with the journalistic, literary or artistic purposes.
Personal Data Protection
Transfer of Data Outside Malaysia (Sec 129)

The PDPA specifies that no personal data may be transferred outside Malaysia unless the place has been approved by the Minister (Sec 129(1)).

However, transfer of data outside of Malaysia may take place if, among others (Sec 129(3)):

i. the data subject has given consent, or
ii. the transfer is necessary for the performance of a contract between the data subject and the data user,
iii. the transfer is necessary for the conclusion or performance of a contract between the data user and a 3rd party, entered into at the request of the data subject or in his interest,
Personal Data Protection

Transfer of Data Outside Malaysia (Sec 129)

iv. the transfer is for legal proceedings, obtaining legal advice, or defending legal rights;
v. the data user had reasonable grounds for believing that the transfer is for the avoidance or mitigation of adverse action, or that it was not practicable to obtain the consent in writing of the data subject and, had it been practicable to obtain such consent, the data subject would have consented;
vi. the data user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not be processed in a manner that would have been prohibited under the PDPA in Malaysia, i.e. the data user has taken reasonable steps to ensure that the data will not be processed in a manner which would contravene the PDPA; or
vii. the transfer is necessary to protect the data subject's vital interests; or
viii. the transfer is necessary as being in the public interest in circumstances determined by the Minister.

*** Non-compliance with this provision makes a data user liable to a fine of RM300,000 and/or 2 years imprisonment, or both (Sec 129(5)).
Final Question & Answer Session
Jeremiah R. Gurusamy
Partner

Koh Dipendra Jeremiah Law
Advocates & Solicitors
9-2, 2nd Floor, Jalan Medan Setia 1,
Plaza Damansara, Damansara Heights,
50490 Kuala Lumpur,
Malaysia.

Tel: 603-2095 6505
Fax: 603-2095 7505
E-Mail: [email protected]
