Compliance

7 Principles of PDPA Malaysia (What Are They?)

7 principles of pdpa malaysia

As a business owner, there are many things you need to care about, from day-to-day operations to making sure your business stays compliant with laws and regulations. If you're doing business in Malaysia or dealing with Malaysian citizens, your business is subject to the regulations outlined in the seven principles of the PDPA Malaysia.

But we know all too well how confusing the ins and outs of data protection laws are, and sometimes, even the smallest mistake can end up costing your business. To help you navigate the world of data protection in Malaysia, we have put together an all-you-need-to-know guide on the seven principles of PDPA in Malaysia.

Ready? Let's get started.

Key Takeaways

  • The Personal Data Protection Act of Malaysia contains a set of 7 principles that were created to safeguard the personal data of data subjects in relation to data being used for commercial transactions.
  • The seven principles of the PDPA Malaysia include the general, notice and choice, disclosure, security, retention, data integrity and access principles.
  • Violations of the principles can result in a fine of up to MYR 300,000 ($70,000) and a two-year imprisonment.

PDPA Malaysia Explained

So, what exactly is the PDPA Malaysia? The Personal Data Protection Act of Malaysia is a data protection law that was created to safeguard the data privacy of personal data from Malaysian citizens in relation to data being used for commercial transactions.

The PDPA now gives Malaysian citizens rights over how, when and why their personal data is collected and what it is used for. Responsibilities were introduced that businesses (data controllers) need to abide by or face the consequences.

Malaysia's Personal Data Protection Act was relatively new to the country when it was introduced in May 2010. Before that, personal data was protected by industry-specific legislation. But now, the new data protection law aims to provide protection to citizens, regardless of location.

The Malaysian government passed the data protection law and received Royal Assent in June 2010 but only came into effect in November 2013. The Malaysian Ministry of Justice, which belongs to the Commissioner of the Department of Personal Data Protection, is the one that enforces the PDPA.

Some amendments have been added to the PDPA Malaysia over the years. In 2015, the Personal Data Protection Standard 2015 was passed, which was an amendment that included additional security standards, data integrity standards and retention standards for personal data that is processed electronically and non-electrically.

In 2016, there were two more: The Compounding of Offences Regulations and the Order Amendment. The latest amendment to the PDPA was passed in 2021, called the Personal Data Protection (Appeal Tribunal) Regulations 2021.

Scope of PDPA Malaysia

PDPA Malaysia's application scope is broken down into three categories: personal, territorial, and material.

The PDPA makes provisions so that any person who is processing or has some form of control over a data subject's personal data is subject to the responsibilities of the PDPA. But, it’s important to note that third parties who process data on behalf of the data user are not directly bound to the PDPA.

Then, we get the second scope, territorial. Unlike other data protection laws, the PDPA Malaysia does not apply to personal data that is processed outside of Malaysia. However, if you are processing personal data from Malaysian citizens, even if you’re not in Malaysia, your business is subject to the PDPA.

The material scope covers who collects, processes, and shares personal data, plus the purposes of the collected personal data.

However, there are some exemptions to this scope of application:

  • Federal and state governments of Malaysia
  • Data handlers processing data outside of Malaysia
  • Data processed for judiciary purposes
  • Data processing due to the mental and physical health of the data subject
  • Data processed for statistical purposes
  • Data processed for journalistic, artistic or literary purposes

7 Principles of PDPA Malaysia

The PDPA Malaysia is made up of 7 principles that guide businesses on how to remain compliant with the law and provide data privacy for data subjects. Let's take a deeper look into what these principles are and how your business can comply with them.

General principle

The general principle outlines what collected personal data is processed for, and it can only be processed if:

  • It is lawfully used for purposes relating to the data user and nothing else
  • It is not collected in excessive amounts
  • It is absolutely necessary for its intended purpose
  • Consent was obtained

The general principle also tells businesses that they must first get consent before sensitive personal information can be collected. For minors under the age of 18, consent must be obtained from their parents or legal guardians.

Make sure your business complies with this principle by practicing data minimization, which means collecting personal data that is used for its intended purposes only.

Your business should always ensure that consent from the data subject is recorded and kept in a safe space to maintain good data privacy records in case of an audit.

Notice and choice principle

The notice and choice principle states that businesses (data controllers) inform the data subject of all matters related to collecting, processing and sharing their personal information. This needs to be a written notice in both Malay and English.

Your written notice must include the following:

  • The purpose of the collected personal data
  • The details like what, when, and how the data is being collected
  • Inform the data subject of their rights
  • Correct contact details of your business
  • The details of third-party processors who will have access to their data
  • The choices that the data subject has in regard to process limiting and opting-out
  • Whether the data subject is obligated or not to supply the data (and if they are, the consequences for the data subject should they fail to supply the data)

To comply with this principle, your business should give the data subject this written notice as soon as practicable. It is important that this notice is written in both Malay and English.

Disclosure principle

The third principle of disclosure prohibits data users from sharing collected personal information for purposes other than the original purpose or without consent.

This principle was created to help prevent cybercrime like data breaches and ensure that businesses are protecting the data privacy of data subjects. Your business needs to implement secure and efficient safety measures in regard to this principle.

Security principle

The security principle is an important principle that your business needs to follow. The PDPA Malaysia outlines that all data users need to adopt efficient security measures to protect personal data from loss, modification, misuse, unauthorized access, destruction, and disclosure.

To comply with this data protection principle, your business is required by the PDPA to create a security policy according to the 2015 standards.

This includes but is not limited to:

  • All individuals need to be registered in a registration system before being allowed access to their personal data
  • To ensure that all your staff protect the confidentiality of their personal data
  • Implementing backup and recovery systems
  • Implement physical security procedures like entry and exit controls or CCTV installation

Your business can also hire a data protection officer (DPO) to oversee your security measures and maintain compliance.

Retention principle

The retention data protection principle governs how long businesses can store collected sensitive personal data, and that data should not be stored for longer than its original intended purpose. Businesses will need to destroy this stored data.

Some exceptions include:

  • Data stored for tax purposes in which there is actually a minimum retention period

To keep your business complaint, you need to make sure you have a personal data disposal

schedule and that all data relating to commercial transactions is disposed of within 14 days.

Data integrity principle

The data integrity data protection principle is much like the name implies. It was created to ensure that businesses take reasonable steps to ensure that all the collected personal information is correct, up-to-date, complete, and not misleading.

To stay compliant, your business can follow the guidelines set out by the 2015 standard. These include:

  • Preparing a form (electronic or non-electronic) where data subjects can update their data
  • Upon receiving a request to update from a data subject, you need to process this right away
  • Inform the data subject about the updating of their personal data through an announcement or other methods

Access principle

The seventh principle of the PDPA Malaysia is the access data protection principle, which stipulates that data subjects must be given access to their personal data and be able to correct that data if it is inaccurate, misleading, or out of date.

This process is known as a DSAR (Data Subject Access Request), and your business needs to provide access as soon as practicable.

Data Subject Rights Provided Under Malaysia PDPA

In addition to the seven principles that businesses need to comply with, the Malaysia PDPA has also given citizens more control over their personal data by creating data subject rights. To stay on the right side of the law, your business should not violate these rights.

The right to be informed

Much like the notice and choice principle, data subjects have the right to be informed of when, how, and why their personal data is being collected, how long it will be stored, and other relevant information. Data subjects also need to give consent first.

Businesses need to give out written notices for consent in Malay and English to data subjects, or else they could be penalized for non-compliance.

Right to access

All data subjects have the right to access their collected personal information to review what data the business has on them.

When the data subject requests a copy of their personal data, businesses must ensure that they acknowledge the receipt of the request and carry out the process as soon as practicable.

Right to rectification

This right to rectification is the right to request changes made if the data is incorrect, misleading, or no longer accurate. Businesses also need to provide clear instructions for data subjects to request this process.

Right to object/opt-out

The PDPA in Malaysia gives data subjects the right to withdraw consent for their data being used at any time by written notice. The PDPA also states that data subjects have the right to opt-out of data processing if that processing is likely to cause damage or distress.

To do this, data subjects will need to provide the data user with a written notice with the intent to prevent processing.

Right to prevent processing for direct marketing purposes

In addition to the right to prevent processing due to likely damage or distress, data subjects have the right to prevent the processing of personal data for direct marketing purposes.

This means businesses can no longer keep possession and use collected personal data for marketing services and products.

Penalties for Non-Compliance with PDPA Malaysia Principles

According to Section 55 of the PDPA, the Commissioner of the Department of Personal Data Protection oversees all decisions regarding non-compliance and enforces that all applicable businesses follow the regulations.

If your business does not adhere to the principles laid out in the PDPA, you can be penalized for non-compliance. Penalties for non-compliance are straightforward, as a breach of any of the seven principles can attract fines of up to MYR 300,000 ($70,000) and two years imprisonment.

Section 16 of the PDPA states that corporations like private healthcare institutions, direct sales businesses, licensed banks, utilities and transportation service providers need to register their activities with the PDPA.

In addition to penalties for violating the seven principles, the unlawful collection, processing, sharing, and selling of personal data can result in fines of up to MYR 500,000 and three years of imprisonment.

Suppose your business does a data transfer of personal data that was collected from inside Malaysia and transported out of the country. In that case, you can be fined up to RM300,000 and two years imprisonment.

Closing

Now you know why it is so important that if you're doing business in Malaysia, you must make sure you are compliant to avoid paying penalties or facing jail time. Non-compliance can be costly and damaging to your business.

With so many regulations, where do you even begin? Choose Captain Compliance, a global compliance service, to help you navigate Malaysia's complex world of data protection laws.

To help businesses like yours, we offer corporate compliance and outsourced compliance solutions, like compliance training, to help your business remain compliant with PDPA principles in Malaysia. Get in touch with Captain Compliance today.

FAQs

What personal data is covered under the PDPA Malaysia?

The PDPA covers all personal data that is electronic or non-electronic. In addition, the PDPA still covers the data, even if it is true or false.

Learn more about what personal data is made up of.

How do I report a PDPA violation in Malaysia?

Complaints of violations of the principles can be made through the Personal Data Protection System (SPDP).

Keep your business compliant by staying on top of data localization laws by country.

Does Malaysia follow the GDPR?

If your business is based in Malaysia and you are doing business with people in Europe, then yes, you will need to comply with the GDPR. However, if you do not conduct business with EU residents, you will not be required to follow the GDPR.

Learn more on how to stay compliant with the GDPR.

What is the difference between GDPR and Malaysia?

Malaysia's PDPA principles only apply to personal data in regard to commercial transactions, whereas the GDPR is not limited.

Looking for GDPR compliance solutions? Click here to find out more.