The Malaysia PDPA Guide for Business


PDPA was introduced to increase consumer confidence in commerce and e-commerce in the face of the ever-increasing number of credit cards and to detect identity theft and sales fraud involving unauthorized users. PDPA stipulates a set of data protection principles, and data controllers must always abide by these principles when collecting, processing or disclosing personal data of Malaysian citizens. General principles-PDPA’s general principles require that personal data should not be processed unless such data is used for a legitimate purpose directly related to the activities of the data user, is necessary or directly related to this purpose, and the information is sufficient. And it is not excessive and related to this goal.    

However, it should be noted that DPA specifically allows data users to process confidential personal data of employees without the explicit consent of employees if the processing is necessary to ensure compliance with the rights or obligations granted or imposed by law on the use of employees employment data. PDPA does not apply to personal data processed outside Malaysia, except when the data is intended for further processing in Malaysia and does not apply to a data user who is not registered in Malaysia, except when that person does not use the equipment in Malaysia. for the processing of personal data, with the exception of the purposes of transit through Malaysia. Consequently, the PDPA will also apply to foreign entities that process personal data in Malaysia, whether or not they have an actual physical presence in Malaysia, provided that the person falls into the above categories. Data processed exclusively outside of Malaysia may not be subject to the Law on the Protection of Personal Information and Human Rights.    

Given that PDPA only regulates personal data in the context of commercial transactions, there is also some ambiguity as to whether nominal social media users (for example, for entertainment and social purposes) can benefit from the protection provided by PDPA. In contrast, PDPA does not require data users to consider privacy or security when designing systems or processes.    

According to PDPCM, civil society organizations generally violate the general principles of information security, retention, and disclosure. However, the 2013 Financial Services Act (FSA) provides protection for financial companies that voluntarily disclose information, knowledge or documents to Bank Negara, which clearly indicates that violations have occurred or are about to occur in accordance with the FSA guidelines. Any company that doubts whether its business operations (including data processing and storage) comply with legal principles and the above-mentioned minimum standards is recommended to seek legal advice.    

Organizations should include technical and organizational mechanisms to protect personal information when developing new processes and systems. In addition, data protection officers must report to the top management of the organizations with which they work and must not perform any duties that could create a conflict of interest. The PDPA does not require the appointment of a Data Protection Officer (DPO), but the Data User Registration Application form does require the appointment of a Compliance Officer, called the person who will oversee the application of the PDPA in organizing the data. users.    

The Commissioner issued a public consultation document called the 2017 Personal Data Protection Order (Transfer of Personal Data to Locations Outside Malaysia) (Proposed 2017 Regulation), which asked the public for their views on the draft White List of Commissioners from countries where the personal data comes from. Malaysia can be freely transferred without resorting to the exceptions provided in Section 129 (3) of the Human Rights Protection Act (PDPA). The project includes initiatives to strengthen the data protection framework, in particular the revision of the PDPA. They relate to issues such as the appointment of a Personal Data Protection Officer (Ombudsman), data user registration and fees that may be levied under the PDPA. Prior to PDPA approval, data legislation in Malaysia was limited by industry law regarding finance, healthcare, communications, etc.    

Data protection in Malaysia is mainly governed by the Personal Data Protection Act (PDPA) 2010 and its supplementary provisions as described below. The Personal Data Protection Commissioner is an actively responsible agency in Malaysia, responsible for implementing and enforcing the PDPA 2010 law. The European GDPR sets out rules for processing and protecting the personal information of EU data subjects.    

It has established a comprehensive cross-industry framework to protect personal data related to business transactions. The main responsibility of the PDP is to implement and regulate the PDPA in Malaysia, which focuses on the processing of personal data in business transactions and the prevention of personal data abuse. The Malaysian government has established the PDPA to allow residents to better control their personal and confidential data, as well as how individuals and organizations that do business with them use this data. Since 2010, the Malaysian government has been committed to improving the privacy and data protection of its residents.    

In short, PDPA Malaysia requires end-user consent, requires Malaysian users to be informed about the processing of data on their websites, grants Malaysians the right to access and correct their data, and regulates all processing of personal data through its 7 PDPA principles. PDPA Malaysia revolves around end-user consent, requiring your website to first obtain explicit and explicit consent from visitors before activating any cookies and trackers that process personal data, like other important privacy laws. Worldwide data such as EU GDPR, Brazil LGPD and POPIA South Africa. Malaysia PDPA compliance for your website means obtaining explicit/explicit consent from Malaysian end-users before processing their personal data and informing them with detailed information about the data processing activities on your websites, for example, the types of data you collect for what goals and with whom you share it.    

There are no privacy provisions in the Malaysian PDPA, such as the EU GDPR, which requires data controllers to consider privacy in the default settings of their processing activities. Nevertheless, Malaysia’s PDPA was formulated and promulgated five years before the GDPR, and the latest rules are very similar to the first. Since many countries/regions in the world are greatly affected by the EU General Data Protection Regulation or GDPR, PDPA is at the forefront of data controller requirements and penalties applicable to the data in many respects. The controller violated the law. However, data subjects in the European Union have broad rights.    

Violation of the restriction on cross-border data flow is a criminal offence and can result in a fine of up to MYR 300,000 (approximately EUR 66,500) and/or imprisonment for up to two years. Under Section 5 of the PDPA, violation of any of the data protection principles is an offence under the PDPA and is punishable by a fine of up to RM300,000 and/or a prison sentence of up to 2 years. Violation of the PDPA regulations can result in various fines and/or jail time. As stated above, failure to comply with the PDPA can result in up to three years in prison. 

 



Source link

Author: Formiti Data Privacy Consultancy Blog

Leave a Reply

Your email address will not be published. Required fields are marked *