Collecting, Processing and Transfer of Personal Data in Malaysia: When and How?
Almost all businesses would have to deal with collection, processing and transfer of personal data at some point in the business. Under Malaysia’s Personal Data Protection Act 2010 (“PDPA”), the definition of “data user” is wide enough to capture most businesses as “data users” in their day-to-day operations.
Some common instances in which businesses will usually collect, process or transfer personal data are:
- For marketing purposes. Collection of personal data to send newsletters / promotional materials to the data subjects.
It is common for businesses to request contact information from individuals for direct marketing purposes. This is especially common in an online setting, when website users are asked to submit their email address. Even if only the email address is collected, this could still fall under collection and processing of personal data under the PDPA.
- For employment matters.
When an employer stores job applications (which contain the applicant’s personal data) for future purposes, or when an employer communicates with the job applicant to seek more information or to schedule an interview, the employer is processing their personal data.
- Creating an Account for Customers / Storing Personal Data of Customers
If your business allows your customers to create an account using their personal data (be it online or offline), or if you hold or store their personal data, you are a “data user” under the PDPA.
- Entering into collaboration agreement or service contracts with third parties.
Depending on the nature of the contract, most commercial agreements involve transfer of personal data.
Some of the best practices for a data user under such circumstances include:
- Providing a PDPA notice (in both English and Malay) to the data subject. Do note that this PDPA notice is mandatory under the PDPA. This PDPA notice shall inform the data subjects of the purpose of data collection, how their personal data will be processed, their rights as data subjects, etc.
- If collection of personal data is done online, there should be a PDPA Notice available online and a clearly visible link on the homepage.
- The data subject should sign the PDPA notice to signify their consent. If the PDPA notice is in an online form, there should be a link for the users to click “I Agree”.
- As a rule of thumb, data users should obtain data subjects’ consent at the point of collection.
- When an employer replies to a job applicant’s email, the email should also be accompanied by a PDPA notice and should seek their consent for the collection and processing of their personal data.
- Providing a mechanism whereby data subjects can “opt-out” of receiving marketing materials or communications.
- Carefully review any contract with third parties, especially when transfer of personal data is involved. Among others, the contract should clearly provide for the rights and obligations of both the data transferor and the data recipient.
The above is not an exhaustive list and is a general guide. What is pertinent is that businesses should take the time and effort to understand their obligations under the PDPA and take steps to comply with it.
This article was written by Shawn Ho and Ee Lyne Chong. Shawn leads the corporate practice group of Donovan & Ho, and has been recognised as a Notable Practitioner, whilst the firm has been recognised as a Notable Firm for Corporate and M&A by Asialaw Profiles 2020. We are also ranked a Recommended Firm by IFLR1000 for 2020.