In early May 2017, a company in the educational industry was charged under the Personal Data Protection Act 2010 (“PDPA”) for processing the personal data of former employees without a certificate of registration. If convicted, the maximum penalty is a fine of RM500,000 or up to three years in jail, or both.

It was the first case to be prosecuted under the PDPA, and based on our correspondence with the Personal Data Protection Department (“PDPD”), it will be the first of many.

The PDPA has been in force since 2013, and we have been watching with increasing trepidation how general awareness in the business community has remained relatively low. Like the sword of Damocles hanging over the heads of non-compliant businesses, it was a matter of time before a data user would be booked under the PDPA.

Alas, those fears are now confirmed.

The PDPA applies to data users, i.e. businesses that process personal data for commercial purposes. There are no hard and fast rules as to what constitutes personal data, but a good rule of thumb is that if data can personally identify a person, it is personal data for the purposes of the PDPA.

Some categories of data users must be registered with the PDPD. They are listed below:

  1. Communications
  2. Banking
  3. Insurance
  4. Health
  5. Tourism/hospitality
  6. Transportation
  7. Education
  8. Direct selling
  9. Real Estate
  10. Utilities
  11. Pawnbrokers
  12. Moneylenders
  13. Services

This is a growing list and may continue to be expanded on. (For example, pawnbrokers and moneylenders were added to the list in December 2016.)

Upon successful registration, data users will be issued a certificate of registration. Data users who are in the list above but have not registered themselves may find themselves charged with an offence under the PDPA, like the company mentioned in the first paragraph of this article.

Data users that are not in the above categories do not need to register with the PDPD, but are still subject to other requirements in the PDPA.

All data users need to comply with 7 main principles (more information on those principles can be found here). The principles are detailed in the PDPA, and further supplemented in the Personal Data Protection Regulations and, most recently, the PDPA Standards.

Compliance with the principles is not particularly difficult. The PDPD, in drawing up the policies, has made compliance commercially viable even for start-ups and SMEs. In short, it is not too burdensome to comply with the PDPA once you know what to look out for.

We were informed that the PDPD will be running compliance inspections of certain classes of data users. By the time the PDPD informs you they are coming in, you will most likely not have enough time to put your compliance policies and standard operating protocols in place.

So, if you are in any doubt about your compliance with the PDPA, it is time to get those doubts cleared for your own peace of mind.


About the author: Ian Liew is an associate in Donovan & Ho’s corporate and commercial practice group. He is an advocate and solicitor of the High Court of Malaya, and has advised clients on issues such as shareholders’ agreements, venture capitalist fund-raising, and mergers & acquisitions of businesses.  

