In Malaysia, the Personal Data Protection Act 2010 (“PDPA”) was enacted to regulate the processing of personal data in commercial transactions, and to provide individuals with control over their personal data. To learn more about the PDPA, you can read our earlier article on this topic here.
To recap, certain classes of data users have been required to register under the PDPA since it came into force on 15 November 2013. These include data users in the banking and financial sector, the insurance industry and the utilities sector, among others. The Personal Data Protection Commissioner (“Commissioner”) has also issued sector-specific codes of practice for these classes of data users, setting out specific requirements for the handling of personal data in their respective industries.
Who is subject to the General Code of Practice?
On 15 December 2022, the Commissioner issued a General Code of Practice (“General CoP”) for those classes of data users who are not subject to any other code of practice registered under the PDPA. Moving forward, data users in the moneylending, pawnbroking, tourism, education, direct selling and real estate sectors, as well as those in the professional services (e.g., legal, audit, accountancy, engineering, architecture), will therefore need to comply with the General CoP (“Data Users”).
What is the General CoP?
The General CoP serves as a guide for Data Users in complying with the PDPA. It sets out best practices for the collection, use, disclosure, storage, and disposal of personal data.
The General CoP includes several changes to reflect the evolving landscape of data privacy and protection. One of the key changes is the inclusion of guidance on the preparation of a personal data protection notice, the guideline for which was issued by the Commissioner early last year. Businesses that already have a personal data protection notice should revisit it and update it accordingly.
Another significant change is that it provides further clarity on how consent should be recorded and maintained. It explains that explicit consent must be obtained from individuals before their personal data is collected, whether by conduct or performance, or verbally, and that the data must be stored securely. Businesses should therefore revisit their current procedures to ensure that their method(s) of obtaining consent from data subjects are up to date.
In addition to these changes, the General CoP also includes guidelines on the collection of personal data from children and on the use of direct marketing. Data Users are required to obtain parental consent before collecting personal data from children, and to provide an easy opt-out option for direct marketing communications.
Key takeaways
The General CoP reflects the changing landscape of data privacy and protection in Malaysia. Hence, it is essential for the Data Users to familiarize themselves with the General CoP and ensure that their data processing practices are in line with its guidelines. By doing so, Data Users can build trust with their customers or stakeholders and protect their personal data from unauthorized access or use. Some practical steps (which are non-exhaustive) that Data Users can consider implementing to comply with the General CoP include:
- Indicate in the privacy policy whether any sensitive personal data (i.e., data relating to mental or physical health, political opinions, religious beliefs or the commission of an offence) will be processed.
- Indicate whether the personal data of children below the age of majority (i.e., 18 years) will be processed.
- State the names of the third parties to whom personal data will be disclosed.
- Include a clickable checkbox or opt-in function that the user must click to indicate consent immediately before the personal data is submitted.
- Provide a communication channel or opt-out function through which customers can request that the delivery of direct marketing materials be stopped, and comply with such requests within a reasonable time frame.
- Maintain a personal data system (including consent records, signed privacy notices and internal security policies) that can be inspected by the Commissioner upon request.
- Implement a compliance framework with a self-audit system and internal training or awareness programmes so that employees understand the importance of complying with the PDPA.
Non-compliance with the General CoP can also result in penalties under the PDPA. Section 29 of the PDPA requires a data user to comply with the code of practice applicable to it, and makes non-compliance an offence punishable by a fine of up to RM100,000 and/or imprisonment for a term not exceeding 1 year. These penalties can be imposed on both individuals and corporations.
In the case of a body corporate, the directors and officers involved in the management of the company could also be held personally liable for non-compliance with the PDPA, and could be subject to fines and imprisonment if the company is found to be in breach of the General CoP.
Please contact us at info@dnh.com.my if you would like us to review your current privacy policy and procedures to ensure compliance with the General CoP.
***
This article was written by Shawn Ho (Partner) & Sylvia Lock (Senior Associate) from the corporate practice group of Donovan & Ho. Shawn leads the corporate practice group of Donovan & Ho, and has been recognised as a Notable Practitioner, whilst the firm has been recognised as a Notable Firm for Corporate and M&A by Asialaw Profiles 2020 and 2021. We are also ranked as a Recommended Firm by IFLR1000 2020 and 2021.
Our corporate practice group advises on corporate acquisitions, restructuring exercises, joint venture arrangements, shareholder agreements, employee share options and franchise businesses, Malaysia start-up founders and can assist with venture capital funds in Seed, Series A & B funding rounds. Feel free to contact us if you have any queries.