PRELIMINARY
Short title and commencement
/akn/my/act/act/2010/709
PERSONAL DATA PROTECTION ACT 2010
The full official text, structured for quick navigation. Copy any provision or jump straight to a section.
- Type
- Act
- Status
- In force
- Enacted
- 2010
- Last amended
- 2024
- Sections
- 146
- Languages
- MS · EN
Quick answer
About this act
PERSONAL DATA PROTECTION ACT 2010 is Malaysia Act, cited as Act 709 2010, currently marked in force and first recorded in 2010.
Opening note
Preamble
- An Act to regulate the processing of personal data in commercial transactions and to provide for matters connected therewith and incidental thereto. [15 November 2013, P.U. (B) 464/2013] ENACTED by the Parliament of Malaysia as follows:
Part I
Part I
Section 1
(2)
This Act comes into operation on a date to be appointed by the Minister by notification in the Gazette, and the Minister may appoint different dates for different provisions of this Act.
Application
Section 2
(b)
any person who has control over or authorizes the processing of, any personal data in respect of commercial transactions.
Act 709
(2)
Subject to subsection (1), this Act applies to a person in respect of personal data if—
(a)
the person is established in Malaysia and the personal data is processed, whether or not in the context of that establishment, by that person or any other person employed or engaged by that establishment; or
(b)
the person is not established in Malaysia, but uses equipment in Malaysia for processing the personal data otherwise than for the purposes of transit through Malaysia.
(3)
A person falling within paragraph (2)(b) shall nominate for the purposes of this Act a representative established in Malaysia.
(4)
For the purposes of subsections (2) and (3), each of the following is to be treated as established in Malaysia:
(a)
an individual whose physical presence in Malaysia shall not be less than one hundred and eighty days in one calendar year;
(c)
a partnership or other unincorporated association formed under any written laws in Malaysia; and
(d)
any person who does not fall within paragraph (a), (b) or (c)
but maintains in Malaysia—
(i)
an office, branch or agency through which he carries on any activity; or
Section 3
(2)
This Act shall not apply to any personal data processed outside Malaysia unless that personal data is intended to be further processed in Malaysia.
Interpretation
Section 4
Personal Data Protection 13
“credit reporting agency” has the meaning assigned to it in the
Credit Reporting Agencies Act 2010 [Act 710];
“this Act” includes regulations, orders, notifications and other subsidiary legislation made under this Act;
“register” means the Register of Data Users, Register of Data
User Forums or Register of Codes of Practice;
“personal data” means any information in respect of commercial transactions, which—
(a)
is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;
(b)
is recorded with the intention that it should wholly or partly be processed by means of such equipment; or
(c)
is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject; but does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010;
Act 709
“sensitive personal data” means any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence or any other personal data as the Minister may determine by order published in the Gazette;
“prescribed” means prescribed by the Minister under this Act and where no mode is mentioned, means prescribed by order published in the Gazette;
“Advisory Committee” means the Personal Data Protection
Advisory Committee established under section 70;
“vital interests” means matters relating to life, death or security of a data subject;
“Fund” means the Personal Data Protection Fund established under section 61;
“use”, in relation to personal data, does not include the act of collecting or disclosing such personal data;
“collect”, in relation to personal data, means an act by which such personal data enters into or comes under the control of a data user;
“Minister” means the Minister charged with the responsibility for the protection of personal data;
“disclose”, in relation to personal data, means an act by which such personal data is made available by a data user;
“relevant person”, in relation to a data subject, howsoever described, means—
(a)
in the case of a data subject who is below the age of eighteen years, the parent, guardian or person who has parental responsibility for the data subject;
Personal Data Protection 15
(b)
in the case of a data subject who is incapable of managing his own affairs, a person who is appointed by a court to manage those affairs, or a person authorized in writing by the data subject to act on behalf of the data subject; or
(c)
in any other case, a person authorized in writing by the data subject to make a data access request, data correction request, or both such requests, on behalf of the data subject;
“authorized officer” means any officer authorized in writing by the Commissioner under section 110;
“correction”, in relation to personal data, includes amendment, variation, modification or deletion;
“requestor”, in relation to a data access request or data correction request, means the data subject or the relevant person on behalf of the data subject, who has made the request;
“data processor”, in relation to personal data, means any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user, and does not process the personal data for any of his own purposes;
“processing”, in relation to personal data, means collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data, including—
(c)
the disclosure of personal data by transmission, transfer, dissemination or otherwise making available; or
(d)
the alignment, combination, correction, erasure or destruction of personal data;
“registration” means the registration of a data user under section 16;
Act 709
“data user” means a person who either alone or jointly or in common with other persons processes any personal data or has control over or authorizes the processing of any personal data, but does not include a data processor;
“relevant data user”, in relation to—
(a)
an inspection, means the data user who uses the personal data system which is the subject of the inspection;
(i)
in the case of an investigation initiated by a complaint, means the data user specified in the complaint;
(ii)
in any other case, means the data user who is the subject of the investigation;
(d)
an enforcement notice, means the data user on whom the enforcement notice is served;
“credit reporting business” has the meaning assigned to it in the Credit Reporting Agencies Act 2010;
“Commissioner” means the Personal Data Protection Commissioner appointed under section 47;
“third party”, in relation to personal data, means any person other than—
(e)
a person authorized in writing by the data user to process the personal data under the direct control of the data user;
Personal Data Protection 17
“relevant filing system” means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set of information is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible;
“data subject” means an individual who is the subject of the personal data;
“appointed date” means the relevant date or dates, as the case may be, on which this Act comes into operation;
“code of practice” means the personal data protection code of practice in respect of a specific class of data users registered by the Commissioner pursuant to section 23 or issued by the
Commissioner under section 24;
“commercial transactions” means any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but does not include a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2010.
Part II
Part II
Division 1
Division 1
Personal Data Protection Principles
Section 5
(2)
Subject to sections 45 and 46, a data user who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding three hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.
General Principle
Section 6
(a)
in the case of personal data other than sensitive personal data, process personal data about a data subject unless the data subject has given his consent to the processing of the personal data; or
(b)
in the case of sensitive personal data, process sensitive personal data about a data subject except in accordance with the provisions of section 40.
(2)
Notwithstanding paragraph (1)(a), a data user may process personal data about a data subject if the processing is necessary—
(b)
for the taking of steps at the request of the data subject with a view to entering into a contract;
(c)
for compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract;
Personal Data Protection 19
(f)
for the exercise of any functions conferred on any person by or under any law.
(3)
Personal data shall not be processed unless—
(a)
the personal data is processed for a lawful purpose directly related to an activity of the data user;
(b)
the processing of the personal data is necessary for or directly related to that purpose; and
(c)
the personal data is adequate but not excessive in relation to that purpose.
Notice and Choice Principle
Section 7
(a)
that personal data of the data subject is being processed by or on behalf of the data user, and shall provide a description of the personal data to that data subject;
(b)
the purposes for which the personal data is being or is to be collected and further processed;
(c)
of any information available to the data user as to the source of that personal data;
(d)
of the data subject’s right to request access to and to request correction of the personal data and how to contact the data user with any inquiries or complaints in respect of the personal data;
(e)
of the class of third parties to whom the data user discloses or may disclose the personal data;
Act 709
(f)
of the choices and means the data user offers the data subject for limiting the processing of personal data, including personal data relating to other persons who may be identified from that personal data;
(g)
whether it is obligatory or voluntary for the data subject to supply the personal data; and
(h)
where it is obligatory for the data subject to supply the personal data, the consequences for the data subject if he fails to supply the personal data.
(2)
The notice under subsection (1) shall be given as soon as practicable by the data user—
(a)
when the data subject is first asked by the data user to provide his personal data;
(i)
uses the personal data of the data subject for a purpose other than the purpose for which the personal data was collected; or
(3)
A notice under subsection (1) shall be in the national and
English languages, and the individual shall be provided with a clear and readily accessible means to exercise his choice, where necessary, in the national and English languages.
Disclosure Principle
Section 8
Subject to section 39, no personal data shall, without the consent of the data subject, be disclosed—
(i)
the purpose for which the personal data was to be disclosed at the time of collection of the personal data; or
Personal Data Protection 21
(ii)
a purpose directly related to the purpose referred to in subparagraph (i); or
(b)
to any party other than a third party of the class of third parties as specified in paragraph 7(1)(e).
Security Principle
Section 9
(a)
to the nature of the personal data and the harm that would result from such loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction;
(c)
to any security measures incorporated into any equipment in which the personal data is stored;
(d)
to the measures taken for ensuring the reliability, integrity and competence of personnel having access to the personal data; and
(2)
Where processing of personal data is carried out by a data processor on behalf of the data user, the data user shall, for the purpose of protecting the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction, ensure that the data processor—
(a)
provides sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out; and
(b)
takes reasonable steps to ensure compliance with those measures.
Act 709
Retention Principle
Section 10
(2)
It shall be the duty of a data user to take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed.
Data Integrity Principle
Section 11
A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date by having regard to the purpose, including any directly related purpose, for which the personal data was collected and further processed.
Section 12
Access Principle
A data subject shall be given access to his personal data held by a data user and be able to correct that personal data where the personal data is inaccurate, incomplete, misleading or not up-to-date, except where compliance with a request to such access or correction is refused under this Act.
Division 2
Division 2
Registration
Application of this Division
Section 13
(2)
A data user who belongs to a class of data users not specified in the order made under subsection 14(1) shall comply with all the provisions of this Act other than the provisions of this Division relating to the registration of data users and matters connected thereto.
Registration of data users
Section 14
Personal Data Protection 23
(2)
The Commissioner shall, before making his recommendation under subsection (1), consult with—
Section 15
(2)
Every application for registration shall be accompanied with the prescribed registration fee and such documents as may be required by the Commissioner.
(3)
The Commissioner may in writing at any time after receiving the application and before it is determined, require the applicant to provide such additional documents or information within the time as specified by the Commissioner.
(4)
If the requirement under subsection (3) is not complied with, the application for registration shall be deemed to have been withdrawn by the applicant and shall not be further proceeded with by the Commissioner, but without prejudice to a fresh application being made by the applicant.
Act 709
Certificate of registration
Section 16
(a)
register the applicant and issue a certificate of registration to the applicant in such form as determined by the
Commissioner; or
(2)
The certificate of registration may be issued subject to such conditions or restrictions as the Commissioner may think fit to impose.
(3)
Where the Commissioner refuses the application for registration in pursuance of subsection (1), he shall inform the applicant by a written notice that the application has been refused and the reasons for the refusal.
(4)
A person who belongs to the class of data users as specified in the order made under subsection 14(1) and who processes personal data without a certificate of registration issued in pursuance of paragraph 16(1)(a) commits an offence and shall, on conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding three years or to both.
Renewal of certificate of registration
Section 17
(2)
When renewing a certificate of registration, the Commissioner may vary the conditions or restrictions imposed upon the issuance of the certificate of registration or impose additional conditions or restrictions.
Personal Data Protection 25
(3)
The Commissioner may refuse to renew a certificate of registration—
(a)
if the data user has failed to comply with any of the provisions of this Act;
(b)
if the data user has failed to comply with any conditions or restrictions imposed upon the issuance of the certificate of registration; or
(c)
if he is satisfied that the data user is unable to continue the processing of personal data in accordance with this Act.
Revocation of registration
Section 18
(b)
the data user has failed to comply with any conditions or restrictions imposed upon the issuance of the certificate of registration;
(c)
the issuance of the certificate of registration was induced by a false representation of fact by the data user; or
(2)
Notwithstanding subsection (1), the Commissioner shall not revoke the registration of a data user unless the Commissioner is satisfied that, after giving the data user an opportunity of making any representation in writing he may wish to make, the registration should be revoked.
(3)
Where the registration of the data user is revoked, the
Commissioner shall issue a notice of revocation of registration to the data user, and the certificate of registration issued in respect of such registration shall have no effect upon service of the notice of revocation of registration.
Act 709
(4)
A data user whose registration has been revoked under this section and who continues to process personal data thereafter commits an offence and shall, on conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding three years or to both.
Surrender of certificate of registration
Section 19
(2)
A person who fails to comply with subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.
Register of Data Users
Section 20
(2)
The Register of Data Users shall contain the names of data users who have been registered in pursuance of this Division and any other particulars regarding such data users as may be determined by the Commissioner.
Division 3
Division 3
Data user forum and code of practice
Data user forum
Section 21
(a)
the membership of the body is open to all data users of that class;
Personal Data Protection 27
(b)
the body is capable of performing as required under the relevant provisions of this Act; and
(2)
The body shall agree in writing to be a data user forum before the designation is registered by the Commissioner in the
Register of Data User Forums.
(3)
The Commissioner may decide that an existing body that was previously designated as a data user forum under subsection (1)
is no longer a data user forum for the purposes of this Act, if he is satisfied that the body no longer meets the requirements as set out in that subsection.
(4)
Where the Commissioner decides that an existing body which has been designated as a data user forum is no longer a data user forum for the purposes of this Act, he shall withdraw the designation and subsequently cancel the registration of the designation in the Register of Data User Forums.
(5)
A designation or withdrawal of designation under this section shall take effect from the date of registration of the designation or the date of cancellation of the registration of the designation, as the case may be, or such later date as specified by the Commissioner.
Register of Data User Forums
Section 22
(2)
The Register of Data User Forums shall contain the names of data user forums which have been designated and registered in pursuance of this Division and any other particulars regarding such data user forums as may be determined by the
Commissioner.
Act 709
Code of practice
Section 23
(2)
The data user forum shall, in preparing a code of practice under subsection (1), consider matters including—
(a)
the purpose for the processing of personal data by the data user or class of data users;
(c)
the views of the relevant regulatory authority, if any, to which the data user is subject to; and
(d)
that the code of practice, upon having regard to all of the matters in paragraphs (a), (b) and (c) and any other matters, offers an adequate level of protection for the personal data of the data subjects concerned.
(3)
The Commissioner may register the code of practice prepared pursuant to subsection (1), if the Commissioner is satisfied that—
(4)
The code of practice under subsection (1) shall take effect on the date of registration of the code of practice by the
Commissioner in the Register of Codes of Practice.
(5)
If the Commissioner refuses to register the code of practice, the Commissioner shall notify the relevant data user forum of his decision in writing and provide the reasons for it.
Personal Data Protection 29
(6)
If the Commissioner neither registers nor refuses to register a code of practice within thirty days from the date of receipt of the code of practice by him for registration, he shall be deemed to have refused the registration of the code of practice.
(7)
The Commissioner may register different codes of practice for different classes of data users.
(8)
The Commissioner and data user shall make available to the public any code of practice registered under subsection (3).
Commissioner may issue code of practice
Section 24
(b)
the Commissioner is satisfied that a code of practice for a specific class of data users is unlikely to be prepared by the relevant data user forum within the period as specified by the Commissioner; or
(c)
there is no data user forum to develop the relevant code of practice for the class of data users.
(2)
The Commissioner shall, before issuing a code of practice under subsection (1), consider matters including—
(a)
the purpose for the processing of personal data by the data user or class of data users;
(b)
the views of the data users or groups representing data users, to which the code of practice is applicable;
(d)
the views of the relevant regulatory authority, if any, to which the data user is subject to; and
(e)
that the code of practice, upon having regard to all of the matters in paragraphs (a), (b) and (c) and any other matters, offers an adequate level of protection for the personal data of the data subjects concerned.
Act 709
(3)
The Commissioner may issue different codes of practice for different classes of data users.
(4)
The code of practice issued by the Commissioner under subsection (1) shall be registered in the Register of Codes of Practice.
(5)
The code of practice under subsection (1) shall take effect on the date of registration of the code of practice by the
Commissioner.
(6)
The Commissioner shall make available to the public any code of practice issued by him under subsection (1).
Applicable code of practice
Section 25
(2)
All data users belonging to a class of data users shall comply with the relevant registered code of practice that is applicable to that class of data users at a given time.
(3)
Where a code of practice is registered by the Commissioner under section 23 or 24, the Commissioner shall notify, in such manner as he may determine, the relevant class of data users to whom the code of practice is applicable—
(a)
of the identity of the code of practice concerned and the date on which the code of practice is to take effect; and
(b)
of the specific requirements under this Act for which the code of practice is issued and registered.
(4)
If there is any uncertainty or ambiguity as to which code of practice is applicable to a particular data user or class of data users, the data user or person concerned may apply to the
Commissioner for his opinion on which code of practice is the applicable code of practice in relation to the circumstances of such data user or person.
Personal Data Protection 31
(5)
The Commissioner shall provide his opinion within thirty days from the date of receipt of an application made under subsection (4).
(6)
The Commissioner shall, when making his opinion under subsection (5), take into account any relevant previous opinions, if any.
(7)
The Commissioner may withdraw an opinion made under this section if the Commissioner is satisfied that the nature of the activity engaged by the data user has changed materially.
Revocation, etc., of code of practice
Section 26
(b)
upon an application by the data user forum or such bodies representing the data users.
(2)
The Commissioner shall, before revoking, amending or revising a code of practice under subsection (1), consult with—
(a)
such data users or bodies representative of data users to which the code of practice shall apply, whether in whole or in part; and
(3)
Where any code of practice has been revoked, amended or revised under subsection (1), the Commissioner—
(a)
shall enter the particulars of such revocation, amendment or revision in the Register of Codes of Practice; and
(b)
shall notify the relevant data user forum, class of data users, data users and the public of such revocation, amendment or revision in such manner as may be determined by him.
Act 709
(4)
The Commissioner shall make available to the public any code of practice as amended or revised by him under this section.
Submission of new code of practice by data user forum
Section 27
(2)
The new code of practice submitted in pursuance of subsection (1) shall be subject to the provisions of this Division.
Register of Codes of Practice
Section 28
(2)
The Register of Codes of Practice shall contain—
(a)
particulars of codes of practice registered under section 23
or 24 and any revocation, amendment or revision to such codes of practice under section 26; and
(b)
any opinion made by the Commissioner under section 25, including particulars of withdrawal of previous opinions.
Non-compliance with code of practice
Section 29
A data user who fails to comply with any provision of the code of practice that is applicable to the data user commits an offence and shall, on conviction, be liable to a fine not exceeding one hundred thousand ringgit or to imprisonment for a term not exceeding one year or to both.
Division 4
Division 4
Rights of data subject
Right of access to personal data
Section 30
(2)
A requestor may, upon payment of a prescribed fee, make a data access request in writing to the data user—
(a)
for information of the data subject’s personal data that is being processed by or on behalf of the data user; and
(b)
to have communicated to him a copy of the personal data in an intelligible form.
(3)
A data access request for any information under subsection (2)
shall be treated as a single request, and a data access request for information under paragraph (2)(a) shall, in the absence of any indication to the contrary, be treated as extending also to such request under paragraph (2)(b).
(4)
In the case of a data user having separate entries in respect of personal data held for different purposes, a separate data access request shall be made for each separate entry.
(5)
Where a data user does not hold the personal data, but controls the processing of the personal data in such a way as to prohibit the data user who holds the personal data from complying, whether in whole or part, with the data access request under subsection (2) which relates to the personal data, the first-mentioned data user shall be deemed to hold the personal data and the provisions of this Act shall be construed accordingly.
Compliance with data access request
Section 31
Personal Data Protection 33
(2)
A data user who is unable to comply with a data access request within the period specified in subsection (1) shall before the expiration of that period—
(a)
by notice in writing inform the requestor that he is unable to comply with the data access request within such period and the reasons why he is unable to do so; and
(b)
comply with the data access request to the extent that he is able to do so.
Act 709
(3)
Notwithstanding subsection (2), the data user shall comply in whole with the data access request not later than fourteen days after the expiration of the period stipulated in subsection (1).
Circumstances where data user may refuse to comply with data access request
Section 32
(a)
the data user is not supplied with such information as he may reasonably require—
(i)
in order to satisfy himself as to the identity of the requestor; or
(ii)
where the requestor claims to be a relevant person, in order to satisfy himself—
(A)
as to the identity of the data subject in relation to whom the requestor claims to be the relevant person; and
(b)
the data user is not supplied with such information as he may reasonably require to locate the personal data to which the data access request relates;
(c)
the burden or expense of providing access is disproportionate to the risks to the data subject’s privacy in relation to the personal data in the case in question;
(d)
the data user cannot comply with the data access request without disclosing personal data relating to another individual who can be identified from that information, unless—
(i)
that other individual has consented to the disclosure of the information to the requestor; or
(ii)
it is reasonable in all the circumstances to comply with the data access request without the consent of the other individual;
Personal Data Protection 35
(e)
subject to subsection (3), any other data user controls the processing of the personal data to which the data access request relates in such a way as to prohibit the first-mentioned data user from complying, whether in whole or in part, with the data access request;
(2)
In determining for the purposes of subparagraph (1)(d)(ii)
whether it is reasonable in all the circumstances to comply with the data access request without the consent of the other individual, regard shall be had, in particular, to—
(b)
any steps taken by the data user with a view to seeking the consent of the other individual;
(3)
Paragraph (1)(e) shall not operate so as to excuse the data user from complying with the data access request under subsection 30(2) to any extent that the data user can comply with the data access request without contravening the prohibition concerned.
Notification of refusal to comply with data access request
Section 33
Where a data user who pursuant to section 32 refuses to comply with a data access request under section 30, he shall, not later than twenty-one days from the date of receipt of the data access request, by notice in writing, inform the requestor—
(b)
where paragraph 32(1)(e) is applicable, of the name and address of the other data user concerned.
Act 709
Right to correct personal data
Section 34
(a)
a copy of the personal data has been supplied by the data user in compliance with the data access request under section 30 and the requestor considers that the personal data is inaccurate, incomplete, misleading or not up-to-date; or
(b)
the data subject knows that his personal data being held by the data user is inaccurate, incomplete, misleading or not up-to-date, the requestor or data subject, as the case may be, may make a data correction request in writing to the data user that the data user makes the necessary correction to the personal data.
(2)
Where a data user does not hold the personal data, but controls the processing of the personal data in such a way as to prohibit the data user who holds the personal data from complying, whether in whole or in part, with the data correction request under subsection (1) which relates to the personal data, the first-mentioned data user shall be deemed to be the data user to whom such a request may be made and the provisions of this
Act shall be construed accordingly.
Compliance with data correction request
Section 35
(b)
supply the requestor with a copy of the personal data as corrected; and
Personal Data Protection 37
(i)
the personal data has been disclosed to a third party during the twelve months immediately preceding the day on which the correction is made; and
(ii)
the data user has no reason to believe that the third party has ceased using the personal data for the purpose, including any directly related purpose, for which the personal data was disclosed to the third party, take all practicable steps to supply the third party with a copy of the personal data as so corrected accompanied by a notice in writing stating the reasons for the correction.
(2)
A data user who is unable to comply with a data correction request within the period specified in subsection (1) shall before the expiration of that period—
(a)
by notice in writing inform the requestor that he is unable to comply with the data correction request within such period and the reasons why he is unable to do so; and
(b)
comply with the data correction request to the extent that he is able to do so.
(3)
Notwithstanding subsection (2), the data user shall comply in whole with the data correction request not later than fourteen days after the expiration of the period stipulated in subsection (1).
(4)
A data user is not required to comply with paragraph (1)(c)
in any case where the disclosure of the personal data to a third party consists of the third party’s own inspection of a register—
(5)
Where a data user is requested to correct personal data under subsection 34(1) and the personal data is being processed by another data user that is in a better position to respond to the data correction request—
(a)
the first-mentioned data user shall immediately transfer the data correction request to such data user, and notify the requestor of this fact; and
(b)
sections 34, 35, 36 and 37 shall apply as if the references therein to a data user were references to such other data user.
Circumstances where data user may refuse to comply with data correction request
Section 36
(a)
the data user is not supplied with such information as he may reasonably require—
(i)
in order to satisfy himself as to the identity of the requestor; or
(ii)
where the requestor claims to be a relevant person, in order to satisfy himself—
(A)
as to the identity of the data subject in relation to whom the requestor claims to be the relevant person; and that the requestor is the relevant person in relation to the data subject;
(b)
the data user is not supplied with such information as he may reasonably require to ascertain in what way the personal data to which the data correction request relates is inaccurate, incomplete, misleading or not up-to-date;
(c)
the data user is not satisfied that the personal data to which the data correction request relates is inaccurate, incomplete, misleading or not up-to-date;
Personal Data Protection 39
(d)
the data user is not satisfied that the correction which is the subject of the data correction request is accurate, complete, not misleading or up-to-date; or
(e)
subject to subsection (2), any other data user controls the processing of the personal data to which the data correction request relates in such a way as to prohibit the first-mentioned data user from complying, whether in whole or in part, with the data correction request.
(2)
Paragraph (1)(e) shall not operate so as to excuse the data user from complying with subsection 35(1) in relation to the data correction request to any extent that the data user can comply with that subsection without contravening the prohibition concerned.
Notification of refusal to comply with data correction request
Section 37
(b)
where paragraph 36(1)(e) is applicable, of the name and address of the other data user concerned.
(2)
Without prejudice to the generality of subsection (1), where personal data to which the data correction request relates is an expression of opinion and the data user is not satisfied that the expression of opinion is inaccurate, incomplete, misleading or not up-to-date, the data user shall—
(i)
of the matters in respect of which the expression of opinion is considered by the requestor to be inaccurate, incomplete, misleading or not up-to-date; and
Act 709
(ii)
in such a way that the personal data cannot be used by any person without the note being drawn to the attention of and being available for inspection by that person; and
(b)
attach a copy of the note to the notice referred to in subsection (1) which relates to the data correction request.
(3)
In this section, “expression of opinion” includes an assertion of fact which is unverifiable or in all circumstances of the case is not practicable to verify.
(4)
A data user who contravenes subsection (2) commits an offence and shall, on conviction, be liable to a fine not exceeding one hundred thousand ringgit or to imprisonment for a term not exceeding one year or to both.
Withdrawal of consent to process personal data
Section 38
(2)
The data user shall, upon receiving the notice under subsection (1), cease the processing of the personal data.
(3)
The failure of the data subject to exercise the right conferred by subsection (1) does not affect any other rights conferred on him by this Part.
(4)
A data user who contravenes subsection (2) commits an offence and shall, on conviction, be liable to a fine not exceeding one hundred thousand ringgit or to imprisonment for a term not exceeding one year or to both.
Extent of disclosure of personal data
Section 39
Notwithstanding section 8, personal data of a data subject may be disclosed by a data user for any purpose other than the purpose for which the personal data was to be disclosed at the time of its collection or any other purpose directly related to that purpose, only under the following circumstances:
(a)
the data subject has given his consent to the disclosure;
Personal Data Protection 41
(i)
is necessary for the purpose of preventing or detecting a crime, or for the purpose of investigations; or
(c)
the data user acted in the reasonable belief that he had in law the right to disclose the personal data to the other person;
(d)
the data user acted in the reasonable belief that he would have had the consent of the data subject if the data subject had known of the disclosing of the personal data and the circumstances of such disclosure; or
(e)
the disclosure was justified as being in the public interest in circumstances as determined by the Minister.
Processing of sensitive personal data
Section 40
(a)
the data subject has given his explicit consent to the processing of the personal data;
(i)
for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data user in connection with employment;
(ii)
in order to protect the vital interests of the data subject or another person, in a case where—
(A)
consent cannot be given by or on behalf of the data subject; or the data user cannot reasonably be expected to obtain the consent of the data subject;
Act 709
(iii)
in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld;
(A)
a healthcare professional; or a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a healthcare professional;
(v)
for the purpose of, or in connection with, any legal proceedings;
(ix)
for the exercise of any functions conferred on any person by or under any written law; or
(c)
the information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.
(2)
The Minister may by order published in the Gazette exclude the application of subparagraph (1)(b)(i), (viii) or (ix)
in such cases as may be specified in the order, or provide that, in such cases as may be specified in the order, the condition in subparagraph (1)(b)(i), (viii) or (ix) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied.
Personal Data Protection 43
(3)
A person who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.
(4)
For the purposes of this section—
“medical purposes” includes the purposes of preventive medicine, medical diagnosis, medical research, rehabilitation and the provision of care and treatment and the management of healthcare services;
“healthcare services” has the meaning assigned to it in the
Private Healthcare Facilities and Services Act 1998 [Act 586];
“healthcare professional” means a medical practitioner, dental practitioner, pharmacist, clinical psychologist, nurse, midwife, medical assistant, physiotherapist, occupational therapist and other allied healthcare professionals and any other person involved in the giving of medical, health, dental, pharmaceutical and any other healthcare services under the jurisdiction of the Ministry of Health.
Repeated collection of personal data in same circumstances
Section 41
(a)
has complied with the provisions of the
Notice and Choice Principle under section 7 in respect of the collection of personal data from the data subject, referred to as the “first collection”; and
(b)
on any subsequent occasion again collects personal data from that data subject, referred to as the “subsequent collection”, the data user is not required to comply with the provisions of the Notice and Choice Principle in respect of the subsequent collection if—
(A)
to comply with those provisions in respect of that subsequent collection would be to repeat, in the same circumstances, what was done to comply with that principle in respect of the first collection; and not more than twelve months have elapsed between the first collection and the subsequent collection.
Act 709
(2)
For the avoidance of doubt, it is declared that subsection (1)
shall not operate to prevent a subsequent collection from becoming a first collection if the data user concerned has complied with the provisions of the Notice and Choice Principle in respect of the subsequent collection.
Right to prevent processing likely to cause damage or distress
Section 42
(a)
cease the processing of or processing for a specified purpose or in a specified manner; or
(b)
not begin the processing of or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject if, based on reasons to be stated by him—
(A)
the processing of that personal data or the processing of personal data for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another person; and
(2)
Subsection (1) shall not apply where—
(i)
for the performance of a contract to which the data subject is a party;
(ii)
for the taking of steps at the request of the data subject with a view to entering a contract;
Personal Data Protection 45
(iii)
for compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by contract; or
(c)
in such other cases as may be prescribed by the Minister by order published in the Gazette.
(3)
The data user shall, within twenty-one days from the date of receipt of the data subject notice under subsection (1), give the data subject a written notice—
(a)
stating that he has complied or intends to comply with the data subject notice; or
(b)
stating his reasons for regarding the data subject notice as unjustified, or to any extent unjustified, and the extent, if any, to which he has complied or intends to comply with it.
(4)
Where the data subject is dissatisfied with the failure of the data user to comply with the data subject notice, whether in whole or in part, under paragraph (3)(b), the data subject may submit an application to the Commissioner to require the data user to comply with the data subject notice.
(5)
Where the Commissioner is satisfied that the application of the data subject under subsection (4) is justified or justified to any extent, the Commissioner may require the data user to take such steps for complying with the data subject notice.
(6)
A data user who fails to comply with the requirement of the Commissioner under subsection (5) commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.
Right to prevent processing for purposes of direct marketing
Section 43
(2)
Where the data subject is dissatisfied with the failure of the data user to comply with the notice, whether in whole or in part, under subsection (1), the data subject may submit an application to the Commissioner to require the data user to comply with the notice.
(3)
Where the Commissioner is satisfied that the application of the data subject under subsection (2) is justified or justified to any extent, the Commissioner may require the data user to take such steps for complying with the notice.
(4)
A data user who fails to comply with the requirement of the Commissioner under subsection (3) commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.
(5)
For the purposes of this section, “direct marketing” means the communication by whatever means of any advertising or marketing material which is directed to particular individuals.
Record to be kept by data user
Section 44
(2)
The Commissioner may determine the manner and form in which the record is to be maintained.
Part III
Part III
EXEMPTION
Section 45
(2)
Subject to section 46, personal data—
(i)
the prevention or detection of crime or for the purpose of investigations;
(iii)
the assessment or collection of any tax or duty or any other imposition of a similar nature, shall be exempted from the General Principle, Notice and Choice Principle, Disclosure Principle and
Access Principle and other related provisions of this
Act;
(b)
processed in relation to information of the physical or mental health of a data subject shall be exempted from the Access Principle and other related provisions of this
Act of which the application of the provisions to the data subject would be likely to cause serious harm to the physical or mental health of the data subject or any other individual;
(c)
processed for preparing statistics or carrying out research shall be exempted from the General Principle, Notice and Choice Principle, Disclosure Principle and Access
Principle and other related provisions of this Act, provided that such personal data is not processed for any other purpose and that the resulting statistics or the results of the research are not made available in a form which identifies the data subject;
(d)
that is necessary for the purpose of or in connection with any order or judgement of a court shall be exempted from the General Principle, Notice and Choice Principle,
Disclosure Principle and Access Principle and other related provisions of this Act;
Act 709
(e)
processed for the purpose of discharging regulatory functions shall be exempted from the General Principle,
Notice and Choice Principle, Disclosure Principle and
Access Principle and other related provisions of this Act if the application of those provisions to the personal data would be likely to prejudice the proper discharge of those functions; or
(f)
processed only for journalistic, literary or artistic purposes shall be exempted from the General Principle, Notice and Choice Principle, Disclosure Principle, Retention
Principle, Data Integrity Principle and Access Principle and other related provisions of this Act, provided that—
(i)
the processing is undertaken with a view to the publication by any person of the journalistic, literary or artistic material;
(ii)
the data user reasonably believes that, taking into account the special importance of public interest in freedom of expression, the publication would be in the public interest; and
(iii)
the data user reasonably believes that in all the circumstances, compliance with the provision in respect of which the exemption is claimed is incompatible with the journalistic, literary or artistic purposes.
Power to make further exemptions
Section 46
Personal Data Protection 47
(a)
the application of any of the Personal Data Protection Principles under this Act to any data user or class of data users; or
(b)
any data user or class of data users from all or any of the provisions of this Act.
Personal Data Protection 49
(2)
The Minister may impose any terms or conditions as he thinks fit in respect of any exemption made under subsection (1).
(3)
The Minister may at any time, on the recommendation of the Commissioner, by order published in the Gazette, revoke any order made under subsection (1).
Part IV
Part IV
APPOINTMENT, FUNCTIONS AND POWERS OF
COMMISSIONER
Appointment of Commissioner
Section 47
(3)
The Commissioner appointed under subsection (1) shall be a body corporate having perpetual succession and a common seal.
(4)
The Commissioner may sue and be sued in his corporate name.
Functions of Commissioner
Section 48
The Commissioner shall have the following functions:
(a)
to advise the Minister on the national policy for personal data protection and all other related matters;
(b)
to implement and enforce the personal data protection laws, including the formulation of operational policies and procedures;
Act 709
(c)
to promote and encourage associations or bodies representing data users to prepare codes of practice and to disseminate to their members the codes of practice for the purposes of this Act;
(d)
to cooperate with bodies corporate or government agencies for the purpose of performing his functions;
(e)
to determine in pursuance of section 129 whether any place outside Malaysia has in place a system for the protection of personal data that is substantially similar to that as provided for under this Act or that serves the same purposes as this Act;
(f)
to undertake or cause to be undertaken research into and monitor developments in the processing of personal data, including technology, in order to take account any effects such developments may have on the privacy of individuals in relation to their personal data;
(g)
to monitor and supervise compliance with the provisions of this Act, including the issuance of circulars, enforcement notices or any other instruments to any person;
(h)
to promote awareness and dissemination of information to the public about the operation of this Act;
(i)
to liaise and cooperate with persons performing similar personal data protection functions in any place outside
Malaysia in respect of matters of mutual interest, including matters concerning the privacy of individuals in relation to their personal data;
(j)
to represent Malaysia through participation in events that relate to personal data protection as authorized by the
Minister, whether within or outside Malaysia; and
(k)
to carry out such activities and do such things as are necessary, advantageous and proper for the administration of this Act, or such other purposes consistent with this
Act as may be directed by the Minister.
Personal Data Protection 51
Powers of Commissioner
Section 49
(2)
Without prejudice to the generality of subsection (1), the powers of the Commissioner shall include the power—
(b)
to appoint such agents, experts, consultants or any other persons as he thinks fit to assist him in the performance of his functions;
(c)
to formulate human resource development and cooperation programmes for the proper and effective performance of his functions;
(e)
to acquire, purchase, take, hold and enjoy any movable or immovable property of every description for the performance of his functions, and to convey, assign, surrender, yield up, charge, mortgage, demise, transfer or otherwise dispose of, or deal with such property or any interest therein vested in him;
(f)
to perform such other functions as the Minister may assign from time to time; and
(g)
to do all such things as may be incidental to or consequential upon the performance of his functions.
Appointment of Deputy Commissioners and Assistant
Commissioners
Section 50
(2)
The Deputy Commissioners and Assistant Commissioners appointed under subsection (1) shall hold office for such periods, receive such remuneration, allowances or benefits, and shall be subject to such terms and conditions of service as the Commissioner, with the approval of the Minister, may determine.
(3)
The Deputy Commissioners and Assistant Commissioners appointed under subsection (1) shall be subject to the supervision, direction and control of the Commissioner.
Appointment of other officers and servants
Section 51
The Commissioner may employ on such terms and conditions as he thinks desirable such officers and servants as may be necessary to assist him in the performance of his functions and the exercise of his powers under this Act.
Section 52
Loans and advances to officers and servants
The Commissioner may grant loans and advances to the officers and servants under section 51 for such purposes and on such terms and conditions as the Commissioner may determine.
Section 53
Tenure of office
Subject to such conditions as may be specified in his instrument of appointment, the Commissioner shall, unless he sooner resigns or vacates his office or his appointment is sooner revoked, hold office for a term not exceeding three years and may be eligible for reappointment.
Section 54
Revocation of appointment and resignation
(2)
The Commissioner may at any time resign his office by giving a written notice addressed to the Minister fourteen days prior to the intended date of resignation.
Personal Data Protection 53
Temporary exercise of functions and powers of Commissioner
Section 55
(a)
the Commissioner is by reason of illness, leave of absence or any other cause unable to perform his functions for any substantial period; or
(2)
A person appointed under subsection (1) shall, during the period in which he is performing the functions and exercising the powers of the Commissioner under this section, be deemed to be the Commissioner.
Vacation of office
Section 56
The office of the Commissioner shall be vacated—
(b)
if there has been proved against him, or he has been convicted of, a charge in respect of—
(i)
an offence involving fraud, dishonesty or moral turpitude;
(iii)
any other offence punishable with imprisonment
(in itself only or in addition to or in lieu of a fine) for more than two years;
(c)
if his conduct, whether in connection with his duties as a Commissioner or otherwise, has been such as to bring discredit on the office of the Commissioner;
Act 709
(e)
if he is of unsound mind or is otherwise incapable of discharging his duties;
Section 57
The Commissioner shall be paid such remuneration and allowances as the Minister may determine after consultation with the Minister of Finance.
Section 58
Delegation of Commissioner’s functions and powers
(2)
The delegation under subsection (1) shall not preclude the
Commissioner himself from performing or exercising at any time the delegated functions or powers.
Direction by Minister
Section 59
(2)
The Minister may give to the Commissioner directions of a general character consistent with the provisions of this Act relating to the performance of the functions and powers of the
Commissioner and the Commissioner shall give effect to such directions.
Personal Data Protection 55
Returns, reports, accounts and information
Section 60
(2)
Without prejudice to the generality of subsection (1), the
Commissioner shall, as soon as practicable after the end of each financial year, cause to be made and transmitted to the Minister and if so directed by the Minister to any other public authority, a report dealing with the activities of the Commissioner during the preceding financial year, and the report shall be in such form and shall contain such information relating to the proceedings and policies of the Commissioner as the Minister may specify.
Part V
Part V
PERSONAL DATA PROTECTION FUND
Establishment of Fund
Section 61
(3)
The Fund shall consist of—
(a)
such sums as may be provided by Parliament for the purposes of this Act from time to time;
(b)
fees, costs and any other charges imposed by or payable to the Commissioner under this Act;
(c)
all monies derived from the sale, disposal, lease, hire or any other dealings with the movable or immovable property vested in or acquired by the Commissioner;
Act 709
(d)
all monies as may be paid to the Commissioner from time to time for loans given by the Commissioner; and
(e)
all other monies or property which may in any manner become payable to or vested in the Commissioner in respect of any matter incidental to his functions and powers.
Expenditure to be charged on Fund
Section 62
The Fund may be expended for the following purposes:
(b)
paying any expenses incurred for organizing campaigns, research, studies and publication of materials for the protection of personal data;
(c)
paying the remuneration, allowances, benefits and other expenses of the Commissioner, Deputy Commissioners,
Assistant Commissioners, members of the Advisory
Committee, members, officers and servants of the Appeal
Tribunal and officers and servants of the Commissioner, including the granting of loans and advances, superannuation allowances, retirement benefits and gratuities;
(d)
paying any other expenses, expenditure, fees and costs, including fees for the engagement of consultants, and legal fees and costs, properly incurred or accepted, or deemed fit by the Commissioner in the performance of his functions and the exercise of his powers;
(e)
purchasing or hiring equipment and materials, acquiring land and any assets, and carrying out any other works and undertakings in the performance of his functions and the exercise of his powers; and
(f)
generally, paying any expenses for carrying into effect the provisions of this Act.
Personal Data Protection 57
Conservation of Fund
Section 63
It shall be the duty of the Commissioner to conserve the Fund by so performing his functions and exercising his powers under this Act as to secure that the total revenues of the Commissioner are sufficient to meet all sums properly chargeable to its revenue account, including depreciation and interest on capital, taking one year with another.
Section 64
Reserve fund
The Commissioner shall establish and maintain a reserve fund within the Fund.
Section 65
Financial year
The financial year of the Commissioner shall begin on 1 January and end on 31 December of each year.
Section 66
Limitation on contracts
The Commissioner shall not, without the approval of the
Minister and the concurrence of the Minister of Finance, enter into any contract under which the Commissioner is to pay or receive an amount exceeding two million ringgit.
Section 67
Bank accounts
The Commissioner shall open and maintain an account or accounts with such financial institution or financial institutions in
Malaysia as the Commissioner, after consulting with the Minister, thinks fit; and every such account shall be operated upon as far as practicable by cheques signed by such persons as may be authorized by the Minister.
Section 68
Accounts and audit
The Commissioner shall cause proper accounts to be kept and maintained in respect of the Fund and in compliance with the provisions of the Statutory Bodies (Accounts and Annual
Reports) Act 1980 [Act 240].
Act 709
Section 69
Expenditure and preparation of estimates
(2)
Before 1 June of each year, the Commissioner shall submit to the Minister an estimate of the expenditure for the following year in such form and containing such particulars as the Minister may direct.
(3)
The Minister shall, before 1 January of the following year, notify the Commissioner of the amount authorized for expenditure generally or of the amounts authorized for each description of expenditure based on the estimate prepared under subsection (2).
(4)
The Commissioner may at any time submit to the Minister a supplementary estimate of its expenditure for any one year and the Minister may allow the whole or any part of the additional expenditure to be included in the supplementary estimate.
Part VI
Part VI
PERSONAL DATA PROTECTION ADVISORY COMMITTEE
Establishment of Advisory Committee
Section 70
There is established a Personal Data Protection Advisory
Committee.
Section 71
Functions of Advisory Committee
(a)
to advise the Commissioner on all matters relating to personal data protection, and the due administration and enforcement of this Act; and
(b)
to advise the Commissioner on any matter referred by him to the Advisory Committee.
(2)
The Commissioner shall not be bound to act upon the advice of the Advisory Committee.
Personal Data Protection 59
Members of Advisory Committee
Section 72
The Advisory Committee shall consist of the following members to be appointed by the Minister:
Section 73
A member appointed under section 72 shall, unless he sooner resigns or vacates his office or his appointment is sooner revoked, hold office for such period not exceeding three years as the Minister may determine at the time of his appointment, and shall be eligible for reappointment; but no member shall hold office for more than two consecutive terms.
Section 74
Revocation of appointment and resignation
(2)
A member of the Advisory Committee appointed under section 72 may at any time resign from his office by giving a written notice addressed to the Minister fourteen days prior to the intended date of resignation.
Temporary exercise of functions of Chairman
Section 75
(a)
the Chairman is by reason of illness, leave of absence or any other cause unable to perform his functions for any substantial period; or
(2)
A member appointed under subsection (1) shall, during the period in which he is performing the functions of the Chairman under this section, be deemed to be the Chairman.
Vacation of office
Section 76
Advisory Committee to act as the Chairman for the period when—
The office of a member of the Advisory Committee shall be vacated—
(b)
if there has been proved against him, or he has been convicted of, a charge in respect of—
(i)
an offence involving fraud, dishonesty or moral turpitude;
(iii)
any other offence punishable with imprisonment
(in itself only or in addition to or in lieu of a fine) for more than two years;
(c)
if his conduct, whether in connection with his duties as a member of the Advisory Committee or otherwise, has been such as to bring discredit on the Advisory
Committee;
(e)
if he is of unsound mind or is otherwise incapable of discharging his duties;
(f)
in the case of the Chairman, if he absents himself from a meeting of the Advisory Committee without leave in writing of the Minister;
(g)
in the case of a member of the Advisory Committee other than the Chairman, if he absents himself from three consecutive meetings of the Advisory Committee without leave in writing of the Chairman;
Personal Data Protection 61
Section 77
The Chairman and all other members of the Advisory
Committee may be paid such allowances as the Minister may determine after consultation with the Minister of Finance.
Section 78
Time and place of meetings
(2)
The Chairman shall call for a meeting if requested to do so in writing by the Minister or by at least four members of the
Advisory Committee.
Advisory Committee may invite others to attend meetings
Section 79
(2)
A person invited under subsection (1) shall be paid such allowances as may be determined by the Commissioner.
Minutes
Section 80
(2)
Minutes made of meetings of the Advisory Committee shall, if duly signed, be admissible in evidence in all legal proceedings without further proof.
Act 709
(3)
Every meeting of the Advisory Committee in respect of the proceedings of which minutes have been so made shall be deemed to have been duly convened and held and all members thereat to have been duly qualified to act.
Procedure
Section 81
The Advisory Committee may regulate its own procedure.
Section 82
Members to devote time to business of Advisory Committee
The members of the Advisory Committee shall devote such time to the business of the Advisory Committee as is necessary to discharge their duties effectively.
Part VII
Part VII
APPEAL TRIBUNAL
Establishment of Appeal Tribunal
Section 83
There is established an Appeal Tribunal for the purpose of reviewing any of the matters on appeal as set out in section 93.
Section 84
Powers of Appeal Tribunal
(a)
to summon parties to the proceedings or any other person to attend before it to give evidence in respect of an appeal;
(b)
to procure and receive evidence on oath or affirmation, whether written or oral, and examine all such persons as witnesses as the Appeal Tribunal considers necessary;
(c)
where a person is so summoned, to require the production of any information, document or other thing in his possession or under his control which the Appeal Tribunal considers necessary for the purposes of the appeal;
Personal Data Protection 63
(d)
to administer any oath, affirmation or statutory declaration, as the case may require;
(e)
where a person is so summoned, to allow the payment for any reasonable expenses incurred in connection with his attendance;
(f)
to admit evidence or reject evidence adduced, whether oral or documentary, and whether admissible or inadmissible under the provisions of any written law relating to the admissibility of evidence;
(g)
to adjourn the hearing of an appeal from time to time, including the power to adjourn to consider its decision;
and
(h)
generally to direct and do all such matters as may be necessary or expedient for the expeditious decision of the appeal.
(2)
The Appeal Tribunal shall have the powers of a subordinate court with regard to the enforcement of attendance of witnesses, hearing evidence on oath or affirmation and punishment for contempt.
Members of Appeal Tribunal
Section 85
(b)
at least two other members, or such greater number of members as the Minister thinks necessary.
(2)
The Minister shall appoint a person who is a member of the Judicial and Legal Service of the Federation for at least ten years to be the Chairman of the Appeal Tribunal.
(3)
The appointment of the members of the Appeal Tribunal shall be published by notification in the Gazette.
Act 709
Secretary to Appeal Tribunal and other officers, etc.
Section 86
(2)
The Secretary to the Appeal Tribunal shall be responsible for the administration and management of the functions of the
Appeal Tribunal.
(3)
The Minister may appoint such number of officers and servants as the Minister thinks fit to assist the Secretary to the
Appeal Tribunal in carrying out his functions under subsection (2).
(4)
The Secretary to the Appeal Tribunal shall have the general control of the officers and servants of the Appeal Tribunal.
(5)
For the purposes of this Act, the Secretary to the Appeal Tribunal and the officers appointed under subsection (3) shall be deemed to be officers of the Appeal Tribunal.
Tenure of office
Section 87
A member of the Appeal Tribunal appointed under subsection 85(1) shall, unless he sooner resigns or vacates his office or his appointment is sooner revoked—
(b)
shall be eligible for reappointment upon the expiry of his term of office, but shall not be appointed for more than two consecutive terms.
Resignation and revocation of appointment
Section 88
(2)
A member of the Appeal Tribunal appointed under subsection 85(1) may at any time resign from his office by giving a written notice addressed to the Minister fourteen days prior to the intended date of resignation.
Personal Data Protection 65
Temporary exercise of functions of Chairman
Section 89
(a)
the Chairman is by reason of illness, leave of absence or any other cause unable to perform his functions for any substantial period; or
(2)
A member appointed under subsection (1) shall, during the period in which he is performing the functions of the Chairman under this section, be deemed to be the Chairman.
Vacation of office
Section 90
Appeal Tribunal to act as the Chairman for the period when—
The office of a member of the Appeal Tribunal shall be vacated—
(b)
if there has been proved against him, or he has been convicted of, a charge in respect of—
(i)
an offence involving fraud, dishonesty or moral turpitude;
(iii)
any other offence punishable with imprisonment
(in itself only or in addition to or in lieu of a fine) for more than two years;
(c)
if his conduct, whether in connection with his duties as a member of the Appeal Tribunal or otherwise, has been such as to bring discredit on the Appeal Tribunal;
(e)
if he is of unsound mind or otherwise incapable of discharging his duties;
Act 709
(g)
if his performance as a member of the Appeal Tribunal has been unsatisfactory for a significant period of time;
Section 91
(2)
The other members of the Appeal Tribunal appointed under paragraph 85(1)(b) shall be paid—
(b)
lodging, travelling and subsistence allowances, as the Minister may determine.
Disclosure of interest
Section 92
(2)
If the Chairman is of the opinion that the member’s interest is in conflict with his duties as a member of the
Appeal Tribunal, the Chairman shall inform all the parties to the matter of the conflict.
(3)
If none of the parties to the matter objects to the conflict, the member may continue to execute his duties as a member of the Appeal Tribunal in relation to that matter.
Personal Data Protection 67
(4)
If a party to the matter objects to the conflict, the member of the Appeal Tribunal shall not continue to execute his duties as a member of the Appeal Tribunal in relation to that matter.
(5)
The failure by the member to disclose his interest under subsection (1) shall—
(a)
invalidate the decision of the Appeal Tribunal, unless all parties agree to be bound by the decision; and
(b)
subject the member to the revocation of his appointment under section 88.
Appeal to Appeal Tribunal
Section 93
Part II
Part II;
Section 94
(2)
Subject to subsection (3), the Commissioner shall, upon receiving the written request under subsection (1), provide to the aggrieved person, upon the payment of a prescribed fee, a copy of a statement of the grounds for his decision.
(3)
Where a notice of appeal has been filed with the Appeal
Tribunal under subsection 93(1), the Commissioner shall, if he has not already written the grounds for his decision in respect of the matter stated in the notice under subsection 93(1), record in writing the grounds for his decision, and the written grounds shall form part of the record of proceedings before the
Appeal Tribunal.
Stay of decision pending appeal
Section 95
(2)
An aggrieved person may apply in writing to the Appeal
Tribunal for a stay of the decision of the Commissioner on or after the notice of appeal has been filed with the Appeal Tribunal.
Composition of Appeal Tribunal
Section 96
Personal Data Protection 69
(2)
In the absence of the Chairman, the senior member of the
Appeal Tribunal shall preside.
Sitting of Appeal Tribunal
Section 97
(2)
The Chairman may cancel or postpone any sitting of the
Appeal Tribunal or change the place of the sitting which has been appointed under subsection (1).
(3)
The Secretary to the Appeal Tribunal shall by written notice inform the parties to the appeal of any change to the date or place of any sitting of the Appeal Tribunal.
Procedure of Appeal Tribunal
Section 98
The Appeal Tribunal may regulate its own procedure.
Section 99
Decision of Appeal Tribunal
(2)
A decision of the Appeal Tribunal shall be final and binding on the parties to the appeal.
Act 709
Enforcement of decision of Appeal Tribunal
Section 100
A decision given by the Appeal Tribunal may, by leave of the Sessions Court, be enforced in the same manner as a judgment or order to the same effect, and where leave is so given, judgment may be entered in terms of the decision.
(b)
the refusal of the Commissioner to register a code of practice under subsection 23(5);
(c)
the failure of the data user to comply with a data access request or data correction request under
Division 4 of Part II;
(e)
the refusal of the Commissioner to vary or revoke an enforcement notice under section 109; and
(f)
the refusal of the Commissioner to carry out or continue an investigation initiated by a complaint under Part VIII, may appeal to the Appeal Tribunal by filing a notice of appeal with the Appeal Tribunal.
Act 709
(2)
The notice of appeal shall be made in writing to the Appeal
Tribunal within thirty days from the date of the decision of the
Commissioner, or in the case of an enforcement notice, within thirty days after the enforcement notice is served upon the relevant data user, and the appellant shall serve a copy of the notice of appeal upon the Commissioner.
(3)
The notice of appeal shall state briefly the substance of the decision of the Commissioner against which an appeal is filed with the Appeal Tribunal, contain an address at which any notice or document connected with the appeal may be served upon the appellant or his advocate, and shall be signed by the appellant or his advocate.
Record of decision of Commissioner
Part VIII
Part VIII
INSPECTION, COMPLAINT AND INVESTIGATION
Inspection of personal data system
Section 101
(a)
any personal data system used by data users for the purpose of ascertaining information to assist the
Commissioner in making recommendations to the relevant data user relating to the promotion of compliance with the provisions of this Act, in particular the
Personal Data Protection Principles, by the relevant data user; or
(b)
any personal data system used by data users belonging to a class of data users for the purpose of ascertaining information to assist the Commissioner in making recommendations to the class of data users to which the relevant data user belongs relating to the promotion of compliance with the provisions of this Act, in particular the Personal Data Protection Principles, by the class of data users to which the relevant data user belongs.
(2)
For the purposes of this section—
“data user” includes a data processor;
“personal data system” means any system, whether automated or otherwise, which is used, whether in whole or in part, by a data user for the processing of personal data, and includes the record maintained under section 44 and any document and equipment forming part of the system.
Personal Data Protection 71
Relevant data user, etc., to be informed of result of inspection
Section 102
Where the Commissioner has completed an inspection of a personal data system, he shall in such manner and at such time as he thinks fit inform the relevant data user or class of data users to which the relevant data user belongs of—
(b)
any recommendations arising from the inspection that the Commissioner thinks fit to make relating to the promotion of compliance with the provisions of this Act, in particular the Personal Data Protection Principles, by the relevant data user or the class of data users to which the relevant data user belongs; and
(c)
such other comments arising from the inspection as he thinks fit.
Reports by Commissioner
Section 103
(a)
setting out any recommendations arising from the inspection that the Commissioner thinks fit to make relating to the promotion of compliance with the provisions of this Act, in particular the Personal Data Protection Principles, by the class of data users to which the relevant data users belong; and
(2)
A report published under subsection (1) shall be so framed as to prevent the identity of any individual from being ascertained.
Complaint
Section 104
Any individual or relevant person may make a complaint in writing to the Commissioner about an act, practice or request—
(b)
that has been done or engaged in, or is being done or engaged in, by the data user specified in the complaint;
(c)
that relates to personal data of which the individual is the data subject; and
(d)
that may be a contravention of the provisions of this Act, including any codes of practice.
Investigation by Commissioner
Section 105
(2)
Where the Commissioner has reasonable grounds to believe that an act, practice or request has been done or engaged in, or is being done or engaged in, by the relevant data user that relates to personal data and such act, practice or request may be a contravention of the provisions of this Act, the Commissioner may carry out an investigation in relation to the relevant data user to ascertain whether the act, practice or request contravenes the provisions of this Act.
(3)
Part IX shall apply in respect of investigations carried out by the Commissioner under this Part.
Restriction on investigation initiated by complaint
Section 106
(a)
the complaint, or a complaint of a substantially similar nature, has previously initiated an investigation as a result of which the Commissioner was of the opinion that there has been no contravention of the provisions of this Act;
(b)
the act, practice or request specified in the complaint is trivial;
Personal Data Protection 73
(d)
any investigation or further investigation is for any other reason unnecessary.
(2)
Notwithstanding the generality of the powers conferred on the Commissioner by this Act, the Commissioner may refuse to carry out or continue an investigation initiated by a complaint—
(i)
the complainant; or
(ii)
in the case where the complainant is a relevant person in relation to a data subject, the data subject or relevant person, as the case may be, has had actual knowledge of the act, practice or request specified in the complaint for more than two years immediately preceding the date on which the
Commissioner received the complaint, unless the
Commissioner is satisfied that in all the circumstances of the case it is proper to carry out or continue the investigation;
(d)
if the Commissioner is satisfied that the relevant data user has not been a data user for a period of not less than two years immediately preceding the date on which the Commissioner received the complaint; or
(3)
Where the Commissioner refuses under this section to carry out or continue an investigation initiated by a complaint, he shall, as soon as practicable but in any case not later than thirty days after the date of receipt of the complaint, by notice in writing served on the complainant inform the complainant of the refusal and of the reasons for the refusal.
Act 709
(4)
An appeal may be made to the Appeal Tribunal against any refusal specified in the notice under subsection (3) by the complainant on whom the notice was served or if the complainant is a relevant person, by the data subject in respect of whom the complainant is the relevant person.
Commissioner may carry out or continue investigation initiated by complaint notwithstanding withdrawal of complaint
Section 107
Where the Commissioner is of the opinion that it is in the public interest so to do, he may carry out or continue an investigation initiated by a complaint notwithstanding that the complainant has withdrawn the complaint and, in any such case, the provisions of this Act shall apply to the complaint and the complainant as if the complaint had not been withdrawn.
Section 108
Enforcement notice
(b)
has contravened such a provision in circumstances that make it likely that the contravention will continue or be repeated, then the Commissioner may serve on the relevant data user an enforcement notice—
(B)
specifying the provision of this Act on which he has based that opinion and the reasons why he is of that opinion;
(C)
directing the relevant data user to take such steps as are specified in the enforcement notice to remedy the contravention or, as the case may be, the matters occasioning it within such period as is specified in the enforcement notice; and
Personal Data Protection 75
(D)
directing, where necessary, the relevant data user to cease processing the personal data pending the remedy of the contravention by the relevant data user.
(2)
In deciding whether to serve an enforcement notice, the
Commissioner shall consider whether the contravention or the matter to which the enforcement notice relates has caused or is likely to cause damage or distress to the data subject of the personal data to which the contravention or matter relates.
(3)
The steps as specified in the enforcement notice to remedy the contravention or matter to which the enforcement notice relates may be framed—
(b)
so as to afford the relevant data user a choice between different ways of remedying the contravention or matter.
(4)
The period specified in the enforcement notice under subsection (1) for taking the steps specified in it shall not expire before the end of the period specified in subsection 93(2) within which an appeal against the enforcement notice may be made and, if such an appeal is made, those steps need not be taken pending the determination or withdrawal of the appeal.
(5)
Notwithstanding subsection (4), if the Commissioner is of the opinion that by reason of special circumstances the steps specified in the enforcement notice should be taken as a matter of urgency—
(a)
he may include a statement to that effect in the enforcement notice together with the reasons why he is of that opinion;
and
(b)
where such a statement is so included, subsection (4) shall not apply but the enforcement notice shall not require those steps to be taken before the end of the period of seven days from the date on which the enforcement notice was served.
Act 709
(6)
An appeal may be made to the Appeal Tribunal against an enforcement notice by the relevant data user in accordance with section 93.
(7)
Where the Commissioner—
(a)
forms an opinion referred to in subsection (1) in respect of the relevant data user at any time before the completion of an investigation; and
(b)
is also of the opinion that, by reason of special circumstances, an enforcement notice should be served on the relevant data user as a matter of urgency, he may so serve the enforcement notice notwithstanding that the investigation has not been completed and, in any such case—
(A)
the Commissioner shall, without prejudice to any other matters to be included in the enforcement notice, specify in the enforcement notice the reasons as to why he is of the opinion referred to in paragraph (b); and
(B)
the other provisions of this Act, including this section, shall be construed accordingly.
(8)
A person who fails to comply with an enforcement notice commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.
Variation or cancellation of enforcement notice
Section 109
Commissioner is of the opinion that the relevant data user—
The Commissioner may, on his own initiative or on the application of a relevant data user, vary or cancel the enforcement notice served under subsection 108(1) by notice in writing to the relevant data user if the Commissioner is satisfied with the action taken by the relevant data user to remedy the contravention.
Personal Data Protection 77
Part IX
Part IX
ENFORCEMENT
Authorized officers
Section 110
The Commissioner may in writing authorize any officer appointed under sections 50 and 51 or any public officer to exercise the powers of enforcement under this Act.
Section 111
Authority card
(2)
Whenever the authorized officer exercises any of the powers of enforcement under this Act, he shall produce on demand to the person against whom the power is being exercised the authority card issued to him under subsection (1).
Power of investigation
Section 112
(2)
For the avoidance of doubt, it is declared that for the purposes of this Act, the authorized officer shall have all or any of the special powers of a police officer of whatever rank in relation to police investigations in seizable cases as provided for under the Criminal Procedure Code [Act 593], and such powers shall be in addition to the powers provided for under this Act and not in derogation thereof.
Search and seizure with warrant
Section 113
(b)
there is in any premises evidence necessary to the conduct of an investigation into, the commission of an offence under this Act, the Magistrate may issue a warrant authorizing the authorized officer named in the warrant at any reasonable time by day or night and with or without assistance, to enter the premises and if need be by force.
(2)
Without affecting the generality of subsection (1), the warrant issued by the Magistrate may authorize the search and seizure of—
(a)
any computer, book, account, computerized data or other document which contains or is reasonably suspected to contain information as to any offence suspected to have been committed;
(b)
any signboard, card, letter, pamphlet, leaflet or notice representing or implying that the person is registered under this Act; or
(c)
any equipment, instrument or article that is reasonably believed to furnish evidence of the commission of the offence.
(3)
An authorized officer conducting a search under subsection (1)
may, for the purpose of investigating into the offence, search any person who is in or on the premises.
(4)
An authorized officer making a search of a person under subsection (3) or section 114 may seize or take possession of, and place in safe custody all things other than the necessary clothing found upon the person, and any of those things which there is reason to believe were the instruments or other evidence of the offence may be detained until the discharge or acquittal of the person.
(5)
Whenever it is necessary to cause a woman to be searched, the search shall be made by another woman with strict regard to decency.
Personal Data Protection 79
(6)
If, by the reason of its nature, size or amount, it is not practicable to remove any computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized under this section, the authorized officer shall by any means seal such computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article in the premises or container in which it is found.
(7)
A person who, without lawful authority, breaks, tampers with or damages the seal referred to in subsection (6) or removes any computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article under seal or attempts to do so commits an offence and shall, on conviction, be liable to a fine not exceeding fifty thousand ringgit or to imprisonment for a term not exceeding six months or to both.
Search and seizure without warrant
Section 114
Magistrate considers necessary, that there is reasonable cause to believe that—
If an authorized officer is satisfied upon information received that he has reasonable cause to believe that by reason of delay in obtaining a search warrant under section 113 the investigation would be adversely affected or evidence of the commission of an offence is likely to be tampered with, removed, damaged or destroyed, the authorized officer may enter the premises and exercise in, upon and in respect of the premises all the powers referred to in section 113 in as full and ample a manner as if he were authorized to do so by a warrant issued under that section.
Section 115
Access to computerized data
(2)
For the purposes of this section, “access”—
(a)
includes being provided with the necessary password, encryption code, decryption code, software or hardware and any other means required to enable comprehension of computerized data; and
(b)
has the meaning assigned to it by subsections 2(2)
and (5) of the Computer Crimes Act 1997 [Act 563].
Warrant admissible notwithstanding defects
Section 116
A search warrant issued under this Act shall be valid and enforceable notwithstanding any defect, mistake or omission therein or in the application for such warrant, and any computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized under such warrant shall be admissible in evidence in any proceedings under this Act.
Section 117
List of computer, book, account, etc., seized
(i)
a list of the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized and shall sign the list; and
(ii)
a written notice of the seizure containing the grounds for the seizure and shall sign the notice;
and
Personal Data Protection 81
(b)
shall as soon as practicable serve a copy of the list of the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized and the written notice of the seizure to the occupier of the premises which have been searched, or to his agent or servant at those premises.
(2)
The written notice of the seizure shall not be required to be served in pursuance of paragraph (1)(b) where the seizure is made in the presence of the person against whom proceedings under this Act are intended to be taken, or in the presence of the owner of such property or his agent, as the case may be.
(3)
If the premises are unoccupied, the authorized officer shall post a copy of the list of the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized conspicuously on the premises.
Release of computer, book, account, etc., seized
Section 118
(2)
A record in writing shall be made by the authorized officer effecting the release of the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article under subsection (1)
specifying in detail the circumstances of and the reason for the release, and he shall send a copy of the record to the Public
Prosecutor within seven days of the release.
No cost or damages arising from seizure to be recoverable
Section 119
No person shall, in any proceedings before any court in respect of any computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized in the exercise or the purported exercise of any power conferred under this Act, be entitled to the costs of such proceedings or to any damages or other relief unless such seizure was made without reasonable cause.
Section 120
Obstruction to search
(a)
refuses any authorized officer access to any premise which the authorized officer is entitled to have under this Act or in the execution of any duty imposed or power conferred by this Act;
(b)
assaults, obstructs, hinders or delays any authorized officer in effecting any entry which the authorized officer is entitled to effect under this Act, or in the execution of any duty imposed or power conferred by this Act; or
(c)
refuses any authorized officer any information relating to an offence or suspected offence under this Act or any other information which may reasonably be required of him and which he has in his knowledge or power to give, commits an offence and shall, on conviction, be liable to imprisonment for a term not exceeding two years or to a fine not exceeding ten thousand ringgit or to both.
Personal Data Protection 83
Power to require production of computer, book, account, etc.
Section 121
An authorized officer shall, for the purposes of the execution of this Act, have the power to do all or any of the following:
(a)
to require the production of any computer, book, account, computerized data or other document kept by the data user or any other person and to inspect, examine and to download from them, make copies of them or take extracts from them;
(b)
to require the production of any identification document from any person in relation to any act or offence under this Act;
(c)
to make such enquiries as may be necessary to ascertain whether the provisions of this Act have been complied with.
Power to require attendance of persons acquainted with case
Section 122
(2)
If any person refuses or fails to attend as so required, the authorized officer may report such refusal or failure to a
Magistrate who shall issue a summons to secure the attendance of such person as may be required by the order made under subsection (1).
Examination of persons acquainted with case
Section 123
(2)
Such person shall be bound to answer all questions relating to the case put to him by the authorized officer:
Provided that such person may refuse to answer any question the answer to which would have a tendency to expose him to a criminal charge or penalty or forfeiture.
(3)
A person making a statement under this section shall be legally bound to state the truth, whether or not such statement is made wholly or partly in answer to questions.
(4)
The authorized officer examining a person under subsection (1) shall first inform that person of the provisions of subsections (2) and (3).
(5)
A statement made by any person under this section shall, whenever possible, be taken down in writing and signed by the person making it or affixed with his thumb print, as the case may be, after it has been read to him in the language in which he made it and after he has been given an opportunity to make any corrections he may wish.
Admission of statements in evidence
Section 124
(2)
When any witness is called for the prosecution or for the defence, other than the accused, the court shall, on the request of the accused or the prosecutor, refer to any statement made by that witness to the authorized officer in the course of the investigation under this Act and may then, if the courts thinks fit in the interest of justice, direct the accused to be furnished with a copy of it and the statement may be used to impeach the credit of the witness in the manner provided by the Evidence
Act 1950 [Act 56].
(3)
Where the accused had made a statement during the course of an investigation, such statement may be admitted in evidence in support of his defence during the course of the trial.
Personal Data Protection 85
(4)
Nothing in this section shall be deemed to apply to any statement made in the course of an identification parade or falling within section 27 or paragraphs 32(1)(a), (i) and (j) of the Evidence Act 1950.
(5)
When any person is charged with any offence in relation to—
(b)
the contents, of any statement made by him to an authorized officer in the course of an investigation made under this Act, that statement may be used as evidence in the prosecution’s case.
Forfeiture of computer, book, account, etc., seized
Section 125
(2)
An order for the forfeiture of the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized and liable to forfeiture under this Act shall be made by the court before which the prosecution with regard thereto has been held if it is proved to the satisfaction of the court that an offence under this Act has been committed and that the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized was the subject matter of or was used in the commission of the offence, notwithstanding that no person has been convicted of such offence.
(3)
If there is no prosecution with regard to any computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized under this Act, such computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article shall be taken and deemed to be forfeited at the expiration of a period of one calendar month from the date of service of a notice to the last-known address of
Act 709
the person from whom the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article was seized indicating that there is no prosecution in respect of such computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article, unless before the expiration of that period a claim thereto is made in the manner set out in subsections (4), (5) and (6).
(4)
Any person asserting that he is the owner of the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article referred to in subsection (3) and that it is not liable to forfeiture may, personally or by his agent authorized in writing, give written notice to the authorized officer in whose possession such computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article is held that he claims the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article.
(5)
On receipt of the notice under subsection (4), the authorized officer shall refer the matter to a Magistrate for his decision.
(6)
The Magistrate to whom the matter is referred under subsection (5) shall issue a summons requiring the person asserting that he is the owner of the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article and the person from whom it was seized to appear before the Magistrate, and upon their appearance or default to appear, due service of the summons having been proved, the Magistrate shall proceed to the examination of the matter and, on proof that an offence under this Act has been committed and that the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized was the subject matter of or was used in the commission of such offence, the Magistrate shall order the computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article to be forfeited, and shall, in the absence of such proof, order its release.
Personal Data Protection 87
(7)
Any computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article forfeited or deemed to be forfeited shall be delivered to the Commissioner and shall be disposed of in such manner as the Commissioner thinks fit.
Joinder of offences
Section 126
Notwithstanding anything contained in section 164
of the Criminal Procedure Code, where a person is accused of more than one offence under this Act, he may be charged with and tried at one trial for any number of such offences committed within the space of any length of time.
Section 127
Power of arrest
(2)
An authorized officer making an arrest under subsection (1)
shall without unnecessary delay make over the person so arrested to the nearest police officer or, in the absence of a police officer, take such person to the nearest police station, and thereafter the person shall be dealt with as is provided for by the law relating to criminal procedure for the time being in force as if he had been arrested by a police officer.
Part X
Part X
MISCELLANEOUS
Register
Section 128
(2)
A person may on payment of the prescribed fee—
(3)
Where a person requests that a copy of an entry in the register be provided in an electronic form, the Commissioner may provide the relevant information by way of electronic means.
Transfer of personal data to places outside Malaysia
Section 129
(2)
For the purposes of subsection (1), the Minister may specify any place outside Malaysia if—
(a)
there is in that place in force any law which is substantially similar to this Act, or that serves the same purposes as this Act; or
(b)
that place ensures an adequate level of protection in relation to the processing of personal data which is at least equivalent to the level of protection afforded by this Act.
(3)
Notwithstanding subsection (1), a data user may transfer any personal data to a place outside Malaysia if—
(b)
the transfer is necessary for the performance of a contract between the data subject and the data user;
(c)
the transfer is necessary for the conclusion or performance of a contract between the data user and a third party which—
(i)
is entered into at the request of the data subject;
or
(d)
the transfer is for the purpose of any legal proceedings or for the purpose of obtaining legal advice or for establishing, exercising or defending legal rights;
Personal Data Protection 89
(e)
the data user has reasonable grounds for believing that in all circumstances of the case—
(i)
the transfer is for the avoidance or mitigation of adverse action against the data subject;
(ii)
it is not practicable to obtain the consent in writing of the data subject to that transfer; and
(iii)
if it was practicable to obtain such consent, the data subject would have given his consent;
(f)
the data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not in that place be processed in any manner which, if that place is Malaysia, would be a contravention of this Act;
(g)
the transfer is necessary in order to protect the vital interests of the data subject; or
(h)
the transfer is necessary as being in the public interest in circumstances as determined by the Minister.
(4)
Where the Commissioner has reasonable grounds for believing that in a place as specified under subsection (1) there is no longer in force any law which is substantially similar to this Act, or that serves the same purposes as this Act—
(a)
the Commissioner shall make such recommendations to the Minister who shall, either by cancelling or amending the notification made under subsection (1), cause that place to cease to be a place to which personal data may be transferred under this section; and
(b)
the data user shall cease to transfer any personal data of a data subject to such place with effect from the time as specified by the Minister in the notification.
(5)
A data user who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding three hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.
Act 709
(6)
For the purposes of this section, “adverse action”, in relation to a data subject, means any action that may adversely affect the data subject’s rights, benefits, privileges, obligations or interests.
Unlawful collecting, etc., of personal data
Section 130
(b)
procure the disclosure to another person of personal data that is held by the data user.
(2)
Subsection (1) shall not apply to a person who shows—
(a)
that the collecting or disclosing of personal data or procuring the disclosure of personal data—
(i)
was necessary for the purpose of preventing or detecting a crime or for the purpose of investigations; or
(b)
that he acted in the reasonable belief that he had in law the right to collect or disclose the personal data or to procure the disclosure of the personal data to the other person;
(c)
that he acted in the reasonable belief that he would have had the consent of the data user if the data user had known of the collecting or disclosing of personal data or procuring the disclosure of personal data and the circumstances of it; or
(d)
that the collecting or disclosing of personal data or procuring the disclosure of personal data was justified as being in the public interest in circumstances as determined by the Minister.
Personal Data Protection 91
(3)
A person who collects or discloses personal data or procures the disclosure of personal data in contravention of subsection (1)
commits an offence.
(4)
A person who sells personal data commits an offence if he has collected the personal data in contravention of subsection (1).
(5)
A person who offers to sell personal data commits an offence if—
(b)
he subsequently collects the personal data in contravention of subsection (1).
(6)
For the purposes of subsection (5), an advertisement indicating that personal data is or may be for sale is an offer to sell the personal data.
(7)
A person who commits an offence under this section shall, upon conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding three years or to both.
Abetment and attempt punishable as offences
Section 131
(2)
A person who does any act preparatory to or in furtherance of the commission of any offence under this Act shall be guilty of that offence and shall, on conviction, be liable to the punishment provided for the offence:
Provided that any term of imprisonment imposed shall not exceed one-half of the maximum term provided for the offence.
Act 709
Compounding of offences
Section 132
(2)
An offer under subsection (1) may be made at any time after the offence has been committed but before any prosecution for it has been instituted, and if the amount specified in the offer is not paid within the time specified in the offer or such extended time as the Commissioner may grant, prosecution for the offence may be instituted at any time after that against the person to whom the offer was made.
(3)
Where an offence has been compounded under subsection (1), no prosecution shall be instituted in respect of the offence against the person to whom the offer to compound was made, and any computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article seized in connection with the offence may be released or forfeited by the Commissioner, subject to such terms and conditions as he thinks fit to impose in accordance with the conditions of the compound.
(4)
All sums of money received by the Commissioner under this section shall be paid into the Federal Consolidated Fund.
Offences by body corporate
Section 133
(a)
may be charged severally or jointly in the same proceedings with the body corporate; and
Personal Data Protection 93
(b)
if the body corporate is found to have committed the offence, shall be deemed to have committed that offence unless, having regard to the nature of his functions in that capacity and to all circumstances, he proves—
(i)
that the offence was committed without his knowledge, consent or connivance; and
(ii)
that he had taken all reasonable precautions and exercised due diligence to prevent the commission of the offence.
(2)
If any person would be liable under this Act to any punishment or penalty for his act, omission, neglect or default, he shall be liable to the same punishment or penalty for every such act, omission, neglect or default of any employee or agent of his, or of the employee of the agent, if the act, omission, neglect or default was committed—
(c)
by the employee of the agent in the course of his employment by the agent or otherwise on behalf of the agent acting on behalf of that person.
Prosecution
Section 134
No prosecution for an offence under this Act shall be instituted except by or with the written consent of the Public
Prosecutor.
Section 135
Jurisdiction to try offences
Sessions Court shall have jurisdiction to try any offence under this Act and to impose full punishment for any such offence under this Act.
Act 709
Section 136
Service of notices or other documents
(b)
by leaving the notice or other document at the last-known address of residence or place of business of the person in a cover addressed to that person; or
(c)
by forwarding the notice or other document by post in an A.R. registered letter addressed to the person at his last-known address of residence or place of business.
(2)
Where the person to whom there has been addressed an A.R.
registered letter containing any notice or other document which may be given under this Act is informed of the fact that there is an A.R. registered letter awaiting him at a post office, and such person refuses or neglects to take delivery of such A.R. registered letter, such notice or other document shall be deemed to have been served upon him on the date on which he was so informed.
Public Authorities Protection Act 1948
Section 137
The Public Authorities Protection Act 1948 [Act 198] shall apply to any action, suit, prosecution or proceedings against the
Commissioner, Deputy Commissioner, Assistant Commissioner, any officer or servant of the Commissioner, any member of the
Advisory Committee, any member, officer or servant of the Appeal
Tribunal, or any authorized officer in respect of any act, neglect or default done or omitted by him or it in such capacity.
Section 138
Public servant
Commissioner, any officer or servant of the Commissioner, any member of the Advisory Committee, any member, officer or servant of the Appeal Tribunal, or any authorized officer while discharging his duty or performing his functions or exercising his powers under this Act in such capacity shall be deemed to be a public servant within the meaning of the Penal Code [Act 574].
Personal Data Protection 95
Section 139
Protection against suit and legal proceedings
No action, suit, prosecution or other proceedings shall lie or be brought, instituted or maintained in any court against—
(a)
the Commissioner, Deputy Commissioner, Assistant
Commissioner or any officer or servant of the
Commissioner;
(d)
any authorized officer, in respect of any act or omission done or omitted by him or it in good faith in such capacity.
Protection of informers
Section 140
(2)
If any computer, book, account, computerized data or other document, signboard, card, letter, pamphlet, leaflet, notice, equipment, instrument or article which is in evidence or is liable to inspection in any civil or criminal proceedings whatsoever contains any entry in which any informer is named or described or which might lead to his discovery, the court shall cause all such entries to be concealed from view or to be obliterated in so far as may be necessary to protect the informer from discovery.
(3)
If in a trial for any offence under this Act the court, after full inquiry into the case, is of the opinion that the informer wilfully made in his complaint a material statement which he knew or believed to be false or did not believe to be true, or if in any other proceedings the court is of the opinion that justice cannot be fully done between the parties in the proceeding without the discovery of the informer, the court may require the production of the original complaint, if in writing, and permit an inquiry and require full disclosure concerning the informer.
Act 709
Obligation of secrecy
Section 141
(a)
the Commissioner, Deputy Commissioner, Assistant
Commissioner, any officer or servant of the Commissioner, any member of the Advisory Committee, any member, officer or servant of the Appeal Tribunal, any authorized officer or any person attending any meeting or deliberation of the Advisory Committee, whether during or after his tenure of office or employment, shall not disclose any information obtained by him in the course of his duties; and
(b)
no other person who has by any means access to any information or documents relating to the affairs of the Commissioner shall disclose such information or document.
(2)
A person who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding one hundred thousand ringgit or to imprisonment for a term not exceeding one year or to both.
Things done in anticipation of the enactment of this Act
Section 142
All acts and things done by any person in preparation for or in anticipation of the enactment of this Act and any expenditure incurred in relation thereto shall be deemed to have been authorized under this Act, provided that the acts and things done are consistent with the general intention and purposes of this Act; and all rights and obligations acquired or incurred as a result of the doing of those acts or things including any expenditure incurred in relation thereto, shall on the coming into operation of this Act be deemed to be the rights and obligations of the Commissioner.
Section 143
Power to make regulations
(2)
Without prejudice to the generality of the powers conferred by subsection (1), the Minister may make regulations for all or any of the following purposes:
(a)
to regulate all matters relating to the registration of data users under this Act, including to prescribe the registration fees and renewal fees;
(b)
to regulate all matters necessary for the implementation of the Personal Data Protection Principles;
(c)
to regulate procedures in respect of the inspection of personal data systems, investigation of complaints and issuance of enforcement notices, and all other matters related to it;
(d)
to prescribe the offences which may be compounded and the forms to be used and the method and procedure for compounding the offences;
(e)
to provide and prescribe for any fees payable in connection with the provision of any service or any matter under this Act;
(f)
to prescribe any matter for which this Act makes express provision to be made by regulations;
(g)
to prescribe all other matters as are necessary or expedient to be prescribed for giving effect to this Act.
(3)
The regulations made under this section or any other subsidiary legislation made under this Act may prescribe for any act or omission in contravention of the regulations or other subsidiary legislation to be an offence and may prescribe for penalties of a fine not exceeding two hundred and fifty thousand ringgit or imprisonment for a term not exceeding two years or to both.
Prevention of anomalies
Section 144
Personal Data Protection 97
(2)
The Minister shall not exercise the powers conferred by subsection (1) after the expiration of one year from the appointed date.
(3)
In this section, “modifications” means amendments, additions, deletions and substitutions of any provisions of this Act.
Part XI
Part XI
SAVINGS AND TRANSITIONAL PROVISIONS
Personal data processed before the date of coming into operation of this Act
Section 145
Where a data user has collected personal data from the data subject or any third party before the date of coming into operation of this Act, he shall comply with the provisions of this
Act within three months from the date of coming into operation of this Act.
Registration of persons who process personal data before the date of coming into operation of this Act
Section 146
(2)
Subsection (1) shall not apply to a data user who does not belong to the class of data users who shall be required to be registered as data users in pursuance of the provisions of
Division 2 of Part II.
Personal Data Protection 99
Act 709
LIST OF AMENDMENTS
Amending law
Short title
In force from
- NIL -
Act 709
Act 709
LIST OF SECTIONS AMENDED
Section
Amending authority
In force from
- NIL -
KUALA LUMPUR
WJW22/0914 10-08-2022
Common questions
- What is AKTA PERLINDUNGAN DATA PERIBADI 2010?
- PERSONAL DATA PROTECTION ACT 2010 is Malaysia Act, cited as Act 709 2010, currently marked in force and first recorded in 2010.
- Is AKTA PERLINDUNGAN DATA PERIBADI 2010 still in force?
- Yes — AKTA PERLINDUNGAN DATA PERIBADI 2010 is currently in force.
- When did AKTA PERLINDUNGAN DATA PERIBADI 2010 take effect?
- AKTA PERLINDUNGAN DATA PERIBADI 2010 was first recorded in 2010.
- How many sections does AKTA PERLINDUNGAN DATA PERIBADI 2010 have?
- AKTA PERLINDUNGAN DATA PERIBADI 2010 contains 146 sections.
- What amends AKTA PERLINDUNGAN DATA PERIBADI 2010?
- AKTA PERLINDUNGAN DATA PERIBADI 2010 has been amended by AKTA PERLINDUNGAN DATA PERIBADI (PINDAAN) 2024.
- Where can I read the official version of AKTA PERLINDUNGAN DATA PERIBADI 2010?
- The official text of AKTA PERLINDUNGAN DATA PERIBADI 2010 is published at lom.agc.gov.my.