Quick answer
PERSONAL DATA PROTECTION (AMENDMENT) ACT 2024 is a Malaysian Amendment Act, cited as Amendment Act A1727 2024, currently marked in force and first recorded in 2024.
Opening note
This Act comes into operation on a date to be appointed by the Minister by notification in the Gazette and the Minister may appoint different dates for the coming into operation of different provisions of this Act.
General amendment
The Personal Data Protection Act 2010 [Act 709], which is referred to as the “principal Act” in this Act, is amended by substituting for the words “data user” and “data users” wherever appearing including in the shoulder note the words “data controller” and “data controllers” except in the definition of “register” under section 4, and section 9.
PERSONAL DATA PROTECTION (AMENDMENT) ACT 2024
Amendment of section 4
The principal Act is amended in section 4—
in the definition of “register”, by substituting for the words “Register of Data Users, Register of Data User Forums” the words “Register of Data Controllers, Register of Data Controller Forums”;
by inserting after the definition of “register” the following definition:
‘ “biometric data” means any personal data resulting from technical processing relating to the physical, physiological or behavioural characteristics of a person;’;
in the definition of “sensitive personal data”, by inserting after the words “alleged commission by him of any offence” the words “, biometric data”;
by inserting after the definition of “authorized officer” the following definition:
‘ “personal data breach” means any breach of personal data, loss of personal data, misuse of personal data or unauthorized access of personal data;’;
in the definition of “requestor”, by substituting for the words “data access request or data correction request” the words “data access request, data correction request or data portability request”; and
in the definition of “data subject”, by inserting after the words “the personal data” the words “and shall not include a deceased individual”.
Amendment of section 5
Section 5 of the principal Act is amended—
by inserting after subsection (1) the following subsection:
“(1a) Where the processing of personal data is carried out by a data processor on behalf of the data controller, the data processor shall comply with the Security Principle as specified in section 9.”; and
by inserting after the words “subsection (1)” the words “or a data processor who contravenes subsection (1a)”; and
by substituting for the words “three hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both” the words “one million ringgit or to imprisonment for a term not exceeding three years or to both”.
Amendment of section 9
Section 9 of the principal Act is amended—
in subsection (1), by substituting for the words “data user shall,” the words “data controller and a data processor shall,”; and
by substituting for the words “the data user, the data user shall,” the words “a data controller, the data processor shall,”;
in paragraph (a), by substituting for the word “provides” the word “provide”; and
in paragraph (b), by substituting for the word “takes” the word “take”.
New Division 1a of Part II
The principal Act is amended in Part II by inserting after section 12 the following division:
“Division 1a
Accountability of personal data
Appointment of data protection officer
12a. (1) A data controller shall appoint one or more data protection officers who shall be accountable to the data controller for the compliance with this Act.
Where the processing of personal data is carried out by a data processor on behalf of the data controller, the data processor shall appoint one or more data protection officers who shall be accountable to the data processor for the compliance with this Act.
The data controller shall notify the Commissioner on the appointment of data protection officer in the manner and form as determined by the Commissioner.
The appointment of data protection officer under subsections (1) and (2) shall not discharge the data controller or data processor from all duties and functions under this Act.
Data breach notification
12b. (1) Where a data controller has reason to believe that a personal data breach has occurred, the data controller shall, as soon as practicable, notify the Commissioner in the manner and form as determined by the Commissioner.
Where the personal data breach under subsection (1) causes or likely to cause any significant harm to the data subject, the data controller shall notify the personal data breach to the data subject in the manner and form as determined by the Commissioner without unnecessary delay.
A data controller who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred and fifty thousand ringgit or imprisonment for a term not exceeding two years or to both.”.
Amendment of section 16
Subsection 16(3) of the principal Act is amended in the national language text by substituting for the word “Pendaftar” the word “Pesuruhjaya”.
Amendment of section 21
by inserting after the words “a body” the words “or a data controller”;
by substituting for the words “that body” the words “that body or data controller”;
in paragraph (a), by substituting for the words “the body” the words “the body or data controller”;
in paragraph (b), by substituting for the words “the body” the words “the body or data controller”; and
in paragraph (c), by substituting for the words “the body” the words “the body or data controller”;
in subsection (2), by substituting for the words “The body” the words “The body or data controller”;
by substituting for the words “an existing body” the words “an existing body or a data controller”; and
by substituting for the words “the body” the words “the body or data controller”; and
in subsection (4), by substituting for the words “an existing body” the words “an existing body or a data controller”.
New section 43a
The principal Act is amended by inserting after section 43 the following section:
“Rights to data portability
43a. (1) Subject to subsection (2), a data subject may request the data controller to transmit his personal data to another data controller of his choice directly by giving a notice in writing by way of electronic means to the data controller.
The request for data portability referred to in subsection (1) is subject to technical feasibility and compatibility of the data format.
Upon receiving the request for data portability under subsection (1), the data controller shall complete the transmission of personal data within the period as may be prescribed.”.
Amendment of section 48
Paragraph 48(e) of the principal Act is deleted.
Amendment of section 67
by deleting the words “, after consulting the Minister,”; and
by substituting for the words “upon as far as practicable by cheques signed by such persons as may be authorized by the Minister.” the words “in such manner as may be authorized by the Commissioner.”.
Amendment of section 129
Section 129 of the principal Act is amended—
by substituting for the words “For the purposes of subsection (1), the Minister may specify” the words “A data controller may transfer any personal data of a data subject to”; and
in paragraph (a), by deleting the words “, or that serves the same purposes as this Act”;
by substituting for the words “subsection (1)” the words “subsection (2)”;
in paragraph (g), by substituting for the words “; or” at the end of the paragraph a full stop; and
in subsection (5), by substituting for the words “subsection (1)” the words “this section”.
Amendment of section 136
Subsection 136(1) of the principal Act is amended by inserting after paragraph (a) the following paragraph:
“(aa) by way of electronic means;”.
Saving
Any code of practice registered and issued by the Commissioner immediately before the commencement of this Act shall be deemed to be issued or made by the Commissioner under the principal Act as amended by this Act and shall remain valid.
Any investigation, trial, proceedings or action pending before the date of coming into operation of this Act shall, on the date of coming into operation of this Act, be continued in accordance with the provisions of the principal Act as if the principal Act had not been amended by this Act.