22 July 2024

Please click HERE to download the full article in PDF.

INTRODUCTION
The amendments to the Personal Data Protection Act 2010 (“PDPA”) have been long discussed. The Government had issued a public consultation paper^{^[1]} in 2020 to elicit feedback. Recently, the Personal Data Protection (Amendment) Bill 2024 (“Amendment Bill”) was tabled to the Dewan Rakyat (House of Representatives) and was subsequently passed without amendments upon its second reading on 16 July 2024. 5 out of the 22 amendments proposed in a public consultation paper were adopted in the Amendment Bill.

In this article, we will briefly highlight the key amendments to the PDPA, and matters that businesses should take note of in anticipation of the coming into effect of the new amendments. The Amendment Bill must be tabled and passed in the Dewan Negara (House of Senate) before it becomes law.

1. Expansion of the “Sensitive Personal Data” Definition

The definition of “sensitive personal data” has been expanded to include “biometric data”. “Biometric data” means any personal data resulting from technical processing relating to the physical, physiological or behavourial characteristics of a person.

Takeaway 1: Businesses must be mindful that processing biometric data, which is now regarded as sensitive personal data, is subject to more stringent requirements under the PDPA.

2. Increased in Sanctions for Non-compliance with Personal Data Protection Principles

The sanction for non-compliance of the Personal Data Protection Principles^{^[2]} is increased to RM1,000,000.00 and/or imprisonment for a term not exceeding 3 years compared to the current sanction of RM300,000.00 and/or imprisonment for a term not exceeding 2 years.

Takeaway 2: Businesses’ existing policies and processes ought to be reviewed to ensure stricter compliance with the Personal Data Protection Principles to avoid hefty sanctions.

3. Direct Liability on Data Processor for Security of Personal Data

Data processors now have direct obligation to comply with the Security Principle^{^[3]}, which stipulates that a data processor who processes personal data solely on behalf of a data controller^{^[4]} shall protect that personal data from, among others, any loss, misuse, modification, unauthorised access by providing practical sufficient technical and organisational security measures for the processing of personal data and taking reasonable steps to ensure compliance with those measures.

Failure of data processors to comply with the Security Principle will subject themselves to the sanctions set out in Paragraph 2 above.

Takeaway 3: This is a welcome change for businesses who rely on data processors e.g. payroll providers or disaster recover centers to help process personal data on its behalf. Notwithstanding this change, data controllers still have the overall responsibility to comply with the Security Principles. It is still important for data controllers to take practical steps to ensure that data processors have the necessary security measures in place to protect the data controller’s personal data.

4. Mandatory Appointment of Data Protection Officer(s)

It is now mandatory for data controllers and data processors to appoint one or more Data Protection Officer(s) (DPO) to oversee data protection within their organisation. The data controller is to notify the Commissioner of the appointment of the DPO.

Takeaway 4: Businesses who have not appointed a DPO will need to identify a candidate who is suitable and skilled for the job. For those businesses who have already done so, they are to notify the Commissioner of such appointment.

5. Mandatory Notification for Data Breach

A data controller now has an obligation to notify the Commissioner, as soon as practicable, if it has a reason to believe that a personal data breach has occurred^{^[5]}. “Personal data breach” is defined as “any breach of personal data, loss of personal data, misuse of personal data or unauthorized access of personal data”.

Where the personal data breach causes or likely to cause any significant harm to the data subject, the data controller shall notify the data subject of such breach without unnecessary delay. The Amendment Bill does not define “significant harm” but it is expected that additional guidelines relating to breach notification will be developed to provide more clarity.

Takeaway 5: Businesses will need to review their existing policies to incorporate personal data breach notification procedures. The DPO will play an important role in developing the process starting from the determining the threshold of a data breach, timeframes for the relevant stakeholders to notify the DPO of any suspected breach, to the notification process to the Commissioner.

6. Data Portability – Transmit Your Data Across Different Entities

The Amendment Bill introduces the right to data portability^{^[6]}. The data subject now has the right to request a data controller to transmit his/her personal data to another data controller within a prescribed time period. The data subject’s request is however subject to technical feasibility and compatibility of the data format.

Takeaway 6: Businesses would need to cater in its existing processes this obligation of data portability in addition to the data subject’s existing rights to access data, correct data and withdraw consent. Data controllers would also need to ascertain the data format in which it would be able to transfer the said personal data to the other data controller.

7. Data Transfer Outside Malaysia Now Permitted

The “whitelist” of countries, as may be Gazetted by the Minister, to which personal data may be transferred to outside of Malaysia has been deleted. Notwithstanding that, data controllers are still able to transfer personal data to a place outside Malaysia if that place has law which is substantially similar to the PDPA or that place ensures adequate level of protection in relation to the processing of data which is at least equivalent to that afforded by the PDPA.

Takeaway 7: Prior to the deletion of the Minister’s power to Gazette the whitelist of countries, data controllers were already permitted to transfer personal data outside of Malaysia under the exceptions provided under Section 129 of the PDPA. This change is unlikely to have a significant impact on businesses since there is no whitelist Gazetted by the Minister currently.

CONCLUSION
The proposed changes enhance data protection in Malaysia and bring Malaysia a step closer to the high standards set by the European Union General Data Protection Regulation (GDPR). Whilst the details regarding the implementation of some of the new amendments have yet to be addressed, e.g breach notification, appointment of DPO and data portability, it is anticipated that these will be detailed out in guidelines to be issued by the Commissioner.

It is highly advisable for businesses to adapt its current processes to new changes brought about by the Amendment Bill. Whilst there will inevitably be cost for compliance which businesses would need to budget for, the cost for non-compliance would be more significant.

Authors

Darren Kor Yit Meng

Phang Sin Yee

Lee Chloee

If you require advice on personal data protection matters, please feel free to contact any member of our team as above. We are here to assist you with all your data protection needs.

[1] Public Consultation Paper No. 01/2020: Review of Personal Data Protection Act 2010 (Act 709).

[2] This encompasses the General Principle, Notice and Choice Principle, Disclosure Principle, Security Principle, Retention Principle, Data Integrity Principle and Access Principle.

[3] Section 9 of the PDPA.

[4] The Amendment Bill changed the terminology of “data users” to “data controllers”.

[5] Section 12B of the Amendment Bill.

[6] Section 43A of the Amendment Bill.

Please email your details to [email protected] if you would like to subscribe to our Knowledge Centre.

Let's Connect!
➭ LINKEDIN: Zul Rafique & Partners
➭ INSTAGRAM: @zrplaw

Personal Data Protection Notice

We at ZUL RAFIQUE & partners recognize the importance of privacy and the sensitivity of personal information. As required under the Personal Data Protection Act 2010, the purpose of this Personal Data Protection Notice (“Notice”) is to inform you how we collect and process your personal data when you appoint or engage us to provide services, when you access and use our website or interact with us including through meetings, seminars, conferences or events.

By appointing or engaging us to provide services to you, by accessing and using our website or by interacting with us, you consent to us using, collecting and processing your personal data in the manner contemplated in this Notice.

This Notice may be amended or updated from time to time. We would advise you to check this Notice on our website from time to time for amendments or updates. By continuing to use or engage our services, to use our website or to communicate with us subsequent to any amendments or updates to this Notice, it would confirm and indicate your acceptance to the amendments or updates to this Notice.

What Personal Data Do We Collect?

Personal data generally means any information that identifies you. Your personal data is collected and processed by us at the start of our services or interaction and, from time to time, in the course of our engagement or interaction.

The type of personal data collected and processed by us includes:

name, date of birth, nationality, gender, NRIC / passport number, residency status, correspondence address, contact details including mobile, office and residential telephone number and facsimile number, e-mail address, banking details, financial / creditworthiness information;
employment category (private sector, government sector, self-employed, non-working or others), name of employer and office address, details of relationship with the company (e.g. promoter, director, shareholder);
such other information relevant or required for:
- our legal engagement;
- provision of legal services for the purposes of the legal engagement or legal transaction; and
- compliance with legal and regulatory requirements; and
any additional information provided by you or third parties about you.

Source of Personal Data

Personal data collected will mainly be from you. However, some personal data may also be collected by us from other available sources including but not limited to credit reporting agencies, government department or agencies, public registries, websites, social media, publications, events, seminars, conferences.

How Do We Use Your Personal Data

Your personal data is collected and processed by us for our business activities including the following purposes:

to verify your identity;
to communicate with you including responding to your enquiries;
all purposes related to or in connection with our legal engagement;
to provide legal services for the purposes of the legal engagement or transaction;
to comply with legal and/or regulatory requirements including court orders;
for our day to day operations and administrative purposes including file management, billing and collection, audits, reporting, investigations etc.;
for the purposes of enforcing or defending our legal rights and/or obtaining legal advice;
to send you materials or publications including newsletter, articles or updates or information about events, conferences, seminars, talks which may be of interest to you;
to promote, offer or market our services to you;
to send as potential referees to (i) editors/researches in ranking legal publication and journals and/or (ii) clients/potential clients who request for referees of past work in relation to any proposal, submissions, tenders or bids;
to assist in the prevention, detection or investigation of crime or possible criminal activities or for the administration of justice;
for security and internal audit purposes;
for such other purposes as may be directed or consented to by you; and
for all other purposes in relation to or incidental to the above.

Disclosure of Your Personal Data

Under certain circumstances, we may be required to disclose your personal data to third parties. Third parties to whom your personal data may be disclosed by us are as follows:

any persons directed by or consented to by you;
any persons required for the purposes of the legal engagements and/or legal transactions including but not limited to counter parties, other advisors, financial institutions, regulatory bodies etc;
any person for the purposes of compliance with legal and regulatory requirements;
our data processors i.e. third party who we engage to process personal data on our behalf including but not limited to archival storage, data entry service providers, computer backup services, disaster recovery services, banks and financial institutions etc.; and
our professional advisors including but not limited to legal advisors, tax advisors, financial advisors, auditors, insurance brokers etc.

Further, we may also be required to transfer your personal data outside of Malaysia for the purposes and to such third parties stated in this Notice. The transfer of your personal data outside Malaysia would also be required if you are travelling, residing or based outside Malaysia.

Obligation to Provide Personal Data

We acknowledge that you have the right in deciding the information you wish to provide to us. The provision of the information listed above is voluntary in nature. However, please note that if you do not provide the information above or limit the way such information is to be processed, it may result in us not being able to:

communicate or correspond with you;
undertake the legal engagement or transaction and/or to provide our services to you; and/or
grant you access to our website.

Data Access and Data Correction

If you wish to request:

for access to your personal information;
for your personal data to be corrected or updated; or
to withdraw your consent or limit the use of your personal data;

please submit your written request to:

Assistant Manager Human Resources and Administration Department

Zul Rafique & Partners
D3-3-8 Solaris Dutamas
No.1 Jalan Dutamas 1
50480 Kuala Lumpur, Malaysia

Telephone : 03-6209 8228
Facsimile : 03-6209 8331

An administrative charge may be imposed for any request under paragraph (a) and (b) above.

Further, we reserve the right to refuse your requests for any reasons permitted under law.

Disclaimer

The accuracy and completeness of your personal data depends on the information you provide. We assume that the information you have provided is accurate, up to date and complete unless you inform us otherwise.

Where you provide any third party information to us including but not limited to employer, colleagues, family information, it is our assumption that such information is accurate, up to date and complete and that you have obtained the necessary consent to disclose the same.

Conflict

In the event that there is any conflict between the English and national language version of this Notice, the English language version shall prevail.

Notis Perlindungan Data Peribadi

Kami di ZUL RAFIQUE & partners menghormati kepentingan privasi dan sensitiviti data peribadi anda. Sebagaimana yang dikehendaki di bawah Akta Perlindungan Data Peribadi 2010, Notis Perlindungan Data Peribadi ini (“Notis”) bertujuan untuk memaklumkan kepada anda bagaimana kami mengumpul dan memproses data peribadi anda apabila anda melantik pihak kami untuk memberikan perkhidmatan. Bukan itu sahaja, Notis ini turut bertujuan untuk memaklumkan kepada anda bagaimana kami memproses data peribadi anda apabila anda mengakses dan menggunakan laman sesawang kami atau berhubung dengan kami melalui mesyuarat, seminar, ataupun persidangan.

Dengan melantik kami untuk memberikan perkhidmatan kami kepada anda dan juga dengan mengakses dan menggunakan laman sesawang atau berinteraksi dengan kami, anda dengan ini telah bersetuju dengan penggunaan, pengumpulan dan pemprosesan data peribadi anda oleh pihak kami mengikut cara yang dinyatakan dalam Notis ini.

Notis ini akan tertakluk kepada pindaan dan pengemaskinian dari masa ke semasa. Oleh itu, adalah disarankan supaya pihak anda menyemak Notis ini di laman sesawang kami dari masa ke semasa untuk memastikan sebarang pindaan atau pengemaskinian yang dilakukan adalah dalam pengetahuan anda. Dengan meneruskan perlantikan dan penggunaan khidmat kami selepas apa-apa pindaan atau pengemaskinian yang dilakukan terhadap Notis ini, ia secara langsung menandakan penerimaan anda terhadap pindaan atau pengemaskinian yang dilakukan terhadap Notis ini.

Apakah Data Peribadi Yang Kami Kumpul?

Data peribadi secara amnya bermaksud apa-apa maklumat yang berkaitan dengan pengenalan diri anda. Tanggungjawab kami terhadap anda memerlukan kami mengumpul dan memproses data peribadi anda. Pemprosesan dan pengumpulan data peribadi anda bermula dari awal perkhidmatan kami bersama anda termasuklah sebarang interaksi diantara pihak kami dan anda, selepas itu, dari semasa ke semasa sepanjang tempoh pengambilan atau penggunaan khidmat kami.

Jenis data peribadi yang dikumpul dan diproses oleh kami adalah:

nama, tarikh lahir, kewarganegaraan, jantina, nombor kad pengenalan/passport, status kependudukan, alamat surat-menyurat, butiran perhubungan termasuk nombor telefon bimbit, pejabat dan kediaman dan faksimili, alamat email, butiran perbankan, maklumat kewangan / kepercayaan kredit;
kategori pekerjaan (sektor awam, kerajaan, bekerja sendiri, tidak bekerja atau lain-lain), nama majikan dan alamat pejabat, butiran hubungan dengan syarikat (sebagai contoh promoter, pengarah, pemegang saham);
maklumat-maklumat lain yang relevan dan perlu untuk:
- melantik kami untuk memberi khidmat guaman
- memberi khidmat guaman; dan
- menepati keperluan undang-undang dan pengawalseliaan.
apa-apa maklumat tambahan yang diberikan oleh anda atau pihak-pihak ketiga berkenaan dengan anda.

Sumber Data Peribadi

Kebanyakan data peribadi yang dikumpul oleh kami adalah data peribadi yang dikemukakan kepada kami oleh anda. Walaubagaimanapun, data peribadi anda juga boleh dikumpul oleh kami dari sumber-sumber yang lain termasuk tetapi tidak terhad kepada agensi pelaporan kredit, agensi atau jabatan kerajaan, pendaftaran awam, laman sesawang, media sosial, penerbitan, seminar, dan persidangan.

Bagaimana Kami Menggunakan Maklumat Peribadi Anda

Sebagai sebuah firma guaman, kami mengumpul dan memproses data peribadi anda untuk tujuan berikut:

pengesahan identiti anda;
berkomunikasi dengan anda termasuk memberikan maklum balas terhadap pertanyaan anda;
semua tujuan berkaitan dengan perlantikan kami;
untuk memberikan khidmat guaman;
untuk mematuhi keperluan undang-undang dan pengawalseliaan termasuklah perintah mahkamah;
bagi operasi harian kami dan tujuan pentadbiran termasuklah pengurusan fail, bil dan kutipan, audit, laporan, penyiasatan dsb.;
bagi tujuan menguatkuasakan dan mempertahankan hak-hak perundangan kami dan/atau mendapatkan nasihat perundangan;
menghantar bahan-bahan atau penerbitan termasuklah surat berita, artikel- artikel atau maklumat berkenaan majlis-majlis, persidangan-persidangan, seminar-seminar dan ceramah-ceramah yang mungkin menarik minat anda;
untuk mempromosi, menawar atau mengiklan perkhidmatan kami kepada anda;
untuk dihantar sebagai sumber rujukan berpotensi kepada (i) editor-editor / penyelidik-penyelidik di dalam penerbitan dan jurnal-jurnal dan/atau (ii) klien-klien / klien-klien berpotensi yang memohon rujukan kerja-kerja terdahulu berkaitan apa-apa cadangan, penghujahan, tawaran atau bidaan;
untuk membantu pencegahan, pengesanan atau penyiasatan jenayah atau kemungkinan aktiviti-aktiviti jenayah atau bagi pentadbiran keadilan;
tujuan audit dalaman dan keselamatan;
bagi tujuan lain sebagaimana yang diarahkan atau yang telah diberikan persetujuan oleh anda; dan
bagi segala tujuan lain berkaitan atau bersampingan dengan perkara-perkara di atas.

Penzahiran Maklumat Peribadi Anda

Di bawah keadaan-keadaan tertentu, kami boleh menzahirkan data peribadi anda kepada pihak ketiga seperti berikut:

mana-mana orang yang diarahkan oleh atau yang telah dipersetujui oleh anda;
mana-mana orang yang berkenaan bagi tujuan-tujuan perlantikan khidmat undang-undang dan/atau transaksi undang-undang termasuk tetapi tidak terhad kepada pihak lawan, perunding-perunding lain, institusi-institusi kewangan, badan-badan pengawalseliaan dsb;
mana-mana orang bagi tujuan pematuhan undang-undang dan pengawalseliaan;
Pihak pemproses data iaitu pihak ketiga yang akan berkhidmat bagi memproses data peribadi bagi pihak kami termasuk tetapi tidak terhad kepada storan arkib, pemberi khidmat kemasukan data, perkhidmatan-perkhidmatan sokongan komputer, perkhidmatan-perkhidmatan pemulihan bencana, bank-bank dan institusi-institusi kewangan dsb; dan
penasihat-penasihat profesional kami, termasuk tetapi tidak terhad kepada penasihat undang-undang, penasihat-penasihat cukai, penasihat-penasihat kewangan, juruaudit-juruaudit, broker-broker insurans dsb.

Kami juga boleh memindah data peribadi anda keluar dari Malaysia bagi tujuan-tujuan dan kepada pihak ketiga yang dinyatakan dalam Notis ini. Data peribadi anda juga akan dipindah keluar dari Malaysia jika anda berada di luar Malaysia.

Kewajipan untuk Memberi Data Peribadi

Kami mengakui bahawa anda mempunyai hak untuk menentukan maklumat yang diberikan kepada kami. Maklumat yang disenaraikan di atas adalah secara sukarela. Jika anda tidak memberi maklumat di atas atau mengehadkan cara bagaimana maklumat tersebut diproses, kami tidak dapat:

berkomunikasi atau berhubung dengan anda;
bertindak di dalam perlantikan atau transaksi undang-undang dan/atau memberi perkhidmatan kami kepada anda; dan atau
memberikan anda akses kepada laman sesawang kami.

Akses dan Pembetulan Data

Jika anda ingin:

mengakses maklumat peribadi anda;
memperbetulkan atau mengemaskini data peribadi anda; atau
menarikbalik persetujuan anda atau mengehadkan penggunaan data peribadi anda,

sila hantar permintaan bertulis anda kepada:

Penolong Pengurus Jabatan Sumber Manusia dan Pentadbiran

Zul Rafique & Partners
D3-3-8 Solaris Dutamas
No.1 Jalan Dutamas 1
50480 Kuala Lumpur, Malaysia

Telefon : 03-6209 8228
Faksimile : 03-6209 8331

Caj pentadbiran akan dikenakan bagi permintaan di bawah perenggan (a), (b) dan (c) di atas.

Kami berhak untuk menolak permintaan anda jika dibenarkan di bawah undang-undang.

Penafian

Ketepatan dan kelengkapan data peribadi anda bergantung kepada maklumat yang anda berikan. Kami menganggap bahawa maklumat yang anda berikan adalah tepat, terkini dan lengkap melainkan jika anda memaklumkan sebaliknya kepada kami.

Kami menganggap bahawa maklumat pihak ketiga yang anda berikan kepada kami termasuk tetapi tidak terhad kepada maklumat majikan, maklumat rakan-rakan sekerja atau maklumat keluarga adalah tepat, terkini dan lengkap dan anda telah mendapatkan persetujuan yang sewajarnya untuk menzahirkan maklumat tersebut.

Percanggahan

Jika terdapat percanggahan diantara versi Bahasa Inggeris dan Bahasa Kebangsaan pada Notis ini, versi Bahasa Inggeris akan diguna pakai.

What your business should take note about the New Amendments to Data Protection in 2024