New Guidelines from Malaysia’s Personal Data Protection Department

The PDPD is an agency under the Ministry of Communications and Multimedia Commission with the main responsibility to oversee the processing of personal data of individuals involved in commercial transactions by User Data that is not misused and misapplied by the parties concerned. The new documentation in  the first step included a Guide to Preparation of Personal Data Protection Notice which aims to serve as reference for data users to prepare simple, comprehensive and tailored privacy notices for compliance with PDPA requirements. Although the guide does not have legal force, data users are encouraged to abide by the requirements set out in it as best practice.

Further, in February 2022 the PDPD published (i) the Code of Practice for Private Hospitals in the Healthcare Industry which applies to all private hospitals that are licensed under the Private Healthcare Facilities & Services Act 1998 and (ii) the Code of Practice for the Utilities Sector which applies to certain water supply entities. Non-compliance with the code of practice in the prescribed sectors is an offence under the PDPA, and data users can be sanctioned with a fine up to MYR 100,000 (~ USD 24,000) and/or imprisonment up to one year.

Also in February 2022, the Personal Data Protection Commissioner released (i) Circular No. 1/2022 on the Requirement to Register as Data User under the Personal Data Protection Act 2010 (Act 709) and (ii) Circular No. 3/2022 on the Obligation to Renew Certificate of Registration as Data User under the Personal Data Protection Act 2010 (Act 709), both reminding prescribed classes of data users of their respective obligations under the PDPA. If data users under the prescribed classes process personal data without certificate of registration, such PDPA offence may attract liability to a fine up to MYR 500,000 and/or imprisonment up to three years. Failure of renewal may also result in a fine up to MYR 250,000 and/or imprisonment up to two years.