Companies and organizations have several obligations under the Personal Data Protection Act (PDPA) to ensure the protection of individuals’ personal data.
These include:
1. Obtaining valid consent from individuals before collecting, using or disclosing their personal data.
2. Ensuring that personal data is accurate and not excessive.
3. Implementing appropriate technical and organizational measures to protect personal data against unauthorized or accidental access, processing, erasure, loss or destruction.
4. Notifying the Commissioner of any data breaches that occur.
5. Allowing individuals to access, correct, and delete their personal data, as well as to object to the processing of their data for certain purposes.
Organizations also have the obligation to appoint a Data Protection Officer (DPO) if required, and to comply with the data protection principles and guidelines issued by the Commissioner. Organizations found to be in violation of the PDPA can face fines and penalties.
The Personal Data Protection Act (PDPA) provides several rights to individuals regarding their personal data. Some of these rights include:
1. Right to access personal data: Individuals have the right to request access to their personal data that is held by organizations. This includes the right to see the data, as well as to obtain a copy of it.
2. Right to correct personal data: Individuals have the right to request that their personal data be corrected if it is inaccurate or incomplete. This includes the right to have errors or omissions corrected and to have incomplete data completed.
3. Right to withdraw consent: Individuals have the right to withdraw their consent for the collection, use, or disclosure of their personal data at any time.
4. Right to object to direct marketing: Individuals have the right to object to the use of their personal data for direct marketing purposes.
5. Right to limit the use or disclosure of personal data: Individuals have the right to limit the use or disclosure of their personal data by organizations.
6. Right to complain to the Commissioner: Individuals have the right to complain to the Personal Data Protection Commissioner if they believe their rights under the PDPA have been violated.
7. Right to know the purpose of collection: Individuals have the right to know the purpose for which their personal data is collected.
8. Right to know the third party to which the personal data will be transferred: Individuals have the right to know the third parties to which their personal data will be transferred.
The Personal Data Protection Act (PDPA) and its regulations are enforced by the Personal Data Protection Commissioner (PDPC). The PDPC is responsible for enforcing the PDPA and ensuring that organizations comply with the Act. The PDPC has the authority to conduct investigations and audits, issue enforcement notices and fines, and take legal action against organizations that violate the PDPA. The PDPC also has the power to impose administrative fines of up to MYR 1 million, and the power to seek an injunction against a company or organization that violates the Act. Additionally, the PDPC offers guidance, education and awareness programs to help organizations understand and comply with the PDPA. The PDPC also works closely with other regulatory bodies, such as the Ministry of Domestic Trade and Consumer Affairs, to ensure compliance with and enforcement of the PDPA.
Non-compliance with the Personal Data Protection Act (PDPA) can result in several penalties, including:
1. Administrative fines: Organizations found to be in violation of the PDPA can be subject to administrative fines of up to MYR 1 million per offense.
2. Injunctions: The Personal Data Protection Commissioner (PDPC) has the power to seek an injunction against organizations that violate the PDPA. This can include ordering an organization to stop certain activities or to take specific actions to comply with the PDPA.
3. Criminal penalties: In serious cases, individuals or organizations that violate the PDPA can face criminal penalties, including fines and/or imprisonment.
4. Public warning: The PDPC may issue a public warning against organizations that violate the PDPA.
5. Disclosure of non-compliance: The PDPC may also disclose the non-compliance of organizations to the public.
6. Prosecution and conviction: The PDPC can take legal action against organizations that violate the PDPA, leading to prosecution and conviction.
A Data Protection Officer (DPO) plays a crucial role in companies and organizations in Malaysia by ensuring compliance with the Personal Data Protection Act (PDPA) and related regulations.
The DPO is responsible for monitoring the organization’s compliance with the PDPA, providing advice and guidance on data protection issues, and working with the organization’s management to implement policies and procedures to protect personal data. The DPO also serves as a liaison with the Personal Data Protection Commissioner (PDPC) and other regulatory bodies, and is responsible for ensuring that the organization has adequate technical and organizational measures in place to protect personal data. Additionally, DPOs are responsible for carrying out regular data protection impact assessments and conducting training sessions for employees to ensure compliance with the PDPA. DPOs should have the necessary knowledge and experience in data protection and security matters.
Organizations that are required by the PDPA to appoint a DPO are businesses that process sensitive personal data, and data processors with more than 250 employees.
Malaysia’s Personal Data Protection Act (PDPA) is similar to other data protection laws in other countries in that it aims to protect individuals’ personal data and ensure that organizations handle personal data in a responsible and secure manner.
It is based on the EU General Data Protection Regulation (GDPR) and is designed to align with international standards on data protection. Like other data protection laws, the PDPA requires organizations to obtain valid consent from individuals before collecting, using or disclosing their personal data, and requires organizations to implement appropriate technical and organizational measures to protect personal data against unauthorized or accidental access, processing, erasure, loss or destruction. The PDPA also gives individuals certain rights, such as the right to access, correct, and delete their personal data, and the right to object to the processing of their data for certain purposes. However, the PDPA differs in some aspects, such as the enforcement mechanism, the fines, and the rights of individuals.
It also applies to businesses operating outside of Malaysia when they process personal data of individuals in Malaysia.