

Published by Azmira Zubad, 2024-06-27 02:20:05

Legal Playbook: Personal Data Protection in Malaysia (Part 1)

Part 1 of this playbook provides guidelines and best practices for ensuring compliance with Malaysia’s Personal Data Protection Act 2010 (PDPA) within Hanwha Q Cells Malaysia Sdn. Bhd.

Keywords: PDPA,Personal Data Protection,Malaysia,Personal Data Protection Act,PDPA 2010,Personal Data Protection Act 2010,Legal,Law,Playbook,Legal Playbook,PDP,2024,Hanwha Q Cells Malaysia Sdn. Bhd.,Q Cells,Qcells,Privacy,Personal Data,Data User,Data Subject,Data Processor,Part 1,JomPlay

2024
Part 1: Personal Data Protection in Malaysia
Hanwha Q Cells Malaysia Sdn. Bhd.
LEGAL PLAYBOOK
PLAY - Positive Literature Activity for You #JomPlay


Table of CONTENTS

01 Introduction ........................................................ 1
   Objective
   Scope
02 Key Definitions ................................................... 2
   Personal Data
   Sensitive Personal Data
   Data Subject
   Data User
   Processing
03 Principles of Personal Data Protection ...................... 4
   General Principle
   Notice and Choice Principle
   Disclosure Principle
   Security Principle
   Retention Principle
   Data Integrity Principle
   Access Principle
   Exemptions to the Principles
04 Rights of Data Subjects ........................................... 8
   Right to Access
   Right to Correct
   Right to Withdraw Consent
   Right to Prevent Processing
05 Compliance Requirements ........................................ 9
   Registration
   Consent
   Notice
   Data Security
   Data Retention and Disposal
   Data Access and Correction
06 Data Breach Management ........................................ 10
   Response Plan
   Breach Notification
07 Training and Awareness ........................................... 11
   Employee Training
   Awareness Campaigns
08 Audit and Monitoring .............................................. 12
   Internal Audits
   Compliance Monitoring
09 Enforcement and Penalties ....................................... 15
   Regulatory Actions
   Offences and Penalties
10 Policy Review and Updates ........................................ 13
   Periodic Review
   Continuous Improvement
11 Contact Information ................................................ 14
   Data Protection Officer (DPO)
   Inquiries and Complaints
12 Conclusion ........................................................... 20


Introduction

Objective
This playbook provides guidelines and best practices for ensuring compliance with Malaysia's Personal Data Protection Act 2010 (PDPA) within our organization.

Scope
This playbook applies to all departments and employees handling Personal Data in commercial transactions within Malaysia.


Key Definitions
As provided under Section 4 of PDPA

Data Subject
An individual who is the subject of the Personal Data.

Data User
Any person who processes Personal Data or has control over or authorizes the processing of Personal Data.

Data Processor
Any person, other than an employee of the Data User, who processes the Personal Data solely on behalf of the Data User, and does not process the Personal Data for any of his own purposes.


Key Definitions (continued)
As provided under Section 4 of PDPA

Personal Data
Any information, in respect of a commercial transaction, that relates directly or indirectly to an individual who is identified or identifiable from that information, or from that and other information in the possession of the Data User. This includes information such as name, address, identification number, email, phone number, and any other data that can be linked to an individual.

Sensitive Personal Data
A subset of Personal Data consisting of information about an individual's physical or mental health, political opinions, religious beliefs or other beliefs of a similar nature, the commission or alleged commission of any offence, or any other Personal Data as may be prescribed by the Minister. This data requires higher protection due to its sensitive nature.

Commercial Transaction
Any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but does not include a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2010.

Processing
Any operation or set of operations carried out on Personal Data, including collection, recording, holding, storing, adapting, altering, retrieving, consulting, using, disclosing by transmission, disseminating, or otherwise making available.


Principles of Personal Data Protection under PDPA

1. General Principle (Section 6)
   Personal Data shall not be processed unless the Data Subject has given consent to the processing.

2. Notice and Choice Principle (Section 7)
   Data Users must inform Data Subjects of the purpose for which their data is being collected and obtain their consent.

3. Disclosure Principle (Section 8)
   Personal Data shall not be disclosed without the consent of the Data Subject for purposes other than the one for which it was collected.

4. Security Principle (Section 9)
   Data Users must take practical steps to protect Personal Data from loss, misuse, modification, unauthorized or accidental access, or disclosure.

5. Retention Principle (Section 10)
   Personal Data shall not be kept longer than necessary and must be destroyed or permanently deleted when no longer required.

6. Data Integrity Principle (Section 11)
   Data Users must ensure that Personal Data is accurate, complete, not misleading, and up-to-date.

7. Access Principle (Section 12)
   Data Subjects must be given access to their Personal Data and allowed to correct it if it is inaccurate, incomplete, misleading, or not up-to-date.


Exemptions to the Principles

Section 45(1)
  Purpose of processing: Personal, family or household affairs, including recreational purposes.
  Exemption: Total exemption.

Section 45(2)(a)
  Purpose of processing:
    1. Prevention or detection of crime or for investigation;
    2. Apprehension or prosecution of offenders; or
    3. Assessment or collection of any tax or duty of a similar nature.
  Exempt from:
    1. General Principle
    2. Notice and Choice Principle
    3. Access Principle

Section 45(2)(b)
  Purpose of processing: Prevent serious harm to the physical or mental health of the Data Subject or any other individual.
  Exempt from: Access Principle

Section 45(2)(c)
  Purpose of processing: Preparing statistics or carrying out research, provided:
    1. that such Personal Data is not processed for any other purpose; and
    2. that the resulting statistics or the results of the research are not made available in a form which identifies the Data Subject.
  Exempt from:
    1. General Principle
    2. Notice and Choice Principle
    3. Disclosure Principle
    4. Access Principle

Section 45(2)(d)
  Purpose of processing: Necessary for the purpose of or in connection with any order or judgement of a court.
  Exempt from:
    1. General Principle
    2. Notice and Choice Principle
    3. Disclosure Principle
    4. Access Principle

Section 45(2)(e)
  Purpose of processing: Discharging regulatory functions.
  Exempt from:
    1. General Principle
    2. Notice and Choice Principle
    3. Disclosure Principle
    4. Access Principle

Section 45(2)(f)
  Purpose of processing: Journalistic, literary or artistic purposes, provided that:
    - the processing is undertaken with a view to the publication by any person of the journalistic, literary or artistic material;
    - the Data User reasonably believes that, taking into account the special importance of the public interest in freedom of expression, the publication would be in the public interest; and
    - the Data User reasonably believes that in all the circumstances, compliance with the provision in respect of which the exemption is claimed is incompatible with the journalistic, literary or artistic purposes.
  Exempt from:
    1. General Principle
    2. Notice and Choice Principle
    3. Disclosure Principle
    4. Retention Principle
    5. Data Integrity Principle
    6. Access Principle


Rights of Data Subjects

Right to Access
Data Subjects have the right to access their Personal Data held by Data Users.

Right to Correct
Data Subjects can request correction of their Personal Data if it is inaccurate, incomplete, misleading, or not up-to-date.

Right to Withdraw Consent
Data Subjects may withdraw consent for the processing of their Personal Data.

Right to Prevent Processing
Data Subjects can object to the processing of their Personal Data for certain purposes.


Compliance Requirements

1. Registration
   Data Users must register with the Personal Data Protection Commissioner if they process Personal Data in specified sectors.

2. Consent
   Obtain explicit consent from Data Subjects for data processing activities. For incapable or minor Data Subjects, consent must be obtained from an authorized person/body or their legal guardian, respectively. Data Users and Data Processors have an obligation to record and manage the consent obtained properly.

3. Notice
   Provide clear and easily accessible information regarding data collection, processing purposes, and Data Subjects' rights. The privacy notice must be placed at an appropriate and noticeable location on the premises and/or website.

4. Data Security
   Implement appropriate technical and organizational measures to protect Personal Data, e.g.:
     1. Access control is well established and practiced;
     2. ID and password management is well established and maintained; and
     3. Documents are kept at secure locations and/or in secure databases.

5. Data Retention and Disposal
   Establish policies for the retention and secure disposal of Personal Data, including proper storage, a policy on data retention and disposal, secure locations, and demonstrated good practice in record disposal.

6. Data Access and Correction
   Ensure procedures are in place for Data Subjects to access and correct their Personal Data.


Data Breach Management

1. Response Plan
   Develop and implement a data breach response plan, including containment, investigation, notification, and remediation procedures.

2. Breach Notification
   Data Users must notify the Personal Data Protection Commissioner and affected Data Subjects in the event of a data breach.


Training and Awareness

1. Employee Training
   Conduct regular training programs for employees on data protection principles, policies, and procedures.

2. Awareness Campaigns
   Promote data protection awareness through ongoing campaigns and communication.


Audit and Monitoring

1. Internal Audits
   Conduct regular internal audits to assess compliance with PDPA requirements.

2. Compliance Monitoring
   Implement continuous monitoring mechanisms to ensure ongoing compliance with data protection obligations.


Policy Review and Updates

1. Periodic Review
   Regularly review and update data protection policies and procedures to ensure alignment with regulatory changes and best practices.

2. Continuous Improvement
   Foster a culture of continuous improvement in data protection practices.


Contact Information

1. Data Protection Officer (DPO)
   Appoint and provide contact details of the DPO responsible for overseeing data protection compliance.

2. Inquiries and Complaints
   Establish clear channels for Data Subjects to submit inquiries and complaints regarding Personal Data processing.


Enforcement and Penalties

1. Regulatory Actions
   Understand the enforcement powers of the Personal Data Protection Commissioner, including audits, investigations, and sanctions.

2. Offences and Penalties
   Violation of the PDPA and certain provisions of the PDP Regulations 2013 attracts criminal liability. The prescribed penalties include the imposition of fines or a term of imprisonment, or both. Directors, CEOs, managers or other similar officers will have joint and several liability for non-compliance by the body corporate, subject to a due diligence defence.


Offences and Penalties

Section 5(2) - Personal Data Protection Principles
  Offence: Failure to comply with any of the PDPA Principles.
  Penalty: Fine not exceeding RM300,000.00; or imprisonment for a term not exceeding 2 years; or both.

Section 16(4) - Certificate of registration
  Offence: A Data User specified under Section 14(1) processing Personal Data without a certificate of registration issued by the Commissioner.
  Penalty: Fine not exceeding RM500,000.00; or imprisonment for a term not exceeding 3 years; or both.

Section 18(4) - Revocation of registration
  Offence: A Data User continues to process Personal Data after registration has been revoked.
  Penalty: Fine not exceeding RM500,000.00; or imprisonment for a term not exceeding 3 years; or both.

Section 19(2) - Surrender of certificate of registration
  Offence: Failure to surrender the certificate to the Commissioner after it is revoked.
  Penalty: Fine not exceeding RM200,000.00; or imprisonment for a term not exceeding 2 years; or both.

Section 29 - Non-compliance with code of practice
  Offence: Failure to comply with any provision of the code of practice that is applicable to the Data User.
  Penalty: Fine not exceeding RM100,000.00; or imprisonment for a term not exceeding 1 year; or both.

Section 37(4) - Notification of refusal to comply with data correction request
  Offence: Failure to comply with Section 37(2) PDPA, which requires the Data User, when refusing a data correction request, to annotate the Personal Data at a conspicuous place with the requestor's expression of opinion that it is incomplete, misleading, or not up-to-date.
  Penalty: Fine not exceeding RM100,000.00; or imprisonment for a term not exceeding 1 year; or both.

Section 38(4) - Withdrawal of consent to process Personal Data
  Offence: Failure to cease the processing of Personal Data upon receipt of notice of the Data Subject's withdrawal of consent.
  Penalty: Fine not exceeding RM100,000.00; or imprisonment for a term not exceeding 1 year; or both.

Section 40(3) - Processing of Sensitive Personal Data
  Offence: Processing of Sensitive Personal Data without complying with the conditions stated under Section 40(1) PDPA.
  Penalty: Fine not exceeding RM200,000.00; or imprisonment for a term not exceeding 2 years; or both.

Section 42(6) - Right to prevent processing likely to cause damage or distress
  Offence: Failure to comply with the Commissioner's requirement to cease processing Personal Data that is likely to cause damage or distress.
  Penalty: Fine not exceeding RM200,000.00; or imprisonment for a term not exceeding 2 years; or both.

Section 108(8) - Enforcement notice
  Offence: Failure to comply with the Commissioner's enforcement notice.
  Penalty: Fine not exceeding RM200,000.00; or imprisonment for a term not exceeding 2 years; or both.

Section 129(5) - Transfer of Personal Data to places outside Malaysia
  Offence: Transferring Personal Data to a place outside Malaysia which has not been specified by the Minister and published in the Gazette.
  Penalty: Fine not exceeding RM300,000.00; or imprisonment for a term not exceeding 2 years; or both.

Section 130(3) & (7) - Unlawful collecting, etc., of Personal Data
  Offence: Collecting or disclosing, or procuring the disclosure of, Personal Data without the consent of the Data User.
  Penalty: Fine not exceeding RM500,000.00; or imprisonment for a term not exceeding 3 years; or both.

Section 130(4), (5) & (7) - Unlawful collecting, etc., of Personal Data
  Offence: Selling or offering to sell Personal Data.
  Penalty: Fine not exceeding RM500,000.00; or imprisonment for a term not exceeding 3 years; or both.

Section 131(1) & (2) - Abetment and attempt punishable as offences
  Offence: Abetting the commission of, attempting to commit, or doing any preparatory act to or in furtherance of the commission of any offence under the PDPA.
  Penalty: Liable to the punishment provided for the offence, provided that any term of imprisonment imposed shall not exceed one-half of the maximum term provided for the offence.


Conclusion

In conclusion, this playbook outlines essential guidelines and best practices for adhering to Malaysia's PDPA within our organization. Compliance with these legal requirements is crucial, as failure to do so can result in hefty monetary penalties and/or imprisonment. By following these principles and procedures, we not only meet legal requirements but also uphold our commitment to protecting the privacy and rights of individuals in Malaysia.


- END -

