The General Code of Practice of Personal Data Protection (“General CoP“) introduces new legal requirements to be complied with by data users caught within its ambit. It also seeks to provide best practice recommendations with respect to the implementation of principles under the Personal Data Protection Act 2010 and its subsidiary legislation (PDPA).
Some of the new legal requirements include providing additional mandatory information in a personal data protection notice, complying with data subjects’ written request not to process their personal data for direct marketing within reasonable time, maintaining a personal data system and establishing a PDPA compliance framework.
In more detail
The General CoP was issued by the Personal Data Protection Commissioner (“Commissioner“) and became effective from 15 December 2022.
Non-compliance with the provisions of the General CoP is an offense under the PDPA, which may attract a fine not exceeding MYR 100,000 (~ USD 24,000) and/or imprisonment for a term not exceeding one year (“Penalties“). Where the offense is committed by a body corporate, its directors and other officers in the management could be personally liable.
Who does it apply to?
The General CoP appears to apply to classes of data users who are not presently, subject to a specific code of practice under the PDPA. To recap, the Commissioner had in the past registered a number of sector-specific codes of practice under the PDPA, including for the following (“Selected Sectors“):
- Private hospitals in the healthcare industry
- The utilities sector (water)
- The utilities sector (electricity)
- Licensees under the Communications and Multimedia Act 1998
- The banking and financial sector
- The insurance and takaful Industry
- The aviation sector
Data users1 who fall within the Selected Sectors above would need to comply with their respective codes of practice. The General CoP is therefore aimed at classes of data users under the PDPA who do not fall within any of the Selected Sectors above (“Affected Data Users“). These may include, among others, certain businesses involved in tourism, education, direct selling, real estate and professional services (e.g., legal, audit, accountancy, engineering, architecture).
What are the new legal requirements?
Some of the new legal requirements introduced by the General CoP are briefly discussed below.
- Additional Mandatory Information For Personal Data Protection Notices
On top of those specified in the PDPA, the General CoP requires a personal data protection notice issued by Affected Data Users to, among others, also address the following:
- If any sensitive personal data (i.e., relating to mental/physical health, political opinions, religious beliefs or commission of offense) will be processed
- If personal data of children below the age of 18 years will be processed
- If there is any regulatory requirement to collect certain personal data
- What practical and security measures are taken to ensure personal data and its disclosure is safe and secured
- The name of third parties to whom personal data is disclosed and for what purpose
These additional details have earlier been set out in the Guide to Prepare Personal Data Protection Notice published by the Commissioner’s office in January 2022, but the guide did not appear to have legal force. This uncertainty has now been put to rest with the General CoP.
- Direct Marketing
“Direct marketing” is defined under the PDPA as the communication by whatever means of any advertising or marketing material which is directed to particular individuals. The PDPA expressly allows data subjects to notify a data user to cease or not begin to process their personal data, for purposes of direct marketing (“Cessation Notice”).
The General CoP now mandates that Affected Data Users must comply with the Cessation Notice within a reasonable time frame. Failing which, the Penalties will apply. Affected Data Users can therefore no longer attempt to ignore Cessation Notices.
- Personal Data System
“Personal data system” is defined under the PDPA to essentially mean a system used by a data user for the processing of personal data and it includes the records maintained for such processing.
The General CoP has in effect, confirmed the need for an Affected Data User to among others, establish a personal data system and which system, will need to include certain prescribed records (e.g., consent records, security policies).
- Compliance Framework
The General CoP also expressly requires Affected Data Users to develop and implement a compliance framework with appropriate compliance policies and procedures to ensure compliance with the General CoP and the PDPA.
The General CoP provides more clarity over the implementation of the general principles under the PDPA, especially for the Affected Data Users. It is also directionally, in line with the prevailing Malaysian Government’s emphasis on ensuring that personal data is processed appropriately and safely by data users.
Given the potential criminal exposure for non-compliance, businesses who are subject to the General CoP should undertake a thorough internal review of its personal data protection policies and frameworks to determine if they are in compliance with the new legal requirements under the General CoP.
1 “Data users” essentially mean those who have control over or authorize the processing of any personal data (excluding data processors). “Data processors” refer to those who process the personal data solely on behalf of the data user and not for any of their own purposes.
* * * * *
This client alert was issued by Wong & Partners, a member firm of Baker McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “partner” means a person who is a partner or equivalent in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.