General Code of Practice of Personal Data Protection imposes new requirements on data users

3 March 2023

On 15 December 2022, the latest General Code of Practice of Personal Data Protection (“Code”) issued by the Personal Data Protection Commissioner (“Commissioner”) came into effect, providing further guidance on the processing of personal data in Malaysia. Since the Personal Data Protection Act 2010 (“PDPA”) came into force on 15 November 2013, the Commissioner has registered various codes of practice governing the processing of personal data in specific sectors, such as the banking and finance sector as well as the telecommunications sector.

The Code applies to classes of data users (i.e. persons who process personal data for their own purposes) who are not currently subject to any other codes of practice registered under the PDPA. Sectors which will be subject to the Code include, among other things:

  • Retail and wholesale dealings as defined under the Control Supplies Act 1961
  • Direct selling carried out by a licensee under the Direct Sales and Anti-Pyramid Scheme Act 1993
  • Education
  • Professional services (accounting, architecture, audit, engineering and legal)
  • Tourism and hospitalities
  • Real estate

Non-compliance with the Code could result in an offence carrying a financial penalty of up to RM100,000, and/or imprisonment of up to one year, and any person responsible for the management of a corporate offender may also be personally liable.

This Alert summarises the key requirements under the Code, which would be in addition to the existing requirements of the PDPA and other subsidiary legislation.

Key requirements under the Code

Consent

The Code provides further clarity on the manner in which consent obtained from data subjects can be recorded and maintained. Such consent may be obtained in various forms, including through a clickable box, by conduct or performance, or verbally. In particular, the Code also stipulates that the personal data protection notice should not be used as a platform for data users to obtain a blanket consent.

PDP notice

Apart from the information statutorily required to be included in a personal data protection notice pursuant to section 7 of the PDPA (“Notice”), the Code now provides that the Notice should also include the following:

  • Whether any personal data relating to minors or sensitive personal data will be processed;
  • Whether there are any regulatory requirements to collect certain personal data;
  • Practical measures to be taken by the data user to secure personal data; and
  • Names of third parties to whom personal data is disclosed.

The Code also provides further clarity on the manner in which the Notice could be provided to data subjects, e.g. by posting a copy of Notice on the data user’s website or by issuing an email to the data subjects with a link to the data user’s Notice and contact details.

Security requirements

In respect of the security requirements under the PDPA, the Code has clarified that the practical steps to be taken by a data user to secure personal data would vary from case-to-case, depending on the nature of the personal data being processed and the degree of sensitivity of the personal data involved. An example provided by the Commissioner refers to the requirement for security measures to be implemented for high-risk processing activities, which may include, but are not limited to, robot process automation, artificial intelligence, data analysis and prospective emerging technologies.

If the data user receives a data access request from a data subject, the data user would need to ensure that the steps set out in the Code, such as providing a standard request form as prescribed in the Code, are complied with.

A data user is required to maintain a personal data system that can be inspected by the Commissioner when requested. The system would need to include records of, among other things, the data subjects’ consent, the personal data protection notice provided to the data subjects and a list of third parties to whom personal data is disclosed.

For the purposes of complying with the PDPA and the Code, organisations who process personal data for their own purposes in commercial transactions are recommended to implement an internal monitoring framework and to conduct self-audits from time-to-time to ensure any non-compliance with applicable requirements are promptly addressed. 

Reference materials

The Code is available on the Department of Personal Data Protection website www.pdp.gov.my by clicking here.

This article has been prepared with the assistance of Associate Siah An Gel.