The Personal Data Protection Commissioner (“Commissioner”) recently issued the new General Code of Practice of Personal Data Protection (“General CoP”) on its website, which came into effect on 15 December 2022. The General CoP is issued pursuant to section 24(1) of the Personal Data Protection Act 2010 (“PDPA”). Below is a brief summary of the General CoP with some key points.
The General CoP sets out new legal requirements as well as best practices applicable to classes of data users that currently do not have a code of practice registered with the Commissioner. To date, only the following sectors have codes of practice registered with the Commissioner:
Accordingly, the General CoP applies to the following classes of data users:
Licensees under the Postal Services Act 2012.
Licensees under the Private Healthcare Facilities and Services Act 1998 (other than licensees who are private hospitals), holders of the certificates of registration of private medical clinics/dental clinics and bodies corporate registered under the Registration of Pharmacists Act 1951.
Licensed persons who carry on or operate tourism training institutions, licensed tour operators, licensed travel agents, licensed tourist guides and persons who carry on or operate registered tourist accommodation premises under the Tourism Industry Act 1992.
Private higher educational institutions registered under the Private Higher Educational Institutions Act 1996 and private schools or private educational institutions registered under the Education Act 1996.
Licensees under the Direct Sales and Anti-Pyramid Scheme Act 1993.
Companies registered under the Companies Act 2016 (or Companies Act 1965) and persons who have entered into partnership under the Partnership Act 1961 who:
Licensed housing developers under the Housing Development (Control and Licensing) Act 1966, the Housing Development (Control and Licensing) Enactment 1978, Sabah, and the Housing Developers (Control and Licensing) Ordinance 1993, Sarawak.
Licensees under the Pawnbrokers Act 1972.
Licensees under the Moneylenders Act 1951.
In addition to the requirements prescribed under Section 7 of the PDPA, the General CoP requires additional information to be stipulated in the personal data protection notices, including but not limited to the following:
Pursuant to the General CoP, the relevant data users are required to develop and implement appropriate compliance policies and procedures (compliance framework) to ensure compliance with the General CoP and the PDPA. The General CoP further recommends that the relevant data users continuously monitor their compliance with the General CoP, the PDPA, and regulations and standards thereunder by implementing an internal monitoring framework and conducting self-audits.
Where processing of personal data is carried out by a data processor on the relevant data user’s behalf, it is recommended that the relevant data user include in its agreement with the data processor provisions that bind the data processor, including (a) provisions on confidentiality, non-disclosure and technical and/or organizational security measures; (b) the conditions under which personal data may be processed; and (c) representations, undertakings, warranties and/or indemnities to be given by the data processor.
The PDPA requires data users to cease, or not begin, processing personal data for direct marketing purposes upon the data subject’s written request. The General CoP now requires the relevant data users to comply with such a written request within a “reasonable time frame”, although the General CoP does not explain how long a “reasonable time frame” would be.
Penalty for non-compliance with the General CoP
Non-compliance by a relevant data user with the mandatory provisions of the General CoP is an offence and, upon conviction, may render such data user liable to a fine not exceeding RM100,000 or imprisonment for a term not exceeding one year, or both.
Key Contributors:
Tong Lai Ling
Partner – Technology, Multimedia & Telecommunications
Direct line: +603-2632 9878
Email: tonglailing@rdl.com.my
Karen Ting Shi Chien
Associate – Technology, Multimedia & Telecommunications
Direct line: +603-2632 9953
Email: karenting@rdl.com.my