(1) This Act may be cited as the Personal Data Protection Act 2010.
(2) This Act comes into operation on a date to be appointed by the Minister by notification in the Gazette, and the Minister may appoint different dates for different provisions of this Act.
(1) This Act applies to-
(a) any person who processes; and
(b) any person who has control over or authorizes the processing of, any personal data in respect of commercial transactions.
(2) Subject to subsection (1), this Act applies to a person in respect of personal data if-
(a) the person is established in Malaysia and the personal data is processed, whether or not in the context of that establishment, by that person or any other person employed or engaged by that establishment; or
(b) the person is not established in Malaysia, but uses equipment in Malaysia for processing the personal data otherwise than for the purposes of transit through Malaysia.
(3) A person falling within paragraph (2)(b) shall nominate for the purposes of this Act a representative established in Malaysia.
(4) For the purposes of subsections (2) and (3), each of the following is to be treated as established in Malaysia:
(a) an individual whose physical presence in Malaysia shall not be less than one hundred and eighty days in one calendar year;
(b) a body incorporated under the Companies Act 1965 [Act 125];
(c) a partnership or other unincorporated association formed under any written laws in Malaysia; and
(d) any person who does not fall within paragraph (a), (b) or (c) but maintains in Malaysia-
(i) an office, branch or agency through which he carries on any activity; or
(ii) a regular practice.
(1) This Act shall not apply to the Federal Government and State Governments.
(2) This Act shall not apply to any personal data processed outside Malaysia unless that personal data is intended to be further processed in Malaysia.
In this Act, unless the context otherwise requires-
"credit reporting agency" has the meaning assigned to it in the Credit Reporting Agencies Act 2010 [Act 710];
"this Act" includes regulations, orders, notifications and other subsidiary legislation made under this Act;
"register" means the Register of Data Users, Register of Data User Forums or Register of Codes of Practice;
"personal data" means any information in respect of commercial transactions, which-
(a) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;
(b) is recorded with the intention that it should wholly or partly be processed by means of such equipment; or
(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,
that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject; but does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010;
"sensitive personal data" means any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence or any other personal data as the Minister may determine by order published in the Gazette;
"prescribed" means prescribed by the Minister under this Act and where no mode is mentioned, means prescribed by order published in the Gazette;
"Advisory Committee" means the Personal Data Protection Advisory Committee established under section 70;
"vital interests" means matters relating to life, death or security of a data subject;
"Fund" means the Personal Data Protection Fund established under section 61;
"use", in relation to personal data, does not include the act of collecting or disclosing such personal data;
"collect", in relation to personal data, means an act by which such personal data enters into or comes under the control of a data user;
"Minister" means the Minister charged with the responsibility for the protection of personal data;
"disclose", in relation to personal data, means an act by which such personal data is made available by a data user;
"relevant person", in relation to a data subject, howsoever described, means-
(a) in the case of a data subject who is below the age of eighteen years, the parent, guardian or person who has parental responsibility for the data subject;
(b) in the case of a data subject who is incapable of managing his own affairs, a person who is appointed by a court to manage those affairs, or a person authorized in writing by the data subject to act on behalf of the data subject; or
(c) in any other case, a person authorized in writing by the data subject to make a data access request, data correction request, or both such requests, on behalf of the data subject;
"authorized officer" means any officer authorized in writing by the Commissioner under section 110;
"correction", in relation to personal data, includes amendment, variation, modification or deletion;
"requestor", in relation to a data access request or data correction request, means the data subject or the relevant person on behalf of the data subject, who has made the request;
"data processor", in relation to personal data, means any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user, and does not process the personal data for any of his own purposes;
"processing", in relation to personal data, means collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data, including-
(a) the organization, adaptation or alteration of personal data;
(b) the retrieval, consultation or use of personal data;
(c) the disclosure of personal data by transmission, transfer, dissemination or otherwise making available; or
(d) the alignment, combination, correction, erasure or destruction of personal data;
"registration" means the registration of a data user under section 16;
"data user" means a person who either alone or jointly or in common with other persons processes any personal data or has control over or authorizes the processing of any personal data, but does not include a data processor;
"relevant data user", in relation to-
(a) an inspection, means the data user who uses the personal data system which is the subject of the inspection;
(b) a complaint, means the data user specified in the complaint;
(c) an investigation-
(i) in the case of an investigation initiated by a complaint, means the data user specified in the complaint;
(ii) in any other case, means the data user who is the subject of the investigation;
(d) an enforcement notice, means the data user on whom the enforcement notice is served;
"credit reporting business" has the meaning assigned to it in the Credit Reporting Agencies Act 2010;
"Commissioner" means the Personal Data Protection Commissioner appointed under section 47;
"third party", in relation to personal data, means any person other than-
(a) a data subject;
(b) a relevant person in relation to a data subject;
(c) a data user;
(d) a data processor; or
(e) a person authorized in writing by the data user to process the personal data under the direct control of the data user;
"relevant filing system" means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set of information is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible;
"data subject" means an individual who is the subject of the personal data;
"appointed date" means the relevant date or dates, as the case may be, on which this Act comes into operation;
"code of practice" means the personal data protection code of practice in respect of a specific class of data users registered by the Commissioner pursuant to section 23 or issued by the Commissioner under section 24;
"commercial transactions" means any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but does not include a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2010.