Personal Data Protection Act 2010 [Act 709]

15 Application for registration

(1) A person who belongs to the class of data users as specified in the order made under subsection 14(1) shall submit an application for registration to the Commissioner in the manner and form as determined by the Commissioner.

(2) Every application for registration shall be accompanied with the prescribed registration fee and such documents as may be required by the Commissioner.

(3) The Commissioner may in writing at any time after receiving the application and before it is determined, require the applicant to provide such additional documents or information within the time as specified by the Commissioner.

(4) If the requirement under subsection (3) is not complied with, the application for registration shall be deemed to have been withdrawn by the applicant and shall not be further proceeded with by the Commissioner, but without prejudice to a fresh application being made by the applicant.

16 Certificate of registration

(1) After having given due consideration to an application under subsection 15(1), the Commissioner may-

(a) register the applicant and issue a certificate of registration to the applicant in such form as determined by the Commissioner; or

(b) refuse the application.


(2) The certificate of registration may be issued subject to such conditions or restrictions as the Commissioner may think fit to impose.

(3) Where the Commissioner refuses the application for registration in pursuance of subsection (1), he shall inform the applicant by a written notice that the application has been refused and the reasons for the refusal.

(4) A person who belongs to the class of data users as specified in the order made under subsection 14(1) and who processes personal data without a certificate of registration issued in pursuance of paragraph 16(1)(a) commits an offence and shall, on conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding three years or to both.

17 Renewal of certificate of registration

(1) A data user may make an application for the renewal of the certificate of registration not later than ninety days before the date of expiry of the certificate of registration in the manner and form as determined by the Commissioner and the application shall be accompanied with the prescribed renewal fee and such documents as may be required by the Commissioner, but no application for renewal shall be allowed where the application is made after the date of expiry of the certificate of registration.

(2) When renewing a certificate of registration, the Commissioner may vary the conditions or restrictions imposed upon the issuance of the certificate of registration or impose additional conditions or restrictions.

(3) The Commissioner may refuse to renew a certificate of registration-

(a) if the data user has failed to comply with any of the provisions of this Act;

(b) if the data user has failed to comply with any conditions or restrictions imposed upon the issuance of the certificate of registration; or

(c) if he is satisfied that the data user is unable to continue the processing of personal data in accordance with this Act.

18 Revocation of registration

(1) The Commissioner may revoke the registration of a data user if the Commissioner is satisfied that-

(a) the data user has failed to comply with any of the provisions of this Act;

(b) the data user has failed to comply with any conditions or restrictions imposed upon the issuance of the certificate of registration;

(c) the issuance of the certificate of registration was induced by a false representation of fact by the data user; or

(d) the data user has ceased to carry on the processing of personal data.


(2) Notwithstanding subsection (1), the Commissioner shall not revoke the registration of a data user unless the Commissioner is satisfied that, after giving the data user an opportunity of making any representation in writing he may wish to make, the registration should be revoked.

(3) Where the registration of the data user is revoked, the Commissioner shall issue a notice of revocation of registration to the data user, and the certificate of registration issued in respect of such registration shall have no effect upon service of the notice of revocation of registration.

(4) A data user whose registration has been revoked under this section and who continues to process personal data thereafter commits an offence and shall, on conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding three years or to both.

19 Surrender of certificate of registration

(1) Where the certificate of registration is revoked in pursuance of section 18, the holder of the certificate shall, within seven days from the date of service of the notice of revocation of registration, surrender the certificate to the Commissioner.

(2) A person who fails to comply with subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.

20 Register of Data Users

(1) The Commissioner shall maintain a Register of Data Users in accordance with section 128.

(2) The Register of Data Users shall contain the names of data users who have been registered in pursuance of this Division and any other particulars regarding such data users as may be determined by the Commissioner.

Division 3 - Data user forum and code of practice

21 Data user forum

(1) The Commissioner may designate a body as a data user forum in respect of a specific class of data users for the purposes of this Act by notifying that body in writing, if the Commissioner is satisfied that-

(a) the membership of the body is open to all data users of that class;

(b) the body is capable of performing as required under the relevant provisions of this Act; and

(c) the body has a written constitution.


(2) The body shall agree in writing to be a data user forum before the designation is registered by the Commissioner in the Register of Data User Forums.

(3) The Commissioner may decide that an existing body that was previously designated as a data user forum under subsection (1) is no longer a data user forum for the purposes of this Act, if he is satisfied that the body no longer meets the requirements as set out in that subsection.

(4) Where the Commissioner decides that an existing body which has been designated as a data user forum is no longer a data user forum for the purposes of this Act, he shall withdraw the designation and subsequently cancel the registration of the designation in the Register of Data User Forums.

(5) A designation or withdrawal of designation under this section shall take effect from the date of registration of the designation or the date of cancellation of the registration of the designation, as the case may be, or such later date as specified by the Commissioner.

22 Register of Data User Forums

(1) The Commissioner shall maintain a Register of Data User Forums in accordance with section 128.

(2) The Register of Data User Forums shall contain the names of data user forums which have been designated and registered in pursuance of this Division and any other particulars regarding such data user forums as may be determined by the Commissioner.

23 Code of practice

(1) A data user forum may prepare a code of practice-

(a) on its own initiative; or

(b) upon request by the Commissioner.


(2) The data user forum shall, in preparing a code of practice under subsection (1), consider matters including-

(a) the purpose for the processing of personal data by the data user or class of data users;

(b) the views of the data subjects or groups representing data subjects;

(c) the views of the relevant regulatory authority, if any, to which the data user is subject to; and

(d) that the code of practice, upon having regard to all of the matters in paragraphs (a), (b) and (c) and any other matters, offers an adequate level of protection for the personal data of the data subjects concerned.


(3) The Commissioner may register the code of practice prepared pursuant to subsection (1), if the Commissioner is satisfied that-

(a) the code of practice is consistent with the provisions of this Act; and

(b) the matters as set out in subsection (2) have been given due consideration.


(4) The code of practice under subsection (1) shall take effect on the date of registration of the code of practice by the Commissioner in the Register of Codes of Practice.

(5) If the Commissioner refuses to register the code of practice, the Commissioner shall notify the relevant data user forum of his decision in writing and provide the reasons for it.

(6) If the Commissioner neither registers nor refuses to register a code of practice within thirty days from the date of receipt of the code of practice by him for registration, he shall be deemed to have refused the registration of the code of practice.

(7) The Commissioner may register different codes of practice for different classes of data users.

(8) The Commissioner and data user shall make available to the public any code of practice registered under subsection (3).

24 Commissioner may issue code of practice

(1) The Commissioner may issue a code of practice, if-

(a) a code of practice is not prepared under paragraph 23(1)(a);

(b) the Commissioner is satisfied that a code of practice for a specific class of data users is unlikely to be prepared by the relevant data user forum within the period as specified by the Commissioner; or

(c) there is no data user forum to develop the relevant code of practice for the class of data users.


(2) The Commissioner shall, before issuing a code of practice under subsection (1), consider matters including-

(a) the purpose for the processing of personal data by the data user or class of data users;

(b) the views of the data users or groups representing data users, to which the code of practice is applicable;

(c) the views of the data subjects or groups representing data subjects;

(d) the views of the relevant regulatory authority, if any, to which the data user is subject to; and

(e) that the code of practice, upon having regard to all of the matters in paragraphs (a), (b) and (c) and any other matters, offers an adequate level of protection for the personal data of the data subjects concerned.


(3) The Commissioner may issue different codes of practice for different classes of data users.

(4) The code of practice issued by the Commissioner under subsection (1) shall be registered in the Register of Codes of Practice.

(5) The code of practice under subsection (1) shall take effect on the date of registration of the code of practice by the Commissioner.

(6) The Commissioner shall make available to the public any code of practice issued by him under subsection (1).

