Advertisement
Personal Data Protection Act 2010 [Act 709]

Part VIII   cite [+]

INSPECTION, COMPLAINT AND INVESTIGATION

101 Inspection of personal data system   cite [+]

(1) The Commissioner may carry out an inspection of-

(a) any personal data system used by data users for the purpose of ascertaining information to assist the Commissioner in making recommendations to the relevant data user relating to the promotion of compliance with the provisions of this Act, in particular the Personal Data Protection Principles, by the relevant data user; or

(b) any personal data system used by data users belonging to a class of data users for the purpose of ascertaining information to assist the Commissioner in making recommendations to the class of data users to which the relevant data user belongs relating to the promotion of compliance with the provisions of this Act, in particular the Personal Data Protection Principles, by the class of data users to which the relevant data user belongs.


(2) For the purposes of this section-

"data user" includes a data processor;

"personal data system" means any system, whether automated or otherwise, which is used, whether in whole or in part, by a data user for the processing of personal data, and includes the record maintained under section 44 and any document and equipment forming part of the system.

102 Relevant data user, etc., to be informed of result of inspection   cite [+]

Where the Commissioner has completed an inspection of a personal data system, he shall in such manner and at such time as he thinks fit inform the relevant data user or class of data users to which the relevant data user belongs of-

(a) the results of the inspection;

(b) any recommendations arising from the inspection that the Commissioner thinks fit to make relating to the promotion of compliance with the provisions of this Act, in particular the Personal Data Protection Principles, by the relevant data user or the class of data users to which the relevant data user belongs; and

(c) such other comments arising from the inspection as he thinks fit.

103 Reports by Commissioner   cite [+]

(1) The Commissioner may, after completing the inspection of any personal data system used by data users belonging to a class of data users, publish a report-

(a) setting out any recommendations arising from the inspection that the Commissioner thinks fit to make relating to the promotion of compliance with the provisions of this Act, in particular the Personal Data Protection Principles, by the class of data users to which the relevant data users belong; and

(b) in such manner as he thinks fit.


(2) A report published under subsection (1) shall be so framed as to prevent the identity of any individual from being ascertained.

104 Complaint   cite [+]

Any individual or relevant person may make a complaint in writing to the Commissioner about an act, practice or request-

(a) specified in the complaint;

(b) that has been done or engaged in, or is being done or engaged in, by the data user specified in the complaint;

(c) that relates to personal data of which the individual is the data subject; and

(d) that may be a contravention of the provisions of this Act, including any codes of practice.

105 Investigation by Commissioner   cite [+]

(1) Where the Commissioner receives a complaint under section 104, the Commissioner shall, subject to section 106, carry out an investigation in relation to the relevant data user to ascertain whether the act, practice or request specified in the complaint contravenes the provisions of this Act.

(2) Where the Commissioner has reasonable grounds to believe that an act, practice or request has been done or engaged in, or is being done or engaged in, by the relevant data user that relates to personal data and such act, practice or request may be a contravention of the provisions of this Act, the Commissioner may carry out an investigation in relation to the relevant data user to ascertain whether the act, practice or request contravenes the provisions of this Act.

(3) The provisions of Part IX shall apply in respect of investigations carried out by the Commissioner under this Part.

106 Restriction on investigation initiated by complaint   cite [+]

(1) The Commissioner may refuse to carry out or continue an investigation initiated by a complaint if he is of the opinion that, having regard to all the circumstances of the case-

(a) the complaint, or a complaint of a substantially similar nature, has previously initiated an investigation as a result of which the Commissioner was of the opinion that there has been no contravention of the provisions of this Act;

(b) the act, practice or request specified in the complaint is trivial;

(c) the complaint is frivolous, vexatious or is not made in good faith; or

(d) any investigation or further investigation is for any other reason unnecessary.


(2) Notwithstanding the generality of the powers conferred on the Commissioner by this Act, the Commissioner may refuse to carry out or continue an investigation initiated by a complaint-

(a) if-

(i) the complainant; or

(ii) in the case where the complainant is a relevant person in relation to a data subject, the data subject or relevant person, as the case may be,

has had actual knowledge of the act, practice or request specified in the complaint for more than two years immediately preceding the date on which the Commissioner received the complaint, unless the Commissioner is satisfied that in all the circumstances of the case it is proper to carry out or continue the investigation;

(b) if the complaint is made anonymously;

(c) if the complainant cannot be identified or traced;

(d) if the Commissioner is satisfied that the relevant data user has not been a data user for a period of not less than two years immediately preceding the date on which the Commissioner received the complaint; or

(e) in any other circumstances as he thinks fit.


(3) Where the Commissioner refuses under this section to carry out or continue an investigation initiated by a complaint, he shall, as soon as practicable but in any case not later than thirty days after the date of receipt of the complaint, by notice in writing served on the complainant inform the complainant of the refusal and of the reasons for the refusal.

(4) An appeal may be made to the Appeal Tribunal against any refusal specified in the notice under subsection (3) by the complainant on whom the notice was served or if the complainant is a relevant person, by the data subject in respect of whom the complainant is the relevant person.

107 Commissioner may carry out or continue investigation initiated by complaint notwithstanding withdrawal of complaint   cite [+]

Where the Commissioner is of the opinion that it is in the public interest so to do, he may carry out or continue an investigation initiated by a complaint notwithstanding that the complainant has withdrawn the complaint and, in any such case, the provisions of this Act shall apply to the complaint and the complainant as if the complaint had not been withdrawn.

108 Enforcement notice   cite [+]

(1) Where, following the completion of an investigation about an act, practice or request specified in the complaint, the Commissioner is of the opinion that the relevant data user-

(a) is contravening a provision of this Act; or

(b) has contravened such a provision in circumstances that make it likely that the contravention will continue or be repeated,


then the Commissioner may serve on the relevant data user an enforcement notice-

(A) stating that he is of that opinion;

(B) specifying the provision of this Act on which he has based that opinion and the reasons why he is of that opinion;

(C) directing the relevant data user to take such steps as are specified in the enforcement notice to remedy the contravention or, as the case may be, the matters occasioning it within such period as is specified in the enforcement notice; and

(D) directing, where necessary, the relevant data user to cease processing the personal data pending the remedy of the contravention by the relevant data user.


(2) In deciding whether to serve an enforcement notice, the Commissioner shall consider whether the contravention or the matter to which the enforcement notice relates has caused or is likely to cause damage or distress to the data subject of the personal data to which the contravention or matter relates.

(3) The steps as specified in the enforcement notice to remedy the contravention or matter to which the enforcement notice relates may be framed-

(a) to any extent by reference to any approved code of practice; or

(b) so as to afford the relevant data user a choice between different ways of remedying the contravention or matter.


(4) The period specified in the enforcement notice under subsection (1) for taking the steps specified in it shall not expire before the end of the period specified in subsection 93(2) within which an appeal against the enforcement notice may be made and, if such an appeal is made, those steps need not be taken pending the determination or withdrawal of the appeal.

(5) Notwithstanding subsection (4), if the Commissioner is of the opinion that by reason of special circumstances the steps specified in the enforcement notice should be taken as a matter of urgency-

(a) he may include a statement to that effect in the enforcement notice together with the reasons why he is of that opinion; and

(b) where such a statement is so included, subsection (4) shall not apply but the enforcement notice shall not require those steps to be taken before the end of the period of seven days from the date on which the enforcement notice was served.


(6) An appeal may be made to the Appeal Tribunal against an enforcement notice by the relevant data user in accordance with section 93.

(7) Where the Commissioner-

(a) forms an opinion referred to in subsection (1) in respect of the relevant data user at any time before the completion of an investigation; and

(b) is also of the opinion that, by reason of special circumstances, an enforcement notice should be served on the relevant data user as a matter of urgency,


he may so serve the enforcement notice notwithstanding that the investigation has not been completed and, in any such case-

(A) the Commissioner shall, without prejudice to any other matters to be included in the enforcement notice, specify in the enforcement notice the reasons as to why he is of the opinion referred to in paragraph (b); and

(B) the other provisions of this Act, including this section, shall be construed accordingly.


(8) A person who fails to comply with an enforcement notice commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.

109 Variation or cancellation of enforcement notice   cite [+]

The Commissioner may, on his own initiative or on the application of a relevant data user, vary or cancel the enforcement notice served under subsection 108(1) by notice in writing to the relevant data user if the Commissioner is satisfied with the action taken by the relevant data user to remedy the contravention.


SEARCH LEGISLATION
Title:


Number:

ADS