Personal Data Protection Act 2010 FAQ

What are the main purposes of the Personal Data Protection Act (PDPA) 2010?
The main purposes of PDPA 2010 are to regulate the processing of personal data in respect of commercial transactions and to safeguard the interests of data subjects.

When is the effective date of the PDPA 2010 and who is the governing authority?
The PDPA 2010 came into operation on 15 November 2013. The governing authority is the Personal Data Protection Commissioner, who operates under the Minister of Communications and Multimedia.

Who is required to comply with the PDPA 2010?
The PDPA 2010 applies to any person who processes, has control over or authorizes the processing of, any personal data in respect of commercial transactions.

Who is the data user?
A data user is any person who processes, has control over or authorizes the processing of, any personal data in respect of commercial transactions.

Who is the data subject?
A data subject is the individual to whom the personal data relates, i.e. the person who is the subject of the personal data.

What amounts to processing?
Processing means collecting, recording, holding or storing the personal data, or carrying out any operation or set of operations on the personal data. This includes the organisation, adaptation or alteration of personal data; the retrieval, consultation or use of personal data; the disclosure of personal data by transmission, transfer, dissemination or otherwise making it available; and the alignment, combination, correction, erasure or destruction of personal data.

How do I ensure I do not breach the PDPA 2010?
The processing of personal data by a data user must comply with the following seven Personal Data Protection Principles:

  • General Principle
  • Notice and Choice Principle
  • Disclosure Principle
  • Access Principle
  • Security Principle
  • Data Integrity Principle
  • Retention Principle

For a detailed description of the above principles, please visit the MIA website at http://www.mia.org.my/new/about_personal.asp

What are the main classes of data users?
The Personal Data Protection (Class of Data Users) Order 2013 specifies the classes of data users that must be registered under the PDPA 2010. The main classes of data users are:

  • Communications
  • Banking and financial institutions
  • Insurance
  • Health
  • Tourism and hospitalities
  • Transportation
  • Education
  • Direct selling
  • Services (which is further broken down into five sectors, including audit and accountancy)
  • Real estate
  • Utilities

In respect of the class of services, who is required to register as data users under the PDPA 2010?
A company registered under the Companies Act 1965 [Act 125], or a person who has entered into a partnership under the Partnership Act 1961 [Act 135], carrying on business in any of the following:

  1. legal;
  2. audit;
  3. accountancy;
  4. engineering; or
  5. architecture

As such, pursuant to section 15(1) of the PDPA 2010, member firms constituted as partnerships that offer audit and accountancy services are required to register with the Personal Data Protection Commissioner.

What are the consequences for non-compliance?
Under section 16(4) of the PDPA 2010, a data user in a specified class who processes personal data without a certificate of registration commits an offence and, on conviction, is liable to a fine not exceeding five hundred thousand ringgit, or to imprisonment for a term not exceeding three years, or to both.

Are sole proprietorships and limited liability partnerships required to register as data user?
No. Nevertheless, these entities are still required to comply with the Personal Data Protection Principles.

I currently run a separate company (Sdn Bhd) that provides tax services or company secretarial services. Would this be considered an accounting firm that requires registration as a data user under the PDPA 2010?
Based on the Personal Data Protection (Class of Data Users) Order 2013 and the definition of public practice services under rule 2 of the MIA (Membership & Council) Rules 2001, at this point in time a company that offers solely taxation or company secretarial services need not be registered.

Nonetheless, as a matter of good practice, it would be prudent for the company to register as a data user. Even if the company does not register, it remains obliged to comply with the provisions of the Act.

When is the deadline to register with the Personal Data Protection Commissioner?
According to the Personal Data Protection Department website, registration as a data user is open until 15 February 2014, and there will be no extension of time.

How to register?
Please refer to the Registration Flow Chart attached to MIA Circular MF21/2013 dated 11 December 2013, and download registration form 15(1) via the link provided in the circular.

How to submit the completed registration form?

  1. The submission may be made in person at the registration counter of the Personal Data Protection Department; or
  2. It may be sent by post to the following address:
    Kaunter Pendaftaran
    Bahagian Pendaftaran & Operasi
    Jabatan Perlindungan Data Peribadi
    Aras 6, Kompleks KKMM, Lot 4G9
    Persiaran Perdana, Presint 4
    Pusat Pentadbiran Kerajaan Persekutuan
    62100, Putrajaya

What should I be receiving upon the submission of the registration form?
Upon submission, a receipt acknowledgment slip ("SLIP") will be provided.

How do I know that my submission has been approved?
Notification of the approval of the registration will be sent to you by email, so please ensure you have provided a valid and current email address.

Do I have to make any payment upon submission of the registration form?
No payment is required upon submission of the registration form. However, you must pay the prescribed fee of RM200 (for partnerships) within 21 days of receiving the email notification of the approval of registration.

How to make the payment?

  1. Payment can be made by remittance, postal order, bank draft or cheque made payable to "Pesuruhjaya Perlindungan Data Peribadi" and crossed "TIDAK BOLEH DINIAGAKAN" or "A/C PAYEE ONLY".
  2. The payment may be presented in person at the registration counter or posted to the following address:
    Kaunter Pendaftaran
    Bahagian Pendaftaran & Operasi
    Jabatan Perlindungan Data Peribadi
    Aras 6, Kompleks KKMM, Lot 4G9
    Persiaran Perdana, Presint 4
    Pusat Pentadbiran Kerajaan Persekutuan
    62100, Putrajaya

What will I receive as acknowledgment of registration?
You will receive a certificate of registration as acknowledgment of your registration.

What is the validity period of the certificate of registration?
The certificate of registration is valid for two years. The PDP Department will send a renewal reminder by email three months before the expiry date.

Do I have to renew the certificate of registration?
Yes. The certificate of registration is renewable every two years, and the renewal must be made three months before the certificate expires.

How much is the renewal fee?
The renewal fee is RM200 for each renewal.

How do I apply for a replacement certificate of registration if it is lost or damaged?
You may apply for a replacement certificate of registration by writing to the Commissioner.

Do I have to pay for the replacement of the certificate?
Yes, a prescribed fee of RM30 is charged for the replacement of the certificate.