* Personal Data Protection Act 2010

Laws of MALAYSIA

ONLINE VERSION of the PRINT TEXT that UPDATES

Act 709

PERSONAL DATA PROTECTION ACT 2010

As at 15 June 2016

Royal Assent Date: 2 June 2010
Date of publication in the Gazette: 10 June 2010

ARRANGEMENT of SECTIONS

PART I PRELIMINARY
Section
1. Short title and commencement
2. Application
3. Disapplication
4. Interpretation

PART II PERSONAL DATA PROTECTION
Chapter 1 Principles of Personal Data protection
5. The principles of Personal Data protection
6. General principle
7. The principles of notice and choice
8. Principles of Disclosure
9. Security principles
10. Principles of Keeping
11. Data integrity principle
12. The principle of Access
Chapter 2 Registration
13. The adoption of this Term
14. User registration data
15. Application for registration
16. Certificate of registration
17. Renewal of certificate of registration
18. Cancellation of registration
19. Surrender of certificate of registration
20. Express User Data
Term 3 Forum user data and code of practice
21. Forum user data
22. Express Data User Forum
23. Code of practice
24. Commissioner may issue code of practice
25. Applicable code of practice
26. Cancellation, etc., code of practice
27. Production of the new code of practice by forum user data
28. Express code of practice
29. Non-compliance with code of practice
Division 4 The rights of data subjects
30. The right to access personal data
31. Compliance with data access request
32. The circumstances of the data user may refuse to comply with data access request
33. Notification of refusal to comply with a data access request
34. The right to rectify the personal data
35. Compliance with data correction request
36. The circumstances of the data user may refuse to comply with data correction request
37. Notification of refusal to comply with data correction request
38. Withdrawal of consent to process personal data
39. The extent of the disclosure of personal data
40. The processing of sensitive personal data
41. The collection of personal data repeatedly in the same circumstances
42. Right to prevent processing likely to cause damage or distress
43. Right to prevent processing for purposes of direct marketing
44. Records to be kept by the user data

PART III EXEMPTION
45. Exclusions
46. The power to make an extra exemption

PART IV APPOINTMENT, FUNCTIONS and POWERS of COMMISSIONER
47. Appointment of Commissioner
48. Functions of Commissioner
49. Power of Commissioner
50. Appointment of Deputy Commissioner and Assistant Commissioner
51. The appointment of other officers and servants
52. Lending and money advances to officers and servants
53. The term of Office
54. Revocation of appointment and resignation
55. Temporary exercise of functions and powers of Commissioner
56. Vacation of Office
57. Remuneration and allowances
58. Delegation of functions and powers of Commissioner
59. Directions by Minister
60. Statements, reports, accounts and information

PART V PERSONAL DATA PROTECTION FUND
61. The establishment of the Fund
62. Expenses shall be charged on Fund
63. Preservation of the Fund
64. Reserve fund
65. Financial year
66. The contractual restriction
67. Bank account
68. Accounts and audit
69. Expenditure and preparation of estimates

PART VI PERSONAL DATA PROTECTION ADVISORY COMMITTEE
70. Establishment of Advisory Committee
71. The functions of the Advisory Committee
72. Members of the Advisory Committee
73. The term of Office
74. Revocation of appointment and resignation
75. Temporary exercise of the functions of the Chairman
76. Vacation of Office
77. Allowance
78. Time and place of the meeting
79. The Advisory Committee may invite others to meetings
80. Minute
81. Code
82. Members should devote time to the business of the Advisory Committee

PART VII APPEAL TRIBUNAL
83. The establishment of a Tribunal of appeal
84. Power of Tribunal Appeal
85. Membership of the Tribunal Appeal
86. The Secretary to the Appeal Tribunal and other officers, etc.
87. The term of Office
88. Resignation and revocation
89. Temporary exercise of functions of Chairman
90. Vacation of Office
91. Allowance
92. Disclosure of interest
93. An appeal to the Appeal Tribunal
94. The record of decision of the Commissioner
95. Suspension of decision pending appeal
96. Membership of the Tribunal of appeal
97. The Appeal Tribunal Conference
98. The Appeal Tribunal procedures
99. The decision of the Tribunal Appeal
100. Enforcement of the decision of the Tribunal Appeal

PART VIII INSPECTIONS, COMPLAINTS and INVESTIGATIONS
101. System checks personal data
102. User related data, etc., shall be informed of the results of the examination
103. Report by the Commissioner
104. Complaints
105. Investigation by Commissioner
106. Restrictions on investigations are initiated through a complaint
107. The Commissioner may carry out or continue an investigation initiated through a complaint even though the complaint withdrawn
108. Enforcement notice
109. Changes or cancellation notice of enforcement

PART IX ENFORCEMENT
110. Authorized officers
111. Power card
112. Power of investigation
113. Search and seizure with warrant
114. Search and seizure without a warrant
115. Access to computerized data
116. A warrant is admissible even if flawed
117. List of computers, books, accounts, etc., seized
118. The release of a computer, books, accounts, etc., seized
119. There are no costs or damages arising from seizure can be obtained
120. Obstacles to the General search
121. Power to require production of computers, books, accounts, etc.
122. The power to require the attendance of the person who has knowledge of the case
123. Examination of the people with knowledge of the case
124. Admissibility of statements as evidence
125. Forfeiture of a computer, books, accounts, etc., seized
126. Mergers error
127. The power of arrest

PART X RANGE
128. Express
129. Transfer of personal data to places outside Malaysia
130. The collection, etc., of personal data against the law
131. Abetment and the attempt is punishable as an offence
132. Compounding of offences
133. Offences by body corporate
134. Prosecution
135. Jurisdiction to try the offence
136. Service of notice or other document
137. Public authorities Protection Act 1948
138. Public servants
139. Protection against legal and legal proceedings
140. Whistleblower
141. Obligations of confidentiality
142. Things done in anticipation of this Act are made
143. The power to make regulations
144. Prevention of anomalies

PART XI PROVISIONS SAVINGS and TRANSITIONAL
145. Personal data that is processed before the date of coming into operation of this Act
146. Registration of persons who process personal data prior to the date of coming into operation of this Act

Laws of MALAYSIA

Act 709

PERSONAL DATA PROTECTION ACT 2010

An Act to regulate the processing of personal data in commercial transactions and to provide for matters related and incidental to it.

[15th November 2013; P.U. (B) 464/2013]

ENACTED by the Parliament of Malaysia as follows:

PART I PRELIMINARY

Short title and commencement 1. (1) This Act may be cited as the Personal Data Protection Act 2010.

(2) This Act comes into force on such date as the Minister may appoint by notification in the Gazette, and the Minister may prescribe different dates for different provisions in this Act.


Application 2. (1) This Act shall apply to —

(a) any person who processes; and

(b) any person who has control over or allows the processing of,

any personal data in respect of commercial transactions.

(2) Subject to subsection (1), this Act shall apply to a person in respect of personal data if —

(a) that person is established in Malaysia and the personal data are processed, whether in the context of the establishment or not, by that person or any other person employed or engaged by the establishment; or

(b) that person is not established in Malaysia, but uses equipment in Malaysia to process the personal data other than for the purpose of transit through Malaysia.

(3) a person covered by paragraph (2) (b) shall nominate for the purposes of this Act a representative established in Malaysia.

(4) for the purposes of subsection (2) and (3), each of the following shall be considered as established in the United Kingdom: (a) an individual who presence physically in Malaysia shall be not less than one hundred and eighty days in a calendar year;

(b) a body incorporated under the companies Act 1965 [Act 125];

(c) a partnership or other unincorporated association formed under any written law in Malaysia; and

(d) any person who is not covered by paragraph (a), (b) or (c) but maintains in Malaysia —

(i) an office, branch or agency through which he carries on any activity; or

(ii) a permanent practice.


Disapplication 3. (1) This Act does not apply to the Federal Government and the State Government.

(2) this Act does not apply to any personal data processed outside Malaysia unless the personal data is intended to be processed further in Malaysia.


Interpretation 4. In this Act, unless the context otherwise requires —

"credit reporting agency" has the meaning assigned to it in the Credit Reporting Agencies Act 2010 [Act 710];

"This Act" includes the regulations, orders, notices and other subsidiary legislation made under this Act;

"register" means the register of Users Data, Express Data Users Forum or register code of practice;

"personal data" means any information in respect of commercial transactions, which —

(a) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;

(b) is recorded with the intention that it should be processed wholly or partly by means of such equipment; or

(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,

that relates directly or indirectly to a data subject, who is identified or can be identified from that information or from that information and other information in the possession of a data user, including any sensitive personal data and statement of opinion on the data subject; but does not include any information that is processed for the purpose of a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2010;

"sensitive personal data" means any personal data that contains information about the health or physical or mental condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence or any other personal data as the Minister may determine by order published in the Gazette;

"prescribed" means prescribed by the Minister under this Act and if there is no way referred to, means prescribed by order published in the Gazette;

"Advisory Committee" means the Advisory Committee of Protection of Personal Data established under section 70;

"vital interests" means relating to the life, death or the safety of a data subject;

"Fund" means the Fund Protection of Personal Data established under section 61;

"use", in relation to personal data, does not include the act of collecting or disclosing such personal data;

"collect", in relation to personal data, means an act by which such personal data enters into or comes under the control of a data user;

"Minister" means the Minister charged with the responsibility for the protection of personal data;

"disclose", in relation to personal data, means an act by which such personal data is provided by a data user;

"relevant person", in relation to a data subject, in any manner whatsoever or howsoever described, means —

(a) in the case of a data subject who is under the age of eighteen years, the parent, guardian or person who has parental responsibility for the data subject;

(b) in the case of a data subject who is incapable of managing his own affairs, a person appointed by the Court to manage his affairs, or a person authorized in writing by the data subject to act on behalf of the data subject; or

(c) in any other case, a person authorized in writing by the data subject to make a data access request, a data correction request, or both such requests, on behalf of the data subject;

"authorized officer" means any officer authorized in writing by the Commissioner under section 110;

"rectification", in relation to personal data, includes amendment, alteration, modification or deletion;

"applicant", in relation to a data access request or data correction request, means the data subject or the relevant person on behalf of the data subject, who makes the request;

"data processor", in relation to personal data, means any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user, and does not process the personal data for any of his own purposes;

"processing", in relation to personal data, means collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data, including —

(a) the compilation, adaptation or alteration of personal data;

(b) the retrieval, consultation or use of personal data;

(c) the disclosure of personal data through delivery, transfer, dissemination or otherwise making it available; or

(d) the alignment, merging, correction, deletion or destruction of personal data;

"registration" means the registration of a data user under section 16;

"data user" means a person who either alone or in association or conjunction with others processes any personal data or has control over or allows the processing of any personal data, but does not include a data processor;

"user related data", in respect of —

(a) an examination, means the data user using the personal data that is the subject of the examination;

(b) a complaint, means the data user specified in the complaint;

(c) an investigation —

(i) in the case of an investigation initiated by a complaint, means the data user specified in the complaint;

(ii) in any other case, means the data user that is the subject of the investigation;

(d) an enforcement notice, means the data user on whom the enforcement notice is served;

"credit reporting business" has the meaning assigned to it in the Credit Reporting Agencies Act 2010;

"Commissioner" means the Personal Data Protection Commissioner appointed under section 47;

"third party", in relation to personal data, means any person other than —

(a) a data subject;

(b) a relevant person in relation to a data subject;

(c) a data user;

(d) a data processor; or

(e) a person authorized in writing by the data user to process the personal data under the direct control of the data user;

"relevant filing system" means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual can be accessed easily;

"data subject" means an individual who is the subject of the personal data;

"due date" means the date or dates that are related, as the case may be, at which this Act comes into operation;

"code of practice" means the personal data protection code of practice in respect of a specific class of data users registered by the Commissioner pursuant to section 23 or issued by the Commissioner under section 24;

"commercial transaction" means any transaction of a commercial nature, whether contractual or not, which may include any matter relating to the supply or exchange of goods or services, agencies, investment, financing, banking and insurance, but does not include a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2010.






PART II PERSONAL DATA PROTECTION

Term 1 Principles of Personal Data protection

The principles of Personal Data protection 5. (1) The processing of personal data by a data user shall comply with the following principles of Personal Data protection, namely —

(a) General principles;

(b) the principles of Notice and choice;

(c) principles of Disclosure;

(d) Security principles;

(e) the principle of Storage;

(f) the principle of the integrity of the Data; and

(g) the principles of Access,

as specified in sections 6, 7, 8, 9, 10, 11 and 12.

(2) Subject to sections 45 and 46, a data user who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding three hundred thousand dollars or to imprisonment for a term not exceeding two years or to both.




General principles 6. (1) A data user may not —

(a) in the case of personal data other than sensitive personal data, process personal data of a data subject unless the data subject has given consent for the processing of the personal data; or

(b) in the case of sensitive personal data, process sensitive personal data of a data subject except in accordance with the provisions of section 40.

(2) Notwithstanding paragraph (1) (a), a data user may process the personal data of a data subject if the processing is necessary —

(a) for the performance of a contract to which the data subject is a party;

(b) to take steps at the request of the data subject with a view to entering into a contract;

(c) to comply with any legal obligation to which the data user is subject, other than an obligation imposed by a contract;

(d) in order to protect the vital interests of the data subject;

(e) for the administration of justice; or

(f) to carry out any function that is conferred on any person by or under any law.

(3) Personal data shall not be processed unless —

(a) the personal data is processed for a lawful purpose directly related to the data user;

(b) the processing of personal data is necessary for or in connection with that purpose; and

(c) the personal data are adequate but not excessive in relation to that purpose.


The principles of Notice and choice 7. (1) A data user shall by notice in writing inform the data subject —

(a) that the data subject's personal data is being processed by or on behalf of the data user, and shall provide a description of the personal data to the data subject;

(b) the purposes for which the personal data are or are to be collected and processed further;

(c) any information available to the data user about the source of the personal data;

(d) the right of the data subject to request access to and to request correction of the personal data and how to contact the data user with any queries or complaints in respect of the personal data;

(e) the third parties to whom the data user discloses or may disclose the personal data;

(f) the options and the means offered by the data user to the data subject in order to restrict the processing of personal data, including personal data relating to other people who can be identified from the personal data;

(g) whether it is compulsory or voluntary for the data subject to provide the personal data; and

(h) if it is necessary for the data subject to provide the personal data, the consequences for him if he does not give the personal data.

(2) The notice under subsection (1) shall be given as soon as reasonably practicable by the data user —

(a) when the data subject is first asked by the data user to provide his personal data;

(b) when the data user first collects the personal data of the data subject; or

(c) in any other case, before the data user —

(i) uses the personal data of the data subject for a purpose other than the purpose for which the personal data was collected; or

(ii) discloses such personal data to third parties.

(3) A notice under subsection (1) shall be in the national language and English, and the individual shall be given a clear and easily accessible way to make his choice, if necessary, in the national language and English.




Disclosure Principle 8. Subject to section 39, no personal data shall, without the consent of the data subject, be disclosed —

(a) for any purpose other than —

(i) the purpose for which the personal data was to be disclosed at the time of collection of the personal data; or

(ii) a purpose directly related to the purpose referred to in subparagraph (i); or

(b) to any party other than a third party as stated in paragraph 7 (1) (e).


Security principles 9. (1) A data user shall, when processing personal data, take practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction by having regard to —

(a) the nature of the personal data and the harm that would result from such loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction;

(b) the place or site where personal data is stored;

(c) any security measures that are incorporated into any equipment in which personal data is stored;

(d) the steps taken to ensure the reliability, integrity and reliability of the personnel that have access to the personal data; and

(e) the steps taken to ensure secure transfer of the personal data.

(2) If the processing of personal data is carried out by a data processor on behalf of the data user, the data user shall, for the purpose of protecting the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction, ensure that the data processor —

(a) provides sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out; and

(b) takes reasonable steps to ensure compliance with those measures.


Principles of Keeping 10. (1) the Personal Data processed for any purpose shall not be kept longer than necessary to fulfill that purpose.

(2) It shall be the duty of a data user to take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if the personal data is no longer required for the purposes for which the personal data was to be processed.


Data integrity principle 11. A data user shall take reasonable steps to ensure that personal data are accurate, complete, not misleading and updated, taking into account the purpose, including any directly related purpose, for which the personal data is collected and processed further.


The principle of Access 12. A data subject shall be given access to his personal data held by a data user and be able to correct the personal data if the personal data is inaccurate, incomplete, misleading or not up to date, unless compliance with the request for access or correction is refused under this Act.

Term 2 Registration

Application of this Chapter 13. (1) This Chapter shall apply to a data user who belongs to a class of data users specified in an order made under subsection 14 (1).

(2) A data user who belongs to a class of data users not specified in an order made under subsection 14 (1) shall comply with all provisions of this Act in addition to the provisions of this Chapter relating to the registration of data users and matters associated with it.


User registration data 14. (1) The Minister may, on the recommendation of the Commissioner, by order published in the Gazette, specify the class of data users who are required to be registered as data users under this Act.

(2) The Commissioner shall, before making his recommendation under subsection (1), consult with —

(a) any body that represents the data users who belong to that class; or

(b) any other interested person.


Application for registration 15. (1) a person who is in a class of data users specified in an order made under subsection 14 (1) shall submit an application for registration to the Commissioner in the manner and in the form specified by the Commissioner.

(2) every application for registration shall be accompanied by the prescribed registration fees and any documents as may be required by the Commissioner.

(3) the Commissioner may in writing at any time after receipt of the application and before the application is determined, require the applicant to provide any document or additional information within the time specified by the Commissioner.

(4) If the requirements under subsection (3) are not complied with, the application for registration shall be deemed to have been withdrawn by the applicant and shall not be proceeded with further by the Commissioner, but without prejudice to a new application made by the applicant.


Certificate of registration 16. (1) After consideration is given to an application under subsection 15 (1), the Commissioner may —

(a) register the applicant and issue a certificate of registration to the applicant in such form as may be determined by the Commissioner; or

(b) refuse the application.

(2) The certificate of registration shall be issued subject to such conditions or restrictions as the Commissioner thinks fit to impose.

(3) If the Registrar rejects the application for registration pursuant to subsection (1), he shall notify the applicant by a written notice that the application is rejected and the reasons therefor.

(4) A person who belongs to a class of data users specified in an order made under subsection 14 (1) and who processes personal data without a certificate of registration issued pursuant to paragraph 16 (1) (a) commits an offence and shall, on conviction, be liable to a fine not exceeding five hundred thousand dollars or to imprisonment for a term not exceeding three years or to both.


Renewal of certificate of registration 17. (1) a data user may make an application for renewal of certificate of registration not later than ninety days before the date of expiry of the registration in the manner and in the form specified by the Commissioner and the application shall be accompanied by the prescribed renewal fee and any documents required by the Commissioner, but no application for renewal may be allowed if the application is made after the date of expiry of the registration.

(2) Upon renewal of a certificate of registration, the Commissioner may change the conditions or restrictions imposed when the certificate of registration was issued or impose additional conditions or restrictions.

(3) the Commissioner may refuse to renew a certificate of registration — (a) if the data user fails to comply with any provision of this Act;

(b) if the data user fails to comply with any conditions or restrictions imposed upon the certificate of registration issued; or (c) if he is satisfied that the data user cannot proceed with the processing of personal data in accordance with this Act.


Cancellation of registration 18. (1) The Commissioner may cancel the registration of a data user if the Commissioner is satisfied that —

(a) the data user fails to comply with any provision of this Act;

(b) the data user fails to comply with any conditions or restrictions imposed upon the certificate of registration issued;

(c) the issuance of the certificate of registration was induced by a false representation of fact by the data user; or

(d) the data user has stopped carrying out processing of personal data.

(2) Notwithstanding subsection (1), the Commissioner may not cancel the registration of a data user unless the Commissioner is satisfied that, after giving the data user an opportunity to make any representations in writing that he may wish to make, the registration should be cancelled.

(3) If the registration of the data user is cancelled, the Commissioner shall issue a notice of revocation of registration to the data user, and the certificate of registration issued in respect of the registration shall cease to have effect upon service of the notice of revocation of registration.

(4) A data user whose registration has been cancelled under this section and who continues to process personal data thereafter commits an offence and shall, on conviction, be liable to a fine not exceeding five hundred thousand dollars or to imprisonment for a term not exceeding three years or to both.


Surrender of certificate of registration 19. (1) if the certificate of registration is revoked under section 18, the holder of the certificate shall, within seven days from the date of service of the notice of revocation of registration, deliver such certificate to the Commissioner.

(2) A person who fails to comply with subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.


Express User Data 20. (1) the Commissioner shall maintain a register of Data Users in accordance with section 128.

(2) The Register of Data Users shall contain the names of data users who have been registered in accordance with this Term and such other particulars in respect of the data users as determined by the Commissioner.

Chapter 3 Forum user data and code of practice

Forum user data 21. (1) The Commissioner may nominate a body as a forum user data with respect to a specific class of data users for the purposes of this Act by notifying the body in writing, if the Commissioner is satisfied that —

(a) membership of the body is open to all data users in the class;

(b) the body is unable to perform as required under the applicable provisions of this Act; and

(c) the body has a written constitution.

(2) the Body shall agree in writing to be a forum user data before a nomination is registered by the Commissioner in the register Forum User Data.

(3) the Commissioner may decide that an existing body previously named as a forum user data under subsection (1) shall not be a forum user data for the purposes of this Act, if he is satisfied that that body no longer meets the requirements set out in that subsection.

(4) If the Commissioner decides that an existing body that has been named as a forum user data will no longer be a forum user data for the purposes of this Act, he shall withdraw the nomination and subsequently cancel the registration of the nomination in the Express Forum User Data.

(5) a nomination or the withdrawal of a nomination under this section shall have effect from the date of registration of the nomination or the nomination date of cancellation of registration, as the case may be, or any later date specified by the Commissioner.


Express User Forum Data 22. (1) the Commissioner shall maintain a register of Data Users Forum in accordance with section 128.

(2) the Data User Forum Register shall contain the name of the consumer forum data has been named and registered pursuant to this Chapter and any other details regarding the forum users the data as determined by the Commissioner.


Code of practice 23. (1) A data user forum may prepare a code of practice — (a) on its own initiative; or (b) upon request by the Commissioner.

(2) A data user forum shall, in preparing a code of practice under subsection (1), consider matters including — (a) the purpose for the processing of personal data by the data user or class of data users;

(b) the views of the data subjects or bodies representing the data subjects;

(c) the views of the relevant regulatory authority, if any, to which the data user is subject; and

(d) that the code of practice, taking into account all the matters referred to in paragraphs (a), (b) and (c) and any other matters, provides an adequate level of protection for the personal data of the data subjects concerned.

(3) The Commissioner may register a code of practice prepared under subsection (1), if the Commissioner is satisfied that — (a) the code of practice is in accordance with the provisions of this Act; and (b) the matters specified in subsection (2) have been given consideration.

(4) The code of practice under subsection (1) shall come into operation on the date of registration of the code of practice by the Commissioner in the Register of Codes of Practice.

(5) If the Commissioner refuses to register the code of practice, the Commissioner shall notify the relevant data user forum of his decision in writing and provide the reasons for the decision.

(6) If the Commissioner neither registers nor refuses to register a code of practice within thirty days from the date of receipt of the code of practice by him for registration, the Commissioner shall be deemed to have refused to register the code of practice.

(7) The Commissioner may register different codes of practice for different data users.

(8) The Commissioner and the data user shall make available to the public any code of practice registered under subsection (3).


Commissioner may issue code of practice 24. (1) The Commissioner may issue a code of practice, if — (a) no code of practice has been prepared under paragraph 23(1)(a);

(b) the Commissioner is satisfied that a code of practice for a specific class of data users is not likely to be prepared by the relevant data user forum within the period specified by the Commissioner; or (c) there is no data user forum to develop a code of practice in relation to the data users.

(2) The Commissioner shall, before issuing a code of practice under subsection (1), consider matters including — (a) the purpose for the processing of personal data by the data user or class of data users;

(b) the views of the data users, or groups representing the data users, to which the code of practice applies;

(c) the views of the data subjects or groups representing the data subjects;

(d) the views of the relevant regulatory authority, if any, to which the data user is subject; and

(e) that the code of practice, taking into account all the matters referred to in paragraphs (a), (b) and (c) and any other matters, provides an adequate level of protection for the personal data of the data subjects concerned.

(3) The Commissioner may issue different codes of practice for different data users.

(4) The code of practice issued by the Commissioner under subsection (1) shall be registered in the Register of Codes of Practice.

(5) The code of practice under subsection (1) shall come into operation on the date of registration of the code of practice by the Commissioner.

(6) The Commissioner shall make available to the public any code of practice issued by him under subsection (1).


Applicable code of practice 25. (1) The Commissioner shall ensure that there is only one code of practice registered for a class of data users at any given time.

(2) All data users belonging to a class of data users shall comply with the relevant registered code of practice applicable to those data users at any given time.

(3) Where a code of practice is registered by the Commissioner under section 23 or 24, the Commissioner shall notify, in such manner as the Commissioner may determine, the relevant data users to whom the code of practice applies — (a) of the identity of the relevant code of practice and the date on which the code of practice comes into operation; and (b) of the specific requirements under this Act for which the code of practice is issued and registered.

(4) Where there is any uncertainty or ambiguity about which code of practice applies to a particular data user or class of data users, the data user or person concerned may apply to the Commissioner for the Commissioner's view on which code of practice applies in relation to the circumstances of the data user or person.

(5) The Commissioner shall give his view within thirty days from the date of receipt of an application made under subsection (4).

(6) The Commissioner shall, when giving his view under subsection (5), take into account any relevant previous views, if any.

(7) The Commissioner may withdraw a view given under this section if the Commissioner is satisfied that the nature of the activities in which the data user is involved has changed materially.


Cancellation, etc., of code of practice 26. (1) The Commissioner may cancel, amend or revise, whether in whole or in part, any code of practice registered under this Act — (a) of his own accord; or (b) upon an application by the data user forum or any body representing the data users.

(2) The Commissioner shall, before cancelling, amending or revising a code of practice under subsection (1), consult with — (a) any data users or bodies representing data users to which the code of practice applies, whether in whole or in part; and (b) any other interested persons, as the Commissioner thinks fit.

(3) Where any code of practice has been cancelled, amended or revised under subsection (1), the Commissioner — (a) shall enter the particulars of the cancellation, amendment or revision in the Register of Codes of Practice; and

(b) shall notify the relevant data user forum, the data users and the public of the cancellation, amendment or revision in such manner as determined by the Commissioner.

(4) The Commissioner shall make available to the public any code of practice which is amended or revised by him under this section.


Submission of new code of practice by data user forum 27. (1) A data user forum may submit a new code of practice to replace an existing code of practice.

(2) The new code of practice submitted pursuant to subsection (1) shall be subject to the provisions of this Chapter.



Register of Codes of Practice 28. (1) The Commissioner shall maintain a Register of Codes of Practice in accordance with section 128.

(2) The Register of Codes of Practice shall contain — (a) the codes of practice registered under section 23 or 24 and any cancellation, amendment or revision of the codes of practice under section 26; and (b) any view given by the Commissioner under section 25, including details of the withdrawal of previous views.


Non-compliance with code of practice 29. A data user who fails to comply with any provision of the code of practice applicable to the data user commits an offence and shall, on conviction, be liable to a fine not exceeding one hundred thousand ringgit or to imprisonment for a term not exceeding one year or to both.

Chapter 4 Rights of data subjects

Right of access to personal data 30. (1) An individual is entitled to be informed by a data user whether personal data of which that individual is the data subject is being processed by or on behalf of the data user.

(2) An applicant shall, on payment of the prescribed fee, be entitled to make a data access request in writing to the data user — (a) for information about the data subject's personal data that is being processed by or on behalf of the data user; and

(b) to have delivered to him a copy of the personal data in an intelligible form.

(3) A data access request for any information under subsection (2) shall be treated as a single request, and a data access request for information under paragraph (2)(a) shall, if there are no instructions to the contrary, be deemed to extend also to a request under paragraph (2)(b).

(4) Where a data user has separate entries in respect of personal data held for different purposes, a separate data access request shall be made for each separate entry.

(5) Where a data user does not hold the personal data, but controls the processing of the personal data in such a way as to prohibit the data user who holds the personal data from complying, whether in whole or in part, with the data access request under subsection (2) relating to the personal data, the first-mentioned data user shall be deemed to hold the personal data and the provisions of this Act shall be construed accordingly.


Compliance with data access request 31. (1) Subject to subsection (2) and section 32, a data user shall comply with a data access request under section 30 not later than twenty-one days from the date of receipt of the data access request.

(2) A data user who is unable to comply with a data access request within the period specified in subsection (1) shall, before the expiry of that period — (a) by notice in writing inform the applicant that he is unable to comply with the data access request within that period and the reasons why he is unable to do so; and (b) comply with the data access request to the extent that he is able to do so.

(3) Notwithstanding subsection (2), a data user shall comply with the data access request in its entirety not later than fourteen days after the expiry of the period specified in subsection (1).


Circumstances where data user may refuse to comply with data access request 32. (1) A data user may refuse to comply with a data access request under section 30 if — (a) the data user is not given such information as he may reasonably require — (i) to satisfy himself as to the identity of the applicant; or (ii) where the applicant claims to be a relevant person, to satisfy himself — (A) as to the identity of the data subject in relation to whom the applicant claims to be the relevant person; and

(B) that the applicant is the relevant person in relation to the data subject;

(b) the data user is not given such information as he may reasonably require to locate the personal data to which the data access request relates;

(c) the burden or expense of providing access is disproportionate to the risks to the data subject's privacy in relation to the personal data in the case in question;

(d) the data user cannot comply with the data access request without disclosing personal data relating to another individual who can be identified from that information, unless — (i) that other individual has consented to the disclosure of the information to the applicant; or (ii) it is reasonable in all the circumstances to comply with the data access request without the consent of the other individual;

(e) subject to subsection (3), any other data user controls the processing of the personal data to which the data access request relates in such a way as to prohibit the first-mentioned data user from complying, whether in whole or in part, with the data access request;

(f) providing access would be a violation of an order of a court;

(g) providing access would disclose confidential commercial information; or (h) access to the personal data is regulated by other laws.

(2) In determining for the purposes of subparagraph (1)(d)(ii) whether it is reasonable in all the circumstances to comply with the data access request without the consent of the other individual, regard shall be had, in particular, to — (a) any duty of confidentiality owed to the other individual;

(b) any steps taken by the data user with a view to obtaining the consent of the other individual;

(c) whether the other individual is capable of giving consent; and (d) any refusal of consent by the other individual.

(3) Paragraph (1)(e) shall not operate so as to excuse the data user from complying with the data access request under subsection 30(2) to any extent that the data user can comply with the data access request without contravening the prohibition concerned.


Notification of refusal to comply with a data access request 33. Where a data user, pursuant to section 32, refuses to comply with a data access request under section 30, he shall, not less than twenty-one days from the date of receipt of the data access request, by notice in writing, inform the applicant — (a) of the refusal and the reasons for the refusal; and (b) where paragraph 32(1)(e) applies, of the name and address of the other data user concerned.

Right to correct personal data 34. (1) Where — (a) a copy of the personal data has been given by the data user in compliance with a data access request under section 30 and the applicant considers that the personal data is inaccurate, incomplete, misleading or not up to date; or (b) the data subject knows that his personal data held by the data user is inaccurate, incomplete, misleading or not up to date, the applicant or the data subject, as the case may be, shall make a data correction request in writing to the data user so that the data user makes the necessary correction to the personal data.

(2) Where a data user does not hold the personal data, but controls the processing of the personal data in such a way as to prohibit the data user who holds the personal data from complying, whether in whole or in part, with the data correction request under subsection (1) relating to the personal data, the first-mentioned data user shall be deemed to be the data user to whom such a request may be made and the provisions of this Act shall be construed accordingly.


Compliance with data correction request 35. (1) Subject to subsections (2), (3) and (5) and section 36, where a data user is satisfied that the personal data to which a data correction request relates is inaccurate, incomplete, misleading or not up to date, he shall, not less than twenty-one days from the date of receipt of the data correction request — (a) make the necessary correction to the personal data;

(b) give the applicant a copy of the personal data as corrected; and (c) subject to subsection (4), where — (i) the personal data has been disclosed to a third party within twelve months immediately before the day on which the correction is made; and (ii) the data user has no reason to believe that the third party has ceased using the personal data for the purpose, including any directly related purpose, for which the personal data was disclosed to the third party, take all practicable steps to give the third party a copy of the personal data as so corrected together with a written notice stating the reasons for the correction.

(2) A data user who is unable to comply with a data correction request within the period specified in subsection (1) shall, before the expiry of that period: (a) by notice in writing inform the applicant that he is unable to comply with the data correction request within that period and the reasons why he is unable to do so; and (b) comply with the data correction request to the extent that he is able to do so.

(3) Notwithstanding subsection (2), a data user shall comply in whole with the data correction request not later than fourteen days after the expiry of the period specified in subsection (1).

(4) A data user is not required to comply with paragraph (1)(c) in any case where the disclosure of the personal data to a third party consists of the third party's own inspection of a register — (a) in which the personal data is entered or otherwise recorded; and (b) which is available for inspection by the public.

(5) Where a data user is requested to correct personal data under subsection 34(1) and the personal data is being processed by another data user who is in a better position to respond to the data correction request — (a) the first-mentioned data user shall immediately transfer the data correction request to that other data user, and notify the applicant of this fact; and (b) sections 34, 35, 36 and 37 shall apply as if the references in them to a data user were references to that other data user.


Circumstances where data user may refuse to comply with data correction request 36. (1) A data user may refuse to comply with a data correction request under section 34 if — (a) the data user is not given such information as he may reasonably require — (i) to satisfy himself as to the identity of the applicant; or (ii) where the applicant claims to be a relevant person, to satisfy himself — (A) as to the identity of the data subject in relation to whom the applicant claims to be the relevant person; and (B) that the applicant is the relevant person in relation to the data subject;

(b) the data user is not given such information as he may reasonably require to ascertain in what way the personal data to which the data correction request relates is inaccurate, incomplete, misleading or not up to date;

(c) the data user is not satisfied that the personal data to which the data correction request relates is inaccurate, incomplete, misleading or not up to date;

(d) the data user is not satisfied that the correction which is the subject of the data correction request is accurate, complete, not misleading or up to date; or

(e) subject to subsection (2), any other data user controls the processing of the personal data to which the data correction request relates in such a way as to prohibit the first-mentioned data user from complying, whether in whole or in part, with the data correction request.

(2) Paragraph (1)(e) shall not operate so as to excuse the data user from complying with subsection 35(1) in relation to the data correction request to any extent that the data user can comply with that subsection without contravening the prohibition concerned.


Notification of refusal to comply with data correction request 37. (1) Where a data user, pursuant to section 36, refuses to comply with a data correction request under section 34, he shall, not less than twenty-one days from the date of receipt of the data correction request, by notice in writing, inform the applicant — (a) of the refusal and the reasons for the refusal; and (b) where paragraph 36(1)(e) applies, of the name and address of the other data user concerned.

(2) Without prejudice to the generality of subsection (1), where the personal data to which the data correction request relates is an expression of opinion and the data user is not satisfied that the expression of opinion is inaccurate, incomplete, misleading or not up to date, the data user shall — (a) make an entry, whether attached to the personal data or elsewhere — (i) of the matters in respect of which the expression of opinion is regarded by the applicant as inaccurate, incomplete, misleading or not up to date; and (ii) in such a way that the personal data cannot be used by any person without the entry being brought to the attention of, and being available for inspection by, that person; and (b) attach a copy of the entry to the notice referred to in subsection (1) in relation to the data correction request.

(3) In this section, "expression of opinion" includes a statement of fact which cannot be verified or whose verification, in all the circumstances of the case, is not practicable.

(4) A data user who contravenes subsection (2) commits an offence and shall, on conviction, be liable to a fine not exceeding one hundred thousand ringgit or to imprisonment for a term not exceeding one year or to both.


Withdrawal of consent to process personal data 38. (1) A data subject may by notice in writing withdraw his consent to the processing of personal data in respect of which he is the data subject.

(2) The data user shall, on receipt of the notice under subsection (1), stop processing the personal data.

(3) Failure of the data subject to exercise the right conferred by subsection (1) does not affect any other rights conferred upon him by this section.

(4) A data user who contravenes subsection (2) commits an offence and shall, on conviction, be liable to a fine not exceeding one hundred thousand ringgit or to imprisonment for a term not exceeding one year or to both.



Extent of disclosure of personal data 39. Notwithstanding section 8, personal data of a data subject may be disclosed by a data user for any purpose other than the purpose for which the personal data was to be disclosed at the time of its collection, or any other purpose directly related to that purpose, only under the following circumstances: (a) the data subject has given consent to the disclosure;

(b) the disclosure — (i) is necessary for the purpose of preventing or detecting a crime, or for the purpose of investigation; or

(ii) is required or permitted by or under any law or by order of a court;

(c) the data user acted in the reasonable belief that he had a right in law to disclose the personal data to the other person;

(d) the data user acted in the reasonable belief that he would have obtained the consent of the data subject if the data subject had known of the disclosure of the personal data and the circumstances of the disclosure; or (e) the disclosure is justified as being in the public interest in circumstances determined by the Minister.



Processing of sensitive personal data 40. (1) Subject to subsection (2) and section 5, a data user shall not process any sensitive personal data of a data subject except in accordance with the following conditions: (a) the data subject has given his explicit consent to the processing of the personal data;

(b) the processing is necessary — (i) for the purpose of exercising or performing any right or obligation conferred or imposed by law on the data user in connection with recruitment;

(ii) to protect the vital interests of the data subject or of another person, in a case where — (A) consent cannot be given by or on behalf of the data subject; or (B) the data user cannot reasonably be expected to obtain the consent of the data subject;

(iii) to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld;

(iv) for medical purposes and is undertaken by — (A) a health care professional; or

(B) a person who in the circumstances owes a duty of confidentiality equivalent to that which would arise if that person were a health care professional;

(v) for the purpose of, or in connection with, any legal proceedings;

(vi) for the purpose of obtaining legal advice;

(vii) for the purpose of establishing, exercising or defending a right in law;

(viii) for the administration of justice;

(ix) for the exercise of any function conferred on any person by or under any written law; or (x) for any other purpose as the Minister thinks fit; or (c) the information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

(2) The Minister may by order published in the Gazette exclude the application of subparagraph (1)(b)(i), (viii) or (ix) in such cases as may be specified in the order, or provide that, in such cases as may be specified in the order, the condition in subparagraph (1)(b)(i), (viii) or (ix) is not to be regarded as met unless such further conditions as may be specified in the order are also met.

(3) Any person who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.

(4) For the purposes of this section — "medical purposes" includes the purposes of preventive medicine, medical diagnosis, medical research, rehabilitation and the provision of care and treatment and the management of health care services;

"health care services" has the meaning assigned to it in the Private Healthcare Facilities and Services Act 1998 [Act 586];

"health care professional" means a medical practitioner, dental practitioner, pharmacist, clinical psychologist, nurse, midwife, medical assistant, physiotherapist, occupational therapist and other allied health care professionals and any other person involved in providing medical, health, dental, pharmaceutical and any other health care services under the jurisdiction of the Ministry of Health.


Repeated collection of personal data in the same circumstances 41. (1) Where a data user — (a) has complied with the provisions of the Notice and Choice Principle under section 7 in respect of the collection of personal data from the data subject, referred to as the "first collection"; and (b) at any later time again collects personal data from that data subject, referred to as the "subsequent collection", the data user is not required to comply with the Notice and Choice Principle in respect of the subsequent collection if — (A) to comply with those provisions in respect of the subsequent collection would be to repeat, in the same circumstances, what was done to comply with that Principle in respect of the first collection; and (B) not more than twelve months have passed between the first collection and the subsequent collection.

(2) For the avoidance of doubt, it is hereby declared that subsection (1) shall not operate to prevent a subsequent collection from becoming a first collection if the data user has complied with the provisions of the Notice and Choice Principle in respect of the subsequent collection.


Right to prevent processing likely to cause damage or distress 42. (1) Subject to subsection (2), a data subject may, at any time by notice in writing to a data user, referred to as the "data subject notice", require the data user, at the end of such period as is reasonable in the circumstances, to — (a) cease the processing, or processing for a specified purpose or in a specified manner; or (b) not begin the processing, or processing for a specified purpose or in a specified manner, of any personal data in respect of which he is the data subject if, based on the reasons stated by him — (A) the processing of that personal data, or the processing of personal data for that purpose or in that manner, is causing or is likely to cause substantial damage or substantial distress to him or to another person; and (B) the damage or distress is or would be unwarranted.

(2) Subsection (1) shall not apply where — (a) the data subject has given his consent;

(b) the processing of the personal data is necessary — (i) for the performance of a contract to which the data subject is a party;

(ii) for the taking of steps, at the request of the data subject, with a view to entering into a contract;

(iii) for compliance with any legal obligation to which the data user is subject, other than an obligation imposed by contract; or (iv) to protect the vital interests of the data subject; or (c) in such other cases as the Minister may prescribe by order published in the Gazette.

(3) The data user shall, within twenty-one days from the date of receipt of the data subject notice under subsection (1), give the data subject a written notice — (a) stating that he has complied or intends to comply with the data subject notice; or (b) stating his reasons for regarding the data subject notice as unjustified, or to any extent unjustified, and the extent, if any, to which he has complied or intends to comply with it.

(4) Where the data subject is dissatisfied with the failure of the data user to comply with the data subject notice, whether in whole or in part, under paragraph (3)(b), the data subject may submit an application to the Commissioner to require the data user to comply with the data subject notice.

(5) Where the Commissioner is satisfied that the application of the data subject under subsection (4) is justified, or justified to any extent, the Commissioner may require the data user to take such steps to comply with the data subject notice.

(6) A data user who fails to comply with the requirement of the Commissioner under subsection (5) commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.


Right to prevent processing for purposes of direct marketing 43. (1) A data subject may, at any time by notice in writing to a data user, require the data user, at the end of such period as is reasonable in the circumstances, to cease or not to begin processing his personal data for purposes of direct marketing.

(2) Where the data subject is dissatisfied with the failure of the data user to comply with the notice, whether in whole or in part, under subsection (1), the data subject may submit an application to the Commissioner to require the data user to comply with the notice.

(3) Where the Commissioner is satisfied that the application of the data subject under subsection (2) is justified, or justified to any extent, the Commissioner may require the data user to take such steps to comply with the notice.

(4) A data user who fails to comply with the requirement of the Commissioner under subsection (3) commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.

(5) For the purposes of this section, "direct marketing" means the communication by any means whatsoever of any advertising or marketing material which is directed to a specific individual.


Records to be kept by data user 44. (1) A data user shall keep and maintain a record of any application, notice, request or any other information relating to personal data that has been or is being processed by him.

(2) The Commissioner may determine the manner and form in which the record is to be maintained.


PART III EXEMPTION

Exemption 45. (1) Personal data processed by an individual only for the purposes of that individual's personal, family or household affairs, including recreational purposes, shall be exempted from the provisions of this Act.

(2) Subject to section 46, personal data — (a) processed for — (i) the prevention or detection of crime or for the purpose of investigation;

(ii) the arrest or prosecution of offenders; or (iii) the assessment or collection of any tax or duty or any other imposition of a similar nature, shall be exempted from the General Principle, the Notice and Choice Principle, the Disclosure Principle and the Access Principle and other related provisions of this Act;

(b) processed in relation to information on the physical or mental health of a data subject shall be exempted from the Access Principle and other related provisions of this Act if the application of the provisions to the data subject may cause serious harm to the physical or mental health of the data subject or any other person;

(c) processed for preparing statistics or carrying out research shall be exempted from the General Principle, the Notice and Choice Principle, the Disclosure Principle and the Access Principle and other related provisions of this Act, provided that the personal data is not processed for any other purpose and that the resulting statistics or research findings are not made available in a form that identifies the data subject;

(d) that is necessary for the purpose of or in connection with any order or judgment of a court shall be exempted from the General Principle, the Notice and Choice Principle, the Disclosure Principle and the Access Principle and other related provisions of this Act;

(e) processed for the purpose of discharging regulatory functions shall be exempted from the General Principle, the Notice and Choice Principle, the Disclosure Principle and the Access Principle and other related provisions of this Act, if the application of those provisions to the personal data may affect the proper discharge of those functions; or (f) processed only for journalistic, literary or artistic purposes shall be exempted from the General Principle, the Notice and Choice Principle, the Disclosure Principle, the Retention Principle, the Data Integrity Principle and the Access Principle and other related provisions of this Act, provided that — (i) the processing is undertaken with a view to the publication by any person of the journalistic, literary or artistic material;

(ii) the data user reasonably believes that, taking into account the importance of the public interest in freedom of expression, the publication would be in the public interest; and (iii) the data user reasonably believes that, in all the circumstances, compliance with the provisions in respect of which the exemption is claimed shall be in accordance with the purposes of journalism, literature or the arts.


Power to make additional exemptions 46. (1) The Minister may, on the recommendation of the Commissioner, by order published in the Gazette exempt — (a) the application of any of the Personal Data Protection Principles under this Act to any data user or class of data users; or (b) any data user or class of data users from all or any of the provisions of this Act.

(2) the Minister may impose such terms or conditions as he thinks fit in respect of any exemption made under subsection (1).


(3) the Minister may at any time, on the recommendation of the Commissioner, by order published in the Gazette, revoke any order made under subsection (1).


PART IV APPOINTMENT, FUNCTIONS AND POWERS OF THE COMMISSIONER

Appointment of Commissioner 47. (1) The Minister shall appoint any person as the "Personal Data Protection Commissioner" for the purpose of exercising the functions and powers granted to the Commissioner under this Act upon such terms and conditions as he thinks fit.

(2) the appointment of the Commissioner shall be published in the Gazette.

(3) The Commissioner appointed under subsection (1) shall be a body corporate having perpetual succession and a common seal.

(4) The Commissioner may sue and be sued in his name.


Functions of the Commissioner 48. The Commissioner shall have the following functions: (a) advise the Minister on national policies for the protection of personal data and all other matters that are relevant;

(b) implement and enforce legal protection of personal data, including the formulation of policies and operational procedures;

(c) promote and encourage the associations or bodies representing data users to prepare a code of practice and disseminate the code of practice to its members for the purposes of this Act;

(d) cooperate with the body corporate or Government Agency for the purposes of its functions;

(e) determine in accordance with section 129 whether any place outside Malaysia has a system for the protection of personal data that is substantially similar to that provided under this Act or that serves similar purposes as this Act;

(f) carry out or cause to be carried out research into, and monitor developments in, the processing of personal data, including technology, in order to take into account any likely effect of such developments on the privacy of individuals in relation to personal data;

(g) monitor and supervise compliance with provisions of this Act, including the issuance of circulars, notices of commencement or any other instrument to any person;

(h) promote awareness and dissemination of information to the public on the coming into operation of this Act;

(i) liaise and cooperate with persons performing similar personal data protection functions in any place outside Malaysia in respect of matters of mutual interest, including matters pertaining to the privacy of individuals in relation to personal data;

(j) represent Malaysia through participation in events relating to the protection of personal data as permitted by the Minister, whether within or outside Malaysia; and (k) carry out any activity and do any thing that is necessary, beneficial and proper for the administration of this Act, or for any other purpose consistent with this Act as directed by the Minister.


Powers of Commissioner 49. (1) The Commissioner shall have all such powers to do all things necessary or expedient for or in connection with the performance of his functions under this Act.

(2) Without prejudice to the generality of subsection (1), the powers of the Commissioner shall include the power — (a) to collect any fees prescribed by the Minister;

(b) to appoint such agents, experts, consultants or any other persons as he thinks fit to assist him in the performance of his functions;

(c) to formulate human resource development and cooperation programmes for the proper and effective performance of his functions;

(d) to enter into contracts;

(e) to acquire, purchase, take, hold and enjoy any movable or immovable property for the performance of his functions, and to convey, assign, surrender, return, charge, mortgage, demise, transfer or otherwise dispose of, or make any arrangement regarding, such property or any interest therein vested in him;

(f) to perform any other functions assigned by the Minister from time to time; and (g) to do all things incidental to or arising from the performance of its functions.


Appointment of Deputy Commissioner and Assistant Commissioner 50. (1) The Commissioner may, with the approval of the Minister, from time to time, appoint such number of public officers as Deputy Commissioners and such number of persons as Assistant Commissioners as may be necessary to assist the Commissioner in the performance of his functions and exercise of his powers under this Act.

(2) The Deputy Commissioner and Assistant Commissioner appointed under subsection (1) shall hold office for such period, receive such remuneration, allowances or benefits, and shall be subject to such terms and conditions of service as determined by the Commissioner, with the approval of the Minister.

(3) the Deputy Commissioner and Assistant Commissioner appointed under subsection (1) shall be subject to the supervision, direction and control of the Commissioner.


The appointment of other officers and servants 51. The Commissioner may employ upon such terms and conditions as he thinks fit any officers and servants as may be necessary to assist the Commissioner in the performance of its functions and exercise of its powers under this Act.


Loans and advances to officers and servants 52. The Commissioner may grant loans and advances to the officers and servants employed under section 51 for any purpose and upon such terms and conditions as determined by the Commissioner.


Term of office 53. Subject to any conditions specified in the instrument of appointment, the Commissioner shall, unless he sooner resigns or his appointment is sooner revoked, hold office for a term not exceeding three years and is eligible for reappointment.


Revocation of appointment and resignation 54. (1) The Minister may at any time revoke the appointment of the Commissioner and shall state the reason for the revocation.

(2) The Commissioner may at any time resign his office by giving a written notice addressed to the Minister fourteen days before the intended date of resignation.


Temporary exercise of functions and powers of Commissioner 55. (1) The Minister may temporarily appoint a Deputy Commissioner to exercise the functions and powers of the Commissioner during the period when — (a) the Commissioner is, by reason of illness, leave of absence or any other cause, unable to perform his functions for any prolonged period; or (b) the office of the Commissioner is vacant.

(2) A person appointed under subsection (1) shall, during the period in which he performs the functions and exercises the powers of the Commissioner under this section, be deemed to be the Commissioner.


Vacation of office 56. The office of the Commissioner shall be vacated: (a) if he dies;

(b) if there has been proved against him, or if he has been convicted of, a charge in respect of — (i) an offence involving fraud, dishonesty or moral turpitude;

(ii) an offence under any law relating to corruption; or (iii) any other offence punishable with imprisonment (whether imprisonment only, or in addition to or in lieu of a fine) for a term exceeding two years;

(c) if his conduct, whether in connection with his duties as Commissioner or otherwise, has been such as to bring discredit on the office of the Commissioner;

(d) if he becomes bankrupt;

(e) if he is of unsound mind or is otherwise incapable of discharging his duties;

(f) if his appointment is revoked by the Minister; or (g) if his resignation is accepted by the Minister.


Remuneration and allowances 57. The Commissioner shall be paid such remuneration and allowances as determined by the Minister after consultation with the Minister of finance.


Delegation of functions and powers of Commissioner 58. (1) The Commissioner may, subject to such conditions, limitations or restrictions as he thinks fit to impose, delegate any of the functions or powers imposed or conferred upon him under this Act, except the power of delegation, to the Deputy Commissioner or Assistant Commissioner, and any functions or powers so delegated may be exercised and performed by the officer in the name and on behalf of the Commissioner.

(2) A delegation under subsection (1) shall not preclude the Commissioner from himself performing or exercising at any time any function or power so delegated.


Directions by Minister 59. (1) the Commissioner is responsible to the Minister.

(2) The Minister may give the Commissioner directions of a general character, consistent with the provisions of this Act, relating to the performance of the functions and powers of the Commissioner, and the Commissioner shall give effect to such directions.


Statements, reports, accounts and information 60. (1) the Commissioner shall give to the Minister and any public authority as directed by the Minister, statements, reports, accounts and information relating to its activities as required or directed by the Minister.

(2) Without prejudice to the generality of subsection (1), the Commissioner shall, as soon as practicable after the end of each financial year, cause to be prepared and sent to the Minister and, if so directed by the Minister, to any other public authority, a report dealing with the activities of the Commissioner during the preceding year, and the report shall be in such form and shall contain such information relating to the proceedings and policy of the Commissioner as specified by the Minister.



PART V PERSONAL DATA PROTECTION FUND

Establishment of Fund 61. (1) For the purposes of this Act, a fund to be known as the "Personal Data Protection Fund" is established.

(2) the Fund shall be controlled, maintained and operated by the Commissioner.

(3) the Fund shall consist of — (a) any sum of money allocated by Parliament for the purposes of this Act, from time to time;

(b) the fees, costs and any other charges imposed by or payable to the Commissioner under this Act;

(c) all moneys derived from the sale, disposal, leasing, rental or any other dealings with movable or immovable property vested in or acquired by the Commissioner;

(d) all moneys paid to the Commissioner from time to time for loans given by the Commissioner; and (e) all other moneys or property which may in any manner become payable to or vested in the Commissioner in respect of any matter incidental to his functions and powers.



Expenditure to be charged on the Fund 62. The Fund may be expended for the following purposes: (a) paying any legal expenses incurred by the Commissioner;

(b) paying any expenses incurred for organizing campaigns, research, studies and the publication of materials for the protection of personal data;

(c) paying the remuneration, allowances, benefits and other expenses of the Commissioner, Deputy Commissioner, Assistant Commissioner, members of the Advisory Committee, members, officers and servants of the Appeal Tribunal and officers and servants of the Commissioner, including the granting of loans and advances, retirement allowances, retirement benefits and gratuities;

(d) paying any other expenses, fees and costs, including fees for the engagement of consultants, and legal fees and costs, properly incurred or accepted, or deemed fitting, by the Commissioner in the performance of his functions and exercise of his powers;

(e) purchasing or hiring equipment and materials, acquiring land and any assets, and carrying out any other works and undertakings in the performance of his functions and exercise of his powers; and (f) generally, paying any expenses of carrying out the provisions of this Act.


Conservation of Fund 63. It shall be the duty of the Commissioner to conserve the Fund by so performing his functions and exercising his powers under this Act as to ensure that the total revenues of the Commissioner are sufficient to pay all sums properly chargeable on revenue account, including depreciation and interest on capital, from year to year.


Reserve fund 64. The Commissioner shall establish and maintain a reserve fund in the Fund.


Financial year 65. The financial year of the Commissioner shall commence on 1 January and end on 31 December of each year.



Restriction on contracts 66. The Commissioner shall not, without the approval of the Minister and the consent of the Minister of Finance, enter into any contract under which the Commissioner is required to pay or receive an amount in excess of two million dollars.


Bank account 67. The Commissioner shall open and maintain an account or accounts with such financial institution or financial institutions in Malaysia as the Commissioner, after consultation with the Minister, thinks fit; and every such account shall be operated as far as practicable by cheques signed by any person authorized by the Minister.



Accounts and audit 68. The Commissioner shall cause proper accounts to be kept and maintained in respect of the Fund in compliance with the provisions of the Statutory Bodies (Accounts and Annual Reports) Act 1980 [Act 240].


Expenditure and preparation of estimates 69. (1) The expenditure of the Commissioner, to the extent of any amount allowed by the Minister for any one year, shall be paid out of the Fund.

(2) before 1 June each year, the Commissioner shall submit an estimate of expenditure for the following year to the Minister, in such form and containing such particulars as directed by the Minister.

(3) The Minister shall, before 1 January of the following year, notify the Commissioner of the amount authorised for expenditure generally or of the amounts authorised for each description of expenditure on the basis of the estimate submitted under subsection (2).

(4) The Commissioner may at any time submit supplementary estimates of expenditure for any one year to the Minister, and the Minister may allow the whole or any part of the additional expenditure included in the supplementary estimates.

PART VI PERSONAL DATA PROTECTION ADVISORY COMMITTEE

Establishment of Advisory Committee 70. A Personal Data Protection Advisory Committee is established.

Functions of Advisory Committee 71. (1) The functions of the Advisory Committee are — (a) to advise the Commissioner on all matters relating to the protection of personal data, and the proper administration and enforcement of this Act; and (b) to advise the Commissioner on any matter referred by him to the Advisory Committee.

(2) the Commissioner is not bound to act on the advice of the Advisory Committee.


Members of the Advisory Committee 72. The Advisory Committee shall consist of the following members appointed by the Minister: (a) the Chairman;

(b) three members from the public sector; and (c) at least seven but not more than eleven other members.

Term of office 73. A member appointed under section 72 shall, unless he sooner resigns or his appointment is sooner revoked, hold office for such period not exceeding three years as determined by the Minister at the time of his appointment, and shall be eligible for reappointment; but no member may hold office for more than two consecutive terms.

Revocation of appointment and resignation 74. (1) The Minister may at any time revoke the appointment of any member of the Advisory Committee and shall state the reason for the revocation.

(2) A member of the Advisory Committee appointed under section 72 may at any time resign his office by giving a written notice addressed to the Minister fourteen days before the intended date of resignation.


Temporary exercise of functions of Chairman 75. (1) The Minister may temporarily appoint any member of the Advisory Committee to act as Chairman during the period when — (a) the Chairman is, by reason of illness, leave of absence or any other cause, unable to perform his functions for any prolonged period; or (b) the office of the Chairman is vacant.

(2) A member appointed under subsection (1) shall, during the period in which he performs the functions of the Chairman under this section, be deemed to be the Chairman.


Vacation of office 76. The office of a member of the Advisory Committee shall be vacated — (a) if he dies;

(b) if there has been proved against him, or if he has been convicted of, a charge in respect of — (i) an offence involving fraud, dishonesty or moral turpitude;

(ii) an offence under any law relating to corruption; or (iii) any other offence punishable with imprisonment (whether imprisonment only, or in addition to or in lieu of a fine) for a term exceeding two years;

(c) if his conduct, whether in connection with his duties as a member of the Advisory Committee or otherwise, has been such as to bring discredit on the Advisory Committee;

(d) if he becomes bankrupt;

(e) if he is of unsound mind or is otherwise incapable of discharging his duties;

(f) in the case of the Chairman, if he fails to attend a meeting of the Advisory Committee without the consent of the Minister in writing;

(g) in the case of a member of the Advisory Committee other than the Chairman, if he fails to attend three consecutive meetings of the Advisory Committee without the permission of the Chairman in writing;

(h) if his appointment is revoked by the Minister; or (i) if his resignation is accepted by the Minister.




Allowance 77. The Chairman and all other members of the Advisory Committee may be paid such allowance as determined by the Minister after consultation with the Minister of Finance.


Time and place of meetings 78. (1) The Advisory Committee shall hold as many meetings as are necessary to carry out its functions efficiently, and the meetings shall be held at such place and time as the Chairman may determine, provided that the Chairman shall not allow more than two months to elapse between meetings.

(2) the Chairman shall call a meeting if he is requested to do so in writing by the Minister or by at least four members of the Advisory Committee.


The Advisory Committee may invite others to meetings


79. (1) The Advisory Committee may invite any person to attend any meeting or deliberation of the Advisory Committee for the purpose of advising it on any matter under discussion.

(2) any person invited under subsection (1) shall be paid such allowance as determined by the Commissioner.


Minutes 80. (1) The Advisory Committee shall cause minutes of all its meetings to be maintained and kept in a proper form.

(2) Minutes made of meetings of the Advisory Committee shall, if duly signed, be admissible in all legal proceedings as evidence without further proof.

(3) Every meeting of the Advisory Committee in respect of which minutes have been so made shall be deemed to have been duly convened and held, and all members at the meeting to have been duly qualified to act.


Procedure 81. The Advisory Committee may regulate its own procedure.


Members to devote time to the business of the Advisory Committee 82. Members of the Advisory Committee should devote such time to the business of the Advisory Committee as may be necessary to discharge their duties effectively.


PART VII APPEAL TRIBUNAL

Establishment of Appeal Tribunal 83. An Appeal Tribunal is established for the purpose of reviewing any of the matters on appeal set out in section 93.


Powers of Appeal Tribunal 84. (1) The Appeal Tribunal shall have the power — (a) to summon the parties to the proceedings or any other person to appear before it to give evidence in respect of an appeal;

(b) to procure and receive evidence on oath or affirmation, whether written or oral, and examine all such persons as witnesses as may be deemed necessary by the Appeal Tribunal;

(c) where a person is so summoned, to require the production of any information, document or other thing in his possession or under his control which is deemed necessary by the Appeal Tribunal for the purposes of the appeal;

(d) to administer any oath, affirmation or statutory declaration, as the case may require;

(e) where a person is so summoned, to allow the payment of any reasonable expenses incurred in connection with his attendance;

(f) to admit evidence or reject evidence adduced, whether oral or documentary, and whether admissible or inadmissible under the provisions of any written law relating to the admissibility of evidence;

(g) to adjourn the hearing of the appeal, including the power to adjourn in order to consider its decision; and (h) generally to direct and to do all things necessary or expedient to expedite the determination of the appeal.

(2) The Appeal Tribunal shall have the powers of a court in respect of the enforcement of the attendance of witnesses, the hearing of evidence on oath or affirmation and the punishment for contempt.


Membership of the Appeal Tribunal 85. (1) The Appeal Tribunal shall consist of the following members who shall be appointed by the Minister: (a) a Chairman; and (b) at least two other members, or such greater number of members as deemed necessary by the Minister.

(2) the Minister shall appoint a person who is a member of the Federal judicial and legal service for at least ten years to be the Chairman of the Appeal Tribunal.

(3) appointment of members of the Appeal Tribunal shall be published by notification in the Gazette.


The Secretary to the Appeal Tribunal and other officers, etc.

86. (1) the Minister shall appoint a Secretary to the Appeal Tribunal on such terms and conditions as it thinks fit.

(2) the Secretary to the Appeal Tribunal shall be responsible for the Administration and management of the function of the Appeal Tribunal.

(3) The Minister may appoint such number of officers and servants as the Minister thinks fit to assist the Secretary to the Appeal Tribunal in the exercise of his functions under subsection (2).

(4) The Secretary to the Appeal Tribunal shall have general control of the officers and servants of the Appeal Tribunal.

(5) For the purposes of this Act, the Secretary to the Appeal Tribunal and an officer appointed under subsection (3) shall be deemed to be officers of the Appeal Tribunal.


Term of office 87. A member of the Appeal Tribunal appointed under subsection 85(1) shall, unless he sooner resigns or his appointment is sooner revoked — (a) hold office for a term not exceeding three years; and (b) be eligible for reappointment after the expiration of his term of office, but shall not be appointed for more than two consecutive terms.


Resignation and revocation 88. (1) The Minister may at any time revoke the appointment of a member of the Appeal Tribunal and shall state the reason for the revocation.

(2) A member of the Appeal Tribunal appointed under subsection 85(1) may at any time resign his office by giving a written notice addressed to the Minister fourteen days before the intended date of resignation.





Temporary exercise of functions of Chairman 89. (1) The Minister may temporarily appoint any member of the Appeal Tribunal to act as Chairman during the period when — (a) the Chairman is, by reason of illness, leave of absence or any other cause, unable to perform his functions for any prolonged period; or (b) the office of the Chairman is vacant.

(2) A member appointed under subsection (1) shall, during the period in which he performs the functions of the Chairman under this section, be deemed to be the Chairman.


Vacation of office 90. The office of a member of the Appeal Tribunal shall be vacated — (a) if he dies;

(b) if there has been proved against him, or if he has been convicted of, a charge in respect of — (i) an offence involving fraud, dishonesty or moral turpitude;

(ii) an offence under any law relating to corruption; or (iii) any other offence punishable with imprisonment (whether imprisonment only, or in addition to or in lieu of a fine) for a term exceeding two years;

(c) if his conduct, whether in connection with his duties as a member of the Appeal Tribunal or otherwise, has been such as to bring discredit on the Appeal Tribunal;

(d) if he becomes bankrupt;

(e) if he is of unsound mind or is otherwise incapable of discharging his duties;

(f) if he fails to comply with his obligations under section 92;

(g) if his performance as a member of the Appeal Tribunal has been unsatisfactory for a significant period of time;

(h) if his appointment is revoked by the Minister; or (i) if his resignation is accepted by the Minister.


Allowances 91. (1) The Chairman of the Appeal Tribunal appointed under paragraph 85(1)(a) shall be paid such allowances and other allowances as determined by the Minister.

(2) The other members of the Appeal Tribunal appointed under paragraph 85(1)(b) shall be paid — (a) a daily allowance during the sitting of the Appeal Tribunal; and (b) allowances for accommodation, travel and living, as determined by the Minister.



Disclosure of interest 92. (1) A member of the Appeal Tribunal shall disclose, as soon as practicable, to the Chairman any interest, whether substantial or not, which may conflict with the member's duties as a member of the Appeal Tribunal in a particular matter.

(2) If the Chairman is of the opinion that the member's interest is in conflict with his duties as a member of the Appeal Tribunal, the Chairman shall notify all parties to the matter of the conflict.

(3) If no party to the matter objects to the conflict, the member may continue to perform his duties as a member of the Appeal Tribunal in respect of that matter.

(4) Where a party to the matter objects to the conflict, the member of the Appeal Tribunal shall not continue to perform his duties as a member of the Appeal Tribunal in respect of that matter.

(5) The failure by the member to disclose his interest under subsection (1) shall — (a) invalidate the decision of the Appeal Tribunal, unless all parties agree to be bound by the decision; and (b) make the member subject to the revocation of his appointment under section 88.


Appeal to the Appeal Tribunal 93. (1) Any person aggrieved by a decision of the Commissioner under this Act relating to matters including — (a) the registration of a data user under Chapter 2 of Part II;

(b) the refusal of the Commissioner to register a code of practice under subsection 23 (5);

(c) the data user's failure to comply with a data access request or data correction request under Chapter 4 of part II;

(d) the issuance of a notice of enforcement under section 108;

(e) the refusal of the Commissioner to vary or revoke a notice of enforcement under section 109; and (f) the refusal of the Commissioner to carry out or continue an investigation initiated by a complaint under part VIII, may appeal to the Appeal Tribunal by filing a notice of appeal with the Appeal Tribunal.

(2) The notice of appeal shall be made in writing to the Appeal Tribunal within thirty days from the date of the decision of the Commissioner, or in the case of an enforcement notice, within thirty days after the enforcement notice is served upon the relevant data user, and the appellant shall serve a copy of the notice of appeal upon the Commissioner.

(3) The notice of appeal shall state briefly the substance of the decision of the Commissioner against which an appeal is filed with the Appeal Tribunal, contain an address at which any notices or documents pertaining to the appeal may be served upon the appellant or his advocate, and shall be signed by the appellant or his advocate.


Record of decision of Commissioner 94. (1) The person aggrieved referred to in subsection 93(1) may, on his own initiative, request in writing from the Commissioner a statement of the reasons for the decision of the Commissioner.

(2) subject to subsection (3), the Commissioner shall, when he received a written request under subsection (1), provide the person aggrieved, on payment of the prescribed fee, a copy of the statement of reasons for its decision.

(3) When a notice of appeal has been filed with the Appeal Tribunal under subsection 93(1), the Commissioner shall, if he has not already written the reasons for his decision in respect of the matters specified in the notice under subsection 93(1), record in writing the reasons for the decision, and the written reasons shall form part of the record of the proceedings before the Appeal Tribunal.


Suspension of decision pending appeal 95. (1) A decision of the Commissioner shall be valid, binding and enforceable pending the decision of the appeal by the Appeal Tribunal, unless an appeal against an enforcement notice has been made to the Appeal Tribunal in accordance with subsection 93(2), or a suspension of the decision of the Commissioner has been applied for under subsection (2) and authorised by the Appeal Tribunal.

(2) any person aggrieved may apply in writing to the Appeal Tribunal for a stay of the decision of the Commissioner on or after notice of appeal is filed with the Appeal Tribunal.




Appeal Tribunal membership 96. (1) Every proceeding of the Appeal Tribunal shall be heard and disposed of by three members or such greater odd number of members of the Appeal Tribunal as decided by the Chairman in any particular case.

(2) In the absence of the Chairman, the more senior member of the Appeal Tribunal shall act as Chairman.


Sitting of the Appeal Tribunal 97. (1) The Appeal Tribunal shall sit on such date and at such place as designated by the Chairman.

(2) The Chairman may cancel or postpone any sitting of the Appeal Tribunal or change the place appointed under subsection (1).

(3) The Secretary to the Appeal Tribunal shall by notice in writing notify the parties to the appeal of any change of the date or place of any sitting of the Appeal Tribunal.


Procedure of the Appeal Tribunal 98. The Appeal Tribunal may regulate its own procedure.


Decision of the Appeal Tribunal 99. (1) The decision of the Appeal Tribunal on any matter shall be decided by a majority of the members of the Appeal Tribunal.

(2) A decision of the Appeal Tribunal shall be final and binding on the parties to the appeal.

Enforcement of the decision of the Appeal Tribunal 100. A decision given by the Appeal Tribunal may, with the leave of the Sessions Court, be enforced in the same manner as a judgment or order to the same effect, and if such leave is granted, judgment may be entered in terms of the decision.


PART VIII INSPECTIONS, COMPLAINTS AND INVESTIGATIONS

Inspection of personal data systems 101. (1) The Commissioner may carry out an inspection of — (a) any personal data system used by a data user, for the purpose of ascertaining information to assist the Commissioner in making recommendations to the relevant data user relating to the promotion of compliance with the provisions of this Act, in particular the principles of Personal Data protection, by the relevant data user; or (b) any personal data system used by data users belonging to a class of data users, for the purpose of ascertaining information to assist the Commissioner in making recommendations to the class of data users to which the relevant data user belongs relating to the promotion of compliance with the provisions of this Act, in particular the principles of Personal Data protection, by the class of data users to which the relevant data user belongs.


(2) For the purposes of this section — "data user" includes a data processor;

"personal data system" means any system, whether automated or otherwise, used, whether in whole or in part, by a data user for the processing of personal data, and includes the record maintained under section 44 and any documents and equipment forming part of the system.


Relevant data user, etc., to be informed of the results of inspection 102. Where the Commissioner has completed an inspection of a personal data system, he shall, in such manner and at such time as he thinks fit, inform the relevant data user or the class of data users to which the relevant data user belongs of — (a) the results of the inspection;

(b) any recommendations arising from the inspection that the Commissioner thinks fit to make relating to the promotion of compliance with the provisions of this Act, in particular the principles of Personal Data protection, by the relevant data user or the class of data users to which the relevant data user belongs; and (c) any other comments arising from the inspection as he thinks fit.


Reports by the Commissioner 103. (1) The Commissioner may, after completing an inspection of any personal data system used by data users belonging to a class of data users, publish a report — (a) setting out any recommendations arising from the inspection that the Commissioner thinks fit to make relating to the promotion of compliance with the provisions of this Act, in particular the principles of Personal Data protection, by the class of data users to which the relevant data users belong; and (b) in such manner as he thinks fit.

(2) A report under subsection (1) shall be framed in such a way as to prevent the identity of any person from being ascertained from it.


Complaints 104. Any individual or person may make a complaint in writing to the Commissioner about an act, practice or request — (a) specified in the complaint;

(b) that has been done or made, or is being done or made, by the data user specified in the complaint;

(c) that relates to personal data of which that individual is the data subject; and (d) that may contravene the provisions of this Act, including any code of practice.




Investigation by the Commissioner 105. (1) Where the Commissioner receives a complaint under section 104, the Commissioner shall, subject to section 106, carry out an investigation in relation to the relevant data user to ascertain whether the act, practice or request specified in the complaint contravenes the provisions of this Act.

(2) Where the Commissioner has reasonable grounds to believe that an act, practice or request has been done or made, or is being done or made, by the relevant data user in relation to personal data and that the act, practice or request may contravene this Act, the Commissioner may carry out an investigation in relation to the relevant data user to ascertain whether the act, practice or request contravenes the provisions of this Act.

(3) Part IX shall apply in respect of investigations carried out by the Commissioner under this section.


Restrictions on investigations initiated by complaint 106. (1) The Commissioner may refuse to carry out or continue an investigation initiated by a complaint if he is of the opinion that, having regard to all the circumstances of the case — (a) the complaint, or a complaint of a substantially similar nature, has previously initiated an investigation as a result of which the Commissioner is of the opinion that there has been any breach of the provisions of this Act;

(b) the act, practice or request specified in the complaint is trivial;

(c) the complaint is frivolous, vexatious or not made in good faith; or (d) any investigation or further investigation is for any other reason unnecessary.

(2) Notwithstanding the generality of the powers conferred on the Commissioner by this Act, the Commissioner may refuse to carry out or continue an investigation initiated by a complaint — (a) if — (i) the complainant; or (ii) in the case where the complainant is a relevant person in relation to a data subject, the data subject or the relevant person, as the case may be, has had actual knowledge of the act, practice or request specified in the complaint for a period exceeding two years immediately before the date on which the Commissioner received the complaint, unless the Commissioner is satisfied that in all the circumstances of the case it is desirable to carry out or continue the investigation;

(b) if the complaint is made anonymously;

(c) if the complainant cannot be identified or located;

(d) if the Commissioner is satisfied that the relevant data user has not been a data user for a period of not less than two years immediately before the date on which the Commissioner received the complaint; or (e) in any other circumstances as he thinks fit.

(3) Where the Commissioner refuses under this section to carry out or continue an investigation initiated by a complaint, he shall, as soon as practicable but in any case not later than thirty days after the date of receipt of the complaint, by notice in writing served on the complainant, inform the complainant of the refusal and of the reasons for the refusal.

(4) An appeal may be made to the Appeal Tribunal against any refusal specified in the notice under subsection (3) by the complainant on whom the notice was served or, if the complainant is a relevant person, by the data subject in respect of whom the complainant is a relevant person.


The Commissioner may carry out or continue an investigation initiated by a complaint even though the complaint is withdrawn 107. If the Commissioner is of the opinion that it is in the public interest to do so, he may carry out or continue an investigation initiated by a complaint even though the complainant has withdrawn the complaint and, in any such case, the provisions of this Act shall apply in respect of the complaint and the complainant as if the complaint had not been withdrawn.


Enforcement notice 108. (1) Where, following the completion of an investigation into an act, practice or request specified in the complaint, the Commissioner is of the opinion that the relevant data user — (a) is contravening a provision of this Act; or (b) has contravened such a provision in circumstances that make it likely that the contravention will continue or be repeated, then the Commissioner may serve on the relevant data user an enforcement notice — (A) stating that he is of that opinion;

(B) specifying the provision of this Act on which he has based that opinion and the reasons why he is of that opinion;

(C) directing the relevant data user to take such steps as are specified in the enforcement notice to remedy the contravention or, as the case may be, the matters occasioning it within such period as is specified in the enforcement notice; and (D) directing, if necessary, the relevant data user to cease processing the personal data pending the remedy of the contravention by the relevant data user.

(2) In deciding whether to serve an enforcement notice, the Commissioner shall consider whether the contravention or the matter to which the enforcement notice relates has caused or is likely to cause damage or distress to the data subject of the personal data to which the contravention or matter relates.

(3) The steps specified in the enforcement notice to remedy the contravention or the matter to which the enforcement notice relates may be framed — (a) to any extent by reference to any approved code of practice; or (b) so as to give the relevant data user a choice between different ways of remedying the contravention or matter.

(4) The period specified in the enforcement notice under subsection (1) for taking the steps specified in it shall not expire before the end of the period specified in subsection 93(2) within which an appeal against the enforcement notice may be made and, if such an appeal is made, the steps need not be taken pending the determination or withdrawal of the appeal.

(5) Notwithstanding subsection (4), if the Commissioner is of the opinion that by reason of special circumstances the steps specified in the enforcement notice should be taken as a matter of urgency — (a) he may include a statement to that effect in the enforcement notice, together with the reasons why he is of that opinion; and (b) where such a statement is so included, subsection (4) shall not apply but the enforcement notice shall not require the steps to be taken before the end of the period of seven days from the date on which the enforcement notice was served.

(6) An appeal may be made to the Appeal Tribunal against an enforcement notice by the relevant data user in accordance with section 93.

(7) Where the Commissioner — (a) forms the opinion referred to in subsection (1) in respect of the relevant data user at any time before the completion of an investigation; and (b) is also of the opinion that, by reason of special circumstances, an enforcement notice should be served on the relevant data user as a matter of urgency, he may serve the enforcement notice even though the investigation has not been completed and, in any such case — (A) the Commissioner shall, without prejudice to any other matters to be included in the enforcement notice, state in the enforcement notice the reasons why he is of the opinion referred to in paragraph (b); and (B) the other provisions of this Act, including this section, shall be construed accordingly.

(8) A person who fails to comply with an enforcement notice commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.


Variation or cancellation of enforcement notice 109. The Commissioner may, on his own initiative or on the application of the relevant data user, vary or cancel the enforcement notice served under subsection 108(1) by notice in writing to the relevant data user if the Commissioner is satisfied with the action taken by the relevant data user to remedy the contravention.





PART IX ENFORCEMENT

Authorized officer 110. The Commissioner may in writing authorize any officer appointed under sections 50 and 51 or any public officer to exercise the powers of enforcement under this Act.


Authority card 111. (1) The Commissioner shall issue to each authorized officer an authority card, which shall be signed by the Commissioner.

(2) Whenever an authorized officer exercises any of the powers of enforcement under this Act, he shall, on request, produce to the person against whom the power is being exercised the authority card issued to him under subsection (1).


Power of investigation 112. (1) An authorized officer may investigate the commission of any offence under this Act.

(2) For the avoidance of doubt, it is declared that for the purposes of this Act, the authorized officer shall have all or any of the special powers of a police officer of whatever rank in relation to police investigations in seizable cases as provided under the Criminal Procedure Code [Act 593], and such powers shall be in addition to the powers provided under this Act and not in derogation thereof.

Search and seizure with warrant 113. (1) If it appears to a Magistrate, on information given in writing by an authorized officer and after such inquiry as the Magistrate considers necessary, that there is reasonable cause to believe that — (a) any premises has been used for; or (b) there is in any premises evidence necessary to the conduct of an investigation into, the commission of an offence under this Act, the Magistrate may issue a warrant authorizing the authorized officer named in the warrant, at any reasonable time by day or by night and with or without assistance, to enter the premises, if need be by force.

(2) Without prejudice to the generality of subsection (1), the warrant issued by the Magistrate may authorize the search and seizure of — (a) any computer, books, accounts, computerised data or other documents that contain or are reasonably suspected to contain information about any offence suspected to have been committed;

(b) any signs, cards, letters, pamphlets, sheet or notice stating or implying that the person is registered under this Act; or (c) any equipment, apparatus or thing reasonably believed to furnish evidence of the commission of the offence.

(3) An authorized officer who is carrying out a search under subsection (1) may, for the purpose of investigating the offence, search any person who is in or on the premises.

(4) An authorized officer who searches a person under subsection (3) or section 114 may seize or take possession of, and keep in safe custody, all things other than clothes found on that person, and any such thing which there is reason to believe is an instrument or other evidence of the offence may be detained until the person is discharged or released.

(5) Whenever it is necessary to cause a woman to be searched, the search shall be carried out by another woman with strict regard to decency.

(6) If, by reason of its nature, size or amount, it is not practicable to remove any computer, books, accounts, computerised data or other documents, signs, cards, letters, pamphlets, sheet, notice, fittings, equipment or thing seized under this section, the authorized officer shall by any means seal the computer, books, accounts, computerised data or other documents, signs, cards, letters, pamphlets, sheet, notice, fittings, equipment or thing in the premises or container in which it is found.

(7) Any person who, without lawful authority, breaks, tampers with or damages the seal referred to in subsection (6) or removes any computer, books, accounts, computerised data or other documents, signs, cards, letters, pamphlets, sheet, notice, fittings, equipment or thing under seal, or attempts to do so, commits an offence and shall, on conviction, be liable to a fine not exceeding fifty thousand ringgit or to imprisonment for a term not exceeding six months or to both.


Search and seizure without warrant 114. If an authorized officer is satisfied on information received that he has reasonable cause to believe that by reason of delay in obtaining a search warrant under section 113 the investigation would be adversely affected or evidence of the commission of an offence is likely to be tampered with, removed, damaged or destroyed, the authorized officer may enter the premises and exercise in, on and in respect of the premises all the powers referred to in section 113 in as full and ample a manner as if he were authorized to do so by a warrant issued under that section.


Access to computerized data 115. (1) An authorized officer who is carrying out a search under sections 113 and 114 shall be given access to computerized data, whether stored in a computer or otherwise.

(2) For the purposes of this section, "access" — (a) includes being provided with the necessary password, encryption code, decryption code, software or hardware and any other means required to enable the computerized data to be understood; and (b) has the meaning assigned to it by subsections 2(2) and (5) of the Computer Crimes Act 1997 [Act 563].


Warrant admissible notwithstanding defects 116. A search warrant issued under this Act shall be valid and enforceable notwithstanding any defect, error or omission therein or in the application for the warrant, and any computer, books, accounts, computerised data or other documents, signs, cards, letters, pamphlets, sheet, notice, fittings, equipment or goods seized under the warrant shall be admissible as evidence in any proceedings under this Act.


List of computers, books, accounts, etc., seized 117. (1) Except as provided in subsection (2), where any computer, books, accounts, computerised data or other documents, signs, cards, letters, pamphlets, sheet, notice, fittings, equipment or thing is seized pursuant to this Act, the authorized officer making the search — (a) shall prepare — (i) a list of the computer, books, accounts, computerised data or other documents, signs, cards, letters, pamphlets, sheet, notice, fittings, equipment or goods seized and shall sign the list; and (ii) a written notice of the seizure containing the reason for the seizure and shall sign the notice; and (b) shall as soon as practicable serve a copy of the list of the computer, books, accounts, computerised data or other documents, signs, cards, letters, pamphlets, sheet, notice, fittings, equipment or goods seized and the written notice of the seizure on the occupier of the premises which have been searched, or on his agent or servant at the premises.

(2) The written notice of the seizure shall not be required to be served pursuant to paragraph (1)(b) where the seizure is made in the presence of the person against whom proceedings under this Act are intended to be taken, or in the presence of the owner of such property or his agent, as the case may be.

(3) Where the premises are unoccupied, the authorized officer shall post a copy of the list of the computer, books, accounts, computerised data or other documents, signs, cards, letters, pamphlets, sheet, notice, fittings, equipment or goods seized in a conspicuous place on the premises.


Release of computers, books, accounts, etc., seized 118. (1) Where any computer, books, accounts, computerised data or other documents, signs, cards, letters, pamphlets, sheet, notice, fittings, equipment or items have been seized under this Act, the authorized officer who made the seizure shall, after referring to the Public Prosecutor, release the computer, books, accounts, computerised data or other documents, signs, cards, letters, pamphlets, sheet, notice, fittings, equipment or items to the person determined by him to be lawfully entitled to them, if the computer, books, accounts, computerised data or other documents, signs, cards, letters, pamphlets, sheet, notice, fittings, equipment or items are not liable to forfeiture under this Act and are not otherwise required for the purposes of any proceedings under this Act or for the purpose of any prosecution under any other written law, and in such event neither the authorized officer who made the seizure, nor the Federal Government, the Commissioner or any person acting on behalf of the Federal Government or the Commissioner shall be liable to any proceedings by any person if the seizure and release of the computer, books, accounts, computerised data or other documents, signs, cards, letters, pamphlets, sheet, notice, fittings, equipment or items were made in good faith.

(2) A written record shall be made by the authorized officer who made the release of the computer, books, accounts, computerised data or other documents, signs, cards, letters, pamphlets, sheet, notice, fittings, equipment or thing under subsection (1), setting out in detail the circumstances of and the reasons for the release, and he shall send a copy of the record to the Public Prosecutor within seven days from the release.


No costs or damages arising from seizure to be recoverable 119. No person shall, in any proceedings before any court in respect of any computer, books, accounts, computerised data or other documents, signs, cards, letters, pamphlets, sheet, notice, fittings, equipment or goods seized in the exercise or purported exercise of any of the powers conferred under this Act, be entitled to the costs of the proceedings or to any damages or other relief unless the seizure was made without reasonable cause.


Obstruction of search 120. Any person who — (a) refuses to give any authorized officer access to any premises to which the authorized officer is entitled under this Act or in the discharge of any duty imposed or power conferred by this Act;

(b) assaults, obstructs, hinders or delays any authorized officer in making any entry which the authorized officer is entitled to make under this Act, or in the discharge of any duty imposed or power conferred by this Act; or (c) refuses to give any authorized officer any information relating to an offence or suspected offence under this Act or any other information that may reasonably be required of him and that is within his knowledge or power to give, commits an offence and shall, on conviction, be liable to imprisonment for a term not exceeding two years or to a fine not exceeding ten thousand ringgit or to both.


Power to require production of computers, books, accounts, etc.

121. An authorized officer shall, for the purposes of the implementation of this Act, have the power to do all or any of the following: (a) require the production of any book, account, computer, computerised data or other document kept by the data user or any other person and examine, review and download from it, make copies of it or take extracts from it;

(b) require the production of any identification document from any person in relation to any act or offence under this Act;

(c) make any inquiry necessary to ascertain whether the provisions of this Act have been complied with.


Power to require the attendance of persons who have knowledge of the case 122. (1) An authorized officer who is carrying out an investigation under this Act may by order in writing require the attendance before him of any person who, in the opinion of the authorized officer, has knowledge of the facts and circumstances of the case, and such person shall attend as so required.

(2) If any such person refuses or fails to attend as so required, the authorized officer may report the refusal or failure to a Magistrate, who shall issue a summons to secure the attendance of such person as may be required by the order made under subsection (1).


Examination of persons with knowledge of the case 123. (1) An authorized officer who is carrying out an investigation under this Act may examine orally any person alleged to have knowledge of the facts and circumstances of the case and shall reduce into writing any statement made by the person examined.

(2) Such person shall be bound to answer all questions relating to the case put to him by the authorized officer: provided that such person may refuse to answer any question the answer to which would tend to expose him to a criminal charge or penalty or forfeiture.

(3) A person who makes a statement under this section shall be legally bound to state the truth, whether or not the statement is made wholly or partly in answer to questions.

(4) The authorized officer examining a person under subsection (1) shall first inform that person of the provisions of subsections (2) and (3).

(5) A statement made by any person under this section shall, where possible, be recorded in writing and signed by the person making it or affixed with his thumbprint, as the case may be, after the statement has been read out to him in the language in which he made it and after he has been given an opportunity to make any corrections he wishes.


Admissibility of statements as evidence 124. (1) Except as provided in this section, no statement made by any person to an authorized officer in the course of an investigation made under this Act may be used as evidence.

(2) When any witness, other than the accused, is called for the prosecution or for the defence, the court shall, at the request of the accused or the prosecutor, refer to any statement made by that witness to the authorized officer in the course of an investigation under this Act and may then, if the court thinks fit in the interest of justice, direct that the accused be given a copy of the statement, and the statement may be used to challenge the credibility of the witness in the manner provided by the Evidence Act 1950 [Act].

(3) If the accused has made a statement during the course of an investigation, the statement is admissible as evidence in support of his defence during the course of the trial.

(4) Nothing in this section shall be deemed to apply to any statement made in the course of an identification parade or falling within section 27 or paragraphs 32(1)(a), (i) and (j) of the Evidence Act 1950.

(5) When any person is charged with any offence relating to — (a) the making; or (b) the contents, of any statement made by him to an authorized officer in the course of an investigation made under this Act, that statement may be used as evidence in the prosecution's case.


Forfeiture of computers, books, accounts, etc., seized 125. (1) Any computer, books, accounts, computerised data or other documents, signs, cards, letters, pamphlets, sheet, notice, fittings, equipment or items seized may be forfeited.

(2) An order for the forfeiture of the computer, books, accounts, computerised data or other documents, signs, cards, letters, pamphlets, sheet, notice, fittings, equipment or goods seized and liable to forfeiture under this Act shall be made by the court before which the prosecution in respect of them has been held if it is proved to the satisfaction of the court that an offence under this Act has been committed and that the computer, books, accounts, computerised data or other documents, signs, cards, letters, pamphlets, sheet, notice, fittings, equipment or thing seized was the subject matter of or was used in the commission of the offence, even though no person has been convicted of the offence.

(3) If there is no prosecution in respect of any computer, books, accounts, computerised data or other documents, signs, cards, letters, pamphlets, sheet, notice, fittings, equipment or thing seized under this Act, the computer, books, accounts, computerised data or other documents, signs, cards, letters, pamphlets, sheet, notice, fittings, equipment or items shall be taken and deemed to be forfeited upon the expiry of one calendar month from the date of delivery of a notice to the last known address of the person from whom the computer, books, accounts, computerised data or other documents, signs, cards, letters, pamphlets, sheet, notice, fittings, equipment or goods were seized stating that there is no prosecution in respect of the computer, books, accounts, computerised data or other documents, signs, cards, letters, pamphlets, sheet, notice, fittings, equipment or goods, unless before the expiry of that period a claim to them is made in the manner specified in subsections (4), (5) and (6).

(4) Any person who asserts that he is the owner of the computer, books, accounts, computerised data or other documents, signs, cards, letters, pamphlets, sheet, notice, fittings, equipment or thing referred to in subsection (3) and that it is not liable to forfeiture may, personally or by his agent authorized in writing, give notice to the authorized officer in whose possession the computer, books, accounts, computerised data or other documents, signs, cards, letters, pamphlets, sheet, notice, fittings, equipment or items are held that he claims the computer, books, accounts, computerised data or other documents, signs, cards, letters, pamphlets, sheet, notice, fittings, equipment or items.

(5) Where a notice under subsection (4) is received, the authorized officer shall refer the matter to a Magistrate for his decision.

(6) The Magistrate to whom the matter is referred under subsection (5) shall issue a summons requiring the person who asserts that he is the owner of the computer, books, accounts, computerised data or other documents, signs, cards, letters, pamphlets, sheet, notice, fittings, equipment or items and the person from whom they were seized to appear before the Magistrate, and when they appear or fail to appear, it having been proved that the summons was duly served, the Magistrate shall proceed with the examination of the matter and, upon proof that an offence under this Act has been committed and that the computer, books, accounts, computerised data or other documents, signs, cards, letters, pamphlets, sheet, notice, fittings, equipment or thing seized was the subject matter of or was used in the commission of the offence, the Magistrate shall order that the computer, books, accounts, computerised data or other documents, signs, cards, letters, pamphlets, sheet, notice, fittings, equipment or items be forfeited, and shall, in the absence of such proof, order their release.

(7) Any computer, books, accounts, computerised data or other documents, signs, cards, letters, pamphlets, sheet, notice, fittings, equipment or thing forfeited or deemed to be forfeited shall be delivered to the Commissioner and shall be disposed of in such manner as the Commissioner thinks fit.


Joinder of offences 126. Notwithstanding anything contained in section 164 of the Criminal Procedure Code, where a person is accused of more than one offence under this Act, he may be charged with and tried at one trial for any number of such offences committed within any length of time.


Power of arrest 127. (1) An authorized officer or police officer may arrest without warrant any person whom he reasonably believes has committed or is attempting to commit an offence under this Act.

(2) An authorized officer who makes an arrest under subsection (1) shall without unnecessary delay hand over the person arrested to the nearest police officer or, in the absence of a police officer, take the person to the nearest police station, and thereafter that person shall be dealt with as provided by the law relating to criminal procedure in force as if he had been arrested by a police officer.

PART X MISCELLANEOUS

Register 128. (1) The Commissioner shall maintain, in both physical and electronic forms, a register as required under this Act.

(2) A person may, on payment of the prescribed fee — (a) inspect the register; or (b) make copies of or take extracts from an entry in the register.

(3) Where a person requests that a copy of an entry in the register be given in electronic form, the Commissioner may provide the relevant information by electronic means.


Transfer of personal data to places outside Malaysia 129. (1) a data user may not transfer any personal data of a data subject to a place outside Malaysia unless to any place specified by the Minister, on the recommendation of the Commissioner, by notification published in the Gazette.

(2) For the purposes of subsection (1), the Minister may specify any place outside Malaysia if — (a) there is in that place in force any law which is substantially similar to this Act, or which serves the same purposes as this Act; or (b) that place ensures an adequate level of protection in relation to the processing of personal data which is at least equivalent to the level of protection provided by this Act.

(3) Notwithstanding subsection (1), a data user may transfer any personal data to a place outside Malaysia if — (a) the data subject has given his consent to the transfer;

(b) the transfer is necessary for the performance of a contract between the data subject and the data user;

(c) the transfer is necessary for the conclusion or performance of a contract between the data user and a third party which — (i) is entered into at the request of the data subject; or (ii) is in the interests of the data subject;

(d) the transfer is for the purpose of any legal proceedings or for the purpose of obtaining legal advice or to establish, exercise or defend a right in law;

(e) the data user has reasonable grounds for believing that in all the circumstances of the case — (i) the transfer is for the avoidance or mitigation of adverse action against the data subject;

(ii) it is not practicable to obtain the consent in writing of the data subject to the transfer; and (iii) if it were practicable to obtain such consent, the data subject would have given his consent;

(f) the data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not be processed in that place in any manner which, if that place were Malaysia, would be a contravention of this Act;

(g) the transfer is necessary to protect the vital interests of the data subject; or (h) the transfer is necessary as being in the public interest in circumstances determined by the Minister.

(4) If the Commissioner has reasonable grounds for believing that in a place specified under subsection (1) there is no longer in force any law which is substantially similar to this Act, or which serves the same purposes as this Act — (a) the Commissioner shall make such recommendations to the Minister, who shall, either by cancelling or amending the notification made under subsection (1), cause that place to cease to be a place to which personal data may be transferred under this section; and (b) the data user shall cease to transfer any personal data of a data subject to that place with effect from the time specified by the Minister in the notification.


(5) A data user who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding three hundred thousand dollars or to imprisonment for a term not exceeding two years or to both.

(6) For the purposes of this section, "adverse action", in relation to a data subject, means any action that may adversely affect the rights, benefits, privileges, obligations or interests of the data subject.


Unlawful collecting, etc., of personal data 130. (1) A person shall not knowingly or recklessly, without the consent of the data user — (a) collect or disclose personal data that is held by the data user; or (b) procure the disclosure to another person of personal data that is held by the data user.

(2) Subsection (1) shall not apply to a person who shows — (a) that the collecting or disclosing of the personal data or the procuring of the disclosure of the personal data — (i) was necessary for the purpose of preventing or detecting a crime or for the purpose of investigations; or (ii) was required or authorized by or under any law or by the order of a court;

(b) that he acted in the reasonable belief that he had in law the right to collect or disclose the personal data or to procure the disclosure of the personal data to the other person;

(c) that he acted in the reasonable belief that he would have had the consent of the data user if the data user had known of the collecting or disclosing of the personal data or the procuring of the disclosure of the personal data and the circumstances of it; or (d) that the collecting or disclosing of the personal data or the procuring of the disclosure of the personal data was justified as being in the public interest in circumstances determined by the Minister.

(3) A person who collects or discloses personal data or procures the disclosure of personal data in contravention of subsection (1) commits an offence.

(4) A person who sells personal data commits an offence if he has collected the personal data in contravention of subsection (1).

(5) A person who offers to sell personal data commits an offence if — (a) he has collected the personal data in contravention of subsection (1); or (b) he subsequently collects the personal data in contravention of subsection (1).

(6) for the purposes of subsection (5), an advertisement indicating that personal data is for sale or is likely to be sold is an offer to sell the personal data.

(7) A person who commits an offence under this section shall, on conviction, be liable to a fine not exceeding five hundred thousand dollars or to imprisonment for a term not exceeding three years or to both.


Abetment and attempt punishable as offences 131. (1) A person who abets the commission of or who attempts to commit any offence under this Act shall be guilty of that offence and shall, on conviction, be liable to the punishment provided for that offence.

(2) A person who does any act preparatory to or in furtherance of the commission of any offence under this Act shall be guilty of that offence and shall, on conviction, be liable to the punishment provided for the offence: provided that any term of imprisonment imposed shall not exceed one-half of the maximum term provided for the offence.


Compounding of offences 132. (1) The Commissioner may, with the consent in writing of the Public Prosecutor, compound any offence committed by any person under this Act and prescribed to be a compoundable offence by making a written offer to the person suspected to have committed the offence to compound the offence upon payment to the Commissioner of an amount not exceeding fifty per cent of the amount of the maximum fine for that offence within the time specified in the written offer.

(2) An offer under subsection (1) may be made at any time after the offence has been committed but before any prosecution for it has been instituted, and if the amount specified in the offer is not paid within the time specified in the offer or any extension of time granted by the Commissioner, prosecution for the offence may be instituted at any time after that against the person to whom the offer was made.

(3) Where an offence has been compounded under subsection (1), no prosecution shall be instituted in respect of the offence against the person to whom the offer to compound was made, and any computer, books, accounts, computerised data or other documents, signs, cards, letters, pamphlets, sheet, notice, fittings, equipment or items seized in connection with the offence may be released or forfeited by the Commissioner, subject to such terms and conditions as he thinks fit to impose in accordance with the conditions of the compound.

(4) All sums received by the Commissioner under this section shall be paid into the Federal Consolidated Fund.


Offences by body corporate 133. (1) Where a body corporate commits an offence under this Act, any person who at the time of the commission of the offence was a director, chief executive officer, chief operating officer, manager, secretary or other similar officer of the body corporate or was purporting to act in any such capacity or was in any manner or to any extent responsible for the management of any of the affairs of the body corporate or was assisting in such management — (a) may be charged severally or jointly in the same proceedings with the body corporate; and (b) if the body corporate is found to have committed the offence, shall be deemed to have committed that offence unless, having regard to the nature of his functions in that capacity and to all the circumstances, he proves — (i) that the offence was committed without his knowledge, consent or connivance; and


(ii) that he took all reasonable precautions and exercised all due diligence to prevent the commission of the offence.

(2) If any person would be liable under this Act to any punishment or penalty for his act, omission, neglect or default, he shall be liable to the same punishment or penalty for every such act, omission, neglect or default of any employee or agent of his, or of the employee of the agent, if the act, omission, neglect or default was committed — (a) by that person's employee in the course of his employment;

(b) by the agent when acting on behalf of that person; or (c) by the employee of the agent in the course of his employment by the agent or otherwise on behalf of the agent acting on behalf of that person.


Prosecution 134. No prosecution for an offence under this Act shall be instituted except by or with the written consent of the public prosecutor.


Jurisdiction to try offences 135. Notwithstanding any other written law to the contrary, the Sessions Court shall have jurisdiction to try any offence under this Act and to impose full punishment for any such offence under this Act.


Service of notices or other documents 136. (1) Service of a notice or any other document upon any person shall be effected — (a) by delivering the notice or other document to the person;

(b) by leaving the notice or other document at the last-known address of residence or place of business of the person in a cover addressed to that person; or (c) by forwarding the notice or other document by post in a registered letter with acknowledgement of receipt addressed to the person at his last-known address of residence or place of business.

(2) Where the person to whom there has been addressed a registered letter with acknowledgement of receipt containing any notice or other document which may be given under this Act is informed of the fact that there is such a registered letter awaiting him at a post office, and that person refuses or neglects to take delivery of the registered letter, the notice or other document shall be deemed to have been served upon him on the date on which he was so informed.




Public Authorities Protection Act 1948 137. The Public Authorities Protection Act 1948 [Act 198] shall apply to any action, suit, prosecution or proceedings against the Commissioner, Deputy Commissioner, Assistant Commissioner, any officer or servant of the Commissioner, any member of the Advisory Committee, any member, officer or servant of the Appeal Tribunal, or any authorized officer in respect of any act, neglect or default done or omitted by him in such capacity.


Public servants 138. The Commissioner, Deputy Commissioner, Assistant Commissioner, any officer or servant of the Commissioner, any member of the Advisory Committee, any member, officer or servant of the Appeal Tribunal, or any authorized officer, while discharging his duties or performing his functions or exercising his powers under this Act in such capacity, shall be deemed to be public servants within the meaning of the Penal Code [Act 574].


Protection against suit and legal proceedings 139. No action, suit, prosecution or other proceedings shall lie or be brought, instituted or maintained in any court against — (a) the Commissioner, Deputy Commissioner, Assistant Commissioner or any other officer or servant of the Commissioner;

(b) any member of the Advisory Committee;

(c) any member, officer or servant of the Appeal Tribunal; or (d) any authorized officer, in respect of any act or omission done or omitted by him in good faith in such capacity.


Protection of informers 140. (1) Except as provided in subsections (2) and (3), no witness in any civil or criminal proceedings pursuant to this Act shall be obliged or permitted to disclose the name or address of any informer or the substance and nature of the information received from him or to state any matter which might lead to his discovery.

(2) If any computer, books, accounts, computerised data or other documents, signs, cards, letters, pamphlets, sheet, notice, fittings, equipment or items which are in evidence or are liable to inspection in any civil or criminal proceedings whatsoever contain any entry in which any informer is named or described or which might lead to his discovery, the court shall cause all such entries to be concealed from view or obliterated to the extent necessary to protect the informer from discovery.

(3) If in any proceedings for any offence under this Act the court, after a full inquiry into the case, is of the opinion that the informer wilfully made in his complaint a material statement which he knew or believed to be false or did not believe to be true, or if in any other proceedings the court is of the opinion that justice cannot be fully done between the parties to the proceedings without the discovery of the informer, the court may require the production of the original complaint, if in writing, and permit an inquiry and require full disclosure concerning the informer.

Obligation of confidentiality 141. (1) Except for any of the purposes of this Act or for the purpose of any civil or criminal proceedings under any written law or where otherwise authorized by the Minister — (a) the Commissioner, Deputy Commissioner, Assistant Commissioner, any officer or servant of the Commissioner, any member of the Advisory Committee, any member, officer or servant of the Appeal Tribunal, any authorized officer or any person attending any meeting or deliberation of the Advisory Committee, whether during or after his tenure of office or employment, shall not disclose any information obtained by him in the course of his duties; and (b) no other person who has by any means gained access to any information or document relating to the affairs of the Commissioner shall disclose such information or document.

(2) Any person who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding one hundred thousand ringgit or to imprisonment for a term not exceeding one year or to both.

Things done in anticipation of the enactment of this Act 142. All acts and things done by any person in preparation for or in anticipation of the enactment of this Act and any expenditure incurred in relation thereto shall be deemed to have been authorized under this Act, provided that the acts and things done are consistent with the general intention and purposes of this Act; and all rights and obligations acquired or incurred as a result of the doing of those acts or things, including any expenditure incurred in relation thereto, shall on the coming into operation of this Act be deemed to be the rights and obligations of the Commissioner.

Power to make regulations 143. (1) The Minister may make such regulations as are necessary or expedient for the purpose of carrying into effect the provisions of this Act.

(2) Without prejudice to the generality of the powers conferred by subsection (1), the Minister may make regulations for all or any of the following purposes: (a) to regulate all matters relating to the registration of data users under this Act, including prescribing the registration fees and renewal fees;

(b) regulating all matters necessary for the implementation of the principle of the protection of Personal Data;

(c) regulate the procedure in respect of inspections of personal data systems, investigation of complaints and the issuance of a notice of enforcement, and all other matters related to it;

(d) to prescribe the offences which may be compounded and the forms to be used and the method and procedure for compounding such offences;

(e) to provide for and prescribe any fees payable in connection with the provision of any service or any matter under this Act;

(f) to prescribe any matter for which this Act makes express provision to be made by regulations;

(g) to prescribe all other matters as are necessary or expedient to be prescribed for giving effect to this Act.

(3) Regulations made under this section or any other subsidiary legislation made under this Act may provide that any act or omission in contravention of the regulations or other subsidiary legislation is an offence and may prescribe penalties of a fine not exceeding two hundred and fifty thousand ringgit or imprisonment for a term not exceeding two years or both.


Prevention of anomalies 144. (1) The Minister may, by order published in the Gazette, make such modifications to the provisions of this Act as are necessary or expedient for the purpose of removing any difficulties or preventing anomalies in consequence of the coming into operation of this Act.

(2) the Minister may not exercise the powers conferred by subsection (1) after the expiration of one year from the date specified.

(3) in this section, "modifications" means the amendment, addition, deletion and replacement of any of the provisions of this Act.


PART XI SAVINGS AND TRANSITIONAL PROVISIONS

Personal data processed before the date of coming into operation of this Act 145. Where a data user has collected personal data from the data subject or any third party before the date of coming into operation of this Act, he shall comply with the provisions of this Act within three months from the date of coming into operation of this Act.


Registration of persons who process personal data before the date of coming into operation of this Act 146. (1) Subject to subsection (2), any person who, at the date of coming into operation of this Act, either alone or jointly or in common with other persons, processes any personal data or has control over or authorizes the processing of any personal data shall, within three months from the date of coming into operation of this Act, be registered as a data user in accordance with the provisions of this Act.

(2) Subsection (1) shall not apply to a data user who does not belong to the class of data users required to be registered as data users in accordance with the provisions of Chapter 2 of Part II.





LAWS OF MALAYSIA Act 709 PERSONAL DATA PROTECTION ACT 2010

LIST OF AMENDMENTS
Amending law / Short title / In force from: NIL

LIST OF SECTIONS AMENDED
Section / Amending authority / In force from: NIL