Malaysia
| OVERVIEW | Malaysia recently passed the Personal Data Protection Act ("PDPA") |
| ENACTED | 2010 |
| GENERAL PRIVACY LAWS | The Constitution of Malaysia does not specifically recognize a right to privacy. |
| PERSONAL DATA PROTECTION LAWS AND REGULATIONS |
Personal Data Protection Act. The PDPA applies only to personal data processed in Malaysia. Federal and State governments are excluded from complying, whereas credit reporting or referencing agencies will be separately regulated by another law. |
| TYPE OF DATA PROTECTED | The Act protects ‘Personal Data’. In order to qualify as "personal data," the data must relate, either directly or indirectly, to a data subject who can be identified from the data. The data must also be capable of being recorded and be capable of automatic or manual processing. "Sensitive personal data", which requires explicit data subject consent, include medical history, religious beliefs, political opinions and the commission or alleged commission of any offence. |
| WORKPLACE PRIVACY LAWS | There are no laws or regulations regarding workplace monitoring. |
| TRANSBORDER TRANSFERS | The PDPA specifies that no personal data may be transferred outside Malaysia unless the place has been specified by the Minister. Notwithstanding, such transfer may take place if, among others, the data subject has given consent, the transfer is necessary for the performance of a contract with the data user, the data user has taken reasonable steps to ensure that the data will not be processed in a manner which would contravene the PDPA, or the transfer is necessary to protect the data subject's vital interests. |
| FINES AND SANCTIONS | The penalties for breaching the PDPA include the imposition of fines, and/or a term of imprisonment not exceeding two years. Directors, CEOs, COOS, managers or other similar officers have joint and several liability for non-compliance by the body corporate, subject to the due diligence defense. The Commissioner is not empowered to order compensation for damage, and there is no express right to pursue a civil claim for non-compliance. |
| OTHER PRIVACY LAWS AND REGULATIONS | A number of internal security laws raise implications for privacy. These include laws regarding surveillance, identity cards and the Internal Security Act. |
