Malaysia: Public consultation on the Personal Data Protection Regulations 2013

(a) Amendments of existing definitions:

• "Data user" is changed to "data controller" to align with the amendments to the PDPA.
• "Standard" is revised by replacing the term "minimum requirement issued" to "measures determined" [by the Commissioner…], to emphasise that the standards issued by the Personal Data Protection Commissioner ("Commissioner") constitute binding rules for effective compliance instead of mere minimum requirements and to support a shift towards a more outcome-based approach.

(b) Introduction of new definitions:

• "Business contact information" which is defined as "an individual's name, position name or title, business telephone number, business address, business e-mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes". This is similar to the definition provided under the Personal Data Protection Guideline on the Appointment of Data Protection Officer (DPO) issued by the Commissioner ("DPO Guideline").
• "Personal data protection notice" which is defined as "notice in writing that the Data Controller is required to provide to Data Subject in compliance with section 7 of the Act".

(a) Data subject consent: Providing clearer guidance on how to obtain valid consent from data subjects before personal data is processed.

(b) Recognition of legal exceptions: Introducing provisions that recognise that personal data may be processed without consent in certain situations, in line with the exceptions under the PDPA.

(c) Notice and choice obligation: Data controllers are required to inform data subjects about the collection and processing of personal data through a personal data protection notice.

(d) Verification of consent: Data controllers are required to take reasonable verification steps when obtaining consent from parents, guardians, or individuals with responsibility over the data subject.

The business contact information of the appointed DPO or the individual responsible for handling personal data will need to be displayed.

This is to ensure consistency with the DPO Guideline.

(a) Expanded obligation: Data processors are now under the obligation to develop and implement a security policy (and not just data controllers).

(b) Data breach management: There is an explicit requirement for the security policy to include procedures for managing data breaches which a mandatory component of such policy.

(a) Contractual obligation: Data controllers are required to enter into a written contract with data processors when there is processing of personal data by a third party.

(b) Essential and clear contractual terms: The contract must contain essential details including:

• The subject matter, duration, nature and purpose of the data processing;
• The types of personal data being processed;
• The security measures to be implemented; and
• The obligations of the data processor and the rights of the data controller.

(a) Expanding liability and accountability: A new provision is introduced to place direct liability on data processors who may be subject to penalties in the event of a breach of the Security Principle.

(b) Introduction of a new sub-clause: Any data processor who contravenes regulation 6 of the Regulations (relating to the requirements of a security policy) may be subject to penalties.

(a) Inspection obligations for data processor: Clarifying and reinforcing inspection obligations for data processors, particularly in relation to security policies they are required to develop and implement.

(b) Scope of inspection powers: Broadening and clarifying the scope of information that may be requested during inspections by explicitly including "documents, records or other information relating to personal data processing" thereby strengthening the authority for the Commissioner and inspection officers to obtain the necessary information to make recommendations to the data controller under inspection.