Page 1

FEDERAL GOVERNMENT GAZETTE
FEDERAL GOVERNMENT
GAZETTE

14 November 2013
14 November 2013
PU (A) 335

DATA PROTECTION REGULATIONS
PERSONAL 2013

PERSONAL DATA PROTECTION REGULATIONS 2013

POSTED BY/
PUBLISHED BY
ATTORNEY GENERAL'S DEPARTMENT/
ATTORNEY GENERAL'S CHAMBERS

Page 2
PU (A) 335

PERSONAL DATA PROTECTION ACT 2010
PERSONAL DATA PROTECTION REGULATIONS 2013
__________________________
ARRANGEMENT OF REGULATIONS
___________________________
PART I
THE BEGINNING

Rules
1.

Name and commencement

2.

Interpretation

PART II
PRINCIPLES OF PERSONAL DATA PROTECTION

General Principles
3.

Data subject consent

Principles of Notice and Choice

4.

Details about the data user

Principles of Disclosure
5.

Disclosure list

Safety Principles

6.

Security policy

2

Page 3
PU (A) 335
Principles of Storage

7.

Storage standards
Principles of Data Integrity

8.

Standard data integrity

Principles of Access

9.

Data access request

10. Refusal of requests to access data
11. Receipt of data correction requests
12. Penalty

PART III
INSPECTION

13. Notice of inspection
14. Personal data systems shall be open for inspection

PART IV
ENFORCEMENT NOTICE

15. Application for change or revocation of enforcement notice

3

Page 4
PU (A) 335
PERSONAL DATA PROTECTION ACT 2010
PERSONAL DATA PROTECTION REGULATIONS 2013

IN exercise of the powers conferred by section 143 of the Data Protection Act
Personal 2010 [ Act 709 ], the Minister makes the following regulations:

PART I
THE BEGINNING
Name and commencement
1.

(1) These regulations may be cited as Regulations

Personal Data Protection in 2013 .

(2) These Regulations come into force on 15 November 2013.

Interpretation
2.

In these Regulations, unless the context so requires

others-

"Inspecting officer" means an officer employed by
Commissioner under section 51 of the Act for the purpose of conducting an inspection
under section 101 of the Act;

"Standard" means a minimum requirement issued by the Commissioner,
which provides, for common and repeated use, rules, lines
guidelines or characteristics for the activity or results of the activity, whose goal is
the achievement of an optimal level of order in a given context.

4

Page 5
PU (A) 335

PART II
PRINCIPLES OF PERSONAL DATA PROTECTION
General Principles

Data subject consent
3.

(1) A data user shall obtain the consent of

a data subject in connection with the processing of personal data in any form
that the consent may be duly recorded and maintained by
users of that data.

(2) If the form of consent in subregulation (1) is provided
involving also other matters, the desire to obtain consent shall
presented differently in its submission than the other matter.

(3) A data user shall obtain the said consent
in subregulation (1) of a parent, guardian or person having
parental responsibility to the data subject, if the data subject is underage
eighteen years.

(4) A data user shall obtain the said consent
in subregulation (1) of a person appointed by the court to
manage the affairs of the data subject or a person authorized in writing
by the data subject to act on his behalf if the data subject is incapacitated
to manage his own affairs.

(5) The burden of proof for the consent referred to in subregulation (1)
should be located on the data user.

5

Page 6
PU (A) 335

Principles of Notice and Choice

Details about the data user
4.

For the purposes of paragraph 7 (1) (d) of the Act, data users shall at least-

lack of providing detailed data subjects as follows:

(a)

the appointment of contact persons;

(b)

phone number;

(c)

fax number, if any;

(d)

email address, if any; and

(e)

any other relevant information.

Principles of Disclosure

Disclosure list
5.

Data users shall keep and maintain a list of disclosures

to third parties for the purposes of paragraph 8 (b) of the Act in relation to personal data
data subjects that have been or are being processed by it.

Safety Principles

Security policy
6.

(1) Data users shall develop and implement a policy

security for the purposes of section 9 of the Act.

(2) The data user shall ensure the security policy mentioned
in subparagraph (1) comply with the safety standards prescribed from time to time
current by the Commissioner.
6

Page 7
PU (A) 335

(3) Data users shall ensure that internal security standards
processing of personal data is complied with by any running data processor
processing of personal data on behalf of the user of that data.

Principles of Storage

Storage standards
7.

For the purposes of section 10 of the Act, the personal data of a data subject shall

stored in accordance with the storage standards set from time to time by
Commissioner.

Principles of Data Integrity

Standard data integrity
8.

For the purposes of section 11 of the Act, data users shall process personal data

in accordance with data integrity standards established from time to time by
Commissioner.

Principles of Access

Data access request
9.

(1) If a data subject does not require a copy of personal data,

the data subject shall inform the user in writing of his or her intent
data when making a request to access his personal data.

(2) When a data user receives a request to access data from
data subject pursuant to subsection 30 (2) of the Act, the data user shall acknowledge
acceptance of the request.

7

Page 8
PU (A) 335
Refusal of request to access data
10. For the purposes of paragraphs 32 (1) (a) and (b) of the Act, “any information which
reasonably required by him ”means name, identity card number, address
and such other relevant information as may be determined by
Commissioner.

Receipt of data correction request
11.

Upon receipt of a request for data correction pursuant to subsection 34 (1) of the Act,

the data user must acknowledge receipt of the request.

Penalty
12.

Any data user who violates subregulation 3 (1), rules 6, 7

and 8 commits an offense and may, on conviction, be fined not more than two
one hundred and fifty thousand ringgit or imprisonment for a term not exceeding two
years or both.

PART III
INSPECTION
Notice of inspection
13. The Commissioner may notify the data user in writing of his intentions
to conduct inspections under section 101 of the Act.

Personal data systems should be open for inspection
14. (1) The personal data system shall at all reasonable times
open for inspection by the Commissioner or any inspecting officer.

(2) For the purpose of inspection under section 101 of the Act, the Commissioner or
the inspecting officer may require submission to him—

(a)

in relation to general principles, the record of consent from the subject
maintained data with respect to data processing
personalized by data users;
8

Page 9
PU (A) 335

(b)

in relation to the principles of notice and choice, record written notice
issued by the data user to the data subject
in accordance with section 7 of the Act;

(c)

in relation to the principle of disclosure, a list of disclosures to
third party for the purposes of paragraph 8 (b) of the Act in respect of
personal data that has been or is being processed by him;

(d)

in relation to security principles, security policies that
developed and implemented by the data user for the purpose
section 9 of the Act;

(e)

in relation to the principle of retention, compliance records
according to storage standards;

(f)

in relation to data integrity principles, compliance records
according to data integrity standards; or

(g)

any other relevant information deemed necessary by
Commissioner or inspecting officer.

PART IV
ENFORCEMENT NOTICE
Application for change or revocation of enforcement notice
15. An application for variation or revocation of an enforcement notice by
users of data relevant to the Commissioner under section 109 of the Act shall
made in writing.

9

Page 10
PU (A) 335
Created October 24, 2013
[KPKK/PUU 800-8/15; PN (PU2) 712]

DATO 'SRI AHMAD SHABERY CHEEK
Minister of Communications and Multimedia

10

Page 11
PU (A) 335
PERSONAL DATA PROTECTION ACT 2010
PERSONAL DATA PROTECTION REGULATIONS 2013
______________________________
ARRANGEMENT OF REGULATIONS
_______________________________
PART I
PRELIMINARY

Regulation
1.

Citation and commencement

2.

Interpretation

PART II
PERSONAL DATA PROTECTION PRINCIPLES

General Principle

3.

Consent of data subject

Notice and Choice Principle

4.

Details of user data

Disclosure Principle

5.

List of disclosure

Security Principle
6.

Security policy

11

Page 12
PU (A) 335
Retention Principle

7.

Standard retention

Data Integrity Principle

8.

Data integrity standard

Access Principle

9.

Data access request

10. Refusal of data access request
11. Receipt of data correction request
12. Penalty

PART III
INSPECTION

13. Notice of inspection
14. Personal data system to be open for inspection

PART IV
ENFORCEMENT NOTICE

15. Application of variation or cancellation of enforcement notice

12

Page 13
PU (A) 335
PERSONAL DATA PROTECTION ACT 2010
PERSONAL DATA PROTECTION REGULATIONS 2013

IN exercise of the powers conferred by section 143 of the Personal Data Protection
Act 2010 [ Act 709 ], the Minister makes the following regulations:

PART I
PRELIMINARY
Citation and commencement
1.

(1) These regulations may be cited as the Personal Data Protection

Regulations 2013 .

(2)

These Regulations come into operation on 15 November 2013.

Interpretation
2.

In these Regulations, unless the context otherwise requires—

“Inspection officer” means an officer employed by the Commissioner under
section 51 of the Act for the purposes of carrying out an inspection under section 101 of
the Act;

“Standard” means a minimum requirement issued by the Commissioner, that
provides, for common and repeated use, rules, guidelines or characteristics for activities
or their results, aimed at the achievement of the optimum degree of order in a given
context.

13

Page 14
PU (A) 335
PART II
PERSONAL DATA PROTECTION PRINCIPLES
General Principle

Consent of data subject
3.

(1) A data user shall obtain consent from a data subject in relation to the

processing of personal data in any form that such consent can be recorded and
maintained properly by the data user.

(2) If the form in which such consent in subregulation (1) is to be given also
concerns another matter, the requirement to obtain consent shall be presented
distinguishable in its appearance from such other matter.

(3) A data user shall obtain consent referred to in subregulation (1) from the
parent, guardian or person who has parental responsibility on the data subject, if the data
subject is under the age of eighteen years.

(4) A data user shall obtain consent the consent referred to in
subregulation (1) from a person who is appointed by a court to manage the affairs of the
data subject or a person authorized in writing by the data subject to act on his behalf if
the data subject is incapable of managing his own affairs.

(5) The burden of proof for such consent referred to in subregulation (1) shall
lie on the data user.

Notice and Choice Principle

Details of user data
4.

For the purposes of paragraph 7 (1) (d) of the Act, the data user shall at least

provide the data subject the details as follows:

(a)

designation of the contact person;
14

Page 15
PU (A) 335
(b)

phone number;

(c)

fax number, if any;

(d)

e-mail address, if any; and

(e)

such other related information.

Disclosure Principle

List of disclosure
5.

The data user shall keep and maintain a list of disclosure to third parties for the

purposes of paragraph 8 (b) of the Act in relation to personal data of the subject data that
has been or is being processed by him.

Security Principle

Security policy
6.

(1) The data user shall develop and implement a security policy for the

purposes of section 9 of the Act.

(2) The data user shall ensure the security policy referred to in
subregulation (1) complies with the security standard set out from time to time by the
Commissioner.

(3) The data user shall ensure that the security standard in the processing of
personal data be complied with by any data processor that carry out the processing of
the personal data on behalf of the data user.

15

Page 16
PU (A) 335
Retention Principle

Standard retention
7.

For the purposes of section 10 of the Act, the personal data of a data subject shall

be retained in accordance with the retention standard set out from time to time by the
Commissioner.

Data Integrity Principle

Data integrity standard
8.

For the purposes of section 11 of this Act, the data user shall process the personal

data in accordance with the data integrity standard set out from time to time by the
Commissioner.

Access Principle

Data access request
9.

(1) Where a data subject does not require a copy of the personal data, he shall

inform the data user in writing of his intention upon making a data access request of his
personal data.

(2) Upon receiving the data access request pursuant to subsection 30 (2) of the
Act, the data user shall acknowledge the receipt of such request.

Refusal of data access request
10.

For the purposes of paragraphs 32 (1) (a) and (b) of the Act, “such information as

he may reasonably require ”means name, identification card number, address and such
other related information as the Commissioner may determine.

Receipt of data correction request
11.

Upon receiving the data correction request pursuant to subsection 34 (1) of the

Act, the data user shall acknowledge the receipt of such request.

16

Page 17
PU (A) 335
Penalty
12. Any data user who contravenes subregulation 3 (1), regulations 6, 7 and 8
commits an offense and shall, on conviction, be liable to a fine not exceeding two
hundred and fifty thousand ringgit or imprisonment for a term not exceeding two years
or to both.

PART III
INSPECTION
Notice of inspection
13. The Commissioner may notify the data user in writing of his intention to carry
out an inspection under section 101 of the Act.

Personal data system to be open for inspection
14. (1) The personal data system shall at all reasonable times be open to the
inspection of the Commissioner or any inspection officer.

(2) For the purposes of inspection under section 101 of the Act, the
Commissioner or the inspection officer may require the production before him—

(a)

in relation to general principle, the record of the consent from a
data subject maintained in respect of the processing of personal
data by the data user;

(b)

in relation to notice and choice principle, the record of a written
notice issued by the data user to the data subject in accordance
with section 7 of the Act;

(c)

in relation to disclosure principle, the list of disclosure to third
parties for the purposes of paragraph 8 (b) of the Act in respect of
personal data that has been or is being processed by him;

17

Page 18
PU (A) 335
(d)

in relation to security principle, the security policy developed and
implemented by the data user for the purposes of section 9 of the
Act;

(e)

in relation to retention principle, the record of compliance in
accordance with the retention standard;

(f)

in relation to data integrity principle, the record of compliance in
accordance with the data integrity standard; or

(g)

such other related information which the Commissioner or any
inspection officer deems necessary.

PART IV
ENFORCEMENT NOTICE
Application of variation or cancellation of enforcement notice
15. An application of variation or cancellation of enforcement notice by the relevant
data user to the Commissioner under section 109 of the Act shall be made in writing.

Made 24 October 2013
[KPKK/PUU 800-8/15; PN (PU2) 712]

DATO 'SRI AHMAD SHABERY CHEEK
Minister of Communications and Multimedia

18

