Malaysia legislation
Section 6
(a) in the case of personal data other than sensitive personal data, process personal data about a data subject unless the data subject has given his consent to the processing of the personal data; or
(b) in the case of sensitive personal data, process sensitive personal data about a data subject except in accordance with the provisions of section 40.
(2) Notwithstanding paragraph (1)(a), a data user may process personal data about a data subject if the processing is necessary—
(a) for the performance of a contract to which the data subject is a party;
(b) for the taking of steps at the request of the data subject with a view to entering into a contract;
(c) for compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract;
(d) in order to protect the vital interests of the data subject;
(e) for the administration of justice; or
(f) for the exercise of any functions conferred on any person by or under any law.
(3) Personal data shall not be processed unless—
(a) the personal data is processed for a lawful purpose directly related to an activity of the data user;
(b) the processing of the personal data is necessary for or directly related to that purpose; and
(c) the personal data is adequate but not excessive in relation to that purpose.
Notice and Choice Principle