Malaysia legislation
Section 4
Personal Data Protection 13
“credit reporting agency” has the meaning assigned to it in the Credit Reporting Agencies Act 2010 [Act 710];
“this Act” includes regulations, orders, notifications and other subsidiary legislation made under this Act;
“register” means the Register of Data Users, Register of Data User Forums or Register of Codes of Practice;
“personal data” means any information in respect of commercial transactions, which—
(a) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;
(b) is recorded with the intention that it should wholly or partly be processed by means of such equipment; or
(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,
that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject; but does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010;
Act 709
“sensitive personal data” means any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence or any other personal data as the Minister may determine by order published in the Gazette;
“prescribed” means prescribed by the Minister under this Act and where no mode is mentioned, means prescribed by order published in the Gazette;
“Advisory Committee” means the Personal Data Protection Advisory Committee established under section 70;
“vital interests” means matters relating to life, death or security of a data subject;
“Fund” means the Personal Data Protection Fund established under section 61;
“use”, in relation to personal data, does not include the act of collecting or disclosing such personal data;
“collect”, in relation to personal data, means an act by which such personal data enters into or comes under the control of a data user;
“Minister” means the Minister charged with the responsibility for the protection of personal data;
“disclose”, in relation to personal data, means an act by which such personal data is made available by a data user;
“relevant person”, in relation to a data subject, howsoever described, means—
(a) in the case of a data subject who is below the age of eighteen years, the parent, guardian or person who has parental responsibility for the data subject;
(b) in the case of a data subject who is incapable of managing his own affairs, a person who is appointed by a court to manage those affairs, or a person authorized in writing by the data subject to act on behalf of the data subject; or
(c) in any other case, a person authorized in writing by the data subject to make a data access request, data correction request, or both such requests, on behalf of the data subject;
“authorized officer” means any officer authorized in writing by the Commissioner under section 110;
“correction”, in relation to personal data, includes amendment, variation, modification or deletion;
“requestor”, in relation to a data access request or data correction request, means the data subject or the relevant person on behalf of the data subject, who has made the request;
“data processor”, in relation to personal data, means any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user, and does not process the personal data for any of his own purposes;
“processing”, in relation to personal data, means collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data, including—
(a) the organization, adaptation or alteration of personal data;
(b) the retrieval, consultation or use of personal data;
(c) the disclosure of personal data by transmission, transfer, dissemination or otherwise making available; or
(d) the alignment, combination, correction, erasure or destruction of personal data;
“registration” means the registration of a data user under section 16;
“data user” means a person who either alone or jointly or in common with other persons processes any personal data or has control over or authorizes the processing of any personal data, but does not include a data processor;
“relevant data user”, in relation to—
(a) an inspection, means the data user who uses the personal data system which is the subject of the inspection;
(b) a complaint, means the data user specified in the complaint;
(c) an investigation—
    (i) in the case of an investigation initiated by a complaint, means the data user specified in the complaint;
    (ii) in any other case, means the data user who is the subject of the investigation;
(d) an enforcement notice, means the data user on whom the enforcement notice is served;
“credit reporting business” has the meaning assigned to it in the Credit Reporting Agencies Act 2010;
“Commissioner” means the Personal Data Protection Commissioner appointed under section 47;
“third party”, in relation to personal data, means any person other than—
(a) a data subject;
(b) a relevant person in relation to a data subject;
(c) a data user;
(d) a data processor; or
(e) a person authorized in writing by the data user to process the personal data under the direct control of the data user;
“relevant filing system” means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set of information is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible;
“data subject” means an individual who is the subject of the personal data;
“appointed date” means the relevant date or dates, as the case may be, on which this Act comes into operation;
“code of practice” means the personal data protection code of practice in respect of a specific class of data users registered by the Commissioner pursuant to section 23 or issued by the Commissioner under section 24;
“commercial transactions” means any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but does not include a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2010.