Your Rights under the Personal Data Protection Act
As a consumer, do you know that your personal data is protected under the Personal Data Protection Act?
INTRODUCTION
When initiating processes such as opening a bank account, subscribing to an online entertainment plan, enrolling in a gym club membership, or accessing specific commercial websites, individuals will observe the requisite action of signing a physical form or ticking a small box in an online form. This signifies their acknowledgment and acceptance of the use of personal data, encompassing details like name, identification number, address, phone number, and more, by the respective commercial entity.
Notably, despite the act of acceptance, a significant portion of the populace remains unaware that the document they are endorsing is, in fact, the ‘privacy policy’ or ‘privacy notice’ of the commercial entity. This document contains crucial information delineating how the entity handles the personal data of its customers.
This lack of awareness can be attributed to the limited understanding among the general public regarding their rights concerning personal data protection. Additionally, the intricate and lengthy nature of privacy policies, coupled with legal terminology, inevitably impedes the effective comprehension and acceptance of these policies by consumers.
PERSONAL DATA PROTECTION ACT
In the interest of safeguarding individuals’ privacy, the Personal Data Protection Act 2010 (the Act) was enacted to govern the processing of personal data by commercial entities. According to the Act, individuals using services are designated as ‘data subjects,’ while the entities managing the data are referred to as ‘data users.’ This legislation outlines a range of statutory requirements, offenses, and penalties aimed at preventing the abuse and misuse of personal data belonging to the data subjects by the data users.
The fundamental principle stipulates that a data user should refrain from processing personal data unless explicit consent has been granted by the data subject. Moreover, the Act outlines various overarching principles, including:
- Disclosure principle – No personal data shall be disclosed for any purpose other than the purpose for which the personal data was to be disclosed at the time of collection of the personal data.
- Security principle – A data user shall, when processing personal data, take practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental loss or disclosure, alteration, or destruction.
- Retention principle – The personal data shall not be kept longer than is necessary for the fulfilment of that purpose.
- Data integrity principle – A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading, and kept up-to-date.
- Access principle – A data subject shall be given access to his personal data held by a data user and be able to correct that personal data where the personal data is inaccurate, incomplete, misleading, or not up-to-date.
CONSUMER’S RIGHTS TO PERSONAL DATA
As a data subject, even subsequent to the submission of your personal data to the relevant data user, you retain certain rights under the Personal Data Protection Act. These encompass the right to be informed of the processing of your data by an organisation, the rights to access and rectify your personal data, the right to withdraw consent for the processing of personal data, and the right to prevent data processing for direct marketing purposes.
However, if you discover that your personal data is not handled or processed by the relevant data user in compliance with the requirements of the Personal Data Protection Act, there is no specific provision granting the right to claim damages against the said data user under the Act. The sole recourse available is to lodge a complaint with the Personal Data Protection Commissioner. Upon filing a complaint, an investigation will be initiated to address the matter.
As of now, Malaysia has not recognised the misuse or abuse of personal data as a form of actionable tort with private remedies available to the data subject. Breaching the Personal Data Protection Act (PDPA) can result in criminal liability, and a data user found in violation may face charges brought by the prosecutor before a criminal court.