/akn/my/act/amendment_act/2024/A1727

AKTA PERLINDUNGAN DATA PERIBADI (PINDAAN) 2024

LAWS OF MALAYSIA

PERSONAL DATA PROTECTION (AMENDMENT) ACT 2024

Date of Royal Assent: 9 October 2024

Date of publication in the Gazette: 17 October 2024

Publisher’s Copyright © PERCETAKAN NASIONAL MALAYSIA BERHAD

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means electronic, mechanical, photocopying, recording and/or otherwise without the prior permission of Percetakan Nasional Malaysia Berhad (Appointed Printer to the Government of Malaysia).

An Act to amend the Personal Data Protection Act 2010.

[ ]

ENACTED by the Parliament of Malaysia as follows:

Short title and commencement

1. (1) This Act may be cited as the Personal Data Protection (Amendment) Act 2024.

(2) This Act comes into operation on a date to be appointed by the Minister by notification in the Gazette and the Minister may appoint different dates for the coming into operation of different provisions of this Act.

General amendment

2. The Personal Data Protection Act 2010 [Act 709], which is referred to as the “principal Act” in this Act, is amended by substituting for the words “data user” and “data users” wherever appearing including in the shoulder note the words “data controller” and “data controllers” except in the definition of “register” under section 4, and section 9.

Amendment of section 4

3. The principal Act is amended in section 4—

(a) in the definition of “register”, by substituting for the words “Register of Data Users, Register of Data User Forums” the words “Register of Data Controllers, Register of Data Controller Forums”;

(b) by inserting after the definition of “register” the following definition: ‘“biometric data” means any personal data resulting from technical processing relating to the physical, physiological or behavioural characteristics of a person;’;

(c) in the definition of “sensitive personal data”, by inserting after the words “alleged commission by him of any offence” the words “, biometric data”;

(d) by inserting after the definition of “authorized officer” the following definition: ‘“personal data breach” means any breach of personal data, loss of personal data, misuse of personal data or unauthorized access of personal data;’;

(e) in the definition of “requestor”, by substituting for the words “data access request or data correction request” the words “data access request, data correction request or data portability request”; and

(f) in the definition of “data subject”, by inserting after the words “the personal data” the words “and shall not include a deceased individual”.

Amendment of section 5

4. Section 5 of the principal Act is amended—

(a) by inserting after subsection (1) the following subsection: “(1a) Where the processing of personal data is carried out by a data processor on behalf of the data controller, the data processor shall comply with the Security Principle as specified in section 9.”; and

(b) in subsection (2)—

(i) by inserting after the words “subsection (1)” the words “or a data processor who contravenes subsection (1a)”; and

(ii) by substituting for the words “three hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both” the words “one million ringgit or to imprisonment for a term not exceeding three years or to both”.

Amendment of section 9

5. Section 9 of the principal Act is amended—

(a) in subsection (1), by substituting for the words “data user shall,” the words “data controller and a data processor shall,”; and

(b) in subsection (2)—

(i) by substituting for the words “the data user, the data user shall,” the words “a data controller, the data processor shall,”;

(ii) by deleting the words “, ensure that the data processor”; and

(iii) in the English language text—

(A) in paragraph (a), by substituting for the word “provides” the word “provide”; and

(B) in paragraph (b), by substituting for the word “takes” the word “take”.

New Division 1a of Part II

6. The principal Act is amended in Part II by inserting after section 12 the following division:

“Division 1a

Accountability of personal data

Appointment of data protection officer

12a. (1) A data controller shall appoint one or more data protection officers who shall be accountable to the data controller for the compliance with this Act.

(2) Where the processing of personal data is carried out by a data processor on behalf of the data controller, the data processor shall appoint one or more data protection officers who shall be accountable to the data processor for the compliance with this Act.

(3) The data controller shall notify the Commissioner on the appointment of data protection officer in the manner and form as determined by the Commissioner.

(4) The appointment of data protection officer under subsections (1) and (2) shall not discharge the data controller or data processor from all duties and functions under this Act.

Data breach notification

12b. (1) Where a data controller has reason to believe that a personal data breach has occurred, the data controller shall, as soon as practicable, notify the Commissioner in the manner and form as determined by the Commissioner.

(2) Where the personal data breach under subsection (1) causes or likely to cause any significant harm to the data subject, the data controller shall notify the personal data breach to the data subject in the manner and form as determined by the Commissioner without unnecessary delay.

(3) A data controller who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred and fifty thousand ringgit or imprisonment for a term not exceeding two years or to both.”.

Amendment of section 16

7. Subsection 16(3) of the principal Act is amended in the national language text by substituting for the word “Pendaftar” the word “Pesuruhjaya”.

Amendment of section 21

8. Section 21 of the principal Act is amended—

(a) in subsection (1)—

(i) by inserting after the words “a body” the words “or a data controller”;

(ii) by substituting for the words “that body” the words “that body or data controller”;

(iii) in paragraph (a), by substituting for the words “the body” the words “the body or data controller”;

(iv) in paragraph (b), by substituting for the words “the body” the words “the body or data controller”; and

(v) in paragraph (c), by substituting for the words “the body” the words “the body or data controller”;

(b) in subsection (2), by substituting for the words “The body” the words “The body or data controller”;

(c) in subsection (3)—

(i) by substituting for the words “an existing body” the words “an existing body or a data controller”; and

(ii) by substituting for the words “the body” the words “the body or data controller”; and

(d) in subsection (4), by substituting for the words “an existing body” the words “an existing body or a data controller”.

New section 43a

9. The principal Act is amended by inserting after section 43 the following section:

“Rights to data portability

43a. (1) Subject to subsection (2), a data subject may request the data controller to transmit his personal data to another data controller of his choice directly by giving a notice in writing by way of electronic means to the data controller.

(2) The request for data portability referred to in subsection (1) is subject to technical feasibility and compatibility of the data format.

(3) Upon receiving the request for data portability under subsection (1), the data controller shall complete the transmission of personal data within the period as may be prescribed.”.

Amendment of section 48

10. Paragraph 48(e) of the principal Act is deleted.

Amendment of section 67

11. Section 67 of the principal Act is amended—

(a) by deleting the words “, after consulting the Minister,”; and

(b) by substituting for the words “upon as far as practicable by cheques signed by such persons as may be authorized by the Minister.” the words “in such manner as may be authorized by the Commissioner.”.

Amendment of section 129

12. Section 129 of the principal Act is amended—

(a) by deleting subsection (1);

(b) in subsection (2)—

(i) by substituting for the words “For the purposes of subsection (1), the Minister may specify” the words “A data controller may transfer any personal data of a data subject to”; and

(ii) in paragraph (a), by deleting the words “, or that serves the same purposes as this Act”;

(c) in subsection (3)—

(i) by substituting for the words “subsection (1)” the words “subsection (2)”;

(ii) in paragraph (f), by inserting the word “or” at the end of the paragraph;

(iii) in paragraph (g), by substituting for the words “; or” at the end of the paragraph a full stop; and

(iv) by deleting paragraph (h);

(d) by deleting subsection (4); and

(e) in subsection (5), by substituting for the words “subsection (1)” the words “this section”.

Amendment of section 136

13. Subsection 136(1) of the principal Act is amended by inserting after paragraph (a) the following paragraph: “(aa) by way of electronic means;”.

Saving

14. (1) Any order, directions, circular or notice issued or made by the Commissioner immediately before the commencement of this Act shall be deemed to be issued or made by the Commissioner under the principal Act as amended by this Act and shall remain valid.

(2) Any code of practice registered and issued by the Commissioner immediately before the commencement of this Act shall be deemed to be issued or made by the Commissioner under the principal Act as amended by this Act and shall remain valid.

(3) Any investigation, trial, proceedings or action pending before the date of coming into operation of this Act shall, on the date of coming into operation of this Act, be continued in accordance with the provisions of the principal Act as if the principal Act had not been amended by this Act.