Data Protection Principles under PDP Law

By: Sonny Zulhuda

Understanding data protection principles is crucial to (re)formulating business processes. For companies and organisations that in any way use or exploit the personal data of their employees, customers (actual and potential) and business partners, a series of actions needs to be taken to comply with the legal regime on data protection.

In Malaysia, this is a particular cause for concern nowadays, as the new law on personal data protection clearly requires data users to take certain actions.

Laid down in the main body of the law is the set of data protection principles from which all the rights, duties and liabilities of data users and data subjects stem. (Note: a ‘data user’ is anyone who uses, collects, processes, etc. personal data belonging to particular individuals. Those individuals are called ‘data subjects’.)

In the Personal Data Protection Bill that was recently passed by the Malaysian Lower House of Representatives, the principles of personal data protection are laid down in Part II, sections 5-12.

Those principles are:

  • General Principle
  • Notice and Choice Principle
  • Disclosure Principle
  • Security Principle
  • Retention Principle
  • Data Integrity Principle
  • Access Principle

section 6 – General Principle

It provides, among others, that a data user shall not process personal data without the consent of the data subject concerned. More stringent requirements are imposed on the category of ‘sensitive personal data.’ By virtue of this principle, too, the processing of personal data can only be done for a lawful purpose directly related to the data user’s activity. It also requires that the data processed must not be excessive (imagine a bank requiring its customer to declare the history of his illnesses, data which is not directly related to the banking relationship and is likely excessive).

section 7 – Notice and Choice Principle

It prescribes, among others, that when collecting personal data, the data user shall properly notify the data subjects of the purpose of that collection/processing, as well as the rights of the data subject with regard to that processing.

section 8 – Disclosure Principle

This principle puts forward the restriction on disclosure of the personal data.

section 9 – Security Principle

This is another set of compliance issues, concerning the security measures that data users have to adopt. The bottom line is that data users are responsible for the security, integrity and reliability of the personal data that they process or store.

section 10 – Retention Principle

How long can organisations or companies keep personal data? This question is addressed by this principle. No fixed period is given; instead, the word ‘necessary’ is central here. One may wonder how that is to be ascertained, and what happens once the retention period is over.

section 11 – Data Integrity Principle

Wondering why your bank’s circulars never reach you despite its assurance that they were posted to your address? Your address may be incomplete! This section provides that it is the duty of the data user to ensure the accuracy and completeness of the personal data they collect.

section 12 – Access Principle

PDP law is pushing for more accountability. No joke, but this law requires data users to provide a mechanism by which individuals can obtain access to, and correction of, their personal data. A good thing for consumer protection in general.

In sum, these Personal Data Protection Principles will become a central concern of organisations and companies across industries and businesses in the years to come. They simply need to reformulate their business processes!


  1. I understand that this Act does not apply to government, but what about agencies like JPJ, EPF etc.? Are they immune or subject to this? As such, can they transfer information between them? i.e. JPJ sending our data to JPN.

    1. In the absence of a provision to the contrary or an exception, govt agencies like JPJ and JPN would not be subject to this Act. Therefore, yes, JPJ would be able to transfer our data to JPN without necessarily infringing the Act. It remains unclear whether statutory bodies like EPF will also be excluded. My opinion is that they should not.

  2. Hi... may I know whether there is any principle in Malaysia stating that data users should provide an option for data subjects to withdraw from their membership/database?

    1. Yes. Let me quote s. 38 of the PDP Act 2010:

      Withdrawal of consent to process personal data

      38. (1) A data subject may by notice in writing withdraw his consent to the processing of personal data in respect of which he is the data subject.

      (2) The data user shall, upon receiving the notice under subsection (1), cease the processing of the personal data.

      (3) The failure of the data subject to exercise the right conferred by subsection (1) does not affect any other rights conferred on him by this Part.

      (4) A data user who contravenes subsection (2) commits an offence and shall, on conviction, be liable to a fine not exceeding one hundred thousand ringgit or to imprisonment for a term not exceeding one year or to both.
