Personal data refers to data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access.
The PDPA establishes a data protection law that comprises a variety of rules governing the use, collection, care, and disclosure of personal data. It recognises both the rights of individuals to protect their personal data, including rights of correction and access, and the needs of organisations to collect, use or disclose personal data for reasonable and legitimate purposes.
Nowadays, huge amounts of personal data are gathered, used and even transferred to third-party organisations for a range of reasons. This trend is likely to rise exponentially because increasingly sophisticated technology enables the analysis and processing of huge amounts of personal data.
Individuals' concerns about how their personal data is being used have grown with this trend. Therefore, a data protection act or law to manage the collection, disclosure and use of personal data is essential to address these concerns and to sustain individuals' trust in organisations that handle the data.
This PDPA will ensure a guideline standard of protection for personal data across the economy by fulfilling regulatory frameworks and sector-specific legislation. This means that organisations will have to comply with the PDPA as well as the general law and other applicable laws that apply to the particular industry they belong to, when managing personal data in their control.
There are 3 main concepts that must be taken into account in the PDPA, which are:
- Consent – Organisations may collect, use or disclose personal data only with the individual's knowledge and consent.
- Purpose – Organisations may collect, use or disclose personal data in an appropriate manner for the circumstances, and only if they have informed the individual of the purposes for the collection, use or disclosure.
- Reasonableness – Organisations may collect, use or disclose personal data only for purposes that would be considered appropriate to a reasonable person in the given circumstances.
The Personal Data Protection Act affects the personal data life cycle management process from the point personal data is gathered, used, stored and destroyed. This Act applies to the personal data of customers, employees and third-party service providers. Companies' ways of doing business will certainly be affected, as business processes must be refined to comply with the PDPA requirements. Most importantly, a central repository may be required for consent management. The process becomes more complex when cross-border personal data transfer is involved.
2.0 COMPARISON BETWEEN MALAYSIA AND BELGIUM PDPA
EU Data Protection Directive 95/46/EC was implemented in Belgium with the Data Protection Act dated 8 December 1992 (“Act”). The Data Protection Authority ensured the enforcement.
Malaysia implemented the Personal Data Protection Act 2010.
2.0.2 PERSONAL DATA DEFINITION
Personal data means any information relating to an identified or identifiable natural person.
A person is considered identifiable when he or she can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physiological, physical, economic, mental, social or cultural identity.
“Personal data” means any information in respect of commercial transactions which:
- is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,
- is recorded with the intention that it should wholly or partly be processed by means of such equipment,
- is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose,
These three relate directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, which includes any sensitive personal data and expression of opinion about the data subject, but does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010.
2.0.3 SENSITIVE PERSONAL DATA DEFINITION
The Belgian Data Protection Act distinguishes between three categories of sensitive personal data, for which separate rules apply:
- Personal data relating to disputes which have been submitted to courts and tribunals as well as to administrative judicial bodies, regarding suspicions, prosecutions or convictions in matters of crime, administrative sanctions or security measures;
- Personal data revealing a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, sex life or trade union membership;
- Health-related personal data.
“Sensitive personal data” means any personal data consisting of information as to the mental or physical health or condition of a data subject, his religious beliefs or other beliefs of a similar nature, his political opinions, the commission or alleged commission by him of any offence, or any other personal data as the Minister of Information, Communications and Culture (“Minister”) may determine by order published in the Gazette.
Data controllers who process personal data by usual means must notify the DPA so that their processing of personal data can be registered and made public, unless there is an exemption. Alterations to the processing of personal data will require the notification to be amended.
The notification shall inter alia include the following information (as outlined in the DPA standard notification form):
- the controller's contact details and, if relevant, the contact details of the controller's representative;
- the purpose(s) of the processing;
- whether categories of sensitive personal data are processed and, if so, which categories;
- the types of personal data being processed;
- the way in which data subjects will be informed of the processing and the department which data subjects may contact to exercise their right of access;
- the categories of recipients of the data and the guarantees which must be applied to the communication to third parties;
- a general description of security measures;
- in cases where the data will be transferred outside the European Economic Area, the categories of data to be transferred and, for each category of data, the country of destination; and
- the data retention terms.
According to the Malaysian PDP Act, the registrations by class of data users are prescribed by the Minister. The Commissioner will determine whether to approve the application, and it must be renewed from time to time.
2.0.5 BREACH OF NOTIFICATION
The Act does not provide for a data security breach notification obligation.
At present, there are no specific legislative requirements for data users to notify authorities regarding data protection breaches in Malaysia.
The DPA is authorised to investigate any complaints, and to act as a third party in case of complaints. The DPA can also engage experts, may require the provision of documents, and may also require access to some places. The DPA must notify the public prosecutor in case of criminal actions.
Failure to comply with the Act may be criminally sanctioned with fines up to EUR 600,000 or imprisonment.
Currently, there are no specific legislative provisions for the enforcement of personal data protection in Malaysia.
Under the PDPA, the Commissioner has the power to implement and enforce the personal data protection laws and to supervise and monitor compliance with the provisions of the PDPA.
On the other hand, there is no express right under the PDPA allowing aggrieved data subjects to pursue a civil claim against data users for breaches of the PDPA.
Failure to comply with the Act amounts to a serious offence. Upon conviction, the data user is liable to pay a fine not exceeding RM300,000 or to imprisonment for a term not more than two years or both. Subject to the due diligence defence, directors, managers or other similar officers have joint and several liability for non-compliance by the body corporate.
Processors and data controllers must apply suitable organisational and technical measures to protect personal data against unlawful or accidental destruction or accidental loss, unauthorised disclosure or access, and alteration, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
The DPA has issued non-binding guidelines in respect of such security measures.
Presently, there are no specific legislative requirements for the imposition of security measures for the protection of personal data in Malaysia.
Data users have an obligation to take “practical” steps to protect personal data under the PDPA.
Transfer of a data subject's personal data to non-EU/European Economic Area countries is allowed if those countries provide “adequate protection”.
Companies which adhere to the US/EU Safe Harbor principles are deemed to offer adequate protection for the transfer of data to the United States.
Data controllers may transfer personal data out of the European Economic Area to countries which are not deemed to offer adequate protection if any of the following exceptions apply:
- the transfer is necessary for the performance of a contract between the data subject and the data controller, or for the performance of tasks at the request of the data subject prior to entering into such a contract;
- the data subject has consented to the transfer;
- the transfer is necessary in order to protect the vital interests of the data subject;
- the transfer is necessary for the conclusion or performance of a contract with a third party in the interest of the data subject;
- the transfer is necessary or legally required in order to protect an important public interest;
- there is statutory authority for requesting data from a public register; or
- the transfer is necessary in order to establish, exercise or defend a legal claim.
The DPA may allow transfers even if the conditions mentioned above are not satisfied, provided the controller cites additional safeguards with respect to the protection of the rights of the data subject. These safeguards may inter alia result from contractual clauses, e.g. standard contractual clauses approved by the European Commission, or from an organisation's Binding Corporate Rules.
At present, the DPA usually requests a copy of data transfer agreements, in particular to verify whether any changes were made to the EU model clauses in the context of a notification procedure. Formal approval of data transfer agreements based on EU model clauses is not required.
However, the DPA recently indicated that in the near future this might change and an authorisation decree might be required for each contract-based international transfer of personal data, irrespective of whether the international transfer is based on the EU Model Clauses.
At this time, there are no specific legislative requirements for the transfer of personal data in Malaysia.
A data user may not transfer personal data to jurisdictions outside of Malaysia unless that jurisdiction has been specified by the Minister under the PDPA.
However, there are exceptions to this restriction, such as where:
- Consent was obtained.
- Necessary for performance of a contract between data subject and data user.
- Purpose of legal proceedings or to obtain legal advice.
- Protect vital interests of data subject and for public interest.
2.0.9 COLLECTION AND PROCESSING
Data controllers may collect and process personal data when any of the following conditions are met:
- the processing is necessary to perform a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into such a contract;
- the data subject consents;
- the processing is necessary to protect the vital interests of the data subject;
- the processing is necessary to enable the controller to fulfil a legal obligation;
- the processing is necessary to enable the controller or third parties to whom the data is disclosed to protect a legitimate interest, except where such interest is overridden by the interests of the data subject;
- the processing is necessary to exercise official authority;
- the processing is necessary to perform a task in the public interest.
A different list of specific conditions applies where sensitive personal data is processed.
Whichever of the above conditions is relied upon, the controller must first provide the data subject with certain information, unless there are exemptions. The notification will include information on the identity of the controller, the purposes of the processing, the existence of the right to object in the case of personal data processing for direct marketing purposes, and also the right to access and correction, the recipients or categories of recipients of the personal data, and whether or not it is mandatory to respond to the data controller's request to submit personal data and any possible cost of not responding.
At present, there are no specific legislative requirements for the collection and processing of personal data in Malaysia.
Data users are generally required to obtain the consent of data subjects for the processing (which includes collection and disclosure) of their personal data under the PDPA, subject to certain exceptions. Furthermore, there are also other obligations imposed on the data user in relation to the processing of personal data, including, for example, requirements to inform the data subjects of the purpose for which their personal data are collected.
2.0.10 DATA PROTECTION OFFICERS
In Belgium, there is no legal requirement for organisations to appoint a data protection officer. However, it is recommended to do so.
The Act requires processors and controllers to take sufficient organisational and technical security measures.
The DPA has issued “Security Guidelines”, which reflect what is to be considered as constituting ‘adequate organisational and technical security measures’ as part of this obligation. Even though the Security Guidelines are not part of the Act itself and are not binding, they do have an important moral value.
The Security Guidelines recommend that controllers appoint a so-called “information security officer”. This security officer will be responsible for the implementation of the personal data security policy.
At this time, there is no requirement for data users to appoint a data protection officer in Malaysia. There is also no such requirement under the PDPA.
2.0.11 ONLINE PRIVACY
By means of an amendment of article 129 of the Belgian Electronic Communication Act, Article 5(3) of the E-Privacy Directive has been implemented into Belgian law.
The storage and use of cookies and related technologies requires: a) consent of the website user; and b) clear and comprehensive information.
Consent is not required for cookies that are:
- strictly necessary for the provision of a service requested by the user;
- used for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Compulsory guidance on the informed consent requirement is likely to be issued in the near future.
Location data
Mobile network operators may process location data of a subscriber or an end user only to the extent that the location data has been anonymised, or if the processing is carried out in the framework of the provision of a service regarding location or traffic data according to Article 123 of the Belgian Electronic Communication Act.
The processing of location data in the framework of a service regarding location or traffic data is subject to strict conditions set forth in article 123.
In addition, processing of location data must also comply with the general rules set by the Data Protection Act.
Traffic data
Mobile network operators are obliged to anonymise or delete traffic data of their users and subscribers as soon as such data is no longer needed for the transmission of the communication (which is subject to compliance with cooperation obligations with certain authorities), according to article 122 of the Belgian Electronic Communication Act.
Provided they comply with precise information obligations, and subject to precise restrictions, operators may process certain location data for the purposes of:
- marketing of the operator's own electronic communication services or services with traffic or location data (subject to the subscriber's or end user's prior consent);
- fraud detection;
- invoicing and interconnection payments.
There are no provisions in the PDPA that specifically address the issue of online privacy (including location and cookies data). Nonetheless, currently any electronic processing of personal data in Malaysia will be subject to the PDPA, and the Commissioner can issue additional guidance on this issue.
2.0.12 ELECTRONIC MARKETING
The Act will apply to most electronic marketing activities, as there is likely to be processing and use of personal data involved. The Act does not prohibit the use of personal data for the purposes of electronic marketing but provides individuals with the right to object to the processing of their personal data (“opt out”) for direct marketing purposes.
The Malaysian PDPA applies to electronic marketing activities involving the processing of personal data for the purposes of commercial transactions. There are no specific provisions in the PDPA that deal with electronic marketing. Nevertheless, the PDPA provides that a data subject may, at any time by notice in writing to a data user, require the data user at the end of such period as is reasonable in the circumstances to cease or not to begin processing his personal data for purposes of direct marketing. Direct marketing here means the communication by whatever means of any marketing or advertising material which is directed to particular individuals.
SAMPLE CASES
Based on the figure above, which is based on an online article, 10,000 data intrusion cases were recorded until the end of 2013, a significant rise of 100 cases compared to 2012. In 2013 itself, about 900 cases were reported.