Categories: PDPA 2010 CircularPublished On: 11/12/2013

Circular No. MF21/2013



The Minister of Communications and Multimedia has notified in the Federal Government Gazette [P.U. (B) 464] that the date on which the Personal Data Protection Act 2010 (PDPA) comes into operation is on 15 November 2013. The PDPA is a legislation that seeks to regulate the processing of personal data by data users in commercial transactions, so as to safeguard the interests of data subjects.

The following order and new regulations relating to the PDPA have also come into operation on 15 November 2013:

  1. Personal Data Protection Regulations 2013, which provide some clarification on the seven personal data protection principles;
  2. Personal Data Protection (Class of Data Users) Order 2013, which provide details on the class of data users that must be registered under the PDPA;
  3. Personal Data Protection (Registration of Data User) Regulations 2013, which provide details on the process of registration as a data user and documents needed for submission; and
  4. Personal Data Protection (Fees) Regulations 2013, which deal with fees payable under the PDPA.

We wish to draw your attention to the Personal Data Protection (Class of Data User) Order 2013 that specifies the class of data users that are required to be registered under the PDPA pursuant to section 14(1) of the PDPA, specifically clause 9(a)(ii) and (iii) in the Schedule to the said order which specifies the following class of data user:

A company registered under the Companies Act 1965 [Act 125] or a person who entered into a partnership under the Partnership Act 1961 [Act 135] carrying on business as follows:

  1. legal;
  2. audit;
  3. accountancy;
  4. engineering; or
  5. architecture.

As such, pursuant to section 15(1) of the PDPA, member firms (in partnerships) are required to register themselves with the Personal Data Protection Commissioner.

Under section 16(4) of the PDPA, a person who fails to register, and process personal data without a certificate of registration, commits an offence and shall on conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding three years or to both.

Kindly note that member firms in other business forms such as sole proprietorships and limited liability partnerships are still required to comply with the principles of the personal data protection, although there is no data user registration requirement at present, based on the requirement under section 13(2) of the PDPA.

Registration Process

The registration process is summarised in the Registration Flow Chart attached to this circular.

Kindly note that registration is required to be done by 15 February 2014.

For further details or enquiries, you may contact the Personal Data Protection Department/Registration Unit at 03-8911 5113 or 03-8911 7925.

Please be guided accordingly.

Chief Executive Officer