Under the Personal Data Protection Act 2010 ("PDPA"), there are 13 specified classes of data users ("Specified Classes") that are subject to additional requirements under the PDPA, including the requirement to draw up binding Codes of Practice to set out data protection requirements that are tailored to their particular industries (e.g., banking, insurance, education, etc.).
For the Specified Classes that have yet to establish Data User Forums and have yet to register their respective Codes of Practice with the Personal Data Protection Commissioner ("Commissioner"), the Commissioner has since issued the General Code of Practice of Personal Data Protection ("General COP"), which came into effect on 15 December 2022.
The General COP clarifies certain PDPA provisions and introduces several new requirements for the Specified Classes. Key provisions include: (i) additional information to be included in privacy notices; (ii) minimum clauses for agreements with data processors; and (iii) guidance on using personal data for direct marketing.
Failure to comply with the General COP can result in a fine of up to RM100,000 or imprisonment of up to one year, or both, for representatives of organisations that belong to Specified Classes that must comply with the General COP.
While the General COP is not binding upon other data users, the provisions outlined in the General COP are instructive about the Commissioner’s latest expectations in relation to the minimum measures required to be implemented by data users under the PDPA.