With the intensification of economic globalization and the deepening of economic and cultural exchanges between China and Southeast Asian countries, Southeast Asia has become one of the main destinations for Chinese enterprises expanding overseas. However, because the digital commerce environment differs considerably from one Southeast Asian country to another, companies investing in the region often face data compliance challenges. This article provides a cross-border data compliance guide for Chinese companies expanding into Malaysia.
Data protection law and regulation system
Malaysia attaches great importance to the digital economy, industry and cyber security. The Personal Data Protection Act enacted in 2010 filled a legal gap in Malaysia in the area of personal information protection. At present, Malaysia's data protection law system consists mainly of the Personal Data Protection Act 2010 (PDPA), its related supporting regulations, and sector-specific legislation.
Key features of the Personal Data Protection Act
Definition and Criteria for Identification of "Personal Data":
According to Article 4 of the PDPA, personal data is defined as any information in respect of a commercial transaction that relates directly or indirectly to the data subject and can be used to identify the data subject. By contrast, the European Union's General Data Protection Regulation (GDPR) defines "personal data" as any information relating to an identified or identifiable natural person, and its protection is not limited to data arising from commercial transactions.
As to the criteria for identifying personal data, the PDPA and the EU GDPR are consistent: both emphasize the "identifiable" and "structured" characteristics of the data. "Identifiability" is regarded as the key attribute of personal data and the core criterion for deciding whether a given item of data is personal data. The "structured" requirement means that the personal data must be processed by automated means, or be recorded manually with the intention that it will be processed automatically or stored in a filing system or similar carrier.
Right to be forgotten (right to erasure)
Article 17 of the GDPR provides, for the first time, an explicit "right to be forgotten (right to erasure)". Under this provision, the data subject has the right to request that the data controller delete data relating to him or her that has been published on the Internet, whether by the data subject or by a third party, where that data is unreasonable or may have a negative impact on his or her social evaluation. Under Article 17, paragraph 1, the data subject may request erasure of his or her personal information in six cases, including where the controller no longer has any legal basis or reason for processing the personal information, and where the data subject withdraws consent and authorization; the controller is obliged to carry out such a request without undue delay. Deletion is therefore not limited to statutory grounds but may also be triggered by the data subject's withdrawal of consent and authorization.
In contrast, the PDPA does not grant data subjects a right to be forgotten. Although Article 10 of the Act provides that personal data shall not be retained longer than necessary, this does not amount to an individual right to be forgotten. Under the PDPA, data deletion must rest on statutory grounds, namely that retention of the data is no longer necessary, and cannot be based solely on the data subject's withdrawal of consent or authorization.
Right to data portability
According to Article 20 of the GDPR, the right to data portability means that the data subject has the right to receive the personal data concerning him or her that he or she has provided to the data controller, in a structured, commonly used and machine-readable format, and has the right to transmit those data to another controller without hindrance.
Unlike the EU GDPR, the PDPA does not provide for a right to data portability. While Article 30 of the PDPA gives data subjects the right to access their personal data in documentary form and to request that a copy of their personal information be provided to them in an intelligible form, it does not expressly grant the data subject the right to transfer his or her personal data to third parties, including other data users.
Data Protection Officer Settings
Under the EU GDPR, a data protection officer must have expert knowledge of data protection law and practice and must report directly to the highest management level of the controller or processor. In addition, the data protection officer is bound by confidentiality in performing his or her duties and must not engage in activities that could give rise to a conflict of interest. The controller or processor must communicate the contact details of the data protection officer to the supervisory authority, and must provide the resources necessary for the officer to carry out his or her duties and maintain his or her expertise. In contrast, although the PDPA requires the appointment of a data protection officer, it contains no comparable provisions.
Mandatory registration of data users
In order to regulate the data collection activities of data users effectively, the PDPA has introduced a mandatory registration system for data users in specified industries. This registration system is similar in nature to the industrial and commercial registration of enterprises in China: the relevant regulatory authority records the registration after a formal examination only and does not conduct a substantive examination.
Malaysia relies on ex post facto supervision to regulate the conduct of data users and emphasizes the importance of information disclosure. The Personal Data Protection (Class of Data Users) Order and the Personal Data Protection (Registration of Data Users) Regulations promulgated in 2013 set out specific provisions for the registration and management of data users.