Malaysia: Implemented Personal Data Protection Act 2010 (Act 709) including data protection regulation

On 15 November 2013, the Personal Data Protection Act 2010 (Act 709) entered into force. The Act applies to anyone who processes or controls the processing of personal data in commercial transactions, a so-called data user. The Act specifies exemptions from the application in Section 45, for example for personal or recreational purposes or the purpose of investigations. The Act details personal data protection principles, namely the General Principle which lays out the legal bases necessary for data processing, the Notice and Choice Principle requiring a data user to inform the data subject of the purpose and scope of the data processing, and the Disclosure Principle stating that no data shall be disclosed for different purposes or to a third party without the consent of the data subject. Further, the Retention Principle regulates the allowed period to keep the data, while the Data Integrity Principle mandates the data user to keep accurate data and the Access Principle allows the data subject to access their data and correct it, if necessary.