Do You Need to Register as a Data Controller Under the PDPA?
- ipgenn

Does your business fall under one of the 13 categories required to register as a Data Controller under the Personal Data Protection Act 2010 (PDPA)?
Many businesses are aware that the Personal Data Protection Act 2010 (PDPA) regulates the processing of personal data in Malaysia.
However, what many business owners may not realise is that certain businesses are also required to register as Data Controllers with the Personal Data Protection Department (JPDP) pursuant to Section 13 of the PDPA.
As a result, having a Privacy Notice or PDPA Policy alone may not be sufficient. Depending on the nature of your business, you may also be required to register with the PDPA Department before commencing or continuing your operations.

Who Is Required to Register as a Data Controller Under the PDPA?
The Malaysian Ministry of Communications and Multimedia has prescribed certain classes of Data Controllers that are required to register under the PDPA.
If your business falls within any of the categories below, you should assess whether registration is mandatory.
Tourism and Hospitality
Businesses operating within the tourism industry, including:
Travel agencies, tour operators or tour guides
Tourist accommodation providers, such as hotels, resorts, homestays
Tourism training institutions
These businesses are typically licensed and regulated under the Tourism Industry Act 1992.
Healthcare
Healthcare providers and certain healthcare-related entities, including:
Private hospitals, medical centres, private GP or specialist clinics and private dental clinics that are licensed and regulated under the Private Healthcare Facilities and Services Act 1998.
Pharmacists registered under the Registration of Pharmacists Act 1951.
Services
Professional Services
Businesses providing:
Legal services, such as law firms
Audit services
Accounting services
Engineering services
Architectural services
Retail and Wholesale Businesses
Companies conducting:
Retail dealing, such as retail shops, supermarkets, e-commerce retailers
Wholesale dealings
Employment Agencies
Businesses operating private employment or recruitment agencies under the Private Employment Agencies Act 1981.
Education
Private educational institutions, including higher educational institutions, schools, universities, colleges, international schools or private training institutions.
These are education services that are typically registered under the Private Higher Educational Institutions Act 1996 and the Education Act 1996.
Real Estate
Property and housing developers who fall under:
Housing Development (Control and Licensing) Act 1966.
Housing Development (Control and Licensing) Enactment 1978, Sabah.
Housing Developers (Control and Licensing) Ordinance 1993, Sarawak.
Direct Selling
Direct selling, multi-level marketing (MLM) and network companies licensed under the Direct Sales and Anti-Pyramid Scheme Act 1993.
Pawnbrokers
Pawnshops and pawnbroking businesses that are licensed under the Pawnbrokers Act 1972.
Moneylenders
Moneylenders or consumer lending businesses that are licensed under the Moneylenders Act 1951.
Communications
Businesses involved in telecommunications, communications or postal services that are licensed under the Communications and Multimedia Act 1998 and the Postal Services Act 2012.
For example, telecommunications providers, internet service providers (ISPs), mobile network operators, postal and courier service providers.
Banking and Financial Institutions
Banking and financial institutions that are licensed under Malaysian banking laws such as:
Financial Services Act 2013
Islamic Financial Services Act 2013
Development Financial Institution Act 2002.
For example, commercial banks, investment banks, Islamic banks, development financial institutions.
Insurance
Insurers licensed under the Financial Services Act 2013.
Takaful operators licensed under the Islamic Financial Services Act 2013.
Transportation
Certain transportation operators prescribed under the relevant Order.
The Order specifically lists various airline operators such as Malaysia Airlines, AirAsia, AirAsia X, Firefly and others.
Utilities
Certain utility providers specified under the relevant Order, such as electricity, water supply and utility service providers.
The Order specifically includes entities such as Tenaga Nasional Berhad and various state water supply operators.
The complete Personal Data Protection (Class of Data Users) Orders are available at the links below.
Personal Data Protection (Class of Data Users) Order 2013
Personal Data Protection (Class of Data Users) (Amendment) Order 2016
Frequently Asked Questions
Does every business need to register under the PDPA?
No.
Many businesses are required to comply with the PDPA because they process personal data in the course of commercial transactions. However, only businesses that fall within the prescribed classes of Data Controllers are required to register under the PDPA registration framework.
Is having a Privacy Notice or PDPA Policy enough?
Not necessarily.
Having a Privacy Notice, Privacy Policy or PDPA Policy is only one aspect of PDPA compliance. Businesses that fall within the prescribed classes should also determine whether registration as a Data Controller is mandatory.
What happens if a business fails to register?
Businesses that are required to register but fail to do so may be exposed to enforcement action and penalties under the PDPA.
Accordingly, it is important to assess your registration obligations before assuming that registration is not required.
Practical Tip for Business Owners in PDPA
One of the most common misconceptions we encounter is that a business is automatically PDPA compliant simply because it has a Privacy Notice or PDPA Policy on its website.
In reality, PDPA compliance and Data Controller registration are separate requirements.
If your business falls within any of the 13 categories above, you should assess whether registration with the Personal Data Protection Department is required in addition to implementing the necessary PDPA compliance measures.
Where there is uncertainty, obtaining professional advice early may help avoid compliance issues and regulatory risks later on.
Need Assistance With PDPA Data Controller Registration?
Determining whether a business falls within a prescribed class of Data Controllers is not always straightforward. In some cases, the answer may depend on the nature of the business activities being carried out and the applicable regulatory framework.
At LAWENCO, we assist businesses in assessing their obligations under the Personal Data Protection Act 2010 (PDPA), including whether registration as a Data Controller is required. Where registration is necessary, we are happy to assist with the preparation and submission of the registration application.
If you are unsure whether your business falls within one of the prescribed categories, feel free to contact us for a discussion.
Written by,
Registered Trademark, Patent and Design Agent
LL.B (HONS), CLP
Advocate & Solicitor
Disclaimer:
This article is intended for general informational purposes only and does not constitute legal advice. The application of the Personal Data Protection Act 2010 (PDPA) may vary depending on the specific circumstances of each business. Readers should seek professional legal advice before acting or relying on any information contained in this article.



