PDPA Basics
Sensitive Personal Data
Data Subject Rights
Data Security
Enforcement and Penalties/Compliance
PDPA Basics (100)

What does PDPA stand for?

Personal Data Protection Act

Sensitive Personal Data (100)

Give an example of sensitive personal data under the PDPA.

(Any of) Religious beliefs, political opinions, health information, sexual life, biometric data, genetic data

Data Subject Rights (100)

What is the right of access under the PDPA?

The right of a data subject to request access to their personal data held by a data user.

Data Security (100)

What is a "data leak"?

The unauthorized or accidental disclosure of personal data

Enforcement and Penalties/Compliance (100)

Who is responsible for enforcing the PDPA in Malaysia?

The Commissioner of the Personal Data Protection Department (PDPD)

PDPA Basics (200)

When did the PDPA come into effect in Malaysia?

2010

Sensitive Personal Data (200)

True or False: A company can process sensitive personal data without consent if it is necessary to comply with a legal obligation.

True

Data Subject Rights (200)

If a data subject believes their personal data is inaccurate, what right can they exercise under the PDPA?

The right to correction.

Data Security (200)

Name one security measure that data users should implement to protect personal data.

(Any of) Access controls, encryption, data masking, regular backups, security awareness training

Enforcement and Penalties/Compliance (200)

What is the maximum fine that can be imposed on a company for a serious breach of the PDPA?

RM 500,000

PDPA Basics (300)

What is the main purpose of the PDPA?

To regulate the processing of personal data in commercial transactions

Sensitive Personal Data (300)

What is the general rule regarding the processing of sensitive personal data?

It requires explicit consent from the data subject.

Data Subject Rights (300)

True or False: A data subject can withdraw their consent to the processing of their personal data at any time.

True

Data Security (300)

True or False: A data user is not required to report a data breach to the authorities if it is unlikely to cause harm to the data subjects.

False (Data breaches must be reported to the Commissioner)

Enforcement and Penalties/Compliance (300)

True or False: A company can be held liable for a data breach even if it was caused by a third-party vendor.

True (if the company failed to take reasonable steps to prevent the breach)

PDPA Basics (400)

True or False: The PDPA applies to all organizations in Malaysia, regardless of size or industry.

False (It only applies to commercial transactions)

Sensitive Personal Data (400)

Can a company collect information about an employee's religious beliefs for the purpose of organizing a company event?

No, this would likely be considered excessive and unnecessary.

Data Subject Rights (400)

What is the purpose of the right to data portability?

To allow data subjects to transfer their personal data from one data user to another.

Data Security (400)

What is the purpose of a Data Protection Impact Assessment (DPIA)?

To identify and assess the risks to personal data associated with a particular processing activity.

Enforcement and Penalties/Compliance (400)

What is a "compliance notice" under the PDPA?

A notice issued by the Commissioner requiring a data user to take specific steps to comply with the PDPA.

PDPA Basics (500)

What is a "data user" under the PDPA?

A person or organization who processes personal data.

Sensitive Personal Data (500)

A hospital wants to share a patient's medical records with a research institution. What must they obtain from the patient before doing so?

Explicit consent.

Data Subject Rights (500)

A data subject wants to prevent a company from using their personal data for direct marketing purposes. What right can they exercise?

The right to prevent processing for direct marketing

Data Security (500)

A company stores customer data on a cloud server. What security measures should they consider to protect this data?

Encryption, access controls, strong passwords, regular security assessments of the cloud provider.

Enforcement and Penalties/Compliance (500)

What are some of the consequences a company might face for non-compliance with the PDPA?

Fines, imprisonment, reputational damage, loss of customer trust.