Privacy Policy for Malaysian Business
A privacy policy, in the context of data protection law, is a statement or a legal document (in privacy law) that discloses some or all of the ways a party collects, uses, discloses, and manages a customer or client’s data. It fulfils a legal obligation to safeguard customer or client privacy. In Malaysia, businesses handling personal data must comply with the Personal Data Protection Act 2010 (PDPA). The PDPA requires businesses to have a written privacy policy which must be made available to individuals upon request.
Frequently Asked Question
What should be included in a privacy policy for Malaysian businesses?
At a minimum, your privacy policy should include:
– the types of personal data you collect and process
– the purposes for which you collect and use personal data
– how do you collect personal data
– with whom you share personal data
– how long do you retain personal data
– what rights do individuals have in relation to their personal data
– how individuals can contact you about your handling of their personal data.
You may also want to consider including other clauses such as:
– the legal basis on which you process personal data (e.g. consent, contract, etc.)
– whether you transfer personal data outside of Malaysia and, if so, where it is transferred to
– what security measures do you have in place to protect personal data
– what third-party service providers do you use, and how they are allowed to use personal data.
Including these clauses is not compulsory but may be advisable depending on your business and the type of personal data you process. You should speak to a lawyer about which clauses are appropriate for your business.
What are the consequences of not having a privacy policy?
If you do not have a privacy policy, you will miss out on an opportunity to set out clear expectations between you and your customers or clients about how their personal data will be used. Not having a privacy policy may also result in your customers’ misunderstandings about your business- for example, they may think that you will share their personal data with third parties when you actually do not.
Your customers may also have certain legal rights under the PDPA, which they could assert against you if there is no privacy policy in place. In summary, not having a privacy policy risks creating confusion and uncertainty between you and your customers and may result in legal problems down the line. It is, therefore, advisable to have a clear and well-drafted privacy policy for your business.
If you need assistance drafting a privacy policy for your business, please contact us. Our team of experienced lawyers can help you tailor-make a privacy policy that is specific to your business and the services you provide.
Does Privacy Policy need to be GDPR compliant?
The General Data Protection Regulation (GDPR) is a set of regulations implemented by member states of the European Union in order to protect digital data privacy. The GDPR applies to businesses with EU customers, regardless of whether the business is based inside or outside the EU.
If you have EU customers, you will need to comply with the GDPR unless an exception applies. One potential exception is if your business does not have an establishment in the EU but offers goods or services to individuals in the EU- in this case, you will only be subject to the GDPR if you process personal data for certain purposes related to offering goods or services (e.g. marketing) or monitoring behavior that takes place within the EU.
If you are not sure whether the GDPR applies to your business, you should seek legal advice. Even if the GDPR does not apply to your business, you may still need to comply with other data protection laws, such as the Personal Data Protection Act 2010 in Malaysia.