Our trustee team has decades of trustee services administration experience with one of the earliest foreign bank owned and managed trustee companies in Malaysia. We have built and maintain strong relationships with clients over the long term.
We serve our clients without any conflict of interest and in compliance with the requirements under Malaysian law and the relevant regulatory authorities.
Read MoreWe provide continuity in existence, experience, expertise, manpower and accountability in carrying out its role as executor, trustee and custodian.
Read MoreEfficient and effective implementation of the estate plan. Wealth protection and preservation.Reasonable implementation costs during the lifetime and/or at a designated time determined by the client;
General data protection laws
The Personal Data Protection Act 2010 (“PDPA“).
Entry into force
The PDPA came into force on 15 November 2013.
Details of the competent national regulatory authority
Personal Data Protection Commissioner (“PDP Commissioner”)
Aras 6, Kompleks Kementerian Komunikasi dan Multimedia
Lot 4G9, Persiaran Perdana, Presint 4
Pusat Pentadbiran Kerajaan Persekutuan
62100 Putrajaya
Malaysia
www.pdp.gov.my
Notification or registration scheme and timing
Data users that fall under any one or more of the classes specified in the Personal Data Protection (Class of Data Users) Order 2013 (“Order”) are required to register with the PDP Commissioner. The relevant classes include banking and financial institutions, insurers, healthcare service providers, airline operators and utilities service providers.
Applicants must fill in Form 15(1) and submit it to the PDP Commissioner. Data users had a grace period of three months from the date the PDPA came into force (i.e. up to 14 February 2014) to submit their applications for registration.
Exemptions
No, there are no exemptions for registration for data users who fall under any one or more classes prescribed in the Order. However, only those who fall within any one or more of the classes are required to register.
Appointment of a data protection officer
There is currently no obligation for a data user to appoint a data protection officer.
What is personal data?
Personal data is defined as information that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, and includes any sensitive personal data and expressions of opinion about the data subject. This definition is therefore similar to the standard definition of personal data.
However, the PDPA only protects personal data that is used in connection with commercial transactions.
Is information about legal entities personal data?
No. However, as there have been no guidelines on what constitutes personal data, information regarding sole or individual proprietors and individual partners may be considered to be personal data.
What are the rules for processing personal data?
In order to legitimately process personal data, the seven Personal Data Protection Principles must be complied with.
Under the General Principle, in order for personal data to be processed, a data user must first seek and obtain the consent of data subjects. Alternatively, the processing must be necessary: (i) for the purposes of a contract with the data subject; (ii) for the taking of steps at the request of the data subject with a view to entering into a contract (iii) for compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract; (iv) in order to protect the vital interests of the data subject; (v) for the administration of justice; or (vi) for the exercise of any functions conferred on any person by or under any law. This principle also states that a data user may only process the personal data for purposes connected to the purpose for which the personal data was provided to the data user.
Data subjects also have a right under the PDPA to withdraw their consent to the processing of personal data by a data user.
The Disclosure Principle states that personal data of a data subject cannot be disclosed to any third party without the knowledge and consent of the data subject. Under the Data Integrity Principle, a data user must take reasonable steps to ensure that personal data processed is accurate, complete, not misleading, and up-to-date. The Retention Principle obliges a data user not to keep personal data for any longer than is required.
Data users are also subject to the Notice and Choice Principle, Security Principleand Access Principle, which are discussed in further detail below.
The PDPA contains a number of exemptions including exemptions for processing for personal purposes, journalistic purposes and judicial purposes.
Are there any formalities to obtain consent to process personal data?
No. The PDPA does not define “consent”, nor does it prescribe any formalities in terms of the consent. However, the Personal Data Protection Regulations 2013 provide that the data user must keep a record of consents from data subjects.
2024 © All Rights Reserved By GLOBAL ASSET TRUSTEE (M) BERHAD