APPLICATION

This Act applies to— (a) any person who processes; and (b) any person who has control over or authorizes the processing of, any personal data in respect of commercial transactions.

Subject to subsection (1), this Act applies to a person in respect of personal data if— (a) the person is established in Malaysia and the personal data is processed, whether or not in the context of that establishment, by that person or any other person employed or engaged by that establishment; or (b) the person is not established in Malaysia, but uses equipment in Malaysia for processing the personal data otherwise than for the purposes of transit through Malaysia.

This Personal Data Protection Notice explains how Accord Innovations uses your personal data.

Accord Innovations is fully committed to ensuring that our processing of personal data complies with the Personal Data Protection Act 2010 (PDPA).

This Notice relates to your personal data that you have voluntarily provided to Accord Innovations during your access to our services.

1. PERSONAL DATA PROTECTION PRINCIPLES

1. The processing of personal data by a data user shall be in compliance with the following Personal Data Protection Principles, namely

  1. the General Principle;
  2. the Notice and Choice Principle;
  3. the Disclosure Principle;
  4. the Security Principle;
  5. the Retention Principle;
  6. the Data Integrity Principle;
  7. the Access Principle.

2. A data user who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding three hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.

  1. GENERAL PRINCIPLE

    A data user shall not

    1.0 in the case of personal data other than sensitive personal data, process personal data about a data subject unless the data subject has given his consent to the processing of the personal data; or

    1.1 in the case of sensitive personal data, process sensitive personal data about a data subject except in accordance with the provisions of section 40.

    Notwithstanding paragraph (1) a data user may process personal data about a data subject if the processing is necessary—

    for the performance of a contract to which the data subject is a party; or the taking of steps at the request of the data subject with a view to entering into a contract;

    for compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract;

    in order to protect the vital interests of the data subject;

    for the administration of justice; or

    for the exercise of any functions conferred on any person by or under any law.

3. NOTICE AND CHOICE PRINCIPLE

1. A data user shall by written notice inform a data subject

1.0 that personal data of the data subject is being processed by or on behalf of the data user, and shall provide a description of the personal data to that data subject;

1.1 the purposes for which the personal data is being or is to be collected and further processed;

1.3 of the data subject’s right to request access to and to request correction of the personal data and how to contact the data user with any inquiries or complaints in respect of the personal data;

1.4 of the class of third parties to whom the data user discloses or may disclose the personal data;

1.5 of the choices and means the data user offers the data subject for limiting the processing of personal data, including personal data relating to other persons who may be identified from that personal data;

1.6 whether it is obligatory or voluntary for the data subject to supply the personal data; and

1.7 where it is obligatory for the data subject to supply the personal data, the consequences for the data subject if he fails to supply the personal data.

2. The notice under subsection (1) shall be given as soon as practicable by the data user

2.0 when the data subject is first asked by the data user to provide his personal data;

2.1 when the data user first collects the personal data of the data subject; or

2.2 in any other case, before the data user—

2.2.1 uses the personal data of the data subject for a purpose other than the purpose for which the personal data was collected; or

2.2.2 discloses the personal data to a third party.

A notice under subsection (1) shall be in the national and English languages, and the individual shall be provided with a clear and readily accessible means to exercise his choice, where necessary, in the national and English languages.

DISCLOSURE PRINCIPLE

8. Subject to section 39, no personal data shall, without the consent of the data subject, be disclosed for any purpose other than—

(i) the purpose for which the personal data was to be disclosed at the time of collection of the personal data; or

(ii) a purpose directly related to the purpose referred to in subparagraph (iii); or

to any party other than a third party of the class of third parties as specified in paragraph 7(1)(e).

4. SECURITY PRINCIPLE

A data user shall, when processing personal data, take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction by having regard— to the nature of the personal data and the harm that would result from such loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction; to the place or location where the personal data is stored; to any security measures incorporated into any equipment in which the personal data is stored; to the measures taken for ensuring the reliability, integrity and competence of personnel having access to the personal data; and to the measures taken for ensuring the secure transfer of the personal data.

1. Where processing of personal data is carried out by a data processor on behalf of the data user, the data user shall, for the purpose of protecting the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction, ensure that the data processor—

2.0 provides sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out; and

2.1 takes reasonable steps to ensure compliance with those measures.

5. RETENTION PRINCIPLE

1. The personal data processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose.

2. It shall be the duty of a data user to take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed.

DATA INTEGRITY PRINCIPLE

11. A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up to date by having regard to the purpose, including any directly related purpose, for which the personal data was collected and further processed.

6. ACCESS PRINCIPLE

A data subject shall be given access to his personal data held by a data user and be able to correct that personal data where the personal data is inaccurate, incomplete, misleading or not up-to-date, except where compliance with a request to such access or correction is refused under this Act.