Lee Hishammuddin Allen & Gledhill

[TMT] Registration of Data Users Under the PDPA 2010

On 16 February 2022, the Department of Personal Data Protection (JPDP) issued the following circulars:

  • Circular 1/2022: Requirement to Register as a Data User under the Personal Data Protection Act 2010 (Registration Circular); and
  • Circular 3/2022: Obligation to Renew the Certificate of Registration as a Data User under the Personal Data Protection Act 2010 (Renewal Circular).

Registration Circular

The objective of the Registration Circular is to advise data users falling within the classes of data users specified under the Personal Data Protection (Class of Data Users) Order 2013 (Order) on the requirement to register with the JPDP as a data user pursuant to s 14 of the Personal Data Protection Act 2010 (PDPA). A “data user” is defined under the PDPA as a person who, either alone or jointly or in common with other persons, processes any personal data or has control over or authorises the processing of any personal data, but does not include a data processor. Pursuant to s 14, data users falling within the classes of data users as specified by the Minister of Communications and Multimedia must register themselves as such. These classes of data users are set out in the Order and include the following sectors:

  1. Communications, which include licensees under the Communications and Multimedia Act 1998 (CMA) and the Postal Services Act 2012, respectively;
  2. Banking and financial institutions, which include licensed financial institutions under the Financial Services Act 2013 (FSA) and the Islamic Financial Services Act 2013 (IFSA) respectively, as well as a development financial institution under the Development Financial Institution Act 2002;
  3. Insurance, which includes licensed insurers and takaful operators under the FSA and IFSA, respectively;
  4. Health, which includes licensees and registered clinics under the Private Healthcare Facilities and Services Act 1998 as well as body corporates registered under the Registration of Pharmacists Act 1951;
  5. Tourism and hospitality, which includes licensees and any operator of an accommodation premises under the Tourism Act 1992;
  6. Transportation, which is limited to airlines;
  7. Education, which includes educational institutions registered under the Private Higher Educational Institutions Act 1996 and the Education Act 1996, respectively;
  8. Direct selling, which includes licensees under the Direct Sales and Anti-Pyramid Scheme Act 1993;
  9. Services, which include those carrying out various services including legal, accountancy and architecture, entities carrying out retail dealing and wholesale dealing as defined under the Control Supplies Act 1961 as well as private employment agencies;
  10. Real estate, which includes housing developers;
  11. Utilities, which include utility providers such as Tenaga Nasional Berhad;
  12. Pawnbrokers licensed under the Pawnbrokers Act 1972; and
  13. Moneylenders licensed under the Moneylenders Act

Data users falling within two or more of the sectors listed above are required to make separate applications to register for each and every class they fall under.

Registration for data users can be made online and is subject to an annual fee ranging from RM100 to RM400, depending on the corporate structure of the data user. The validity period of the registration can be made for up to 10 years. A certificate of registration will be issued by the JPDP upon successful registration by the data user. Notwithstanding the aforementioned, the Personal Data Protection Commissioner (Commissioner) is empowered under s 16 of the PDPA to refuse an application.

Data users falling within the classes of data users specified under the Order that fail to register with the JPDP commit an offence under the PDPA, which is punishable by a fine not exceeding RM500,000 or imprisonment not exceeding three years, or both.

Renewal Circular

The Renewal Circular provides guidance on the process of renewing the certificate of registration of a data user. Pursuant to s 17 of the PDPA, renewal applications must be made prior to the expiry of the certificate of registration, being not later than 90 days before such expiry. Any renewal application submitted after 90 days will not be accepted, and the data user will need to apply afresh for a certificate of registration.

The term of the renewed certificate of registration may be made for up to 10 years, and will be subject to an annual fee ranging between RM100 and RM400, depending on the corporate structure of the data user.

 

Pursuant to s 17 of the PDPA, the Commissioner may refuse to renew a certificate of registration if:

  1. the data user has failed to comply with any provisions of the PDPA;
  2. the data user has failed to comply with any conditions or restrictions imposed upon the issuance of the certificate of registration; or
  3. the Commissioner is satisfied that the data user is unable to continue the processing of personal data in accordance with the PDPA.

A data user that fails to renew its certificate of registration and continues to process personal data following the expiry of such certificate commits an offence under the PDPA, and may be subject to a fine not exceeding RM250,000, imprisonment for a term not exceeding two years, or both.

The circulars serve as a timely reminder that organisations should examine whether they fall within any of the classes of data users specified in the Order and assess whether they are subject to the requirement to register with the JPDP pursuant to the PDPA. In addition to the issuance of circulars, we have seen licensees under the CMA receiving notification/reminder letters from the Malaysian Communications and Multimedia Commission to register with the Commissioner, which suggests that the authorities are taking proactive steps in monitoring the level of compliance with the PDPA by data users. Once registered, organisations should be mindful of the timelines in submitting the renewal application of the certificate of registration, so as to avoid the rejection of such application and exposing the organisation to the sanctions under the PDPA as specified above.

It should be noted that data users, whether subject to registration or not, are required to comply with the personal data protection principles under the PDPA in processing personal data. However, data users registered with the JPDP must comply with sectoral codes of practice which set out sector-specific guidance to be adopted and implemented by data users in their processing activities.

If you have any queries, please contact the author or her team partner Teo Wai Sum (tws@lh-ag.com).
