Home banner a03220e2 5398 45ca 93ec 57754f8a0f43


Can friends "refer" your contact to companies without your permission in Malaysia?

over 5 years ago JS Lim





This article is for general informational purposes only and is not meant to be used or construed as legal advice in any manner whatsoever. All articles have been scrutinized by a practicing lawyer to ensure accuracy.




There are some things is life that can be considered unsolvable mysteries, such as the JFK assassination, alien abductions, and…. How the heck that telemarketer got your phone number??

Image from memegenerator

Most of them are from your banks, or might be trying to sell you insurance, but have you ever been called by a company which you’ve never done business with before? Where on earth did they get your number from eh? Bigger mystery!

[READ MORE - How do I use the Malaysian PDPA to stop telemarketers from calling me?]

There’s a possibility some of these guys got your details through data breaches like the time personal details behind 46.2 million Malaysian numbers were offered on the Lowyat forums. But the real cause might not even be something that serious. You might just find that what happened was a friend of yours recently gave your contact details to a company as a referral, in exchange for some free products or services…

[READ MORE - Are Malaysian Telcos responsible for the Lowyat data breach? Can we sue them?]

You might not like your friend sharing your number without your permission, but is there any legal action you can take? And do you go after your friend, or the company?


Your friend is probably off the hook

Image from 4thyearofvetschool

Most countries don’t have any laws about giving out a person’s contact details, and Malaysia is no different. So...your friend probably won’t get into any legal trouble (unfortunately…)

It’s not like there aren’t safeguards in place to protect our personal information, but while we have the Personal Data Protection Act 2010 (PDPA) in place to protect our personal information, this law only applies to people and companies that collect personal relation to commercial transactions only. So the PDPA will not apply to your friend unless he makes a living out of giving your number to other people, or gave your personal details out as part of a business transaction.

But, if your friend somehow has enough of your information to sign you up for a membership (as a prank maybe), that could end up as a case of “cheating by personation” under Section 416 of the Penal Code - basically it’s pretending to be someone else in order to get a person to do something. Otherwise, contact details are generally seen as free and open for people to obtain.


But...the company that got your contact is not allowed to use it

Image from giphy

While your friend probably doesn’t use your contact details to do business, the company that got your details is a collector of personal data for commercial purposes - to get and maintain customers. The company can certainly use your friend’s details since they were freely given, but the company can’t use your contact information unless you consented to it.

Personal Data Protection Act 2010 - General Principle (in part)
“A data user shall not…...process personal data about a data subject unless the data subject has given his consent to the processing of the personal data…”

This means it’s illegal for them to call you, since they didn’t exactly get your permission to collect or use your data. There are 7 principles in the PDPA which protect your personal info, among which, you’re supposed to know if your contact details were being collected, what info exactly was collected, and exactly what the company wants to use it for. In essence, companies that operate in Malaysia need your permission to collect and use your information.

Personal Data Protection Act 2010 - Section 30(1)
“An individual is entitled to be informed by a data user whether personal data of which that individual is the data subject is being processed by or on behalf of the data user.”

In usual cases where you’re applying to open an account with a service provider, these notifications will normally be in the fine print of your registration forms and/or contract. But if you’re not informed in one way or another, the company could get into big trouble, with fines of up to several hundred thousand ringgit depending on the severity of the offence.

You can learn more about how the PDPA works in our article linked below.

[READ MORE - How do I use the Malaysian PDPA to stop telemarketers from calling me?]


You can report offending companies to…

Image from AskLegal

If an unauthorized company has gotten their hands on your contact info without your knowledge, you can (and should) report them to the Department of Personal Data Protection.

You can either file a report at their website, or send them an email. Detail the incident as clearly as you can, and attach any files or pictures you may have to help their investigation (for example, if the unauthorized company reached out over email).

The same goes for if you suspect your personal details were sold illegally (and not traded by your friend for a coupon). On the off chance that you’ve suffered losses (whether reputational, financial, harassment, etc.) from your information being misused, you can also seek compensation through the courts - contact your lawyer to see what can be done.

personal data protection act
friend gave your contact details without permission
illegal referral
226471 154970547902448 7202539 n
JS Lim

Jie Sheng knows a little bit about a lot, and a lot about a little bit. He swings between making bad puns and looking overly serious at screens. People call him "ginseng" because he's healthy and bitter, not because they can't say his name properly.