How do I use the Malaysian PDPA to stop telemarketers from calling me?

You’re going through your day, working on that upcoming project your boss has high hopes on you for. It’s almost noon and you’re almost finished with that little bit more before you go for your lunch break. That’s when it happens, a number you don’t recognize is calling you.

You pick up and find out it’s a telemarketer trying to hard-sell you their new product. You’re puzzled that they have your number. You signed up for a credit card recently, but this telemarketer isn’t even from your bank! How did they contact you???

Image from memegenerator.

This is a scenario all too common for us Malaysians. While banks are allowed to use your information for their own marketing (unless you tell them not to!), some other groups may not have gotten your number through legit means. We tend to accuse our bank or telecommunication service providers of selling our information - though we’re not sure who the culprits actually are - but did you know that these companies can get into big trouble if they're found guilty of misusing your personal data?

But wait, what exactly is "Personal data"?

Under the Malaysian Personal Data Protection Act 2010 (The PDPA), you’re given many rights and responsibilities to do with your personal information. As long as you are identified or identifiable, companies and individuals need your permission to use your personal data for commercial purposes.

Image from buyrsmoney.

It’s a bit technical because of the distinction between data that makes you “identified” and “identifiable", but basically:

Identified: any data that you specifically own, or narrows down who you are (eg. name, address, contact number, NRIC number, etc.)

Identifiable: any data that is specific to you but may not tell others who you are (eg. “the branch manager of ____”, an email named wecantgivelegaladvice@asklegal.my)

This is provided in Section 4 of the PDPA, which further states that any information that may identify you (such as letters and emails to/from you), sensitive personal data, and opinions about you are protected information. This does not include data collected about your credit rating by credit reporting agencies though.

Section 4 of the PDPA 2010 - Interpretation - “personal data” (in part)

“relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject;”

Opinions about you include facts and particulars like “he injured his foot last week”, or “she earns RM400,000 per year”. When it comes to sensitive personal data, it’s defined in Section 4 yet again:

“sensitive personal data” means any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence or any other personal data as the Minister may determine by order published in the Gazette;”

Sensitive information cannot be used without your consent in writing. There are exceptions for employment, medical use, and legal administration where sensitive information may be required under Section 40(1)(b). We’d list them here but it’s a LONG list.

Companies have 7 responsibilities with your personal data

You may be familiar with notices Malaysian companies sent you like this one from Touch N Go. The PDPA imposes 7 principles that Malaysian companies holding your personal data are responsible for. These are provided in Sections 6 through 12 of the Act.

Image from Touch N Go.

I) General Principle

As mentioned before, your consent is needed to use your personal data. There are a few exceptions which include to supply goods and services to you (like delivering items to your address), to protect your interests, or when required by law enforcement.

II) Notice and Choice Principle

The company given your personal data must inform you of:

1. What data they have about you
2. What they’re using it for
3. Where they got it from
4. That you have a right to access and correct your personal data
5. How to file questions or complaints about your data with them
6. What third parties they will disclose your data to (such as their subsidiary company)
7. Limits you can place on your data’s usage (e.g. they can use it to contact you but not for marketing)
8. Whether you must give them your data and why

III) Disclosure Principle

This is pretty straightforward. Companies may not use your personal data for anything, or share with any third party that they have not told you about.

IV) Security Principle

Companies must take reasonable security measures and practices to ensure your personal data is safe and is not misused, including by their own employees. What’s reasonable depends on the situation; for example, credit card numbers and NRIC numbers must be given higher protection.

V) Retention Principle

Companies must not keep your personal data for longer than necessary. For instance, if you’re no longer their customer and the records are not required for anything else, your data must be disposed of.

VI) Data Integrity Principle

It’s a company’s duty to make sure they keep your personal data updated and accurate. You may recall staff from your service providers asking if your contact details have changed each time you visit. This is not to annoy you but rather to fulfill their legal duty!

VII) Access Principle

Companies are required to give you the ability to access and update your personal data. It’s a freedom and convenience to update your information as you need.

What to do if your data is misused

You may be in 1 of the 3 scenarios below:

1. You don’t want your data being used for direct marketing.

2. Your data has been used by someone you didn’t give permission to.

3. The company did not fulfill one or more of the 7 responsibilities.

In the first case, you’ll first want to inform the company to not use your information for direct marketing under Section 43(1) of the PDPA. Companies usually have an option for you to not be contacted for direct marketing in the contract you signed, which you may or may not have noticed. You can always opt out of their direct marketing later if you did not at first. In the case of online newsletters, there will be an option in the newsletter itself (probably in small print at the bottom) that allows you to unsubscribe.

Here's an example of where to find the "unsubscribe" button in an email.

If a company continues to contact you for direct marketing, read on.

In all of the above situations, you may contact the Personal Data Protection Commissioner by sending a report at their website, or by email. Be as specific as you can and attach any files or pictures you may have to help their investigation. There are various offences that a company can be convicted of (yes, companies can commit crimes) for which the people responsible can be jailed and the company fined several hundred thousand ringgit, depending on the offence.

Also, if you know that one or more individuals got your contact information without your permission, get their particulars and report them to the PDP Commissioner. If they are found guilty of buying your details from an insider, each of them including the insider will be liable to fines and jail terms.

You may also contact your lawyer to seek remedy through the courts especially if you have suffered financial loss. Please note that each case is unique and you should consult your lawyer for more information.