Malaysia - What Is Personal Data Under The GDPR?

14 November, 2018

As mentioned in our previous article, the General Data Protection Regulations (“GDPR”) apply to organizations that control or process personal data of subjects in the European Union.

We have written various articles on the Personal Data Protection Act 2010 of Malaysia (“PDPA”), including the meaning of personal data under the PDPA. What about the term ‘Personal Data” used in the GDPR? Does it mean the same thing?

Definition of Personal Data under the GDPR

The GDPR defines personal data as “any information relating to an identified or identifiable natural person”[1].

As such, personal data includes information relating to an individual who:

Can be identified or who are identifiable, directly from the information in questions (i.e. an identifier); or
Who can be indirectly identified from that information in combination with other information.

Identified & Identifiable

If, by looking solely at the information one is processing, an individual can be distinguished from other individuals, then the individual is identified or identifiable.

To determine whether an individual is identifiable, one should consider the means reasonably likely to be used to identify the individual.[2]

Reasonable likeliness, meanwhile, takes into account objective factors such as the cost and effort required for identification, including the available technology at the time of processing.

To boil it down, if it is easy for one to identify an individual from the information being processed, the information will be personal data in the context of the GDPR.

Identifiers

The GDPR helpfully lists out non-exhaustive examples of identifiers, including names, identification numbers, location data, online identifiers or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person.

Online Identifiers

Interestingly, the GDPR specifically lists online identifiers as an example of identifiers.

Online identifiers are provided by a user’s device, applications, tools and protocols, and include internet protocol addresses, cookie identifiers and radio frequency identification tags. Used together with other unique identifiers and information received by the servers, online identifiers may be used to create profiles of natural persons.

Contrast with the PDPA

Under the PDPA, personal data means information processed in respect of commercial transactions, from which a data subject can “be identified or is identifiable”. [3]

As we can see from above, the GDPR takes a similar approach to the PDPA by not setting out hard and fast rules as to what classes of information are personal data. Both focus on the identifiability of a data subject to determine whether or not a class of information would constitute personal data.

However, the GDPR apply to automated processing of personal data which form or are intended to form part of a filing system. As such, the application of the GDPR does not seem to be limited to “commercial transactions”.

The GDPR further specifically lists out examples of identifiers, and the recitals of the GDPR give more guidance on the determining the “identifiability” of any class of information.

A note on pseudonymisation vs anonymization

The GDPR introduces the concept of pseudonymisation, which means the processing of personal data which renders a specific data subject unidentifiable without additional information.[4]

Pseudonymisation should be contrasted with anonymization, the latter of which means irreversibly destroying any ways to identify data subjects, when the personal data is no longer needed by the organizations. The GDPR does not apply to personal data anonymized by the processing organization. However, the GDPR will apply to pseudonymized data, as it is still possible for organizations to re-identify an individual with the pseudonymized information.

Nevertheless, pseudonymisation remains one of the organizational measures recommended in the GDPR to ensure the security of personal data. [5]

For further information, please contact:

Donovan Cheah, Partner, Donovan & Ho

donovan@dnh.com.my

[1] Article 4(1), GDPR

[2] Recital 26, GDPR

[3] Section 4, PDPA

[4] Article 4(5), GDPR

[5] Article 32, GDPR

Malaysia – What Is Personal Data Under The GDPR?

Thailand – Thai SEC Proposes Changes To Takeover Rules.

Thailand Reaffirms Alcoholic Beverage Packaging And Labeling Requirements.

- Atthachai Homhuan - Director, Regulatory Affairs, Tilleke & Gibbins

Privy Council Clarifies Cayman Islands Law On Shareholder Standing To Bring Personal Claims Against A Company Alleging That Shares Were Allotted For An Improper Purpose.

Jersey To Significantly Increase Compensation In Employment Cases.

India – AKP Banking & Finance Digest- November 18, 2024.

- Anuroop Omkar - AK & Partners,

Oil & Gas Sector Investment Kazakhstan Mitigating Risks In M&A Transactions.

- Raushana Chaltabayeva - Unicase Law,

Kazakhstan – Financing Renewable Energy Projects Bankability Of PPA.

- Saniya Perzadayeva - Unicase Law Firm,

Malaysia – What Companies Need To Understand About Transfer Pricing.

Employer Sponsorship And Work Permits In Indonesia.

- Stephen Igor Warokka - SSEK,

Labor And Employment Law Updates From Indonesia And The World.

CONVENTUS LAW

OTHERS

Malaysia – What Is Personal Data Under The GDPR?

Register for your monthly Asia legal updates from Conventus Law

- Manisha Singh - Lex Orbis,

Footer

CONVENTUS LAW

OTHERS