˂  Back

Handling Requests from Data Subjects: Practical Guide for Data Protection Officers

It is a very common misconception among data users that compliance with the Personal Data Protection Act 2010 (the “PDPA 2010”) ends upon providing data subjects with a copy of the data users’ personal data protection notice and having received express consents from data subjects for the processing of their personal data. Data users often overlook the fact that the PDPA 2010 also provides for certain rights of data users vis-à-vis their personal data that are being processed by the data users, such rights of which include rights to access or correct personal data, rights to limit the processing of their personal data, etc. When faced with a request from data subjects in relation to the processing of their personal data, data users who do not have adequate protocol or internal policy in dealing with such request might find themselves unable to respond to the request appropriately, which may result in a breach of the PDPA 2010.

 

In this article, we are going to provide a quick step-by-step guide to assist data users with the handling of requests from data subjects to ensure compliance with statutory requirements under the PDPA 2010.

 

  1. 1. Assessing the Type of Request
  2.  It goes without saying that the first thing to do for a data user upon receiving a request from data subjects is to ascertain the nature of the request. Under the PDPA, data subjects have certain statutory rights to request (i) access to their personal data that is being processed by the data user; (ii) correction of their personal data; (iii) withdrawal of their consent to the processing of their personal data; and (iv) cessation of processing of their personal data for direct marketing purposes. With the recent introduction of the Personal Data Protection (Amendment) Bill 2024, data subjects may have an additional statutory right to request for the porting of their personal data from one data user to another data user.
  3.  
  4. Depending on the type of request submitted by a data subject, how the data user should respond to the request would also differ.
  5.  
  6. 2. Assessing the Sufficiency of the Request
  7. Upon receiving a request from data subjects, data users generally have twenty-one (21) days under the PDPA 2010 to respond to the same. That said, the ability of a data user to respond to a request from data subject in some instances also depends on whether the data subject has provided the data user with sufficient information that may be required.
  8.  
  9. Some examples of the circumstances where data users may have difficulty in complying with a data subject request are:
  10. (i) where the data subject has not provided sufficient information to identify himself or herself;
  11. (ii) where the data subject has not provided information required by the data user to locate the relevant personal data;
  12. (iii) where the data user is not satisfied that the personal data in its possession is inaccurate, incomplete, misleading or not up-to-date; or
  13. (iv) where the request is in relation to the porting of personal data, there is an incompatibility or technical infeasibility in the data format used by the porting data user and the receiving data user.
  14.  
  15. Where such an impediment exists, the data user should communicate with the data user to request the necessary information to enable the data user to comply with the request.
  16.  
  17. The above stated circumstances do not apply however where the requests from data subjects relate to the withdrawal of consent for personal data processing, limiting the processing of personal data for certain specific purposes.
  18.  
  19. 3. Complying with the Request
  20. Upon complying with the request, any changes to the personal data in the data users’ possession should be logged accordingly to record the changes. Data users should also confirm the compliance with the request from data subjects by communicating the actions taken to the data subjects.
  21.  
  22. 4. Establish Protocols on Data User Request
  23. Given the fixed timeline to comply with or respond to a data subject request under the PDPA 2010, it is fundamental that data users establish a clear protocol internally to deal with or handle data subject requests. This is to ensure that appropriate attention is given to the data subject requests and that appropriate measures can be taken to respond to each and every request.
  24.  
  25. Such personal data request handling protocol should document the internal process in managing and dealing with personal data request, what are the measures or mechanisms in place to process the personal data request, the manner of implementation of the consequences of complying with the personal data request, etc.

 

Handling personal data requests is no small feat, especially for a company that handles a large amount of personal data processing. A small slipup in responding to a personal data request may translate to financial penalty and/or imprisonment. Companies and data protection officers should take this task seriously to ensure compliance with the requirements of the PDPA 2010 at all times.

 

If your organisation needs help with crafting a protocol for the handling of personal data requests from data subjects, please feel free to reach out to the firm’s Technology Practice Group. Lawyers from the Technology Practice Group have a wealth of experience assisting clients with their legal needs, particularly pertaining to compliance with the Personal Data Protection Act 2010, and will certainly be able to assist.


About the authors

Lo Khai Yi
Partner
Co-Head of Technology & Corporate Practice Group
Technology, Media & Telecommunications, Intellectual
Property, Corporate/M&A, Projects and Infrastructure,
Privacy and Cybersecurity
ky.lo@hhq.com.my.

.

Ong Johnson
Partner
Head of Technology & Corporate Practice Group

Transactions and Dispute Resolution, Technology,
Media & Telecommunications, Intellectual Property,
Fintech, Privacy and Cybersecurity
johnson.ong@hhq.com.my


More of our Tech articles that you should read:

Our Services