Buku Standard PDP2015

The document outlines standards for personal data protection in Malaysia, including security, retention, and data integrity standards for personal data processed electronically and non-electronically. It establishes requirements for access controls, physical security measures, backups, malware protection, restrictions on removable media/cloud transfers without approval, and auditing of access records to protect personal data from unauthorized loss, misuse, modification or destruction.

Uploaded by

Davina Joyce

STANDARD PERLINDUNGAN DATA PERIBADI 2015
PERSONAL DATA PROTECTION STANDARD 2015

PESURUHJAYA PERLINDUNGAN DATA PERIBADI MALAYSIA
The Personal Data Protection Commissioner Malaysia

CONTENTS

Personal Data Protection Standard 2015

PART I
PRELIMINARY

Standard
1. Name and commencement
2. Interpretation
3. Application

PART II
Security Standard
Retention Standard
Data Integrity Standard

PERSONAL DATA PROTECTION REGULATIONS 2013
PERSONAL DATA PROTECTION STANDARD 2015

PART I
PRELIMINARY
1. Short title and commencement.
2. Interpretation
3. Application

PART II
Security Standard
4. Establishment of the security standard for personal data processed electronically.
5. Establishment of the security standard for personal data processed non-electronically.

Retention Standard
6. Establishment of the retention standard for personal data processed electronically and personal data processed non-electronically.

Data Integrity Standard
7. Establishment of the data integrity standard for personal data processed electronically and personal data processed non-electronically.

CONTENTS

Personal Data Protection Standard 2015

PART I
PRELIMINARY

Standard
1. Short title and commencement
2. Interpretation
3. Application

PART II
Security Standard
Retention Standard
Data Integrity Standard

PERSONAL DATA PROTECTION REGULATIONS 2013
PERSONAL DATA PROTECTION STANDARD 2015

PART I
PRELIMINARY
1. Short title and commencement
2. Interpretation
3. Application

PART II
Security Standard
4. Establishment of the security standard for personal data processed electronically.
5. Establishment of the security standards for personal data processed non-electronically.

Retention Standard
6. The standard for retention of personal data which is processed electronically and non-electronically.

Data Integrity Standard
7. Establishment of data integrity standard for personal data processed electronically and non-electronically.

PERSONAL DATA PROTECTION STANDARD 2015

PERSONAL DATA PROTECTION REGULATIONS 2013
PERSONAL DATA PROTECTION STANDARD 2015

PART I
PRELIMINARY

Standard
1. Name and commencement
2. Interpretation
3. Application

PART II
PERSONAL DATA PROTECTION STANDARD

1. Security Standard
   Establishment of the Security Standard for Personal Data Processed Electronically
   Establishment of the Security Standard for Personal Data Processed Non-Electronically

2. Retention Standard
   Establishment of the Retention Standard for Personal Data Processed Electronically and Non-Electronically

3. Data Integrity Standard
   Establishment of the Data Integrity Standard for Personal Data Processed Electronically and Non-Electronically

PERSONAL DATA PROTECTION REGULATIONS 2013
PERSONAL DATA PROTECTION STANDARD 2015

IN exercise of the powers conferred by articles 6, 7 and 8 of the Personal Data Protection Regulations 2013 [P.U. (A) 335], the Commissioner makes the following determinations:

PART I
PRELIMINARY

1. Short title and commencement

1.1 This Standard may be cited as the Personal Data Protection Standard 2015.
1.2 This Standard comes into operation immediately from the date published by the Commissioner.

2. Interpretation

In this Standard, unless the context otherwise requires-

“standard” means a minimum requirement issued by the Commissioner, which provides, for common and repeated use, rules, guidelines or characteristics for activities or the results of those activities, aimed at the achievement of the optimum degree of order in a given context.

3. Application

3.1 This Standard applies to-

a. any person who processes; and
b. any person who has control over or authorizes the processing of any personal data in respect of commercial transactions.

PART II
Security Standard

4. Establishment of the security standard for personal data processed electronically

4.1 A data user shall provide practical security measures when processing personal data to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction, taking into account the following factors:

SECURITY OF PERSONAL DATA PROCESSED ELECTRONICALLY

NO. DESCRIPTION

1. Register all employees involved in the processing of personal data.
   [Illustration: Registration of employees]

2. Terminate an employee’s access rights to the personal data system after the employee resigns, is dismissed, or has a contract or agreement terminated, or adjust them in accordance with changes in the organization.
   [Illustration: Extent of authority]

3. Control and limit the extent of employees’ authority to access personal data for the purpose of collecting, processing and storing personal data.

4. Provide a user ID and password for employees who are authorized to access personal data.

5. Revoke the user ID and password immediately when an employee who is authorized to access personal data no longer handles personal data.
   [Illustration: Access rights]

6. Establish physical security procedures such as the following:
   i. control movement in and out of the data storage site;
   ii. store personal data in an appropriate location, that is, one that is safe from physical or natural threats and is not exposed;
   iii. provide closed-circuit cameras at the data storage site (if necessary); and
   iv. provide security control 24 hours a day (if necessary).

7. Update the Back up/Recovery System and anti-virus software to protect personal data from intrusion incidents and the like.

8. Protect computer systems from malware threats to prevent attacks on personal data.

9. The transfer of personal data through removable media devices and cloud computing services is not permitted except with the written permission of an officer authorized by the top management of the data user organization.

10. Record any transfer of personal data that uses removable media devices and cloud computing services.

11. The transfer of personal data through cloud computing services must comply with the Personal Data Protection Principles in Malaysia and in other countries that have personal data protection laws.

12. Maintain records of access to personal data periodically and properly; such records shall be produced when directed by the Commissioner.

13. Ensure that all employees involved in the processing of personal data always maintain the confidentiality of the data subject’s personal data.

14. A contract must be established between the data user and the party appointed by the data user to handle and carry out personal data processing activities. This is for the purpose of ensuring the security of personal data against loss, misuse, modification, and unauthorized access and disclosure.

5. Establishment of the security standard for personal data processed non-electronically

5.1 A data user shall provide practical security measures when processing personal data to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction, taking into account the following factors:

SECURITY OF PERSONAL DATA PROCESSED NON-ELECTRONICALLY

NO. DESCRIPTION

1. Register employees who manage personal data in a registration system/book before they are allowed to access personal data.

2. Terminate an employee’s access rights to personal data after the employee resigns, is dismissed, or has a contract or agreement terminated, or adjust them in accordance with changes in the organization.

3. Control and limit the extent of authority to access personal data for the purpose of collecting, processing and storing personal data.

4. Establish physical security procedures such as the following:
   i. store all personal data in an orderly manner in files;
   ii. store all files containing personal data in a locked place;
   iii. keep all related keys in a safe place;
   iv. provide a key storage record; and
   v. store personal data in an appropriate location, that is, one that is safe from physical or natural threats and is not exposed.

5. Maintain records of access to personal data periodically and properly; such records shall be produced when directed by the Commissioner.

6. Ensure that all employees involved in the processing of personal data always maintain the confidentiality of the data subject’s personal data.

7. Transfers of personal data by conventional means, such as by post, by hand, by fax and the like, shall be recorded.

8. Ensure that all used paper, printed documents or other documents that clearly show personal data are destroyed carefully and efficiently, such as by using a shredding machine or other appropriate methods.

9. Conduct awareness programmes on the responsibility to protect personal data for all employees involved (if necessary).

Retention Standard

6. Establishment of the retention standard for personal data processed electronically and personal data processed non-electronically

[Illustration: 1 year data, 2 year data, 3 year data, 4 year data, 5 year data, old data]

6.1 A data user shall take reasonable steps to ensure that all personal data is destroyed or permanently deleted if the personal data is no longer required for the purpose for which it was to be processed, by:

NO. DESCRIPTION

1. Determine that all legislation relating to the processing and retention of personal data is fulfilled before destroying personal data.

2. Do not keep personal data longer than necessary unless other legal provisions require longer retention.

3. Prepare and maintain records of personal data disposal; such records shall be produced when directed by the Commissioner.

4. Dispose of personal data collection forms used for commercial transactions within a period not exceeding fourteen (14) days, unless the forms have legal value in relation to the commercial transaction.

5. Review and dispose of all personal data in the database that is not required.

6. Have a disposal schedule for personal data that has been inactive for a period of 24 months. The personal data disposal schedule must be properly maintained.

7. The use of removable media devices for the purpose of storing personal data is not permitted without written permission from the top management of the organization.

Data Integrity Standard

7. Establishment of the data integrity standard for personal data processed electronically and personal data processed non-electronically

7.1 A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and up to date, having regard to the purpose, including any directly related purpose, for which the personal data was collected and further processed. The steps are:

NO. DESCRIPTION

1. Provide a personal data update form to be completed by data subjects, either online or conventionally.

2. Update personal data promptly upon receiving a personal data correction notice from the data subject.

3. Ensure that all relevant legislation is fulfilled in determining the type of documents required to support the validity of the data subject’s personal data.

4. Notify about the updating of personal data either through a portal, by displaying a notice at the premises, or by other appropriate methods.
   [Illustration: Notice of updating of personal data]


PERSONAL DATA PROTECTION STANDARD 2015

PERSONAL DATA PROTECTION REGULATIONS 2013
PERSONAL DATA PROTECTION STANDARD 2015

PART I
PRELIMINARY

Standard
1. Short title and commencement
2. Interpretation
3. Application

PART II
PERSONAL DATA PROTECTION STANDARD 2015

1. Security Standard
   Establishment of the Security Standard For Personal Data Processed Electronically
   Establishment of the Security Standard For Personal Data Processed Non-Electronically

2. Retention Standard
   Establishment of the Retention Standard For Personal Data Processed Electronically And Non-Electronically.

3. Data Integrity Standard
   Establishment of the Data Integrity Standard For Personal Data Processed Electronically And Non-Electronically.

PERSONAL DATA PROTECTION REGULATIONS 2013
PERSONAL DATA PROTECTION STANDARD 2015

In exercise of the powers conferred by articles 6, 7 and 8 of the Personal Data Protection Regulations 2013 [PU (A) 335], the Commissioner makes the following settings:

PART I
PRELIMINARY

1. Short title and commencement

1.1 This Standard may be cited as the Personal Data Protection Standard 2015.
1.2 This Standard comes into operation immediately as of the date published by the Commissioner.

2. Interpretation

In this Standard, unless the context otherwise requires-

“standard” means a minimum requirement issued by the Commissioner, that provides, for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context.

3. Application

3.1 This Standard applies to -

a. any person who processes; and
b. any person who has control over or authorizes the processing of, any personal data in respect of commercial transactions.

PART II
Security Standard

4. Establishment of the security standard for personal data processed electronically

4.1 A data user shall take practical steps to protect the personal data from any loss, misuse, modifications, unauthorized or accidental access or disclosure, alteration or destruction by having regard-

DATA SECURITY FOR PERSONAL DATA PROCESSED ELECTRONICALLY

NO. DESCRIPTIONS

1. Register all employees involved in the processing of personal data.
   * The registration of employees is necessary to assure their accountability with the personal data they have access to.
   [Illustration: Registration of employees]

2. Terminate an employee’s access rights to personal data after his/her resignation, termination, termination of contract or agreement, or adjustment in accordance with changes in the organization.
   * An employee’s access right to personal data must be ceased immediately upon termination of employment.
   [Illustration: Access right to personal data]

3. Control and limit employees’ access to personal data system for the purpose of collecting, processing and storing of personal data.
   * Access to personal data shall be relevant and not excessive to fulfill the purpose.
   [Illustration: Employee’s access to personal data]

4. Provide user ID and password for authorized employees to access personal data.
   * Establish access rights via logons, with a policy that requires strong password and change of password regularly.
   [Illustration: Create unique user ID for employees]

5. Terminate user ID and password immediately when an employee who is authorized access to personal data is no longer handling the data.
   [Illustration: Termination of employee’s user ID]

6. Establish physical security procedures as follows:
   i. control the movement in and out of the data storage site;
   ii. store personal data in an appropriate location which is unexposed and safe from physical or natural threats;
   iii. provide a closed-circuit camera at the data storage site (if necessary), and
   iv. provide a 24 hour security monitoring (if necessary).

7. Update the Back up/Recovery System and anti-virus to prevent personal data intrusion and such.
   [Illustration: Anti virus must be kept up-to-date]

8. Safeguard the computer systems from malware threats to prevent attacks on personal data.
   [Illustration: Secure computer operating system, databases and backup system]

9. The transfer of personal data through removable media device and cloud computing service is not permitted unless with written consent by an officer authorized by the top management of the data user organization.
   * Obtain consent from the top management prior to using removable media device for transfer of data.

10. Record any transfer of data through removable media device and cloud computing service.
   * The use of removable media and cloud computing services for data transfer must be recorded to prevent misuse of personal data and unauthorized transfer.

11. Personal data transfer through cloud computing service must comply with the personal data protection principles in Malaysia, as well as with personal data protection laws of other countries.
   * Do take note on the laws of other countries in regards of personal data.

12. Maintain a proper record of access to personal data periodically and make such record available for submission when directed by the Commissioner.
   * Record of access to personal data must be created and properly maintained. This is to keep track of any unauthorized or suspicious access to personal data system.

13. Ensure that all employees involved in processing personal data always protect the confidentiality of the data subject’s personal data.
   * Instill the importance of data confidentiality among employees.

14. Bind an appointed third party by the data user with a contract for operating and carrying out personal data processing activities. This is to ensure the safety of personal data from loss, misuse, modification, unauthorized access and disclosure.
   * To prevent harm to individuals from wrongful collection and misuse of their personal data, choose data processor that provides sufficient guarantees of its security measures during the handling of personal data.

5. Establishment of the security standards for personal data processed non-electronically

5.1 A data user shall take practical steps to protect the personal data from any loss, misuse, modifications, unauthorized or accidental access or disclosure, alteration or destruction by having regard-

DATA SECURITY FOR PERSONAL DATA PROCESSED NON-ELECTRONICALLY

NO. DESCRIPTIONS

1. Register all employees involved in the processing of personal data.
   * The registration of employees is necessary to assure their accountability with the personal data they have access to.

2. Terminate an employee’s access rights to personal data after his/her resignation, termination, termination of contract or agreement, or adjustment in accordance with changes in the organization.
   * An employee’s access right to personal data must be ceased immediately upon termination of employment.

3. Control and limit employees’ access to personal data system for the purpose of collecting, processing and storing of personal data.
   * Access to personal data shall be relevant and not excessive to fulfill the purpose.

4. Establish physical security procedures as follows:
   i. store all personal data orderly in files;
   ii. store all files containing personal data in a locked place;
   iii. keep all the related keys in a safe place;
   iv. provide record for keys storage; and
   v. store personal data in an appropriate location which is unexposed and safe from physical or natural threats.

5. Maintain a proper record of access to personal data periodically and make such record available for submission when directed by the Commissioner.
   * In the event of personal data breach, the commissioner may ask data user to present a record of access to personal data for investigation purposes.

6. Ensure that all employees involved in processing personal data always protect the confidentiality of the data subject’s personal data.
   * Instill the importance of data confidentiality among employees.

7. Record personal data transferred conventionally such as through mail, delivery, fax and etc.

8. Ensure that all used papers, printed documents or other documents exhibiting personal data are destroyed thoroughly and efficiently by using shredding machine or other appropriate methods.

9. Conduct awareness programmes to all employees (if necessary) on the responsibility to protect personal data.

Retention Standard

6. The standard for retention of personal data which is processed electronically and non-electronically

[Illustration: 1 year data, 2 year data, 3 year data, 4 year data, 5 year data, older data]

6.1 A data user shall take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed by having regard–

NO. DESCRIPTIONS

1. Determine the retention period in all legislation relating to the processing and retention of personal data are fulfilled before destroying the data.

2. Keep personal data no longer than necessary unless there are requirements by other legal provisions.

3. Maintain a proper record of personal data disposal periodically and make such record available for submission when directed by the Commissioner.

4. Dispose personal data collection forms used in commercial transactions within the period not exceeding fourteen (14) days, except if/unless the forms carry legal values in relation to the commercial transaction.

5. Review and dispose of all unwanted personal data in the database.

6. Prepare a personal data disposal schedule for inactive data with a 24 month period. The personal data disposal schedule should be maintained properly.

7. The transfer of personal data through removable media device and cloud computing service is not permitted unless with written consent by an officer authorized by the top management of the data user organization.
   * Obtain consent from the top management prior to utilizing the cloud computing services.

Data Integrity Standard

7. Establishment of data integrity standard for personal data processed electronically and non-electronically

7.1 A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept updated by having regard to the purpose, including any directly related purpose, for which the personal data was collected and processed further. Such measures are:

NO. DESCRIPTIONS

1. Provide personal data update form for data subjects, either via online or conventional.

2. Update personal data immediately once data correction notice is received from data subject.

3. Ensure that all relevant legislation is fulfilled in determining the type of documents required to support the validity of the data subject’s personal data.

4. Notify on personal data updates either through the portal or notice at premises or by other appropriate methods.
   [Illustration: Notice of updating of personal data]

First Printing, 2015

All Rights Reserved
Pesuruhjaya Perlindungan Data Peribadi Malaysia, 2015

All rights reserved. Any part of this publication may not be reproduced, stored in, or transmitted in a permanent storage system, or transmitted in any form or by any means, electronically, mechanically, photocopying, recording or otherwise without the prior approval of The Personal Data Protection Commissioner Malaysia (PESURUHJAYA PERLINDUNGAN DATA PERIBADI MALAYSIA).