Protection of Employee’s Personal Data in Malaysia - General Data Protection Regulation (“GDPR”) and Personal Data Protection Act 2010 (“PDPA”)
23 November 2020
Recently, Sweden’s H&M was fined 35 million euros by the Hamburg Data Protection Authority for internal data security breaches at its customer service centre in Nuremberg.1
This is the second largest fine levied against a single company under the EU’s General Data Protection Regulation (“GDPR
”), which took effect on 25 May 2018. The largest fine was against Google in 2019 when it was fined 50 million euros for “lack of transparency, inadequate information and lack of valid consent regarding ads personalization”.2
According to news reports, H&M has, since at least 2014, recorded details about employees, which includes extensive information involving their medical symptoms, family issues and religious beliefs.
The large fine was, as stated by the Hamburg Data Protection Authority, “justified and should help to scare off companies from violating people’s privacy”. It is therefore evident that a failure to comply with the GDPR can have massive repercussions. However, how does the GDPR apply to EU companies with employees in Malaysia and are Malaysian laws likely to expose our local businesses to similar risks for processing employee data?
APPLICATION OF GDPR IN MALAYSIA
- “Location Principle” - Article 3(1) of the GDPR
The applicability of the GDPR extends to businesses outside the EU. Under Article 3(1), the GDPR applies to the processing of personal data “in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”.
“Establishment” in the EU
This means that the GDPR applies to businesses which although are not incorporated in the EU maintains another “establishment” in the EU. Recital 22 of the GDPR clarifies that an “establishment” implies the effective and real exercise of activity through stable arrangements. A clear case where a business has “stable arrangements” in the EU is where there is permanent presence in the EU, such as a company representative with an EU office or a branch office. A mere temporary EU presence of a controller located outside the EU does not lead to the applicability of the GDPR, such as visits by company representatives, booths at trade fairs or business activities that are limited to some days.
Processing of personal data “in the context of activities” of an establishment in the EU
If the processing of personal data is “in the context of the activities” of such establishment, then the GDPR would apply to data controllers or processors located outside the EU. It would be helpful to consider whether there is an inextricable link between the processing of personal data carried out by a non-EU controller or processor and the activities of the EU establishment.
For example, it is not at all unusual for a subsidiary company in Malaysia to process personal data of its employees in Malaysia and in the course of same, transfer the personal data to its parent company located in the EU. The GDPR will therefore be applicable to the company in Malaysia.
- “Market place principle” - Article 3(2) of the GDPR
The GDPR also applies to organisations established outside the EU, if the organisation either processes personal data of data subjects who are in the EU in the context of:
- the offering of goods or services (irrespective of whether payment is required) to such data subjects; or
- the monitoring of their behaviour as far as their behaviour takes place within the EU.3
The actual location of the data subjects within the EU is sufficient, and EU citizenship or residency does not matter.
Thus, a Malaysian business that directly employs individuals to work within the EU or assigns individuals to carry out business transactions in the EU, regardless of those individuals’ nationality, would need to comply with the GDPR.
- What amounts to offering goods and services?
The GDPR clarifies in its recitals4
that in order to determine whether a data controller or processor is offering goods or services to data subjects who are in the EU, it should be ascertained whether it is apparent that the relevant business or company envisages offering services to data subjects in the EU. The recital provides that the following factors are insufficient to ascertain whether there is such an intention by the organisation to do so:
- the mere accessibility of the business website, email address or other contact details of the organisation in the EU; or
- the use of a language generally used in the third country where the business is established.
Nevertheless, the recitals have also provided that factors such as the use of a language or a currency generally used in the EU with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the EU, may make it apparent that the business or company envisages offering goods or services to data subjects in the EU.
This suggests that data that is collected in the course of doing online business that specifically targets the EU market would similarly be subject to the GDPR.
- What amounts to monitoring of behaviour?
Organisations should also take note that monitoring of behaviours would involve instances where individuals are tracked on the internet, including potential subsequent use of personal data processing techniques which consist of profiling, particularly in order to make decisions concerning the individual, or for analyzing or predicting the individual’s personal preferences, behaviours and attitudes.5
This may include instances where companies in Malaysia send employees to member states in the EU on a temporary basis, e.g.
to attend trainings or conferences, where their behaviours will still be monitored by the Malaysian company. The personal data processed in the context of monitoring such employees’ behaviour may therefore be governed under the GDPR. This may be very relevant in the context of disciplinary action against an employee for conduct that occurred within the EU.
GDPR vs PERSONAL DATA PROTECTION ACT 2010 (“PDPA”)
Under Malaysian law, the protection of personal data is governed by the Personal Data Protection Act 2010 (“PDPA
”). The PDPA defines personal data as any information in respect of commercial transactions
that relates directly or indirectly to a data subject, who is identified or identifiable.6
As such, the PDPA only protects personal data processed in the context of commercial transactions. The PDPA also expressly excludes the protection of personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs, including recreational purposes.7
Similarly, under the GDPR, personal data is defined widely as “any information relating to an identified or identifiable natural person (‘data subject’)…”
. Pursuant to Recital 18, the GDPR also does not apply to the processing of personal data in the course of a purely personal or household activity with no connection to a professional or commercial activity.
Both the PDPA and GDPR would therefore cover employee’s personal data processed by the employer, including information on employees’ personal details, religious beliefs, contact information, medical data, finance, payroll, job performance etc.
Requirements under the GDPR
Businesses in Malaysia should take note that the GDPR contains a number of requirements which are not found in the PDPA. If locally established businesses are carrying on business in the EU or have employees located in the EU, they should ensure that the requirements under the GDPR are complied with in order to avoid the major consequences of non-compliance.
Some requirements under the GDPR that are absent from the PDPA are as follows:
- Right to erasure (“right to be forgotten”)
Article 17 of the GDPR provides that data subjects have the right in certain circumstances to have their data controller to erase his/her personal data without undue delay. For instance, employees would have a right to request that their data be erased where their personal data are no longer necessary for the purposes which they were collected or processed. This may include data in relation to:
- the employee’s hiring process (e.g. employee’s resume, education and employment history) in the event that the employer did not proceed to hire the employee; and
- the employee’s past contact details where the employee has since provided updated information.
Furthermore, if the employer has made the personal data public, the employer has an obligation to take reasonable steps to inform other data controllers who are processing the personal data that the employee has requested the erasure of any links to, or copy or replication of, those personal data.
While Section 10 of the PDPA provides that an individual’s personal data shall not be kept longer than is necessary, it does not confer upon the employee an express right to have his/her personal data erased, unlike Article 17 of the GDPR.
- Right to data portability
Under Article 20 of the GDPR, employees also have the right in certain circumstances to receive their personal data which they have provided to their employer, in a structured, commonly used and machine-readable format, and the right to transmit those data to another data controller without hindrance. Employees also have the right to have their personal data transmitted directly from one data controller to another, where technically feasible.
In contrast, Section 30 of the PDPA only provides for the right to request from the data user a copy of the personal data in an intelligible form. The PDPA also does not provide a right for data subjects to have their personal data transmitted directly from one data user to another.
- Notification of data breach to the supervisory authority
In the case of a personal data breach, the employer is obliged under Article 33 of the GDPR to notify the breach, without undue delay, to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall also communicate the breach to the affected employees without undue delay, pursuant to Article 34 of the GDPR.
There are currently no requirements under the PDPA in relation to notification of data breach.
Penalties under GDPR and PDPA
Failure to comply with the GDPR could result in severe civil penalties of fines up to the higher of 20 million euros or 4% of the organisation’s global turnover.
In contrast, failure to comply with the provisions under the PDPA is an offence, with the maximum penalty being a fine of RM500,000 and/or 3 years’ imprisonment. In addition, if the offence is committed by a body corporate, any person who at the time of the commission of the offence was a director, chief executive officer, chief operating officer, manager, secretary or other similar officer of the body corporate, may be liable severally or jointly in the same proceedings with the body corporate. Since the coming into force of the PDPA in 2010, there have been several cases where companies have been charged for breach of the provisions under the PDPA, which involve fines or terms of imprisonment being imposed.8
We have not seen any instances where the GDPR has been enforced against Malaysian companies or businesses. However, taking into account the major repercussions towards the organisation, including the hefty fines imposed and the potential reputational damage towards the business for failing to adhere to the GDPR, it is advisable for Malaysian businesses doing business in the EU or monitoring employees within the EU to comply with the provisions under the GDPR in addition to compliance with the PDPA.
It will also be interesting to observe whether the rising penalty rates imposed in foreign countries under the GDPR, will spur local regulators to consider stricter enforcement of data protection law in Malaysia.