Introduction to Southeast Asian Privacy Laws
Southeast Asia is changing quickly and growing increasingly powerful economically. However, with this growth comes digitalization of a mass population and new pressures for robust regulation and standards. Privacy is becoming even more important to consumers, so if your organization interacts with the Southeastern population or hosts online platforms in that Asian region, it is imperative to understand compliance laws and how to meet regulations. Below we will explore five of Southeast Asia’s most prevalent privacy laws and key differences organizations should be aware of.
Malaysian Personal Data Protection Act
The Malaysian PDPA (APDP in the local Bahasa Melayu language) was passed in 2010 and came into effect in 2013. It applies to any business that processes and has control over “personal data” with respect to commercial transactions. The act applies to businesses that reside in Malaysia as well as foreign companies that conduct transactions with Malaysian residents or use equipment in Malaysia to process personal data. The penalty for non-compliance is between RM100K and RM500K (approx. $25K USD to $125K USD) and/or between one and three years imprisonment.
Download Malaysia Personal Data Protection Act 2010
Singapore Personal Data Protection Act
The Singapore PDPA applies to all electronic and non-electronic communications that deal with data collection, processing, or disclosure within Singapore, regardless of whether the organization involved has an actual physical presence in Singapore. The PDPA empowers individuals to protect, access and correct their own information.
The legislation requires that when organizations collect, process, or disclose this kind of personal data, they must:
- Obtain the individual’s consent;
- Collect it for a reasonable purpose; and
- Notify the individual of the purpose.
Singapore and Malaysia also both mandate that data must not be transferred to jurisdictions that have lesser personal data protections in place.
See here for an online version of the Singapore Personal Data Protection Act 2012
Korean Personal Information Protection Act
One of the strictest actors in the gamut of Southeastern countries in enforcing privacy is South Korea. The Personal Information Protection Act (개인정보보호법), also known as PIPA, came into force in 2012. This law distinguishes between personal data and sensitive personal data, which is unique compared to many other privacy rules around the world. Sensitive personal data requires higher standards, such as specific consents being obtained for that type of data and restrictions on that data being processed or transferred overseas. Personal data includes information that, alone or combined with other pieces of information, makes it possible to identify individuals. Sensitive personal data may include information about an individual’s beliefs and ideologies, participation in unions, sexual life, criminal history, DNA information and more. And not only are the nuances of this law strict, so are the penalties. Failure to comply with the Korea PIPA can result in steep fines and the potential for imprisonment.
Download Korea Personal Information Protection Act
Vietnam Personal Data Protection Law
Although Vietnam does not have a single national privacy law, its constitution does recognize the right to personal privacy. In this regard, Vietnam addresses privacy rights as part of broader pieces of legislation, including the Law on Information Technology 2006 (Luật công nghệ thông tin) and Civil Code 2015 (BỘ LUẬT DÂN SỰ), among others. Article 21 of the Law on Information Technology covers the collection, processing, and use of personal information online, and sets out similar requirements to the laws in Singapore, Malaysia, and South Korea. Individuals need to be informed that their information is being collected, processed, or used, as well as the purpose for which it is being collected. Article 38 of the Civil Code 2015 is titled The Right to Private Life, Personal Privacy and Family Privacy, which encapsulates the requirement to not store an individual’s data without permission.
Vietnamese law shields individuals from having their personal information shared, such as their birthday, name, and contact information, but it also regulates data related to family secrets and personal correspondence like mail and phone calls. The law generally applies to any personal data processors located within Vietnam as well as anyone who handles personal information of Vietnamese residents and nationals living abroad/adopted.
Download Vietnam Law on Information Technology 2006
Download Vietnam Civil Code 2015 (Refer Article 38). Unofficial English translation.
Ensure PDPA Compliance with Data Discovery
Ground Labs’ solutions are uniquely positioned to assist compliance with Personal Data Protection laws in over 50 countries, including throughout Asia, to ensure that organizations have full awareness of the sensitive personal data that is residing in their desktops, servers, email, databases and a large variety of cloud storage locations. Ground Labs is the solution provider to organizations across 85 countries, making us a global expert in compliance no matter where your company or customers are located. Unique solution benefits include reduced time required to map, analyze and remediate data before determining if data can be transferred overseas into cloud storage, in accordance with the Singapore PDPA’s Transfer Limitation Obligation and regional equivalent requirements.
By using Ground Labs’ personal data discovery capabilities, an organization can reduce the overall time and investment required to reach and uphold privacy compliance, including PDPA and PDPB, even as regulations change over time.
If you’re ready to meet compliance with Asia data protection laws in the new year, start by requesting a no-obligation data privacy briefing with a data discovery expert by scheduling a demo today.