1. What is the Personal Data Protection Act (“PDPA” or the “Act”) 2010?

The Personal Data Protection Act is an act enacted by the Malaysian government in 2010 to protect an individual’s personal data in commercial transactions.

2. When was PDPA enforced?

The PDPA came into force on 15th November 2013.  Hence all new customers who enter into a contract with Nazirin Skin Clinic (NSC), will have to comply immediately.

3. What is personal data?

The PDPA defines personal data as any information in respect of commercial transactions that relates directly or indirectly to an individual, who is identified or identifiable from that information or other information in possession of the individual. This includes name, address, IC number, passport number, email address and other contact details.

4. What is sensitive personal data?

The PDPA defines sensitive personal data as personal data consisting of information as to the physical or mental health or condition of the individual, political opinions, religious beliefs or other beliefs of a similar nature, the commission or alleged commission of any offence or any other personal data as determined by the Minister by order published in the Gazette.

5. What are “commercial transactions”?

Commercial transactions mean any transactions of a commercial nature, regardless of whether it is contractual. This includes the collection of personal data of potential customers.

6. What is “processing” of personal data?

Processing personal data is the act of collecting, recording, holding or storing personal data and carrying out any operation or set of operations on the personal data.

7. What are your rights as a customer under the PDPA?

The PDPA gives you certain rights in relation to your personal data.

– To access your personal data and to correct this information to make sure that the personal data is accurate, complete, not misleading and up-to-date.

– To withdraw your consent for disclosure of your personal data for marketing purposes or any other purposes than for the fulfilment of the service you have subscribed for.

8. What can NSC do with your consent?

You will give consent to NSC for marketing purposes, for NSC services and products only. NSC will send marketing materials including promos to you via various channels (e.g. email, letters and phone calls etc.).
9. What happens if you do not give consent?

If you do not give consent to NSC for marketing purposes, NSC will stop sending you marketing material for your products and services. However, NSC may still use your personal data for purposes of providing the products or services that you have signed up for or fulfilling any other contractual obligations, and for legal or regulatory purposes.

10. How often can I change my consent?

After changing the consent information, you are only able to change the consent after 14 days.

11. Why can I only change consent after 14 days again?

The consent information has to be processed throughout the whole NSC organisation and be reflected in the respective IT systems which are used by us.

12. After withdrawing consent do you still receive marketing information?

NSC has 14 days to process the consent information throughout the whole NSC organisation. Within these 14 days, it might be possible for you to receive marketing material. However, NSC tries to stop sending marketing material immediately, and at the latest, after 14 days.

13. Can you request access to your personal data?

Yes, NSC will provide access to your personal data which the clinic holds.

14. Can NSC deny your request to access personal data?

NSC can only deny your request to access personal data when there is insufficient information to confirm your identity.

15. Can any other person request access to your personal data?

A person other than you may request access to your personal data in the following situations:  If you are below the age of 18, a parent, guardian or a person who is responsible for you may request access to your personal data.  A person appointed by the court to manage our customer’s affairs may request our customer’s personal data. A person our customer has authorised in writing may request access to our customer’s personal data.

16. How does NSC safeguard your personal data?

We take steps to protect our customers’ personal data by maintaining physical and logical security measures in order to ensure that all information and IT systems are adequately protected from a variety of threats.

17. What security measures ensure that in the event of disclosing your personal data it is kept secure by other parties?

If we disclose your personal data to third parties such as vendors, we will ensure that they have policies and procedures in place to comply with the PDPA as well as to secure all our customers’ personal data.

18. How long does NSC retain your personal data?

We will only retain your personal data for as long as necessary to fulfil the purpose(s) for which it was collected or to comply with legal, regulatory and internal requirements.

19. Does NSC send customer’s personal data overseas? If yes, why is it necessary to send overseas?

In some cases, NSC may transfer customers’ personal data to places outside of Malaysia when it is required to provide customers with the services that they have requested for and for the performance of any contractual obligations NSC has with its customers.

20. Does the PDPA cover personal data transferred to those foreign entities?

Yes, if the personal data is first processed in Malaysia before transferring to a foreign entity, it will be covered under the PDPA. However, the PDPA will not cover personal data that is processed outside of Malaysia.