Malaysia's PDPA Applicability to Entities Registered or Incorporated in the Country

The Personal Data Protection Act 2010 (PDPA) of Malaysia uses incorporation or registration in the country as a factor to determine its applicability to data processing activities.

Text of Relevant Provisions

PDPA 2010 Sec.2(4b):

"(4) For the purposes of subsections (2) and (3), each of the following is to be treated as established in Malaysia: (b) a body incorporated under the Companies Act 1965 [Act 125];"

PDPA 2010 Sec.2(4c):

"(4) For the purposes of subsections (2) and (3), each of the following is to be treated as established in Malaysia: (c) a partnership or other unincorporated association formed under any written laws in Malaysia; and"

Analysis of Provisions

The PDPA extends its applicability to entities that are legally incorporated or registered in Malaysia. This is evident from Section 2(4) of the Act, which defines what constitutes being "established in Malaysia" for the purposes of the Act's application.

Specifically, the Act considers the following entities as established in Malaysia:

1. "a body incorporated under the Companies Act 1965" (Section 2(4)(b))
2. "a partnership or other unincorporated association formed under any written laws in Malaysia" (Section 2(4)(c))

These provisions effectively capture a wide range of business entities, including companies, partnerships, and other forms of associations that are legally recognized under Malaysian law.

It's important to note that this factor is part of a broader set of criteria for determining the PDPA's applicability. Section 2(2) of the PDPA states that the Act applies to a person in respect of personal data if:

"(a) the person is established in Malaysia and the personal data is processed, whether or not in the context of that establishment, by that person or any other person employed or engaged by that establishment;"

This means that for entities incorporated or registered in Malaysia, the PDPA applies to their data processing activities regardless of where the actual processing takes place, as long as it's done in the context of their Malaysian establishment.

Implications

The inclusion of this factor in the PDPA has several implications for businesses:

1. All companies incorporated under the Malaysian Companies Act, as well as partnerships and associations formed under Malaysian law, are automatically subject to the PDPA's requirements for their data processing activities.
2. These entities must comply with the PDPA even if they process personal data of non-Malaysian individuals or if the actual data processing occurs outside of Malaysia, as long as it's done in the context of their Malaysian establishment.
3. Foreign companies that incorporate subsidiaries or register branches in Malaysia will fall under the PDPA's jurisdiction for the activities of those Malaysian entities.
4. Local partnerships and associations, even if not formally incorporated, are also covered by the Act, ensuring comprehensive protection of personal data across various types of business structures in Malaysia.

This approach aligns with international trends in data protection legislation, where the place of establishment of the data controller or processor is often used as a key factor in determining the law's applicability. It ensures that entities with a formal legal presence in Malaysia are held accountable for their data processing activities, thereby protecting the personal data of individuals who interact with these entities.