Here’s how you can use the PDPA to stop spam calls (and other Malaysian annoyances)

We’re pretty sure you’ve gotten countless spam calls from banks asking you to sign up for a credit card, or telemarketers trying to hard-sell you their new new product.

As annoying as these calls may be, you might be more concerned about how they even got your phone number in the first place. But fret not! There is actually an Act solely created to help us keep our personal data safe – the Personal Data Protection Act 2010 (PDPA).

But for lay people like us, the Act might just sound like a bunch of legal mumbo jumbo. That’s why we teamed up with the PDPA’s regulatory body, the Department of Personal Data Protection (JPDP), to outline how you can use the PDPA to deal with:

• Condos putting up your details when you forget to pay maintenance fee,
• Telemarketers who won’t stop calling you, and
• Companies which misuse your personal data.

So without further ado, let’s start with…

 

Taking out sensitive info from your condo’s defaulters list.

If you’ve ever “forgotten” to pay your condo maintenance fees, chances are you’ve seen your name pop up on a ‘defaulters list‘ put up by the joint management body (JMB) to shame you pressure you into paying up.

But while the embarrassment might get people to settle their outstanding payments, we recently learned that the management isn’t actually allowed to display personal information like phone numbers and IC numbers. So, if the defaulters list contains anything other than your name, unit number, and the amount you owe, you have the right to ask the management to remove said info from the list, according to Section 42 of the PDPA:

Additionally, if your condo/neighborhood security guards are still asking your visitors to hand over their lesen or MyKADs as collateral when visiting your house, you can also talk to your JMB and ask them to change their SOP. While the security is allowed to ask for visitors’ license or MyKAD and record their details, they are not allowed to hold on to it. So yeah, you can definitely highlight this to your JMB or bring it up during the next AGM. #WahSoManyAbbreviations

 

Get spam callers and telemarketers to stop calling you.

Most of us might’ve just learned to ignore and block unknown numbers, so we were pretty shocked to find out that there’s not just 1, but 4 things you can do with regards to spam callers (spam ah, not scam). 

Before we get to those, you might be wondering why you’re getting these promotional calls in the first place. Well, there’s a chance that you consented to it yourself. When we sign forms without reading the fine print, they may have a hidden clause in their privacy notice (which contains info on how your data is collected, used, and who it’s sent to) that allows them to promote to you. So, lesson learned: Always read the fine print before signing a document!

Alrighty, now let’s get to the 4 things you can do.

A) You can check what info they have about you

You totally can skip this step, but in case you aren’t sure that you ever gave consent, or you simply want to know what info the company has about you, you can write to the company to check (Section 30 – Right of access to personal data).

Once they revert, you might notice that either:

• You did give them your consent,
• You never gave them consent, OR
• Some of the data like phone number is yours, but other info like name, email address, etc. is not yours (cause Malaysia actually recycles phone numbers).

In case it’s the latter, you have the ability to…

B) Get them to correct the data

In the event where they might have the wrong info, you can cite Section 34 of the PDPA, which gives you the right to correct your personal data. This can be useful if you want them to keep your information, but the current data they have is not up to date.

But if you don’t want them to call you anymore…

C) You can tell them to take you off their call-list

For this, you can cite Section 43, which gives you the “right to prevent the processing of your data for direct marketing purposes”, or in English, it basically means you can tell them to remove your name from their call-list and mailing list.

According to clause 43 (1) of the PDPA, you can formally write to these companies and request that they stop calling you for promotional purposes.

But according to a friend of ours, simply citing Section 43 to the telemarketer during the spam call and asserting that you don’t wanna receive anymore calls works too. However, since this is not in PDPA’s official document, please treat that as…

And even if you did consent to all these promotional calls, you can still…

D) Withdraw your consent

In summary, even if you’ve ticked the box that allows them to send you promotional emails and calls, Section 38 of the PDPA allows you to withdraw your consent:

This means you can write to them, asking them to stop marketing directly to you by citing the PDPA clauses as your legal backup. #lawhackinglikeaboss

But let’s just say they’re still calling you or completely disregarded your requests, it’s time to move on to the next step which is to…

 

Report these companies to JPDP

So you’ve talked to the companies and asked them to take you off the list, but they didn’t listen. What now?

Here’s where the JPDP comes in… but first, you’ll have to make a report directly to them through their website. Once the report has been made, their licensed enforcement team will then investigate and take the next step as deemed necessary. And don’t play play ah, their enforcement team has the authority to confiscate the documents and machines used in the breach of data, and can even arrest people. Fuiyoh.

As a matter of fact, they’ve even charged a number of data users (a.k.a. companies) who’ve had data breaches; ranging from industries like telecommunications to airlines, as these companies’ security measures weren’t adequate enough to prevent a security breach. And with the maximum penalty of a RM 500k fine, 3 years imprisonment, or both (since it is technically a criminal act), it’s no surprise when the JPDP told us there’s been a decrease in these kinds of cases.

But even with everything the JDPD can do, they aren’t actually able to intervene in all kinds of cases, because…

 

The PDPA can’t be used for non-commercial matters.

Much like all the different laws that exist in Malaysia, the PDPA isn’t a magical cure-all that can be used to solve every single personal data dispute that happens. ‘Cause the fact of the matter is, this act was primarily created to regulate data users, which basically refers to businesses, organizations, and just about any other commercial entity that collects, processes, and uses data.

This means that if your data is breached by a non-commercial entity like a family member, friend, or even if you were the target of illegal scammers, the PDPA does not apply.

And out of all the things that JPDP shared, perhaps the most interesting was when they told us that in most cases, the data breach might not be coming from commercial businesses… but our own social media accounts.

“Malaysians are starting to learn, but many of us still make that mistake of oversharing when it comes to using social media.

 

We let our guard down and share personal info such as our phone numbers, banking receipts, images of our boarding pass with the visible QR code, and even screenshots of our MySejahtera profile.” – Uma A/P Annamallai (Director of Policy & Strategic Planning for JPDP), to CILISOS.

However, if you do think you might be the victim of a scam, we highly recommend that you make a complaint to the MCMC.

But what the PDPA does ensure is that your personal data isn’t leaked out by legitimate businesses who you’ve entrusted with your private info. So if you suspect these companies might be misusing your data, at least now you know which PDPA clause you can cite to scare them 😉.