On 16 March 2016, the Malaysian Personal Data Protection Commissioner (the "Commissioner") released the Personal Data Protection (Compounding of Offences Regulations) 2016 (the "Regulations"), which came into effect on 15 March 2016.

Section 132 of the Personal Data Protection Act 2010 (the "Act") stipulates that where an organisation is suspected of committing an offence under the Act, the Commissioner, with the Public Prosecutor's consent, can offer the organisation the choice to compound the offence upon payment of an amount not exceeding 50% of the maximum fine for that offence (the "Offer"). The Regulations outline the particular offences that can be compounded under section 132 of the Act.

Whilst the Regulations are an alternative to prosecution, it should be noted that the Commissioner is not obligated to make an Offer, it is entirely at the discretion of the Commissioner and the Public Prosecutor and the penalties for the relevant offence may still apply in the event that prosecution is pursued.

The Regulations mean that prosecution is not the only option open to the Commissioner for breach of the Act. However, organisations should note that the applicability of the Regulations is entirely at the discretion of the Commission and as such should seek to ensure that they comply with the Act, to avoid the risk of prosecution entirely.

To view the Act, please click here.