

Survey Answer:

IT Service Agreements
We are not aware of any contractual standards / obligations required for IT Service Agreements.
IT Outsourcing Agreements
(a) Obligation to require outsourcing agreements for data processing to be bound by contract
Where a third party is appointed to process personal data on behalf of a data user, paragraph 4.1(14) of the PDP Standards provides that data users are required to bind the appointed third party data processor with a contract for operating and carrying out data processing activities, to ensure the safety of personal data from loss, misuse, modification, unauthorized access and disclosure.
(b) Standards required in connection to outsourcing agreements for data processing
Pursuant to section 9 of the PDPA, the data user is required to ensure that the data processor: (i) provides sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out, and (ii) takes reasonable steps to ensure compliance with those measures.
To comply with the PDPA, data users will be required to ensure that any data processing agreement entered into with a third party data processor incorporates clauses to the effect that the third party data processor shall comply with (i) and (ii) above.
Please also see the points below on the use of the cloud in data processing agreements.
Cloud Agreements
We are not aware of contractual standards or obligations that apply to cloud agreements generally. However, where a data processing agreement involves use of the cloud, paragraphs 4.1(9) to (11) of the PDP Standards require the following measures to be complied with:
(a) transfer of personal data through a cloud computing service is not permitted except with the written consent of an officer authorized by the top management of the data user organization;
(b) any transfer of data through a cloud computing service must be recorded; and
(c) personal data transfer through a cloud computing service must comply with the personal data protection principles in Malaysia, as well as with the personal data protection laws of other countries.
To ensure compliance with the PDP Standards, the requirements above should be incorporated as contractual obligations in any data processing agreement under which personal data is stored or transferred via the cloud.
There are also specific obligations pertaining to the above matters issued by BNM and SCM. However, these measures are limited to their respective licensees.

Provided By: