[Chambers (Baker McKenzie)]: Malaysia: New Personal Data Protection Guideline - 发现报告

Malaysia: New Personal Data Protection Guideline


(Department of Personal Data Protection, 2026) Any part of this publication may not be reproduced, stored in, or transmitted in a permanent storage system, or transmitted in any form or by any means, electronically, mechanically,

Address: DEPARTMENT OF PERSONAL DATA PROTECTION, Level 8, Galeria PjH, Jalan P4W, Persiaran Perdana, Precinct 4, Federal Government Administration Centre

TABLE OF CONTENTS

PART A: INTRODUCTION

1.

1.1 Section 12A of the Personal Data Protection Act 2010 ("Act 709") sets out the requirement for both the data controller and the data processor to appoint one or more Data Protection Officers

1.2 Pursuant to the Circular of Personal Data Protection Commissioner No. 1/2025 (Appointment of Data Protection Officer) and the Appointment of Data Protection Officer Guideline, one of

1.3 This DPIA Guideline ("Guideline") provides practical guidance in relation to the carrying out of DPIA. Through this process, the organisations can systematically identify and manage risks

1.4 Please note that examples provided in this Guideline are not intended to be exhaustive and

1.5 This Guideline supplements and is to be read together with Act 709 and any other relevant legislative instrument(s) issued under Act 709, as may be amended from time to time. It

2. Legal Provisions

2.1 This Guideline is issued by the Personal Data Protection Commissioner ("Commissioner") pursuant to the functions of the Commissioner under subsection 48(g) of Act 709. In

3.

3.1 Unless otherwise defined in this Guideline, the terms and expressions used herein shall have the same meanings assigned to them under Act 709 and any other relevant legislative

PART B: PRE-DPIA

4. What is a DPIA

4.1 A DPIA is an assessment of the impact of a planned processing operation on personal data protection. It involves identifying, assessing, and managing personal data protection risks

4.2 In essence, DPIA is a process designed to analyse and mitigate personal data protection risks.

5. Why Carry Out a DPIA

5.1 DPIA serves as a useful mechanism to assist organisations in ascertaining the risks associated with a processing operation. It enables the organisation to evaluate whether such risks are acceptable in the circumstances, when weighed against the purpose and nature of

5.2 The implementation of a DPIA assists organisations in fulfilling the adequacy requirements prevalent in the international personal data protection landscape. For instance, the European

5.3 Carrying out a DPIA will enhance an organisation's accountability and transparency. By demonstrating a steadfast commitment to safeguarding personal data, organisations can

6. Who Is Responsible for Carrying Out a DPIA

6.1 The obligation to carry out a DPIA falls on the data controller. This is because, by definition, the data processor does not process personal data for its own purposes and the data controller

6.2 Nevertheless, the data processor who is involved in the processing operation is expected to provide all reasonable and necessary assistance to the data controller in carrying out the

Duty to carry out DPIA

6.3 The ultimate responsibility for carrying out the DPIA and for any resulting decisions rests with

DPO vs DPIA Lead

6.4 One of the core responsibilities of a DPO is to support the carrying out of DPIA. In this regard,

(a) identifying whether a DPIA needs to be carried out;

6.5 The DPO may not necessarily be the individual leading the carrying out of a DPIA. A DPIA Lead may either be the DPO, the project manager, or other personnel deemed appropriate by

6.6 The DPIA Lead is the key personnel in charge of planning and executing the DPIA. This includes consulting and gathering input from relevant stakeholders on matters such as details

Stakeholder Engagement

6.7 To ensure a DPIA is comprehensive and effective, it shall involve all relevant stakeholders from various functions of the organisation connected with the processing operation. These

(a) project manager;
(b) IT department;
(c) legal department;
(d) any other subject matter experts;

6.8 All relevant stakeholders are expected to assist the DPO and the DPIA Lead and provide appropriate input in completing the DPIA.

7. When to Carry Out DPIA

7.1 A data controller shall carry out a DPIA if the data controller foresees that a processing operation is likely to result in a high risk to the protection of personal data for the data subject.

7.2 In this regard, the data controller is required to follow a two-tier approach to determine the level of risk and assess whether a DPIA is required:

(a) First, the data controller shall determine if the quantitative threshold (as explained in paragraph 7.5) is met. If the quantitative threshold is met, a DPIA shall be carried out.

(b) Second, if the quantitative threshold is not met, the DPO shall exercise best judgment in considering the qualitative factors (as explained in paragraph 7.6) to determine

7.3 This Guideline does not derogate from the requirements set out under any other legal or regulatory instruments regarding the