Key Definitions
Personal data

Last review date: 31 December 2024

"Personal data" refers to "the name, date of birth, I.D. Card number, passport number, characteristics, fingerprints, marital status, family, education, occupation, medical record, medical treatment, genetic information, sexual life, health examination, criminal record, contact information, financial conditions, social activities, and other information which may be used to identify a natural person, both directly and indirectly."

Sensitive/special personal data (including personal data subject to additional protections/restrictions/breach notification obligations)

Last review date: 31 December 2024

Sensitive data includes:

  • genetic data
  • biometric data for the purpose of uniquely identifying a natural person or biometric templates
  • data concerning health/medical information
  • data concerning a natural person's sex life or sexual orientation
  • personal data regarding an individual's criminal convictions or record

The term "Sensitive Personal Data" is not directly specified in the PDPA. Nevertheless, Article 6 of the same Act primarily refers to medical records, medical treatment, genetic information, sexual life, health examination and criminal records.

Controller vs Processor

Last review date: 31 December 2024

Do the privacy laws distinguish between controllers/owners and processors/agents? Whereby:

  • the controller/owner is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
  • the processor/agent is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

Answer: No

The PDPA is silent on the concept of agents who deal with the data per the instruction of the data collector or processor. In practice, these agents are considered to be the contractors of the principal data collector/processor. The principal data collector/processor of the data should ensure their agent/sub-processor follows the PDPA requirements via contractual control.