Registration – Mandatory or Not?
The Personal Data Protection (Class of Data Users) Order 2013 sets out 11 classes of data users that must be registered under the Personal Data Protection Act (“PDPA“) with the Personal Data Protection Department (“PDPD”). One of the 11 specific ‘classes’ includes the ‘Real Estate’ sector.
However, the term ‘Real Estate’ in Order 2013 only captures ‘licensed housing developer(s)’ under the Housing Development Act. Therefore, only mandatory for housing developers (ie residential only) at the date of writing. It does not expressly include other players such as real estate agents, property managers, valuers etc.
Nevertheless, the PDPD has indicated that eventually, PDPA registration by all businesses that deal with personal data in a commercial context regardless of industry will be necessary.
Applying the PDPA to scenarios faced by Real Estate Agencies:
Scenario #1 – Using personal data in marketing flyers
- Agent X mails/emails the marketing flyers of a new property launch to his database of clients directed to their specific names and last known addresses/emails.
PDPA impact: X has used the personal data of these individuals. X will need to ensure that consent of such individuals have been obtained and they were notified of the purpose/usage of their personal data.
- Agent X distributes flyers to all the mailboxes of a condominium in the area to market a new property launch. The flyers are addressed generically to “The Resident” or “To whom this may concern”.
PDPA impact: X has not used personal data of any individual as the flyers are directed generally without identifying any specific individual.
Scenario #2 – Purchasing mobile phone numbers from third parties & SMS blasts
X buys a list of mobile phone numbers (only) from a popular property website, of individuals who have indicated interest in properties in a certain area. X sends SMS blasts to the mobile phone numbers of a new property launch.
PDPA impact: Is X a ‘data user’? Mobile phone numbers on their own, without additional information like names / address / IC numbers, are insufficient to identify a specific individual and therefore, on its own, may not constitute personal data. However, if X purchases the list of mobile numbers together with other information that allows an individual to be identified, X will be regarded as using personal data.
Side note: Some countries have taken specific steps to curb such practices by establishing a “Do Not Call (DNC)” registry that prohibits organisations from sending marketing messages (in the form of voice calls, text or fax messages) to telephone numbers registered with the DNC Registry. While Malaysia’s PDPA does not have express provisions requiring a DNC registry, one should not rule out the possibility of this being introduced in the near future.
Nevertheless, the Malaysian PDPA gives consumers the right to request in writing (including SMS reply) for the direct marketer or direct seller to stop or even not begin processing their personal data. Failure to cease using personal data for direct marketing purposes after a data subject has objected could cost the offender a fine of up to RM200,000 and/or imprisonment of up to two years.
Scenario #3 – Reports and Statistics
X obtains data of transacted properties through other agents and third parties. The raw data includes personal data about the buyers and sellers of the properties (ie, transacted prices, names, addresses, phone numbers, income bracket etc). X compiles a report on insights and statistics of sales for its clients on trends in the property market. X anonymises the raw data by removing any identifying information such that the published data does not identify any particular individual.
PDPA impact: X would not be disclosing personal data. However, X should bear in mind that statistics, combined with publicly available information, could lead to the identification of an individual. For example, in publishing statistics of a gated-guarded bungalow development with a small number of units, the chance of identifying the actual individual proprietor of the unit may be possible.
Scenario #4 – Personal data of clients for listing and marketing
- Agent X meets a client Amy who wishes to sell her condominium. X takes photos and information about the property (ie, number of bedrooms, toilets, size, facing, carparks) and posts them on a property website.
PDPA impact: Listing photos and details of a property on a website does not, in itself, constitute using personal data as the information relates to the property, not the individual. This is provided that the photos/information do not enable the identification of the individual.
- Amy tells X that she wants to sell her property urgently as she needs funds to treat a serious medical condition and can no longer afford the mortgage payments. X shares this information with a potential buyer to explain why this property is to be sold urgently and at a low price.
PDPA impact: The information X revealed relates to Amy personally and includes sensitive personal data (medical) X should have first obtained Amy’s express consent before disclosing (even verbally) such personal data to prospective buyers.
- X provides Amy his engagement form to appoint him as her real estate agent to market and sell her property. Through the form, Amy provides her mobile phone number, full name and IC number.
PDPA impact: Amy voluntarily provided her personal data to X, Amy is deemed/implied to have consented to X’s collection, use and disclosure of such personal data. However, unless the form expressly states otherwise, such consent is only restricted to the purpose of providing Amy with estate agency services, for example calling her to discuss offers received for her property or to arrange for prospective buyers to view her property etc.
Scenario #5 – Passing data of client to third party service providers
Amy asks estate agent X to refer a lawyer she can engage to handle her conveyancing transaction. X refers her to Lawyer Z.
PDPA impact: Amy may have impliedly consented to X giving her contact details to Lawyer Z. The best practice is for X to ask Amy whether X can release Amy’s contact details to Lawyer Z to contact her directly.
About the Author: Shawn Ho is a partner of Donovan & Ho. He is experienced in corporate matters such as acquisitions, cross-border transactions, restructuring exercises, sale of businesses, joint venture arrangements, shareholder agreements, and franchise businesses. His background in tax advisory has enabled him to assist several multi-national companies achieve considerable tax-savings through cross-border tax planning, implementing tax-efficient structures using Labuan companies, and incorporate tax advice into commercial transactions.