EXIN Privacy & Data Protection Foundation covers the main subjects related to the protection of personal data. Candidates benefit from a certification that is designed to validate the knowledge required to help ensure compliance with the General Data Protection Regulation.

Overview

EXIN Privacy & Data Protection Foundation (PDPF) is a certification that validates a professional’s knowledge and understanding of the protection of personal data and of the EU rules and regulations regarding data protection.

Wherever personal data is collected, stored, used, and finally deleted or destroyed, privacy concerns arise. With the EU General Data Protection Regulation (GDPR) the Council of the European Union aims to strengthen and unify data protection for all individuals within the European Union (EU). This regulation affects every organization that processes personal data of EU citizens. The EXIN Privacy & Data Protection Foundation certification covers the main subjects related to the GDPR.

The new standard in the ISO/IEC 27000 series, ISO/IEC 27701:2019 Security Techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for Privacy Information Management – Requirements and Guidelines, is useful for organizations that want to show compliance with the GDPR. The content of the new ISO standard helps organizations fulfill their GDPR obligations regarding the processing of personal data.

Neither the GDPR nor the ISO standard is exam literature. However, the literature matrix in Chapter 4 is designed to show the link between the exam requirements, the literature, the GDPR and the ISO/IEC 27701:2019 standard to give the certification a broader context.

Skills Covered

  • Privacy & Data Protection Fundamentals and Regulations
  • Organizing data protection
  • Practice of data protection

Prerequisites

  • Successful completion of the EXIN Privacy & Data Protection Foundation exam

Target Audience

All employees who must have an understanding of data protection and European legal requirements as defined in the GDPR. This certification is tailored to:

  • data protection officers (DPOs)
  • compliance officers
  • security officers
  • HR staff
  • process and project managers

Course Curriculum

Module 1: Privacy & Data Protection Fundamentals and Regulations

1.1 Definitions

  • Define privacy.
  • Relate privacy to personal data and data protection.
  • Describe the context of Union and Member state law.

1.2 Personal Data

  • Personal data according to the GDPR.
  • Distinction between personal data and special categories of data, like
    sensitive personal data.
  • Data subject’s rights regarding personal data.
  • Processing of personal data that falls within the scope of the GDPR.
  • List the roles, responsibilities and stakeholders in the GDPR.

1.3 Legitimate Grounds and Purpose Limitation

  • Six legitimate grounds for processing.
  • The concept of purpose limitation.
  • Proportionality and subsidiarity.

1.4 Further Requirements for Legitimate Processing of Personal Data

  • The requirements for legitimate data processing.
  • The purpose of personal data processing.
  • The principles relating to processing of personal data.

1.5 Rights of Data Subjects

  • The rights regarding data portability and the right of inspection.
  • The right to be forgotten.

1.6 Personal Data Breach and Related Procedures

  • The concept of personal data breach.
  • Procedures on how to act when a personal data breach occurs.
  • Examples of categories of personal data breaches.
  • The difference between a security breach (incident) and a personal data breach.
  • Relevant stakeholders that should be informed in case of a personal data breach.

Module 2: Organizing Data Protection

2.1 Importance of Data Protection for the Organization

  • The different types of administration (GDPR Article 28 & Article 30).
  • Indicate what activities are required to comply with the GDPR.
  • Data protection by design and by default.
  • Personal data breaches.
  • Personal data breach notification obligation as laid down in the GDPR.
  • Enforcement of the rules by issuing penalties including administrative
    fines.

2.2 Supervisory Authority

  • The general responsibilities of a supervisory authority.
  • The role and responsibilities of a supervisory authority related to
    personal data breaches.
  • How a supervisory authority contributes to the application of the GDPR.

2.3 Personal Data Transfer to Third Countries

  • The regulations that apply to data transfer inside the EEA.
  • The regulations that apply to data transfer outside the EEA.
  • The regulations that apply to data transfer between the EEA and the
    USA.

2.4 Binding Corporate Rules and Data Protection in Contracts

  • The concept of binding corporate rules (BCR).
  • How data protection is formalized in contracts between the controller
    and the processor.
  • The clauses of such a contract.

Module 3: Practice of Data Protection

3.1 Data Protection by Design and by Default

  • The benefits of data protection by design and by default.
  • The seven principles of data protection by design.

3.2 Data Protection Impact Assessment (DPIA)

  • Outline what a DPIA covers and when to do a DPIA.
  • Mention the eight objectives of a DPIA.
  • List the topics of a DPIA report.

3.3 Personal Data in Use

  • The purpose of data lifecycle management (DLM).
  • Data retention and minimization.
  • What a cookie is and what its purpose is.
  • The right to object to the processing of personal data for the purpose
    of direct marketing, including profiling.

Module 4: Malaysia Legal and Regulatory Compliance

  • ACT 854 CYBER SECURITY ACT 2024
  • ACT 709 PERSONAL DATA PROTECTION ACT 2010
  • ACT A1727 PERSONAL DATA PROTECTION (AMENDMENT) ACT 2024
  • ACT 864 Public Sector – The Data Sharing ACT 2025

Dates & Locations

Let’s make it work for you

Can’t find a date that fits? Need to train your whole team? Looking for a discount?
Speak to one of our learning experts today.

September 7, 2026 - September 8, 2026

Location: Kuala Lumpur
Modal: ILT
Availability: TBC
Exam: Included

September 7, 2026 - September 8, 2026

Location: Online
Modal: VILT
Availability: TBC
Exam: Included

December 7, 2026 - December 8, 2026

Location: Kuala Lumpur
Modal: ILT
Availability: TBC
Exam: Included

December 7, 2026 - December 8, 2026

Location: Online
Modal: VILT
Availability: TBC
Exam: Included

Exam & Certification

EXIN Privacy & Data Protection Foundation

EXIN Privacy & Data Protection Foundation (PDPF) is a certification that validates a professional’s knowledge and understanding of the protection of personal data and of the EU rules and regulations regarding data protection.

Training & Certification Guide

  • Duration: 01 hour
  • Number of Questions: 40 (Multiple Choice)
  • Pass mark: 65%
  • Open book: No
  • Electronic equipment allowed: No
  • Level: Foundation
  • ECTS Credits: 2
  • Languages: Chinese, Dutch, English, French, German, Japanese, Portuguese, Hebrew

Speak to a Training Consultant

All courses are HRD Claimable.
Get in touch with our team via the form or WhatsApp us on +6011-5119 6631