Last updated: February 20, 2026
This Personal Data Protection Act (PDPA) Compliance Policy explains how Optom Pro Solutions Sdn Bhd (“Optom Pro Solutions”, “we”, “our”, or “us”) manages and protects personal data in accordance with the Personal Data Protection Act 2010 (PDPA) of Malaysia.
This policy applies to all users of the Optom Pro EMR system, including optometrists, clinics, administrators, staff, and any authorized personnel accessing the system.
Introduction
Optom Pro Solutions Sdn Bhd provides a cloud-based electronic medical record (EMR) platform designed for optometry practices and healthcare providers for managing patient records, appointments, and clinical information. In the course of providing these services, we may process personal data belonging to patients, practitioners, clinic staff, and other individuals (“Data Subjects”).
We are committed to ensuring that all personal data is processed in accordance with the principles and requirements of the Personal Data Protection Act 2010.
Definition of Personal Data
For the purpose of this policy, Personal Data refers to any information relating directly or indirectly to an identifiable individual, including but not limited to:
Name
Identification numbers
Contact details
Medical or health information
Clinical examination records
Prescription information
Appointment records
Payment or billing details
Certain information relating to health or medical conditions may constitute Sensitive Personal Data under the PDPA.
Role of Optom Pro Solutions
For the purposes of the Personal Data Protection Act 2010:
i. Data User
Optometry clinics, practices, practitioners, and healthcare providers using the Optom Pro EMR system act as the Data Users in respect of patient records and clinical information entered into the system. These entities determine the purposes and means of processing personal data.
ii. Data Processor
Optom Pro Solutions Sdn Bhd acts as a Data Processor where it processes personal data on behalf of the clinics or practitioners using the EMR platform. Optom Pro Solutions processes such data solely for the purpose of providing the software platform, technical infrastructure, and related support services.
iii. Data Subject
Patients and individuals whose personal data are recorded within the EMR system are considered Data Subjects under the Personal Data Protection Act 2010.
Authorized users of the system remain responsible for ensuring that patient consent is obtained and that all legal obligations under the Personal Data Protection Act 2010 are satisfied. Optom Pro Solutions does not access, review, or control patient medical records except where necessary for technical support, system maintenance, or where authorized by the clinic / practice using the system.
Collection and Processing of Personal Data
Personal data may be collected and processed through the Optom Pro EMR platform for purposes including but not limited to:
Recording patient medical and optometric examination data
Managing appointments and clinic workflows
Generating prescriptions and clinical reports
Maintaining electronic medical records
Facilitating communication between clinics and patients
Supporting billing and administrative functions
Providing technical support and system maintenance
Personal data will only be processed for lawful and legitimate purposes directly related to the services provided.
Notice and Consent
Where required under the Personal Data Protection Act 2010, explicit consent must be obtained from the relevant data subject prior to the processing of their personal data, particularly where such data constitutes sensitive personal data such as health information.
Users of the Optom Pro EMR system are responsible for ensuring that patients are informed that their personal data may be stored and processed electronically within the system.
Users of the system acknowledge and agree that personal data entered into the system is collected with proper authorization and in compliance with applicable laws.
Disclosure of Personal Data
Personal data stored within the Optom Pro EMR system will not be disclosed to third parties without authorization, except under the following circumstances:
Where disclosure is necessary for the provision, operation, maintenance, or security of the Optom Pro EMR system
Where disclosure is required by law or regulatory authority
Where disclosure is necessary to protect the rights, safety, or vital interests of the data subject
Where disclosure is authorized by the clinic or healthcare provider controlling the data
Optom Pro Solutions does not sell, rent, or trade personal data.
Data Security
Optom Pro Solutions takes reasonable and practical steps to protect personal data against loss, misuse, unauthorized access, modification, disclosure, or destruction.
Security measures may include:
Secure server infrastructure
Encrypted data transmission
Role-based access control
User authentication and account security
System monitoring and logging
Regular system maintenance and updates
Personal data may be stored on secure cloud infrastructure managed by trusted service providers.
Data Storage and Retention
Personal data may be stored on secure cloud infrastructure managed by trusted service providers who are contractually required to maintain appropriate security and confidentiality safeguards.
Clinics are responsible for determining appropriate retention periods for patient records in accordance with healthcare regulations.
When personal data is no longer required, reasonable steps will be taken to ensure that it is securely deleted or anonymized.
Data Integrity
Optom Pro Solutions will take reasonable steps to ensure that personal data stored within the system remains accurate, complete, and up to date.
Users of the system are responsible for ensuring that the data they enter into the system is correct and properly maintained.
Access and Correction Rights
Under the Personal Data Protection Act 2010, data subjects may have the right to:
Request access to their personal data
Request correction of inaccurate or incomplete data
Such requests should be directed to the clinic or healthcare provider responsible for the patient’s record.
Optom Pro Solutions may assist clinics in facilitating such requests where technically feasible.
Cross-Border Data Processing
Personal data processed through the Optom Pro system may be stored or processed in data centres operated by third-party service providers located within or outside Malaysia.
Where personal data is transferred outside Malaysia, Optom Pro Solutions will take reasonable steps to ensure that the receiving party provides a level of protection comparable to that required under the Personal Data Protection Act 2010.
Responsibilities of Authorized Users
Authorized users of the Optom Pro EMR system must:
Ensure that personal data entered into the system is collected lawfully
Obtain appropriate consent where required
Protect login credentials and system access
Avoid unauthorized sharing or disclosure of patient data
Users are responsible for complying with all applicable healthcare regulations and data protection laws.
Withdrawal of Consent
A data subject may withdraw their consent to the processing of personal data at any time by providing written notice to the relevant clinic or healthcare provider responsible for the data. Upon such withdrawal, the clinic may request Optom Pro Solutions to cease further processing of the personal data where technically feasible and where such cessation does not conflict with legal or regulatory obligations.
Change of This Policy
Optom Pro Solutions Sdn Bhd reserves the right to amend this PDPA Policy from time to time to reflect legal, regulatory, operational or technological developments.
Any updates will be published on this page and the updated policy shall take effect upon publication.
Contact Information
For any questions regarding this PDPA Compliance Policy, please contact: