Personal Data Protection
The Personal Data Protection Act 2010 (“PDPA”) came into force on 15 November 2013. The objective of the PDPA is to regulate the processing of personal data in commercial transactions and to safeguard the rights and interests of individuals. Under the PDPA, anyone who processes the personal data of an individual in commercial transactions, whether online or offline, must comply with the PDPA. In line with regional and international data protection developments, the Personal Data Protection (Amendment) Act 2024 (“Amendment Act”) was recently introduced and has come into force in stages between 1 January 2025 and 1 June 2025. The Amendment Act introduces several key changes that strengthen the compliance obligations and enforcement mechanisms under the PDPA.
Definition of Personal Data
Personal data is defined under the PDPA as any information in respect of commercial transactions that relates directly or indirectly to a data subject/individual who is identified or identifiable from that information, or from that and other information in the possession of a data controller (previously referred to as a “data user”), including any sensitive personal data and any expression of opinion about the data subject/individual.
Principles under the PDPA
A data controller must comply with the seven personal data protection principles, which form the fundamental backbone of the PDPA, as well as other relevant provisions of the PDPA:
- General principle – generally, a data controller must only process personal data with the consent of an individual, for a lawful purpose and the personal data collected must not be excessive or beyond what is required for the purpose it was collected;
- Notice and choice principle – a data controller must provide a notice informing individuals whose personal data is collected of several matters, including that their personal data is being processed and provide a description of the personal data, the purpose of collection, the categories of parties that it is to be shared with and whether it is obligatory to provide the said personal data;
- Disclosure principle – a data controller may only disclose personal data for the purposes, or to the third parties, that the individual has consented to;
- Security principle – a data controller must take practical steps to protect personal data from loss, misuse, modification, unauthorised or accidental access or disclosure;
- Retention principle – a data controller must not retain personal data longer than it is necessary to fulfil the purpose for which it was collected;
- Data integrity principle – a data controller must take reasonable steps to ensure that all personal data is accurate, complete, not misleading and kept up to date; and
- Access principle – a data controller must allow an individual to have access to his own personal data and to correct it if it is inaccurate, incomplete, misleading or outdated.
Minimum Personal Data Protection Standards
Standards in relation to the Security, Retention and Data Integrity principles were issued by the Personal Data Protection Commissioner (the “Commissioner”) on 30 December 2015. The Standards are the “minimum standards” to be observed by data controllers, and they detail the specific measures that data controllers need to take in respect of the Security, Retention and Data Integrity principles. The Standards apply to both physical and electronic personal data. A contravention of any of the Standards may attract a fine of up to RM250,000, imprisonment for a term not exceeding 2 years, or both.
Rights of an Individual
The PDPA also confers a number of rights on an individual/data subject:
- an individual is entitled to be informed by the data controller whether his personal data is being processed by or on behalf of the data controller;
- an individual is entitled to correct his personal data if it is inaccurate, incomplete, misleading or outdated;
- an individual is entitled to withdraw his consent to the processing of personal data;
- an individual is entitled to request the data controller to cease or not begin the processing of his personal data based on the reason that the processing of personal data will cause or is likely to cause substantial damage or substantial distress to him or to another; and the damage or distress is or would be unwarranted;
- an individual is entitled to request the data controller to cease or not begin processing his personal data for purposes of direct marketing; and
- pursuant to the Amendment Act, an individual is entitled to request the data controller to transmit his personal data to another data controller of his choice, subject to technical feasibility and compatibility of the data format.
Transfer of Personal Data outside Malaysia
Under the Amendment Act, the data controller may transfer personal data to a place outside Malaysia, provided that certain requirements are met. The transfer is permitted where the destination jurisdiction:
- has in place personal data protection laws that are substantially similar to the PDPA; or
- provides an adequate level of protection in relation to the processing of personal data that is at least equivalent to the standards set out under the PDPA.
In addition, cross-border transfers may be carried out if the data controller has obtained consent from the individuals/data subjects prior to the transfer of their personal data outside Malaysia, or if the transfer falls within one of the exceptions under the PDPA (e.g. performance of contract, legal proceedings etc.).
In line with the changes introduced by the Amendment Act, the Commissioner has also issued the Cross-Border Data Transfer Guideline to provide further guidance to data controllers in effecting cross-border data transfers. This guideline outlines the measures and safeguards that data controllers must implement for cross-border data transfers. It also introduces additional or specific requirements that data controllers need to comply with for transferring personal data abroad.
Working with Data Processors
Under the PDPA, a data processor is any person, other than an employee of the data controller, who processes personal data solely on behalf of the data controller and does not process the personal data for any of his own purposes.
Where a data processor (e.g. contractor of the data controller) is given personal data by the data controller and the data processor processes the personal data on behalf of the data controller, the data processor must take reasonable steps to protect the personal data, providing sufficient guarantees in respect of the security measures governing the processing of such personal data and ensuring that reasonable steps are taken to comply with these security measures.
Pursuant to the Amendment Act, data processors are now required to directly comply with the Security Principle.
Registration as Data Controller
Pursuant to the Personal Data Protection (Class of Data Controllers) Order 2013 (as amended by an amendment order in 2016), there are 13 classes of data controllers who must be registered under the PDPA.
The classes which have been specified in the aforementioned Order are as follows:
- communications;
- banking & financial institution;
- insurance;
- health;
- tourism & hospitality;
- transportation;
- education;
- direct selling;
- services (e.g. legal, audit, accountancy etc.);
- real estate;
- utilities;
- pawnbrokers; and
- moneylenders.
The Commissioner is empowered by the PDPA to designate a body as a data controller forum for each of the specific classes of data controllers. These data controller forums in turn may prepare codes of practice either on their own initiative or at the request of the Commissioner, to regulate the personal data processing activities carried out by the respective industries.
Additionally, codes of practice have been issued by the Commissioner for the following sectors:
- communications sector;
- private hospitals in the healthcare sector;
- utilities sector (electricity and water);
- insurance and takaful sector;
- banking and financial sector; and
- aviation sector.
A data controller who fails to comply with any provision of the code of practice that is applicable to the data controller commits an offence and shall, upon conviction, be liable to a fine not exceeding RM100,000 or to an imprisonment term of up to one year or both.
Non-application
The PDPA will not apply to:
- the Malaysian Federal and State Government;
- information processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010; and
- any personal data processed outside Malaysia, unless that personal data is intended to be further processed in Malaysia.
However, the PDPA does apply to a person/entity that is not established in Malaysia but uses equipment in Malaysia for processing personal data otherwise than for the purposes of transit through Malaysia.
Non-compliance
Aside from the negative publicity, penalties for non-compliance with the PDPA can be very severe: the PDPA provides for fines of up to RM1,000,000 and/or imprisonment of up to 3 years for non-compliance, in particular for contravention of any of the principles under the PDPA.
Compoundable Offences
The Personal Data Protection (Compounding of Offences) Regulations 2016 (the “Compounding Regulations”) provide a list of offences which are prescribed to be “compoundable offences”, for which the Commissioner may offer data controllers an opportunity to pay a monetary penalty (which can be up to half of the maximum fine stipulated in the PDPA) within the time period stipulated in the offer. If no payment is received within the stipulated period, prosecution for the offence will be instituted against the data controller.
Enforcement Phase of PDPA
On 3 May 2017, a company became the first data controller to be charged in court for an alleged breach of the PDPA. The company, which operates a local private college, was charged in the Sessions Court for processing the personal data of former employees of the college without a valid certificate of registration issued by the Commissioner’s department, in contravention of section 16(1) of the PDPA. Section 16(1) requires certain classes of data controllers to be registered and to be issued with a valid certificate of registration. The charge, under section 16(4) of the PDPA, provides that in the event of conviction the company would be liable to a fine of up to RM500,000, or imprisonment of its officer(s) for up to three years, or both.
Since the inception of the PDPA, the Commissioner has actively conducted inspections on organisations as part of ongoing enforcement efforts. For instance, the Commissioner conducted 38 inspections on data controllers across various industries and sectors in 2023.
In recent years, there has been an increase in both the number and the amount of compounds issued by the Commissioner, with 13 compounds recorded in 2024. The Commissioner has also instituted enforcement actions and proceedings against several other data controllers, including the following (as reported on its official website):
| Sector | Offence / Maximum Penalty | Penalty Imposed |
|---|---|---|
| Others (Security Services Company) | Section 5(2) (processing of personal data in contravention of the General, Disclosure and Retention Principles of the PDPA). Fine of up to RM1,000,000 or imprisonment of not more than 3 years or both (as amended by the Amendment Act). | Fine of RM108,000 |
| Bank and Financial Institution (Local Bank) | Section 5(2) (processing of personal data in contravention of the Disclosure Principle of the PDPA). Fine of up to RM1,000,000 or imprisonment of not more than 3 years or both (as amended by the Amendment Act). | Fine of RM70,200 |
| Others (Statutory Body) | Section 5(2) (processing of personal data in contravention of the Disclosure Principle of the PDPA). Fine of up to RM1,000,000 or imprisonment of not more than 3 years or both (as amended by the Amendment Act). | Fine of RM50,000 |

(Source: https://www.pdp.gov.my/ppdpv1/en/list-of-compound-cases-under-the-personal-data-protection-act-2010-act-709/)
Looking ahead, enforcement is expected to increase significantly, given the recent increase in maximum penalties for PDPA breaches under the Amendment Act and the recent announcement by the Digital Minister that the Commissioner’s office will be actively stepping up its enforcement efforts. This includes increasing the frequency of inspections by at least 30% and introducing online self-assessment activities/programmes to improve data controllers’ compliance with the PDPA.
Implementation of The New Obligations Under The Amendment Act
The Amendment Act has introduced new obligations on data controllers, in particular the requirement to appoint a data protection officer (“DPO”) and a mandatory data breach notification requirement, both of which came into force on 1 June 2025. To support compliance with these new obligations, the Commissioner has issued the Guideline on the Appointment of Data Protection Officer (“DPO Guideline”) and the Data Breach Notification Guideline (“DBN Guideline”) to provide further clarity and guidance to data controllers and/or data processors in navigating the updated PDPA legislative framework.
Appointment of a DPO
Effective from 1 June 2025, a data controller or data processor must appoint at least one DPO if it meets at least one of the threshold requirements under the DPO Guideline:
- it processes the personal data of more than 20,000 data subjects;
- it processes the sensitive personal data (including financial information) of more than 10,000 data subjects; or
- its personal data processing activities involve regular and systematic monitoring of personal data.
The DPO may be appointed internally from within the organisation or externally (for example, from a law firm), and acts as the primary liaison between the data controller/data processor, the Commissioner and data subjects. The DPO’s responsibilities also include overseeing the data controller’s/data processor’s data protection compliance, managing data protection policies and procedures, and handling any inquiries or complaints relating to personal data.
Mandatory Data Breach Notification
Also effective from 1 June 2025, a data controller is required to notify the Commissioner and/or the affected individuals of a data breach incident if the breach causes or is likely to cause significant harm to the affected individuals. The DBN Guideline sets out the circumstances in which a breach is considered likely to cause significant harm, i.e. where the breach:
- may result in physical harm, financial loss, a negative effect on credit records or damage to or loss of property;
- may be misused for illegal purposes;
- consists of sensitive personal data;
- consists of personal data and other personal information which, when combined, could potentially enable identity fraud; or
- is of significant scale, where the number of affected individuals exceeds 1,000.
If a data breach meets any of the above thresholds under the DBN Guideline, the data controller is required to notify the Commissioner within 72 hours of the occurrence of the breach or of becoming aware of the breach. Notification to the affected individuals must be made within seven days of the initial notification to the Commissioner.
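An incident-response runbook has to turn the significant-harm criteria and the 72-hour/7-day windows above into a concrete triage decision and a pair of deadlines. The following Python helper is an added illustration and is not part of the Guide, the DBN Guideline or any Commissioner tooling: the field names, the `BreachFacts` structure and the choice to start the 72-hour clock at the earlier of the (known) occurrence time and the awareness time are the author's assumptions, chosen to be conservative; the Guideline itself should be consulted for the operative wording.

```python
"""Triage helper for the DBN Guideline thresholds (added illustration, not official tooling)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Windows as stated in the Guide: 72 hours to the Commissioner, then 7 days to individuals.
COMMISSIONER_WINDOW = timedelta(hours=72)
INDIVIDUAL_WINDOW = timedelta(days=7)
# "significant scale" means the number of affected individuals exceeds 1,000.
SCALE_THRESHOLD = 1000


@dataclass
class BreachFacts:
    """Facts established during triage (field names are this example's own)."""
    affected_count: int
    involves_sensitive_data: bool = False
    risk_of_physical_financial_credit_or_property_harm: bool = False
    risk_of_misuse_for_illegal_purposes: bool = False
    combined_data_enables_identity_fraud: bool = False
    occurred_at: Optional[datetime] = None  # often unknown early in an incident
    aware_at: Optional[datetime] = None     # when the controller became aware


def triggered_criteria(facts: BreachFacts) -> List[str]:
    """Return the DBN Guideline 'significant harm' criteria that the facts satisfy."""
    hits: List[str] = []
    if facts.risk_of_physical_financial_credit_or_property_harm:
        hits.append("physical harm, financial loss, credit record or property damage")
    if facts.risk_of_misuse_for_illegal_purposes:
        hits.append("data may be misused for illegal purposes")
    if facts.involves_sensitive_data:
        hits.append("breach consists of sensitive personal data")
    if facts.combined_data_enables_identity_fraud:
        hits.append("combined data could enable identity fraud")
    if facts.affected_count > SCALE_THRESHOLD:
        hits.append(f"significant scale ({facts.affected_count} > {SCALE_THRESHOLD} individuals)")
    return hits


def is_notifiable(facts: BreachFacts) -> bool:
    """Any single criterion is enough to make the breach notifiable."""
    return bool(triggered_criteria(facts))


def notification_deadlines(
    facts: BreachFacts, commissioner_notified_at: Optional[datetime] = None
) -> Dict[str, Optional[datetime]]:
    """Compute the latest acceptable notification times.

    Assumption (conservative reading of "occurrence ... or becoming aware"): the 72-hour
    clock starts at the earlier of the known occurrence time and the awareness time.
    The 7-day clock for individuals starts when the Commissioner was actually notified;
    if that has not happened yet, the latest possible date is reported instead.
    """
    if not is_notifiable(facts):
        return {"commissioner": None, "individuals": None}
    if facts.aware_at is None:
        raise ValueError("aware_at is required to start the 72-hour clock")
    clock_start = facts.aware_at
    if facts.occurred_at is not None and facts.occurred_at < clock_start:
        clock_start = facts.occurred_at
    commissioner_deadline = clock_start + COMMISSIONER_WINDOW
    individuals_start = commissioner_notified_at or commissioner_deadline
    return {
        "commissioner": commissioner_deadline,
        "individuals": individuals_start + INDIVIDUAL_WINDOW,
    }


if __name__ == "__main__":
    # Constructed scenario: credential dump detected at 09:00 UTC, 1,500 customers affected.
    aware = datetime(2025, 6, 10, 9, 0, tzinfo=timezone.utc)
    facts = BreachFacts(affected_count=1500, aware_at=aware)
    print("Notifiable:", is_notifiable(facts))
    for reason in triggered_criteria(facts):
        print(" -", reason)
    for party, when in notification_deadlines(facts).items():
        print(f"{party}: notify by {when:%Y-%m-%d %H:%M %Z}")
```

A breach of fewer than 1,000 records with no sensitive data and no other risk factor returns no deadlines, which is the point of running the criteria before the clock: the decision to notify has to be recorded either way, and the helper makes the reasons explicit in the incident log.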
Proposed Implementation of Further Data Protection Regimes
In line with the implementation of the Amendment Act, the Commissioner is actively developing new regulations and updating existing subsidiary regulations under the PDPA to further strengthen the data protection framework in Malaysia. Building upon the existing DPO Guideline and DBN Guideline, the Commissioner has to date announced the development of the following new guidelines:
- Right to Data Portability Guideline;
- Data Protection by Design Guideline;
- Data Protection Impact Assessment Guideline; and
- Automated Decision Making and Profiling Guideline.
The above guidelines are still under development by the Commissioner and are expected to be finalised within this year. Once in force, they will provide clarity on the new changes introduced by the Amendment Act.
Additionally, the Personal Data Protection Standard 2015, which sets out the minimum security, retention and data integrity standards, is currently being revised to align with the updated legislative framework.
Notice
The contents of this Guide are owned by CLO and subject to copyright protection under the laws of Malaysia and, through international treaties, in other countries. No part of this Guide may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means whether or not transiently for any purpose) without the prior written permission of CLO.
Please note also that whilst the information in this Guide is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as a substitute for specific professional advice for any particular course of action as such information may not suit your specific business or operational requirements. It is to your advantage to seek legal advice for your specific situation.
Disclaimer
Rajah & Tann Asia is a network of member firms with local legal practices in Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Our Asian network also includes our regional office in China as well as regional desks focused on Brunei, Japan and South Asia. Member firms are independently constituted and regulated in accordance with relevant local requirements.