Lee Hishammuddin Allen and Gledhill

 

What law(s) specifically govern personal data / information?

The Malaysian Personal Data Protection Act 2010 (PDPA) specifically governs the processing of personal data in commercial transactions and provides for matters connected therewith and incidental thereto.

 

What are the key data protection principles in this jurisdiction?

The PDPA provides for the following data protection principles that a data user (equivalent to data controller under the EU General Data Protection Regulation) must comply with:

  • General Principle: A data controller must not process personal data about a data subject unless the data subject consents to the personal data processing, or explicitly consents to the processing of sensitive personal data (Section 6, PDPA).
  • Notice and Choice Principle: A data user must by written notice provide information to the data subject regarding the personal data processing activities of the data controller and set out choices for the data subject regarding limiting the personal data processing (Section 7, PDPA).
  • Disclosure Principle: A data controller must not disclose personal data without the data subject's consent except where the disclosure is: (a) for a purpose disclosed to the data subject at the time of collection, or for a purpose directly related to that purpose; or (b) to a third party who belongs to a class listed on the written notice issued to the data subject under the Notice and Choice Principle (Section 8, PDPA).
  • Security Principle: A data controller must take practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction (Section 9, PDPA). Where the processing of personal data is carried out by a data processor on behalf of the data controller, the data processor shall comply with the Security Principle (Section 5(1A), PDPA).
  • Retention Principle: Personal data processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose (Section 10, PDPA).
  • Data Integrity Principle: A data controller shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up to date (Section 11, PDPA).
  • Access Principle: A data subject shall be given access to their personal data held by a data controller and be able to correct that personal data where the personal data is inaccurate, incomplete, misleading or not up to date (Section 12, PDPA).

 

What is the supervisory authority / regulator in charge of data protection?

The Personal Data Protection Commissioner (PDPC).

 

Is there a requirement to register with a supervisory authority / regulator?

Yes. A data controller who belongs to any class of data controllers listed under the Personal Data Protection (Class of Data Users) Order 2013 must register with the PDPC (Section 15, PDPA).

This includes data users in the following industries: communications, banking and financial institutions, insurance, health, tourism and hospitalities, transportation (aviation), education, direct selling, professional services, real estate, utilities, pawn brokering and moneylending.

A data controller who belongs to two or more classes of data controllers shall make an application for registration separately for each class of data controllers to which they belong (Regulation 3(2), Personal Data Protection (Registration of Data User) Regulations 2013). The registration procedures and requirements are provided in Section 15 of the PDPA and the Personal Data Protection (Registration of Data User) Regulations 2013, which provide for the following:

  • To apply to be registered, a data controller must provide a copy of their constitution (previously known as the memorandum of association and articles of association) if the data user is a private or public company, or, in other cases, a copy of the constituent documents under which the data user is established.
  • The application to be registered must be accompanied by registration fees ranging from RM100 to RM400, depending on the type of establishment of the data user.
  • The PDPC may in writing, at any time after receiving the application and before it is determined, require the data controller to provide such additional documents or information within the time specified by the PDPC.
  • If the application is successful, a certificate of registration will be issued to the data user, which will be valid for a period of not less than twelve months from the date on which the certificate of registration is issued.

 

Is there a requirement to notify the supervisory authority / regulator?

There is no requirement to notify PDPC before any processing activities are commenced or before transferring personal data to another jurisdiction.

 

Is it possible to register with / notify the supervisory authority / regulator online?

A data controller who belongs to any class of data controllers listed under the Personal Data Protection (Class of Data Users) Order 2013 can apply to be registered via the website of the Department of Personal Data Protection here: https://daftar.pdp.gov.my/

 

What are the key data subject rights under the data protection laws of this jurisdiction?

Under the PDPA, data subjects have the following rights:

  • The right to access personal data (Section 30, PDPA).
  • The right to correct personal data (Section 34, PDPA).
  • The right to withdraw consent for the processing of their personal data (Section 38, PDPA).
  • The right to prevent processing likely to cause unwarranted substantial damage or distress to them or another person (Section 42, PDPA).
  • The right to prevent processing for purposes of direct marketing (Section 43, PDPA).
  • The right to data portability (Section 43A, PDPA).

 

Is there a requirement to appoint a data protection officer (or equivalent)?

Yes. Effective 1 June 2025, data controllers and data processors will need to appoint one or more data protection officers, who shall be accountable to the respective organisation for its compliance with the PDPA, if their processing of personal data involves one of the following:

  • personal data exceeding 20,000 data subjects;
  • sensitive personal data, including financial information, exceeding 10,000 data subjects; or
  • activities that require "regular and systematic monitoring" of personal data.

(Section 12A, PDPA and Appointment of Data Protection Officer Guideline issued by the PDPC on 25 February 2025).

 

Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

There is no express requirement under the PDPA for a data protection impact assessment to be carried out. However, the Appointment of Data Protection Officer Guideline issued by the PDPC on 25 February 2025 provides that one of the responsibilities of a data protection officer is to support the carrying out of data protection impact assessments in accordance with the requirements as may be determined by the PDPC from time to time.

The PDPC has issued a Public Consultation Paper on “Data Protection Impact Assessment Guideline” on 20 March 2025. The paper proposes to develop a guide to data protection officers on how to conduct a data protection impact assessment and to set the minimum requirements and practical steps in managing and protecting personal data controlled by an organisation. However, as at the date of writing, there is no publicly available information pertaining to the current status of the consultation paper.  

 

Does this jurisdiction have any specific data breach notification requirements?

Yes. A data controller is obligated to notify the PDPC and affected data subjects if the data controller has reason to believe that a personal data breach has occurred (Section 12B, PDPA). The procedure for a data controller to notify the PDPC and affected data subjects of a personal data breach is set out in the Data Breach Notification Guideline issued by the PDPC on 25 February 2025.

Not all personal data breaches are notifiable to the PDPC. A data controller is only required to notify the Commissioner of a personal data breach if the personal data breach causes or is likely to cause "significant harm". A personal data breach is considered to cause or be likely to cause "significant harm" if there is a risk that the compromised personal data:

  • may result in physical harm, financial loss, a negative effect on credit records, or damage to or loss of property;
  • may be misused for illegal purposes;
  • consists of sensitive personal data;
  • consists of personal data and other personal information which, when combined, could potentially enable identity fraud; or
  • is of significant scale (i.e. if the number of affected data subjects exceeds 1,000).

The notification to the PDPC shall be made as soon as practicable and no later than 72 hours from the occurrence of the personal data breach. As for notification to data subjects, the requirement is only triggered if the breach results in or is likely to result in "significant harm". The notification to the affected data subjects must be made without unnecessary delay and no later than 7 days after the initial data breach notification is made to the PDPC.

 

What restrictions apply to the international transfer of personal data / information?

A data controller may transfer any personal data of a data subject to any place outside Malaysia if:

  • there is in that place in force any law which is substantially similar to the PDPA; or
  • that place ensures an adequate level of protection in relation to the processing of personal data which is at least equivalent to the level of protection afforded by the PDPA.

(Section 129(2), PDPA).

Notwithstanding the above, the PDPA provides for certain circumstances where a data controller may transfer personal data to a place outside Malaysia. These circumstances are:

  • The data subject consents to the transfer.
  • The transfer is necessary for the performance of a contract between the data subject and the data controller.
  • The transfer is necessary for the conclusion or performance of a contract between the data controller and a third party entered into at the data subject's request, or is in the interests of a data subject.
  • The transfer is for the purpose of legal proceedings or for the purpose of obtaining legal advice or for establishing, exercising, or defending legal rights.
  • The data controller has reasonable grounds to believe that:
    • the transfer is to avoid or mitigate adverse action against a data subject;
    • it is not practical to obtain written consent; and
    • if obtaining consent was practical, the data subject would consent.
  • The data controller has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not be processed in contravention of the PDPA.
  • The transfer is necessary to protect the data subject's vital interests.

(Section 129(3), PDPA).

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

Yes, the PDPA has “extra-territorial effect” on organisations outside of Malaysia in certain circumstances.

The PDPA applies to any person who processes or has control over or authorises the processing of any personal data concerning commercial transactions, and who:

  • Is established in Malaysia.
  • Is not established in Malaysia, but uses equipment in Malaysia to process personal data other than for the purposes of transit through Malaysia.

(Section 2(2), PDPA).

The PDPA considers the following data controllers to have establishments in Malaysia:

  • An individual who is physically present in Malaysia for no less than 180 days in one calendar year.
  • A body incorporated under the Companies Act 1965.
  • A partnership or other unincorporated association formed under any written Malaysian laws.
  • Any person who does not fall within any of the above but maintains in Malaysia:
    • an office, branch, or agency through which the person carries on any activity; or
    • a regular practice.

(Section 2(4), PDPA).

 

What rules specifically deal with marketing?

Under the PDPA, data subjects may object to direct marketing at any time by writing to a data user. On receipt of that objection, the data controller must cease, or not begin, processing personal data for direct marketing purposes.

Where a data user does not comply with the objection request, the data subjects may submit an application to the PDPC to require the data user to comply with the objection request.

Under the PDPA, direct marketing means a communication by any means of advertising or marketing material directed to particular individuals.

(Section 43, PDPA)

 

Do different rules apply to business-to-business and business-to-consumer marketing?

Under the PDPA, “data subject” is defined as an individual who is the subject of the personal data. This definition indicates that the PDPA only applies when an individual’s personal data is collected and processed by the data user.

In so far as business-to-business marketing is concerned, the marketing is not directed towards individuals, but companies. Hence, business-to-business marketing is not governed by the PDPA.

Business-to-consumer marketing, however, would be governed by the PDPA.

 

What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

There are no rules specifically dealing with electronic marketing. Instead, the general rules relating to direct marketing, as discussed above, would apply to any form of direct marketing, whether electronic or non-electronic.

 

What rules specifically deal with cookies?

There are no rules specifically dealing with cookies.

 

What are the consequences of non-compliance with data protection laws (including marketing laws)?

Failure to comply with the PDPA may entail fines and imprisonment. A data controller who contravenes the 7 Personal Data Protection Principles, or a data processor who fails to comply with the Security Principle, shall on conviction be liable to a fine not exceeding RM1 million or to imprisonment for a term not exceeding 3 years or both (Section 5(2), PDPA).

A data controller who fails to comply with the data breach notification requirement shall, on conviction, be liable to a fine not exceeding RM250,000 or imprisonment for a term not exceeding 2 years or both (Section 12B(3), PDPA).

Data controllers who fall under any one or more of the class of data controllers listed under the Personal Data Protection (Class of Data Users) Order 2013, who process personal data without registering themselves, commit an offence and may be liable to a fine of up to RM500,000 or to imprisonment for a term not exceeding 3 years or both (Section 16(4), PDPA).

A data controller whose registration has been revoked and who continues to process personal data thereafter commits an offence and shall, on conviction, be liable to a fine not exceeding RM500,000 or to imprisonment for a term not exceeding 3 years or both (Section 18(4), PDPA).

Where a certificate of registration has been revoked, a person who fails to surrender the certificate of registration to the PDPC commits an offence and shall, on conviction, be liable to a fine not exceeding RM200,000 or to imprisonment for a term not exceeding 2 years or both (Section 19, PDPA).

A data controller who fails to comply with any provision of a code of practice that is applicable commits an offence and shall on conviction, be liable to a fine not exceeding RM100,000 or to imprisonment for a term not exceeding 1 year or both (Section 29, PDPA).

A data controller who continues processing personal data after a data subject has withdrawn their consent by notice in writing to the processing of their personal data commits an offence and shall, on conviction, be liable to a fine not exceeding RM100,000 or to imprisonment for a term not exceeding 1 year or both (Section 38(4), PDPA).

A data controller who fails to comply with the requirement of the PDPC to cease processing the personal data of the data subject in a manner that is causing or is likely to cause substantial damage or distress to the data subject or another person, commits an offence and shall, on conviction, be liable to a fine not exceeding RM200,000 or to imprisonment for a term not exceeding 2 years or both (Section 42(5), PDPA).

For non-compliance with the PDPC’s direction to a data controller to cease or not to begin processing of data subjects’ personal data for purposes of direct marketing, the penalties are a fine not exceeding RM200,000 or imprisonment for a term not exceeding 2 years or both (Section 43(4), PDPA).  

A data controller who fails to comply with an enforcement notice served by the PDPC commits an offence and shall, on conviction, be liable to a fine not exceeding RM200,000 or to imprisonment for a term not exceeding 2 years or both (Section 108(8), PDPA).

A data controller who contravenes section 129 of the PDPA on the transfer of any personal data of a data subject to any place outside of Malaysia, commits an offence and shall, on conviction, be liable to a fine not exceeding RM300,000 or to imprisonment for a term not exceeding 2 years or both (Section 129(5), PDPA).

A person who knowingly or recklessly collects or discloses personal data held by the data controller or procures the disclosure to another person of personal data held by the data controller without the consent of the data controller commits an offence and shall, upon conviction, be liable to a fine not exceeding RM500,000 or to imprisonment for a term not exceeding 3 years or both (Section 130(7), PDPA).   

 

In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction, without being located there?

As mentioned above, the PDPA has “extra-territorial effect” on organisations outside of Malaysia in certain circumstances.

In this regard, organisations located outside of Malaysia who collect and process personal data in Malaysia should conduct the necessary assessment to identify if the PDPA applies to them. If yes, then they are required to comply with the requirements under the PDPA.

 

What upcoming data protection developments should multinational organisations be aware of?

In January 2025, the Digital Minister of Malaysia, Gobind Singh announced that 7 guidelines are planned to be issued and/or developed under the PDPA:

  • Notification of Data Breach Guidelines;
  • Data Protection Officers Guidelines;
  • Data Portability Guidelines;
  • Cross Border Data Transfer Guidelines;
  • Data Protection Impact Assessment Guidelines;
  • Privacy by Design Guidelines; and
  • Automated Decision-Making Guidelines.

To date, the PDPC has issued the following 6 guidelines:

  • Cross Border Personal Data Transfer Guidelines;
  • Data Breach Notification Guidelines;
  • Appointment of Data Protection Officer Guidelines;
  • Data Protection Officer Professional Development Pathway & Training;
  • Management of Data Protection Officer Training Service Providers Guidelines; and
  • Data Protection Officer Competency Guideline.

On 20 March 2025, the Personal Data Protection Department issued 3 public consultation papers on the following guidelines:

  • Data Protection Impact Assessment Guideline;
  • Data Protection by Design Guideline; and
  • Automated Decision Making and Profiling.

The above 3 guidelines are anticipated to be released within 2025.

On 25 August 2025, the Personal Data Protection Department issued another public consultation paper on proposed amendments to the Personal Data Protection Regulation 2013 to ensure alignment with the latest amendments and to support the implementation of the updated PDPA.

Need more information?
Contact a member firm:
Andrew Ean Vooi Chiew
Lee Hishammuddin Allen & Gledhill
Malaysia


Tay Weng Hwee
Lee Hishammuddin Allen & Gledhill
Malaysia