A Business Guide to the Malaysian Personal Data Protection Act 2010 (“PDPA”)

  • rohaila3

1) Purpose and scope of PDPA

Malaysia’s Personal Data Protection Act 2010 (“PDPA”) is the country’s primary private-sector privacy and personal data protection law. It regulates how organisations collect, use, disclose, store, and otherwise process personal data in the course of commercial transactions. Public sector bodies are governed under a separate government framework and are not subject to the PDPA.

The organisations that process personal data are known as “data controllers” under the PDPA, and the individual persons whose personal data is processed are known as “data subjects”. There is another class of legal persons known as “data processors”, who are commonly service providers, vendors, agents and contractors appointed by data controllers to act on their behalf.

Private enterprises, including foreign-owned private enterprises, should therefore be PDPA compliant when they process personal data in Malaysia, essentially the personal data of their individual customers and employees.

2) How are “personal data” and “sensitive personal data” defined?

  • Personal data refers to any information which relates directly or indirectly to an individual who is identified or identifiable from that information, whether it is processed manually or electronically. Examples include name, address, email, phone number, national ID/passport details, employment records, device identifiers, and usage data that can identify the data subject.

  • Sensitive personal data under the PDPA covers five categories of sensitive information about data subjects: their physical and mental health data, religious beliefs, political opinions, criminal conviction data and biometric data (fingerprints, facial recognition, voiceprints, etc.).

3) Who regulates the PDPA?

The PDPA is administered and enforced by the Malaysian Personal Data Protection Commissioner (“PDPC”), a body under the Ministry of Digital, with the assistance and support of the Personal Data Protection Department (“JPDP”). The PDPA is the primary legislation regulating personal data protection matters in Malaysia and is supplemented by subsidiary legislation and guidelines issued by the PDPC.

4) The Seven Principles of PDPA

Every data controller must comply with the seven principles when processing personal data. The seven principles are summarised below:

  1. General Principle – Personal data can only be processed with the data subject’s consent and for a lawful and relevant purpose, adequately and not excessively.

  2. Notice and Choice Principle – Individuals must be informed of how their data is collected, used and disclosed, and be given the choice to consent to, access, correct and limit the data controller’s processing of their data.

  3. Disclosure Principle – Personal data cannot be disclosed for purposes other than those for which it was collected, unless permitted by law, nor disclosed to or shared with other ‘non-approved’ third parties.

  4. Security Principle – Reasonable security measures must be taken to protect personal data from loss, misuse, or unauthorised access.

  5. Retention Principle – Personal data must not be kept longer than necessary for the purpose for which it was collected; thereafter it must be permanently destroyed and deleted.

  6. Data Integrity Principle – Personal data must be accurate, complete, not misleading, and kept up to date.

  7. Access Principle – Individuals have the right to access and correct their personal data held by a data controller.

5) Must you register with the PDPC?

Your organisation is required to register with the PDPC if it falls within the classes listed under the Personal Data Protection (Class of Data Users) Order 2013, as amended in 2016. Examples of classes that fall within the registration requirement include communications, banking/financial, insurance/takaful, health, tourism & hospitality, transportation, education, direct selling, services, real estate, utilities, pawnbrokers, moneylenders, etc.

Even if your organisation does not fall within any of the registrable classes, you must still comply fully with the PDPA and related regulations/guidelines.

6) Must you appoint a Data Protection Officer (DPO)?

From 1 June 2025, data controllers and data processors are required to appoint one or more data protection officers (“DPO”) if their processing of personal data involves:

  1. personal data exceeding 20,000 data subjects;

  2. sensitive personal data, including financial information data, exceeding 10,000 data subjects; or

  3. activities that require regular and systematic monitoring of personal data.

However, organisations that do not fall within the requirements above are still strongly recommended to appoint a DPO or a similar privacy officer as the contact point for any personal data protection matters the organisation faces, in order to streamline its data protection measures.

The appointment of a DPO must be notified to the PDPC as prescribed on its website.

All DPOs shall adhere to the guidelines issued by the PDPC in respect of the DPO’s roles and responsibilities.

7) Data breach notification

From 1 June 2025, data controllers must notify the PDPC as soon as practicable when they have reason to believe that a personal data breach has occurred and that the breach causes or is likely to cause “significant harm”, and in any case within 72 hours from the discovery of the data breach. Where the data breach results in or is likely to result in “significant harm”, data controllers must additionally notify affected data subjects without unnecessary delay, and in any case within 7 days from the data controller’s notification to the PDPC.

The PDPC has issued Data Breach Guidelines on the data breach notification requirements with which businesses must comply.

8) Data portability—new right in Malaysia

Also from 1 June 2025, all data subjects gain a right to data portability. A data subject can request that a data controller transmit their personal data directly to another data controller (for example, moving a mobile subscription between telco operators or transferring medical records between hospitals).

The industry is eagerly awaiting the data portability guidelines to be issued by the PDPC soon.

9) Cross-border transfers of Personal Data

Malaysia has recently updated section 129 of the PDPA, which sets out the statutory requirements for transferring personal data outside Malaysia. The updated section 129 (which comes into force on 1 April 2025) reframes the data transfer regime: a data controller may now transfer personal data outside Malaysia if one of the statutory conditions under section 129 of the PDPA is satisfied.

The PDPC has launched the Cross-Border Personal Data Transfer Guidelines (CBPDT) to help businesses choose the correct legal route and document their assessments and contractual safeguards.

Every data controller should conduct a data transfer impact assessment (“TIA”) to assess its compliance with section 129 of the PDPA before transferring personal data outside Malaysia.

10) Record-keeping and internal governance

The Personal Data Protection Standard 2015 requires written policies and practical controls (security, retention, integrity), with attention to both electronic and physical records. A data controller should maintain, inter alia, the following policies, controls and records:

  • A Record of Access to Personal Data by Employees;

  • A Record of Data Processing Activities;

  • A Data Breach Register in line with the Guidelines issued by the PDPC;

  • Training logs, vendor/processor due-diligence files and a cross-border transfer assessment file.

These records are vital in responding to the PDPC’s enquiries, demonstrating compliance, and managing complaints from data subjects.

11) Practical compliance measures for businesses in Malaysia

Some recommended practical measures for businesses in the Malaysian market:

  • Map and assess: Run a privacy impact assessment (“PIA”) on Malaysian operations to chart systems, data flows, purposes, legal bases, disclosures, retention and cross-border transfers.

  • Close gaps: Implement practical measures to address the risks identified in the PIA.

  • DPO: Appoint and register a DPO, and set clear workflows for handling access and correction requests within the required timelines.

  • Harden security: Deploy appropriate technical and organisational safeguards to reduce unauthorised access and cyber risks.

  • Vet processors: Conduct due diligence on vendors, agents and service providers, and ensure contracts impose PDPA-compliant safeguards.

  • Publish notices: Issue PDPA privacy notices in English and Malay, with clear consent and contact channels.

  • Write it down: Maintain internal PDPA policies/SOPs and a Data Breach Management & Response Plan, and test them via drills.

  • Keep evidence: Maintain the records listed above to prove compliance.

  • Train people: Provide periodic training and refreshers to staff and key vendors.

  • Registration: Confirm whether you fall within a registrable class and, if so, register with the PDPC.

  • Monitor change: Track PDPC updates and subsidiary legislation, and review them with Malaysian counsel.

Final thoughts

Malaysia’s PDPA is no longer a “light-touch” personal data protection regime. It has matured into a practical framework that now includes features familiar to global businesses, such as data breach notification, data portability, clearer cross-border data transfer rules and the requirement to appoint a data protection officer. It is therefore recommended to engage local Malaysian legal counsel to advise you on compliance with the Malaysian PDPA.


By: Jeremiah Gurusamy, Danny Khoo & Zulaikha Zaidi

January 2026
© 2024 Ramesh Dipendra Jeremiah Law. All rights reserved.
