Overview Of Personal Data Protection In Malaysia

Malaysia’s Personal Data Protection Act 2010, as amended in 2024, sets out how businesses must handle personal data. This overview explains key concepts, compliance obligations, data subject rights, and the seven core principles organisations must follow to ensure lawful processing and avoid regulatory penalties in an increasingly data-driven business environment.

Personal data is an invaluable asset to businesses in today’s digital economy and is routinely handled by businesses in the course of their daily operations. Data protection laws play a fundamental role in regulating the collection, use and disclosure of personal data by imposing specific data protection rules on data controllers. This article provides an overview of Malaysia’s data protection framework and highlights the key obligations businesses should be aware of.

1. What laws govern personal data protection in Malaysia?

Data protection in Malaysia is governed by the Personal Data Protection Act 2010 (“PDPA”) which has been amended by the Personal Data Protection (Amendment) Act 2024 (“PDPA 2024”). The PDPA 2024 introduces some key changes which are discussed further below.

Pursuant to the PDPA, the regulatory authority for data protection in Malaysia is the Personal Data Protection Commissioner (“Commissioner”) which is responsible for the enforcement of personal data protection laws and implementation of policies and procedures.

Subsidiary legislation provides further instruction on the application of the PDPA. These include the orders, regulations, circulars, standards, guidelines and codes of practice issued pursuant to the PDPA.

2. What is personal data?

Section 4 of the PDPA defines personal data as any information in respect of commercial transactions which:

  1. Is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;
  2. Is recorded with the intention that it should wholly or partly be processed by means of such equipment; or
  3. Is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,

that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data controller, including any sensitive personal data and expression of opinion about the data subject; but does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010.

In other words, under the PDPA, personal data refers to any information that relates directly or indirectly to an individual who can be identified from that data. This includes, but is not limited to, names, identification numbers, contact details, addresses, email information, financial details, employment records, images, biometric data, etc.

The PDPA also recognises sensitive personal data, such as information relating to health, religious beliefs, or criminal records, which is subject to stricter requirements.

3. Who must comply with the PDPA?

In essence, all persons and organisations (with the exception of the Federal and State Governments) that process personal data in the course of their operations are required to comply with the PDPA.

The two parties involved in a commercial transaction where personal data is processed are the data controller (formerly known as data user) and the data subject.

A data controller refers to a person who processes any personal data or has control over or authorises the processing of any personal data while a data subject refers to the individual who is the subject of the personal data.

Certain classes of data controllers (e.g. data controllers involved in communications, financial services, insurance, healthcare, education, etc.) are required to register with the Commissioner. In addition, data controllers who meet any of the following criteria are required to appoint a Data Protection Officer (DPO):

  • Process personal data of more than 20,000 data subjects;
  • Process sensitive personal data, including financial information, of more than 10,000 data subjects; or
  • Carry out activities that require regular and systematic monitoring of personal data.

The PDPA affords the following key rights and protections to data subjects in respect of the processing of their personal data by data controllers:

  • Right to access personal data
  • Right to correct personal data
  • Right to withdraw consent
  • Right to prevent the processing of personal data that is likely to cause damage or distress
  • Right to prevent processing for purposes of direct marketing

As regulatory scrutiny and enforcement of data protection laws increase, non-compliance with personal data protection laws by data controllers may lead to fines and even imprisonment.

4. The seven personal data protection principles

The PDPA entrenches seven key principles that act as a guide on how personal data must be handled by data controllers:

i. General Principle

Personal data may only be processed with the consent of the data subject, unless an exception applies.

ii. Notice and Choice Principle

Businesses must inform individuals of the purpose for which their data is collected and how it will be used, typically through a privacy notice.

iii. Disclosure Principle

Personal data cannot be disclosed for purposes other than those stated at the time of collection, without consent.

iv. Security Principle

Reasonable steps must be taken to protect personal data from loss, misuse, unauthorised access or disclosure.

v. Retention Principle

Personal data must not be kept longer than necessary for the fulfilment of its purpose.

vi. Data Integrity Principle

Businesses must ensure that personal data is accurate, complete and up to date.

vii. Access Principle

Individuals have the right to access their personal data and request corrections where appropriate.

5. Key changes introduced by the PDPA 2024

The Personal Data Protection (Amendment) Act 2024 introduces several significant reforms aimed at modernising Malaysia’s data protection framework and aligning it with international standards. Key changes include:

1. Recognition of biometric data as sensitive personal data
Biometric data (e.g. fingerprints, facial recognition) is now expressly classified as sensitive personal data, requiring a higher threshold of protection and typically explicit consent for processing.

2. Mandatory appointment of a Data Protection Officer (DPO)
Organisations are now required to appoint a DPO responsible for overseeing PDPA compliance, marking a shift towards greater organisational accountability.

3. Mandatory data breach notification
Data controllers must notify the regulator—and in certain cases, affected individuals—of data breaches, ensuring greater transparency and timely response to incidents.

4. Direct obligations imposed on data processors
Data processors are now subject to statutory duties (previously focused mainly on data controllers), including compliance with security requirements.

5. Introduction of the right to data portability
Individuals are granted the right to request the transfer of their personal data between service providers, enhancing user control and promoting competition.

6. Removal of the “white-list” regime for cross-border transfers
The previous system restricting data transfers to approved jurisdictions has been replaced with a more flexible framework, allowing transfers subject to compliance with prescribed safeguards.

6. Practical steps to ensure compliance with PDPA

A data controller should always ensure that consent of the data subject is clearly obtained and documented in compliance with the seven personal data protection principles.

Consent is commonly obtained through privacy notices which clearly explain what data is collected, the purpose for which it is collected and to whom it may be disclosed. Privacy notices must also tell individuals how they can access and correct their data or withdraw consent.

Businesses should conduct regular internal audits to identify any gaps in PDPA compliance, and privacy notices should be regularly updated.

Conclusion

Data protection compliance is no longer optional for businesses in Malaysia. The PDPA imposes clear obligations on how personal data is collected, used and safeguarded. By understanding these requirements and taking proactive compliance steps, businesses can reduce legal risks, strengthen customer confidence and operate more responsibly in an increasingly data-driven environment.
