Learn more about Personal Data Protection in Malaysia

Personal data protection in Malaysia is governed by the Personal Data Protection Act (PDPA), which was enacted in 2010. The PDPA regulates the collection, use, and disclosure of personal data, including intellectual property, by businesses and organizations operating in Malaysia. It also gives individuals the right to access and request correction of their personal data, and the right to be informed of any data breaches. Companies are required to appoint a Data Protection Officer (DPO) to ensure compliance with the PDPA, and to implement appropriate security measures to protect personal data. Penalties for non-compliance can include fines and imprisonment. The PDPA is enforced by the Personal Data Protection Commissioner, and enforcement of the Act is one of the key focuses of the Government of Malaysia in ensuring that citizens' personal data is protected.

What does the personal data protection act (PDPA) regulate?

The Personal Data Protection Act (PDPA) regulates the collection, use, and storage of personal data. It applies to both public and private sector organizations. It sets out the rights of individuals with respect to their personal data and the obligations of organizations that process personal data.

The PDPA is intended to protect the privacy of individuals and give them control over their personal data. Organizations must comply with the PDPA to avoid penalties and legal actions.

The key provisions of the PDPA include:

1. Obligations of data controllers: Organizations that collect, use, or store personal data are considered data controllers, and are required to comply with the PDPA. This includes obtaining consent from individuals before collecting their personal data, and providing them with access to their personal data on request.

2. Data processing principles: Organizations must ensure that personal data is processed in a lawful, fair, and transparent manner. They must also ensure that the data is accurate, complete, and not excessive for the purpose for which it is collected.

3. Data security: Organizations must take appropriate technical and organisational measures to protect personal data against unauthorised or accidental access, processing, erasure, loss or destruction.

4. Notification of data breaches: Organizations must notify the Commissioner of any data breaches that occur, and take steps to mitigate the effects of the breach.

5. Individual rights: Individuals have the right to access and correct their personal data, and to request that their data be deleted. They also have the right to object to the processing of their data for certain purposes, such as direct marketing.

6. Penalties: Organizations that fail to comply with the PDPA may be subject to fines and penalties.

How does the PDPA protect individuals' personal data in Malaysia?

The Personal Data Protection Act (PDPA) protects individuals’ personal data by setting out rules and guidelines for how organizations can collect, use, and store personal data. The PDPA gives individuals the right to know what personal data is being collected about them and how it will be used, as well as the right to control their personal data.

Some of the ways in which the PDPA protects individuals’ personal data include:

➤ Obtaining consent: Organizations must obtain the consent of individuals before collecting, using, or disclosing their personal data. This ensures that individuals are aware of how their data will be used and have the ability to control it.
➤ Data accuracy: Organizations must ensure that personal data is accurate, complete, and not excessive for the purpose for which it is collected. This helps to protect individuals from inaccuracies and errors in their personal data.
➤ Data security: Organizations must take appropriate technical and organisational measures to protect personal data against unauthorised or accidental access, processing, erasure, loss or destruction. This helps to protect individuals from data breaches and identity theft.
➤ Notification of data breaches: Organizations must notify the Commissioner of any data breaches that occur, and take steps to mitigate the effects of the breach. This helps to protect individuals by ensuring that they are aware of data breaches and can take steps to protect themselves.
➤ Individual rights: Individuals have the right to access and correct their personal data, and to request that their data be deleted. They also have the right to object to the processing of their data for certain purposes, such as direct marketing. This gives individuals control over their personal data and the ability to protect their privacy.
➤ Penalties: Organizations that fail to comply with the PDPA may be subject to fines and penalties. This helps to ensure that organizations take personal data protection seriously and are held accountable for any failures to comply with the PDPA.

What are the obligations of companies and organizations under the PDPA?

Companies and organizations have several obligations under the Personal Data Protection Act (PDPA) to ensure the protection of individuals’ personal data.

These include:

➤ Obtaining valid consent from individuals before collecting, using or disclosing their personal data.
➤ Ensuring that personal data is accurate and not excessive.
➤ Implementing appropriate technical and organizational measures to protect personal data against unauthorized or accidental access, processing, erasure, loss or destruction.
➤ Notifying the Commissioner of any data breaches that occur.
➤ Allowing individuals to access, correct, and delete their personal data, as well as to object to the processing of their data for certain purposes.

Organizations also have the obligation to appoint a Data Protection Officer (DPO) if required, and to comply with the data protection principles and guidelines issued by the Commissioner. Organizations found to be in violation of the PDPA can face fines and penalties.

What are the rights of individuals under the PDPA?

The Personal Data Protection Act (PDPA) provides several rights to individuals regarding their personal data. Some of these rights include:

1. Right to access personal data: Individuals have the right to request access to their personal data that is held by organizations. This includes the right to see the data, as well as to obtain a copy of it.

2. Right to correct personal data: Individuals have the right to request that their personal data be corrected if it is inaccurate or incomplete. This includes the right to have errors or omissions corrected and to have incomplete data completed.

3. Right to withdraw consent: Individuals have the right to withdraw their consent for the collection, use, or disclosure of their personal data at any time.

4. Right to object to direct marketing: Individuals have the right to object to the use of their personal data for direct marketing purposes.

5. Right to limit the use or disclosure of personal data: Individuals have the right to limit the use or disclosure of their personal data by organizations.

6. Right to complain to the Commissioner: Individuals have the right to complain to the Personal Data Protection Commissioner if they believe their rights under the PDPA have been violated.

7. Right to know the purpose of collection: Individuals have the right to know the purpose for which their personal data is collected.

8. Right to know the third party to which their personal data will be transferred.

How are the PDPA and its regulations enforced?

The Personal Data Protection Act (PDPA) and its regulations are enforced by the Personal Data Protection Commissioner (PDPC). The PDPC is responsible for enforcing the PDPA and ensuring that organizations comply with the act. The PDPC has the authority to conduct investigations and audits, issue enforcement notices and fines, and take legal action against organizations that violate the PDPA. The PDPC also has the power to impose administrative fines of up to MYR 1 million, and the power to seek an injunction against the company or organization that violates the Act. Additionally, the PDPC offers guidance, education and awareness programs to help organizations understand and comply with the PDPA. The PDPC also works closely with other regulatory bodies, such as the Ministry of Domestic Trade and Consumer Affairs, to ensure compliance and enforcement of the PDPA.

What penalties can be imposed for non-compliance with the PDPA?

Non-compliance with the Personal Data Protection Act (PDPA) can result in several penalties, including:

1. Administrative fines: Organizations found to be in violation of the PDPA can be subject to administrative fines of up to MYR 1 million per offense.

2. Injunctions: The Personal Data Protection Commissioner (PDPC) has the power to seek an injunction against organizations that violate the PDPA. This can include ordering an organization to stop certain activities or to take specific actions to comply with the PDPA.

3. Criminal penalties: In serious cases, individuals or organizations that violate the PDPA can face criminal penalties, including fines and/or imprisonment.

4. Public warning: The PDPC may issue a public warning against organizations that violate the PDPA.

5. Disclosure of non-compliance: The PDPC may also disclose the non-compliance of organizations to the public.

6. Prosecution and conviction: The PDPC can take legal action against organizations that violate the PDPA, leading to prosecution and conviction.

What is the role of a Data Protection Officer (DPO)?

A Data Protection Officer (DPO) plays a crucial role in companies and organizations in Malaysia by ensuring compliance with the Personal Data Protection Act (PDPA) and related regulations.

The DPO is responsible for monitoring the organization’s compliance with the PDPA, providing advice and guidance on data protection issues, and working with the organization’s management to implement policies and procedures to protect personal data. The DPO also serves as a liaison with the Personal Data Protection Commissioner (PDPC) and other regulatory bodies, and is responsible for ensuring that the organization has adequate technical and organizational measures in place to protect personal data. Additionally, DPOs are responsible for carrying out regular data protection impact assessments and conducting training sessions for employees to ensure compliance with the PDPA. DPOs should have the necessary knowledge and experience on data protection and security matters.

Organizations that are required by the PDPA to appoint a DPO are businesses that process sensitive personal data, and data processors with more than 250 employees.

How does Malaysia's Personal Data Protection Act compare to other countries?

Malaysia’s Personal Data Protection Act (PDPA) is similar to other data protection laws in other countries in that it aims to protect individuals’ personal data and ensure that organizations handle personal data in a responsible and secure manner.

It is based on the EU General Data Protection Regulation (GDPR) and is designed to align with international standards on data protection. Like other data protection laws, the PDPA requires organizations to obtain valid consent from individuals before collecting, using or disclosing their personal data, and requires organizations to implement appropriate technical and organisational measures to protect personal data against unauthorised or accidental access, processing, erasure, loss or destruction. The PDPA also gives individuals certain rights, such as the right to access, correct, and delete their personal data, and the right to object to the processing of their data for certain purposes. However, the PDPA differs in some aspects, such as the enforcement mechanism, the fines, and the rights of the individuals.

It also applies to businesses operating outside of Malaysia when they process personal data of individuals in Malaysia.
