I Legislative Overview

The main legislation governing data protection in Malaysia is the Personal Data Protection Act 2010 (PDPA), which was passed by Parliament on 5 April 2010, received Royal assent on 16 June 2010 and was gazetted on 10 June 2010. The main objective of this legislation is to regulate the processing of personal data by data users in commercial transactions and to protect personal data. To this end, data subjects are accorded certain rights and data users are made subject to certain obligations.

The PDPA, which came into force on 15 November 2013, is in turn supported by subsidiary legislation, namely:

Personal Data Protection Regulations 2013
Personal Data Protection (Registration of Data User) Regulations 2013
Personal Data Protection (Class of Data Users) Order 2013
Personal Data Protection (Class of Data Users) (Amendment) Order 2016
Personal Data Protection (Fees) Regulations 2013
Personal Data Protection (Compounding of Offences) Regulations 2016
Personal Data Protection (Appeal Tribunal) Regulations 2021

In addition to the above, there are Codes of Practice registered by the Personal Data Protection Commissioner of Malaysia which carry the force of law (see Section VIII below).

II Governing Authority

Under the PDPA, a Personal Data Protection Commissioner (Commissioner) has been appointed with the functions and powers to implement the PDPA.

After Parliament enacted the Personal Data Protection Act 2010 (PDPA), Act 709, the Personal Data Protection Department (PDPD) was set up as an agency under the Ministry of Communications and Multimedia Commission (MCMC). The primary responsibility of this department is to oversee the processing of individuals' personal data in relation to commercial transactions, so that such data is not abused or used in violation of the PDPA.

III Scope of Application

The PDPA applies to any person who processes, has control over, or authorizes the processing of any personal data in respect of commercial transactions. In addition, the PDPA applies to a person in respect of personal data if:

(i) The person is established in Malaysia and the personal data is processed, whether or not in the context of that establishment, by that person or any other person employed or engaged by that establishment; or

(ii) The person is not established in Malaysia, but uses equipment in Malaysia for processing the personal data otherwise than for the purposes of transit through Malaysia.

IV Exceptions and Non-application

The PDPA shall not apply to the Federal Government and State Governments.

Further, the PDPA shall not apply to any personal data processed outside Malaysia unless that personal data is intended to be further processed in Malaysia.

V Penalties for Violations

A violation of the PDPA attracts a fine, imprisonment or both, depending on the severity of the offence.

VI Personal Data Protection Principles

For the processing of personal data, the PDPA sets out seven Personal Data Protection Principles with which data users must comply, namely:

  1. General Principle: relates to consent and the processing of sensitive personal data.
  2. Notice and Choice Principle: relates to the requirement to give the data subject written notice that their personal data is being processed, and of the choices available to them in that regard.
  3. Disclosure Principle: relates to the requirements that must be met before any personal data is disclosed to third parties.
  4. Security Principle: relates to the need for a data user to take practical steps to protect the personal data.
  5. Retention Principle: relates to the duration for which personal data may be kept.
  6. Data Integrity Principle: relates to the need for a data user to take reasonable steps to ensure that personal data is accurate, complete, not misleading and up to date.
  7. Access Principle: relates to the data subject's right to access their personal data and to have it corrected.

VII Who Needs To Register under the PDPA

A data user who belongs to any class of data users in the following sectors shall be registered under the Act:

1. Communications
2. Banking and financial institution
3. Insurance
4. Health
5. Tourism and hospitalities
6. Transportation
7. Education
8. Direct selling
9. Services
   (a) A company registered under the Companies Act 1965 [Act 125] or a person who entered into partnership under the Partnership Act 1961 [Act 135] carrying on business as follows:
       (i) legal;
       (ii) audit;
       (iii) accountancy;
       (iv) engineering;
       (v) architecture;
       (vi) retail dealing and wholesale as defined under the Control of Supplies Act 1961 [Act 122]; or
       (vii) private employment agency under the Private Employment Agencies Act 1981 [Act 246].
10. Real estate
   (a) A licensed housing developer under the Housing Development (Control and Licensing) Act 1966 [Act 118].
   (b) A licensed housing developer under the Housing Development (Control and Licensing) Enactment 1978, Sabah.
   (c) A licensed housing developer under the Housing Developers (Control and Licensing) Ordinance 1993, Sarawak.
11. Utilities
12. Pawnbroking
13. Money Lending

VIII Codes of Practice

There are seven Codes of Practice, one of a general nature and the others industry specific, namely:

General Code of Practice for Personal Data Protection
The Personal Data Protection Code of Practice for Private Hospitals in the Healthcare Industry
The Personal Data Protection Code of Practice for the Utilities Sector (Water)
Personal Data Protection Code of Practice for the Banking and Financial Sector
The Personal Data Protection Code of Practice for the Utilities Sector (Electricity)
The Personal Data Protection Code of Practice for the Malaysia Aviation Sector
Code of Practice on Personal Data Protection for the Insurance and Takaful Industry in Malaysia

Unlike many codes of practice, which are recommendatory and non-statutory in nature, these codes of practice carry the force of law.

IX Data Protection Officer (DPO)

The PDPA does not make the appointment of a DPO mandatory.

X Notification for Data Breach

At the time of writing, the PDPA imposes no mandatory requirement on data users in Malaysia to notify the authorities of data breaches.

XI Penalties

A breach of the provisions of the PDPA can attract a fine of up to RM500,000 and/or imprisonment of up to three years, depending on the infringement.