Personal Data Protection Act (PDPA) Malaysia

    Overview

    The Personal Data Protection Act (PDPA) was enacted in 2010 and has been updated through the Personal Data Protection (Amendment) Act 2024. The law governs the collection, processing, use, and security of personal data in Malaysia. It aims to enhance privacy protections, security, and individual rights while defining businesses’ obligations in handling personal data.

     

    Regulation Summary

    Timeline
    • June 10, 2010 – Original law enacted.
    • November 15, 2013 – Law came into effect.
    • October 9, 2024 – Amendment Act received Royal Assent.
    • October 17, 2024 – Amendment Act published in the Gazette.
    • January 1, 2025 - Amendment Act went into effect with certain provisions going into effect later in the year. 
    What Businesses Are Affected
    • Any business operating in Malaysia that collects or processes personal data.
    • International companies targeting Malaysian residents.
    • Public institutions and NGOs handling personal data.
    • Entities utilizing hardware and software for data collection and processing.
    Exemptions
    • Personal Use: Data processed for private, non-commercial purposes.
    • Government Exemption: Federal and state governments are not subject to PDPA.
    • National Security: Data processing for defense, public safety, or crime prevention.
    Responsibilities for Businesses
    • Obtain clear and explicit consent before collecting personal data.
    • Limit data collection to what is strictly necessary.
    • Implement security measures to protect stored and processed data.
    • Maintain transparency regarding data usage and processing.
    • Ensure accountability by keeping processing records.
    • Data processors must comply with the security principles outlined in the law.
    Specific Responsibilities for Website Owners
    • Cookie Consent: Obtain explicit consent for non-essential cookies.
    • Privacy Policy: Publish a clear, detailed privacy notice covering:
      • Types of data collected
      • Processing purposes
      • Data retention policies
      • Third-party sharing
      • User rights
    • User Rights Portal: Provide an accessible way for users to manage their data.
    • Secure Data Transmission: Use encryption for submitted data (e.g., contact or payment forms).
    Additional Requirements
    • Cross-Border Data Transfers: Restricted unless specific safeguards are in place.
    • Sensitive Data Protection: Stricter rules apply to biometric, health, and genetic data.
    • Mandatory Data Protection Officer (DPO): Large-scale processors must appoint a DPO.
    • Data Breach Notification: Businesses must notify the Commissioner and affected users of a breach. Failure to do so may result in fines up to RM 250,000 (≈ USD 53,000) or two years' imprisonment.
    Data Subject Rights
    • Access: Request a copy of their personal data.
    • Rectification: Correct inaccurate or incomplete data.
    • Erasure: Request deletion under certain conditions.
    • Portability: Request data transfer to another service provider.
    • Objection: Opt out of processing for marketing or other purposes.
    • Restriction: Limit processing under specific circumstances.
    Enforcement
    • Regulatory Authorities:
      • Personal Data Protection Commissioner (PDPC) under the Ministry of Communications and Digital.
    • Penalties:
      • Unauthorized processing – Fine up to RM 1,000,000 (≈ USD 211,000).
      • Failure to appoint a DPO (if required) – Fine up to RM 500,000 (≈ USD 105,000).
      • Failure to report a data breach – Fine up to RM 250,000 (≈ USD 53,000) or two years' imprisonment.
    • Severe violations – Up to three years’ imprisonment.
    illustration of contact means

    Questions?

    If you would like to learn more, our compliance experts are happy to support you.

    Leave us a Message
    support@clym.io
    +1 980 446 8535 +1 866 275 2596