Company’s Data Protection and Privacy in Malaysia

July 27, 2020, 1:31 pm

Malaysia’s first comprehensive personal data protection legislation, the Personal Data Protection Act 2010 (PDPA), was passed by the Malaysian Parliament on June 2, 2010 and came into force on November 15, 2013. 

Personal data protected under the PDPA is any information in respect of commercial transactions that is:

  • Being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose,
  • Recorded with the intention that it should wholly or partly be processed by means of such equipment, or 
  • Recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system. 

In each case, the information must relate directly or indirectly to a data subject who is identified or identifiable from that information, or from that information together with other information in the possession of a data user.


Personal data includes any sensitive personal data or expression of opinion about the data subject. Personal data does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010.

Collection and processing 

Under the PDPA, subject to certain exceptions, data users are generally required to obtain a data subject’s consent for the processing (which includes collection and disclosure) of personal data. Where consent is required from a data subject under the age of eighteen, the data user must obtain consent from the parent, guardian or person who has parental responsibility for the data subject. The consent obtained from a data subject must be in a form that such consent can be recorded and maintained properly by the data user. 

Malaysian law contains additional data protection obligations, including, for example, a requirement to notify data subjects regarding the purpose for which their personal data are collected and a requirement to maintain a list of any personal data disclosures to third parties. On December 23, 2015, the Commissioner published the Personal Data Protection Standard 2015, which set out the Commission’s minimum requirements for processing personal data. The Standards include the following: 

  • Security Standard for Personal Data Processed Electronically
  • Security Standard for Personal Data Processed Non-Electronically
  • Retention Standard for Personal Data Processed Electronically and Non-Electronically
  • Data Integrity Standard for Personal Data Processed Electronically and Non-Electronically

Under the PDPA, a data user may not transfer personal data to jurisdictions outside of Malaysia unless that jurisdiction has been specified by the Minister. However, there are exceptions to this restriction, including the following:

  • The data subject has given consent to the transfer. 
  • The transfer is necessary for the performance of a contract between the data subject and the data user. 
  • The data user has taken all reasonable steps and exercised all due diligence to ensure that the personal data will not be processed in a manner that would contravene the PDPA. 
  • The transfer is necessary to protect the data subject’s vital interests.

Under the PDPA, data users have an obligation to take ‘practical’ steps to protect personal data, and in doing so, must develop and implement a security policy. The Commissioner may also, from time to time, set out security standards with which the data user must comply, and the data user is required to ensure that its data processors comply with these security standards.

Moreover, the Standards provide separate security standards for personal data processed electronically and for personal data processed non-electronically (among others) and require data users to have regard to the Standards in taking practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. 

Breach notification

There is no requirement under the PDPA for data users to notify authorities regarding data breaches in Malaysia. However, Malaysia’s laws could be updated to include data breach notification requirements modelled on those under the European Union’s General Data Protection Regulation (GDPR), including a requirement to notify government authorities.
