Malaysia
Data Protection
Introduction
Prior to 2010, regulation of personal data was largely sectoral. Industry-specific legislation in respect of data protection existed in the banking and finance, healthcare and telecommunications industries.
In May 2010, the Personal Data Protection Act 2010 (PDPA) was passed in the Malaysian Parliament and in June 2010 received royal assent. The PDPA came into force on 15 November 2013, with a three-month grace period. The PDPA is now the federal data protection law in Malaysia, generally applicable across all sectors.
In 2024 the PDPA was amended pursuant to the Personal Data Protection (Amendment) Bill 2024 (“Bill”) which was passed by the Dewan Rakyat (House of Representatives) and the Dewan Negara (Senate) of the Malaysian Parliament on 16 and 31 July respectively. The Bill has received royal assent and has been published in the Federal Gazette as the Personal Data Protection (Amendment) Act 2024 (“Amendment Act”) on 17 October 2024. The various amendments are stated to come into force in stages in 2025.
The amendments reflected in the Amendment Act are intended to align Malaysia’s data protection laws more closely with international standards.
1. What national laws regulate the collection, use and disclosure of personal data?
The PDPA forms the main federal regulatory framework for personal data protection in Malaysia and the Personal Data Protection Commissioner (“Commissioner”) is the regulator in charge of enforcing and administering the PDPA.
The PDPA safeguards personal data by requiring data controllers to comply with obligations. Certain rights are also granted to data subjects under the PDPA.
The following subsidiary legislation has been enacted under the PDPA:
- Personal Data Protection Regulations 2013 (“Regulations”);
- Personal Data Protection (Class of Data Controllers) Order 2013 (“Order”);
- Personal Data Protection (Registration of Data Controller) Regulations 2013;
- Personal Data Protection (Fees) Regulations 2013;
- Personal Data Protection (Compounding of Offence) Regulations 2016; and
- Personal Data Protection (Appeal Tribunal) Regulations 2021.
Three standards, namely the Security Standards, Retention Standards and Data Integrity Standards were issued in 2015. The Standards are stated to be a “minimum requirement” and apply to all data controllers.
The Commissioner is empowered to designate a body as a data controller forum for a class of data controllers. Data controller forums are tasked to prepare codes of practice (COP) to govern compliance with the PDPA, which are then registered with the Commissioner. Several COPs have been registered and published, including for the banking and financial, aviation, utilities, communications, healthcare, and the insurance and takaful industries. There is also a general COP which applies to classes of data controllers required to be registered as data controllers but are currently not subject to any specific COPs.
2. To whom do the laws apply?
The PDPA applies to “data users”, defined as any person who processes or has control over the processing of any personal data. The term “data user” will be replaced with “data controller” and this amendment will come into force on 1 April 2025. The PDPA defines “data subject” as an individual who is the subject of personal data.
The PDPA also makes reference to “data processors” and prescribes obligations where data processors are engaged. A data processor is defined as “any person other than an employee of the data controller, who processes the personal data solely on behalf of the data controller and does not process the personal data for any other purpose of his own”.
Presently, data processors are not directly subject to the PDPA, but the Amendment Act has introduced direct liability provisions on data processors in respect of data security.
3. What is the territorial scope of the law?
The PDPA applies to data controllers who are:
- established in Malaysia and the personal data is processed by any other person employed or engaged by such establishment; or
- not established in Malaysia but use equipment in Malaysia to process the personal data otherwise than for the purposes of transit through Malaysia.
The phrase “established in Malaysia” is defined broadly and encompasses the following:
- an individual whose physical presence in Malaysia shall not be less than 180 days in one calendar year;
- a body incorporated under the Companies Act 2016;
- a partnership or other unincorporated association formed under any written laws in Malaysia; and
- any person who does not fall within the above categories but maintains an office, branch, agency, or regular practice in Malaysia.
The PDPA does not apply to any personal data processed outside Malaysia unless the data is intended to be further processed in Malaysia.
4. What acts and operations relating to personal data are regulated?
The PDPA applies to any “processing” of personal data, which is defined as collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data, including:
- the organisation, adaptation or alteration of personal data;
- the retrieval, consultation or use of personal data;
- the disclosure of personal data by transmission, transfer, dissemination or otherwise making available; or
- the alignment, combination, correction, erasure or destruction of personal data.
5. What personal data does the law regulate?
Three conditions must be fulfilled in order for data to be considered as “personal data”, namely:
- the data must be information in respect of commercial transactions;
- such information must be processed by means of equipment, be recorded with the intention that it should be processed by such equipment, or be recorded as part of a relevant filing system; and
- the information must relate directly or indirectly to a data subject (an individual person) who is identifiable from the information or other information in the possession of the data controller.
In respect of the first condition, “commercial transactions” are defined as “transactions of a commercial nature and include any matter relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance”.
The definition of “personal data” is sufficiently wide to cover commonly collected personal information such as name, address, telephone number, email address, banking details, photographs, etc.
There is currently no express provision or guidance in the PDPA on anonymous and pseudonymous data. Where the data cannot identify or cause an individual to be identified, such data could be argued as falling outside the definition of “personal data” and thus would not be subject to the requirements under the PDPA.
Further, any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010 is not considered “personal data” under PDPA.
The processing of personal data for certain purposes is fully or conditionally exempted under PDPA as set forth in Question 4, above.
6. Are any types of personal data subject to a higher level of protection under the law?
Stricter rules apply to the processing of “sensitive personal data”, which means any personal data consisting of information as to the:
- physical or mental health or condition of a data subject;
- political opinions or religious beliefs or other beliefs of a similar nature;
- commission or alleged commission of any offence; or
- any other personal data as the Minister may determine by a Gazette order.
Under the Amendment Act, the definition of “sensitive personal data” has been expanded to expressly include “biometric data” (“personal data resulting from technical processing relating to the physical, physiological or behavioural characteristics of a person”).
“Explicit consent” is required for the processing of sensitive personal data unless exceptions apply, for example, where such sensitive personal data has been made public by the data subject; where the processing is necessary for the purposes of exercising or performing any right or obligation under law in connection with employment; to protect vital interests, etc.
7. What requirements must be fulfilled in order to process personal data?
See the discussion under Question 8 below on the data protection obligations under the PDPA.
In particular, the PDPA requires consent (for processing of non-sensitive personal data) and explicit consent (for sensitive personal data), failing which the processing must be legitimised on specific exceptions.
For non-sensitive personal data, the PDPA provides for exceptions to consent, such as where the processing is necessary for the performance of a contract, compliance with legal obligations, the protection of vital interests, and administration of justice, among others.
Personal data processed only for the purposes of an individual’s personal, family or household affairs, including recreational purposes, is excluded from the scope of the PDPA.
Personal data processed for the following purposes is also exempted from certain data protection principles (such as the consent requirement):
- for the prevention or detection of crime, for the purposes of investigations, apprehension or prosecution of offenders, or assessment or collection of any tax or duty or other similar impositions;
- in relation to information relating to the physical or mental health of a data subject, of which the application of the provisions in the PDPA to the data subject would be likely to cause serious harm to the physical or mental health of the data subject or any other individual;
- solely for the purposes of preparing statistics or carrying out research, provided that the resulting statistics or research results are not in a form which identifies the data subject;
- for the purposes of, or in connection with, any court judgment or order;
- for the purpose of discharging regulatory functions if the application of those provisions would be likely to prejudice the proper discharge of those regulatory functions; and
- for journalistic, literary or artistic purposes.
The General Principle further states that personal data shall not be processed unless:
- it is for a lawful purpose directly related to an activity of the data controller;
- it is necessary for, or directly related to, that purpose; and
- the data is adequate but not excessive in relation to that purpose.
The Regulations prescribe that consent must be recorded and properly kept by data controllers, and the onus of proving consent falls on the data controller. Where the form in which consent is to be given also concerns another matter, the request for consent must be presented in a manner that is distinguishable in appearance from that other matter.
Where personal data relates to a data subject under the age of 18, consent must be sought from the parent, guardian or person who has parental responsibility for the data subject.
8. What obligations apply when processing personal data?
Data controllers must comply with the following data protection principles when processing personal data:
General Principle. Consent from the data subject is required for processing of any personal data, unless there is an exception that may be relied upon.
Notice and Choice Principle. The PDPA requires data controllers to inform a data subject by written notice of certain prescribed matters.
Disclosure Principle. There may not be disclosure of personal data without the data subject’s consent, for any purpose other than that for which the data was disclosed at the time of collection, or a purpose directly related to it; or to any party other than a third party of the class notified to the data controller.
Security Principle. Data controllers must take practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction by having regard to factors including the nature of the personal data and the harm that would result from such loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.
When processing on behalf of data controllers, data processors will also be required to:
1. provide sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out; and
2. take reasonable steps to ensure compliance with those measures.
Under the Amendment Act, data processors will be required to directly comply with the Security Principle of the PDPA.
Retention Principle. Personal data must not be kept longer than is necessary for the fulfilment of the purpose for which it is processed. Data controllers have a duty to take reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed.
Data Integrity Principle. Data controllers must take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up to date, having regard to the purpose (and any directly related purpose) for which it was collected and processed.
Access Principle. The PDPA gives the data subject the right to access their own personal data and to correct it where the personal data is inaccurate, incomplete, misleading or outdated. The PDPA provides grounds on which the data controller may refuse to comply with a data access or data correction request by the data subject.
Each principle is subject to certain exceptions and conditions. There are also specific measures set out in the Retention, Security and Data Integrity Standards.
In addition to the data protection principles above, other obligations include:
Data controllers falling within the class of data controllers prescribed in the Order are required to register with the Commissioner.
Under the Amendment Act, data controllers must notify the Commissioner of any personal data breaches as soon as practicable. Data subjects must also be notified without unnecessary delay if the data breach causes or is likely to cause significant harm to the data subject. “Personal Data Breach” is defined as “any breach of personal data, loss of personal data, misuse of personal data or unauthorised access of personal data”.
The Amendment Act introduces a new obligation for both data controllers and data processors to appoint a data protection officer (DPO). The appointed DPO is accountable to the data controller or data processor in relation to its compliance with the PDPA, and is required to be registered with the Commissioner.
9. What rights does the data subject have in relation to personal data?
The PDPA confers the following rights on data subjects:
- right of access to personal data;
- right to require a data controller to correct the personal data;
- right to withdraw consent to process personal data;
- right to prevent processing likely to cause damage or distress;
- right to prevent processing for direct marketing; and
- right to data portability (a new right introduced under the Amendment Act).
There are prescribed procedures and timelines where access or correction is requested by the data subject.
There are also circumstances where data controllers may refuse to comply with data access or correction requests, such as where the data controller is not supplied with sufficient information to verify the identity of the requestor.
10. What rules regulate the sending of commercial or direct marketing communications?
Direct marketing is defined under the PDPA as the “communication by whatever means of any advertising or marketing material, which is directed to particular individuals”. A data subject may, at any time by notice in writing to a data controller, require the data controller to cease or not to begin processing their personal data for direct marketing purposes.
Marketing messages electronically transmitted are also governed under telecommunications law. Recent amendments to the Communications and Multimedia Act 1998 (CMA) introduced a specific provision on unsolicited commercial electronic messages (i.e. spam). A new provision was also introduced pursuant to the amendments to empower the Minister to make regulations in relation to this matter.
The CMA also criminalises the use of application services with the intent of annoying, abusing, threatening or harassing any person at any number or electronic address.
The Malaysian Communications and Multimedia Commission (MCMC) has issued guidance on spam, including: the public consultation report on Regulating Unsolicited Commercial Messages, dated 17 February 2004; FAQs on the MCMC website; and the Anti-Spam Toolkit, which contains the Anti-Spam Framework of Best Practices and Technical Guidelines.
Based on the various documents issued by MCMC on the subject of spam, the main distinguishing factor between a legitimate message and spam appears to be consent. Marketers are expected to obtain the recipient’s permission/consent before sending out marketing messages and the target audience should only be those who have expressed an interest in a particular product or service being marketed by that sender.
11. What rules and requirements regulate the transfer of personal data outside your jurisdiction?
The PDPA prohibits the transfer of personal data out of Malaysia, save where it is to a permitted place or where certain exceptions apply. No permitted places have been gazetted so far and the provisions under the Amendment Act remove the white-list regime for cross-border transfers.
Under the Amendment Act, personal data may be transferred out of Malaysia to a country that has substantially similar laws or where the country ensures equivalent levels of protection.
Cross-border transfer is also permissible in certain specified circumstances, such as where the data subject has consented to the transfer, where the transfer is necessary for the performance of a contract, or where the data controller has taken all reasonable steps and exercised all due diligence to ensure that the personal data will not be processed in a manner that would contravene the PDPA.
12. What are the investigatory and enforcement powers of the regulator?
The Commissioner is empowered to implement and enforce the PDPA and to monitor and supervise compliance with the same. The PDPA also expressly grants powers to the Commissioner to do all things necessary or expedient for or in connection with the performance of his/her functions.
Under the Regulations, the Commissioner has the power to inspect personal data processing systems, and data controllers are required to make those systems available for inspection by the Commissioner or any inspection officer. The Commissioner or inspection officer may also request the production of documents such as records of consent for processing and the list of personal data disclosures to third parties.
The Commissioner may inquire into or investigate incidents if they:
- receive a complaint; or
- have reasonable grounds to believe that an act, practice or request that may contravene the PDPA has been done or engaged in, or is being done or engaged in, by the relevant data controller in relation to personal data.
13. What are the sanctions and remedies for non-compliance with data protection laws?
Non-compliance with the PDPA can lead to administrative sanctions and criminal penalties. Breach of the PDPA may result in an inquiry or investigation by the Commissioner (either on their own initiative or based on a complaint received). Where, following the investigation, the Commissioner decides that the PDPA has been contravened, the Commissioner may serve an enforcement notice, specifying inter alia the breach, the steps required to be taken to remedy the breach within a certain period and directing, if necessary, the relevant data controller to cease processing the personal data. Fines of up to MYR 200,000 or two years’ imprisonment or both are possible for failing to comply with the Commissioner’s enforcement notice.
Currently, a breach of any of the personal data protection principles may incur a fine of up to MYR 300,000 and/or two years’ imprisonment. Under the Amendment Act, the penalties for non-compliance with the principles will be increased to MYR 1 million and/or three years’ imprisonment; the increased penalties will come into force on 1 April 2025. Note that the penalties for breach of the Security Principle will also be extended to data processors.
If a body corporate commits an offence, the officers of such body corporate are deemed to have committed the offence personally unless such offence was committed without their knowledge and all reasonable precautions and due diligence were exercised.