Personal Data Protection in Malaysia

Do you feel like your rights have been violated? We can assist you:

The abundance of personal data generated by today’s economy has triggered concerns about data privacy. Personal data in unregulated domains are at risk of loss, manipulation and other security breaches. The Personal Data Protection Act 2010 (“PDPA”) came into force on 15th November 2013 to ensure that the processing and usage of personal data are properly regulated, and the rights of the data subjects are adequately protected.

What is Personal Data?

Personal data is defined under the Personal Data Protection Act 2010 as “information in respect of commercial transactions” relating directly or indirectly to a data subject that is recorded or processed for purposes other than credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010[1].

A person whose personal data is being collected is known as a “data subject”.

Principles of Personal Data Protection in Malaysia

The PDPA asserts seven Personal Data Protection Principles to be complied with when processing personal data, namely:

  1. General Principle

The general principle prohibits the data user from processing a data subject’s personal data without his/her consent unless such processing is necessary[2].

Processing of sensitive personal data, such as data on physical or mental health conditions, political opinions, religious beliefs or other similar beliefs, requires explicit consent of the data subject[3].

2. Notice and Choice Principle

The data user is compelled to inform the data subject by written notice as to the type, purpose, extent, accuracy and consequences of the personal data being processed[4].

Such written notice has to be given by the data user “as soon as practicable”[5]. Of course, a data subject can request in writing for the data used to cease processing his/her personal data[6]. Failure to accord to such request without valid justification can be an offence[7].

It may be good to know that a data subject can also refuse or request the data used to cease the processing of his/her personal data for the purposes of direct marketing[8].

3. Disclosure Principle

This principle prohibits the disclosure of personal data without the consent of the data subject[9] except for some limited circumstances[10], such as instances where the disclosure is authorized by the order of a court.

4. Security Principle

The PDPA imposes obligations on the data user to take reasonable steps to protect the personal data being processed from any loss, misuse, unauthorized or accidental access or disclosure, alteration or destruction[11].

5. Retention Principle

Under this Principle, data users are to ensure that the personal data is not to be retained longer than is necessary for the fulfilment of the purpose for which it is processed[12].

It is the duty of the data user to effectively destroy or permanently delete such personal data once the purpose has been fulfilled.

6. Data Integrity Principle

The data user has an obligation to take reasonable steps to ensure that the data kept is accurate, complete, not misleading and up-to-date[13], having regard to the purpose of which the data was collected and processed.

7. Access Principle

The PDPA gives the data subject the right to access his/her own personal data[14] and to correct the personal data[15] which is inaccurate, incomplete, misleading or outdated[16], save and except under certain circumstances[17].


In the event of a breach in personal data usage, the data subject has the right to file a complaint with the Personal Data Protection Commissioner[18] for breaches in the use and/or process of her/her personal data. Non-compliance by a data user of any of the above said principles constitutes an offence under the PDPA and is liable to a fine not exceeding three hundred thousand ringgit (RM300,000.00) or imprisonment for a term not exceeding two years or both.

Do you feel like your rights have been violated? We can assist you:

[1] Section 4, Personal Data Protection Act 2010
[2] Section 6, Ibid.
[3]  Section 40, Ibid.
[4] Section 7, Ibid.
[5] PDPA 7 Principles Booklet
[6] Section 38 (1) and (2), Ibid.
[7] Section 38 (4), Ibid.
[8] Section 43, Ibid.
[9] Section 8, Ibid.
[10] Section 39, Ibid.
[11] Section 9, Ibid.
[12] Section 10, Ibid.
[13] Section 11, Ibid.
[14] Section 30, Ibid.
[15] Section 34, Ibid.
[16] Section 12, Ibid.
[17] Section 32, Ibid.
[18] Section 104, Ibid.