Skip to main content

Malaysia Personal Data Protection Act 2010

Malaysia's Personal Data Protection Act 2010 regulates personal data in commercial transactions through seven principles centered on consent and notice. A 2024 amendment added mandatory breach notification, a data protection officer duty, data portability, and higher penalties.

Jurisdiction
Malaysia

Malaysia Personal Data Protection Act 2010

The Malaysia Personal Data Protection Act 2010 (PDPA) regulates the processing of personal data in commercial transactions. Although passed in 2010, it came into force on November 15, 2013. The law is administered by the Personal Data Protection Department under the Ministry. A significant 2024 amendment, with provisions phasing in through 2025, modernized the Act by adding mandatory breach notification, a data protection officer requirement, and data portability.

Who It Applies To

The PDPA applies to any person who processes, or who has control over or authorizes the processing of, personal data in respect of commercial transactions. It originally excluded processing outside Malaysia unless the data was intended to be further processed in Malaysia, though the 2024 reforms broadened obligations. Federal and state governments are excluded from the Act's scope.

Key Requirements

The Act is built on seven principles: the General Principle (requiring consent), Notice and Choice, Disclosure, Security, Retention, Data Integrity, and Access. Data users must obtain consent before processing and must give a written notice describing the purposes of collection and the data subject's rights. Sensitive personal data, such as health and religious beliefs, requires explicit consent. Data subjects have rights of access, correction, withdrawal of consent, and to prevent processing likely to cause damage or distress. Under the 2024 amendments, data controllers must notify the Commissioner of personal data breaches, appoint a data protection officer, and honor data portability requests.

Penalties for Non-Compliance

Non-compliance with the data protection principles is an offense that can result in fines and imprisonment. The 2024 amendments substantially increased the maximum penalties, with offenses involving the principles carrying fines up to one million ringgit and possible imprisonment, reflecting a tougher enforcement stance.

How to Comply

Obtain consent and issue compliant notice and choice statements, with explicit consent for sensitive data. Implement security and retention practices aligned to the seven principles, and honor access, correction, and the new portability rights. Appoint a data protection officer and establish breach-notification procedures to satisfy the amended requirements.

Practical Notes

The 2024 amendments mark the most significant change to Malaysian data protection since 2013, introducing breach notification, a data protection officer requirement, and data portability while raising penalties. Organizations should not rely on the original light-touch regime; instead they should implement breach-response procedures, appoint a DPO, and review consent and notice practices against the strengthened seven-principle framework.

Building a Durable Program

Organizations operating across borders should treat this regime as one input into a unified, principles-based privacy program rather than a standalone checklist. Practical foundations include maintaining a current record of processing activities that documents purposes, lawful bases, data categories, recipients, retention periods, and any cross-border transfers; classifying data so that sensitive categories receive heightened safeguards by default; and embedding privacy-by-design reviews into product and engineering workflows so that new features are assessed before launch. Robust consent and preference management, demonstrable through audit logs, is essential where the law is consent-centric, since the burden of proving a valid lawful basis typically rests on the controller. Incident-response runbooks should encode the applicable breach-notification timelines and decision criteria so that the organization can act within tight windows. Vendor management should ensure processors are bound by contracts that flow down core obligations, and periodic audits should verify that controls remain effective. Aligning to recognized frameworks such as ISO 27701 and privacy-by-design principles helps satisfy overlapping obligations across jurisdictions while reducing duplicated effort and the risk of gaps.