An Overview of Malaysia’s Personal Data Protection Act (PDPA)

Published November 25, 2021 / Updated August 5, 2024

A. Introduction

Malaysia is one of the few countries that took the lead in protecting the privacy and digital rights of its citizens online. Thanks to its Personal Data Protection Act (PDPA), citizens in Malaysia have rights over how companies and websites collect, use, and share their personal data.

The PDPA goes into great detail about what rights a data subject has regarding their data being collected, the responsibilities of a data controller in properly educating the data subjects about their rights, and, most importantly, how organizations can expect to be penalized if they fall foul of the PDPA regulations.

Passed in June 2010 by the Malaysian parliament, the PDPA came into effect more than three years later in November 2013. Under Article 55 of the PDPA, the enforcement powers of the data regulation rest with the Malaysian Ministry of Justice, which later established the office of the Commissioner of the Department of Personal Data Protection (Commissioner) dedicated specifically to enforcing the PDPA.

The PDPA is seen as an incredibly balanced piece of legislation that takes concrete steps to guarantee data subjects’ right to privacy and protection of their data while giving all websites and corporations the necessary breathing space to carry out their behavioral analyses with minimal losses to their reach or engagement.

In July 2024, the Malaysian Parliament passed the long-awaited Amendment (2024 Amendment) to the PDPA, which introduced changes to the existing provisions of the PDPA and added some additional obligations.

B. Who Needs to Comply with PDPA

The PDPA follows the same data protection protocols that several other pieces of legislation have followed over the last couple of years, such as the GDPR and CPRA. It not only applies to organizations inside Malaysia but also ones that deal with the data of Malaysian citizens from anywhere in the world if they have used equipment inside Malaysia for that very purpose.

Any website or company that handles user data collected on the basis of “commercial transactions” is required to follow these regulations. This would include any site related to financing, banking, insurance, investments, or the supply or exchange of goods and services for a price.

However, the PDPA is explicit in creating exceptions for the following entities:

  • The Federal & State governments of Malaysia;
  • Credit report agencies that fall under the Malaysia Credit Reporting Agencies Act 2010; and
  • Data Controllers processing personal data outside Malaysia (Unless the processed data requires further processing inside Malaysia).

The last part has special significance since it gives companies and websites leeway in collecting Malaysians’ data if they aren’t processing that data inside Malaysian borders.

For further clarification, the term “processing” includes collecting, publishing, selling, recording, disclosing, and using data obtained from Malaysian users. Companies that do engage in these activities but not within Malaysia’s borders are exempt from the PDPA regulations.

C. Obligations for Organizations Under the PDPA

The PDPA emphasizes the rights of data subjects. Hence, it goes into extensive detail about the responsibility of websites and data controllers when it comes to handling the data subject’s personal data.

a. Lawful Basis Requirements

The PDPA provides that a data controller must not process an individual's personal data without their consent. The PDPA, however, provides the following exceptions to this principle:

  • Performance of a contract to which the data subject is a party;
  • Taking steps, at the data subject's request, with a view to entering into a contract;
  • Protecting the vital interests, namely matters relating to life, death, or security, of the data subject;
  • Compliance with any legal obligation to which the data controller is the subject, other than a contractual obligation;
  • Administration of justice; or
  • Exercise of any functions conferred on any person under any law.

An organization can only collect data for which it has gained explicit consent from the data subject. At the same time, it must have options for data subjects to easily withdraw or revoke their consent. Once consent is withdrawn, proper measures must be taken to ensure that the data subject’s data is not collected in any form.

c. Privacy Notice Requirements

An organization has the responsibility to properly inform all users who visit their website why their data needs to be collected and whether it will be shared with any third parties. The PDPA requires a data controller to inform a data subject by written notice of the following:

  • That the personal data of the data subject is being processed and a description of the data;
  • The purposes for which the personal data is being collected and further processed;
  • Any information available to the data controller as to the source of that personal data;
  • The data subject's right to request access and correction of the personal data;
  • The contact particulars of the data controller in the event of any inquiries or complaints;
  • The class of third parties to whom the data is or may be disclosed;
  • The choices and means offered to a data subject to limit the processing of the data; and
  • Whether it is obligatory or voluntary for the data subject to supply data, and if obligatory, the consequences of not doing so.

d. Security Requirements

The onus is on the data handler to ensure that the data collected is properly protected against any form of cyberattacks and data breaches. For this reason, the data handler needs to have the best organizational tools and practices in place to prevent any such attacks. Where a data processor carries out the data processing on behalf of a data controller, the data controller must ensure that the data processor provides sufficient guarantees with respect to the technical and organizational security measures governing the processing and takes reasonable steps to ensure compliance with those measures. The 2024 Amendments now require data processors to adhere to the security principle under section 9 of the PDPA. The Commissioner has also issued several security standards that mandate a data controller to have a formulated security policy.

e. Data Breach Requirements

As per the 2024 Amendments to the PDPA, if a data controller believes a personal data breach has occurred, they must notify the Commissioner as soon as practicable, in the prescribed manner and form. If the breach is likely to cause significant harm to the data subject, the data controller must also notify the data subject without unnecessary delay.

Additionally, as per the Public Consultation Paper 1/2018: The Implementation of Data Breach Notification, data controllers are required to notify the Commissioner about the breach and whether any of their information has been compromised as a result within 72 hours.

f. Data Protection Impact Assessment

There is no requirement for conducting a data protection impact assessment under the PDPA.

g. Record of Processing Activities

A data controller must keep and maintain a record of any privacy notice, data subject request, or any other information relating to personal data processed by it, in the form and manner that may be determined by the Commissioner.

h. Cross-Border Data Transfer Requirements

As per the 2024 Amendments, personal data can be transferred outside Malaysia when:

  • The destination country has laws similar to Malaysia's PDPA.
  • The destination country provides adequate protection for personal data, comparable to the PDPA.

The PDPA provides the following exceptions to the cross-border data transfer requirements:

  • Where the consent of the data subject is obtained for the transfer;
  • Where the transfer is necessary for the performance of a contract between the parties;
  • The transfer is for the purpose of any legal proceedings or for the purpose of obtaining legal advice or for establishing, exercising or defending legal rights;
  • The data controller has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not in that place be processed in any manner which, if that place is Malaysia, would be a contravention of this PDPA;
  • The transfer is necessary in order to protect the vital interests of the data subject; or
  • The transfer is necessary as being in the public interest in circumstances as determined by the Minister.

D. Data Subject Rights

The data subject, i.e., the person whose data is being collected, has certain rights under the PDPA. The most prominent rights can be categorized as follows:

a. Right to Access and Rectification

As per this right, anyone whose data has been collected has the right to request to review and update their personal data. The onus is on the data handlers to respond to such a request as soon as possible while also making it easier for data subjects to request access to their personal data.

b. Right to Restriction of Processing

The PDPA allows data subjects to restrict the use of their data entirely or to restrict its use under certain conditions. In the latter case, the data subject allows the data handler to keep possession of their data and use it as it sees fit, except in a few restricted cases, such as the use of their data in marketing campaigns for certain products/services. Data subjects can also request that their data not be processed or used for anything that can cause distress or damage to them.

c. Right to Data Portability

As per the 2024 Amendments to the PDPA, a data subject can request that the data controller transfer their personal data to another data controller of their choice. After receiving the data portability request, the data controller must complete the transfer of personal data within a period prescribed by regulations.

The PDPA, like some of the other landmark data protection laws, such as the CPRA and GDPR, gives data subjects the right to revoke, at any time and by way of written notice, their consent to having their data collected and processed.

E. Appointment of DPO

The 2024 Amendments to the PDPA introduced the requirement of mandatory appointment of data protection officers (DPOs) who are responsible for ensuring compliance with PDPA. The appointment of a DPO is mandatory for both the data controller and the data processor. Organizations must inform the Commissioner about the appointment of DPOs, following the prescribed manner and form. It is to be noted that the appointment of DPOs does not absolve a data controller or data processor from their obligations and responsibilities under the PDPA.

F. Regulatory Authority

Under Article 55 of the PDPA, the Malaysian Ministry of Justice holds the enforcement powers of the data regulation. However, the Ministry has since established the Commissioner of the Department of Personal Data Protection (regulatory authority) to oversee the enforcement of the PDPA across organizations collecting data on Malaysian residents.

G. Penalties for Non-Compliance

The PDPA has seven data protection principles, including the General Principle, Notice and Choice Principle, Disclosure Principle, Security Principle, Retention Principle, Data Integrity Principle, and Access Principle. Under the 2024 Amendments to the PDPA, the maximum penalty for non-compliance with the principles of the PDPA is MYR 1 million (approx. $212,530) and 3 years imprisonment.

Furthermore, under Section 16 of the PDPA, certain institutions, such as licensed banks, insurers, private health care institutions, licensed tour operators, direct sales businesses, private higher education institutions, and certain utilities and transportation service providers, are required to register under the PDPA. In case of any violations, offenders can face fines of up to RM500,000 and imprisonment of up to 3 years.

Additionally, non-compliance with the data breach notification requirement under the 2024 Amendment can result in a fine of up to MYR 250,000 (approx. $53,130), imprisonment for up to two years, or both.

Lastly, as per Section 129 of the PDPA, if an organization is found to have transferred data obtained from inside Malaysia to any external location in contravention of the cross-border transfer requirements, it can be fined up to RM300,000 and/or imprisoned for up to 2 years.

H. How Organizations Can Operationalize PDPA

Organizations hoping to become and, more importantly, remain PDPA compliant in Malaysia have to ensure the following:

  • Obtain express consent from the users before processing any data from them.
  • Communicate to data subjects what data is being collected on them.
  • Maintain proper channels of communication, allowing the data subjects to request access, alteration, or deletion of data collected on them.
  • Have a robust structure of data mapping within the organization.
  • Properly educate the employees and the workforce on your data processing methods to reduce the chance of any discrepancies.

I. How Securiti Can Help

Citizens, in addition to governments around the world, are increasingly becoming vigilant about the need for proper data protection regulation. Not only is it necessary to properly oversee the sanctity of consumers’ data, but it is also essential to do so without jeopardizing companies’ ability to market to their target audiences.

Securiti’s Data Command Center enables organizations to comply with Malaysia’s Personal Data Protection Act (PDPA) by securing the organization’s data and enabling organizations to maximize data value and fulfilling an organization’s obligations around data security, data privacy, data governance, and compliance.

Organizations can overcome hyperscale data environment challenges by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, enabling organizations to swiftly comply with privacy, security, governance, and compliance requirements.

To see Securiti in action, request a demo today.


Frequently Asked Questions (FAQs)

The PDPA Act in Malaysia refers to the Personal Data Protection Act 2010, which was passed in 2010 and came into effect more than three years later, in November 2013. It is a comprehensive law that regulates the processing of personal data by individuals and organizations in Malaysia.

While the Malaysia PDPA and GDPR share principles of protecting personal data, they differ in scope, requirements, and applicability. GDPR applies to the European Union, while PDPA applies to Malaysia.

No, Malaysia is not subject to GDPR. GDPR is a regulation of the European Union and applies to EU member states and their residents.

The enforcement powers of the PDPA rest with the Malaysian Ministry of Justice. However, the Ministry has since established the Commissioner of the Department of Personal Data Protection (regulatory authority) to oversee the enforcement of the PDPA across organizations collecting data on Malaysian residents.

The PDPA was implemented in Malaysia on November 15, 2013.

Non-compliance with the PDPA in Malaysia can result in fines and/or imprisonment. The penalty may vary depending on the specific offense.
