1. Introduction to the PDPA (Updated 2026)
The Personal Data Protection Act (PDPA) 2010 remains the primary framework for personal data in commercial transactions in Malaysia, and this guide covers its 2026 update. As of June 1, 2025, the law has been significantly strengthened to address modern digital threats, including AI-driven data processing and large-scale data breaches.
A key shift in 2026 is the change in terminology: what was formerly known as a “Data User” is now officially referred to as a Data Controller, while the “Data Processor” now carries direct legal obligations for the first time.
2. Key Definitions & Expanded Scope
The 2024 amendments introduced several critical updates to definitions that all organizations must now follow:
- Biometric Data: Now officially classified as Sensitive Personal Data. This includes fingerprints, facial recognition, and voice patterns. Processing this data requires explicit consent and higher security standards.
- Data Controller vs. Data Processor:
  - Data Controller: The entity that determines the purposes and means of processing (formerly “Data User”).
  - Data Processor: Any person (other than an employee of the controller) who processes data on behalf of the controller. Processors are now directly liable for security breaches and can be fined independently of the controller.
- Deceased Persons: The Act now clarifies that the PDPA does not apply to the personal data of deceased individuals.
3. The Seven Protection Principles (2026 Status)
While the core seven principles remain, the Security and Retention standards were updated in 2025 to be “outcome-based” rather than just a checklist.
| Principle | 2026 Key Requirement |
|---|---|
| General | Processing requires explicit consent. Direct marketing now has stricter “opt-out” requirements. |
| Notice & Choice | Privacy notices must be available in both Malay and English and must clearly state if data is transferred overseas. |
| Disclosure | Stricter controls on sharing data with third parties; controllers must maintain a “Disclosure Record.” |
| Security | Mandatory for both Controllers and Processors. Includes the duty to appoint a Data Protection Officer (DPO). |
| Retention | Data must be destroyed once the purpose is fulfilled. 24-month reviews of inactive data are standard. |
| Data Integrity | Controllers must provide easy, often digital, ways for subjects to verify and update their data. |
| Access | Data subjects have the right to access their data within 21 days. |
4. Major New Requirements (Effective 2025/2026)
A. Mandatory Data Protection Officer (DPO)
Starting June 2025, organizations meeting certain thresholds must appoint a DPO and register them with the Commissioner.
- Who needs one? Organizations processing data of 20,000+ individuals or sensitive data of 10,000+ individuals.
- Qualifications: The DPO must be a Malaysian resident and proficient in both Malay and English.
B. Mandatory Data Breach Notification
The “silent breach” era is over. Organizations must now:
- Notify the Commissioner within 72 hours of becoming aware of a breach that causes “significant harm” or is of a “significant scale” (usually 500+ individuals).
- Notify affected individuals “without unnecessary delay” if the breach is likely to cause them harm (e.g., financial loss or identity theft).
C. Right to Data Portability
Data subjects now have a new right: they can request that a Data Controller transfer their personal data directly to another controller (e.g., moving data between banks or service providers) in a machine-readable format, provided it is “technically feasible.”
D. Cross-Border Data Transfers
The old “Whitelist” (which was never actually created) has been replaced. Data can now be transferred out of Malaysia if:
- The destination country has “substantially similar” laws; or
- The controller has a valid contract ensuring the data is protected to Malaysian standards.
5. Penalties & Enforcement
The stakes for non-compliance have tripled as of late 2024.
- Fines: Increased from RM 300,000 to RM 1,000,000 per breach.
- Imprisonment: Potential terms have been extended up to 3 years.
- Processor Liability: Data Processors can now be fined directly for security failures, whereas previously only the “Data User” was at risk.
6. Sectors That Must Register
The list of “Sectors that must register” remains largely consistent but is strictly enforced via the SPDP Portal. If your organization falls under Banking, Insurance, Healthcare, Utilities, or Education, you must ensure your registration and DPO details are current for 2026.
Note: With the 2025 guidelines, the Commissioner has been granted broader powers to “search and seize” without a warrant in urgent cases involving large-scale data leaks.