

Malaysia’s PDPA was introduced to increase consumer confidence in commerce and e-commerce at a time of rapidly growing credit card use, and to help detect identity theft and sales fraud by unauthorized users. The PDPA stipulates a set of data protection principles, and data users must abide by these principles whenever they collect, process or disclose the personal data of Malaysian citizens. The General Principle requires that personal data not be processed unless

(a) the data is processed for a lawful purpose directly related to an activity of the data user, (b) the processing is necessary for or directly related to that purpose, and (c) the data is adequate but not excessive in relation to that purpose.

Employee Data Processing

It should be noted that Malaysia’s PDPA specifically allows data users to process sensitive personal data of employees without the employees’ explicit consent where the processing is necessary for exercising or performing a right or obligation conferred or imposed by law on the data user in connection with employment.

Given that the PDPA only regulates personal data in the context of commercial transactions, there is some ambiguity as to whether casual social media users (for example, those using such services for entertainment and social purposes) benefit from the protection the PDPA provides. The PDPA also contains no privacy-by-design obligation: it does not require data users to consider privacy or security when designing new systems or processes.

According to the Personal Data Protection Commissioner Malaysia (PDPCM), civil society organizations most commonly breach the Security, Retention and Disclosure Principles. The Financial Services Act 2013 (FSA), however, protects financial institutions that voluntarily disclose to Bank Negara Malaysia any information, knowledge or documents indicating that a breach of the FSA has occurred or is about to occur. Any company in doubt as to whether its business operations (including data processing and storage) comply with the data protection principles and the minimum standards described above is advised to seek legal advice.

Technical and Organisational Measures (TOMS) 

Organizations should build technical and organizational measures to protect personal data into new processes and systems as they are developed. Where a data protection officer is appointed, that officer should report to the organization’s top management and should not perform any duties that could create a conflict of interest. The PDPA does not require the appointment of a Data Protection Officer (DPO), but the Data User Registration Application form does require a Compliance Officer to be named, i.e. the person who will oversee the application of the PDPA within the data user’s organization.

Governance of the PDPA

Data protection in Malaysia is governed mainly by the Personal Data Protection Act 2010 (PDPA) and its subsidiary regulations and standards. The Personal Data Protection Commissioner is the regulator responsible for implementing and enforcing the PDPA 2010. By comparison, the European GDPR sets out the rules for processing and protecting the personal data of EU data subjects.

In short, the Malaysian PDPA

a) requires end-user consent for the processing of personal data,

b) requires that Malaysian users be informed about the processing of their data on your websites,

c) grants Malaysians the right to access and correct their data, and regulates all processing of personal data through its seven data protection principles.

Like other major privacy laws worldwide, such as the EU GDPR, Brazil’s LGPD and South Africa’s POPIA, Malaysia’s PDPA revolves around end-user consent: your website must obtain explicit consent from visitors before activating any cookies and trackers that process personal data. In practice, PDPA compliance for your website means obtaining explicit consent from Malaysian end-users before processing their personal data, and informing them in detail about the data processing activities on your websites, for example the types of data you collect, the purposes for which you collect them, and with whom you share them.


Violation of the restriction on cross-border data transfers is a criminal offence and can result in a fine of up to MYR 300,000 (approximately EUR 66,500) and/or imprisonment for up to two years. Under Section 5 of the PDPA, contravention of any of the data protection principles is likewise an offence, punishable by a fine of up to RM300,000 and/or imprisonment for up to two years. Other offences under the Act carry their own fines and/or prison terms; some, such as processing personal data without the required registration, are punishable by imprisonment for up to three years.