6 Things Every Business Owner Should Know about the Malaysian Personal Data Protection Act 2010.


1. Why is PDPA so important?

The Personal Data Protection Act 2010 (“PDPA”) is the primary legislation concerning data protection in Malaysia. It is important because it provides guidance and best-practice rules for companies to follow on how to process personal and sensitive personal data.


The use of such data is an integral part of today’s commercial world. A vast amount of personal and sensitive data is collected, used and transferred to third-party companies every day for a variety of commercial reasons. This trend is expected to grow exponentially with the emergence of advanced technologies that are becoming more and more accessible to business owners.


Simply put, failure to comply with the PDPA can have serious consequences that expose your business to expensive and often unnecessary civil lawsuits. Moreover, violating the PDPA can also see you and your business facing serious penalties, resulting in harsh punishment by the authorities.



2. Who should comply with the PDPA?

The PDPA applies to any person who processes and has control over or authorizes the processing of any personal data in respect of commercial transactions.


At this point, it may be noted that while the PDPA does not have extraterritorial application like the GDPR, a foreign company, whether or not it has a physical presence in Malaysia, will still be caught by the PDPA if it uses equipment in Malaysia to process personal data otherwise than for the purposes of transit through the country. In that case, the PDPA requires the foreign company to establish a representative or company with a physical presence in Malaysia.


3. What constitutes ‘personal’ and ‘sensitive’ personal data?

The PDPA applies to both ‘Personal Data’ and ‘Sensitive Personal Data’.


‘Personal data’ means any information concerning commercial transactions which is processed by means of equipment operating automatically in response to instructions given for that purpose. Further, any information that is recorded with the intention that it should be processed by means of such equipment, or that is recorded as part of a relevant filing system, also constitutes personal data. Clearly, this definition is broad and fairly all-encompassing, and may include NRIC/Passport No., home addresses, contact details, and occupation.


‘Sensitive personal data’ is defined under the PDPA as any personal data consisting of information as to the physical or mental health or condition of the person, his political opinions and/or his religion.



4. What is the difference between a ‘data user’ and ‘data subject’?

The PDPA defines ‘data user’ as a person who processes any personal data or has control over or authorizes the processing of any personal data, but does not include a data processor.


The ‘data subject’ means an individual who is the subject of the personal data.



5. Are there restrictions on cross-border data transfers from Malaysia?

Yes, the PDPA prohibits the transfer of any personal data of a data subject overseas unless to such places as specified by the Minister, upon the recommendation of the Minister, by notification published in the Gazette. Nonetheless, it is worth mentioning that a proposed order was recommended by the Minister that will allow the transfer of personal data to certain safe harbour jurisdictions outside Malaysia without having to obtain consent or invoke any of the exceptions provided under the PDPA.


As of the date of this publication, the Minister has yet to approve the safe harbour jurisdictions. Hence, at this time, the Minister may only allow international data transfers if there is in that place any law which is substantially similar to the PDPA, or if that particular country can ensure an adequate level of protection in relation to the processing of personal data.


On top of that, you may only transfer personal data outside Malaysia if there is consent, or if the transfer meets any other exception provided under the PDPA, for example where the transfer is necessary for the performance or conclusion of a contract between the data user and the data subject, or for the purpose of any legal proceedings, or for obtaining legal advice for establishing, exercising or defending legal rights.



6. What are the penalties for non-compliance?

Anyone disobeying the PDPA may be liable to fines of up to RM500,000.00 and imprisonment for a term not exceeding 3 years, or both.


In the event that a company commits an offence under the PDPA, the following persons can be charged severally or jointly in the same proceedings with the company:


  • any person who at the time of the commission of the offence was a director, CEO, COO, manager or secretary of the company
  • any other similar officer of the company, or any person who was purporting to act in any such capacity, or who was in any manner responsible for the management of any of the affairs of the company or was assisting in such management


Disclaimer: The above article is intended for general informational and education purposes only and not for the purpose of providing legal and professional advice. Got a question on the Malaysian Data Protection law? Contact members of Chern & Co. at info@chernco.com.my.


