Data & Privacy · Malaysia
Data protection & privacy laws in Malaysia (2026)
Malaysia has a comprehensive data-protection regime: the Personal Data Protection Act 2010 (PDPA) governs the processing of personal data in commercial transactions and is overseen by the Personal Data Protection Commissioner. The Personal Data Protection (Amendment) Act 2024 brought the law substantially closer to the GDPR model, with provisions commencing in three phases on 1 January, 1 April and 1 June 2025, adding mandatory breach notification, compulsory DPO appointment, a data-portability right, biometric data as sensitive personal data, and higher penalties.
Key points
The PDPA 2010 regulates the processing of personal data in commercial transactions through seven Personal Data Protection Principles (General, Notice and Choice, Disclosure, Security, Retention, Data Integrity, Access). Its scope is narrower than the GDPR's: it does not apply to the federal and state governments (the 2024 amendment did not change this), and it does not apply to personal data processed outside Malaysia unless that data is intended to be further processed in Malaysia.
The Personal Data Protection Commissioner heads the Department of Personal Data Protection (Jabatan Perlindungan Data Peribadi, JPDP) under the Ministry of Digital, issuing guidelines, circulars and enforcing compliance.
Act A1727 replaced 'data user' with 'data controller', extended the Security Principle directly to data processors, excluded deceased persons from 'personal data', and added a 'personal data breach' definition. Provisions took effect 1 Jan, 1 Apr and 1 Jun 2025.
Effective 1 June 2025, controllers must notify the Commissioner as soon as practicable and within 72 hours of a breach, and notify affected data subjects within 7 days of notifying the Commissioner where the breach causes or is likely to cause significant harm (per Commissioner Circular No. 1/2025 and the DBN Guidelines).
From 1 June 2025, a DPO must be appointed where processing exceeds 20,000 data subjects (or 10,000 for sensitive/financial data) or involves regular systematic monitoring; appointment must be notified to the Commissioner within 21 days. A new data portability right lets individuals request transmission of their data to another controller, subject to technical feasibility.
Biometric data is now classified as sensitive personal data. The Cross-Border Personal Data Transfer Guidelines (issued 29 April 2025) set out legal bases for transfers outside Malaysia. Maximum fines for breaching the data-protection principles rose from RM300,000 to RM1,000,000, and maximum imprisonment from 2 to 3 years.
Timeline - major decisions & events
1 June 2025: The final tranche of the Personal Data Protection (Amendment) Act 2024 activates its most operationally demanding obligations: mandatory data breach notification to the Commissioner and affected individuals, compulsory Data Protection Officer appointment (with 21-day notification to the Commissioner), and a right to data portability. Penalties now reach MYR 1 million and/or three years' imprisonment.
Source: Personal Data Protection Department (PDPD) ↗
29 April 2025: The Personal Data Protection Commissioner publishes the Cross-Border Personal Data Transfer Guidelines, replacing the country-whitelist mechanism of the original Act with a risk-based framework; data controllers must conduct a Transfer Impact Assessment (TIA, valid for three years) and may rely on Binding Corporate Rules, Standard Contractual Clauses, or approved certification schemes to justify transfers.
Source: CMS Law-Now (citing the official PDPC Guidelines) ↗
2025: The PDPD publishes two operational guidelines, one specifying DPO qualifications and appointment procedures and one on data breach notification, which requires a breach register retained for at least two years, providing the compliance roadmap ahead of the 1 June 2025 implementation date.
Source: Personal Data Protection Department (PDPD) ↗
October 2024: Following Royal Assent on 9 October 2024, the Amendment Act is published in the Federal Gazette as Act A1727, formally enacting GDPR-influenced reforms including mandatory DPOs, breach notification, data portability, and risk-based cross-border transfer rules.
Source: Personal Data Protection Department (PDPD) – Federal Gazette Act A1727 ↗
26 June 2024: The Cyber Security Act 2024, Malaysia's first standalone cybersecurity statute, is gazetted. It establishes mandatory incident-reporting and risk-assessment obligations for National Critical Information Infrastructure operators and a licensing regime for cybersecurity service providers, creating parallel security obligations that complement PDPA breach-notification duties.
Source: National Cyber Security Agency (NACSA) ↗
2023: The Personal Data Protection Department reports 130 breach cases in the first half of 2023 alone, versus 30 for all of 2022; the Digital Minister discloses that average fines since 2017 were only MYR 24,000 per company, directly fuelling the case for the 2024 amendment's penalty increase.
Source: Malay Mail ↗
2023: Threat-intelligence firm ThreatMon identifies records linked to Maybank, Astro, and the Election Commission on dark-web forums; the Communications and Digital Minister orders the PDPD and CyberSecurity Malaysia to investigate, exposing the gap left by the absence of any mandatory breach-notification law.
Source: BankInfoSecurity ↗
2022: A 160 GB database purportedly sourced from government MyIdentity APIs, covering the entire adult population, is listed online for USD 10,000; the Home Ministry denies the National Registration Department (NRD) as the source, but the incident intensifies public pressure on the government to strengthen data-protection law.
Source: Malay Mail ↗
2013: Three years after enactment, the PDPA 2010 takes legal effect, making Malaysia the first ASEAN country with comprehensive data-protection legislation. It establishes seven data-protection principles, a registration regime for specified classes of commercial data users (initially 11 sectors, later expanded to 13), and the office of the Personal Data Protection Commissioner.
Source: Personal Data Protection Department (PDPD) ↗
2010: Malaysia enacts its first comprehensive personal data protection statute, creating the PDPA framework to govern commercial-sector processing. It excludes government bodies from its scope and applies only to commercial transactions; the 2024 amendment leaves these coverage gaps in place.
Source: Invest Malaysia (Official Government Portal) ↗
1998: Part of Malaysia's landmark five-statute 'Cyber Laws' package, the Communications and Multimedia Act 1998 (CMA) introduces the earliest statutory network security provisions and functions as the de facto pre-PDPA framework for communications-related data. It is administered by the Malaysian Communications and Multimedia Commission (MCMC), established by the companion Malaysian Communications and Multimedia Commission Act 1998.
Source: Malaysian Communications and Multimedia Commission (MCMC) ↗
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.