
Data & Privacy · Malaysia

Comprehensive law: Personal Data Protection Act 2010 (Act 709), as amended by the Personal Data Protection (Amendment) Act 2024 (Act A1727); enforced by the Personal Data Protection Commissioner (Jabatan Perlindungan Data Peribadi, JPDP) under the Ministry of Digital.

Malaysia has a comprehensive, GDPR-style data-protection regime: the Personal Data Protection Act 2010 governs the processing of personal data in commercial transactions and is overseen by the Personal Data Protection Commissioner. The Personal Data Protection (Amendment) Act 2024 substantially modernised the law, with provisions commencing in three phases on 1 January, 1 April and 1 June 2025, adding mandatory breach notification, DPO appointment, data portability, biometric data as sensitive data, and higher penalties.

Comprehensive statute

The PDPA 2010 regulates the processing of personal data in commercial transactions through seven Personal Data Protection Principles (General, Notice & Choice, Disclosure, Security, Retention, Data Integrity, Access). Note that it historically has not applied to the federal and state governments, and that it applies to personal data processed wholly outside Malaysia only where that data is further processed in Malaysia.

Supervisory authority

The Personal Data Protection Commissioner heads the Department of Personal Data Protection (Jabatan Perlindungan Data Peribadi, JPDP) under the Ministry of Digital, which issues guidelines and circulars and enforces compliance.

2024 Amendment Act (phased 2025 commencement)

Act A1727 replaced 'data user' with 'data controller', extended the Security Principle directly to data processors, excluded deceased persons from 'personal data', and added a 'personal data breach' definition. Provisions took effect 1 Jan, 1 Apr and 1 Jun 2025.

Mandatory breach notification

Effective 1 June 2025, controllers must notify the Commissioner as soon as practicable and within 72 hours of a breach, and notify affected data subjects within 7 days of notifying the Commissioner where the breach causes or is likely to cause significant harm (per Commissioner Circular No. 1/2025 and the DBN Guidelines).

Data Protection Officer & data portability

From 1 June 2025, a DPO must be appointed where processing exceeds 20,000 data subjects (or 10,000 for sensitive/financial data) or involves regular systematic monitoring; appointment must be notified to the Commissioner within 21 days. A new data portability right lets individuals request transmission of their data to another controller, subject to technical feasibility.

Sensitive data, cross-border transfers & penalties

Biometric data is now classified as sensitive personal data. The Cross-Border Personal Data Transfer Guidelines (issued 29 April 2025) set out legal bases for transfers outside Malaysia. Maximum fines for breaching the data-protection principles rose from RM300,000 to RM1,000,000, and maximum imprisonment from 2 to 3 years.

Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.