Malaysia Data Privacy Laws: PDPA 2010 Compliance Guide (2026)

Malaysia's Personal Data Protection Act 2010, known as the PDPA or Act 709, stands as Southeast Asia's first comprehensive data privacy statute. Enacted in 2010 and enforced since November 2013, the law regulates how businesses and organizations collect, process, store, and share personal data within the context of commercial transactions.
The PDPA received its most significant overhaul in over a decade when the Personal Data Protection (Amendment) Act 2024 received Royal Assent on 22 October 2024. These amendments, which came into force in phases from January through June 2025, align Malaysia's data protection framework more closely with international standards such as the EU's General Data Protection Regulation.
This guide covers the complete Malaysian data privacy framework as it stands in 2026, including the original PDPA requirements, the 2024 amendments, enforcement mechanisms, and practical compliance obligations.
Who Does the PDPA Apply To?
The PDPA applies to any person or organization that processes personal data in connection with commercial transactions. This covers businesses of all sizes operating in Malaysia, from multinational corporations to small enterprises.

The law applies to organizations located in Malaysia and those outside the country if they use equipment or facilities in Malaysia to process personal data. This extraterritorial reach means foreign companies that process Malaysian residents' data through Malaysian infrastructure fall under the PDPA's scope.
Key Exemptions
The PDPA does not apply to the Malaysian Federal Government or State Governments. Public sector data sharing is instead governed by the separate Data Sharing Act 2025, which imposes its own requirements on government agencies that share data between themselves.
Other exemptions include personal data processed outside Malaysia (unless intended for further processing within the country), data processed for personal or household purposes, and data regulated by sector-specific legislation such as the Credit Reporting Agencies Act 2010.
The Department of Personal Data Protection (JPDP)
The Jabatan Perlindungan Data Peribadi, commonly known as JPDP or the Department of Personal Data Protection, is the regulatory body responsible for administering and enforcing the PDPA. It operates under the Ministry of Communications and Digital.
The Personal Data Protection Commissioner heads the JPDP and holds broad enforcement powers under the Act. These include the authority to monitor compliance, investigate complaints from data subjects, conduct inspections and audits of organizations, issue enforcement notices requiring specific actions, and impose penalties for violations.
The Commissioner also issues guidelines and advisory documents to help organizations understand their compliance obligations. Since the 2024 amendments took effect, the JPDP has published seven sets of guidelines covering breach notification, DPO appointment, data portability, cross-border transfers, data protection impact assessments, privacy by design, and automated decision-making.
Enforcement Track Record
The JPDP has steadily increased its enforcement activities since the PDPA's initial implementation. Complaints can be filed directly through the department's online portal or in writing. The Commissioner has the authority to investigate potential violations even without a formal complaint, allowing for proactive enforcement where systemic issues are identified.
The 7 Data Protection Principles
Section 5(1) of the PDPA establishes seven principles that form the foundation of Malaysia's data protection framework. Every data controller must comply with these principles when processing personal data.
1. General Principle
A data controller must not process personal data about a data subject unless the data subject has given consent. For sensitive personal data, explicit consent is required.
Consent is not required in limited circumstances, including where processing is necessary for compliance with a legal obligation, for the performance of a contract to which the data subject is a party, to protect the vital interests of the data subject, for the administration of justice, or for the exercise of any functions conferred by law.
The 2024 amendments clarified that consent must be freely given, specific, informed, and unambiguous. Silence or pre-ticked boxes no longer constitute valid consent.
2. Notice and Choice Principle
Before processing any personal data, a data controller must provide the data subject with a written notice containing specific information. This notice must be given in both Bahasa Malaysia (Malay) and English.
The notice must describe the personal data being processed, the purposes of processing, the source of the data (if not collected directly from the data subject), the data subject's right to access and correct their data, the class of third parties to whom the data may be disclosed, and whether providing the data is obligatory or voluntary.
Data subjects must be given a genuine choice about whether to allow their data to be processed. Organizations cannot make the provision of a service conditional on consent to data processing that is unrelated to that service.
3. Disclosure Principle
Personal data must not be disclosed for any purpose other than the purpose for which it was collected, or a purpose directly related to the original purpose. The data controller must clearly identify the purpose for which personal data will be disclosed at the time of collection.
Disclosure to third parties is permitted only where the data subject has consented or where disclosure falls within a recognized exemption, such as compliance with a court order or a legal requirement.
4. Security Principle
Data controllers must take practical steps to protect personal data from loss, misuse, modification, unauthorized or accidental access or disclosure, alteration, or destruction. This requirement extends to both technical and organizational security measures.
The Security Principle is the only principle that now applies directly to data processors as well as data controllers, following the 2024 amendments. Data processors face independent penalty exposure for security violations.
Organizations must comply with the Personal Data Protection Standard 2015, which sets out specific technical and organizational security requirements. These include implementing access controls, encryption of sensitive data, regular security assessments, and employee training on data protection.
5. Retention Principle
Personal data must not be kept for longer than is necessary for the fulfillment of the purpose for which it was collected. Once the original processing purpose has been fulfilled, the data controller must take all reasonable steps to permanently destroy the personal data.
Organizations should establish clear data retention schedules that define how long different categories of personal data will be kept. The retention period should be documented and communicated to data subjects as part of the Notice and Choice Principle.
6. Data Integrity Principle
Data controllers must take reasonable steps to ensure that personal data is accurate, complete, not misleading, and kept up to date. This obligation applies throughout the entire lifecycle of the data, from collection through to destruction.
The practical implication is that organizations need processes to verify and update personal data at regular intervals. Where a data subject notifies the controller that their data is inaccurate, the controller must correct it promptly.
7. Access Principle
Data subjects have the right to access their personal data held by a data controller and to request corrections to any data that is inaccurate, incomplete, misleading, or not up to date.
Data controllers must respond to access requests within 21 days of receiving the request. The controller may charge a reasonable fee for processing access requests, but the fee must not be so high that it deters data subjects from exercising their rights.
Data Subject Rights Under the PDPA
The original PDPA provided data subjects with rights of access, correction, and withdrawal of consent. The 2024 amendments significantly expanded the rights available to individuals.
Right of Access
Data subjects can request access to all personal data that a data controller holds about them. The controller must acknowledge receipt and respond within 21 days. The response must include a description of the data held, the purposes for which it is processed, and the sources from which the data was obtained.
Right to Correction
Where personal data is inaccurate, incomplete, misleading, or out of date, the data subject has the right to request that the data controller correct it. The controller must process correction requests promptly and notify any third parties to whom the incorrect data was previously disclosed.
Right to Withdraw Consent
Data subjects may withdraw their consent for the processing of their personal data at any time by giving written notice to the data controller. Upon receiving a withdrawal notice, the controller must cease processing the personal data unless another lawful basis for processing exists.
Right to Data Portability
Introduced by the 2024 amendments and effective from 1 June 2025, data subjects now have the right to request that a data controller transmit their personal data directly to another data controller. This request must be made in writing through electronic means.
The right to portability applies where the transfer is technically feasible and the data formats are compatible between the two controllers. Data controllers must provide personal data in a structured, commonly used, and machine-readable format when a portability request is received.
Right to Erasure
The 2024 amendments introduced a clearer right to erasure, sometimes referred to as the right to be forgotten. Data subjects can request the deletion of their personal data where it is no longer necessary for the purpose for which it was collected, where consent has been withdrawn, or where the data was unlawfully processed.
Right to Prevent Processing for Direct Marketing
Data subjects have the right to require a data controller to cease or not begin processing their personal data for purposes of direct marketing. This right exists regardless of whether consent was originally given. The penalty for non-compliance with a direction to stop direct marketing processing is a fine not exceeding RM 200,000 or imprisonment for up to 2 years, or both.
Sensitive Personal Data
The PDPA defines sensitive personal data as data relating to the physical or mental health of a data subject, political opinions, religious beliefs or other beliefs of a similar nature, the commission of any offence, or any other personal data determined by the Minister.
The 2024 amendments explicitly added biometric data to the definition of sensitive personal data. This includes fingerprints, facial recognition data, voice patterns, retinal scans, and any other biometric identifiers. Organizations processing biometric data must obtain explicit consent and apply higher security standards than those required for ordinary personal data.
Processing sensitive personal data requires explicit consent from the data subject. The threshold for "explicit consent" is higher than ordinary consent, requiring a clear, affirmative act that specifically addresses the processing of sensitive categories of data.
Mandatory Data Breach Notification
One of the most significant changes introduced by the 2024 amendments is the mandatory data breach notification requirement, which took effect on 1 June 2025.
What Constitutes a Personal Data Breach
The PDPA now formally defines a "personal data breach" as any breach, loss, misuse, or unauthorized access of personal data. This definition is source-agnostic, meaning it covers breaches resulting from external cyberattacks, employee errors, system misconfigurations, misplaced devices, or any other cause.
When Notification Is Required
Notification to the Commissioner is required when a personal data breach causes or is likely to cause "significant harm" to data subjects. The assessment of significant harm considers five criteria:
1. The risk of physical harm, financial loss, credit damage, or property loss to data subjects.
2. The potential for the breached data to be misused for illegal purposes.
3. Whether sensitive personal data is involved.
4. Whether the combination of breached data could enable identity fraud.
5. Whether the breach affects more than 1,000 data subjects, which constitutes "significant scale."
A breach of significant scale (over 1,000 data subjects) triggers the obligation to notify the Commissioner even if it does not otherwise cause significant harm to individuals.
Notification Timelines
Data controllers must notify the Personal Data Protection Commissioner within 72 hours of the breach occurrence. This timeline runs from the point the breach happens, not from when the organization discovers it, making rapid detection capabilities essential.
If the breach is likely to result in significant harm to individual data subjects, the controller must also notify the affected individuals. Notification to data subjects must occur without undue delay and no later than 7 days after the initial notification to the Commissioner.
Breach Register Requirements
All data controllers must maintain a breach register for at least two years. The register must document the cause of each breach, its impact, the number of affected data subjects, the types of data involved, and the remedial actions taken. The Commissioner may request access to this register during investigations or audits.
Penalties for Failure to Notify
Failing to notify the Commissioner of a qualifying breach constitutes a quasi-criminal offence. The penalty for non-compliance with the breach notification requirement is a fine of up to RM 250,000 and/or imprisonment of up to 2 years.
Data Protection Officer Requirements
The 2024 amendments introduced mandatory Data Protection Officer (DPO) appointments for certain categories of organizations, effective 1 June 2025.
Organizations that process personal data of 20,000 or more individuals, or sensitive personal data of 10,000 or more individuals, must appoint a DPO. The DPO must be registered with the Commissioner.
The DPO's responsibilities include advising the organization on compliance with the PDPA, monitoring data processing activities, serving as the point of contact for the Commissioner and data subjects, conducting or overseeing data protection impact assessments, and ensuring staff are trained on data protection obligations.
The DPO must have appropriate qualifications, knowledge, and experience in data protection law and practice. Organizations that fail to appoint a DPO when required face penalties under the amended Act.
Cross-Border Data Transfers
The original PDPA prohibited the transfer of personal data outside Malaysia unless the destination country was on a government-approved whitelist. In practice, this whitelist was never populated, creating legal uncertainty for international data flows.
The 2024 amendments replaced the whitelist system entirely with a new adequacy-based framework under amended Section 129 of the PDPA.
The New Framework
Cross-border transfers are now permitted to destinations that have data protection laws substantially similar to the PDPA or that provide an adequate level of protection equivalent to what the PDPA affords. The Cross Border Personal Data Transfer Guidelines, issued on 29 April 2025, provide detailed guidance on how controllers should assess adequacy.
Transfer Impact Assessments
Before transferring personal data outside Malaysia, data controllers must conduct a Transfer Impact Assessment (TIA). The TIA evaluates whether the destination country's legal framework provides substantially similar protections to those under the PDPA. Factors to consider include the existence of a dedicated data protection authority, the enforceability of data subject rights, the availability of legal remedies, and the rule of law in the destination jurisdiction.
Permissible Transfer Mechanisms
Where a destination country does not have substantially similar laws, transfers may still be permitted through alternative mechanisms. These include binding corporate rules approved by the Commissioner, standard contractual clauses that incorporate PDPA-equivalent protections, explicit consent from the data subject after being informed of the risks, or where the transfer is necessary for the performance of a contract.
Data controllers must document their assessment and the basis for each cross-border transfer. The Commissioner may request evidence of compliance at any time.
Penalties for Unauthorized Transfers
Transferring personal data outside Malaysia in contravention of the cross-border transfer requirements carries a fine of up to RM 300,000 and/or imprisonment for up to 2 years.
Penalties and Enforcement
The 2024 amendments significantly increased the penalty framework under the PDPA.
General Penalties
Contravention of any of the seven data protection principles now carries a maximum fine of RM 1,000,000 (approximately USD 210,000) and/or imprisonment for up to 3 years. Before the amendments, the maximum fine was RM 300,000 with up to 2 years imprisonment.
This penalty applies to both data controllers and, for Security Principle violations, data processors.
Specific Offence Penalties
Different provisions carry different penalty levels. Failure to comply with breach notification requirements attracts fines up to RM 250,000 and/or 2 years imprisonment. Non-compliance with a direction to stop direct marketing processing carries fines up to RM 200,000 and/or 2 years imprisonment. Unauthorized cross-border data transfers face fines up to RM 300,000 and/or 2 years imprisonment. Obstruction of the Commissioner's investigation or inspection carries its own separate penalties.
Criminal vs Civil Liability
PDPA violations are treated as quasi-criminal offences in Malaysia. This means prosecution is handled through the criminal justice system, with the burden of proof resting on the prosecution to establish guilt beyond reasonable doubt. Data subjects who suffer damage as a result of a PDPA violation may also pursue civil claims for compensation, although the PDPA does not specify a statutory right to compensation.
Compliance Requirements for Organizations
Organizations operating in Malaysia should take the following practical steps to ensure PDPA compliance.
Data Mapping and Inventory
Conduct a comprehensive audit of all personal data processing activities. Document what personal data is collected, the purposes of processing, how data flows through the organization, where it is stored, who has access, and when it is deleted.
Privacy Notices
Prepare clear, comprehensive privacy notices in both Bahasa Malaysia and English. These notices must be provided to data subjects before or at the point of data collection and must include all information required by the Notice and Choice Principle.
Consent Management
Implement robust consent management processes. Consent must be freely given, specific, informed, and unambiguous. Maintain records of when and how consent was obtained, and ensure mechanisms exist for data subjects to withdraw consent easily.
Security Measures
Implement technical and organizational security measures that comply with the Personal Data Protection Standard 2015. This includes access controls, encryption, regular vulnerability assessments, incident response plans, and employee security training.
Breach Response Plan
Develop and test a data breach response plan that enables compliance with the 72-hour notification requirement. The plan should include clear escalation procedures, designated response team members, template notifications, and regular simulation exercises.
DPO Appointment
Assess whether your organization meets the thresholds for mandatory DPO appointment (processing data of 20,000 or more individuals, or sensitive data of 10,000 or more). If so, appoint a qualified DPO and register them with the Commissioner.
Cross-Border Transfer Documentation
For any international data transfers, conduct and document Transfer Impact Assessments. Ensure appropriate transfer mechanisms are in place, whether based on adequacy findings, binding corporate rules, contractual clauses, or informed consent.
Key Differences Between Malaysia's PDPA and the EU GDPR
While the 2024 amendments brought the PDPA closer to GDPR standards, several important differences remain.
The PDPA applies only to commercial transactions in the private sector, while the GDPR applies to all data processing regardless of sector. The Malaysian Federal and State Governments are exempt from the PDPA, whereas EU public bodies must comply with the GDPR.
The PDPA's breach notification timeline of 72 hours runs from the occurrence of the breach, not its discovery. The GDPR's 72-hour window starts from when the controller becomes aware of the breach, which is generally more practical for organizations.
The PDPA does not include a specific right to object to processing based on legitimate interests, because the PDPA does not recognize legitimate interests as a lawful basis for processing in the first place. Consent remains the primary legal basis under Malaysian law.
Maximum fines under the PDPA reach RM 1 million (approximately USD 210,000), which is substantially lower than the GDPR's maximum of 20 million euros or 4% of global annual turnover.
Sources and References
- Personal Data Protection Act 2010 (Act 709) - Full Text (pdp.gov.my)
- Personal Data Protection (Amendment) Act 2024 - JPDP (pdp.gov.my)
- Principles of Personal Data Protection - JPDP (pdp.gov.my)
- Malaysia Personal Data Protection Act - Malaysia Government Portal (malaysia.gov.my)
- Cross Border Personal Data Transfer Guidelines 3/2025 - JPDP (pdp.gov.my)
- Personal Data Protection Act 2010 Full Text - Invest Malaysia (investmalaysia.gov.my)
- Malaysia PDPA Amendments: Enhanced Data Governance - IAPP (iapp.org)
- New Horizons: Malaysia PDPA Amendment Act 2024 - Data Protection Report (dataprotectionreport.com)
- Malaysia PDPA Amendment Act 2024 - Baker McKenzie (bakermckenzie.com)
- Navigating Malaysia Mandatory Breach Notification - HHQ Law (hhq.com.my)
- Malaysia New Data Protection Requirements June 2025 - One Asia Lawyers (oneasia.legal)
- Data Protection and Privacy 2026 Malaysia - Chambers and Partners (chambers.com)
- Malaysian Cross-Border Data Transfer Guidelines - CMS Law-Now (cms-lawnow.com)
- Malaysia Digital Course: Data Protection and AI - Future of Privacy Forum (fpf.org)