Malaysia Data Privacy Laws: PDPA 2010 Compliance Guide (2026)

Malaysia's Personal Data Protection Act 2010 (Act 709) is Southeast Asia's first comprehensive data privacy statute. Enacted in 2010 and in force since November 2013, the PDPA regulates how businesses collect, process, store, and share personal data in commercial transactions. The Personal Data Protection (Amendment) Act 2024 introduced the most significant reforms since enactment, phased in from January through June 2025.
This guide covers the complete Malaysian data privacy framework as it stands in 2026, including the original PDPA requirements, the 2024 amendments, enforcement mechanisms, and practical compliance obligations for organizations operating in or with Malaysia.
Who Does the PDPA Apply To
The PDPA applies to any person or organization that processes personal data in connection with commercial transactions. The law covers businesses of all sizes operating in Malaysia, from multinational corporations to small enterprises, across most private-sector industries.
The law applies to organizations located in Malaysia and those outside Malaysia that use equipment or facilities in Malaysia to process personal data. This extraterritorial reach means foreign companies that process data through Malaysian servers, data centers, or infrastructure fall within the PDPA's scope regardless of where the company is incorporated.
Key Exemptions
The PDPA does not apply to the Malaysian Federal Government or State Governments. Public sector data sharing is instead governed by the Data Sharing Act 2025 (Act 864), which came into effect on 28 April 2025. That Act established the National Data Sharing Committee and imposes obligations on public agencies to maintain security safeguards, keep records of shared data, and report unauthorized disclosures to the Director General of the National Digital Department. Unauthorized disclosure of shared data under Act 864 carries penalties up to RM 1 million and/or five years imprisonment.
Other PDPA exemptions include: personal data processed outside Malaysia (unless intended for further processing within the country), data processed for personal or household purposes, and data regulated by sector-specific legislation such as the Credit Reporting Agencies Act 2010.
The Registration Regime
Malaysia operates a mandatory registration regime for data controllers in regulated sectors. Before processing personal data, data controllers operating in any of the 14 prescribed sectors must register with the Commissioner and obtain a certificate of registration.
The 14 regulated sectors are:
- Communications (licensees under the Communications and Multimedia Act 1998 and Postal Services Act 2012)
- Banking and finance (licensed banks, investment banks, Islamic banks, and development financial institutions)
- Insurance and takaful (licensed insurers and takaful operators)
- Healthcare (private healthcare facilities, medical and dental clinics, registered pharmacies)
- Tourism (licensed tour operators, travel agents, tourist guides, and accommodation premises)
- Transportation (specified transportation service providers)
- Education (private higher educational institutions and private schools)
- Direct selling (licensees under the Direct Sales and Anti-Pyramid Scheme Act 1993)
- Professional services (legal, audit, accountancy, engineering, and architecture firms)
- Retail and wholesale
- Employment (private employment agency operators)
- Real estate (licensed housing developers)
- Utilities
- Pawnbrokers and moneylenders
Registration certificates are valid for at least one year and must be renewed for the data controller to continue processing personal data lawfully. Data controllers must display their certificate at a conspicuous place at their principal place of business and certified copies at branch locations.
The Commissioner has also issued sector-specific Codes of Practice for banking and financial services, aviation, utilities, communications, healthcare, and insurance and takaful, which supplement the general PDPA requirements with sector-tailored standards.
The 2024 Amendment did not alter the registration requirements. Registration obligations operate alongside the new DPO appointment, breach notification, and cross-border transfer obligations introduced by the Amendment Act.
The Department of Personal Data Protection (JPDP)
The Jabatan Perlindungan Data Peribadi, known as JPDP or the Department of Personal Data Protection, is the regulatory body responsible for administering and enforcing the PDPA. It operates under the Ministry of Communications and Digital.
The Personal Data Protection Commissioner heads the JPDP and holds broad enforcement powers under the Act. These include authority to monitor compliance, investigate complaints from data subjects, conduct inspections and audits of organizations, issue enforcement notices requiring specific actions, and impose penalties for violations.
Since the 2024 amendments took effect, the JPDP has published eight sets of guidelines: the Data Breach Notification Guideline (25 February 2025), the DPO Appointment Guideline (25 February 2025), the Cross-Border Personal Data Transfer Guideline (29 April 2025), the Data Portability Guideline, the Data Protection Impact Assessment Guideline (consultation completed May 2025), the Privacy by Design Guideline, the Automated Decision-Making and Profiling Guideline (consultation completed May 2025), and the DPO Training and Competency Guideline (21 July 2025).
Enforcement Track Record
From 2017 through 2025, the JPDP required 33 data controllers to pay compounded fees for PDPA violations. Eight cases proceeded to court prosecution. The highest publicly reported compound was RM 108,000, imposed for simultaneous breaches of the General, Disclosure, and Retention Principles. The JPDP conducted four inspection visits and two enforcement actions against unregistered data controllers in recent enforcement cycles.
The enhanced maximum penalty of RM 1,000,000 took effect from 1 April 2025. Enforcement actions applying the new maximum are expected to emerge in late 2025 and 2026 as the JPDP fully exercises its expanded powers.
Complaints can be filed directly through the JPDP's online portal or in writing. The Commissioner may also initiate investigations proactively without a formal complaint where systemic compliance issues are identified.
The 7 Data Protection Principles
Section 5(1) of the PDPA establishes seven principles that form the foundation of Malaysia's data protection framework. Every data controller must comply with these principles when processing personal data.
1. General Principle
A data controller must not process personal data about a data subject unless the data subject has given consent. For sensitive personal data, explicit consent is required.
Consent is not required in limited circumstances, including where processing is necessary for compliance with a legal obligation, for the performance of a contract to which the data subject is a party, to protect the vital interests of the data subject, for the administration of justice, or for the exercise of any functions conferred by law.
The 2024 Amendment clarified that consent must be freely given, specific, informed, and unambiguous. Silence and pre-ticked boxes do not constitute valid consent.
2. Notice and Choice Principle
Before processing any personal data, a data controller must provide the data subject with a written notice containing specific information. This notice must be provided in both Bahasa Malaysia and English.
The notice must describe the personal data being processed, the purposes of processing, the source of the data (if not collected directly from the data subject), the data subject's right to access and correct their data, the class of third parties to whom the data may be disclosed, and whether providing the data is obligatory or voluntary.
Data subjects must be given a genuine choice about whether to allow their data to be processed. Organizations cannot make the provision of a service conditional on consent to data processing that is unrelated to that service.
3. Disclosure Principle
Personal data must not be disclosed for any purpose other than the purpose for which it was collected, or a purpose directly related to the original purpose. The data controller must clearly identify the purpose for which personal data will be disclosed at the time of collection.
Disclosure to third parties is permitted only where the data subject has consented or where disclosure falls within a recognized exemption, such as compliance with a court order or a legal obligation.
4. Security Principle
Data controllers must take practical steps to protect personal data from loss, misuse, modification, unauthorized or accidental access or disclosure, alteration, or destruction. This requirement covers both technical and organizational security measures.
The 2024 Amendment extended the Security Principle directly to data processors. Data processors now face independent penalty exposure for security violations, not only data controllers. This is the only PDPA principle that imposes direct obligations on processors.
Organizations must comply with the Personal Data Protection Standard 2015, which sets specific technical and organizational security requirements including access controls, encryption of sensitive data, regular security assessments, and employee training on data protection.
5. Retention Principle
Personal data must not be kept for longer than is necessary for the fulfillment of the purpose for which it was collected. Once the original processing purpose has been fulfilled, the data controller must take all reasonable steps to permanently destroy the personal data.
Organizations should establish clear data retention schedules defining how long different categories of personal data will be kept. The retention period should be documented and communicated to data subjects as part of the Notice and Choice Principle.
6. Data Integrity Principle
Data controllers must take reasonable steps to ensure that personal data is accurate, complete, not misleading, and kept up to date throughout the entire lifecycle of the data, from collection through to destruction.
Where a data subject notifies the controller that their data is inaccurate, the controller must correct it promptly.
7. Access Principle
Data subjects have the right to access their personal data held by a data controller and to request corrections to any data that is inaccurate, incomplete, misleading, or not up to date.
Data controllers must respond to access requests within 21 days of receiving the request. The controller may charge a reasonable fee for processing access requests, but the fee must not be so high that it deters data subjects from exercising their rights.
Data Subject Rights Under the PDPA
The original PDPA provided data subjects with rights of access, correction, and withdrawal of consent. The 2024 Amendment significantly expanded the rights available to individuals. These rights became operative in Phase 3 on 1 June 2025.
Right of Access
Data subjects can request access to all personal data that a data controller holds about them. The controller must acknowledge receipt and respond within 21 days. The response must include a description of the data held, the purposes for which it is processed, and the sources from which the data was obtained.
Right to Correction
Where personal data is inaccurate, incomplete, misleading, or out of date, the data subject has the right to request correction. The controller must process correction requests promptly and notify any third parties to whom the incorrect data was previously disclosed.
Right to Withdraw Consent
Data subjects may withdraw their consent for the processing of their personal data at any time by giving written notice to the data controller. Upon receiving a withdrawal notice, the controller must cease processing the personal data unless another lawful basis for processing exists.
Right to Data Portability
Effective from 1 June 2025, data subjects have the right to request that a data controller transmit their personal data directly to another data controller. This request must be made in writing through electronic means.
The right to portability applies where the transfer is technically feasible and the data formats are compatible between the two controllers. Data controllers must provide personal data in a structured, commonly used, and machine-readable format when a portability request is received.
Right to Erasure
The 2024 Amendment introduced the right to erasure. Data subjects can request deletion of their personal data where it is no longer necessary for the purpose for which it was collected, where consent has been withdrawn, or where the data was unlawfully processed.
Right to Prevent Processing for Direct Marketing
Data subjects have the right to require a data controller to cease or not begin processing their personal data for direct marketing purposes. This right applies regardless of whether consent was originally given. The penalty for non-compliance with a direction to stop direct marketing processing is a fine not exceeding RM 200,000 and/or imprisonment for up to 2 years.
Proposed Right Regarding Automated Decision-Making
The JPDP opened public consultation in March 2025 on an Automated Decision-Making and Profiling Guideline. The proposed guideline would introduce three rights for data subjects: the right to decline decisions based solely on automated processing that have significant personal impact; the right to be notified when automated decision-making applies to them; and the right to request human review of automated decisions. The final guideline had not been formally issued as of mid-2026.
Sensitive Personal Data
The PDPA defines sensitive personal data as data relating to the physical or mental health of a data subject, political opinions, religious beliefs or other beliefs of a similar nature, the commission of any offence, or any other personal data determined by the Minister.

The 2024 Amendment explicitly added biometric data to the definition of sensitive personal data, effective 1 April 2025. This includes fingerprints, facial recognition data, voice patterns, retinal scans, and other biometric identifiers. Organizations processing biometric data must obtain explicit consent and apply the higher security standards required for sensitive personal data.
Processing sensitive personal data requires explicit consent from the data subject. The threshold for explicit consent is higher than for ordinary consent, requiring a clear and affirmative act that specifically addresses the processing of sensitive categories of data.
Mandatory Data Breach Notification
The mandatory data breach notification requirement, introduced by the 2024 Amendment, took effect on 1 June 2025. The JPDP issued the Data Breach Notification Guideline on 25 February 2025 to provide implementation guidance.
What Constitutes a Personal Data Breach
The PDPA now formally defines a personal data breach as any breach, loss, misuse, or unauthorized access of personal data. This definition covers breaches from external cyberattacks, employee errors, system misconfigurations, misplaced devices, or any other cause.
When Notification Is Required
Notification to the Commissioner is required when a personal data breach causes or is likely to cause significant harm to data subjects. The assessment of significant harm considers five criteria: the risk of physical harm, financial loss, credit damage, or property loss to data subjects; the potential for the breached data to be misused for illegal purposes; whether sensitive personal data is involved; whether the combination of breached data could enable identity fraud; and whether the breach affects more than 1,000 data subjects (classified as significant scale).
A breach affecting more than 1,000 data subjects triggers the obligation to notify the Commissioner even if it does not cause significant harm to individuals.
Notification Timeline
Data controllers must notify the Commissioner within 72 hours of becoming aware of the breach. Although the amended PDPA uses the phrase "from the occurrence," the JPDP's Data Breach Notification Guideline clarifies that the 72-hour clock commences from the point of discovery, whether through internal detection or external notification to the data controller. Where the 72-hour deadline cannot be met, the controller must submit the notification as soon as practicable together with a written explanation and supporting evidence for the delay.
If the breach is likely to result in significant harm to individual data subjects, the controller must also notify the affected individuals without undue delay and no later than 7 days after notifying the Commissioner.
How to Notify the Commissioner
Notification must be submitted by one of three methods: through the online notification form on the JPDP website; by submitting the notification form set out in Annex B of the Guideline to pdp@pdp.gov.my; or by delivering a hard copy to the Commissioner.
Breach Register Requirements
All data controllers must maintain a breach register for at least two years. The register must document the cause of each breach, its impact, the number of affected data subjects, the types of data involved, and the remedial actions taken. The Commissioner may request access to this register during investigations or audits.
Penalties for Failure to Notify
Failure to notify the Commissioner of a qualifying breach is an offence. The penalty is a fine of up to RM 250,000 and/or imprisonment for up to 2 years.
Data Protection Officer Requirements
The 2024 Amendment introduced mandatory DPO appointments for certain organizations, effective 1 June 2025. Both data controllers and data processors must appoint a DPO if they meet any one of three thresholds.
The thresholds are: processing personal data of 20,000 or more individuals; processing sensitive personal data of 10,000 or more individuals; or engaging in systematic monitoring of individuals on a large scale, such as online behavioral tracking or extensive CCTV operations.
The DPO may be an internal employee or an external consultant. The appointed DPO must be registered with the Commissioner within 21 days of appointment through the Personal Data Protection System at daftar.pdp.gov.my.
The DPO's responsibilities include advising the organization on PDPA compliance, monitoring data processing activities, serving as the point of contact for the Commissioner and for data subjects, conducting or overseeing data protection impact assessments, and ensuring staff receive appropriate training.
The JPDP issued the DPO Training and Competency Guideline on 21 July 2025, setting professional standards and minimum competency requirements for registered DPOs. Organizations that fail to appoint a DPO when required face penalties under the amended Act.
Cross-Border Data Transfers
The original PDPA prohibited transfer of personal data outside Malaysia unless the destination country was on a government-approved whitelist. That whitelist was never populated, creating legal uncertainty for international data flows for over a decade.
The 2024 Amendment replaced the whitelist system entirely with an adequacy-based framework under amended Section 129 of the PDPA, effective 1 April 2025.
The New Framework
Cross-border transfers are permitted to destinations that have data protection laws substantially similar to the PDPA or that provide an adequate level of protection equivalent to what the PDPA affords. The Personal Data Protection Guidelines on Cross-Border Transfer of Personal Data (Guideline No. 3/2025), issued on 29 April 2025, provide detailed guidance on how controllers must assess adequacy.
No formal adequacy determinations designating specific countries as adequate had been issued by the Commissioner as of mid-2026. Data controllers must therefore conduct their own Transfer Impact Assessments.
Transfer Impact Assessments
Before transferring personal data outside Malaysia, data controllers must conduct a Transfer Impact Assessment (TIA). The TIA evaluates whether the destination jurisdiction's legal framework provides protections substantially similar to the PDPA. Factors to consider include: the existence of data subject rights (access, correction); the presence of data protection principles comparable to the PDPA's seven principles; whether the destination has DPO and breach notification requirements; the enforceability of data processor obligations; the existence and powers of a dedicated regulatory authority; and the rule of law in the destination jurisdiction.
Data controllers must document their assessment and the basis for each cross-border transfer. The Commissioner may request evidence of compliance at any time.
Permissible Transfer Mechanisms
Where a destination country does not meet the adequacy threshold, transfers may still occur through alternative mechanisms. These include: standard contractual clauses incorporating PDPA-equivalent protections, inserted into contracts between the data controller and the overseas recipient; binding corporate rules approved by the Commissioner; explicit consent from the data subject after being informed of the destination country's protections and the associated risks; or where the transfer is necessary for the performance of a contract to which the data subject is a party.
Penalties for Unauthorized Transfers
Transferring personal data outside Malaysia in contravention of Section 129 carries a fine of up to RM 300,000 and/or imprisonment for up to 2 years.
Penalties and Enforcement
The 2024 Amendment significantly increased the PDPA's penalty framework, with higher penalties taking effect from 1 April 2025.
General Penalties
Contravention of any of the seven data protection principles now carries a maximum fine of RM 1,000,000 (approximately USD 210,000 to 225,000 at 2026 exchange rates) and/or imprisonment for up to 3 years. Before the Amendment, the maximum was RM 300,000 with up to 2 years imprisonment.
This general penalty applies to data controllers. For Security Principle violations, data processors also face direct penalty exposure.
Specific Offence Penalties
Different PDPA provisions carry their own penalty levels:
- Failure to notify the Commissioner of a qualifying breach: up to RM 250,000 and/or 2 years imprisonment
- Non-compliance with a direction to stop direct marketing processing: up to RM 200,000 and/or 2 years imprisonment
- Unauthorized cross-border data transfer: up to RM 300,000 and/or 2 years imprisonment
- Obstruction of the Commissioner's investigation or inspection: separate penalties under the Act
Criminal Liability and Enforcement History
PDPA violations are treated as quasi-criminal offences. Prosecution proceeds through the criminal justice system, with the burden of proof on the prosecution to establish guilt beyond reasonable doubt. Data subjects who suffer damage from a PDPA violation may also pursue civil compensation claims, although the PDPA does not specify a statutory right to compensation.
From 2017 through 2025, the JPDP required 33 data controllers to pay compounded fees for PDPA violations, with 8 cases proceeding to court prosecution. The highest compound imposed was RM 108,000 for breaches of the General, Disclosure, and Retention Principles by a single data controller. Enforcement actions applying the RM 1,000,000 maximum introduced by the 2024 Amendment are expected to emerge from late 2025 onward.
Data Protection Impact Assessments
The JPDP opened public consultation in March 2025 on a proposed Data Protection Impact Assessment (DPIA) Guideline, with responses due by 19 May 2025. A DPIA is defined as an assessment of the impact of planned processing operations on personal data protection, which involves identifying, assessing, and managing data protection risks considering the organization's functions and processes.
Under the proposed guideline, conducting a DPIA would become mandatory when processing involves: sensitive personal data of 10,000 or more individuals; personal data of 20,000 or more individuals where processing is for automated decision-making purposes; or general personal data of 20,000 or more individuals.
The DPO Appointment Guideline (February 2025) already introduced the expectation that DPOs will conduct or oversee DPIAs as part of their responsibilities. The final DPIA Guideline had not been formally issued as of mid-2026. Organizations subject to the DPO requirement are advised to begin developing DPIA procedures in anticipation of the final guideline.
Compliance Requirements for Organizations
Organizations operating in Malaysia should take the following practical steps to ensure PDPA compliance.
Data Mapping and Inventory
Conduct a comprehensive audit of all personal data processing activities. Document what personal data is collected, the purposes of processing, how data flows through the organization, where it is stored, who has access, and when it is deleted.
Privacy Notices
Prepare clear privacy notices in both Bahasa Malaysia and English. These notices must be provided to data subjects before or at the point of data collection and must include all information required by the Notice and Choice Principle.
Consent Management
Implement consent management processes that meet the 2024 Amendment's standard: freely given, specific, informed, and unambiguous. Maintain records of when and how consent was obtained, and ensure mechanisms exist for data subjects to withdraw consent.
Security Measures
Implement technical and organizational security measures that comply with the Personal Data Protection Standard 2015. These include access controls, encryption, regular vulnerability assessments, incident response plans, and employee security training.
Breach Response Plan
Develop and test a data breach response plan capable of meeting the 72-hour notification requirement from the point of discovery. The plan should include escalation procedures, designated response team members, template notifications for both the Commissioner and affected individuals, and regular simulation exercises.
DPO Appointment
Assess whether your organization meets any of the three DPO appointment thresholds: processing personal data of 20,000 or more individuals; processing sensitive personal data of 10,000 or more individuals; or engaging in systematic monitoring on a large scale. If so, appoint a qualified DPO and register them with the Commissioner within 21 days of appointment at daftar.pdp.gov.my.
Cross-Border Transfer Documentation
For any international data transfers, conduct and document Transfer Impact Assessments. Ensure appropriate transfer mechanisms are in place, whether based on adequacy assessment, standard contractual clauses, binding corporate rules, or informed consent.
Sector Registration
If your organization operates in one of the 14 regulated sectors, ensure your registration with the Commissioner is current and that certificates are displayed as required. Renewal must occur before expiry to avoid operating without a valid certificate.
Key Differences Between Malaysia's PDPA and the EU GDPR
While the 2024 amendments brought the PDPA closer to GDPR standards, several important differences remain.
The PDPA applies only to commercial transactions in the private sector. The GDPR applies to all data processing regardless of commercial nature or sector. The Malaysian Federal and State Governments are exempt from the PDPA; EU public bodies must comply with the GDPR.
Malaysia operates a mandatory registration regime for 14 prescribed sectors. The GDPR has no equivalent registration requirement.
The PDPA's 72-hour breach notification timeline, as clarified by the JPDP's February 2025 Guideline, runs from discovery of the breach. The GDPR's 72-hour window also runs from when the controller becomes aware of the breach. Both frameworks are aligned on this point.
The PDPA does not recognize legitimate interests as a lawful basis for processing. Consent remains the primary legal basis under Malaysian law. The GDPR provides six lawful bases including legitimate interests.
Maximum fines under the PDPA reach RM 1 million (approximately USD 210,000 to 225,000), substantially lower than the GDPR's maximum of 20 million euros or 4% of global annual turnover.
The PDPA does not yet have a final automated decision-making rights framework. The GDPR's Article 22 right not to be subject to solely automated decisions has been in force since 2018. Malaysia's equivalent rights are proposed in the JPDP's ADM Guideline consultation but not yet enacted.
Recent Developments (2025 to 2026)
Malaysia's data protection landscape underwent rapid change following the 2024 Amendment Act's phased implementation.
January 2025: Phase 1 of the Amendment took effect, covering ancillary and administrative provisions.
February 2025: JPDP issued the Data Breach Notification Guideline and the DPO Appointment Guideline, providing practical implementation guidance for the June 2025 obligations.
March 2025: JPDP launched public consultations on draft guidelines for Data Protection Impact Assessments, Privacy by Design, and Automated Decision-Making and Profiling. Consultation closed 19 May 2025.
April 2025: Phase 2 took effect. The terminology shift from "data user" to "data controller" became operative. Biometric data became sensitive personal data. The new adequacy-based cross-border transfer framework came into force. Enhanced penalties of up to RM 1,000,000 for principle violations became effective.
April 2025: The Data Sharing Act 2025 (Act 864) entered into force on 28 April 2025, establishing a new public sector data governance regime.
April 2025: JPDP issued the Cross-Border Personal Data Transfer Guideline (Guideline No. 3/2025) on 29 April 2025.
June 2025: Phase 3 took effect. Mandatory DPO appointments became required for qualifying organizations. Mandatory data breach notification became operative. The data portability right became enforceable.
July 2025: JPDP issued the DPO Training and Competency Guideline (21 July 2025), setting professional standards for registered DPOs.
Ongoing in 2026: The JPDP is finalizing the DPIA, Privacy by Design, and Automated Decision-Making guidelines following the 2025 consultations. Enforcement actions applying the enhanced RM 1,000,000 maximum penalty are anticipated as the JPDP continues inspection and audit activities under its expanded powers.
This article presents general legal information about Malaysia's data protection framework as of May 2026. It does not constitute legal advice. Laws and guidelines may change; consult a lawyer licensed in Malaysia for advice on your specific situation.