This FAQ brings together the most common questions we have heard directly from SME founders, entrepreneurs, and business owners navigating Malaysia’s data protection landscape.
Whether you are new to PDPA or reviewing how your business handles personal data, this guide breaks down the essentials in a clear and practical format.
What is the PDPA?
The Personal Data Protection Act 2010 (PDPA) is Malaysia’s law that governs how businesses collect, use, process, store, and share personal data in commercial transaction.
The PDPA was amended via the Personal Data Protection (Amendment) Act 2024 which introduced key changes to enforcement, increased penalties, data protection officer, data breach notification, and cross-border transfer requirements.
For more information, read our breakdown of the PDPA amendments.
Who does it apply to?
The PDPA applies to:
- any person or commercial organisations established in Malaysia, and
- foreign organisations using equipment in Malaysia to process personal data
It doesn’t apply to:
- federal or state governments, or
- personal data processed for personal, family, or household purposes
What are the seven PDPA principles?
These seven principles set the standard for how personal data should be handled responsibly:
- General – Only collect personal data when necessary and with consent.
- Notice and Choice – Inform people what personal data you collect and why.
- Disclosure – Don’t share personal data without consent.
- Security – Protect personal data from loss, misuse, or unauthorised access.
- Retention – Don’t keep personal data longer than needed.
- Data Integrity – Make sure the personal data you hold is accurate, complete, and up to date.
- Access – Give individuals the right to access and correct their personal data.
For an in-depth look at applying these principles, see our framework on PDPA compliance.
What is considered “personal data”?
Any information that identifies or can identify an individual, directly or indirectly, including:
- names
- IC numbers
- phone numbers
- email addresses, and
- physical addresses
What is considered “sensitive personal data”?
Sensitive personal data is a special category of personal data that includes:
- physical or mental health records
- religious beliefs
- political opinions
- criminal records, and
- biometric data
This type of data requires extra care because of its sensitive nature.
Do I need consent before collecting personal data?
Yes.
Consent is one of the key legal requirements under the PDPA and sensitive personal data requires explicit consent (for example: a clearly expressed and documented).
What are examples of valid consent?
Since there are many possible ways to get consent, just make sure that the method you use is:
- Voluntary – freely given, not forced or obtained through pressure.
- Informed – the individual knows what data is being collected, why, and how it will be used.
- Recorded – you must keep a record of how consent was obtained (e.g. date, method).
Here are some common examples of valid consent that meet the above requirements:
- signed form
- manually ticked checkbox
- an email or message where the individual agrees
- behavioural consent – e.g. the individual voluntarily provides their personal data in response to a clear request
What must a privacy notice include?
Your privacy notice is how you show transparency and should clearly explain:
- what personal data you collect
- why you collect it (purpose)
- where the personal data comes from
- who it may be shared with
- whether it’s mandatory or voluntary
- how people can access or correct their personal data
- what choices they have (e.g. opt-outs)
The privacy notice should be provided in both Bahasa Malaysia and English to ensure compliance with the PDPA.
As a reference, the PDP Department has provided a sample privacy notice template.
Where should a privacy notice be displayed?
Your privacy notice should be clearly displayed at the point where personal data is collected.
For example: your website, registration forms, premises, and any customer touchpoints that involve collecting personal data.
What rights do data subjects have?
Under the PDPA, data subjects (individuals) have the right to:
- Access: Request a copy of their personal data held by you.
- Correct: Ask for their personal data to be corrected if it’s inaccurate or outdated.
- Withdraw Consent: Revoke consent previously given, at any time.
- Object to Processing: Say no to personal data being used for direct marketing or likely to cause damage or distress.
- Data portability: Request their personal data to be transferred to another data controller.
How long can I keep personal data?
Under the Retention Principle, personal data should only be kept for as long as necessary to fulfil the original purpose for which it was collected.
Once it’s no longer needed, you should delete or anonymise it securely.
To manage this effectively, your organisation can establish a personal data retention policy.
How can I let individuals access / correct their data?
Under the Access Principle, individuals (data subjects) have the right to access and correct their personal data. To meet this obligation, your organisation should:
- provide a simple way for individuals to request access to their data, such as an online form
- establish a process for verifying identity before releasing personal data
- enable individuals to submit personal data correction requests
- ensure requests are handled promptly, typically within 21 days, as required under the PDPA
Can I share personal data with third parties?
Yes, but make sure you have:
- obtained written consent from the individual (unless exempted)
- ensured third parties follow data protection standards
- used a contract or service agreement that includes relevant PDPA-compliant clauses (e.g. data handling, confidentiality, security measures)
Can I transfer personal data overseas?
Cross-border transfers are allowed under the PDPA, provided:
- the receiving country has similar data protection laws as the PDPA, or
- the individual has given consent, or
- the transfer is necessary for contractual or legal purposes
What’s expected under the Security Principle?
Organisations must take practical and reasonable steps to protect personal data from:
- loss or destruction
- misuse or unauthorised access
- modification or destruction
Common steps may include:
| Technical Measures | Strong passwords Two-factor authentication (2FA) Data encryption (in transit and at rest) Secure cloud infrastructure with firewalls |
| Organisational Measures | Role-based access control regular audits and access reviews |
| Physical Measures | Restricted physical access to servers or sensitive files Secure disposal of physical records |
How do I ensure data integrity?
To comply with the Data Integrity Principle as defined by the PDPA, organisations must ensure that personal data is:
- Accurate – Regularly verify that the personal data is correct (e.g. contact info, payment details).
- Complete – Avoid using incomplete records that may misrepresent someone.
- Not misleading – Personal data should not be ambiguous, deceiving or an oversight.
- Up to Date – Update personal data when notified of changes (e.g. change of address or employment status).
Is there a breach notification requirement under the PDPA?
Yes. The organisation should notify the incident where the breach causes or is likely to cause significant harm. You should:
- have an internal incident response plan
- assess and document breaches immediately
- use the prescribed DBN form to notify
Check out our step-by-step guide to handling data breach notifications in Malaysia.
Do I need to appoint a Data Protection Officer?
Yes, but only if your organisation:
- processes personal data of more than 20,000 individuals
- processes sensitive personal data of more than 10,000 individuals, or
- conducts regular and systematic monitoring of personal data (e.g., CCTV)
If your organisation does not fall under these classes, appointing a DPO is not compulsory.
What is a Data Protection Officer?
A Data Protection Officer (DPO) is a company employee responsible for ensuring an organisation’s full compliance with the Personal Data Protection Act (PDPA). As of 2025, appointing one is a legal requirement for many businesses in Malaysia.
To learn more, read our guides:
What internal policies should I have?
To embed PDPA compliance in your organisation, consider these:
- a clear Privacy Notice
- a Data Protection Manual (roles, SOPs, escalation steps)
- a Breach Response Plan
- internal training and awareness programmes
- documented processes for access/correction requests
Start small and scale based on your size and risk exposure.
What are penalties for not complying with the PDPA?
Under the PDPA, penalties vary by offence but can be as high as:
- a fine of up to RM1,000,000, or
- imprisonment for up to 3 years, or
- both
Conclusion
We are here to make PDPA compliance practical, not painful. Whether it’s crafting your privacy notice, running internal audits, or training your team, contact us to get started.
For further reading, we recommend checking out the official FAQ by the Personal Data Protection Department.
