How To Write A PDPA-Compliant Privacy Policy In Malaysia

How To Write A PDPA-Compliant Privacy Policy In Malaysia

Table of Contents

Note:

This guide focuses on the customer-facing privacy policy typically published on a business’s website. If you are looking for the equivalent obligations for your staff, see ELP’s guide to employee data privacy in Malaysia, which covers the separate notice requirements that apply across the employment lifecycle.

Any business in Malaysia that collects personal data from customers, whether through a website form, an app signup, or a physical intake form needs a privacy policy.  

A privacy policy that does not accurately describe your actual data practices does not protect you and can itself become evidence of non-compliance. As a result, copy-pasting a generic template or skipping a policy entirely can leave your business exposed to a fine of up to RM1 million and / or imprisonment of up to 3 years for breaching the Notice and Choice Principle. 

This guide explains what a proper privacy policy should contain under Malaysia’s Personal Data Protection Act 2010 (PDPA) and how it differs from a consent form. 

Why a business needs a privacy policy 

A sole proprietor running an online store has the same basic notice obligation as a large corporation, and both are exposed to the same penalty tier for getting it wrong. 

1. Legal requirement 

If your business collects, stores, or processes personal data in the course of commercial activity, the PDPA’s Notice and Choice Principle requires you to inform data subjects, by written notice, of how their data is used. This applies regardless of your business size.  

2. Business requirement 

Setting the legal obligation aside, a privacy policy, or the broader personal data protection mechanisms and safeguards behind it, is frequently a practical prerequisite for doing business at all: 

  1. App store requirements. If you plan to publish an app on the Google Play Store or Apple App Store, both platforms require a working privacy policy as part of the app listing submission. 
  2. Dealing with foreign customers or suppliers under stricter regimes. If your business has customers, suppliers, or partners based in the EU or other jurisdictions with stronger data protection laws (such as the GDPR), they will often expect, or contractually require, that you have proper personal data protection mechanisms and safeguards in place, including a privacy policy, meeting a certain standard before they will transact with you. See ELP’s comparison of the PDPA and GDPR for how the two regimes line up. 
  3. Vendor registration. When registering as a vendor with larger corporations, applicants are often required to declare or confirm whether they have a privacy policy in place, as part of the due diligence or compliance checks built into the application process. 

Privacy policy vs PDPA consent form 

These two documents are often confused, but they serve different purposes. 

  1. A privacy policy (or privacy notice) is a general, public-facing document that explains how your business collects, uses, stores, and shares personal data across all your operations. It is usually published on your website and applies broadly. 
  2. A PDPA consent form is transaction-specific. It is used to obtain explicit consent for a particular processing activity, such as collecting sensitive personal data (like health information) for a specific purpose. 

Most businesses need both. A privacy policy sets the overall framework, while a consent form is used at the point of a specific data collection activity that requires explicit, informed consent. 

What a PDPA-compliant privacy policy should contain 

Under the PDPA’s Notice and Choice Principle, a data controller must inform data subjects, by written notice, of certain matters.  

Rather than listing these in the abstract, it helps to see how they apply to a real business.  

Below, each requirement is illustrated using Toko ABC, a hypothetical Malaysian online store selling home goods through its own website. Notice how each of these becomes concrete and specific once applied to an actual business 

1. What personal data is collected 

Toko ABC’s policy should state plainly what it collects: full name, delivery address, phone number, email address, and payment information (processed through a third-party payment gateway, not stored directly). If Toko ABC also runs a loyalty programme that tracks purchase history, that should be listed too. 

2. The purpose of collection 

Rather than a vague “to improve our services,” the policy should specify: to fulfil and deliver orders; to send order confirmations; marketing newsletters; or delivery coordination. Each purpose should be distinct and specific. 

3. Whether the data is obligatory or voluntary 

Delivery address and phone number are obligatory to complete a purchase; without them, the order cannot be fulfilled. Signing up for the marketing newsletter is voluntary, and the policy should say so clearly. 

This is also where businesses commonly overreach: a customer’s consent must be freely given under the PDPA’s General Principle, so a business should never bundle marketing consent as a precondition for using the core service, for example, refusing to process an order unless the customer also agrees to receive marketing emails. 

4. Who the data may be disclosed to 

Toko ABC shares delivery details with its courier partner to complete delivery, and payment details are processed by its payment gateway provider. If Toko ABC uses a CRM or email marketing platform that is hosted overseas, this should be disclosed as well, since it also triggers the cross-border transfer point below. 

5. Data subject rights 

The policy should state that customers can request access to, or correction of, their personal data, and can withdraw consent to receive marketing communications at any time, including a simple mechanism, such as the data controller’s contact details, to do so (see point 6 below). 

6. Contact information 

A named point of contact or email address (e.g. [email protected]) where customers can direct data protection queries or complaints. Where Toko ABC has appointed a Data Protection Officer, this should be the DPO’s contact details. See ELP’s FAQs on DPO appointments in Malaysia if you are unsure whether your business needs one. 

7. The source of the data 

Where Toko ABC collects personal data indirectly rather than directly from the customer, for example, if a customer’s details were passed on by a referral partner, an affiliate marketer, or a corporate gifting client ordering on someone else’s behalf, the policy should disclose this. For data collected directly from the customer at checkout, this can simply be stated as such. 

8. Cross-border data transfers 

The Cross Border Personal Data Transfer Guidelines require that where a business relies on the data subject’s consent as its basis for transferring data overseas, the class of third parties and the purpose of the transfer should be disclosed in the personal data protection notice beforehand. In practice, this makes disclosure effectively necessary for most businesses relying on consent as their transfer mechanism, and it is good practice to disclose it regardless of which legal basis is used.  for most businesses relying on consent as their transfer mechanism, and it is good practice to disclose it regardless of which legal basis is used.  

If Toko ABC’s e-commerce platform is hosted on a server outside Malaysia, or its CRM or marketing platform stores data overseas, this should be disclosed, along with a brief note on the safeguards in place.  

9. Data retention and Security  

The policy should state how long personal data will be retained and when it will be disposed of. For Toko ABC, transaction records may be retained for a period consistent with tax record-keeping obligations, and securely deleted or anonymised once that period lapses.  

The policy should also disclose what practical measures are taken to secure the data, such as encrypted storage, restricted access, or secure disposal methods, since this reassures customers and demonstrates accountability. 

Is an English privacy policy enough? 

No. The PDPA requires that the privacy notice be issued in both Bahasa Malaysia and English. Many Malaysian businesses, particularly those that started with an English-only website, overlook this requirement entirely. If your privacy policy is only in English, it is technically incomplete, regardless of how thorough the English version is. 

Common mistakes

  1. Copy-pasting a foreign template. A GDPR-style privacy policy copied from a website often references rights and obligations that do not exist under Malaysian law (like the EU’s “right to be forgotten”) and may omit PDPA-specific requirements like a Bahasa Malaysia version. 
  2. Describing data practices that do not match reality. For example, if Toko ABC’s privacy policy states that customer data is “used only for order fulfilment,” but the business also runs retargeting ads on Facebook using customer email addresses uploaded as a custom audience, the actual practice does not match what the policy discloses.  
  3. Never updating it. As your business adopts new tools (a new CRM, a new payment gateway, a new marketing platform), your privacy policy should be updated to reflect new categories of data sharing. 
  4. Treating it as a legal formality rather than a working document. A privacy policy should be something your team actually refers to when deciding how to handle personal data, not just a page nobody reads after publishing. 

A basic PDPA compliance checklist 

Beyond the privacy policy itself, a business handling personal data in Malaysia should generally have: 

  • a privacy policy published in English and Bahasa Malaysia, 
  • a process for handling data subject access and correction requests, 
  • data breach response policy
  • data processing agreements with third-party vendors who process personal data on your behalf, and 
  • in some cases, a registered Data Protection Officer

For a full picture, ELP’s PDPA compliance framework guide covers this in more depth. 

Let ELP draft your privacy policy

We draft PDPA-compliant privacy policies and consent forms tailored to what your business actually does with personal data, rather than generic templates. We also review existing privacy policies to identify gaps against current PDPA requirements, and against practical needs such as app store submissions or cross-border commercial requirements. If your privacy policy needs a review, or you do not have one yet, book a consultation with us. 

shen-ming-casual

Wong Shen Ming

Shen Ming is a corporate and commercial lawyer who is deeply committed to supporting her clients in achieving their business goals. Specialising in commercial and employment law, she demonstrates her expertise by crafting and reviewing various types of commercial agreements.

View her full profile here.

Let us know how we can support your business

Drop us a message and let us better understand your needs. Get your first consultation within 24-hours.
Share this article:
Post might interest you:
ABOUT THE AUTHOR

Wong Shen Ming

Want more content like this?

Drop us your email and be the first to know when we have more informative contents on the latest legal updates, just like this one.

A boutique corporate & commercial law firm in Kuala Lumpur.

FREE Legal Updates

Sign up for our newsletter to get the latest updates, happenings and goodies!
We don't spam, promise.
Global Chamber of Business Leaders logo - Light

 © Copyright 2025, Edwin Lee & Partners (Reg No.: 000020008633)

Edwin Lee & Partners is a Malaysian law firm registered with the Malaysian Bar and is regulated under the Legal Profession Act 1976. 
Click here to see our certificate of registration

Responsibilities of Executor:

  • Apply for and extract the grant of probate.
  • Make arrangements for the funeral of the deceased.
  • Collect and make an accurate inventory of the deceased’s assets.
  • Settling the debts and obligations of the deceased.
  • Distributing the assets.

Note for Digital Executor:
If you wish to leave your digital assets to certain people in your Will, there are important steps that need to be taken to ensure that your wishes can be carried out:

  • Keep a note of specific instructions on how to access your username and password of your digital asset.
  • You are advised to store these private and confidential information in a USB stick, password management tool or write them down.
  • Please inform your executor or a trusted person of the whereabouts of the tools so that they will have access to your digital asset.