A Business Guide To Employee Data Privacy In Malaysia

A Business Guide To Employee Data Privacy In Malaysia

Table of Contents

Employers in Malaysia collect a substantial amount of personal data about their employees, and yet many incorrectly assume this data sits outside the scope of the Personal Data Protection Act 2010 (PDPA).  

In reality, the PDPA applies to employee personal data in the same way it applies to customer data. This guide walks through what that means at each stage of the employment lifecycle, from recruitment to after an employee has left. 

Data protection across the employment lifecycle 

Employers’ PDPA obligations towards employee personal data shifts depending on the stage of the employment relationship, and the table below sets out what is typically collected at each stage and the corresponding obligation. 

Stage Typical data collected Key obligation 
Recruitment Resumes, identity documents, references, background checks. Collect only what is necessary to assess the application. Provide a PDPA notice at the point of collection, ideally at the interview stage.  
Onboarding Bank details, EPF and SOCSO numbers, emergency contacts, next-of-kin Issue the full employee privacy notice, typically alongside the Letter of Offer or employment handbook  
During employment Payroll, performance reviews, disciplinary records, medical certificates, leave records, monitoring data Keep data accurate and secure, provide employees a means to access and correct their own records 
Termination Exit interview records, final settlement details, reference letters Retain only for the period justified by statutory requirements or legal risk, then destroy  

Some of the data collected at each stage, such as medical records or (in specific job contexts) religious or health-related information, is classified as sensitive personal data under the PDPA and requires explicit consent rather than ordinary consent. 

Data responsibilities start at recruitment

Processing of employee personal data begins the moment a job application is received, not on the first day of work. Two issues come up often at this stage: 

  1. Collecting more than necessary. Asking for information like marital status when it has no bearing on the role is generally excessive and should be avoided unless the job itself has a specific, justifiable reason for it. 
  2. Using a recruitment agency. Where a company engages a recruitment agency, the agency is usually the first point of collection for candidate data. The engaging company should confirm the agency has its own proper PDPA procedures in place, since a data breach or non-compliance at the agency level can still expose the company that ultimately hires the candidate. 

    Unsuccessful applicants’ data should not be kept indefinitely. Common practice is to retain rejected applications for a defined period, commonly around 6 to 12 months, in case a suitable role opens up or for record-keeping in the event of a dispute. 

    Is consent to data collection voluntary? 

    This is one of the more overlooked issues in employment PDPA compliance. Consent under the PDPA must be freely given, but in an employment relationship, there is an inherent power imbalance as an employee who is asked to ‘consent’ to data processing as a condition of employment may not be in a genuine position to refuse. 

    In practice, most employers rely on a combination of consent (documented clearly in the employment contract or a standalone data privacy notice) and legitimate processing grounds that do not strictly require consent, such as processing necessary for performing the employment contract, complying with statutory obligations (EPF, SOCSO, tax reporting), or the employer’s legitimate business interests. 

    What matters legally is that employees are clearly informed through a privacy notice about:

    • what data is collected 
    • why 
    • how long it is kept, and  
    • who it may be shared with 

    A practical implementation point: the privacy notice does not need to be a standalone document, it can work well when attached alongside other onboarding materials the employee is already required to review and sign, such as the Letter of Offer, the employee handbook, or a company policy acknowledgement form. 

    Workplace monitoring and privacy 

    Tools that monitor employee activity like email monitoring, CCTV, access card records, and biometric systems such as fingerprint or facial recognition scanners are not prohibited under Malaysian law, but do involve processing personal data, and biometric data in particular is treated as a more sensitive category requiring careful handling: 

    • employees should be informed that monitoring takes place, ideally through a clear workplace monitoring policy, 
    • monitoring should be proportionate to a legitimate business purpose (security, productivity, compliance), 
    • biometric data used for access control should be stored securely and not repurposed for an unrelated purpose without informing employees, and 
    • data collected through monitoring should not be used for purposes beyond what employees were informed of. 

    Sharing with third parties 

    Employers routinely share employee personal data with third parties such as payroll processors, IT vendors, and insurance providers. Each of these involves a transfer of personal data that should be accounted for in the employer’s privacy notice.  

    This becomes especially relevant where the employer uses an overseas HR system or IT vendor, as this may breach the PDPA’s guidelines on cross-border data transfers

    Sharing with related companies 

    A less obvious scenario involves sharing data across related companies within one group. This is still a disclosure of personal data to a separate legal entity, even if both companies share common ownership or management. 

    For example, a candidate applies to Company A, but Company A believes the candidate may be a better fit for a vacancy at Company B within the same group and wants to refer the application across. 

    The safest approach is to address this upfront: the privacy notice given at the point of application should disclose that data may be shared with related group entities for the purpose of considering the candidate for other suitable roles, giving the candidate the opportunity to object.  

    Where this was not disclosed at the outset, fresh consent should be obtained before the referral is made. 

    Employee images or likeness in marketing 

    It has become increasingly common for companies to feature employees, their photos, video, or likeness, in marketing materials, social media content, or company websites. This use of an employee’s image is a separate processing purpose from employment itself, and consent to be employed does not automatically extend to consent to be used in marketing. 

    Employers should obtain a specific consent from the employee before using their image or likeness for marketing purposes, best handled through a standalone consent form rather than a clause buried in the employment contract, since the employee should be able to decline this specific use without it affecting their employment. 

    Employee data after termination 

    The PDPA’s retention principle requires that personal data not be kept longer than necessary for the purpose it was collected.  

    For employee data, this means employers should have a clear view of how long different categories of employee records need to be retained after termination, factoring in statutory retention requirements (such as EPF and tax record-keeping obligations, and the Employment Act’s requirement to keep certain employee registers for a minimum period) as well as the risk of retaining data unnecessarily. 

    What employers should put in place

    These policies typically sit within a broader corporate governance framework:

    1. An employee privacy notice. Covering both employees and job applicants, explaining what data is collected, why, how long it is kept, and who it is shared with, including any related group entities. 
    2. PDPA clauses in the employment contract. Addressing consent and data use. 
    3. A workplace monitoring policy. Covering any CCTV, access control, biometric, or digital monitoring in place. 
    4. A data retention schedule. Covering employees, unsuccessful job applicants, and former employees. 
    5. Data processing agreements with HR vendors. Payroll providers, recruitment agencies, background check agencies, and any other third party processing employee data on the employer’s behalf. 
    6. A separate marketing consent form. Where employee images or testimonials are used in company marketing. 

    ELP’s Employment Contract service and PDPA compliance framework work together to cover both angles. 

    Let ELP support your data obligations

    We advise Malaysian employers on PDPA obligations across the employment lifecycle: drafting employee privacy notices, reviewing employment documents for PDPA compliance, advising on workplace monitoring policies, and setting up data retention schedules for employee and applicant records. If you want your practices reviewed for PDPA compliance, book a consultation with us. 

    shen-ming-casual

    Wong Shen Ming

    Shen Ming is a corporate and commercial lawyer who is deeply committed to supporting her clients in achieving their business goals. Specialising in commercial and employment law, she demonstrates her expertise by crafting and reviewing various types of commercial agreements.

    View her full profile here.

    Let us know how we can support your business

    Drop us a message and let us better understand your needs. Get your first consultation within 24-hours.
    Share this article:
    Post might interest you:
    ABOUT THE AUTHOR

    Wong Shen Ming

    Trademark : How To Protect Your Brand Online.

    Trademark : How To Protect Your Brand Online.

    Trademarks are generally protected under trademark legislation (for a registered trademark) and common law tort of passing off (for unregistered trademark). Brand owners are always encouraged to have their trademarks

    Want more content like this?

    Drop us your email and be the first to know when we have more informative contents on the latest legal updates, just like this one.

    A boutique corporate & commercial law firm in Kuala Lumpur.

    FREE Legal Updates

    Sign up for our newsletter to get the latest updates, happenings and goodies!
    We don't spam, promise.
    Global Chamber of Business Leaders logo - Light

     © Copyright 2025, Edwin Lee & Partners (Reg No.: 000020008633)

    Edwin Lee & Partners is a Malaysian law firm registered with the Malaysian Bar and is regulated under the Legal Profession Act 1976. 
    Click here to see our certificate of registration

    Responsibilities of Executor:

    • Apply for and extract the grant of probate.
    • Make arrangements for the funeral of the deceased.
    • Collect and make an accurate inventory of the deceased’s assets.
    • Settling the debts and obligations of the deceased.
    • Distributing the assets.

    Note for Digital Executor:
    If you wish to leave your digital assets to certain people in your Will, there are important steps that need to be taken to ensure that your wishes can be carried out:

    • Keep a note of specific instructions on how to access your username and password of your digital asset.
    • You are advised to store these private and confidential information in a USB stick, password management tool or write them down.
    • Please inform your executor or a trusted person of the whereabouts of the tools so that they will have access to your digital asset.