If you are a licensed housing developer in Malaysia, PDPA compliance should not be an afterthought. This is because property developers routinely collect and process large amounts of purchaser and prospect data throughout the sales and project lifecycle.
This guide explains what licensed property developers should know in practical terms.
Must property developers register under PDPA?
Yes, licensed housing developers fall under the Real Estate prescribed class under the Personal Data Protection framework.
If your company is licensed under the Housing Development (Control and Licensing) Act 1966, you should register as a data controller. Enforcement action has been taken against businesses in prescribed sectors for non-compliance.
If you are unsure, you can refer to our step-by-step guide on data controller registration.
Project-specific SPVs / dormant entities
It is common in the property industry for one company to be used for a single development project. After the project is completed, that entity may become dormant from a business perspective, but PDPA obligations will continue if it still:
- retains purchaser personal data
- continues to have access to such data, or
- uses the data for any purpose
This means the company should still assess whether it is required to maintain registration (if applicable) and continue complying with PDPA requirements.
Do you need a Data Protection Officer (DPO)?
Large developers may process substantial volumes of purchaser, prospect, and owner data. Where processing thresholds or regulatory expectations are triggered, appointment of a Data Protection Officer (DPO) should be assessed.
This is particularly relevant for developers with:
- multiple ongoing projects
- large CRM databases
- active marketing campaigns
- group-wide data sharing structures
If you are unsure whether your organisation requires a DPO or how to appoint one, you can refer to our guide on DPO requirements and responsibilities.
Compliance across the development lifecycle
The easiest way to understand PDPA is through your actual business operations.
Marketing leads and prospect collection
Developers typically collect personal data at the earliest stage of engagement through various marketing and outreach channels. At this point, the data gathered is usually basic but sufficient to identify and follow up with potential buyers.
What PDPA requires:
- inform prospects what data is collected
- explain why the data is collected
- clarify whether it will be used for marketing
- disclose who the data may be shared with
Booking and sales process
Once a purchaser proceeds with a booking, the level of personal data collected becomes significantly more detailed. This stage involves documentation necessary for legal, financial, and administrative purposes, often including sensitive personal and financial information.
What PDPA requires:
- only collect data that is reasonably necessary for the transaction
- avoid requesting excessive or irrelevant documents without a clear purpose
Sharing data with third parties
During the transaction process, purchaser data is often shared with multiple third parties who play a role in completing the sale. This is one of the most critical areas for PDPA compliance, as it involves disclosure beyond the developer’s internal systems.
What PDPA requires:
- inform purchasers their data may be disclosed to relevant third parties for transaction or project-related purposes
Project administration and handover
Even after the sale is completed, developers continue to handle purchaser data for various operational and administrative purposes. This includes managing communications and processes tied to the delivery and maintenance of the property.
What PDPA requires:
- continue to handle personal data in compliance with PDPA even after the sale is completed
Purchaser data retention
Property development involves long timelines, which often leads to extended retention of purchaser data. Developers may need to keep records for warranties, defect liability periods, disputes, strata management matters, or tax and audit requirements. While long-term storage may be justified, it must still be proportionate and defensible.
What PDPA requires:
- retain personal data only as long as reasonably necessary
- consider both legal obligations and operational needs when determining retention periods
Data security
Purchaser files often contain highly sensitive personal and financial information. These records may exist across multiple formats and storage environments, including shared folders, email chains, hardcopy files, sales gallery systems, and cloud storage. Given that many property transactions still involve physical documentation, proper handling of hardcopy files is important.
What PDPA requires:
- implement appropriate security measures to protect personal data from unauthorised access or disclosure
What a Privacy Notice should include
A proper Privacy Notice should clearly explain:
- what personal data you collect
- why you collect it
- who you disclose it to
- marketing communications usage
- retention period / approach
- how individuals may access or correct their data
- contact details for enquiries
This can be integrated into website forms, booking forms, and SPA onboarding packs.
PDPA compliance checklist
If you are a licensed property developer, you should ensure that:
- registration obligations have been assessed
- privacy notices are properly implemented
- purchaser data sharing is disclosed
- marketing databases are lawfully managed
- retention and security controls are in place
- internal responsibility is assigned
PDPA compliance in 90 days with ELP
If your business requires assistance in reviewing data protection practices, preparing privacy notices, or developing PDPA compliance frameworks, our team at ELP can help ensure your organisation’s data handling practices align with the requirements of the PDPA.




