A Guide To PDPA 2010 Compliance For Recruitment Agencies

Many recruitment agencies in Malaysia only start thinking about PDPA compliance when a client asks: “Do you have a proper personal data policy?” 

This is increasingly common, especially when dealing with larger companies or multinational clients. Before engaging a recruitment agency, they want assurance that candidate data is handled properly. 

If you are running a recruitment agency in Malaysia, this is a legal requirement under the Personal Data Protection Act 2010 (PDPA), and our guide walks you through what you need to do to achieve compliance. 

Must recruitment agencies register under PDPA? 

Yes. Recruitment agencies fall under the “Services” category (private employment agencies), which is one of the prescribed classes of data users under the PDPA. 

If your agency is licensed and operating as a private employment agency under the Private Employment Agencies Act 1981, you are required to register as a data controller. 

Failure to register as a data controller is not merely a theoretical risk; enforcement action has been taken in practice. For example, recruitment agencies were compounded in 2017 and 2018 for non-compliance with the registration requirements under section 16(4) of the PDPA, with a penalty of RM10,000. 

If you are unsure, you can refer to our step-by-step guide on data controller registration. 

Do you need a Data Protection Officer (DPO)? 

Under current PDPA developments, a DPO appointment is required if your organisation processes a large volume of personal data, which includes processing the personal data of more than 20,000 individuals. 

For recruitment agencies, this threshold can be reached quite quickly, especially if you: 

  • actively collect CVs  
  • maintain a large candidate database  
  • retain historical candidate records over time  

If your agency has been operating for a few years and storing candidate profiles, there is a real possibility that you may already meet the threshold. If you are unsure whether your organisation requires a DPO or how to appoint one, you can refer to our guide on DPO requirements and responsibilities. 

PDPA in daily operations

The easiest way to understand PDPA is not through theory, but through your day-to-day workflow. Let’s break it down. 

Collecting candidate information

Typical personal data collected: 

  • CV / resume  
  • Name, IC/passport  
  • Contact details  
  • Salary information  
  • Employment history  

What the PDPA requires 

Candidates must be informed: 

  • what data you are collecting  
  • why you are collecting it  
  • how it will be used  

This is usually done through a privacy notice/privacy policy. 

Using candidate data 

After collecting the personal data, your team will: 

  • review CVs  
  • shortlist candidates  
  • match them to job openings  

What the PDPA requires 

You can only use personal data for the purpose for which it was collected. For example, if a candidate applied for Job A, you should not automatically use their data for unrelated roles without proper notice or consent. 

Sharing candidate data with clients  

This is the most sensitive part of the workflow. In practice: 

  • You send candidate CVs to hiring companies  
  • Sometimes to multiple clients  

What the PDPA requires 

You must ensure that: 

  • candidates are informed that their data will be shared  
  • candidates have agreed to such disclosure  

You cannot simply forward CVs without this. 

Retaining candidate data 

Most agencies keep candidate data for future opportunities. 

What the PDPA requires 

You cannot keep personal data forever. Data should only be retained: 

  • for as long as necessary  
  • based on a reasonable business purpose  

Storing and protecting data 

Candidate data is often stored in: 

  • email inboxes  
  • Google Drive / shared folders  
  • CRM systems  
  • even WhatsApp chats  

What the PDPA requires 

You must take practical steps to protect personal data, such as: 

  • limiting access to authorised staff  
  • avoiding unnecessary sharing internally  
  • securing storage systems 

Why clients now ask for a Privacy Notice 

Many companies now require recruitment agencies to confirm PDPA compliance or provide a privacy notice / privacy policy. This is because once you share candidate data with them, they are also exposed to PDPA risk.

The PDPA framework in Malaysia was recently strengthened through amendments in 2024, with further guidelines expected to be issued between 2025 and 2026. This has increased awareness and regulatory expectations around how personal data should be handled. 

As a result, companies are becoming more cautious and are placing greater emphasis on ensuring that their vendors, including recruitment agencies, have proper data protection practices in place. 

What should your Privacy Notice cover? 

A proper privacy notice should clearly explain: 

  • What personal data you collect  
  • Why you collect it (job matching, placement)  
  • Who you disclose it to (potential employers)  
  • How long you retain it  
  • How candidates can access or correct their data  
  • Your contact details  

Demonstrating PDPA compliance 

In today’s environment, companies are not just asking whether you comply; they want to see how you comply. Practical ways to demonstrate this include: 

Displaying your Certificate of Registration 

You may display your PDPA registration certificate at your business premises or refer to it on your website. This signals that your agency is properly registered and compliant.  

Having a clear and accessible privacy notice 

Ensure your privacy notice is easy to understand and readily available (e.g. on your website or shared with candidates during onboarding).  

Including data protection clauses in your service agreements 

You can include clauses in your agreements with clients to clarify:  

  • how candidate data is handled  
  • your compliance with PDPA  
  • responsibilities of each party  

Implementing internal SOPs 

Having a structured internal process for handling candidate data shows professionalism and reduces the risk of errors. 

A quick PDPA compliance checklist 

If you are running a recruitment agency, you should ensure that: 

  • You are properly registered under PDPA  
  • You have a clear and compliant privacy notice  
  • Candidates are informed before their data is shared  
  • Your team follows a consistent data handling process  
  • You do not retain personal data longer than necessary  

Achieve PDPA compliance in 90 days with ELP  

If your business requires assistance in reviewing data protection practices, preparing privacy notices, or developing PDPA compliance frameworks, our team at ELP can help ensure your organisation’s data handling practices align with the requirements of the PDPA.  

Wong Shen Ming

Shen Ming is a corporate and commercial lawyer who is deeply committed to supporting her clients in achieving their business goals. Specialising in commercial and employment law, she demonstrates her expertise by crafting and reviewing various types of commercial agreements.

 © Copyright 2025, Edwin Lee & Partners (Reg No.: 000020008633)