A PDPA 2010 Summary For Malaysian SMEs

This article provides a brief overview of the PDPA framework in Malaysia for businesses, including the key principles that guide how organisations should collect, use and safeguard personal data.

Personal data under PDPA 

Under the PDPA, personal data generally refers to any information that can directly identify a person, as well as information that can identify a person when combined with other data. 

In a business context, personal data may include information such as: 

  • names 
  • identification numbers (such as NRIC or passport numbers) 
  • phone numbers or email addresses 
  • residential addresses 
  • employment records 
  • financial or transaction details. 

Personal data can exist in many forms, whether stored electronically in databases and systems, or contained in physical documents such as application forms, contracts, or personnel files.  

Data controllers 

Under the PDPA, the primary obligations fall on organisations that control or determine how personal data is processed. Such organisations are commonly referred to as data controllers.  

In practice, most businesses that collect or process personal data during commercial activities will fall within this category, and those that meet certain thresholds are required to appoint a Data Protection Officer (DPO). 

Key principles 

The PDPA establishes seven core principles that govern how organisations should handle personal data in the course of commercial activities: 

  1. General Principle: Personal data should generally not be processed without the consent of the individual, unless permitted under the PDPA. 
  2. Notice and Choice Principle: Organisations must inform individuals about how their personal data will be collected, used and disclosed. 
  3. Disclosure Principle: Personal data should not be disclosed to third parties for purposes other than those originally communicated to the individual, unless further consent is obtained or the disclosure is permitted by law. 
  4. Security Principle: Organisations must take practical steps to protect personal data from loss, misuse, unauthorised access, or disclosure. This may include implementing appropriate technical, administrative and physical safeguards. 
  5. Retention Principle: Personal data should not be kept longer than necessary for the purpose for which it was collected. Once the data is no longer required, organisations should take reasonable steps to delete or dispose of it securely. 
  6. Data Integrity Principle: Organisations should take reasonable steps to ensure that personal data is accurate, complete, and kept up to date. 
  7. Access Principle: Individuals have the right to request access to their personal data and request corrections if the information is inaccurate or incomplete. 

These principles form the foundation of PDPA compliance and guide how organisations should manage personal data throughout its lifecycle. 

Individual rights 

In addition to imposing obligations on organisations, the PDPA also grants certain rights to individuals whose personal data is being processed: 

  1. Right of Access: Individuals can request access to the personal data held by an organisation, subject to certain conditions under the PDPA. 
  2. Right to Correction: Individuals can request corrections if their personal data is inaccurate, incomplete, misleading, or not up to date. 
  3. Right to Withdraw Consent: In certain circumstances, individuals may withdraw their consent for the processing of their personal data. 
  4. Right to Data Portability: Individuals can request that their personal data be transferred to another data controller.  
  5. Right to Prevent Processing: Individuals may request that their personal data no longer be used for direct marketing purposes, or that processing cease where it is likely to cause damage or distress. 

In practice, organisations should have clear internal procedures for receiving and responding to such requests. Having proper processes in place helps organisations manage these requests effectively while ensuring compliance with the PDPA. 

Consequences of non-compliance 

Failure to comply with the requirements of the PDPA may expose organisations to enforcement actions under the Act, which may include financial penalties or other sanctions prescribed by law, in addition to operational and reputational risks for businesses.  

Further reading 

This summary consolidates our various dedicated guides; for a deeper understanding of a particular PDPA topic, readers may want to see: 

PDPA compliance in 90 days with ELP 

If your business requires assistance in reviewing data protection practices, preparing privacy notices, or developing PDPA compliance frameworks, our team at ELP can help ensure your organisation’s data handling practices align with the requirements of the PDPA.

Wong Shen Ming

Shen Ming is a corporate and commercial lawyer who is deeply committed to supporting her clients in achieving their business goals. Specialising in commercial and employment law, she demonstrates her expertise by crafting and reviewing various types of commercial agreements.

 © Copyright 2025, Edwin Lee & Partners (Reg No.: 000020008633)

Edwin Lee & Partners is a Malaysian law firm registered with the Malaysian Bar and is regulated under the Legal Profession Act 1976. 