Malaysia – Personal Data Protection Act 2010 - (Archive)

The Malaysian Personal Data Protection Act 2010 (“PDPA”), which was gazetted on 10 June 2010, recently came into force on 15 November 2013.

All Data Users have a three (3) month period (i.e. until 14 February 2014) to comply with all the provisions of the PDPA.

What is PDPA?
This is an act to regulate the processing of personal data in commercial transactions and to provide for matters connected therewith and incidental thereto. It also covers those who control and authorise the processing of data for commercial transactions. The PDPA applies to all types of data users that process personal data in a commercial transaction.

The PDPA was introduced with the purpose of safeguarding the security and privacy of personal data and the integrity of data protection in Malaysia. The PDPA comes within the purview of the Malaysian Communications and Multimedia Commission (MCMC).

What is Personal Data?
Any information which relates directly or indirectly to a person who is identified or identifiable from that information, including but not limited to name, identification number, passport number, email address, any address, phone numbers, credit card details, any form of image, an expression of opinion about an individual, etc.

It also includes sensitive personal data, e.g. the physical and mental health of an individual, religious and/or political beliefs, and the commission or alleged commission by him of any offence. Company data also falls within the definition of personal data if it contains data on individual directors or shareholders.

Who is required to register?
Every Data User who has control over the processing of personal data in respect of commercial transactions is required to register with the Malaysian Personal Data Protection Department. “Data User” means a person who processes or authorises the processing of personal data, and covers individuals, companies and other corporate and unincorporated entities.

Currently, under the Personal Data Protection (Class of Data Users) Order 2013 (“the Order”), the following specific classes of Data Users are subject to the registration requirement:

  • Communications
  • Banking and financial institution
  • Insurance
  • Utilities
  • Healthcare
  • Hospitality and Tourism
  • Transportation
  • Education
  • Direct selling / retail / wholesale / marketing
  • Real estate / Property development
  • Services (e.g. legal, audit, accountancy, business consulting, engineering, employment agencies, architecture)

Where an industry is not listed in the Order, it is not compulsory for Data Users in that industry to register with the Personal Data Protection Department. Nevertheless, the PDPA makes it clear that the absence of a registration requirement does not exempt Data Users from complying with the other provisions of the PDPA.

Failure to comply with the PDPA requirements may result in a fine of up to RM 500,000 or imprisonment not exceeding three (3) years, or both.

Please contact us at for enquiries pertaining to the above.