What is PDPA Malaysia? (The Only Guide You Need)
Navigating data privacy regulations around the world can be challenging. Still, it is essential to businesses if they want to mitigate legal and financial risks.
In this guide, we’ll answer “what is PDPA Malaysia,” why it is important, what responsibilities you have as a business, and more.
By the end, you’ll be much better prepared to ensure compliance with PDPA Malaysia and uphold the trust of your Malaysian customers.
- The Personal Data Protection Act (PDPA) is a data protection law in Malaysia established in 2010 and made official in 2013 to regulate the handling of personal data by Malaysian companies for commercial transactions.
- The PDPA applies to any person (data user) who processes, has control over, or authorizes the processing of personal data, whether the processing takes place within Malaysia or outside Malaysia where it involves the personal data of Malaysian citizens.
- The PDPA is enforced by the Personal Data Protection Commissioner (PDPC), which also sets fines for companies violating this law.
What is PDPA Malaysia?
The Personal Data Protection Act (PDPA) Malaysia regulates the processing of the personal data of Malaysian residents in commercial transactions.
The law was introduced in 2010 and officially became effective on 15th November 2013. Since then, PDPA Malaysia has seen several amendments and updates to stay relevant and effective in the constantly evolving digital landscape.
The main purpose of PDPA Malaysia is to help Malaysian residents better safeguard their personal data from misuse by businesses processing their information.
The law applies to anyone who processes, has control over, or authorizes the processing of personal data for commercial transactions, whether that data belongs to Malaysians (including where the processing takes place outside of Malaysia) or to non-Malaysians (if their data is processed within Malaysia).
Three major provisions of PDPA Malaysia are the requirement of consent before data processing, the accountability of businesses for ensuring the integrity and security of the data they handle, and the limitation on personal data disclosure.
PDPA Malaysia is enforced by the Personal Data Protection Commissioner’s office. The PDPC is responsible for ensuring compliance with PDPA, offering guidance to organizations, and handling PDPA violations.
Who Does PDPA Malaysia Apply to?
PDPA Malaysia applies to any business that is located in Malaysia or uses equipment in Malaysia to process personal data and that either:
- Processes personal data
- Has control over data processing or
- Authorizes the processing of personal data concerning commercial transactions.
It’s important to note that PDPA Malaysia has an “extra-territorial effect” and can, therefore, apply to companies outside of Malaysia in some cases. This includes organizations not established in Malaysia but that are using equipment in Malaysia to process data and those that use data processors in Malaysia.
The Act does not apply to the Malaysian Federal Government, the State Governments, or any personal data processed outside of Malaysia unless it is intended for further processing in the country.
According to Section 2(4), a data user is established in Malaysia if:
- They have a physical presence in Malaysia for no less than 188 days in a single calendar year;
- They are incorporated under the Companies Act (Act 125);
- They have a partnership or other unincorporated association formed under a written law in Malaysia;
- Or, they maintain an office, branch, or agency in Malaysia or a regular practice via which they carry out their activities.
Fundamentals for Compliance Under PDPA Malaysia
Like other data privacy laws such as the Singapore PDPA, the Personal Data Protection Act of Malaysia is based on several principles and grants individuals certain rights.
We’ll cover both next:
Malaysia PDPA Principles
PDPA Malaysia is based on seven data protection principles that a data user is obligated to follow:
1. General Principle
A data user cannot process personal data unless the data subject consents to processing.
However, this does not apply if the processing is necessary to:
- Comply with the data user’s legal obligations
- Perform a contract
- Take steps requested by the data subject for entering into a contract
- Protect the vital interests of the data subject
- Administer justice
- Exercise any function conferred by other laws
2. Notice and Choice Principle
The data user is required to inform the data subject in writing of the following:
- That their data is being processed and also provide a detailed description of that personal data
- The purpose(s) of processing
- The source of that personal data
- The data subject’s right to request access to and correction of the personal data, including the data user’s contact information for inquiries and complaints
- Any third parties to whom the data user discloses or may disclose the data
- The choices and means the data subject has at their disposal to limit the processing of their personal data
- Whether or not the data subject is obligated to supply the data
- The consequences for the data subject should they fail to supply the data when they are obligated to do so
3. Disclosure Principle
According to the 3rd principle of PDPA Malaysia, personal data cannot be disclosed without the data subject’s consent, unless the disclosure is for:
- The purpose that was disclosed to the data subject at the time of collection
- Any purpose directly related to that purpose
4. Security Principle
When processing personal data, the data user has to take adequate steps to protect that data from loss, misuse, unauthorized or accidental access or disclosure, alteration, modification, or destruction.
5. Retention Principle
Personal data can be kept only for as long as necessary to fulfill the specified processing purpose, after which the data user must destroy it permanently.
6. Data Integrity Principle
Personal data must be accurate, complete, up-to-date, and not misleading with respect to the purpose for which it is processed, and it falls on the data user to ensure this by taking appropriate steps.
7. Access Principle
The data subject can access the data held by the data user and correct any inaccurate, incomplete, outdated, or misleading information.
Data Subject Rights
PDPA Malaysia also grants several data subject rights, including:
Right of Access to Personal Data
The Act grants an individual the right to be informed of the processing of their personal data by the data user or on the data user’s behalf. The data user is obligated to respond to the individual’s data subject access request in a clear and understandable form.
Right to Correct Personal Data
The data subject can also request the data user to correct any inaccurate, misleading, or out-of-date information they have collected about them.
Right to Prevent Processing Likely to Cause Damage or Distress
Where data processing is likely to cause them damage or distress, the data subject can send a “data subject notice” to the data user requiring it not to begin the processing or, if the processing has already started, to cease it.
Right to Prevent Processing for Purposes of Direct Marketing
If the data user processes or intends to process the data for direct marketing (promoting a product or service via email, SMS, online ads, etc.), the data subject can request that this be stopped.
If the data user fails to comply with this request, the data subject may send an application to the Commissioner.
The Commissioner can, upon reviewing the application, force the data user to comply with such a request.
Right to Withdraw Consent
Finally, if at any point after providing their consent, the data subject wishes to withdraw it, they can do so by sending a written notice to the data user.
How to Comply with PDPA Malaysia?
If you are conducting business in Malaysia or have customers there, it’s important to comply with PDPA Malaysia. The following section will give you important pointers on how to do that:
Obtain Explicit Consent
Before you can collect, use, or disclose the personal data of any individual, you first need to obtain explicit consent. This consent must be given freely, and the data subject must be informed about the purposes of processing, the types and categories of personal data you are collecting, the retention periods, and any third parties to whom you will disclose their data.
Keep in mind, once more, that the data subject may withdraw their previous consent at any time.
Take a Personal Data Audit
Perform a thorough audit of the personal data you are holding, including how you are processing it, where you’re storing it, and to whom you are disclosing it.
This will help you better understand your organization’s compliance requirements.
Develop Clear Data Protection Policies
Create and implement clear policies and procedures for the protection of the personal data you are processing, including who has access to it, how you answer data subject requests, and more.
These data protection policies should include data localization policies and cybersecurity policies, among others.
Communicate these policies and procedures throughout your organization.
Implement Appropriate Data Security Measures
Put in place strong physical and digital security measures to safeguard the data against unauthorized and unlawful access, loss, disclosure, misuse, alteration, or destruction.
Develop a Data Breach Response Plan
Develop and follow a data breach response plan. This should include notification to the Commissioner, measures to contain the breach, an assessment of the impact on the affected customers, and so on.
Conduct Regular Training and Education
Finally, you need to conduct regular compliance training and education for your employees to make sure they understand the importance of data protection and their obligation to comply with PDPA Malaysia.
Penalties for Non-Compliance
The Personal Data Protection Act of Malaysia also includes fines and penalties for non-compliance. These are enforced by the Commissioner.
- Any data user that goes against the principles of PDPA Malaysia faces a fine of 300,000 ringgit (MYR, around $64,500), up to two years’ imprisonment, or both.
- If the data user fails to comply with a data subject’s request concerning their rights, the Commissioner can impose on the data user a fine of up to 200,000 ringgit (around $43,000), up to two years’ imprisonment, or both.
- If the data user’s registration has been revoked and they continue to process data, they face a fine of up to 500,000 ringgit, imprisonment of up to three years, or both.
We hope this all-inclusive guide helps you understand what PDPA Malaysia is, its purpose, its principles, data subject rights, and your organization’s compliance obligations.
What’s the next step for your business? Well, you can either take this information and have your data protection officer implement it or let Captain Compliance handle it for you!
What is the purpose of Data Protection Act laws in Malaysia?
Data protection in Malaysia is regulated by the Personal Data Protection Act (PDPA). This act was established in 2010 and officially enacted in 2013.
The main purpose of PDPA Malaysia is to protect the personal data of data subjects from misuse.
In addition, the act serves to:
- Regulate how businesses can collect, use, or disclose the personal data of customers
- Align Malaysian laws with international laws and standards for compliance
- Create a legal framework that individuals can use to seek compensation if their data is abused
- Build customer trust and promote accountability among businesses processing data
Is PDPA the same as GDPR?
No. While the Personal Data Protection Act (PDPA) of Malaysia and the European Union’s General Data Protection Regulation (GDPR) share many similarities as data protection regulations, they are not the same thing.
For one, PDPA applies to organizations that are collecting, storing, using, or disclosing personal data of Malaysian residents for commercial purposes or are established in Malaysia.
On the other hand, the GDPR applies to businesses that process EU citizens' data.
Where do I report PDPA Malaysia?
If you are a data subject to whom PDPA Malaysia applies and wish to report a company for violating your rights under this act, you can do this by applying to the Personal Data Protection Commissioner’s office in Malaysia.
Who needs to comply with PDPA?
According to Section 2 of the Personal Data Protection Act of Malaysia, the PDPA applies to:
- Any person who processes, or
- Any person who has control over or authorizes the processing of any personal data for commercial purposes
Is Malaysia subject to GDPR?
Malaysia has its own data protection regulation, the Personal Data Protection Act (PDPA), which has been in force since 15th November 2013. The EU’s GDPR generally does not apply to Malaysian companies unless they are processing the data of EU citizens.