In 2010, the Malaysian Parliament passed the Malaysia Personal Data Protection Act (PDPA). The law received Royal Assent in June 2010, but it did not come into force until November 15, 2013.

The PDPA provides a comprehensive framework designed to protect individuals' personal data with respect to transactions that are commercial in nature.

In the article below, we'll cover what the PDPA aims to do, whom it applies to, what it requires, and how to comply.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices  - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.

The Malaysian PDPA 101

The following is a brief introduction to the PDPA. The Malaysian government passed the legislation to boost overall consumer confidence in e-commerce and other business transactions.

The Malaysian Parliament deemed this necessary since the country saw an increase in personal data being sold without the user's knowledge and consent. At the same time, there was a troubling rise in identity theft and credit card fraud.

Before 2010, personal data was regulated by industry-specific legislation. Examples of industries where the government regulated personal information are telecommunications, banking and finance, and healthcare.

Today, the Malaysian PDPA covers all businesses established in Malaysia that process personal data, regardless of industry. Companies that are not established in Malaysia but use equipment located in Malaysia to process personal data (other than merely for transit through the country) are also bound by the law.

The PDPA Authority

The authority responsible for carrying out the regulations within Malaysia's PDPA is the Personal Data Protection Commissioner. This individual is empowered to conduct a broad range of job functions within the scope of the 2010 data protection law.

These powers include:

  • Authority to access a company's computerized data
  • Authority to investigate data breaches
  • Authority to inspect a company's data system
  • Authority to (with or without a warrant) search and seize data "where necessary"
  • Authority to serve an enforcement notice following an investigation of a data breach. This notice provides an outline of the breach, steps that must be taken to rectify the situation and a deadline for compliance.
  • Authority to direct a company to stop processing user data permanently

Who Does the PDPA Apply to?

Anyone who processes personal data or has control over that processing is considered a "data user." This can therefore be a person or an organization. The Malaysian PDPA covers all data users based in Malaysia and all data users who use equipment in Malaysia to process data.

It's relevant to note that under the PDPA, "processing" covers a broad range of activities.

These include:

  • Collecting personal data
  • Recording personal data
  • Using personal data
  • Sharing personal data; and
  • Storing personal data

Data processors may also be individuals or organizations. However, this is something of a "third-party" category. Under the PDPA, these data processing third-parties, which process personal data on behalf of a data user, are not directly bound by the same regulations.

Instead, the data user is expected to oversee the data processor and make sure that relevant regulations are adhered to.

Exemptions

The following are exempt from the PDPA:

  • Malaysia's national government
  • Malaysia's state governments
  • Credit reporting businesses that are already covered by the Credit Reporting Agencies Act of 2010

Definitions and Scope of the PDPA

There are four main definitions that you need to be familiar with regarding the Malaysian PDPA. These are:

  • Personal data
  • Sensitive data
  • Data user
  • Data processor

Personal Data

To be considered "personal data" under the PDPA, all of the following conditions must be met:

  • The data must relate, directly or indirectly, to an individual who is identified or identifiable from that data alone or from that data combined with other information the data user possesses,
  • The data must be information pertaining to commercial transactions, and
  • The data must be handled in at least one of the following ways: it is being processed wholly or partly by equipment that operates automatically in response to instructions given for that purpose; it is recorded with the intention that it be processed by such equipment; or it is recorded as part of a relevant filing system, or with the intention that it form part of one

Additionally, "personal information" as defined by the PDPA is considered to be much the same as that covered by Europe's General Data Protection Regulation (GDPR). In other words, "personal information" covers all the types of data business owners have come to expect when it comes to data privacy and protection laws.

These include but may not be limited to:

  • Photographs
  • Banking details
  • Name
  • Physical address
  • Email address
  • Telephone number
  • IP addresses
  • Search history
  • Browser history
  • Device details
  • Unique IDs

According to the PDPA, commercial transactions include anything to do with the exchange or supply of services or goods, banking and insurance, financing, investments, and agency.

It's important to note that the PDPA does not specify whether employment relationships are considered a type of commercial transaction.

Sensitive Data

You may be tempted to ask why there is a separate category for sensitive data when there's already a category for personal information.

After all, isn't personal data sensitive, too?

The fact is that while some data protection laws lump a lot of data categories together under "personal data" or "personal information" where obligations are much the same, the PDPA imposes greater responsibilities on data users when it comes to "sensitive data."

Under the PDPA, sensitive data includes such things as an individual's:

  • Political leanings
  • Religious beliefs
  • Physical health
  • Mental health
  • Criminal record (or alleged crimes committed), and
  • Any other information, which the Minister "may order published in the Gazette"

Data User

While the PDPA uses the term "data user," the term is essentially the same as the GDPR's "data controller."

A data user is a person (an individual or an organization) who, alone, jointly, or in common with others, processes personal data or has control over or authorizes the processing of personal data. The definition expressly excludes a data processor.

Data Processor

As stated in the PDPA, a data processor is "any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user and does not process the personal data for any of his own purposes."

The Seven Data Principles of the PDPA

There are seven data protection principles that all data users must comply with under the Malaysian PDPA. These principles describe how your company's website must handle a data subject's personal information.

These principles are:

  • The General Principle
  • Notice and Choice Principle
  • Disclosure Principle
  • Security Principle
  • Retention Principle
  • Data Integrity Principle
  • Access Principle

Let's take a look at each principle individually.

The General Principle

The first Malaysian PDPA principle is simply known as the "General Principle." It prohibits data users from processing personal data without the data subject's consent, and it requires explicit consent before sensitive personal data is processed.

Similar in nature to GDPR requirements, consent must be given through an affirmative opt-in in a form that can be recorded and kept. Consent inferred from silence or inaction is not considered valid.

In other words, under Malaysia's PDPA, implied consent isn't valid. For example, suppose you only had a notice on your website stating that you collect data, but you didn't give your site's visitors any way to agree to or decline that collection. In that case, any information you gathered from your site's visitors would have been collected without their consent.

Here's an example of a non-compliant notice that doesn't obtain consent or let users know that they can opt out of the use of their data. It doesn't give users options:

Spotify Cookie Consent banner with browsewrap highlighted

Additionally, many of the items that constitute "personal data" are bits of information that cookies usually process. Having an acceptable cookie consent notice that obtains explicit consent is therefore essential as well.

Here's an example of a compliant cookie consent notice that gives options and obtains actual, active consent:

Financial Times cookie consent notice - 2023 update

Generally speaking, personal data may only be processed under the PDPA if the processing is:

  • For a lawful purpose directly related to an activity of the data user (for example, the operation of your website)
  • Necessary for, or directly related to, that purpose, and
  • Adequate but not excessive in relation to that purpose (i.e., limited to the minimum needed)

There are some exceptions to the consent requirement. For instance, consent is not required where the processing is necessary to perform a contract with the data subject, to take steps at the data subject's request before entering a contract, to comply with a legal obligation, or to protect the data subject's vital interests.

Notice and Choice

Like many other data privacy and protection laws, Malaysia's PDPA requires that you provide your website's users with notice concerning your company's data processing activities.

You must provide a conspicuous written statement (such as a Privacy Policy) regarding the following:

  • Your intent to collect personal information
  • What kind of data you collect (personal, sensitive, both, etc.)
  • Why you are collecting the data (i.e., what you intend to do with it)
  • With whom you share data
  • The right of the data subject to access and rectify personal data
  • Whether supplying the data is voluntary or obligatory for the data subject and, if obligatory, the consequences of not supplying it
  • How a data subject may limit the processing of their personal information
  • Your contact information

Here's an example of an excerpt of a Privacy Policy that helps disclose part of the above requirements:

Porch Potty Privacy Policy: Information we collect clause

Here's a clause that addresses data subject rights:

Etsy Privacy Policy: Your Rights and Choices clause excerpt

Include your contact information, like so:

Impact Privacy Policy: How to Contact Us clause

The notice and choice principle is directly tied into the general principle since you must provide your website's visitors with notice and let them know what their options are in order for them to know precisely what they are consenting to.

Finally, the data user must provide the notice in both English and the national language (Bahasa Malaysia), and must do so before the personal data is processed or, at the latest, when it is first collected.

Disclosure

The PDPA prohibits you from disclosing personal data to any third party unless the data subject has consented in advance, or the disclosure falls within the narrow exceptions the Act itself sets out (for example, where the disclosure is required by law or by a court order).

In other words, all data you collect whether it's from opt-in forms, cookies and trackers, social media plugins, analytics, etc., may only be shared with others outside your company if you've acquired the express permission of your website's visitors to do so.

As a whole, when it comes to disclosing or sharing data you collect, you're limited to what you've specified in your notice and to third parties you've explicitly listed in it.

Here's an example of a way to give notice via your Privacy Policy that you may disclose or share collected data:

NeuBase Privacy Policy: Will Your Information Be Shared With Anyone clause - Vendors, consultants and other third party service providers section

Furthermore, if you do list third parties in your notice with whom you intend to share data, you must maintain up-to-date and accurate lists.

Security

Strict measures to safeguard personal data are obligatory under the PDPA.

To comply with this requirement, your business must put in place a security policy, which details the following:

  • Who may access personal data. This must include a registration system to monitor access.
  • What steps are taken to make sure personal data is always managed in a confidential manner
  • What technical measures currently exist, such as recovery systems and secure storage
  • What steps are in place to make sure data is transferred safely

You can let users know that you have security procedures in place via your Privacy Policy, like so:

Clients on Demand Privacy Policy: Security of Your Information clause

Here's another example so you can see how these clauses do vary:

Workday Master Subscription Agreement: Protection and Security of Customer Data clause

Data users need to remember that the legal responsibility to protect a data subject's personal information includes ensuring that strict safeguards are in place. These safeguards encompass, but aren't limited to, the following:

  • Organizational security arrangements (e.g., authorizations and access controls, appointing compliance personnel)
  • Technical security arrangements (e.g., secure storage, encryption, and means of secure transfer)
  • Preventing the misuse and abuse of personal data (e.g., preventing data breaches, loss of data, and disclosure of data without consent)

Data Retention

The Malaysian PDPA allows you to store (or retain) a data subject's personal information only for the amount of time required for you to fulfill the reasons stated within your information and notice.

It is essential for you to bear in mind that you're legally required to delete all personal information in your possession once you've used it for the purposes stated in your information and notice.

With that said, there aren't any legal limits placed on the amount of time you can retain personal data. As long as you're actively using that information for the purposes you made public, then time limits do not apply.

However, you must also recall that the personal data you collect is subject to inspection by the Department of Personal Data Protection. You, therefore, must maintain full and accurate records, including records of deleted data.

You should let people know how long you plan to retain data by adding a clause like the following to your Privacy Policy:

Bolder Play Privacy Policy: Data retention clause

Data Integrity

Essentially, this principle demands that businesses ensure that all personal data collected from data subjects is up-to-date, complete, and accurate.

Access to Data

Malaysian data subjects (customers/clients/website users, etc.) have the right to request access to all personal data, which your business has collected from them. In other words, all information you've collected through the use of cookies, opt-in forms, trackers, and more must be made available to data subjects upon request.

Moreover, data subjects have the right to request corrections to any information that is deemed inaccurate, incomplete, or misleading.

Let them know this by adding a clause to your Privacy Policy, as seen here:

POM Wonderful Privacy Policy: How You Can Access and Update Information clause

Summary

The following are the key points to keep in mind regarding the Malaysian PDPA:

  • The Malaysian Parliament passed the Malaysia Personal Data Protection Act (PDPA) in 2010, and it went into effect on November 15, 2013.
  • The law is designed to protect individuals' personal data in connection with commercial transactions.
  • The PDPA covers individuals and businesses that are based in Malaysia or that process personal data using equipment in Malaysia.
  • Like other data privacy and protection laws, the Malaysian PDPA demands that data users obtain consent before processing a data subject's personal information, and explicit consent before processing sensitive personal data. They must also provide written notice in both English and Bahasa Malaysia as to what type of data is collected, why it is collected, how it will be used, whether it is shared with third parties, how it is stored, how it is secured, and how the data user may be contacted.
  • Strict measures to safeguard personal data are obligatory under the PDPA.
  • You are allowed to store (or retain) a data subject's personal information only for the amount of time necessary for you to fulfill the reasons stated within your information and notice.
  • The PDPA prohibits you from disclosing personal data to any third party other than with the data subject's prior consent or under the limited exceptions set out in the Act.
  • You must ensure that all personal data collected from data subjects is up-to-date, complete, and accurate.
  • The PDPA provides the right to data subjects to request access to their personal data and request corrections.
