Jurisdiction - Malaysia
Reports and Analysis
Malaysia – PDPA: Are You Compliant?

19 December, 2013


The Personal Data Protection Act 2010 (“Act”) came into force on 15 November 2013. The Act requires those using personal data collected after that date to comply with the Act. For personal data which has been collected prior to that date, a 3-month leeway is given for compliance.

Is the personal data you are now collecting in compliance with the Act? Your answers to the questions below will give you an indication.


  • Have you notified the data subject (the person whose data you are collecting) of the purpose for which you are collecting his personal data? 
  • Have you informed the data subject that he or she has a right to access the personal data you are collecting and to make corrections to it? 
  • Have you made sure that the personal data you are collecting is only used for the purposes you have informed the data subject of? 
  • Has the data subject given his or her consent for you to use the personal data you are collecting in the manner you intend to? 
  • How safe is the personal data you are collecting? Have you taken practical steps to protect it from loss, misuse or modification? 
  • Have you taken practical steps to prevent the personal data you are collecting from being  accessed or disclosed or altered or destroyed in an accidental or unauthorised manner? 
  • Do you have in place reasonable steps to ensure that the personal data you are collecting is sufficiently complete and accurate and that it can be kept updated and not mislead? 
  • Can the data subject access the personal data you are collecting so that he or she can correct it when it is inaccurate or incomplete or misleading or not kept up to date. 
  • Do you have a policy in place as to how long you will keep the personal data you are collecting? 
  • If you intend to transfer the personal data abroad, have you obtained consent from the data subject to do so?

These are but some of your obligations with respect to personal data you are collecting. The answer No’ to any of the questions posed means that you are potentially in breach of the Act and may be liable for a fine up to RM500,000 or to be imprisoned for up to 3 years, or both.


Note: Are You A Data User? 

You are a data user if you process personal data (ie you collect, record, hold or store  or otherwise carry out any operation on personal data),  or control or authorise such  processing, in Malaysia. 


You are considered to be  processing personal data in  Malaysia should you use  equipment in Malaysia to  process personal data, even if  you are not established in  Malaysia.


Zicolaw Logo


For further information, please contact:


Sharon Tan, Partner, ZICOlaw

[email protected] 

Yong Hon Cheong, Partner, ZICOlaw

[email protected] 

Paul Subramaniam, Partner, ZICOlaw

[email protected]


ZICOlaw TMT Practice Profile in Malaysia

TMT Law Firms in Malayasia

Comments are closed.