Malaysia – Personal Data Protection Act 2010 In Force.

20 December, 2013

The coming into effect of the Personal Data Protection Act 2010 (“Act”) on 15 November 2013 heralds the dawn of a new era for standards of fair dealing with regard to personal data. The Act entrenches the notion that an individual has the right to ensure that his personal information is accurate, and is being used fairly in accordance with the law. At a time when direct marketing is reinventing itself with the widespread use of internet technology and crimes relating to identity are on the rise, the need for privacy and personal data protection has never been greater.

Does It Apply To Me? 

The Act introduces a comprehensive personal data protection regime that imposes broad obligations on those who process personal data in connection with commercial transactions.

What Is Personal Data? 

This is widely defined as information which relates directly or indirectly to an individual (known as a data subject) who is identified or identifiable from that information, or from that information together with other information in the possession of a data user. For example: personal data of customers, vendors, visitors to your premises or websites, and employees. This includes data in traditional paper form as well as data stored electronically on your computers.

Do You Process Personal Data? 

Processing is defined as collecting, recording, holding or storing the personal data, or carrying out any operation or set of operations on the personal data. The Act also applies if you have control over, or authorise, the processing of personal data, e.g. processing that you have outsourced to a third party.

Do You Process Personal Data In Malaysia?

If you are not established in Malaysia, but use equipment in Malaysia to process personal data, the Act would also apply.

If you answered “yes” to all of the above, note that penalties for breach of the Act include fines of up to RM300,000 and imprisonment of up to two years. Note also that the Commissioner has the power to inspect your compliance with the Act.


The Commissioner

The Personal Data Protection Commissioner (the “Commissioner”) is appointed by the Minister of Communications and Multimedia (“Minister”) to implement the provisions of the Act. He is to be advised by a Personal Data Protection Advisory Committee. Decisions of the Commissioner can be appealed to the Personal Data Protection Appeal Tribunal.

Mr Abu Hassan bin Ismail has been appointed as the Commissioner with effect from 15 November 2013.

Summary Of Substantive Obligations 

The Act requires compliance with the following seven Personal Data Protection Principles:

1. General Principle: Use personal data only for the purpose for which it was given (e.g. to perform a contract) or for compliance with legal obligations. Do not collect personal data that is excessive for that purpose. Consent is required if you use the data for a different purpose or if you process sensitive personal data.

2. Notice and Choice Principle: Consistent with the concept of fair use, you must notify the individual of the nature of the personal data being processed, the purposes for which it is collected and further processed and the data subject’s right to request access to and correction of personal data, etc. Notification can be in electronic form as long as the individual can record and keep a copy.

3. Disclosure Principle: Limit disclosure of the personal data to the purpose which the data subject had been informed of at the time of collection and for which the data subject had consented. You must maintain a list of disclosures made to third parties.

4. Security Principle: Take practical steps to safeguard personal data from loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.

5. Retention Principle: Do not retain personal data for longer than is necessary for the fulfilment of the purpose.

6. Data Integrity Principle: Take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date, having regard to the purpose (including any directly related purpose) for which the personal data was collected and further processed.

7. Access Principle: Give a data subject access to his personal data held by the data user and the ability to correct that personal data where it is inaccurate, incomplete, misleading or not up-to-date.


Additional Restrictions 

There are certain types of personal data and data processing which are subject to additional restrictions:


  • Sensitive Personal Data (i.e. any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence, or any other personal data as the Minister may determine) cannot be processed without the explicit consent of the data subject.
  • Restriction on Cross-border Transfers. Generally, personal data may not be transferred to a place outside Malaysia unless that place has been specified by the Minister or a prescribed exemption applies (e.g. where the individual has consented to the transfer of his personal data). This restriction will need to be considered carefully in view of the increasing use of cross-border outsourcing, the sharing of information between members of a multinational group, and the advent of cloud computing.
  • Right to prevent processing for purposes of direct marketing. A data subject may require the data user to cease, or not begin, processing his personal data for purposes of direct marketing. Failure to comply with such a request is an offence, punishable by a fine of up to RM200,000 or imprisonment of up to 2 years or both.
  • Registration. See the Schedule below for the prescribed classes of data users required to register.
  • Codes of practice. The Act introduces a form of self-regulation, whereby data user forums can prepare codes of practice by which to govern compliance with the Act. Much of the detail of compliance is expected to be shaped by these codes of practice, which will be registered and published. If the codes are unsatisfactory, the Commissioner can issue his own code, and compliance with the relevant code is mandatory.

What Should I Do Now? 

Companies and businesses have 3 months from 15 November 2013 (i.e. until 15 February 2014) to comply with the Act. If your business is personal data-centric or deals with a large volume of personal data, you may wish to implement compliance initiatives as soon as possible.

Your compliance efforts should:


  • Identify personal data that is being collected and what it is being used for
  • Issue personal data protection notices
  • Implement processes to comply with security, retention, data integrity and access requirements
  • Audit compliance periodically, taking into account standards set by the Commission from time to time


If you are required to register, take the opportunity to influence collective consensus on fair use of personal data.



Schedule: Data Users Who Must Register, By Sector

Communications
  • Licensees under the Communications and Multimedia Act 1998
  • Licensees under the Postal Act 2012
Banking and Financial Institutions
  • Banks and investment banks licensed under the Financial Services Act 2013
  • Islamic banks and international Islamic banks licensed under the Islamic Financial Services Act 2013
  • Development financial institutions under the Development Financial Institution Act 2002
  • Insurers licensed under the Financial Services Act 2013
  • Takaful operators and international takaful operators licensed under the Islamic Financial Services Act 2013
Health
  • Licensees, and holders of a certificate of registration of a private medical clinic or a private dental clinic, under the Private Healthcare Facilities and Services Act 1998
  • A body corporate registered under the Registration of Pharmacists Act 1951
Tourism and Hospitality
  • Persons carrying on or operating tourism training institutions, licensed tour operators, licensed travel agents or licensed tourist guides under the Tourism Industry Act 1992
  • Persons carrying on or operating registered tourist accommodation premises under the Tourism Industry Act 1992
Transportation
  • Malaysian Airlines (MAS), Air Asia, MAS Wings, Air Asia X, Firefly, Berjaya Air and Malindo Air
Education
  • Private higher educational institutions registered under the Private Higher Educational Institutions Act 1996
  • Private schools or private educational institutions registered under the Education Act 1996
Direct Selling
  • Licensees under the Direct Sales and Anti-Pyramid Scheme Act 1993
Services
  • Companies or persons in a partnership carrying on businesses in connection with legal, audit, accountancy, engineering or architecture services
  • Companies or persons in a partnership conducting retail dealing and wholesale dealing as defined under the Control Supplies Act 1961
  • Companies or persons in a partnership carrying on the business of a private employment agency under the Private Employment Agencies Act 1981
Real Estate
  • Licensed housing developers under: the Housing Development (Control and Licensing) Act 1966; the Housing Development (Control and Licensing) Enactment 1978, Sabah; and the Housing Development (Control and Licensing) Enactment 1993, Sarawak
Utilities
  • Tenaga Nasional Berhad, Sabah Electricity Sdn Bhd, Sarawak Electricity Supply Corporation, SAJ Holding Sdn Bhd, Air Kelantan Sdn Bhd, LAKU Management Sdn Bhd, Perbadanan Bekalan Air Pulau Pinang Sdn Bhd, Syarikat Bekalan Air Selangor Sdn Bhd, Syarikat Air Terengganu Sdn Bhd, Syarikat Air Melaka Sdn Bhd, Syarikat Air Negeri Sembilan Sdn Bhd, Syarikat Air Darul Aman Sdn Bhd, Pengurusan Air Pahang Berhad, Lembaga Air Perak, Lembaga Air Kuching and Lembaga Air Sibu




For further information, please contact:


Sharon Tan, Partner, ZICOlaw


Yong Hon Cheong, Partner, ZICOlaw


Paul Subramaniam, Partner, ZICOlaw


