Talk To An Expert

+66 (0) 2285 6240-9

Knowing the Obligations of Data Controllers & Processors for Malaysia PDPA

Global Data Privacy Regulations

Malaysia PDPA

[et_pb_section fb_built=”1″ _builder_version=”3.22″][et_pb_row _builder_version=”3.25″ background_size=”initial” background_position=”top_left” background_repeat=”repeat”][et_pb_column type=”4_4″ _builder_version=”3.25″ custom_padding=”|||” custom_padding__hover=”|||”][et_pb_text _builder_version=”4.7.7″ background_size=”initial” background_position=”top_left” background_repeat=”repeat” hover_enabled=”0″ sticky_enabled=”0″]

The personal data protection act was passed in Malaysia in May 2010 by the Malaysian Parliament to safeguard the personal data of ‘data subjects’ that businesses deal with on a daily basis. Under the law, data processors and data controllers are required to follow specific obligations which this article discusses.


What are the Obligations of Data Controllers/Processors under Malaysia PDPA?


Data collection and processing

Data controllers are required to follow the seven principles of personal data protection – however, these do not directly apply to data processors.

Under Malaysia PDPA – subject to specific exceptions such as when processing for journalistic, judicial or personal purposes – data controllers must acquire a data subject’s consent for processing his/her personal data. This includes consent for collection and disclosure.

If consent from an under-18 data subject is required, the controller must acquire consent from the parent or guardian. This consent should be in a form where it can be recorded and maintained by the controller, such as written or electronic.

Malaysian PDPA law also contains specific data protection obligations where data subjects must be notified about the purpose of personal data collection, in addition to a requirement where data controllers must maintain a list of personal data disclosures to third parties.

Additional rules apply should data controllers or processors need to process sensitive personal information. The processing must satisfy specific conditions set out by Malaysia PDPA law, which you can learn more about here 

Furthermore, sensitive personal data processing requires explicit consent from the data subject, although the PDPA has not defined “explicit consent” as yet. With that said, data controllers are required to maintain a record of all consents received from data subjects.


Data transfer


Under Malaysia PDPA law, a data controller/processor cannot transfer personal data out of Malaysia, unless that country has been recorded by the Minister in the Official Gazette. Thus far, no countries have been specifically recorded.

In light of the above, the PDPA has laid out a few exceptions to this prohibition – for example, where the data subject’s consent has been acquired for cross-border transfers or where that transfer is deemed necessary for satisfying contractual terms between both parties. Other exceptions include where the data controller has taken the necessary steps and conducted due diligence so that the personal data is transferred and processed only in a way that does not undermine, break or overturn the obligations, standards and policies set out by the PDPA.

When in doubt so as to whether such exceptions apply on the data transfer, the feasible approach would be to gain consent from the data subject for out-of-Malaysia data transfers.


Data retention


As described in the Retention Principle under Malaysia PDPA law, the 2015 Standards outline three key standards – retention, security and data integrity – which are applicable to personal data processed electronically or non-electronically. Here’s a brief overview of the 2015 Standards:

  • Ensure that legislation related to processing and retaining of personal data complies with the Standards before it is disposed
  • Not retain personal data other than the duration for which it has been agreed upon or after the business or legal purpose for doing so has been fulfilled
  • Prepare and maintain records of personal data disposal and submit them to the Commissioner when required
  • Dispose of personal data collection forms used during commercial transactions in 14 days, unless that form has any legal value in regards to the commercial transaction
  • Review and dispose of all personal data which is no longer required in the organizational database
  • Have a personal data ‘destroy and dispose’ schedule for 24 months for inactive personal data


Closing thoughts on Data Controller/Processor Obligations for Malaysia PDPA


Any violations of these obligations, including specific provisions under the Personal Data Protection Regulations 2013 are a criminal offence and punishable by law.

To fully understand all the obligations that data processors and controllers are required to follow under Malaysia PDPA law and how they may affect your day-to-day data processing activities, please get in touch with one of our data privacy consultants now.

[/et_pb_text][/et_pb_column][/et_pb_row][et_pb_row column_structure=”3_5,2_5″ _builder_version=”4.7.7″ _module_preset=”default”][et_pb_column type=”3_5″ _builder_version=”4.7.7″ _module_preset=”default”][et_pb_code _builder_version=”4.7.7″ _module_preset=”default” background_color=”#73c2e0″][weforms id=”1204″][/et_pb_code][/et_pb_column][et_pb_column type=”2_5″ _builder_version=”4.7.7″ _module_preset=”default”][et_pb_blurb title=”Data Privacy 360 Assessment ” _builder_version=”4.7.7″ _module_preset=”default”]

The VinarcoPDPA  Data Privacy 360 Assessment is a globally recognised privacy gap analysis and remediation report that provides organisations with certainty with regards to their compliance status. Covers all regulations

  • Thailand PDPA
  • Singapore PDPA
  • Malaysia PDPA
  • Hong Kong PDPO


Share This :

Recent Posts

Have Any Question?

The world of data privacy laws and compliance can be a complex maze. We’re here to offer competitive data privacy protection and regulatory services to help you deal with day-to-day data privacy compliance and maintenance challenges.