
To protect the personal information of an individual that is processed for the purpose of commercial transactions.

All individuals and organizations that process personal data in their affairs must comply with the regulations set out in the Personal Data Protection Act 2010. The Federal Government and State Governments are exempt.

The Personal Data Protection Act contains seven principles of information handling practices that must be followed.

General Principle
Notice and Choice Principle
Disclosure Principle
Security Principle
Retention Principle
Data Integrity Principle
Access Principle

Any data that allows a living individual to be identified is protected under the Personal Data Protection Act. The following are examples of data that can be considered personal data, provided a living individual can be identified from the information:

Name and address
Identification card number
Passport number
Health information
Email address
Pictures
Image in closed-circuit television (CCTV) recordings
Information in personal files

An organization must comply with the Act only if it “processes” personal data. The Personal Data Protection Act defines the meaning of the word “processing”, and the definition is very broad. “Processing” personal data means doing something to the data, including collecting, recording, holding, storing, organizing, changing, disclosing and destroying it. Merely reading or accessing information is already considered “processing”.

Examples of activities that may be considered “processing” include:

Collecting data using a form, over the phone or through a website
Publishing data
Selling data
Using data in administration
Using data for marketing purposes
Recording data
Disclosing or providing data to other organizations
Destroying data

The Personal Data Protection Act applies to an individual or an organization if they are a “Data Controller”. A “Data Controller” is an individual or organization that:

Processes personal data, or
Has control over the processing of personal data, or
Authorizes the processing of personal data

The Personal Data Protection Act does not apply to an individual or organization that processes personal data on behalf of a data controller.

If organization A obtains the services of organization B to process data on its behalf, then in this relationship, organization A is the data controller while organization B is the data processor. The Personal Data Protection Act requires organization A to ensure that organization B guarantees to take security measures to protect the data it processes. Organization A is also required by the Act to ensure that organization B complies with the measures.

The Personal Data Protection Act provides rules on good practice in processing personal data of living individuals. The Act defines the individuals whose data is processed by the data controller as data subjects.

Data subjects are granted the following rights:

The right to be informed whether their data is being processed by an organisation
The right to access personal data
The right to correct personal data
The right to withdraw consent to process personal data
The right to prevent processing that may cause damage or distress
The right to prevent processing for direct marketing purposes

The Personal Data Protection Act defines sensitive personal data as information about an individual’s health or physical or mental condition, political opinions, religious beliefs and other beliefs of a similar nature. In addition, the commission or alleged commission of any offence by an individual is also sensitive personal data.

The Act does not allow the processing of sensitive personal data except for the purposes specified in the Act and such processing must be with the express consent of the data subject.

Individuals who feel that their personal data has been processed in breach of any provision of the Act may make a complaint to the Personal Data Protection Commissioner.

Remedies under the Personal Data Protection Act are in the form of criminal offences. The Act has created several new criminal offences, including the following:

Processing personal data without a registration certificate
Processing personal data after registration is cancelled
Violating any of the data protection principles
Processing personal data after consent is withdrawn
Processing sensitive personal data other than in accordance with the conditions that have been set
Selling or offering to sell personal data
Failing to comply with a requirement of the Personal Data Protection Commissioner to comply with a notice regarding direct marketing

If the data controller clearly states in its contract with the third party the responsibility to comply with the PDPA when processing personal data on their behalf, any breach by the third party may be subject to fines/imprisonment or both.

Yes. You must ensure that the place outside Malaysia has in force a law that is substantially similar to the PDPA or serves the same purpose as the Act, or that the place ensures an adequate level of protection in relation to the processing of personal data that is at least equivalent to the level of protection provided by the PDPA.

If the data controller clearly states in its contract with the third party the responsibility for compliance with the PDPA when processing personal data on their behalf, any breach by the third party may be subject to fines/imprisonment or both.

Yes, you can scan records. However, because the records are sensitive data, you need to ensure that data security is in accordance with the PDP Security Principle and Standards.

Yes. However, sending promotional newsletters or updates requires consent from your customers.

Once a company has registered as a Data Controller under the PDPA, it can begin to comply with the provisions of the Act.

Where both colleges hold the same brand under one license issued by the Ministry of Education, the main college has to register and apply for a certified true copy (CTC) from the PDP Commissioner for all its branches in Malaysia.
However, if both colleges hold separate licenses, then registration is applicable to both.

As Immigration is a federal department, it is not bound by the PDPA. In addition, under Section 39, disclosure of personal data to the authorities may be permitted, for example for the prevention and detection of crime and for investigative purposes. However, the data controller should have procedures to verify the validity of the request.

The data controller may not keep personal data longer than necessary unless there are other legal provisions that require longer data retention.

Yes. Under P.U.(A) 337/2013, Regulation 8(1) and Regulation 9, each branch must display a certified true copy of the registration certificate. A certified true copy can be applied for online at https://daftar.pdp.gov.my.

Data controllers who fall within the Personal Data Protection (Group of Data Controllers) Order 2013 (P.U.(A) 336) or the Personal Data Protection (Group of Data Controllers) (Amendment) Order 2016 (P.U.(A) 326).

Registered data controllers will be issued a Registration Certificate, and a Data Controller Forum will be established. The Data Controller Forum will provide a Code of Practice to increase trust and integrity in the handling of personal data.

Late registration renewal is considered as processing personal data without a registration certificate. It is an offense under Section 16(4) of the PDPA.

A Privacy Notice, consistent with all the requirements of Section 7 of the PDPA, must be served by the data controller on its customers when processing the customers’ personal data. In addition, consent for the transfer of personal data abroad must also be obtained by the data controller. However, as a data processor, you are responsible for ensuring the security of the transfer.

The Commissioner’s Office has established Guidance on Privacy Notices. Yes, the Office has communicated with MAH in producing the Tourism & Hospitality Sector Code of Practice.

In order to provide services to customers, the bank may need to disclose customer information to any third party acting on behalf of the bank.

This is in line with Section 8 of the PDPA, which states that there is to be no disclosure of personal data without the customer’s consent to any third party other than those listed by the data controller in the Disclosure List as required by P.U.(A) 335/2013.

A Data Protection Officer is an individual appointed by an organization in accordance with Section 12A of the Personal Data Protection Act 2010 [Act 709] to ensure compliance with Act 709.

The appointment of the Data Protection Officer will take effect from 1 June 2025.

Not all organizations are required to appoint a Data Protection Officer. A data user or data processor must appoint one or more Data Protection Officers if the processing involves:

i. Personal data of more than 20,000 data subjects;
ii. Sensitive personal data, including financial information, of more than 10,000 data subjects; or
iii. Activities requiring regular and systematic monitoring, such as online user behavior tracking.

The main responsibilities of a Data Protection Officer include:

i. Advising the data user or data processor on the processing of personal data in accordance with Act 709;
ii. Providing support services in the implementation of data protection regulations;
iii. Monitoring compliance with the provisions of Act 709 and the data protection policies developed by the data user and data processor;
iv. Providing support and advice on the implementation of Data Protection Impact Assessments (DPIAs);
v. Acting as the primary contact person for the Commissioner regarding compliance with Act 709, personal data processing, and the rights of data subjects; and
vi. Ensuring the data user or data processor manages data breaches and security incidents appropriately.

Data users and data processors must ensure that the appointed Data Protection Officer possesses qualifications, experience, skills, and expertise that are appropriate to the operational needs of personal data processing, the complexity and scale of data processed, data sensitivity, and the level of protection required. The required skills or expertise include:

i. Knowledge of Act 709, legal requirements, and national data protection practices (including any other relevant data protection laws);
ii. Understanding of the business operations of the data user or data processor, and the personal data processing operations carried out;
iii. Understanding of information technology and data security;
iv. Personal qualities such as integrity, understanding of corporate governance, and a high level of professional ethics;
v. The ability to promote a culture of data protection within the organization.

Yes, a Data Protection Officer may be appointed from among existing employees within the organization. The data user or data processor must ensure that the appointed employee possesses the appropriate qualifications, experience, skills, and expertise, and that there is no conflict of interest with their existing duties. The employee should also be given sufficient support to carry out their responsibilities as a Data Protection Officer without disrupting their primary duties in the organization.

Yes, a non-Malaysian citizen can be appointed as a Data Protection Officer, but they are subject to the following conditions:

i. Must reside in Malaysia (i.e., be physically present in Malaysia for at least 180 days in a calendar year); or
ii. Must be easily reachable by any means; and
iii. Must be proficient in the National Language (Bahasa Malaysia) and English.

The data user and data processor must also ensure that the DPO’s business contact information is available to facilitate communication.

Yes, a Data Protection Officer can perform other duties. However, the data user or data processor must ensure that such additional duties do not create a conflict of interest (for example, roles related to marketing that involve processing personal data for marketing purposes) with the DPO’s core responsibility of protecting personal data and ensuring compliance with Act 709.

Yes, an organization may outsource the role of the Data Protection Officer. The data user or data processor must ensure that the service contract clearly outlines the obligations and responsibilities of the DPO, and that the outsourcing organization designates an individual as the Person in Charge (PIC) to communicate with the data user or data processor.

Yes, a data user or data processor may appoint a Data Protection Officer to serve multiple organizations, taking into account the functions, structure, and size of those organizations. For example, a group of companies under the same parent organization. However, the data user or data processor must ensure the appointed DPO is provided with sufficient resources and, if necessary, supported by a team to carry out their responsibilities effectively. The contact information of the appointed DPO must be clearly identified and accessible to employees, the Commissioner, and data subjects.

The main responsibility of data users and data processors is to ensure that the DPO is given adequate support, allowed to carry out their duties independently, and ensure compliance with Act 709. According to the Personal Data Protection Commissioner’s Circular No. 1 of 2025, the summary of the duties and responsibilities of data users and data processors in supporting the DPO is as follows:

i. Ensuring the DPO is involved in all matters relating to personal data protection;
ii. Providing sufficient autonomy, necessary resources, and facilitating access to personal data and processing operations to enable the DPO to perform their duties effectively;
iii. Providing appropriate training to the DPO;
iv. Providing an official email account for the DPO that is separate from personal or business emails of the individual appointed as DPO;
v. Ensuring the DPO is bound by confidentiality in the performance of their duties;
vi. Ensuring the DPO performs their duties professionally, is not bound by instructions, and reports directly to senior management (or equivalent) within the organization.

A data user who meets the criteria for DPO appointment must notify the Commissioner of the appointment within twenty-one (21) days from the date of appointment. Notification must be made by registering the DPO’s business contact information via the Personal Data Protection System (SPDP) at https://daftar.pdp.gov.my.

Registration of DPOs will only be available starting 1 June 2025. Currently, the SPDP module is used for reporting personal data misuse complaints and registering thirteen (13) categories of data users who are required to register under Act 709. A user guide for DPO registration will be uploaded to the official website of the Department of Personal Data Protection (JPDP).

If a DPO is appointed to serve more than one organization, each appointing organization must notify the Commissioner of the appointment. This notification is done by registering the DPO’s business contact information through the SPDP system at https://daftar.pdp.gov.my. Each organization must ensure that the information provided is accurate and up-to-date to facilitate efficient communication among all involved parties.

If there are any changes to the appointed DPO’s information or their business contact details, the data user must promptly update the changes through the SPDP system. These changes must be updated no later than fourteen (14) days from the effective date of the new appointment.

No, the DPO is not personally liable for data protection compliance. The responsibility for ensuring compliance with Act 709 remains with the data user or data processor. However, the DPO plays a key role in assisting the organization in fulfilling its data protection obligations.

There is no set requirement for minimum professional qualifications before being appointed as a DPO, unless otherwise determined by the Commissioner from time to time.

However, organizations must ensure that the appointed DPO receives relevant and appropriate training to enable them to perform their duties efficiently and effectively.

Currently, there is no specific requirement from the Commissioner regarding the duration of courses or training for DPOs. However, such courses or training are recommended to be completed within a reasonable timeframe. Organizations should determine a suitable duration based on the course content and the organization’s needs.

The PDP Commissioner is currently developing a “DPO Competency and Training Roadmap” to serve as a reference for organizations on the competency framework and training required for DPOs. The development process is ongoing and will be announced once completed.

At present, there is no requirement from the Commissioner for DPOs to attend courses provided by appointed training providers. Therefore, organizations may choose qualified or recognized training providers in the field of personal data protection, as long as the attended courses are relevant and meet the requirements of Act 709, and provide the necessary understanding for the DPO to carry out their responsibilities effectively and appropriately for the organization.

The Commissioner is currently finalizing a minimum training module to be provided by training providers for DPOs. The development of this training module is ongoing and will be announced once completed.

Currently, there is no requirement from the Commissioner for DPOs to undergo an assessment. This matter is still under discussion and is being carefully considered by the Commissioner, as assessments are considered important in evaluating the knowledge and understanding of DPOs in fulfilling their responsibilities effectively. Organizations are encouraged to stay updated with the latest announcements from the Commissioner regarding any potential assessment mechanisms.