
To protect the personal information of an individual that is processed for the purpose of commercial transactions.

All individuals and organizations that process personal data in their affairs must comply with the regulations set out in the Personal Data Protection Act 2010. The Federal Government and State Governments are exempt.

The Personal Data Protection Act sets out seven principles of information handling practice that must be followed:

General Principle
Notice and Choice Principle
Disclosure Principle
Security Principle
Retention Principle
Data Integrity Principle
Access Principle

Any data that allows a living individual to be identified is protected under the Personal Data Protection Act. The following are examples of data that can be considered personal data, as long as a living individual can be identified from the information:

Name and address
Identification card number
Passport number
Health information
Email address
Pictures
Image in a closed circuit television (CCTV) recording
Information in personal files

An organization must comply with the Act only if it “processes” personal data. The Personal Data Protection Act defines the word “processing”, and the definition is very broad. “Processing” personal data means doing anything with the data, including collecting, recording, holding, storing, organizing, altering, disclosing and destroying it. Merely reading or accessing the information already counts as “processing”.
Examples of activities that may be considered “processing” include:

Collect data using a form, over the phone or through a website
Publishing data
Selling data
Using data in administration
Using data for marketing purposes
Record data
Disclose or provide data to other organizations
Destroy data

The Personal Data Protection Act applies to an individual or organization if they are a “Data Controller”. A “Data Controller” is an individual or organization that:

processes personal data, or
has control over the processing of personal data, or
authorizes the processing of personal data

The Personal Data Protection Act does not apply to an individual or organization that processes personal data on behalf of a data controller.

If organization A obtains the services of organization B to process data on its behalf, then in this relationship, organization A is the data controller while organization B is the data processor. The Personal Data Protection Act requires organization A to ensure that organization B guarantees to take security measures to protect the data it processes. Organization A is also required by the Act to ensure that organization B complies with the measures.

The Personal Data Protection Act provides rules on good practice in processing personal data of living individuals. The Act defines the individuals whose data is processed by the data controller as data subjects.

Data subjects are granted the following rights:

The right to be informed whether their data is being processed by an organisation
The right to access personal data
The right to correct personal data
The right to withdraw consent to process personal data
The right to prevent processing that may cause damage or distress
The right to prevent processing for direct marketing purposes

The Personal Data Protection Act defines sensitive personal data as information about an individual’s physical or mental health or condition, political opinions, religious beliefs or other beliefs of a similar nature. In addition, information about the commission or alleged commission of any offence by an individual is also sensitive personal data.

The Act does not allow the processing of sensitive personal data except for the purposes specified in the Act and such processing must be with the express consent of the data subject.

Individuals who believe that their personal data has been processed in breach of any provision of the Act may lodge a complaint with the Personal Data Protection Commissioner.

Enforcement under the Personal Data Protection Act takes the form of criminal offences. The Act has created several new criminal offences, including the following:

Processing personal data without a registration certificate
Processing personal data after registration has been cancelled
Violating any of the data protection principles
Processing personal data after consent has been withdrawn
Processing sensitive personal data otherwise than in accordance with the conditions set out in the Act
Selling or offering to sell personal data
Failing to comply with a notice issued by the Personal Data Protection Commissioner regarding direct marketing

If the data controller clearly states in its contract with the third party the responsibility to comply with the PDPA when processing personal data on their behalf, any breach by the third party may be subject to fines/imprisonment or both.

Yes. Before transferring personal data to a place outside Malaysia, you must ensure that the place has in force a law which is substantially similar to the PDPA or which serves the same purposes as the Act, or that the place ensures an adequate level of protection in relation to the processing of personal data which is at least equivalent to the level of protection provided by the PDPA.

Yes, you can scan records. However, because the records contain sensitive personal data, you need to ensure that data security is handled in accordance with the PDP Security Principle and the Personal Data Protection Standard.

Yes. However, sending promotional newsletters or updates requires the consent of your customers.

Once a company has registered as a Data Controller under the PDPA, it can begin to comply with the provisions of the Act.

Where both colleges operate under the same brand and under one license issued by the Ministry of Education, the main college has to register and apply for a certified true copy (CTC) of the registration certificate from the PDP Commissioner for all its branches in Malaysia.
However, if the two colleges hold separate licenses, then each must register.

As the Immigration Department is a federal department, it is not bound by the PDPA. In addition, under Section 39, disclosure of personal data to the authorities may be permitted, for example for the prevention and detection of crime and for investigative purposes. However, the data controller should have procedures in place to verify the validity of any such request.

The data controller may not keep personal data longer than necessary unless there are other legal provisions that require longer data retention.

Yes, under P.U.(A) 337/2013, Regulation 8(1) and Regulation 9; each branch must display a certified true copy of the registration certificate. A certified true copy can be applied for online at https://daftar.pdp.gov.my

Data controllers falling within the Personal Data Protection (Group of Data Controllers) Order 2013 (P.U.(A) 336) or the Personal Data Protection (Group of Data Controllers) (Amendment) Order 2016 (P.U.(A) 326) are required to register.

Registered data controllers will be issued a Registration Certificate, and a Data Controller Forum will be established. The Data Controller Forum will produce a Code of Practice intended to increase trust and integrity in the handling of personal data.

Late registration renewal is considered as processing personal data without a registration certificate. It is an offense under Section 16(4) of the PDPA.

A Privacy Notice consistent with all the requirements of Section 7 of the PDPA must be served by the data controller on its customers when processing their personal data. In addition, the data controller must obtain consent for the transfer of personal data abroad. As a data processor, however, you are responsible for ensuring the security of the transfer.

The Commissioner’s Office has issued Guidance on Privacy Notices. Yes, the Office has worked with MAH in producing the Tourism & Hospitality Sector Code of Practice.

In order to provide services to customers, the bank may need to disclose customer information to any third party acting on behalf of the bank.

This is in line with Section 8 of the PDPA, which provides that personal data shall not be disclosed without the customer’s consent to any third party other than those listed by the data controller in the Disclosure List required under P.U.(A) 335/2013.

A Data Protection Officer is an individual appointed by an organization in accordance with Section 12A of the Personal Data Protection Act 2010 [Act 709] to ensure compliance with Act 709.

The appointment of the Data Protection Officer will take effect from 1 June 2025.

Not all organizations are required to appoint a Data Protection Officer. Data controller or data processor must appoint one or more Data Protection Officers if the processing involves:

i. personal data exceeding 20,000 data subjects;
ii. sensitive personal data including financial information data exceeding 10,000 data subjects; or
iii. activities that require regular and systematic monitoring, such as online user behavior tracking.

The main responsibilities of a Data Protection Officer include:

i. advise the data controller or data processor on the processing of personal data in accordance with Act 709;
ii. provide support in the implementation of data protection regulations;
iii. monitor compliance with the provisions of Act 709 and policies related to personal data protection developed by data controllers and data processors;
iv. provide support and advice on the implementation of data protection impact assessments;
v. act as primary liaison officer to the Commissioner regarding issues of compliance with Act 709, personal data processing and data subject rights; and
vi. ensure the data controller or data processor manages data breaches and security incidents appropriately.

Data controller and data processor must ensure that the appointed Data Protection Officer possesses the qualifications, experience, skills, and expertise appropriate to the requirements of the personal data processing operations, the complexity and scale of the data processed, the sensitivity of the data, and the protection required for such data. The required skills or expertise include:

i. knowledge of Act 709, the requirements under the law, and data protection practices in the country (including any other applicable data protection laws, where relevant);
ii. understanding of the data controller or data processor’s business operations and the personal data processing operations that are carried out;
iii. understanding of information technology and data security;
iv. personal qualities such as integrity, understanding of corporate governance and high professional ethics;
v. ability to promote data protection culture within the organisation.

Yes, a Data Protection Officer (DPO) may be appointed from among the existing employees within the organisation. A data controller or data processor must ensure that the appointed employee as the DPO possesses the appropriate qualifications, experience, skills, and expertise, and that there is no conflict of interest with their existing duties. The employee must also be provided with sufficient support to carry out their responsibilities as a DPO without disrupting their primary role within the organisation.

Yes, a non-Malaysian citizen may be appointed as a Data Protection Officer (DPO), but they are subject to the following conditions:

i. must be resident in Malaysia (i.e., physically present in Malaysia for at least 180 days in one calendar year); or
ii. easily contactable via any means; and
iii. be proficient in the Bahasa Melayu and English languages.

The data controller and data processor must also ensure that the business contact information of the Data Protection Officer is available to facilitate communication.

Yes, a Data Protection Officer (DPO) may perform other duties. However, data controller or data processor must ensure that the performance of these additional tasks and functions does not result in a conflict of interest (such as marketing-related duties that involve the processing of personal data for marketing purposes) with the DPO’s primary responsibility of protecting personal data and ensuring compliance with Act 709.

Yes, an organisation may use outsourcing services to appoint a Data Protection Officer (DPO). Data controller or data processor must ensure that the service contract outlines the duties and obligations of the DPO, and also ensure that the outsourcing organisation appoints an individual within its organisation as the person-in-charge (PIC) to liaise with the data controller or data processor.

Yes, data controller or data processor may appoint a single Data Protection Officer (DPO) to serve multiple organisations, taking into account the functions, structure, and size of those organisations. For example, a group of companies under the same large parent organisation. However, the data controller or data processor must ensure that the appointed DPO is provided with sufficient resources to carry out their responsibilities and is supported by a team, if necessary. The contact details of the appointed Data Protection Officer must be identified and accessible to employees, the Commissioner, and data subjects.

The primary responsibility of data controller and data processor is to ensure that the Data Protection Officer (DPO) is provided with adequate support, is able to perform their duties independently, and ensure compliance with Act 709 is maintained. Based on the Personal Data Protection Commissioner’s Circular No. 1 of 2025, a summary of the duties and responsibilities of the data controller and data processor in supporting the Data Protection Officer is as follows:

i. ensure that the Data Protection Officer is involved in all matters related to personal data protection;
ii. provide sufficient autonomy, providing necessary adequate resources, and facilitate access to personal data and processing operations to ensure that the Data Protection Officer can carry out their duties effectively;
iii. provide appropriate training to the Data Protection Officer;
iv. provide a dedicated official business e-mail account for the Data Protection Officer that is separate from the personal email and the official business work e-mail address of the individual appointed as the Data Protection Officer;
v. ensure that the Data Protection Officer is bound by secrecy concerning the performance of their duties;
vi. ensure that the Data Protection Officer performs their duties professionally, is not bound by instructions, and reports directly to senior management (or equivalent) within the organisation.

Data controller that fulfills the conditions for appointing a Data Protection Officer (DPO) must notify the appointment to the Commissioner within twenty-one (21) days from the date of appointment. The notification must be made by registering the business contact information of the DPO through the Personal Data Protection System (SPDP) via https://daftar.pdp.gov.my.

Registration for Data Protection Officers will only be open starting from 1 June 2025. Currently, the SPDP module is used to report personal data misuse complaints and to register thirteen (13) categories of data controllers who are required to register under Act 709. A user guide for the registration of Data Protection Officers will be uploaded on the official website of the Personal Data Protection Department (JPDP).

If a Data Protection Officer (DPO) is appointed to serve more than one organisation, each organisation that appoints the DPO must notify the Commissioner of the appointment. This notification must be made by registering the DPO’s business contact information through the Personal Data Protection System (SPDP) at the link https://daftar.pdp.gov.my. Each organisation must ensure that the submitted information is accurate and up to date to ensure efficient communication between all parties involved.

If there are any changes to the details of the appointed Data Protection Officer or to the officer’s business contact information, the data controller must promptly maintain and update the changes through the Personal Data Protection System (SPDP). These changes must be updated no later than fourteen (14) days from the effective date of the new appointment.

No, the Data Protection Officer (DPO) is not personally responsible for data protection compliance. The responsibility for ensuring compliance with Act 709 remains with the data controller or data processor. However, the DPO plays a crucial role in assisting the organisation in fulfilling its data protection obligations.

There is no fixed requirement for minimum professional qualifications or expertise before being appointed as a Data Protection Officer, unless otherwise determined by the Commissioner from time to time.

However, organisations must ensure that the appointed Data Protection Officer receives relevant and appropriate training to enable them to carry out their duties efficiently and effectively.

Currently, there is no specific requirement from the Commissioner regarding the duration of courses or training that must be attended by a Data Protection Officer. However, it is recommended that such courses or training be attended within a reasonable timeframe, and the organisation should determine an appropriate duration based on the course content and the needs of the organisation.

The PDP Commissioner is currently developing a “DPO Competency and Training Road Map” (“Roadmap”) as a reference for organisations regarding the competency framework and training requirements that must be fulfilled by Data Protection Officers. The development process of this Roadmap is still ongoing and will be announced upon completion.

At present, there is no requirement from the Commissioner requiring Data Protection Officers to attend courses conducted by appointed training providers. Therefore, organisations may choose qualified or recognised training providers in the field of personal data protection, as long as the courses attended are relevant, meet the requirements of Act 709, and provide the necessary understanding for the Data Protection Officer to carry out their responsibilities effectively, according to the organisation’s needs.

The Commissioner is in the process of refining the minimum training modules that should be provided by training providers for Data Protection Officers. The development of these training modules is still ongoing and will be announced upon completion.

At present, there is no requirement from the Commissioner regarding the requirement for Data Protection Officer to undergo an assessment. This matter is still under discussion and needs to be further examined by the Commissioner, considering that assessment is regarded as an important aspect in evaluating the level of knowledge and understanding of a Data Protection Officer in effectively carrying out their responsibilities. Organisations are advised to stay updated with the latest developments from the Commissioner regarding any assessment mechanisms that may be introduced in the future.