The Personal Data Protection Act 2010 (“PDPA”) governs the processing of personal data in respect of commercial transactions. The PDPA contains principles of consent, notice, disclosure, security, data retention, data integrity and access.  

The key legislation governing data protection in Malaysia is the PDPA. The PDPA came into force on November 15, 2013, and it sets out seven key principles in the processing of personal data by a data controller. Six further pieces of subsidiary legislation have been enacted pursuant to the PDPA to further facilitate the enforcement of the PDPA.

The Personal Data Protection Standard 2015 (“PDP Standards”) was also issued by the Personal Data Protection Commissioner (“PDP Commissioner”). The PDP Standards spell out three main standards, namely: Security Standards, Retention Standards and Data Integrity Standards, which have application to both personal data which are processed both electronically and non-electronically.

In 2024, the Personal Data Protection (Amendment) Act 2024 (“Amendment Act”) was gazetted with its amendments coming into force in three stages, i.e., 1 January 2025, 1 April 2025, and 1 June 2025.

To date, three guidelines have been launched by the PDP Commissioner, namely the Data Protection Officer Guidelines (“DPO Guidelines”), Data Breach Notification Guidelines (“DBN Guidelines”) and Cross-Border Personal Data Transfer Guidelines (“CBPDT Guidelines”).

Most of the reported cases considered the application of the general exemption of Section 45 of the PDPA. For example, in Newlake Development Sdn Bhd v Zenith Delight Sdn Bhd & Ors (No 2) [2021] 7 CLJ 88, it was held that if the court rules that the documents in question were relevant and admissible, the PDPA cannot be used as a shield to prevent such documents from being produced at trial under the guise of personal data protection.

Notably, in Genting Malaysia Berhad v Personal Data Protection Commissioner & Ors [2022] 11 MLJ 898, the High Court held that the PDPA does not permit the Director-General of the Inland Revenue Board of Malaysia (“DGIR”) to issue blanket demands for personal data, given the protections afforded to data subjects under the PDPA. The Court emphasized that such request for data must comply with legal requirements and satisfy the test of necessity, in that “the interference with the rights of data subjects must be proportionate to the reality as well as to the potential gravity of the public interests involved” and “there must also be a specific instance as contemplated by the statute and not a general sweeping and inconsistent reasons for the disclosure to be given”. This decision was significant as it marked the first formal challenge to the powers of law enforcement authorities to request disclosure of personal data.

However, in 2025, the Court of Appeal in Director-General, Inland Revenue v Genting Malaysia Berhad [2025] MLJU 129 set aside the High Court’s decision on the ground that the DGIR’s letter was not a decision subject to judicial review. As a result, the High Court lacked jurisdiction to hear the case in the first place.\

The Court of Appeal did not address the judgment concerning data protection issues under the PDPA, leaving it uncertain whether it remains the prevailing position. Note that Genting has filed a motion for leave to appeal to the Federal Court, but it was unanimously dismissed.

Personal data protects information in respect of a commercial transaction from which an individual is identified or identifiable.  

Note: “Personal data” means any information in respect of commercial transactions, which—

• is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;
• is recorded with the intention that it should wholly or partly be processed by means of such equipment; or
• is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,

that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data controller, including any sensitive personal data and expression of opinion about the data subject; but does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010.

Examples of what would be considered personal data include name and contact details.
“Sensitive personal data” means any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence, biometric data, or any other personal data as the Minister may determine by order published in the Gazette.

Examples of sensitive personal data would include data concerning an individual's health, political opinions, religion, as well as arrests and convictions for criminal offences.

Note: “Biometric data” means any personal data resulting from technical processing relating to the physical, physiological or behavioural characteristics of a person. 

Generally, the defined data is protected under the PDPA through the exercise of seven personal data protection principles, namely: 

• General Principle;
• Notice and Choice Principle;
• Disclosure Principle;
• Security Principle;
• Retention Principle;
• Data Integrity Principle; and 
• Access Principle.

Further details of these principles can be found in the questions below.

The PDPA applies to any person who processes or has control over the “processing” of any personal data (data controller).

“Data controller” means a person who either alone, jointly, or in common with other persons processes any personal data or has control over or authorizes the processing of any personal data, but does not include a data processor. There is also a category referred to as “data processors,” which carries the following meaning:-

“data processor”, in relation to personal data, means any person, other than an employee of the data controller, who processes the personal data solely on behalf of the data controller and does not process the personal data for any of his own purposes.

A data controller would be primarily responsible for any data processors it utilizes. However, pursuant to the Amendment Act, the Security Principle has been extended to data processors, including direct imposition of penalties on data processors for breach – these amendments came into force on 1 April 2025. 

The PDPA does not apply to personal data processed outside Malaysia unless the data is intended to be further processed in Malaysia and it also does not apply to a data controller who is not established in Malaysia unless that person uses equipment in Malaysia to process personal data (save where it is only for purposes of transit).

The Malaysian Federal and State Governments are also exempt from the PDPA.

Data controllers who fall within certain sectors are required to register with the PDP Commissioner. The sectors which have been specified are:

• Communications
• Banking and Financial Institutions
• Insurance
• Health
• Tourism and Hospitality
• Transportation
• Education
• Direct Selling
• Services, namely organizations carrying on the following businesses: legal, audit, accountancy, engineering or architecture, retail or wholesale dealing as defined under the Control Supplies Act 1961, and private employment agencies
• Real Estate
• Utilities
• Pawnbroker
• Moneylender

“Processing” is defined widely under the PDPA and includes “collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data, including— 

• the organization, adaptation or alteration of personal data;
• the retrieval, consultation or use of personal data;
• the disclosure of personal data by transmission, transfer, dissemination or otherwise making available; or
• the alignment, combination, correction, erasure or destruction of personal data”.

The PDPA prohibits a data controller from processing personal data without the consent of a data subject and the PDPA requires a data controller to inform a data subject of various matters relating to the information of a data subject, which is being processed by or on behalf of that data controller.

The General Principle of the PDPA prohibits a data controller from processing personal data without the consent of the data subject unless it is for the following reasons:

• for the performance of a contract to which the data subject is a party;
• for the taking of steps at the request of the data subject with a view to entering into a contract;
• for compliance with any legal obligation to which the data controller is the subject, other than an obligation imposed by a contract;
• in order to protect the vital interests of the data subject;
• for the administration of justice; or
• for the exercise of any functions conferred on any person by or under any law.

The Notice and Choice Principle of the PDPA requires a data controller to inform a data subject by written notice of the following, in both the national language (Malay) and English:

• that personal data of the data subject is being processed by or on behalf of the data controller, and shall provide a description of the personal data to that data subject;
• the purposes for which the personal data is being or is to be collected and further processed;
• of any information available to the data controller as to the source of that personal data;
• of the data subject’s right to request access to and to request correction of the personal data and how to contact the data controller with any inquiries or complaints in respect of the personal data;
• of the class of third parties to whom the data controller discloses or may disclose the personal data;
• of the choices and means the data controller offers the data subject for limiting the processing of personal data, including personal data relating to other persons who may be identified from that personal data;
• whether it is obligatory or voluntary for the data subject to supply personal data; and
• where it is obligatory for the data subject to supply the personal data, the consequences for the data subject if they fail to supply the personal data.

Notice has to be provided as soon as practicable, which means:-

• when the data subject is first asked by the data controller to provide his personal data;
• when the data controller first collects the personal data of the data subject; or
• in any other case, before the data controller—
  
  • uses the personal data of the data subject for a purpose other than the purpose for which the personal data was collected; or
  • discloses the personal data to a third party.

Data controller cannot disclose any personal data of a data subject for any purpose other than the purpose disclosed (and directly related purpose) and to any party other than the class of third parties to the data subject. (Disclosure Principle of the PDPA)

However, the disclosure of personal data is permitted where:

• consent has been given by the data subject;
• the disclosure is necessary to prevent or detect crime, or for the purpose of investigations;
• the disclosure is required or authorized by law or order of the court;
• the data controller had acted under the belief that he has a legal right to disclose the data to another person;
• the data controller had acted under the reasonable belief that he would have received the consent of the data subject if the data subject had known of the disclosure and the circumstances of such disclosure; or
• the disclosure was justified as being in the public interests in circumstances as determined by the Minister.

A data controller and data processor are obligated to take specified measures to protect personal data from loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction during its processing. (Security Principle) A data controller must also not retain longer than is necessary any data for the fulfillment of the purpose for which it is processed and must destroy or permanently delete all personal data, which is no longer required for the purpose for which it was processed. (Retention Principle)

Where data is being processed, the data controller and data processor must take into account the following security factors:

• the nature of the personal data and the harm that would result from such loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction;
• the place or location where the personal data is stored;
• any security measures incorporated into any equipment in which the personal data is stored;
• the measures taken for ensuring the reliability, integrity and competence of personnel having access to the personal data; and
• the measures taken to ensure the secure transfer of the personal data.

The PDP Standards also provide certain measures that have to be complied with under the Security Standards.
Where processing of personal data is carried out by a “data processor” on behalf of a data controller, the data processor shall, for the purpose of protecting the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction—

• provides sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out; and 
• takes reasonable steps to ensure compliance with those measures.

For the Retention Principles, the PDP Standards also contain the Retention Standards, which specify the measures that have to be taken in terms of retention of data.  

The Access Principle confers the right on a data subject to access their personal data and to correct the same if it is inaccurate, incomplete, misleading or outdated.

A data subject shall be given access to their personal data held by a data controller and be able to correct that personal data where the personal data is inaccurate, incomplete, misleading or not up-to-date, except where compliance with a request to such access or correction is refused under the PDPA.

The PDPA also grants rights to data subjects to request access to and/or correction of personal data. The PDPA prescribes the procedures, and there are also timelines that would have to be complied with by a data controller where there is an access and/or correction request.

The PDPA also provides the grounds on which such data access request may be refused such as where the burden or expense of providing access is disproportionate to the risks to the data subject’s privacy in relation to the personal data in the case in question or where the data controller cannot comply with the data access request without disclosing personal data relating to another individual, among other factors.

A data correction request may also be turned down where the data controller is not supplied with such information as he may reasonably require to ascertain in what way the personal data to which the data correction request relates is inaccurate, incomplete, misleading or not up-to-date or where the data controller is not satisfied that the personal data to which the data correction request relates is inaccurate, incomplete, misleading or not up-to-date, among other factors.

The PDPA also provides data subjects with the right to withdraw consent for the processing of their personal data. The data controller must, upon receiving the written notices from data subjects, cease the processing of their personal data. 

Moreover, the data subjects also have the right to prevent processing of their personal data that is likely to cause damage or distress by providing a written notice to the data controller; however, such right subject to certain exceptions, such as where the processing is necessary for the performance of a contract which the data subject is party and where the processing is necessary for the data controller to comply with any legal obligation.

The data subjects also have the right to prevent their personal data from being processed for direct marketing purposes. Further details can be found in Question 16 below.

Lastly, the PDPA also grants data subjects the right to request the data controller to transmit their personal data to another data controller of their choice directly by giving a notice in writing by way of electronic means to the data controller. However, such a request is subject to technical feasibility and compatibility of the data format.

The PDPA does not define “consent” or prescribe a specific consent method, and the Personal Data Protection Regulations 2013 merely require that consent must be in a form that can be “recorded” and “maintained”. The onus of proving consent falls on the data controller. 

Where the form in which consent is to be given also concerns another matter, the requirement to obtain consent shall be presented distinguishable in its appearance from such other matter.

That said, explicit consent is required for the processing of sensitive personal data unless certain exceptions apply. 

The PDPA does not contain specific provisions on how authorization for use (i.e., consent) should be handled. As mentioned above in Question 9, consent must be in a form that can be recorded and maintained.

Yes. The PDPA contains provisions regulating cross-border data transfer.

A data controller shall not transfer any personal data of a data subject to a place outside Malaysia unless to such a place which has in force any law which is substantially similar to the PDPA, or which ensures an adequate level of protection equivalent to the levels of protection afforded under the PDPA. To rely on either of these conditions, the CBPDT Guidelines provide that data controllers are required to conduct a transfer impact assessment ("TIA") to determine whether these conditions are met.

Notwithstanding the prohibition, a data controller may transfer any personal data to a place outside of Malaysia if:

• the data subject has given their consent to the transfer;
• the transfer is necessary for the performance of a contract between the data subject and the data controller;
• the transfer is necessary for the conclusion or performance of a contract between the data controller and a third party which—
  
  • is entered into at the request of the data subject; or
  • is in the interests of the data subject;
• the transfer is for the purpose of any legal proceedings or for the purpose of obtaining legal advice or for establishing, exercising or defending legal rights;
• the data controller has reasonable grounds for believing that in all circumstances of the case—
  
  • the transfer is for the avoidance or mitigation of adverse action against the data subject;
  • it is not practicable to obtain the consent in writing of the data subject to that transfer; and
  • if it was practicable to obtain such consent, the data subject would have given his consent;
• the data controller has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not, in that plac,e be processed in any manner which, if that place is Malaysia, would be a contravention of the PDPA; or
• the transfer is necessary in order to protect the vital interests of the data subject.

The PDPA does not use or define the term “data incident”. Instead, it specifically adopts the term “personal data breach,” which is defined to include any breach of personal data, loss of personal data, misuse of personal data or unauthorized access of personal data.

The DBN Guidelines further provide that the personal data breach includes but is not limited to modification, duplication, alteration or destruction, and may be caused by accidental or deliberate actions (either internally or externally).

Yes. The new Section 12B of the PDPA imposes a mandatory obligation on data controllers to notify both the PDP Commissioner and affected data subjects of personal data breaches where such personal data breach causes “significant harm”.

A personal data breach will be considered to cause or is likely to cause “significant harm” if there is a risk that the compromised personal data:

• may result in physical harm, financial loss, a negative effect on credit records, or damage to or loss of property;
• may be misused for illegal purposes;
• consists of sensitive personal data;
• consists of personal data and other personal information which, when combined, could potentially enable identity fraud; or
• is of “significant scale”, i.e., if the number of affected data subjects exceeds 1000.

The DBN Guidelines provide specific requirements and guidance on the procedures and timelines for handling personal data breaches: 

• Notification to the PDP Commissioner: Notification of data breaches that cause “significant harm” must be made as soon as practicable and no later than 72 hours from the occurrence of the personal data breach. A data controller who fails to notify the PDP Commissioner within 72 hours must submit a written notice to the PDP Commissioner detailing the reasons for the delay and providing supporting evidence.
• Notification to affected data subjects: Notification of data breaches that cause “significant harm” must be made without unnecessary delay, and no later than 7 days after the initial notification is made to the PDP Commissioner. Note that the “significant scale” criterion does not apply when determining whether notification to affected data subjects is required. 

A PDP Commissioner will be appointed by the Minister to carry out the functions and the powers assigned to the PDP Commissioner by the PDPA. There is currently a PDP Commissioner appointed and also a Personal Data Protection Department which has been set up.

The functions of the PDP Commissioner include:

• to advise the Minister on the national policy for personal data protection and all other related matters;
• to implement and enforce personal data protection laws, including the formulation of operational policies and procedures;
• to promote and encourage associations or bodies representing data controllers to prepare codes of practice and to disseminate to their members the codes of practice for the purposes of the PDPA;
• to cooperate with bodies corporate or government agencies for the purpose of performing his functions;
• to determine in pursuance of Section 129 whether any place outside Malaysia has in place a system for the protection of personal data that is substantially similar to that as provided for under the PDPA or that serves the same purposes as the PDPA;
• to undertake or cause to be undertaken research into and monitor developments in the processing of personal data, including technology, in order to take into account any effects such developments may have on the privacy of individuals in relation to their personal data;
• to monitor and supervise compliance with the provisions of the PDPA, including the issuance of circulars, enforcement notices or any other instruments to any person;
• to promote awareness and dissemination of information to the public about the operation of the PDPA;
• to liaise and cooperate with persons performing similar personal data protection functions in any place outside Malaysia in respect of matters of mutual interest, including matters concerning the privacy of individuals in relation to their personal data;
• to represent Malaysia through participation in events that relate to personal data protection as authorized by the Minister, whether within or outside Malaysia; and
• to carry out such activities and do such things as are necessary, advantageous and proper for the administration of the PDPA, or such other purposes consistent with the PDPA as may be directed by the Minister.

Breaches of the provisions of the PDPA will result in a fine and/or imprisonment. Please also see Question 13 above for the data breach notification requirements and procedure.  

Failure to comply with the provisions in the PDPA may amount to a criminal offence:

• Breach of any of the seven data protection principles attracts a fine of up to RM 1,000,000 and/or up to three years imprisonment.
• The unlawful collection, disclosure and sale of personal data attract a fine of up to RM 500,000 and/or up to three years imprisonment.

If a body corporate is found to have committed an offence, the officers of such body corporate are deemed to have committed the offence personally. However, the officer(s) of such body corporate may not be found to have committed the offence if they can prove the offence was committed without their knowledge or consent and they had taken all reasonable precautions and exercised due diligence to prevent the commission of the offence.

There are no specific rules on electronic marketing under the PDPA; however, the PDPA has a general provision on the section on the processing of personal data for direct marketing.

“Direct marketing” is defined in the PDPA as “the communication by whatever means of any advertising or marketing material which is directed to particular individuals”. This would be wide enough to encompass electronic marketing.

The PDPA stipulates that a data subject may, at any time by notice in writing to a data controller, require the data controller at the end of such period as is reasonable in the circumstances to cease or not to begin processing his personal data for purposes of direct marketing.

Where the data subject is dissatisfied with the failure of the data controller to comply with the notice, whether in whole or in part, the data subject may submit an application to the PDP Commissioner to require the data controller to comply with the notice. 

Where the PDP Commissioner is satisfied that the application of the data subject is justified, the PDP Commissioner may require the data controller to take such steps to comply with the notice. A data controller who fails to comply with the requirement of the PDP Commissioner commits an offense and shall, on conviction, be liable to a fine not exceeding RM 200,000 or to imprisonment for a term not exceeding two years or to both.

Under the PDPA, data controllers falling within the class of data controllers prescribed in the Personal Data Protection (Class of Data Controllers) Order 2013 (to be read with Personal Data Protection (Class of Data Controllers) (Amendment) Order 2016) must register with the PDP Commissioner.  

The PDP Commissioner may designate a body as a data controller forum in respect of a specific class of data controllers for the purposes of the PDPA and such data controller forum may develop a code of practice on its own initiative, or upon request by the PDP Commissioner.

The following enforceable codes of practice have been registered: General Code of Practice, Code of Practice for the Utilities Sector (Electricity), Code of Practice for the Insurance and Takaful Industry in Malaysia, Code of Practice for the Banking Sector and Financial Institutions, Code of Practice for the Malaysian Aviation Sector, Code of Practice for the Communications Sector, Code of Practice for the Utilities Sector (Water), and Code of Practice for Private Hospitals in the Healthcare Industry.

Additionally, depending on the type of data in question and the industry in which the data controller and/or data subject are in, specific data protection requirements under other laws and regulations may apply, particularly in highly regulated sectors such as financial or healthcare sectors. 

The Amendment Act introduces a new obligation for both data controllers and data processors to appoint a Data Protection Officer (“DPO”). The appointed DPO shall be accountable to the data controller in relation to the data controller/data processor’s compliance with the PDPA and is required to be registered with the PDP Commissioner within 21 days from the date of the appointment via the Personal Data Protection System. This requirement came into force on 1 June 2025.

According to the DPO Guidelines, only data controllers or data processors, whose processing of personal data involves either one of the following, are required to appoint a DPO: 

• personal data exceeding 20,000 data subjects;
• sensitive personal data, including financial information exceeding 10,000 data subjects; or
  involves activities that require “regular and systematic monitoring” of personal data.

Data controllers and data processors must ensure their appointed DPOs can demonstrate a sound level of the following skills, qualities, and expertise:

•  knowledge on the PDPA, local data protection practices (including any other applicable data protection laws, where relevant);
• understanding of the data controller/processor’s business and personal data processing operations;
• understanding of information technology and data security;
• personal qualities such as integrity, understanding of corporate governance and high professional ethics; and
• ability to promote data protection culture within the organisation.

DPOs may be appointed from among existing employees or through outsourcing services.
Additionally, DPOs must:

• be resident in Malaysia (physically present in Malaysia for at least 180 days in one calendar year) or be easily contactable via any means; and
• be proficient in Bahasa Melayu and English.

DPOs assume the following responsibilities:

• inform and advise the data controller and data processor on personal data processing;
• support the data controller and data processor in complying with the PDPA and other related data protection laws, and monitoring compliance with the same;
• support the carrying out of data protection impact assessments;
• ensure proper data breach and security incident management;
• act as a facilitator and point of contact for data subjects; and
• act as the liaison officer and main point of reference for the PDP Commissioner.

The PDPA requires the data controller to keep and maintain a record of any application, notice, request or any other information relating to personal data that has been or is being processed by them.

Additionally, the data controller must keep and maintain a list of disclosures to third parties (who are not specified in the privacy notices) in relation to personal data of the subject data that has been or is being processed by them. 

The personal data system must be open for inspection, and the PDP Commissioner or the inspection officer may require the production of the following documents and information, which must therefore be properly recorded and maintained:

• Record of the consent from a data subject maintained in respect of the processing of personal data by the data controller;
• Record of a written notice issued by the data controller to the data subject;
• List of disclosures to third parties in respect of personal data that has been or is being processed by him;
• Security policy developed and implemented by the data controller;
• Record of compliance in accordance with the Retention Standards;
• Record of compliance in accordance with the Data Integrity Standards; or
• Such other related information as the PDP Commissioner or any inspection officer deems necessary.

The PDP Standards also contain certain record-keeping requirements; for example, any transfer of personal data using removable media devices and cloud computing services must be recorded. 

Under the DBN Guidelines and DPO Guidelines, the data controller must also keep records and maintain a register detailing personal data breaches for at least 2 years from the date of the notification to the PDP Commissioner and maintain records of their appointed DPOs.

Under the CBPDT Guidelines, the data controller must also keep and maintain a record of the recipient to whom the personal data is transferred.

Presently, there is no express requirement on this in the PDPA.

However, it should be noted that the new Section 12A of the PDPA mandates the appointment of a DPO and one of the responsibilities of the DPO is to provide support and advice on the implementation of data protection impact assessments (DPIA). In this regard, the PDP Commissioner is developing a guideline to provide guidance on conducting a DPIA. It is presently unclear whether this would be a mandatory requirement under the PDPA.

Third-party vendors who process personal data solely on behalf of a data controller are considered “data processors: under the PDPA and are responsible for complying with the Security Principle. Pursuant to the Security Principle, a data controller shall ensure that data processors they engage shall, for the purpose of protecting the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction—

• provide sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out; and
• take reasonable steps to ensure compliance with those measures     

The above obligations may be incorporated into the data processing agreement with the third-party vendor as warranties and representations. The Security Standards under the PDP Standards also stipulate that contracts should be entered into with data processors.

Additionally, under the DBN Guidelines, data controllers are required to contractually impose obligations on data processors to promptly notify the data controller about any personal data breach that has occurred, and to provide all reasonable and necessary assistance to the data controller to meet the data controller’s data breach notification obligation under the PDPA.

Breach of the PDPA may result in an inquiry or investigation by the PDP Commissioner (either on its own initiative or based on a complaint received). Where, following the investigation, the PDP Commissioner decides that the PDPA has been contravened, the PDP Commissioner may serve an enforcement notice, specifying inter alia the breach, the steps required to be taken to remedy the breach within a certain period and directing, if necessary, the relevant data controller to cease processing the personal data. Failure to comply with the PDP Commissioner’s enforcement notice may attract a fine not exceeding RM 200,000 and/or imprisonment for a term not exceeding two years.

Depending on the nature of the offence, a breach of the PDPA may attract a maximum fine of RM 1,000,000, although certain offences are compoundable, which may allow reduced penalties. 

Some examples of penalties are as follows:

• Contravention of the Personal Data Protection Principles may attract a fine not exceeding RM 1,000,000 and/or imprisonment for a term not exceeding three years;
• Processing personal data without a certificate of registration (where required by law) may attract a fine not exceeding RM 500,000 and/or imprisonment for a term not exceeding three years; and
• Non-compliance with the requirement to record and maintain consent, to develop and implement a security policy and to process personal data in accordance with any standards issued by the PDP Commissioner may attract a fine not exceeding RM 250,000 and/or imprisonment for a term not exceeding two years.

Please note that any person who is aggrieved by the decision of the PDP Commissioner may appeal to the Appeal Tribunal by filing a notice of appeal with the Appeal Tribunal. The decisions that may be appealed are:

1. the registration of data controllers;
2. the refusal of the PDP Commissioner to register a code of practice;
3. the failure of the data controller to comply with a data access request or correction request;
4. the issuance of an enforcement notice;
5. the PDP Commissioner’s refusal to vary or revoke an enforcement notice; and
6. the PDP Commissioner’s refusal to conduct or continue an investigation based on a complaint.

There are no express audit requirements under the PDPA, but see Question 21 about the obligations of data controllers to ensure that data processors take reasonable steps to ensure compliance with security measures. A recommended method would be for data controllers to have a right to audit data processors.

As mentioned in Question 1 above, the PDPA was recently amended, and all amendments have come into force.

Three DPO-related documents have been published by the PDP Commissioner, namely, the DPO Professional Development Pathway & Training Roadmap, the DPO Competency Guidelines, and the Management of DPO Training Service Providers Guideline.  

The Personal Data Protection Department is currently developing five additional guidelines and has issued public consultation papers proposing requirements for (i) data subjects’ right to data portability; (ii) data protection impact assessment; (iii) data protection by design; (iv) automated decision making and profiling; as well as (v) amendments to the PDP Standards.