In Malaysia, the data protection and privacy law is provided for in the federal constitution as well as in a dedicated act of parliament governing the collection of personal data in the context of commercial transactions.

Federal Constitution

The federal constitution of Malaysia does not expressly list privacy as a fundamental right. However, Malaysian case law has, in limited circumstances, interpreted the right to life and personal liberty under Article 5(1) as encompassing a right to privacy.

Personal Data Protection Laws in Malaysia

The Personal Data Protection Act 2010 (PDPA) acts as the primary legislation governing the collection and processing of personal data in commercial transactions. In line with that, the Personal Data Protection Commissioner (the “Commissioner”) and the Department of Personal Data Protection (Jabatan Perlindungan Data Peribadi or JPDP) were established to implement and enforce the PDPA.

Since the PDPA came into force, several subsidiary regulations and guidelines have been introduced, including:

• the Personal Data Protection Regulations 2013 (PDP Regulations);
• the Personal Data Protection (Class of Data Users) Order 2013;
• the Personal Data Protection (Registration of Data User) Regulations 2013;
• the Personal Data Protection Standard 2015 (PDP Standard);
• the Guide to Prepare Personal Data Protection Notice 2022; and
• the General Code of Practice of Personal Data Protection.

Pursuant to the Personal Data Protection (Amendment) Act 2024 (the “Amendment Act”), a suite of guidelines have been, or will be issued by the Commissioner. These include, namely:

• the Data Breach Notification Guideline (“DBN Guideline”) (issued 25 February 2025);
• the Appointment of Data Protection Officer Guideline (“DPO Guideline”) (issued 25 February 2025);
• the Right to Data Portability Guideline (“Data Portability Guideline”);
• the Cross Border Data Transfer Guideline (“CBDT Guideline”) (issued 29 April 2025);
• the Management of Data Protection Officer Training Service Providers Guideline (issued 21 July 2025);
• the Data Protection Officer Competency Guideline (issued 21 July 2025);
• the Data Protection Officer Professional Development Pathway & Training Roadmap (issued 21 July 2025);
• the Data Protection Impact Assessment Guideline;
• the Data Protection by Design Guideline (“DPbD Guideline”); and
• the Automated Decision Making and Profiling Guideline (“ADMP Guideline”).

In addition to the above guidelines, sector-specific codes of practice have also been developed, including for banking and financial services, healthcare, and the aviation sector. These codes set out additional obligations tailored to the operational circumstances of each sector and industry.

Sector-Specific Requirements

In addition to the PDPA, there are data protection requirements prescribed by sector-specific regulations. For example, in the banking and financial sector, Section 133 of the Financial Services Act 2013 (FSA) imposes secrecy obligations, except where one of the conditions for permitted disclosure is met. Bank Negara Malaysia (BNM)’s Risk Management in Technology (RMiT) policy document requires financial institutions to establish comprehensive cyber crisis management frameworks, including a cyber-incident response plan. The Management of Customer Information and Permitted Disclosures (MCIPD) policy document further prescribes detailed measures and controls governing the collection, storage, use, transmission, sharing, disclosure and disposal of customer information.

Data Sharing Between Public Sector Agencies

Where personal data is shared between federal public sector agencies, the Data Sharing Act 2025 (DSA) applies. The DSA imposes statutory duties on public sector agencies that request or provide data to other agencies, including requirements to take appropriate measures to safeguard the security and confidentiality of the data, maintain records of the shared data, and report any unauthorised disclosure to the Director General of the National Digital Department (DGNDD).

Taken as a whole, Malaysia’s data governance framework operates on a layered basis. The PDPA governs private-sector processing of personal data in commercial contexts, supplemented by sector-specific regulatory instruments and codes of practice.

Data controllers (ie, persons who process personal data or have control or authority over the processing of personal data) are required to comply with the relevant requirements under the PDPA. This includes the requirement to comply with the seven personal data protection principles (“PDP Principles”), namely:

• General Principle (Section 6) – this is the general requirement to obtain the consent of data subjects for the processing of their personal data, unless any of the PDPA exemptions apply. Additionally, the processing of personal data must be for a lawful purpose directly related to the data controller’s activities and be adequate, relevant and not excessive in relation to that purpose. Finally, where sensitive personal data is involved, data controllers are required to obtain the explicit consent of the data subject unless one of the relevant exemptions under Section 40 applies; 
• Notice and Choice Principle (Section 7) – this is the requirement to issue a written privacy notice in both Bahasa Malaysia and English, setting out the relevant information required under Section 7 of the PDPA;
• Disclosure Principle (Section 8) – this is the prohibition from the disclosure of personal data without the data subject’s consent, except where the disclosure is for purposes or to parties specified in the data controller’s privacy notice, or where an exemption under the PDPA applies;
• Security Principle (Section 9) – this is the requirement to take practical steps to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction by having regard to the matters specified in the PDPA;
• Retention Principle (Section 10) – this is the obligation to only retain personal data for the period necessary to achieve the purpose for which it was collected and processed, and to destroy or permanently delete such data when it is no longer needed;
• Data Integrity Principle (Section 11) – this is the requirement to take reasonable steps to ensure that personal data is accurate, complete, not misleading, and kept up to date; and
• Access Principle (Section 12) – this is the requirement to allow data subjects to access and correct their personal data.

In addition to the seven principles, the PDPA also prohibits the transfer of personal data outside Malaysia, unless one of the conditions listed under Sections 129(2) or (3) of the PDPA is met.

With respect to data subject rights, the PDPA confers data subjects with several rights in respect of their personal data:

• right of access to personal data – data subjects are entitled to be informed by a data controller as to whether their personal data is being processed by, or on behalf of the controller;
• right to correct personal data – data subjects are entitled to correct their personal data if it is inaccurate, incomplete, misleading or out of date;
• right to withdraw consent – data subjects are entitled to withdraw their consent to the processing of their personal data;
• right to prevent processing of personal data that is likely to cause damage or distress – data subjects are entitled to request that the data controller cease or not commence the processing of their personal data based on the reasons that the processing is causing or is likely to cause substantial damage or substantial distress to the data subject or another person, and such damage or distress is or would be unwarranted;
• right to prevent processing for purposes of direct marketing – data subjects are entitled to request that the data controller cease or not commence the processing of their personal data for direct marketing purposes; and
• right to data portability – data subjects are entitled to request that the data controller transmit their personal data directly to another data controller, subject to technical feasibility and compatibility of format.

Under the PDPA, any personal data relating to the physical or mental health of a data subject, their political opinions, religious beliefs or other similar beliefs, biometric data, or the commission or alleged commission of an offence, is considered to be “sensitive personal data”. 

As a general rule, explicit consent is required for the processing of sensitive personal data. While the PDPA does not provide any definition or guide as to what constitutes explicit consent, it is generally understood that explicit consent requires the data subject to have carried out an affirmative action to signify their consent. This includes:

• writing the words “I consent”;
• ticking a check box; or
• providing their signature.

Both data controllers and data processors (ie, any person who processes personal data for and on behalf of a data controller, and not for its own purposes) are required to implement enhanced security safeguards to protect sensitive personal data. This is because under the PDPA’s Security Principle, the level of security should correspond to the nature of the personal data and the harm that may result from its loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.

Processing of Personal Data of Children

The PDPA does not impose children-specific data protection obligations. Nevertheless, as individuals below the age of 18 are not legally able to provide consent, Regulation 3(3) of the PDP Regulations provides that consent for the processing of a child’s personal data must be obtained from a parent, guardian, or any such person with parental responsibility over that child.

When personal data is processed for the purpose of preparing statistics or carrying out research, the processing is exempted from the General, Notice and Choice, Disclosure and Access Principles, as well as other related provisions of the PDPA. This exemption applies only where the personal data is not used for any other purpose and the resulting statistics or research findings are anonymised, such that no data subject is identifiable.

Additionally, the Commissioner intends to issue the DPbD Guideline which aims to encourage data controllers to integrate privacy considerations into all aspects of their personal data management. Based on the Public Consultation Paper on the DPbD Guideline, the DPbD Guideline intends to introduce the element of data minimisation, which encourages data controllers to verify whether the relevant purposes for processing personal data can be achieved by using less detailed, aggregated, or non-personal data. Where the purpose ultimately does not require identification – such as in statistical analyses – the DPbD Guideline expects controllers to delete or anonymise personal data as soon as identification is no longer required. If identification must be retained for other processing activities, controllers are encouraged to apply pseudonymisation to reduce the risk to data subjects.

Sector-Specific Requirements

Similarly, the Malaysian Medical Council’s Guidelines on Confidentiality echo this principle by ensuring that data used for medical research or audit be anonymised wherever practicable. Where anonymisation is not feasible or would undermine the validity of the research, the Guidelines on Confidentiality require that express consent be obtained before any identifiable patient data is used or disclosed. This reflects a consistent approach in Malaysia where anonymisation is preferred for research purposes, and identifiable data may be used only where necessary and with appropriate safeguards.

Malaysia currently does not have a dedicated statute or comprehensive regulatory framework governing AI. As a result, the legal landscape is shaped primarily by non-binding policy guidelines and the application of existing laws to AI-related activities. While certain sectoral regulators have introduced guidelines or requirements to address AI risks within their respective domains, such initiatives remain limited in scope and are the exception rather than the rule.

In the absence of binding AI-specific legislation, reference is often made to the National Guidelines on AI Governance and Ethics (“NAIGE”). While NAIGE does not carry any legal effect, it currently serves as Malaysia’s principal policy instrument for promoting responsible and ethical AI development and use. NAIGE sets out seven AI principles that end users, including individuals and organisations deploying AI systems, are expected to observe. One of the key principles is “privacy and security”, which emphasises that when handling personal data such as financial or health information, proper procedures, informed consent, and secure storage practices are essential. In line with this, NAIGE underscores the need for robust security measures to protect against hacking, data breaches and other malicious activities.

Therefore, AI developers are encouraged to obtain consent where required, ensure privacy and data protection throughout the AI system life cycle, avoid unlawful or discriminatory use of data, and incorporate privacy-by-design and security-by-design approaches aligned with relevant international standards.

Separately, the Commissioner intends to issue the ADMP Guideline to address risks arising from the use of automated systems. Based on the public consultation paper on the ADMP Guideline, the guideline intends to confer three rights on data subjects, collectively referred to as the Automated Decision-Making Restrictions:

• the right to refuse to be subjected to a decision based solely on automated decision-making (including profiling) which produces legal effects concerning the data subjects or significantly affects the data subject;
• a right to information on the automated decision-making being undertaken (ie, the transparency requirement); and
• a right to request a human review of the automated decision-making.

In addition, the public consultation paper on the ADMP Guideline highlights the Commissioner’s proposal to introduce specific safeguards for the processing of biometric data in the context of automated decision-making and profiling. However, as automated decision-making and profiling are not currently recognised or defined concepts under the PDPA, it remains to be seen whether the ADMP Guideline, once issued, will carry any binding legal effect.

Notification Requirement and Timeline

The PDPA read in line with the DBN Guideline imposes a requirement on data controllers to notify the Commissioner of the occurrence of a personal data breach if the personal data breach causes, or is likely to cause, “significant harm” to data subjects or is of a “significant scale”. A personal data breach is considered to be of a “significant scale” where it affects more than 1,000 data subjects.

On the other hand, “significant harm” includes instances where there is a risk that the compromised personal data:

• may result in physical harm, financial loss, a negative effect on credit records or damage to or loss of property;
• may be misused for illegal purposes;
• consists of sensitive personal data; or
• consists of personal data and other personal information which, when combined, could potentially enable identity fraud.

Notification must be made as soon as possible and no later than 72 hours from the occurrence of the breach. If the data controller is unable to submit the notification to the Commissioner within 72 hours, the data controller must submit a written notice to the Commissioner detailing the reasons for the delay, together with supporting evidence.

Besides the Commissioner, data controllers must also notify affected data subjects if a breach results in, or is likely to result in, “significant harm” to the affected data subjects. Affected data subjects must be notified of the personal data breach without unnecessary delay and in any case, no later than seven days after the initial data breach notification is made to the Commissioner.

Dealing With the Data Breach

The DBN Guideline imposes a requirement on data controllers to act promptly as soon as they become aware of any personal data breach by assessing, containing and reducing the potential impact of the data breach, by considering the following immediate containment actions where applicable:

• isolate and disconnect the compromised database or system from the network;
• suspend or disable compromised access rights;
• stop the practices identified as having caused the data breach; and
• determine whether the lost data can be recovered or whether any immediate remedial action can be taken to minimise further harm being caused by the breach.

Data controllers are also required to conduct a post-breach evaluation to review the effectiveness of the data breach management and response plan, as well as its data protection practices and policies to prevent the recurrence of similar incidents.

In addition, data controllers are required to keep and maintain written records and a register detailing all occurrences of personal data breaches for a period of at least two years from the date of notification to the Commissioner.

Individual Claims

The PDPA does not expressly allow aggrieved claimants to pursue civil actions against data controllers for any breach of the provisions of the PDPA including for any loss or damage arising from a personal data breach. This position was affirmed in the Court of Appeal case of Ranjan Paramalingam & Anor v Persatuan Penduduk Taman Bangsar Kuala Lumpur [2023] 1 MLJ 459. However, claimants may still initiate civil actions against data controllers through other causes of action, such as breach of contract for the data controller’s breach of its obligations to protect the aggrieved claimant’s personal data.

Sector-Specific Requirements

Certain sectors also impose data breach notification requirements. For example, Paragraph 11 of the MCIPD lays out the exact requirements financial institutions must comply with when dealing with customer information breaches. As notification of data breaches under the MCIPD is directed to BNM, the financial institution will also need to comply with the data breach notification requirements under the PDPA, and notify the JPDP within the prescribed timeframes.

The Commissioner, assisted by officers in the JPDP, acts as the primary regulator overseeing enforcement of the PDPA and its regulations.

Section 48 of the PDPA lays out the functions of the Commissioner, which include:

• implementing and enforcing the PDPA;
• monitoring and supervising compliance with the PDPA; and
• promoting awareness and disseminating information to the public about the operation of the PDPA.

In addition to the general functions and powers, the Commissioner is provided with a wide range of investigative and enforcement powers, which include the power to:

• inspect any personal data system used by a data controller for the purpose of obtaining information that would assist the Commissioner in making recommendations to promote the data controller’s compliance with the PDPA;
• carry out investigations where complaints have been lodged by data subjects or where the Commissioner has reasonable grounds to believe that a data controller may be in contravention of the PDPA;
• issue enforcement notices to direct a data controller to take steps to remedy any contravention of the PDPA, or to cease processing personal data until the contravention has been remedied;
• carry out search and seizure with or without a warrant on the data controller’s premises;
• request access to computerised data when conducting a search on the data controller’s premises;
• require production of any computer, book, account, computerised data or other document kept by the data controller;
• require attendance of persons acquainted with the case and examine such persons to obtain their statement when carrying out its investigation under the PDPA;
• arrest without warrant any person reasonably believed to have committed, or to be attempting to commit, an offence under the PDPA; and
• issue compounds for offences under the PDPA.

Note that the digital minister has proposed elevating the Commissioner’s office, which currently operates as a government department, into a full-fledged independent data commission. This proposed reform aims to enhance the Commissioner’s enforcement and oversight powers, and to strengthen overall data protection and governance in Malaysia.

Sector-Specific Requirements

In addition to the JPDP, regulators who oversee specific sectors are provided with the power to ensure compliance with specific sectorial requirements. For example, BNM acts as the regulator of the financial sector. It is provided with vast powers to oversee compliance with the FSA and set standards relating to the conduct of financial institutions, including conduct relating to the processing of customer information.

Data Sharing Between Public Sector Agencies

The DSA sets up the National Data Sharing Committee (NDSC), which oversees the implementation of the DSA. They are assisted by the DGNDD. Their roles are further discussed in 3.4 Regulators and Enforcement.

Investigations and Enforcement Notices

The PDPA does not grant data subjects a private right of action or a right to claim compensation from data controllers or data processors for non-compliance with the PDPA. Instead, aggrieved individuals may lodge written complaints with the Commissioner in respect of any act, practice or request relating to their personal data. Upon receiving such a complaint, the Commissioner may conduct an investigation unless one of the circumstances under Section 106 of the PDPA applies, which permits the Commissioner to refuse to proceed with the complaint (eg, the complaint is frivolous, vexatious or is not made in good faith).

Following an investigation, the Commissioner may issue an enforcement notice to a data controller if he is of the opinion that the data controller is contravening any provision of the PDPA or has previously contravened it in circumstances that make it likely that the contravention may continue or be repeated. The enforcement notice will state the Commissioner’s findings, identify the relevant statutory provision that has been breached and direct the data controller to take specified steps to remedy the contravention within a prescribed period. The notice may also require the data controller to cease processing personal data pending the rectification of the breach.

Data controllers who are not satisfied or disagree with the enforcement notice may initiate appeal proceedings with the Appeal Tribunal. Failure to comply with an enforcement notice constitutes an offence, punishable by a fine of up to MYR200,000, imprisonment for up to two years, or both.

Penalties for Breaches

Data controllers are also reminded that various provisions of the PDPA carry fines and jail terms, with any contravention of the PDP Principles carrying a maximum fine of MYR1 million and/or imprisonment for up to three years.

Sector-Specific Requirements

Apart from the PDPA, data controllers in certain sectors may also be at risk of breaching certain sectoral requirements, such as Section 133 of the FSA. Any person who contravenes Section 133 of the FSA shall on conviction be liable to a fine not exceeding MYR10 million, five years’ imprisonment or both.

Similarly, Section 234 of the FSA provides BNM with the power to take action against any person who has committed a breach under the FSA, or if the person has failed to comply with or give effect to any standards, such as the RMiT or MCIPD. This includes the power to prescribe monetary penalties as well as the power to provide the person with a notice in writing ordering them to comply or give effect to the standard. 

Data Sharing Between Public Sector Agencies

Section 18 of the DSA provides that any officer or servant of a data recipient shall not use or disclose the data shared under the DSA other than for the purpose for which the data is shared.

According to the list of inspection activities published on the JPDP’s website, the JPDP carried out four inspection visits to four different data controllers’ personal data systems, as well as two enforcement activities against unregistered data controllers. The Commissioner also released a list of compound cases issued under the PDPA from 2017 to 2025, which recorded that a total of 33 data controllers were required to pay a compounded fee for breaches to one or more sections under the PDPA. Additionally, a total of eight cases were taken to court. To date, the highest publicly reported compound issued under the PDPA is MYR108,000 for breaches of the General, Disclosure and Retention Principles.

Based on the above trends, data controllers should place higher importance on ensuring their compliance with the PDPA including the seven PDP Principles, and ensure adherence to the PDP Standards, the PDP Regulations, and any subsidiary legislation or guidelines issued pursuant to the PDPA.

Sector-Specific Requirements

BNM has over the past years carried out various enforcement activities against financial institutions. The trend relating to enforcement activities for disclosing customer information is discussed under 3.4 Regulators and Enforcement.

Over the past 24 months, a small number of cases involving civil claims for non-compliance with the PDPA have been brought to court. However, these cases were dismissed, with the courts either making a finding that there was no breach, or that the PDPA did not provide data subjects with the ability to pursue civil claims on the basis of non-compliance with the PDPA.

On the other hand, the PDPA has been used in court to contend that certain documents should not be produced in court as this would violate the disclosure principle under the PDPA. These typically involved cases focused on disputes of a different nature, such as disputes over employment or banking which required the production of certain documents or personal data.

Finally, in a recent significant case, namely Genting Malaysia Bhd v Pesuruhjaya Perlindungan Data Peribadi & Ors [2025] 4 CLJ 710, the claimant commenced judicial review proceedings against a statutory body relating to disputes over the disclosure of personal data.

That said, the number of cases involving the PDPA since 2010 have been limited in number, often due to the fact that aggrieved parties are prevented from pursuing civil claims against the non-complying party. This is unlikely to change in the near future as the Commissioner of the JPDP has not signalled any intention to introduce civil claims and remedies under the PDPA. Therefore, future cases are likely to primarily involve the disclosure of documents or information as well as judicial review proceedings.

Genting Malaysia Bhd v Pesuruhjaya Perlindungan Data Peribadi & Ors

The case of Genting Malaysia Bhd v Pesuruhjaya Perlindungan Data Peribadi & Ors [2025] 4 CLJ 710 garnered a great deal of public attention as it was the first time that the director general of Inland Revenue was taken to court over a personal data-related dispute. As such, the case was touted to lay the groundwork for the extent to which a statutory body may request and obtain access to personal data.

Under the Income Tax Act 1967 (ITA), the Inland Revenue Broad of Malaysia (IRB) is provided with broad powers to ensure effective collection of tax revenue. This includes Section 81 of the ITA, which empowers the director general of the IRB (DGIR) to demand the disclosure of information or particulars that are in the possession or control of a person, for the purposes of the ITA.

The dispute arose when the DGIR exercised his powers under Section 81 of the ITA to demand that Genting Malaysia Berhad (“Genting”) disclose the personal data of all of its customers who were members under the Genting Rewards Loyalty Programme (“Loyalty Programme”) for the purposes of enlarging the IRB’s tax base.

Genting refused to agree to the demand, stating that complying with the DGIR’s demands would result in Genting breaching its obligations to customers under the PDPA. In response, the DGIR stated that the disclosure was permitted under the PDPA as it met the exemptions listed under Sections 39 and 45 of the PDPA. As a result of this, Genting subsequently filed a judicial review application with the High Court, which then ruled that the PDPA does not allow the DGIR to make blanket demands for personal data (in this case, the demand for the data of all customers who were members of the Loyalty Programme).

That said, the High Court’s ruling was overturned by the Court of Appeal, which ruled that the judicial review application brought forward by Genting was time barred as it was filed after the three-month window prescribed by Order 53 Rule 3(6) of the Rules of Court 2012 had passed. Genting’s motion for leave to appeal to the Federal Court was also dismissed.

Nevertheless, while the ruling by the High Court was overturned, this case has made it clear that the courts will not be shy in limiting the powers of statutory bodies in cases where the collection and processing of personal data is found to be excessive. In the event that another similar application for judicial review surfaces, the decisions of the High Court, while not binding, may serve as an indication of how the courts may decide such cases in the future.

Ranjan Paramalingam & Anor v Persatuan Penduduk Taman Bangsar Kuala Lumpur

In the case of Ranjan Paramalingam & Anor v Persatuan Penduduk Taman Bangsar Kuala Lumpur [2023] 1 MLJ 459, the appellants alleged that, among other things, the residents’ association unlawfully obtained and misused the personal data of Bangsar Park residents under the guise of implementing a guarded neighbourhood security scheme. They claimed this amounted to a breach of the PDPA and sought an inquiry into the acquisition and use of their data, along with damages. In its decision, the High Court found that personal information was collected solely for security purposes with no evidence of misuse. As such, the High Court ruled that there was no breach of the PDPA.

Following the High Court’s decision, the appellants decided to take the matter to the Court of Appeal. However, the appeal was subsequently dismissed. In reaching its decision, the Court of Appeal emphasised that, given the penal consequences arising from non-compliance with the PDPA, allegations of offences under the PDPA must be pursued strictly through the complaints mechanism provided by the JPDP. The Court of Appeal emphasised that, pursuant to Section 104 of the PDPA, complainants are required to submit a written complaint to the Commissioner, who is empowered to investigate and take appropriate action. Additionally, the Court of Appeal clarified that non-compliance with the PDPA cannot be used as a cause of action in a civil suit.

It is clear from this case that the primary mechanism available to any party aggrieved by another party’s non-compliance with the PDPA lies with the complaint mechanism provided by the JPDP. Any party that attempts to pursue a civil claim for non-compliance with the PDPA will fail in their claim due to the fact that the PDPA does not provide for any means to make civil claims, unless and until a further decision of an appellate court in Malaysia determines otherwise.

The PDPA does not provide aggrieved parties with the ability to pursue civil claims in the court, therefore collective redress is unlikely to succeed in Malaysia at this juncture (based on case law). Any complaints relating to a breach of the PDPA may only be channelled to the JPDP who may then carry out an investigation.

As such, there is currently no available collective redress mechanism available to the public to take action against any party in breach of the PDPA.

Public Sector Agencies

The largest legislation pertaining to the sharing of data (both personal data and non-personal) between public sector agencies is the DSA, which has been approved by the parliament of Malaysia but has yet to come into force. The DSA will establish the National Data Sharing Committee (NDSC) and sets down the general rules pertaining to the sharing of data between public sector agencies. This includes the methods to request data sharing, the purposes for which data may be shared, as well as the circumstances in which a public sector agency may deny a data-sharing request.

Additionally, the DSA imposes duties and obligations in relation to the protection of data that has been shared, such as the requirement to take necessary measures to ensure the security and privacy of data, including the protection of data from any loss, misuse, unauthorised or accidental modification, access or disclosure, alteration or destruction.

This obligation is similar to that provided under the PDPA in relation to the protection of personal data. Additionally, the obligation to protect data shared under the DSA extends to the recipient of the data as well as third parties who have been engaged by the data provider or recipient to conduct any data migration, data integration or data analytics work using the data shared under the DSA.

Finally, Section 23 of the DSA provides a general obligation of secrecy, imposing a requirement on any officer or servant of public sector agencies not to disclose any information obtained by them during the course of their duties.

Sector-Specific Requirements

Certain sectors in Malaysia impose additional requirements on the sharing of data through their regulations and guidelines.

For example, in the financial sector, Section 133 of the FSA prohibits the disclosure of any document or information relating to the affairs or account of any customer of the financial institutions, unless one of the conditions provided under Section 134 of the FSA is met. This applies to all documents or information relating to the affairs or account of the customer regardless of whether it is personal data or non-personal data.

The above requirements are further supplemented by various guidelines issued by the regulator, BNM. For example, the MCIPD lays out the specific conditions for permitted disclosures as well as the financial institution’s obligations in relation to the protection of customer information, and notification requirements in the event of a breach.

Note that when processing personal data, financial institutions need to comply with the requirements under both the PDPA and FSA.

On the other hand, the disclosure of data under certain sectors is regulated under different acts. For example, the disclosure of credit information by credit reporting agencies is regulated by the Credit Reporting Agencies Act 2010 (CRAA). Any information subject to regulation by the CRAA is expressly excluded from the PDPA’s scope. As such, when processing and disclosing credit information for the purpose of the credit reporting agency’s business, the credit reporting agency is not required to comply with the PDPA and will instead be subject to the relevant requirements under the CRAA.

National Cloud Computing Policy

The National Cloud Computing Policy (NCCP) serves as a framework for cloud adoption across Malaysia’s public, private and citizen sectors. In particular, it serves as a mandate for cloud adoption within government agencies.

While the NCCP merely sets out a framework for the adoption of cloud policy, it provides important insight into the likely direction the government wishes to take in relation to data sharing using cloud technology. Examples of this include Pillar One of the NCCP, which aims to prepare a cloud-based data integration platform for government agencies, allowing them to share data across agencies efficiently.

Nevertheless, the NCCP does not set out unique rules for sharing data across the cloud – rather, it references existing laws in Malaysia such as the PDPA and requires all stakeholders to adhere to the standards set under the PDPA. In cases where there is cross-border data transfer, the NCCP reminds all stakeholders that they may also be subject to the other nation’s personal data protection laws, such as the EU General Data Protection Regulation.

Public Sector Agencies

With regards to IP protection, Section 4(2) of the DSA provides that any data shared under the DSA is deemed to be compiled pursuant to the relevant provisions of the statutes listed under the schedule of the DSA. This list includes Section 52 of the Copyright Act 1987 (the “Copyright Act”) which regulates the disclosure of information obtained pursuant to the Copyright Act.

Therefore, any data that is considered to be the intellectual property of another person may only be shared in compliance with Section 52 of the Copyright Act.

Sector-Specific Requirements

In cases where the PDPA applies to the processing and disclosure of data, data controllers within these industries (such as the financial industry) are expected to comply with both the requirements under the PDPA as well as the relevant requirements under the applicable act, regulation or guideline. As such, financial institutions are required to comply with both the PDPA and secrecy obligations under the FSA and applicable guidelines. In cases where there are differing standards, the financial institution will be expected to comply with the stricter standard.

On the other hand, credit information subject to the requirements under the CRAA are expressly excluded under the PDPA. As such, credit reporting agencies are not required to comply with the PDPA when disclosing credit information. However, credit reporting agencies are still required to comply with the PDPA when dealing with non-credit information, such as the personal data of their employees.

In the case of IP protection of non-personal data, the Copyright Act will apply in all sectors, unless there is an act that expressly limits its application.

National Cloud Computing Policy

Part 4 of the NCCP (governance and oversight) sets down the applicable regulatory framework to ensure compliance with data protection laws. In this respect, the NCCP requires all stakeholders to comply with the PDPA and international data protection laws. Additionally, cloud service providers are expected to implement certain general data protection measures, such as encryption, access control and audits.

Apart from the rights and obligations provided under the PDPA, the previously mentioned laws do not provide for any additional rights and obligations as they are primarily focused on the disclosure obligations of the data controller, as opposed to providing rights to the data subjects.

Public Sector Agencies

Under Section 5 of the DSA, the NDSC was established, among other things, to oversee the implementation of the DSA, to take or recommend steps or administrative actions to resolve issues arising during the implementation of the act, and to formulate policies relating to databases for the purposes of data sharing under the DSA. The NDSC is comprised of representatives from several departments and ministries, including the secretary general of the Ministry of Digital, the chief government security officer and a representative of JPDP.

Additionally, Section 11 of the DSA provides the director general with several functions and powers, including the power to: implement policies and strategies related to data sharing, require any person to submit any relevant information or document for the purposes of performing the director general’s duties, and to issue circulars or guidelines. Finally, Section 22 of the DSA gives police officers with the rank of sergeant and above the power to enforce, inspect and investigate any offence under the DSA.

That said, as the DSA has not yet come into force, there are currently no cases of enforcement arising under this act.

Sector-Specific Requirements

Data controllers in different sectors fall under different regulators. For example, BNM acts as the regulator overseeing financial institutions and is responsible for issuing various guidelines, such as guidelines relating to the disclosure of customer information. Additionally, as the regulator, BNM has the power to investigate and impose penalties on financial institutions that fail to comply with the FSA or BNM’s guidelines, including any failure to comply with the secrecy obligation under Section 133.

As a result of BNM’s enforcement powers, in 2019 it issued two separate compounds and administrative monetary penalties. Similarly, several banks were taken to court for their or their employees’ breach of Section 133 of the FSA. 

Similarly, the Registrar of Credit Reporting Agencies is provided under Section 4 of the CRAA with the power to implement and enforce the CRAA, and is responsible for the monitoring, controlling, supervision and regulation of credit reporting agencies.

National Cloud Computing Policy

While the NCCP was overseen and developed by the Ministry of Digital in collaboration with several other ministries and government agencies (ie, the National Cyber Security Agency and the JPDP), the NCCP does not establish any enforcement agency or authority as it is merely a policy meant to guide and promote the adoption of cloud services.

There are currently no rules governing online trafficking technologies such as cookies. As such, Malaysia does not impose any specific requirements relating to consent, op-out models or cookie policies.

Nevertheless, while there are no strict requirements for the use of online tracking technologies, it is generally best practice for websites and other applications or devices to inform their users about the use of such technologies. Examples of such methods include simple pop-up notifications when a user first accesses a website or the insertion of a cookies policy in the website privacy notice or terms of use.

In cases where the online tracking technology processes personal data, the general requirements under the PDPA for the processing of personal data will apply. As such, any person who uses online tracking technology to process personal data will be required, among other things, to obtain consent for such processing, and to prepare and provide users with a privacy notice.

Use of Personalised or Targeted Advertising

Personalised or targeted advertising refers to advertisements that are tailored to an individual’s interest. In order to achieve this, personal data of that individual, such as their age, preferences, purchase history, web search history and nationality, will be collected and processed.

Therefore, any processing of personal data for the purposes of personalised or targeted advertising must be carried out in line with the PDPA. This includes the requirement to obtain the data subject’s consent as well as providing them with a privacy notice which, among other things, informs them that their personal data will be used for the purposes of personalised or targeted advertising.

In the event that the personal data processed includes sensitive personal data, such as a person’s physical or mental health condition, political opinions, religious beliefs, commission or alleged commission of an offence, or biometric data, the advertiser will be required to obtain the explicit consent of the data subject before it may carry out the processing of such data.

The above requirement to obtain consent extends to any personalised or targeted advertising directed at children. In the event that children’s personal data is processed, the advertiser must first ensure that it has the consent of the parent, guardian or such other person who has parental responsibility over the child.

In addition to the general obligations under the PDPA, advertisers are also required, under Section 43 of the PDPA, to provide data subjects with the right to prevent the processing of their personal data for the purposes of direct marketing. Therefore, any advertiser who uses personalised or targeted advertisements must ensure that they provide data subjects with options to prevent such processing. Examples of options that may be provided to data subjects include:

• providing them with an email address which may be used to contact the advertiser on personal data-related matters; or
• attaching a form on the website or app.

Finally, the commissioner of the JPDP intends to issue the ADMP Guideline, which seeks to regulate the processing of personal data through automated decision-making as well as profiling (which involves the processing of personal data to assess personal aspects of an individual, such as their personal preferences, interests and behaviour). Based on the Public Consultation Paper on the Guideline on Automated Decision Making and Profiling, the commissioner of the JPDP intends to provide data subjects with several rights, such as:

• the right to object or not be subjected to a decision based solely on automated decision-making;
• the right to information/transparency; and
• the right to request human review of any automated decision-making.

Therefore, any advertiser who relies on a fully automated system to profile and assess a data subject’s preferences, interests or behaviour will be required to ensure that they comply with the requirements provided under the ADMP Guideline.

Delivery of Personalised or Targeted Advertisements

While there is currently no general prohibition against the means of delivering personalised or targeted advertisements, the Malaysian Communications and Multimedia Commission (MCMC) issued a Public Consultation Paper on Unsolicited Commercial Electronic Messages (“Unsolicited Messages PCP”) in 2025 which, in line with Section 233A of the Communications and Multimedia Act 1998, intends to introduce a framework to address the issues of unsolicited commercial electronic messages.

The Unsolicited Messages PCP provides the following definitions:

• “unsolicited commercial electronic messages” – any commercial electronic message sent through any communication mode where there is no prior relationship between the sender and the recipient or no prior consent from the recipient;
• “commercial electronic message” – any electronic message sent by electronic means for the purpose of promoting, offering, marketing or supplying:
1. products or services;
2. land or any interest in land;
3. business or investment opportunities; or
4. a person or entity that provides such products, services or opportunities; and
• “electronic messages” – any message sent using a network service or applications service to an electronic address, endpoint, or similar communication mode.

Based on the Unsolicited Messages PCP, the MCMC is seeking to prohibit the following activities:

• the acquisition, distribution or usage of certain tools or software designed to extract electronic addresses from online sources or mechanisms that generate addresses through automated or pattern-based guessing (commonly known as “dictionary attacks”); and
• the sending of unsolicited messages to electronic addresses obtained from address harvesting (the automated collection of electronic addresses without consent) or dictionary attacks.

Therefore, in the event that the framework proposed under the Unsolicited Messages PCP is introduced by the MCMC, advertisers will be prohibited from sending any personalised or targeted advertisements via electronic message (such as an email) obtained from address harvesting or dictionary attacks. Nevertheless, the framework proposed under the Unsolicited Messages PCP is subject to change pending confirmation from the MCMC.

Notification of Employees

Generally speaking, any processing of the personal data of job applicants and employees, whether it is for the purposes of adding them to the payroll, providing them with employment-related benefits or for employee disciplinary proceedings, is regulated under the PDPA. As such, employers must first provide the job applicants and employees with their privacy notice to inform them and obtain their consent for the processing of their personal data.

In cases where the employer wishes to process their personal data for new purposes not listed under the personal data protection notice, the employer will be required to obtain employees’ consent for the new purpose or amend the personal data protection notice and inform employees of the amendment.

The above-mentioned obligations also apply to the processing of personal data related to the monitoring of employees, use of the employer’s IT systems, bring-your-own-device policies and background checks. As there are no specific guidelines regulating the processing of personal data for the above-mentioned purposes, the standard obligations and requirements under the PDPA apply.

Regulations Relating to Third-Party Service Providers

Data processors

Additionally, employers often outsource many of their HR-related functions, such as the use of third-party service providers to administer payroll or to conduct background checks. As these third-party service providers process personal data on behalf of the employer for the employer’s purposes, the third-party service providers are considered to be data processors.

Under Section 9(2) of the PDPA, data processors are required to provide the data controller (in this case, the employer) with sufficient guarantees in respect of the technical and organisational security measures governing the processing that is to be carried out on behalf of the employer, and take reasonable steps to comply with these measures. Item 14 of Paragraph 4.1 of the Personal Data Protection Standard further imposes a requirement on the employer to bind the data processor with a contract. This is typically known as a data processing agreement, which includes the data processor’s responsibilities as well as their obligations in relation to the protection of personal data and notification of data breaches.

Credit reporting agencies

In cases where employers wish to conduct background checks on a job applicant or employee through a credit reporting agency, the employers are generally required to first request that the job applicant or employee sign a consent form or letter authorising the disclosure of their information to the employer.

Apart from under the PDPA, there are no specific privacy requirements that specifically apply to M&A and asset deals. As such, when conducting any M&A transaction or asset deal, all parties to the transaction or deal are required to ensure that they have obtained the relevant consent, in line with the requirements under the PDPA.

Nevertheless, certain general privacy requirements that apply to entities that act within certain industries may apply in M&A transactions and asset deals. For example, Section 133 of the FSA imposes a general prohibition on disclosure by any financial institution and its employees concerning documents or information relating to the affairs or accounts of customers of such financial institutions, unless the disclosure meets the relevant conditions set out under Section 134 of the FSA.

Similarly, Section 153 of the Capital Markets and Services Act 2007 (CMSA) prohibits any member, employee or agent of the corporation from disclosing any information or document obtained in the course of their duties, except in the circumstances provided for under Section 154 of the CMSA.

In both cases, employees of the financial institution or corporation will be required to maintain secrecy and ensure that any disclosures made for the purposes of any M&A transaction or asset deal that they are involved in are made in line with the relevant legislation. Therefore, any party to M&A transactions or asset deals is reminded to ensure that they comply with the PDPA as well as any other personal data or privacy-related obligation that may arise from relevant legislation, regulations or guidelines.

The primary act regulating the cross-border transfer of personal data is the PDPA. Section 129 of the PDPA provides that personal data may not be transferred outside Malaysia, except if one of the conditions under Sections 129(2) or (3) is met. Examples of these conditions include:

• the data subject has provided their consent to the transfer;
• the transfer is necessary for the performance of a contract between the data subject and data controller; and

• the data controller has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not be processed in the receiving place in any manner which would be in contravention of the PDPA.

Additionally, the Commissioner recently issued the Guideline on Cross Border Data Transfer (the “CBDT Guideline”) which acts as a guide for compliance with the conditions under Section 129(2) and (3) of the PDPA. For example, the CBDT Guideline provides that any person who wishes to rely on the consent of the data subject must first provide the data subject with a personal data protection notice containing the following details:

• the class of third parties to whom the data will be transferred; and
• the purpose of the transfer.

Therefore, any transfer of personal data outside Malaysia must be compliant with Section 129 of the PDPA, read in line with the CBDT Guideline.

ASEAN Framework on Personal Data Protection

As a member of the Association of South East Asian Nations, Malaysia is a signatory to the ASEAN Framework on Personal Data Protection, which aims to harmonise data protection standards across South-East Asia. In line with the principles under the ASEAN Framework on Personal Data Protection, the ASEAN Model Contractual Clauses for Cross Border Data Flows (“ASEAN MCCs”) were introduced. The ASEAN MCCs sets out the responsibilities, security measures and obligations of parties to the ASEAN MCCs and are designed for the use of private-sector parties in ASEAN member states.

The use of the ASEAN MCCs was recognised in the CBDT Guideline as a method to comply with Section 129(3)(f) of the PDPA, namely the requirement to take all reasonable precautions and exercise all due diligence. However, the CBDT Guideline recommends that data controllers review the ASEAN MCCs to determine whether any additional clauses need to be included.

In addition to the general personal data protection-related requirements, data controllers in certain sectors may also be required to meet the relevant sector-specific regulations or guidelines which impose requirements on cross-border data transfers. For example, financial institutions are required to comply with the relevant BNM guidelines, such as the RMiT, MCIPD and Outsourcing Policy Document. When engaging overseas cloud service providers, for example, financial institutions are required to first conduct due diligence on the service provider.

Malaysia currently does not require any registrations, filings or approvals from authorities for international transfers of data.

There are currently no strict data localisation or residency obligations in Malaysia. However, transfers of personal data outside Malaysia will need to comply with Section 129 of the PDPA.

There are currently no blocking or foreign-judgment control rules restricting foreign discovery, sanctions compliance, or cross-border disclosures in Malaysia.

Section 129 of the PDPA was amended by the Personal Data Protection (Amendment) Act 2024, which came into effect on 1 April 2025.

The Amendment Act removed the whitelist previously provided for under Section 129(1) of the PDPA as well as Section 129(3), which provided that personal data may be transferred outside Malaysia if the “transfer is necessary as being in the public interest in circumstances as determined by the Minister”.

Additionally, the Amendment Act introduced two new conditions, allowing data controllers to conduct their own assessments and transfer personal data outside Malaysia if:

• the receiving place has any law in force that is substantially similar to the PDPA; or
• the receiving place ensures an adequate level of protection in relation to the processing of personal data which is at least equivalent to the level of protection afforded by the PDPA.

The Commissioner has also issued the CBDT Guideline which is meant to be read together with Section 129 of the PDPA.