PDPA Malaysia 2024: Key Amendments & Business Compliance Guide
- Rajvin Singh Gill
- May 16
- 7 min read
Overview of the Personal Data Protection Act 2010
The Personal Data Protection Act 2010 (“PDPA” or “Act”) sets out the legal framework for safeguarding personal data in commercial transactions, aiming to uphold consumer privacy while regulating how data is managed. Section 2 of the PDPA stipulates that the Act applies to persons established in Malaysia who process personal data, and also extends to persons outside Malaysia who process personal data using equipment located in Malaysia (other than merely for transit through Malaysia). Any organization that collects, processes, or stores personal data is required to implement appropriate safeguards to prevent unauthorized access, misuse, or disclosure.
To comply effectively with the PDPA, businesses must familiarize themselves with the Act’s seven core data protection principles: the General Principle, Notice and Choice Principle, Disclosure Principle, Security Principle, Retention Principle, Data Integrity Principle, and Access Principle. These principles serve as the cornerstone of lawful and responsible data handling practices.
The Principles in Brief
Summary of Key Changes under the Personal Data Protection (Amendment) Act 2024 ("PDPA Malaysia 2024")
Terminology Update: “Data Controllers”
The term “data users” has been replaced with “data controllers” to align Malaysia’s PDPA with international standards such as the European Union’s General Data Protection Regulation. This change is mainly terminological and does not alter existing obligations but will require updates to documents such as privacy notices.
Biometric Data now Classified as Sensitive Personal Data
The amendment expands the definition of “sensitive personal data” to include biometric data (e.g. facial recognition, fingerprint, voice, retina, and keystroke patterns). As this category requires stricter consent and security measures, businesses must update consent forms, privacy notices, and security protocols accordingly.
Stricter Penalties for Non-Compliance
The maximum fine for breaching any of the seven core principles set out above has increased from RM300,000.00 to RM1,000,000.00, and the maximum imprisonment term from two (2) years to three (3) years. This signals a move toward stronger enforcement and encourages businesses to conduct internal audits and reinforce compliance measures before the new penalties are tested.
Direct Obligations on Data Processors
For the first time, data processors are directly bound by the PDPA’s Security Principle. They must implement adequate technical and organizational safeguards to protect the personal data they process on behalf of a data controller, and they can now be penalized directly for non-compliance, rather than only through their contract with the controller.
Mandatory Appointment of Data Protection Officers (DPOs) – effective 1 June 2025
Certain organisations engaging in large-scale personal data processing must appoint a Data Protection Officer (DPO), who must be registered with the Commissioner. The DPO will be responsible for overseeing PDPA compliance and liaising with authorities.
The Data Protection Officer Guidelines published by the Commissioner (which take effect on 1 June 2025) provide (amongst others) that an organisation must appoint a DPO if it meets any one of the following conditions:
· it processes personal data of 20,000 or more individuals;
· it processes sensitive personal data, including financial data, of more than 10,000 individuals;
· its data processing activities involve regular and systematic monitoring of individuals.
Other matters to note:
· The DPO can be either an internal staff member or an external service provider.
· The appointed DPO must either reside in Malaysia or be easily reachable through any communication method.
· The organisation must support the DPO in carrying out their responsibilities and ensure the role is properly integrated into its operations, including involving the DPO in all matters related to personal data protection.
· Appointing a DPO does not relieve the organisation of its obligation to comply with the PDPA, and the organisation remains accountable for any breaches of the law.
Mandatory Data Breach Notifications – effective 1 June 2025
Upon section 12B of the PDPA taking effect, a mandatory obligation is imposed on data controllers to notify both the Commissioner and affected individuals (data subjects) in the event of a personal data breach. A personal data breach is broadly defined to include any breach, loss, misuse, or unauthorized access of personal data.
Key matters to note:
· Data controllers must report a breach to the Commissioner if the incident is likely to cause significant harm to individuals or is of a significant scale (affecting more than 1,000 individuals). “Significant harm” includes physical, financial or reputational damage, and misuse of sensitive personal data;
· The Commissioner must be notified as soon as practicable, and no later than 72 hours from the time the data controller becomes aware, or reasonably believes, that a breach has occurred. The clock therefore starts on reasonable belief, not on confirmation, so a suspected breach can already trigger the obligation;
· Affected individuals must be informed without undue delay and no later than 7 days after notifying the Commissioner. The notice must explain the breach, its likely consequences, the steps taken to address it, and the mitigation actions suggested to the individual;
· The Data Breach Notification Guidelines published by the Commissioner (which take effect on 1 June 2025) provide a standard notification form, submission channels, and instructions for handling different breach scenarios (e.g., delayed or phased notifications);
· Data controllers must include contractual terms requiring their data processors to promptly report breaches and to assist in fulfilling the controller’s breach notification obligations;
· Organisations should review and strengthen internal breach response policies (in particular, recording when a breach was first suspected, since the 72-hour period runs from that point) and update contracts with data processors to include breach notification clauses and cooperation duties;
· Non-compliance with Section 12B may result in a fine of up to RM250,000, imprisonment of up to two (2) years, or both.
New Right as to Data Portability
Individuals are now permitted to request the transfer of their personal data from one data controller to another of their choice, such as moving records from one healthcare provider to another. However, this right is not absolute and is subject to factors such as technical feasibility and data format compatibility.
To prepare, data controllers should begin establishing internal procedures and systems to handle data portability requests ahead of the upcoming Data Portability Guidelines to be issued by the Commissioner.
Cross-Border Data Transfers
Section 129 of the PDPA previously governed cross-border data transfers through two key mechanisms:
· transfers to countries officially listed in the Federal Gazette by the Minister, based on whether their data protection laws were comparable to Malaysia’s PDPA (the “Allowed List”); or
· transfers where one of the conditions under Section 129(3) was met, such as obtaining the data subject’s consent (the “Alternative Conditions”).
Since no country has ever been gazetted under the Allowed List, the amendments remove that mechanism, although the underlying idea of transferring to a jurisdiction with comparable protection is retained in a different form.
Under the amended framework, the existing Section 129(3) conditions remain available, and data controllers may additionally transfer personal data overseas if they can show that the destination jurisdiction has laws substantially similar to the PDPA, or otherwise ensures a level of protection equivalent to the PDPA. Unlike other jurisdictions where such adequacy assessments are made by regulatory authorities, this assessment now falls on the data controllers themselves.
This shift may present practical challenges, particularly for smaller organisations, as determining legal equivalence may require consulting legal experts and documenting the assessment, adding to compliance costs and administrative burden.
Conclusion
We encourage businesses to keep abreast of updates on the forthcoming guidelines and to start assessing and updating their internal data protection policies. We will be publishing further articles from time to time to keep you informed of these developments and their practical implications. We hope this summary provides a helpful overview of the latest PDPA developments. If you need further clarification or support regarding these changes or any aspect of personal data protection, please do not hesitate to contact us.
The content presented in this article is meant solely for offering general information and should not be considered as legal opinion or professional advice