KUALA LUMPUR, August 28 — In an age of phishing, spam bombardment and potential scams, protecting personal data has never been more crucial.

That’s why the Personal Data Protection Act 2010 (PDPA) exists — its function is to protect the public from the misuse of their personal data through a set of principles that data controllers (or organisations or businesses that process personal data) must follow.

But what exactly is personal data? According to Malaysian Bar Council Personal Data Protection Committee’s chairperson Sathish Ramachandran, any information that can identify a person is considered personal data.

“That includes things such as name, email address, phone number, age, address, date of birth, IC number, photographs — these are all considered personal data.

“It’s basically anything that can identify (an individual) directly or indirectly,” he said.

The PDPA also sets out seven principles that data controllers must abide by:

  1. General Principle: Personal data can only be processed with the data subject’s consent and for a lawful purpose. The data collected must not be excessive for that purpose.
  2. Notice and Choice Principle: Data subjects must be informed in writing (in both Bahasa Malaysia and English) about the purpose of data collection, the type of data being collected, and their rights to access and correct the data.
  3. Disclosure Principle: Personal data cannot be disclosed to a third party without the data subject’s consent.
  4. Security Principle: Data controllers must take reasonable steps to protect personal data from loss, misuse, modification, unauthorised access or disclosure.
  5. Retention Principle: Personal data should not be kept longer than necessary for the purpose for which it was collected. It must be securely destroyed or deleted when it is no longer needed.
  6. Data Integrity Principle: Data controllers must take reasonable steps to ensure that the personal data they hold is accurate, complete, not misleading and up-to-date.
  7. Access Principle: Data subjects have the right to request access to their personal data held by a data controller and to request correction of any inaccurate information.

The PDPA gives individuals rights as ‘data subjects,’ allowing them control over their information and how it is used.

The PDPA mandates that all data controllers register with the Personal Data Protection Commissioner (PDPC) — a requirement that spans both public and private sectors.

Failure to comply carries serious consequences. Under the PDPA, all types of data controllers — whether in transportation, education, healthcare, finance, telecommunications, retail, or other industries handling personal data — who fail to register with the PDPC are committing a serious offence.

They are liable to a fine not exceeding RM500,000, imprisonment for up to three years, or both. This penalty is stipulated under Section 16(4) of the Personal Data Protection Act 2010.

In 2024, the Act underwent several amendments, which came into force in two phases, on April 1 and June 1 of this year.

What’s new with PDPA?

The recent amendments to the PDPA aim to address the challenges of the modern digital landscape and to align Malaysia’s data protection framework with international standards.

Among the changes that took effect on April 1 is the classification of biometric data, such as fingerprints and facial scans, as sensitive personal data, which must now be handled under stricter security and consent requirements.

Another key change is the increase in maximum penalties for breaching PDPA principles — fines have risen from RM300,000 to RM1 million, and the maximum prison term has been extended from two to three years.

Another notable change is a new obligation on data processors — entities that process data on behalf of data controllers — who must now comply with the Security Principle of the PDPA.

The second series of amendments, effective June 1, includes the mandatory appointment of a Data Protection Officer (DPO) by both data controllers and data processors to oversee compliance with the PDPA.

Data controllers are now required to promptly notify both the data subject and the Personal Data Protection Commissioner (PDPC) — the key enforcement authority under the PDPA — in the event of a personal data breach.

Data subjects now have the right to request that a data controller transfer their personal data directly to another controller of their choice, whenever technically feasible.

As prevention is better than cure, Vishnu recommends strengthening online security by using unique passwords for each account and enabling multi-factor authentication. — Reuters pic

Dealing with personal data breaches

Personal data breaches are especially concerning when they involve high volumes of personal data.

However, this does not mean that small breaches of personal data are harmless, as they can also lead to harmful consequences such as identity theft, monetary loss and even emotional distress.

According to lawyer Vishnu Vijandran of Aqran Vijandran Advocates & Solicitors, when the unthinkable happens, swift and structured action can help limit further harm — including notifying the relevant parties and authorities, and filing a complaint with the PDPC.

In the event of a personal data breach, here’s what you can do:

Alert your financial institutions to freeze or monitor affected accounts. If criminal activity is suspected, filing a police report may trigger investigations under the Computer Crimes Act 1997 and, where applicable, the Penal Code.

As a data subject, you can contact the data controller via email or phone to request a halt to any harmful processing. They are required to cease any activity causing damage or distress and must respond within 21 days.

You may also file a complaint with the PDPC, which can issue an enforcement notice compelling the organisation to fix security gaps, stop processing, or delete the data.

Complaints to the PDPC are free and can be submitted in person at their Putrajaya office or online.

This process may offer swift relief without the need for litigation. If the outcome is disputed, individuals have the right to appeal to the PDPA Appeal Tribunal.

To opt out of direct marketing, you can send a written or email notice to the data controller requesting that it stop all advertising messages aimed at you. Non-compliance may result in an enforcement notice from the PDPC.

Recent amendments to the PDPA now allow data subjects to transfer their personal data to a different data controller — meaning you can switch from a platform that mishandled your data to one you trust more.

As prevention is better than cure, Vishnu recommends strengthening online security by using unique passwords for each account and enabling multi-factor authentication (MFA).

Limitations of PDPA

Despite the recent amendments to the Act, the PDPA still has some limitations. 

According to Sathish, one of the significant limitations of PDPA is that it can’t be applied to the federal and state governments. 

While the introduction of the Data Sharing Act 2025 provides a legal framework for data exchange among public sector agencies, Sathish cautioned that it falls short of a complete solution — as its scope excludes the private sector.

Another limitation is that the Act applies only to commercial transactions, meaning non-commercial activities — such as those of political parties, charities or non-profit organisations — fall outside its scope.

Under the PDPA, individuals do not have a statutory right to claim compensation for a data breach.

Do note that while the PDPC is the enforcement body for the PDPA, it does not have the authority to order compensation for damages.

However, affected individuals may still seek redress through separate legal avenues, such as filing a civil lawsuit based on the tort of negligence or breach of contract.