Last modified 12 February 2026

Data Protection in Malaysia

Transfer of personal data in Malaysia

Download PDF

Download current country

Change countries

Change country

Law

Data protection laws in Malaysia

Malaysia's first comprehensive personal data protection legislation, the Personal Data Protection Act 2010 (PDPA), was passed by the Malaysian Parliament on June 02, 2010 and came into force on November 15, 2013.

In 2024, amendments were introduced to the PDPA, namely the Personal Data Protection (Amendment) Act 2024 (“Amendment Act”). This was pursuant to the Personal Data Protection Department (PDP Department) shortlisting 5 issues as key proposed amendments out of 22 issues set out in the Public Consultation Paper No. 01/2020 – Review of Personal Data Protection Act 2010 (PC01/2020). The Amendment Act subsequently came into force in three stages throughout 2025.

Most notably, the Amendment Act introduced new requirements such as appointment of a data protection officer (DPO), data breach notification and right of data portability. The requirements for cross-border personal data transfers were also enhanced. The Amendment Act also replaced the term ‘data user’ with ‘data controller’ and expanded the definition of ‘sensitive personal data’ to include biometric data.

The PDP Department has also issued three (3) guidelines to complement the amendments to the PDPA, namely:

Personal Data Protection Guidelines on Data Breach Notification (DBN Guidelines);
Personal Data Protection Guidelines on the Appointment of Data Protection Officer (DPO Guidelines); and
Personal Data Protection Guidelines No. 03/2025 on Cross-Border Personal Data Transfer (CBPDT Guidelines) which provide further clarity and guidance on the amendments.

Specifically on the appointment of a DPO, the PDP Department issued guidelines specifically on DPO competency and training, which are:

Data Protection Officer (DPO) Competency Guideline (DPO Competency Guideline);
Data Protection Officer (DPO) Professional Development Pathway & Training Roadmap (DPO Development Roadmap); and
Management of Data Protection Officer (DPO) Training Service Providers Guidelines (DPO Training Providers Guidelines).

The Digital Minister, Gobind Singh Deo has stated that there will be other guidelines on automated decision making and profiling, data protection by design, data protection impact assessment and the right to data portability. For this purpose, the relevant Public Consultation Papers to gather public opinion and feedback have already been completed. The guidelines are expected to be issued in 2026.

The PDP Department has also issued a Public Consultation Paper on Proposed Amendments to the Personal Data Protection Regulations 2013 on August 22, 2025 to ensure alignment with the amendments to the PDPA.

Related resources

Definitions

Definitions in Malaysia

Definition of personal data

'Personal data' means any information in respect of commercial transactions that is:

Being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;
Recorded with the intention that it should wholly or partly be processed by means of such equipment; or
Recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, and, in each case

... that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data controller, but shall not include a deceased individual.

Personal data includes any sensitive personal data or expression of opinion about the data subject. Personal data does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010.

Definition of sensitive personal data

'Sensitive personal data' means any personal data consisting of information as to the physical or mental health or condition of a data subject, his or her political opinions, his or her religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him or her of any offense, biometric data, or any other personal data as the Minister of Communications and Multimedia (Minister) may determine by published order. The Amendment Act defines the recently introduced definition of “biometric data” as “any personal data resulting from technical processing relating to the physical, physiological or behavioural characteristics of a person”.

Other than the categories of sensitive personal data listed above, the Minister has not published any other types of personal data to be sensitive personal data as of February 10, 2026.

Related resources

Authority

National data protection authority in Malaysia

Pursuant to the PDPA, a Personal Data Protection Commissioner (Commissioner) has been appointed to implement the PDPA's provisions. The Commissioner is advised by a Personal Data Protection Advisory Committee who are appointed by the Minister, and shall consist of one Chairman, three members from the public sector, and at least seven, but no more than eleven other members. The appointment of the Personal Data Protection Advisory Committee shall not exceed a term of three years; however, members can be appointed for two successive terms.

The Commissioner's decisions can be appealed through the Personal Data Protection Appeal Tribunal. The following are examples of appealable decisions:

Decisions relating to the registration of data controller under Part II Division 2 of the PDPA;
The refusal of the Commissioner to register a code of practice under Section 23(5) of the PDPA;
The service of an enforcement notice under Section 108 of the PDPA;
The refusal of the Commissioner to vary or cancel an enforcement notice under Section 109 of the PDPA; or
The refusal of the Commissioner to conduct or continue an investigation that is based on a complaint under Part VIII of the PDPA.

If a data controller is not satisfied with a decision of the Personal Data Protection Advisory Committee, the data controller may proceed to file a judicial review of the decision in the Malaysian High Courts.

Related resources

Registration

Registration in Malaysia

Currently, the PDPA requires the following classes of data controllers to register under the PDPA:

Communications

A licensee under the Communications and Multimedia Act 1998
A licensee under the Postal Services Act 2012

Banking and financial institutions

A licensed bank and licensed investment bank under the Financial Services Act 2013
A licensed Islamic bank and licensed international Islamic bank under the Islamic Financial Services Act 2013
A development financial institution under the Development Financial Institution Act 2002

Insurance

A licensed insurer under the Financial Services Act 2013
A licensed takaful operator under the Islamic Financial Services Act 2013
A licensed international takaful operator under the Islamic Financial Services Act 2013

Health

A licensee under the Private Healthcare Facilities and Services Act 1998
A holder of the certificate of registration of a private medical clinic or a private dental clinic under the Private Healthcare Facilities and Services Act 1998
A body corporate registered under the Registration of Pharmacists Act 1951

Tourism and hospitalities

A licensed person who carries on or operates a tourism training institution, licensed tour operator, licensed travel agent or licensed tourist guide under the Tourism Industry Act 1992
A person who carries on or operates a registered tourist accommodation premises under the Tourism Industry Act 1992

Transportation

Certain named transportations services providers

Education

A private higher educational institution registered under the Private Higher Educational Institutions Act 1996
A private school or private educational institution registered under the Education Act 1996

Direct selling

A licensee under the Direct Sales and Anti-Pyramid Scheme Act 1993

Services

A company registered under the Companies Act 1965 or a person who entered into partnership under the Partnership Act 1961 carrying on business as follows:
- legal
- audit
- accountancy
- engineering
- architecture
A company registered under the Companies Act 1965 or a person who entered into partnership under the Partnership Act 1961, who conducts retail dealing and wholesale dealing as defined under the Control Supplies Act 1961
A company registered under the Companies Act 1965 or a person who entered into partnership under the Partnership Act 1961, who carries on the business of a private employment agency under the Private Employment Agencies Act 1981

Real estate

A licensed housing developer under the Housing Development (Control and Licensing) Act 1966
A licensed housing developer under the Housing Development (Control and Licensing) Enactment 1978, Sabah
A licensed housing developer under the Housing Developers (Control and Licensing) Ordinance 1993, Sarawak

Utilities

Certain named utilities services providers

Pawnbroker

A licensee under the Pawnbrokers Act 1972

Moneylender

A licensee under the Moneylenders Act 1951

Certificates of registration are valid for at least one year, after which data controllers must renew registrations and may not continue to process personal data.

Data controllers are also required to display their certificate of registration at a conspicuous place at their principal place of business, and a certified copy of the certificate at each branch, where applicable.

The Commissioner may designate a body or a data controller as a data controller forum for a class of data controllers. Data controller forums can prepare codes of practice to govern compliance with the PDPA, which can be registered with the Commissioner. Once registered, all data controllers must comply with the provisions of the code, and non-compliance violates the PDPA. The Commissioner has published several codes of practice, including for the banking and financial sector, the aviation sector, the utilities sector, communications sector, the healthcare sector, and the insurance and takaful industry in Malaysia. There is also a general code of practice which applies to classes of data controllers required to be registered as data controllers under the PDPA who are currently not subject to any codes of practice registered by the Commissioner.

Related resources

Data protection officers

Data protection officers in Malaysia

Under the Amendment Act to PDPA, the data controller or data processor is required to appoint one or more DPO who shall be accountable to the data controller or data processor for the compliance with the PDPA. Such appointment will not discharge the data controller or data processor from all their duties and functions under the PDPA. This requirement has come into force on June 01, 2025.

The DPO Guidelines, provides that according to the Circular of Personal Data Protection Commissioner No. 01/2025 (Appointment of Data Protection Officer), the mandatory DPO appointment requirement applies only to data controllers or data processors where their processing of personal data involves:

Personal data exceeding 20,000 data subjects;
Sensitive personal data including financial information data exceeding 10,000 data subjects; or
Involves activities that require regular and systematic monitoring of personal data.

Although the DPO Guidelines provides there is no minimum professional qualification required to being appointed as a DPO, they are required to demonstrate the following skills, qualities and expertise at a sound level:

Knowledge on PDPA and requirements of data protection laws in the country;
Understanding of the data controller or data processor’s business operations and the personal data processing operations that are carried out;
Understanding of information technology and data security;
Personal qualities such as integrity, understanding of corporate governance and high professional ethics; an
Ability to promote data protection culture within the organisation.

To complement the DPO Guidelines, the DPO Competency Guideline was issued which outlines the core competencies expected, and the knowledge, skills and abilities expected of the DPO in those competencies to provide risk-based guidance to companies on appointing their DPO. Whereas the DPO Development Roadmap sets out a prospective development pathway and training roadmap to support the appointed DPOs. The DPO Training Provider Guidelines also provides a prospective framework to formally recognise and exercise oversight on training providers.

A DPO is allowed to carry out additional job functions beyond their data-specific roles as a DPO, provided it does not cause a conflict of interest. Additionally, it is also essential to note that a single DPO is allowed to serve multiple entities, provided the DPO is easily accessible to these entities receiving the DPO’s service. Hence, a data controller or data processer may appoint the DPO from existing employees or through an outsourcing service. To ensure responsiveness and accessibility, it is required the DPO shall be:

Resident in Malaysia; or
Easily contactable via any means; or
Proficient in Bahasa Melayu (the local language) and English language

The data controller or data processor who is required to appoint a DPO is required to register their appointed DPO by providing a notification to the Commissioner.

The DPO’s contact information shall be published at least on the official website or other official media of the data controller or data processor, in the personal data protection notice and/or in the security policies and guidelines.

Related resources

Collection and processing

Collection and processing in Malaysia

Under the PDPA, subject to certain exceptions, data controllers are generally required to obtain a data subject’s consent for the processing (which includes collection and disclosure) of his or her personal data. Where consent is required from a data subject under the age of eighteen (18) years of age, the data controller must obtain consent from the parent, guardian or person who has parental responsibility for the data subject. The consent obtained from a data subject must be in a form that such consent can be recorded and maintained properly by the data controller.

Pursuant to PC01/2020, the Commissioner has sought feedback on its proposal to amend the General Principle provision to add clarity to the data subject's consent, whether it should be in a specific provision and the impact of having a default consent.

Malaysian law contains additional data protection obligations, including, for example, a requirement to notify data subjects regarding the purpose for which their personal data are collected and a requirement to maintain a list of any personal data disclosures to third parties.
The Personal Data Protection Standard 2015 (“Standards”) set out the Commission’s minimum requirements for processing personal data. The Standards include the following:

Security Standard For Personal Data Processed Electronically
Security Standard For Personal Data Processed Non-Electronically
Retention Standard For Personal Data Processed Electronically And Non-Electronically
Data Integrity Standard For Personal Data Processed Electronically And Non-Electronically

However, the Commissioner has issued the Public Consultation Paper No. 04/2024: Personal Data Protection Standards (PC04/2024) on October 01, 2024 to seek feedback from the public on the revision of the above minimum requirements. The proposed revisions under the PC04/2024 include:

Replacing “black and white” rules (i.e. prescriptive and specific instructions or measures that data controllers must comply with) with requirements that are outcome based;
Removing the differentiation between personal data processed electronically or physically and provide the security standards which applies to personal data generally; and
The role of certification schemes to demonstrate compliance with the Standards.

No formal date has been announced for the issuance of the revised Standards.

Related resources

Transfer of personal data

Transfer of personal data in Malaysia

Pursuant to the Amendment Act, the data controllers may transfer any personal data of a data subject out of Malaysia to a country that has substantially similar laws or where the country ensures equivalent levels of protection to that of the PDPA. These amendments have come into force on April 01, 2025.

Even if these requirements are not satisfied, the cross-border transfer is permissible if it falls within the exceptions to this restriction under the PDPA, including the following:

The data subject has given his or her consent to the transfer;
The transfer is necessary for the performance of a contract between the data subject and the data controller;
The data controller has taken all reasonable steps and exercised all due diligence to ensure that the personal data will not be processed in a manner that would contravene the PDPA; and
The transfer is necessary to protect the data subject’s vital interests.

Additionally, the PDP Department has issued the Personal Data Protection Guidelines on Cross-Border Personal Data Transfer (CBPDT Guidelines) on April 29, 2025. The CBPDT Guidelines, among others, provides that the data controllers, who wish to transfer the data out of Malaysia on the ground that the destination has laws that are substantially similar to PDPA or has equivalent levels of protection, must conduct a Transfer Impact Assessment (TIA). The CBPDT Guidelines also recognised the adoption of cross border transfer mechanisms such as Binding Corporate Rules (BCRs), Standard Contractual Clauses (SCCs) and certifications under an approved certification scheme.

Under the CBPDT Guidelines, when a data controller enters into a contract with a third party or data processor, it shall include clauses on the processing of personal data, including the security of the data. The data controller is also responsible to ensure the data processor complies with the Security Principle and other subsidiary legislation, standard or guidelines relating to the protection of personal data.

Related resources

Security

Security in Malaysia

Under the PDPA, data controllers have an obligation to take ‘practical’ steps to protect personal data, and in doing so, must develop and implement a security policy. The Commissioner may also, from time to time, set out security standards with which the data controller must comply. The Amendment Act has also imposed the direct obligation on data processors to comply with the Security Principle under the PDPA.

In addition, the Standards provide separate security standards for personal data processed electronically and for personal data processed non-electronically (among others) and require data controllers to have regard to the Standards in taking practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. The Standards are currently under review.

Related resources

Breach notification

Breach notification in Malaysia

The Amendment Act has introduced a new Section 12B and imposed a mandatory personal data breach notification obligation on data controllers. These amendments have come into operation on June 01, 2025. A data controller shall notify the Commissioner as soon as possible if he has reason to believe that a personal data breach has occurred and it causes or is likely to cause significant harm. The ‘significant harm’ requirement is satisfied where there is a risk that the compromised personal data:

May result in physical harm, financial loss, a negative effect on credit records or damage to or loss of property;
May be misused for illegal purposes;
Consists of sensitive personal data;
Consists of personal data and other personal data which, when combined, could potentially enable identity fraud; or
Is of significant scale (i.e. the number of affected data subjects exceeds 1,000).

If the personal data breach causes or is likely to cause any significant harm to the data subject, the data controller shall also notify the data subject of such data breach without unnecessary delay. The above list defining significant harm for notifying the Commissioner also applies to the notification to data subjects, except the criterion on significant scale.

The DBN Guidelines have also provided for the manner and form and timeframe for a data breach notification and the duty for data controllers to conduct assessments and maintain records of data breaches.

Related resources

Enforcement

Enforcement in Malaysia

Under the PDPA, the Commissioner is empowered to implement and enforce the personal data protection laws and to monitor and supervise compliance with the provisions of the PDPA. Under the Personal Data Protection Regulations 2013, the Commissioner has the power to inspect the systems used in personal data processing and the data controller is required, at all reasonable times, to make the systems available for inspection by the Commissioner or any inspection officer. The Commissioner or the inspection officers may require the production of the following during inspection:

The record of the consent from a data subject maintained in respect of the processing of that data subject's personal data by the data controller;
The record of required written notices issued by the data controller to the data subject;
The list of personal data disclosures to third parties;
The security policy developed and implemented by the data controller;
The record of compliance with data retention requirements;
The record of compliance with data integrity requirements; and
Such other related information which the Commissioner or any inspection officer deems necessary.

Violations of the PDPA and certain provisions of the Personal Data Protection Regulations 2013 are punishable with criminal liability. The prescribed penalties include fines, imprisonment or both. Directors, CEOs, managers or other similar officers will have joint and several liability for non-compliance by the body corporate, subject to a due diligence defense.

Furthermore, Public Consultation Paper No. 04/2025: Proposed Amendments to the Personal Data Protection Regulations 2013 (PC04/2025) was issued on 22 August 2025 to seek feedback from the public on proposed amendments which could potentially lead to an enhanced enforcement climate. Specifically, the PC04/2025 proposes broadening the scope of inspection powers of the Commissioner by increasing the scope of information that may be requested. This oversight by the Commissioner has been proposed to also extend to data processors, who would be required to facilitate inspections to ensure adherence to the security principle.

There is no express right under the PDPA allowing aggrieved data subjects to pursue a civil claim against data controllers for breaches of the PDPA. However, under PC01/2020, the Commissioner has proposed to introduce a specific provision stating the right of a data subject to commence civil litigation against a data controller.

Related resources

Electronic marketing

Electronic marketing in Malaysia

The PDPA applies to electronic marketing activities that involve the processing of personal data for the purposes of commercial transactions. There are no specific provisions in the PDPA that deal with electronic marketing. However, the PDPA provides that a data subject may, at any time by notice in writing to a data controller, require the data controller at the end of such period as is reasonable in the circumstances to cease or not to begin processing his or her personal data for direct marketing purposes. 'Direct marketing' means the communication by whatever means of any advertising or marketing material that is directed to particular individuals.

Pursuant to PC01/2020, the Commissioner is considering issuing a guideline to data controllers on the mechanism of digital and electronic marketing. The Commissioner has sought feedback on a proposed requirement on data controllers to provide a clear mechanism for data subjects to unsubscribe from online services and the elements to be considered in preparing the guideline on processing personal data in digital and electronic marketing.

The Commissioner is also considering issuing a guideline on the implementation of direct marketing for data controllers. Feedback from the public is sought as to whether a proposed data controller is allowed to make the first direct marketing call to the data subject, the use of the 'opt-out' method, and the important elements to be considered in the preparation of such guideline.

In addition to PDPA, the Malaysian Communications and Multimedia Commission (MCMC) has also launched a Public Consultation Paper on Unsolicited Commercial Electronic Messages (PC MCMC) on August 13, 2025. This is in light of amendments to the Communications and Multimedia Act 1988 which prohibit the sending of spam which is in contravention of the Act. It proposes that the recipient must consent to the sending of the message, either expressly or impliedly, and consent must be recorded. Implied consent may be relied on only where there is an established relationship between the sender and recipient. Furthermore, all messages must include a clear, functional and no-cost mechanism for the recipients to withdraw their consent and unsubscribe from future communications. However, it should be noted that these requirements have not yet come into force.

Related resources

Online privacy

Online privacy in Malaysia

There are no provisions in the PDPA that specifically address the issue of online privacy (including cookies and location data). However, any electronic processing of personal data in Malaysia will be subject to the PDPA and the Commissioner may issue further guidance on this issue in the future.

Related resources

Key contacts

Data protection lawyers in Malaysia

Jillian Chia

Partner

Skrine

Kuala Lumpur

Email Full bio

Even if these requirements are not satisfied, the cross-border transfer is permissible if it falls within the exceptions to this restriction under the PDPA, including the following:

The data subject has given his or her consent to the transfer;
The transfer is necessary for the performance of a contract between the data subject and the data controller;
The data controller has taken all reasonable steps and exercised all due diligence to ensure that the personal data will not be processed in a manner that would contravene the PDPA; and
The transfer is necessary to protect the data subject’s vital interests.

Quick links

Data Protection in Malaysia

Transfer of personal data in Malaysia

Continue reading