
Malaysian personal data protection act 2010: enforcement update

1 August 2013

After a number of delays we are pleased to report the impending enforcement regime in Malaysia. There is a three month moratorium to enable businesses to get compliant.


In June 2010 the Parliament of Malaysia passed a Personal Data Protection Act (PDPA) with the aim of protecting the personal data of individuals with respect to commercial transactions. The PDPA 2010 is supposed, among other things, to diminish the amount of unsolicited and unwanted spam sent via SMS, most recently prevalent during the Malaysian General Election of May 2013.

From an organisational perspective, the PDPA 2010 has a far-reaching impact and affects the manner in which organisations interact with their employees, customers and third-party service providers, as well as how they store, handle and process personal data. The seven principles of the Act ensure that the collection and use of personal data must be consented to by the data subject, and steps must be taken to ensure that this personal data is updated, correct and securely stored.

Failure to comply with any of the seven principles of the PDPA 2010 is an offence punishable by a fine of RM300,000 or up to two years' imprisonment; in some cases both are applied.


'Personal data' may be defined as any information that relates directly or indirectly to a data subject, who may be identified or identifiable from that information or from that and other information in the possession of a data user. Personal data may take many forms, from name to passport number, telephone number, photograph, fingerprint etc.

A 'data user' is the party using the personal data of that individual, referred to in the Act as the data subject.


There was some considerable delay in the implementation of this Act, but the Malaysian Personal Data Protection Act 2010 will be enforced on 16 August 2013. At the same time, a first set of subsidiary and supplemental legislation will be released, aimed at illustrating the interpretation and application of the PDPA. However, the Guidelines and Codes of Practice will not be released on this date.

A three month transition (or sunrise) period will run from 17 August - 14 November 2013 which will allow companies and organisations to develop their strategies and establish the necessary compliance policies. The first phase of the PDPA 2010 will commence on 15 November 2013 enforced by the Personal Data Protection Department (Jabatan Perlindungan Data Peribadi - JPDP).

On 1 January 2014 the JPDP will be rebranded as the Personal Data Protection Commission.

The Personal Data Protection Commission Official Website will be launched by the end of 2013.

There will be 3 subsequent phases of enforcement:

  • First phase: the registration of data users and increasing of awareness
  • Second phase: advisory and compliance visits by the Commission enforcement team
  • Third phase: audit visits by the Commission; risk of prosecution for non-compliance

Companies and organisations must comply with the first phase of enforcement, the registration of data users, by 15 November 2013. Data users must register companies/organisations which come under the following categories:

  • Banking and finance
  • Insurance
  • Telecommunications
  • Utilities
  • Healthcare
  • Hospitality and Tourism
  • Education
  • Real Estate/Property Development
  • Marketing
  • Services (eg legal, accountancy, business consultancy, engineering, architecture, employment agencies, transportation)
  • Retail and wholesale

Thanks to our friend and expert advisor in Malaysia, Noriswadi Ismail, for providing us with information upon which we based this article and to our summer student, Helen Siviter, for her research and creativity.

For more information please contact Robert Bond, Partner

T: +44 (0)20 7427 6660