Search for:

In brief

Earlier this year, the Malaysian Personal Data Protection Department (PDPD) released several documents to aid data users in their compliance with the Malaysian Personal Data Protection Act 2010 (PDPA) – these include a guide on privacy notices, new codes of practice applicable to the private healthcare industry and the water utilities industry, as well as circulars reminding prescribed classes of data users of their registration obligations.

In more detail


The first in the series of documents issued by the PDPD was the publication of the Guide to Preparation of Personal Data Protection Notice – which aims to serve as a reference for data users in preparing simple, comprehensive and tailored privacy notices for compliance with the requirements of the Notice and Choice Principle under the Malaysian Personal Data Protection Act 2010 (PDPA).

It supplements obligations under the Notice and Choice Principle by requiring privacy notices to also state:

  • if any sensitive personal data will be processed;
  • if personal data of children below the age of 18 years will be processed;
  • if there is any regulatory requirement to collect certain personal data;
  • how long personal data will be retained in the processing;
  • when will personal data be disposed of;
  • what practical measures are taken to ensure personal data is secured;
  • what security measures are taken to ensure any disclosure of personal data is safe and secure;
  • the name of third parties to whom personal data is disclosed and for what purpose; and
  • the effective and last revision dates of the privacy notice.

The guide also emphasises that a privacy notice serves to notify data subjects of how their personal data is being processed, and should therefore not be used as a platform to obtain consent (especially a blanket consent) for processing their personal data.

While the guide does not appear to have legal force, data users are nevertheless encouraged to abide by the requirements set out in the guide as best practice.

Codes of practice

In February 2022, the PDPD published two industry codes of practice:

Data users falling within the prescribed sectors above should note that non-compliance with the code of practice is an offence under the PDPA, punishable with a fine up to MYR 100,000 (~ USD 24,000) and/or imprisonment up to one year.


The Personal Data Protection Commissioner also released two circulars in February 2022, reminding prescribed classes of data users of their obligation under the PDPA to register with the PDPD and to renew their certificates of registration before expiry:

A list of the 13 prescribed classes of data users can be found in the first of the aforementioned circulars (only available in the local Malay language).

Where a data user falls within the prescribed classes, processing personal data without a certificate of registration is an offence under the PDPA, which may attract liability to a fine up to MYR 500,000 (~ USD 120,000) and/or imprisonment up to three years. Failure of renewal may also result in a fine up to MYR 250,000 (~ USD 60,000) and/or imprisonment up to two years.

Looking ahead

These latest developments suggest an increasingly proactive stance being taken by the PDPD in enforcing and promoting compliance with the PDPA. Given the pace of data privacy reforms globally and in the region, businesses should continue to monitor developments under Malaysia’s data privacy regime.

* * * * *

This client alert was issued by Wong & Partners, a member firm of Baker McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “partner” means a person who is a partner or equivalent in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.


Kherk Ying Chew heads the Intellectual Property and Dispute Resolution Practice Groups of Wong & Partners. She has decades of experience in IP, commercial litigation, corporate compliance, information technology and Internet regulatory issues. She is ranked in Tier 1 for IP in Malaysia by Chambers Asia Pacific which has noted that Kherk Ying is "an acclaimed figure in the sector, drawing praise as a lawyer who is 'really commercial, very practical' and 'knows her subject impressively well." Asia Pacific Legal 500 inducted her into its Hall of Fame in 2021 for IP, it had commented that she is "highly respected for contentious and non-contentious work". Kherk Ying was also named in Benchmark Asia-Pacific’s Top 100 Women in Litigation for IP and Commercial Transactions (2020-2021). Kherk Ying won the Women Lawyer of the Year at the ALB Malaysia Law Awards in 2019. She is highly regarded for IP litigation, and has been named the "Best Female Lawyer in IP Litigation" by Euromoney Asia Women in Business Law Awards 2014. She is also recognised as a Tier 1 lawyer in enforcement and litigation by the World Trademark Review 1000, and ranked as a Tier 1 litigation and transactions professional by IAM Patent 1000. Kherk Ying is a registered trade mark, patent and design agent in Malaysia and the principal author of the CCH published Intellectual Property Laws of Malaysia. She is among the few selected trainers for an IP valuation course by Intellectual Property Corp of Malaysia (MyIPO) and is an accredited IP valuer by the World Trade Institute.


Sonia is a partner in the Intellectual Property & Technology Practice Group of Wong & Partners. She returned to private practice after successful stints as general counsel of Hewlett-Packard Malaysia and Kimberly-Clark Malaysia, Philippines and Indonesia. In 2019, Sonia was recognised amongst leading in-house professionals in the Legal 500 GC Powerlist: Southeast Asia.


Chun Hau Ng is an Associate in Wong & Partners, Kuala Lumpur office.

Write A Comment