Search for:

In brief

The General Code of Practice of Personal Data Protection (“General CoP“) introduces new legal requirements to be complied with by data users caught within its ambit. It also seeks to provide best practice recommendations with respect to the implementation of principles under the Personal Data Protection Act 2010 and its subsidiary legislation (PDPA).

Some of the new legal requirements include providing additional mandatory information in a personal data protection notice, complying with data subjects’ written request not to process their personal data for direct marketing within reasonable time, maintaining a personal data system and establishing a PDPA compliance framework.


  1. In more detail

In more detail

The General CoP was issued by the Personal Data Protection Commissioner (“Commissioner“) and became effective from 15 December 2022.

Non-compliance with the provisions of the General CoP is an offense under the PDPA, which may attract a fine not exceeding MYR 100,000 (~ USD 24,000) and/or imprisonment for a term not exceeding one year (“Penalties“). Where the offense is committed by a body corporate, its directors and other officers in the management could be personally liable. 

Who does it apply to?

The General CoP appears to apply to classes of data users who are not presently, subject to a specific code of practice under the PDPA. To recap, the Commissioner had in the past registered a number of sector-specific codes of practice under the PDPA, including for the following (“Selected Sectors“):

  • Private hospitals in the healthcare industry
  • The utilities sector (water)
  • The utilities sector (electricity)
  • Licensees under the Communications and Multimedia Act 1998
  • The banking and financial sector
  • The insurance and takaful Industry
  • The aviation sector

Data users1 who fall within the Selected Sectors above would need to comply with their respective codes of practice. The General CoP is therefore aimed at classes of data users under the PDPA who do not fall within any of the Selected Sectors above (“Affected Data Users“). These may include, among others, certain businesses involved in tourism, education, direct selling, real estate and professional services (e.g., legal, audit, accountancy, engineering, architecture).

What are the new legal requirements?

Some of the new legal requirements introduced by the General CoP are briefly discussed below.

  • Additional Mandatory Information For Personal Data Protection Notices

On top of those specified in the PDPA, the General CoP requires a personal data protection notice issued by Affected Data Users to, among others, also address the following:

  1. If any sensitive personal data (i.e., relating to mental/physical health, political opinions, religious beliefs or commission of offense) will be processed
  2. If personal data of children below the age of 18 years will be processed
  3. If there is any regulatory requirement to collect certain personal data
  4. What practical and security measures are taken to ensure personal data and its disclosure is safe and secured
  5. The name of third parties to whom personal data is disclosed and for what purpose

These additional details have earlier been set out in the Guide to Prepare Personal Data Protection Notice published by the Commissioner’s office in January 2022, but the guide did not appear to have legal force. This uncertainty has now been put to rest with the General CoP.

  • Direct Marketing

“Direct marketing” is defined under the PDPA as the communication by whatever means of any advertising or marketing material which is directed to particular individuals. The PDPA expressly allows data subjects to notify a data user to cease or not begin to process their personal data, for purposes of direct marketing (“Cessation Notice”).

The General CoP now mandates that Affected Data Users must comply with the Cessation Notice within a reasonable time frame. Failing which, the Penalties will apply. Affected Data Users can therefore no longer attempt to ignore Cessation Notices.   

  • Personal Data System

“Personal data system” is defined under the PDPA to essentially mean a system used by a data user for the processing of personal data and it includes the records maintained for such processing.

The General CoP has in effect, confirmed the need for an Affected Data User to among others, establish a personal data system and which system, will need to include certain prescribed records (e.g., consent records, security policies). 

  • Compliance Framework

The General CoP also expressly requires Affected Data Users to develop and implement a compliance framework with appropriate compliance policies and procedures to ensure compliance with the General CoP and the PDPA.

Concluding remarks

The General CoP provides more clarity over the implementation of the general principles under the PDPA, especially for the Affected Data Users. It is also directionally, in line with the prevailing Malaysian Government’s emphasis on ensuring that personal data is processed appropriately and safely by data users.

Given the potential criminal exposure for non-compliance, businesses who are subject to the General CoP should undertake a thorough internal review of its personal data protection policies and frameworks to determine if they are in compliance with the new legal requirements under the General CoP.


1 “Data users” essentially mean those who have control over or authorize the processing of any personal data (excluding data processors). “Data processors” refer to those who process the personal data solely on behalf of the data user and not for any of their own purposes.

* * * * *

This client alert was issued by Wong & Partners, a member firm of Baker McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “partner” means a person who is a partner or equivalent in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.


Kherk Ying Chew heads the Intellectual Property and Dispute Resolution Practice Groups of Wong & Partners. She has decades of experience in IP, commercial litigation, corporate compliance, information technology and Internet regulatory issues. She is ranked in Tier 1 for IP in Malaysia by Chambers Asia Pacific which has noted that Kherk Ying is "an acclaimed figure in the sector, drawing praise as a lawyer who is 'really commercial, very practical' and 'knows her subject impressively well." Asia Pacific Legal 500 inducted her into its Hall of Fame in 2021 for IP, it had commented that she is "highly respected for contentious and non-contentious work". Kherk Ying was also named in Benchmark Asia-Pacific’s Top 100 Women in Litigation for IP and Commercial Transactions (2020-2021). Kherk Ying won the Women Lawyer of the Year at the ALB Malaysia Law Awards in 2019. She is highly regarded for IP litigation, and has been named the "Best Female Lawyer in IP Litigation" by Euromoney Asia Women in Business Law Awards 2014. She is also recognised as a Tier 1 lawyer in enforcement and litigation by the World Trademark Review 1000, and ranked as a Tier 1 litigation and transactions professional by IAM Patent 1000. Kherk Ying is a registered trade mark, patent and design agent in Malaysia and the principal author of the CCH published Intellectual Property Laws of Malaysia. She is among the few selected trainers for an IP valuation course by Intellectual Property Corp of Malaysia (MyIPO) and is an accredited IP valuer by the World Trade Institute.


Serene Kan is a Partner in Wong & Partners, Kuala Lumpur office.


Chun Hau Ng is an Associate in Wong & Partners, Kuala Lumpur office.

Write A Comment