Malaysia Personal Data Protection Department

List of Data User Forums in Malaysia

The Personal Data Protection Commissioner has appointed the following associations as data user forums for the following sectors:

1. Institut Akauntan Malaysia for the accounting and audit sectors;
2. Persatuan Jualan Langsung Malaysia for the direct selling sector;
3. Persatuan Bank-bank Dalam Malaysia for the banking and financial sectors;
4. Institut Jurutera Malaysia for the engineering services sector;
5. Institut Insurans Hayat Malaysia for the insurance sector;
6. Pertubuhan Akitek Malaysia for the architecture sector;
7. Maxis Berhad for the telecommunications sector;
8. Persatuan Hotel Malaysia for the travel and hospitality sector;
9. Majlis Peguam, Persatuan Undang-Undang Sabah and Persatuan Peguambela Sarawak for the legal sector.

Last updated: 1 April 2015

Source: Personal Data Protection Department Registration Unit.

Survey Relating to Compounding Regulations

The Malaysia Personal Data Protection Commissioner Office wishes to enforce compounding regulations pursuant to the Personal Data Protection Act 2010. They have now issued a survey for the members of the public and organisations.

Any response to the survey should be submitted before 14 November 2014. For more details, go to

Download: Survey Form (in Malay language only)

Retirement of Haji Abu Hassan Ismail

With the retirement of Haji Abu Hassan Ismail as the Director General of the Personal Data Protection Department, Encik Mazmalek bin Mohamad has been appointed as the new Director General of the Personal Data Protection Department effective from 1st October 2014.

Personal Data Protection Act 2010: Our details are worth protecting

I was quoted by Rakyat Post in their article “Personal Data Protection Act 2010: Our details are worth protecting”.

Personal Data Protection Act 2010: Our details are worth protecting

The Personal Data Protection Act 2010 intends to protect personal data and stop it from being distributed.

THE Personal Data Protection Act 2010 is necessary because personal data is often the cause of constant unwelcome calls from companies, and can be used by malicious people to break into networks.

Personal Data Protection Department Deputy Director-General Dr Zainal Abidin Sait said personal data used in commercial transactions had value while personal data available online may not.

“My name on Facebook would not be useful for marketing. I don’t give my real information in Facebook, but in commercial transactions, I give my real name, my real data.”

He said there were penalties for those who did not adhere to the law, but that was not the reason the law was gazetted.

“The intention of this law is not to issue summonses to people. The intention of the law is to ensure the personal data of all Malaysians, which is collected from all over the place by these agencies, is managed properly and systematically.”

Zainal Abidin also said the PDPA would not hamper doctors and banks.

This is because for doctors, processing without consent can still be carried out with conditions, while banking transactions made via contracts do not fall under the law.

Solicitor Foong Cheng Leong said laws similar to the Personal Data Protection Act (PDPA) 2010 had been implemented around the world.

“But in Southeast Asia, we are the first to come up with this law. Singapore has a similar law. It came after ours, but came into force earlier than us.”

Foong is a lawyer focusing on Intellectual Property, Information Technology, Internet, Social Media and Cyber laws, Franchise, Privacy and Data Protection laws.

In the past, people had been selling personal data without repercussions, but that will all change now.

“The new law is to protect personal data and stop it from being distributed. Now under the law, it is subject to consent. If individuals want to receive all these things, then they (the companies) can send. Otherwise they can’t,” Foong said.

Websense Inc Asia Pacific Sales Engineering Director William Tam pointed out that personal information was highly valuable, not just to sell insurance or credit cards.

“When we look at what happened at many large retailers over the years, such as TJ Maxx and Target, personal data was pure gold to people with a malicious intent.”

He said cybercriminals were not just after credit card details as even simple personal contact details could be used in social engineering to create a very powerful lure that could be the way into a company’s network and lead to a highly targeted attack.

“Once individuals understand their rights under the PDPA, they can be the key driving force in encouraging businesses to comply with the same standard.”

There is no need for the Personal Data Protection Act 2010 because customer information is already treated with complete confidentiality, say stakeholders.

THE Personal Data Protection Act 2010 is unnecessary for the banking and health industries. It also hinders insurance agents and marketers in conducting their business.

Although banks will comply with the Act, Association of Banks in Malaysia (ABM) Executive Director Mei Lin Chuah said it was already common practice in banks to respect the personal data of those who bank with them.

“All this while, our members have taken the necessary steps to ensure that customer information is treated with the greatest of confidentiality as a matter of policy which, in a certain fashion, has now become a requirement of law.

“Our member banks have in place controls and systems to ensure that customer information is kept confidential at all times.

“Further to this, banks have their strict internal rules on confidentiality and information security which all bank employees must abide by. Failure to comply with the internal rules will lead to disciplinary action against the employee,” said Mei.

Malaysian Medical Association (MMA) President Datuk Dr N.K.S. Tharmaseelan said including doctors under the Act was redundant. It was unfair to slap them with a fine as no announcement on this had been made earlier, he added.

“The Commissioner of the Personal Data Protection Department did not send out any circular whatsoever to inform doctors about this registration exercise, but still expects all to know,” said Dr Tharmaseelan in a statement.

“Doctors were given till Feb 15, 2014 to register or be slapped with a fine of RM500,000.

“It appears redundant as the doctors are strictly regulated by MMC on confidentiality. Doctors now have to face this additional burden.

“Doctors have always been guided by the Hippocratic Oath since the birth of modern medicine, but now we have a law which has become a hippopotamus that will run through our practice.

“This was another law passed without consulting stakeholders, in this case doctors. But we hope common sense will prevail and an exemption is granted,” said Dr Tharmaseelan.

Insurance agents, direct sellers and telemarketers rely on gathering personal information to find customers.

“Basically, information about people can’t be passed around any more without their permission,” said an insurance agent who did not want to be named.

The Act made it more difficult to initiate contact with a person through the telephone, which is known as “cold calling”, and is often done using bank databases sold by middlemen.

“When you apply for a loan or credit card, whatever information you give them is what these databases will contain,” said the agent, adding that direct sellers and telemarketers relied heavily on such databases to make sales.

Guide in Dealing with Direct Marketing under Personal Data Protection Act (PDPA) 2010

The Personal Data Protection Commissioner has issued the Proposal Paper [No. 1/2014] – Guide in Dealing with Direct Marketing under Personal Data Protection Act (PDPA) 2010. The Commissioner has invited feedback and opinion in respect of the matters raised in the Proposal Paper; submissions must be made before 20 February 2014.

Download: Proposal Paper

PDC Seminar on The Personal Data Protection Act on 28.05.2013

I will be speaking about the Personal Data Protection Act 2010 at the KL Bar on 28 May 2013. Details are below.

2 CPD Points ( 28052013/KLB/KLB1183/2 )

As part of its Professional Development Programme, the PDC is pleased to present the above Seminar by Mr Foong Cheng Leong on 28.05.2013 (Tuesday) from 3.00pm to 5.30pm. Venue: KL Bar Auditorium.

Areas to be covered:

• Introduction to Personal Data Protection Act 2010
• Highlights of the Personal Data Protection Act 2010
• 7 Principles
• Personal Data Protection Commissioner
• Registration of Data Users
• Transfer of Data Overseas
• Rights of Data Subjects
• Offences and Liability
• Transitional Period
• How would the Act affect Companies?
• Action Plan / Checklist
• Questions & Answers
• Case Study

About the speaker
Foong Cheng Leong was called to the Malaysian Bar in 2005. He is currently the KL Bar Information Technology and Publications Chair and a member of the Bar Council Intellectual Property Committee. He is regularly featured in the media notably over topics regarding intellectual property, cyberlaw, data privacy and the like.
Pupils-in-Chambers / Law Students – RM30.00 per participant

Members of the Bar – RM60.00 per participant

Non-Members – RM100.00 per participant

Registration Must be Accompanied With Payment to Guarantee Your Place

Only 120 Seats Available.

Podcast: Resource Centre: The Personal Data Protection Act 2010

I was interviewed by Freda Liu of BFM Radio on the topic of Personal Data Protection Act 2010 (“PDPA”) on 15 January 2013.

The PDPA provides that any information that directly or indirectly relates to a data subject (i.e. individual) who is identified or identifiable from that information, is personal data. This information may take various forms, such as your name, passport number, telephone number and email address.

PDPA came into force January 1, 2013.

PDPA: Businesses have responsibilities and burdens

I was invited to contribute to a monthly column in Digital News Asia, which I named Bread & Kaya. The column will have legal news relating to intellectual property, cyberlaws, franchise, data privacy and the like.

My first article “PDPA: Businesses have responsibilities and burdens” was published on 31 December 2012.

Dec 31, 2012

  • PDPA comes into force Jan 1, 2013, and companies have three months to comply
  • Many have waited, and now may not have enough time to put processes in place
  • Bread & Kaya by Foong Cheng Leong

    WELCOME to the inaugural Bread & Kaya column! The term is a Malaysianized version for bread-and-butter. This column aims to be your bread-and-kaya serving of legal news relating to intellectual property, cyberlaws, franchise, data privacy and the like.

    You may have read some of my articles in The Star’s Putik Lada column or in LoyarBurok. If this is the first time you’re reading my articles, “Hello.”

    Without a doubt, 2013 will be an interesting year for businesses. Many new laws and regulations will be introduced, and the Personal Data Protection Act 2010 (PDPA) is one of them.

    It was reported that the PDPA would come into force on Jan 1, 2013. Businesses have three months from the date of enforcement to comply with the Act. Similarly, Singapore will have its own Personal Data Protection Act 2012 coming into force on Jan 2, 2013.

    Notwithstanding the reported enforcement date of Jan 1, 2013, there is no official government gazette confirming this as I write this column. Thus, the PDPA would still not be in force until such a government gazette is published.

    What is the PDPA?

    The PDPA provides that any information that directly or indirectly relates to a data subject (i.e. individual) who is identified or identifiable from that information, is personal data. This information may take various forms, such as your name, passport number, telephone number and email address.

    A person who processes personal data is called a data user. Companies processing individual customers’ or employees’ personal data must comply with the PDPA.

    Under the PDPA, a data user, in processing personal data, must comply with the following principles:

    (1) General Principle;
    (2) Notice and Choice Principle;
    (3) Disclosure Principle;
    (4) Security Principle;
    (5) Retention Principle;
    (6) Data Integrity Principle; and
    (7) Access Principle.

    Failure to abide by any of the above principles amounts to an offence. Upon conviction, the data user is liable to a fine not exceeding RM300,000 or to imprisonment for a term not exceeding two (2) years or to both (S. 5(2) PDPA).

    [RM1 = US$0.33]

    Under these principles, the collection and use of personal data must be consented to by the data subject and steps must be taken to ensure that the data is stored securely. The processing of personal data cannot be excessive in relation to the purpose or related purpose of which the personal data is collected.

    Adequate notice must be given to data subjects that their personal data will be processed, used, and the purpose of the same. Such notice must be in writing and in the Malay and English languages. Personal data no longer in use has to be destroyed.

    Further, personal data cannot be transferred outside Malaysia unless such a place is specified by the Government, consented to by the data subject, or is necessary for the performance of a contract between the data user and the data subject.

    The PDPA only applies to personal data processed in relation to “commercial transactions.”

    What do you need to do?

    If you are processing employees’ or individual customers’ personal data, you are advised, among others, to:

  • Assess how the PDPA affects your organization;
  • Prepare a privacy notice, in Malay and English, to be issued to potential and current employees or customers;
  • Prepare a Personal Data Policy to govern the processing and handling of personal data by employees;
  • Prepare a Retention Policy for employees’ or customers’ personal data and audit the personal data of previous employees or customers in order to dispose of personal data that is no longer in use;
  • Establish a data access procedure for employees or customers to access their personal data;
  • Ensure that the storage of the employees and customers’ personal data is secure;
  • Ensure that personal data is only disclosed for the purpose for which the personal data is collected and not disclosed to unrelated parties;
  • Ensure that the relevant personnel such as Human Resource or customer relationship staff are adequately trained in data protection laws and practice;
  • Review data collection forms so that personal data is not collected excessively; and
  • Ensure that personal data is transferred overseas lawfully.

    Consent

    The word consent is not defined in the PDPA. However, in early December 2012, Deputy Minister of Information, Communications and Culture Datuk Joseph Salang announced that “whenever consent is required for data processing, it’ll have to be given expressly rather than impliedly or be assumed.”

    This would mean that there must be some sort of active communication between the parties. For example, if a company wishes to obtain more information about an individual, the former would need to get the individual’s express consent by contacting the individual.

    In this regard, all companies will need to ensure that all possible purposes for processing the personal data are set out before the collection of the data. Additional procedures may need to be established to ensure consent is captured.

    Express consent can be gained in a variety of ways — for example by filling in a form, ticking a box on a website, over the phone and face-to-face.

    Although express consent seems to give individuals added protection, this is not necessarily true. Malaysia’s restricted view on the definition of consent will have an impact on businesses and individuals. Additional cost will be incurred in establishing new procedures and practices such as new forms, storage, impact analysis and compliance exercises. Individuals may also be swamped with requests for consent from time to time, although the individual would ultimately consent.

    Companies will need to wait for individuals’ express consent before they can roll out new projects.

    To give an example on how the PDPA will affect business:

    Company X wishes to roll out a new security system to enter the office. The system utilizes the employees’ personal data as unique identifiers. In view of the express consent requirement, Company X will need to get the employees’ express consent to use employees’ personal data. If certain employees refuse to do so, such system cannot be fully utilized.

    In the event that a data subject disputes that express consent had been given, the data user will need to show that express consent had been given. Assuming that we adopt the implied consent regime, it is arguable that a data subject had implied consent to processing of personal data if the data subject uses the data user’s services.

    However, with express consent, evidence must be provided and this may be difficult, especially in electronic transactions.

    In such a case, Section 114A of the Evidence Act 1950 may be helpful to data users as it puts a presumption of publication by a person if his or her name appears on a particular content. The affected individual will need to prove that he did give express consent. This may be costly, highly bureaucratic and time consuming.
    The PDPA is supposed to bring an end to unsolicited communication, but it will cause drastic changes to Malaysian businesses.

    Much valuable commercial data will be lost due to the PDPA. It is noted that many Malaysian industries had taken the wait-and-see approach. This is alarming considering that three months to comply with the PDPA will probably be not enough.

    The Personal Data Protection Department recently issued Malaysian Personal Data Protection Department’s Public Consultation No. 2/2012 entitled “Class Of Data User Under The Personal Data Protection Act 2010 And Proposed Fees” which sets out the class of data users that is required to register with the Commission.

    The release of such consultation paper is commendable. I hope that the Commission or the Personal Data Protection Department will issue more of these consultation papers and guidelines on the interpretation of the PDPA.

Malaysia Personal Data Protection Act to come into force Jan 1

The Star Newspaper reported that the Malaysian Personal Data Protection Act 2010 will be in force on 1 January 2013.

However, at the time of publication of this blogpost, the date of enforcement has not been gazetted in the Government Gazette.

It’s alarming that the Deputy Minister has taken the view that consent to process personal data must be express and cannot be implied or assumed. It is certainly impractical to obtain express consent for all sorts of commercial transactions. For example, when someone visits an eCommerce website and transacts on the website, the website owner must obtain express consent for each item of personal data collected from the user. This may be some form of pop-up or option for the user to click before he can proceed further. Imagine this pop-up and option appearing every time new data is collected. Some data is collected in the background in order for the website to work. It’s disruptive to both the owner and the user.

Another example is when data is passed to a service provider of the data user so that the service provider can provide services to the data subject. Assuming express consent is required, the service provider will need to approach the data subject for consent. The data subject will get a lot of calls asking for consent!

I hope that the Commissioner will take a different approach, i.e. by recognising implied consent.