You may be trying to access this site from a secured browser on the server. Please enable scripts and reload this page.
Home
Internal
Global
Contact
de
|
en
|
it
Rödl & Partner Italy advises LCF Alliance on 95 million financing with Societe Generale and BayernLB |
Worldwide
It looks like your browser does not have JavaScript enabled. Please turn on JavaScript and try again.
✕
Worldwide
Algeria
Angola
Argentina
Australia
Austria
Azerbaijan
Bahrain
Belarus
Belgium
Bosnia and Herzegovina
Botswana
Brazil
Bulgaria
Cambodia
Canada
Chile
China
Colombia
Costa Rica
Croatia
Cyprus
Czech Republic
Denmark
Ecuador
Egypt
Estonia
Ethiopia
Finland
France
Georgia
Germany
Ghana
Greece
Hong Kong (S.A.R.)
Hungary
India
Indonesia
Ireland
Italy
Japan
Kazakhstan
Kenya
Kuwait
Latvia
Libya
Liechtenstein
Lithuania
Luxembourg
Malaysia
Malta
Mauritius
Mexico
Moldova
Mongolia
Morocco
Mozambique
Myanmar
Namibia
Netherlands
New Zealand
Nigeria
North Macedonia
Norway
Oman
Pakistan
Paraguay
Peru
Philippines
Poland
Portugal
Qatar
Romania
Saudi Arabia
Serbia
Singapore
Slovakia
Slovenia
South Africa
South Korea
Spain
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Tunisia
Turkey
Uganda
Ukraine
United Arab Emirates
United Kingdom
Uruguay
USA
Uzbekistan
Vietnam
Zambia
Own offices of Rödl & Partner
German Professional Services Alliance -
GPSA
�������������������������������������������������������������
(Colours appear during mouseover)
We use cookies to personalise the website and offer you the greatest added value. They are, among other purposes, used to analyse visitor usage in order to improve the website for you. By using this website, you agree to their use. Further information can be found in our
data privacy statement
.
Services
Legal
Administrative Law
Banking Law
Commercial Contracts
Compliance 231
Corporate and Commercial Litigation
Corporate Law
Criminal Law
Data Protection & Privacy
Employment Law and Labour Consultancy
Food Law
Intellectual Property
Pharmaceutical and Medical Device Law
Tax advisory
International Tax Consulting
Tax Consulting
Tax Litigation
Transfer Pricing
VAT & Indirect Taxes
Interdisciplinary services
BPO & Tax Compliance
Data Protection, Cyber Security & Innovation
E-commerce & Digital Law
Internationalization
International Mobility
The Listing Process for SMEs
Mergers & Acquisitions
Restructuring and insolvency consulting
Sustainability
Valuation
Whistleblowing
Audit
Industries
Professionals
Media
Newsletter
Legal Newsletter
Tax Newsletter
Data Protection Bites
Press Release
Events
About us
Career
Insights
Malaysia: Amendments to Personal Data Protection Act 2010 and guidelines
Recent
Italian (Italy)
Currently selected
Consulenza legale, Consulenza fiscale, Audit, Servizi in outsourcing
Approfondimenti
Carriera
Cookie Policy
Cookie Policy
Eventi
Home
Informativa Privacy
Media
Privacy Policy
Professionisti
Servizi
Uno studio internazionale
Profile
Error 404!
Error 401!
Privacy
Disclaimer
Copyright
Malaysia: Amendments to Personal Data Protection Act 2010 and guidelines
Page Content
published on 22 July 2025 | reading time approx. 3 minutes
Personal Data Protection (Amendment) Act 2024 (“PDPA 2024”) was enacted on 1 January 2025 in an effort to align Malaysia’s data protection laws more closely with international standards and strengthen data protection in Malaysia. The PDPA 2024 is enforced in three phases, namely 1 January 2025, 1 April 2025 and 1 June 2025.
The salient amendments from PDPA 2024 include:
Subject
Personal Data Protection Act 2010
PDPA 20
24
Terminology for data user
Data user
Data controller
Cross border data transfer
Transfer of personal data out of Malaysia to whitelisted countries were allowed with the data subject´s consent. There was no list of whitelist countries
The whitelist regime for cross border data transfer has been removed and replaced by a regime of permitted transfers based on certain grounds
Penalties for breach of personal data protection principles
Penalties of up to RM 300,000 and/or imprisonment of 2 years
Increased penalties of up to RM 1 million and/or imprisonment of 3 years
Sensitive personal data
Not addressed
Biometric data is considered sensitive and are defined as data derived from the technical processing of physical, physiological and behavioral characteristics
Right to data portability
Not provided
The right to data portability is granted, subject to technical feasibility and data format compatibility
Personal data breach notification
Not provided
It is required to notify the Personal Data Protection Commissioner (“Commissioner”) as well as affected individuals if the breach causes or is likely to cause significant harm to the individuals
Obligations of data processors
Not provided
Data processors must adhere to security requirements and are subject to penalties for breaches
Appointment of Data Protection Officer (“DPO”)
Not provided
There is a new requirement to appoint a DPO if organizations meet certain thresholds
Following the PDPA 2024, the Commissioner issued the following guidelines to provide clarity on the new requirements:
Guideline
Content
Cross Border Personal Data Transfer Guideline
New conditions for cross-border transfer under PDPA 2024;
The adoption of Binding Corporate Rules;
Applicability of Standard Contractual Clauses;
Certification mechanism;
Record-keeping obligations.
Implementation of Data Breach Notification Guideline
The scope and threshold of notification to the Commissioner and affected data subjects;
Timeframe for notifications;
The manner and form of notifications;
Management of breached personal data;
The obligations of data controllers, including record-keeping obligations.
Appointment of DPO Guideline
The threshold for mandatory appointment of DPO;
Expertise, qualifications and residency requirement of DPO;
Key responsibilities of a DPO;
Notification of appointment of DPO;
Obligations of data controller and data processor.
The Commissioner is also set to publish a revised Personal Data Protection Standard which ensures security, storage and integrity and publish guidelines on for the following topics:
Data Protection Impact Assessments – a proactive process to help organizations assess the risks and impacts related to the processing of personal data to ensure compliance with legal requirements;
Data Protection by Design and by Default - provides guidance to organizations on integrating data protection at every stage of system and process design;
Automated Decision-Making & Profiling - Provides guidance on the regulation of data processing involving automated decision-making and profiling to ensure the protection of individual rights.
Further, the Commissioner has also launched the portal for the registration of a DPO for data controller and data processor that fulfils the requirements:
Processes personal data of more than 20,000 data subjects;
Processes sensitive personal data including financial information, biometric data or health data of more than 10,000 data subjects;
Involve activities that required regular and systematic monitoring of personal data.
As all changes contained in PDPA 2024 are now being enforced, data controllers and data processors are encouraged to carefully review and assess their compliance approach to ensure alignment with PDPA requirements and avoid potential non-compliance.
DATA PROTECTION BITES
Read all releases »
author
Felix Engelhardt
Manager
+60 3 2276 2755
Send inquiry
RÖDL & PARTNER Malaysia
Discover more about our offices in Malaysia.
Read more »
Turn on more accessible mode
Turn off more accessible mode
Skip Ribbon Commands
Skip to main content
Turn off Animations
Turn on Animations
Deutschland
Weltweit
Search
Menu
