
Key Takeaways
- →Malaysia's Personal Data Protection Act 2010 (Act 709) is the main data privacy law, enforced by the Personal Data Protection Commissioner through JPDP, and it covers personal data processed in commercial transactions.
- →The Personal Data Protection (Amendment) Act 2024 phased in across 2025 (1 January, 1 April, 1 June) and added mandatory breach notification, a mandatory Data Protection Officer, biometric data as sensitive data, and data portability.
- →Penalties rose sharply: breaching the data protection principles now carries a fine of up to RM1,000,000 and imprisonment of up to three years.
- →You hold rights of access, correction, consent withdrawal, and to stop direct marketing; if your data leaks, check accounts on Semak Mule and call the National Scam Response Centre at 997.
General information, not legal advice. The PDPA governs personal data in commercial dealings and does not bind the federal or state governments. The 2024 amendments are still rolling out through 2025 to 2026, so check the JPDP (pdp.gov.my) for the latest. Verified July 2026.
In This Guide
Data privacy in Malaysia, at a glance
Your personal data is already out there. In 2024 Malaysia recorded the highest rate of personal data leaks in Asia, according to Gogolook's Whoscall report. Among Malaysian users who checked their status, about 72.5% found their information had been compromised. Phone numbers were the most leaked field at 98%, followed by names at 89%, then addresses and emails.
The results are visible every day. Scam calls in Malaysia nearly doubled to 2.98 million in 2024, a rise of around 82.81% over 2023, with banking and debt-collection scams and impersonation of authorities among the most common. Losses to scams reached about RM1.57 billion for the year. Your NRIC number sits at the centre of the risk, because it is needed to register for mobile lines, bank facilities and government services, so a leaked NRIC lets someone register services or take loans in your name.
What the PDPA is
The Personal Data Protection Act 2010 (Act 709), known as the PDPA, is Malaysia's main data privacy law. It governs how personal data is handled in commercial transactions. Any individual or organisation that processes personal data in the course of commercial transactions counts as a data controller and must comply. Only the Federal and State Governments are exempt, and size does not matter, so a sole trader and a bank are both bound.
The law is built on seven principles: General, Notice and Choice, Disclosure, Security, Retention, Data Integrity, and Access. Together they set out what an organisation may collect, how it must tell you, how it must protect the data, how long it may keep it, and your right to access and correct it.
Who regulates it
The regulator is the Personal Data Protection Commissioner, supported by the Department of Personal Data Protection (Jabatan Perlindungan Data Peribadi, JPDP). JPDP was established on 16 May 2011 and sits under the Ministry of Digital. It registers data controllers, issues guidelines and codes of practice, handles complaints, conducts inspections, and takes enforcement action.
The 2024 amendments
The Personal Data Protection (Amendment) Act 2024 is the biggest update to the law since it began. It commenced in phases across 1 January, 1 April and 1 June 2025. The headline changes:
- Mandatory breach notification. Data controllers must notify the Commissioner when a personal data breach happens, and notify affected individuals where the breach is likely to cause significant harm.
- Data Protection Officer. Data controllers and data processors must appoint at least one DPO and notify the Commissioner.
- Higher penalties. The maximum fine for breaching the principles rose from RM300,000 to RM1,000,000, with imprisonment up to three years.
- Biometric data is now sensitive personal data, and data processors are directly bound by the Security Principle.
- Data portability gives you the right to have your data moved from one controller to another where technically feasible.
- The old cross-border transfer "whitelist" is removed in favour of an adequacy-style test.
At a glance
| Item | Detail |
|---|---|
| Main law | Personal Data Protection Act 2010 (Act 709) |
| Scope | Personal data processed in commercial transactions |
| Regulator | Personal Data Protection Commissioner, supported by JPDP |
| Ministry | Ministry of Digital |
| Core rules | Seven data protection principles |
| Latest update | Personal Data Protection (Amendment) Act 2024, phased in during 2025 |
| Max penalty | RM1,000,000 fine and/or up to 3 years' jail |
What the PDPA covers and the seven principles
The Personal Data Protection Act 2010 (Act 709), known as the PDPA, is Malaysia's main law for personal data privacy. It is enforced by the Personal Data Protection Commissioner through the Department of Personal Data Protection (Jabatan Perlindungan Data Peribadi, or JPDP).
The Act has a specific scope. It governs the processing of personal data in commercial transactions. Section 4 defines a commercial transaction as any transaction of a commercial nature, whether contractual or not, covering matters such as the supply or exchange of goods or services, agency, investments, financing, banking, and insurance. If a bank, a telco, a retailer, a hospital, or an online platform collects your personal data to do business, the PDPA applies to how they handle it.
Two limits are worth knowing:
- The Act does not bind the government. Section 3(1) states that the PDPA shall not apply to the Federal Government and the State Governments. Personal data held by government departments falls outside this law.
- Data processed wholly outside Malaysia is excluded, unless that data is intended to be further processed in Malaysia (Section 3(2)).
The seven data protection principles
Section 5 of the Act sets out seven principles that every data user must follow. A data user is the organisation that controls the processing of your personal data. A data subject is you, the individual the data is about. The principles apply together, and breaching any one of them is an offence.
Here is what each principle requires, in plain terms.
| # | Principle | What it requires |
|---|---|---|
| 1 | General Principle | An organisation may only process your personal data with your consent, and only for a lawful purpose directly connected to its activities. Certain exceptions apply, for example where processing is needed to perform a contract you are party to. |
| 2 | Notice and Choice Principle | You must be told, in writing (in Malay and English), what data is collected, the purpose, your rights of access and correction, who the data may be disclosed to, and whether supplying the data is obligatory. This notice should be given at or before the point of collection. |
| 3 | Disclosure Principle | Your personal data must not be disclosed for any purpose other than the one you were told about, or to any third party outside the classes you were told about, without your consent. |
| 4 | Security Principle | The organisation must take practical steps to protect your data from loss, misuse, modification, unauthorised or accidental access, disclosure, alteration, or destruction. This covers both technical measures and staff handling. |
| 5 | Retention Principle | Your personal data must not be kept longer than necessary for the purpose it was collected. Once the purpose is fulfilled, the data user has a duty to destroy or permanently delete it. |
| 6 | Data Integrity Principle | The organisation must take reasonable steps to keep your data accurate, complete, not misleading, and up to date for the purpose it is held. |
| 7 | Access Principle | You have the right to access your personal data held by an organisation and to correct it where it is inaccurate, incomplete, misleading, or out of date. Access may be refused only in limited circumstances set out in the Act. |
These seven principles are the foundation of every duty a business owes and every right an individual can claim under the PDPA. The rights of access, correction, withdrawal of consent, and objection to direct marketing all flow from them.
Your rights over your own data
The PDPA gives you a set of rights you can use directly against any company or organisation that holds your personal data. Under the 2024 amendments these organisations are now called data controllers (the old term was "data user"). You are the data subject. Here is what you can ask for, and how.
The rights you hold
| Right | What it lets you do | PDPA section |
|---|---|---|
| Access | Ask a company to confirm what personal data it holds about you, why it processes the data, and where it got the data from. | Section 30 |
| Correction | Ask the company to correct data that is inaccurate, incomplete, misleading, or out of date. | Section 34 |
| Withdraw consent | Take back your consent to processing at any time, for example when you no longer want a service. | Section 38 |
| Prevent damage or distress | Require a company to stop processing that is causing, or likely to cause, damage or distress to you. | Section 42 |
| Stop direct marketing | Require a company to stop using your data to send you marketing (calls, SMS, email). | Section 43 |
| Data portability | Ask that your data be transmitted directly to another data controller, where the format is technically feasible and compatible. This right came in under the 2024 amendments (in force from 1 June 2025). | Section 43A |
How to make a data access request
- Put it in writing. Send a letter or email to the company's Data Protection Officer (DPO) or its stated privacy contact. Since the 2024 amendments, data controllers must appoint a DPO, so most companies now publish a contact.
- Say clearly what you want. State that you are making a data access request under Section 30 of the PDPA, and describe the data you are asking about.
- Prove who you are. The company may ask for identification so it does not release your data to the wrong person.
- Expect a possible fee. A company may charge a reasonable fee to process the request. The maximum is capped under the Personal Data Protection (Fees) Regulations 2013, and it cannot be set so high that it stops you exercising the right.
What the company must do
- Respond within 21 days of receiving your access or correction request.
- Give the data in a form you can understand, together with the purposes of processing and the sources of the data.
- If it refuses, it must tell you and give its reasons. For a correction request, it must either make the change or explain why it will not.
Stopping marketing and withdrawing consent
To stop direct marketing, send a written notice (a "cease processing" request) to the company under Section 43. Once you do, the company must stop marketing to you within a reasonable period, and it should not restart unless you give fresh consent. To withdraw consent generally, send a written withdrawal under Section 38. After you withdraw, the company must stop processing your data for the purpose you consented to.
Practical steps
- Keep a copy of every request and note the date you sent it, so you can count the 21 days.
- Use the company's official DPO or privacy email where one is listed.
- Be specific: name the account, service, or type of data, so the company can find your records.
- If a company ignores you, refuses without a valid reason, or misses the deadline, you can lodge a complaint with the Personal Data Protection Department (JPDP) under the Personal Data Protection Commissioner.
The 2024 PDPA amendments
Malaysia's original Personal Data Protection Act 2010 stayed largely untouched for over a decade. The Personal Data Protection (Amendment) Act 2024 (Act A1727) is the first major update. Parliament passed it in July 2024, and its provisions came into force in stages through 2025, with the core new obligations taking effect on 1 June 2025. The Personal Data Protection Commissioner, under the Department of Personal Data Protection (Jabatan Perlindungan Data Peribadi, or JPDP), enforces it.
One change runs through the whole Act. The term "data user" is replaced with "data controller", aligning Malaysian wording with international practice. Beyond the rename, four changes matter most.
Mandatory data breach notification
Before the amendment, an organisation that lost your data had no legal duty to tell anyone. Now a data controller who has reason to believe a personal data breach has occurred must notify the Commissioner as soon as practicable, within 72 hours of becoming aware of it. Where the breach is likely to cause significant harm, the affected individuals must also be told, within 7 days of the notification to the Commissioner. The detail sits in the JPDP guidelines issued in 2025. Failure to notify the Commissioner carries a fine of up to RM250,000 and/or imprisonment of up to 2 years.
Data Protection Officer
Both data controllers and data processors must now appoint at least one Data Protection Officer (DPO) accountable for PDPA compliance, and register the appointment with the Commissioner. The DPO is the internal point of responsibility for data handling and breach response. The thresholds that trigger the duty are set out in JPDP guidelines and cover organisations processing personal data at scale, including large volumes of records, large volumes of sensitive data, or systematic large-scale monitoring.
Right to data portability
You gain a new right to data portability. You may ask a data controller to transfer your personal data directly to another data controller, where this is technically feasible and the formats are compatible. This makes it easier to switch service providers, for example moving between banks or telcos, without starting your records from scratch.
Heavier penalties
The maximum penalty for breaching the data protection principles rose sharply, from a RM300,000 fine to RM1,000,000, and the maximum imprisonment term to up to three years.
Why it matters
For individuals: you now find out when your data is exposed, you have a named officer to hold organisations to account, and you can carry your data with you.
For businesses: the duties are concrete and the cost of ignoring them is much higher. Appoint a DPO, build a breach response plan that can move within 72 hours, and map where personal data sits so a portability or breach request can be answered on time. A note on biometric data: the amendment also brings it within the definition of sensitive personal data, so fingerprints and facial data attract stricter handling rules.
When your data is leaked
A data breach means an organisation that held your personal data (a telco, bank, retailer, employer, or government agency) lost control of it, whether through hacking, a misconfigured system, or an insider selling records. Once your IC number, phone number, address, or bank details are out, you cannot pull them back. What you can do is limit what someone does with them.
What notification you should receive
Since 1 June 2025, under the Personal Data Protection (Amendment) Act 2024, organisations that hold your data have a legal duty to report serious breaches.
- The organisation (the data controller) must notify the Personal Data Protection Commissioner at JPDP within 72 hours of discovering a breach that causes or is likely to cause significant harm.
- If the breach is likely to cause significant harm to you, the organisation must also notify you directly, without undue delay and no later than 7 days after it reported to the Commissioner. This is meant to reach you by email, SMS, or post. If direct contact is impractical, they may use a public announcement on their website, social media, or a newspaper.
- "Significant harm" covers breaches that expose data usable for identity theft, fraud, or extortion, breaches involving sensitive data (health, financial, religious, political, or criminal records), combinations of data like name plus IC number plus contact details.
If you receive such a notice, read it carefully. It should tell you what data was involved. Be aware that scammers also send fake "your data was breached" messages to trick you, so verify through the organisation's official channels before clicking any link.
Steps to protect yourself
Change your passwords. Start with the affected account, then any other account that shares the same password. Use a unique password for each important account. Turn on two-factor authentication (2FA) for banking, email, and social media.
Watch for targeted scams. Leaked data lets scammers sound convincing. They may call using your real name and IC number, or pose as your bank, a courier, or the police. Treat any unsolicited call or message asking for OTPs, passwords, or transfers as a scam. No bank or government agency will ask for your OTP.
Check bank accounts and numbers before you transact. Use the police Semak Mule portal (semakmule.rmp.gov.my) to check whether a bank account, phone number, or company name has been linked to fraud. It is free and needs no registration.
Monitor your accounts. Review bank and card statements for transactions you do not recognise. Check your credit standing through CCRIS (Bank Negara's central credit reference system) or CTOS.
If money is already gone, call the National Scam Response Centre at 997 immediately. The line runs 24 hours, and a call to 997 now counts as an official police report. Fast action gives the bank a chance to freeze the receiving account.
Malaysia's pattern of large leaks
Malaysia has seen repeated mass leaks, so the safest assumption is that some of your data is already circulating.
- In 2017, the personal data of more than 46 million mobile subscribers from at least 12 telcos and MVNOs was leaked online.
- In December 2022, a breach touched close to 13 million people, with data linked to Maybank, Astro, and the Election Commission appearing for sale.
- The Digital Ministry recorded 646 data breach cases in 2023, a 1,192% jump from 50 in 2022.
Given this pattern, treat protection as an ongoing habit. Assume your IC and phone number are known, and let that shape how carefully you handle every unexpected call and message.
Protecting your MyKad and NRIC number
Your NRIC number is the 12-digit number printed on your MyKad. In Malaysia it opens bank accounts, approves loans, registers prepaid SIM cards, signs contracts, and unlocks government services. That reach is exactly why it is sensitive. It is personal data protected under the Personal Data Protection Act 2010 (Act 709), and its handling is regulated by the Personal Data Protection Commissioner through the Department of Personal Data Protection (JPDP).
Because the number stays the same for life and appears on so many documents, one leaked copy can follow you for years.
How it gets misused
- Fraudulent loans and credit. Scammers use your NRIC and a MyKad copy to apply for personal loans or credit. Many victims only find out when debt collectors chase them for money they never borrowed.
- SIM card registration. Your details get used to register prepaid SIM cards, which are then used for further scams under your name.
- Impersonation scam calls. Callers pose as officers from the police, Bank Negara, or the National Scam Response Centre and pressure you to "verify" your NRIC, OTP, and bank details. The goal is to panic you into handing over data. These have been flagged repeatedly in MyCERT advisories.
- Account and subsidy fraud. Leaked NRIC data has been linked to mule accounts and misuse of schemes tied to MyKad, such as fuel subsidy registration.
When to give your NRIC number, and when not
| Reasonable to give | Be cautious or refuse |
|---|---|
| Opening a bank account | A caller who phoned you first |
| Government services and applications | Random online forms or contests |
| Signing a tenancy or employment contract | A shop asking "just for records" |
| Registering a SIM through an official channel | Anyone over WhatsApp in plain text |
The test is simple. Ask who is collecting it, why they need it, and whether the request came from you or from them. Under the PDPA, an organisation should only collect what is necessary for a stated purpose. You can ask for that purpose before you give anything.
Protect your MyKad copy
- When you hand over a photocopy or photo, write across the face of it: the date, the purpose, and the name of the company receiving it. This "crossing" or watermarking makes the copy hard to reuse for anything else.
- For SIM registration, MCMC requires dealers to watermark the MyKad copy. Your telco also provides a free way to check every prepaid SIM registered under your name.
- Never share your NRIC, OTP, or banking details with anyone who contacts you unexpectedly.
If your NRIC is compromised
- Lodge a police report. Calling the National Scam Response Centre at 997 counts as an official police report and operates 24 hours.
- Alert your bank. Contact your bank and Bank Negara Malaysia through BNMTELELINK at 1-300-88-5465.
- Check your credit record. Pull your CTOS report to see any loans or credit checks tied to your NRIC, and flag suspicious entries for dispute.
- File a statutory declaration. For a loan you did not take, submit a statutory declaration stating so, and give the lender your police report to dispute the debt.
- Keep records. Note every date, reference number, and officer's name. You will need them throughout the process.
If you believe your data was mishandled by an organisation, you can also complain to JPDP.
Spam, direct marketing and data-driven scams
Unwanted SMS, WhatsApp blasts and cold sales calls are the everyday face of a data problem. Most of them run on personal data that changed hands without you knowing. This section covers what the PDPA lets you do about marketing, why scammers already have your number and IC, and the practical steps that reduce the flow.
Your right to stop direct marketing
Section 43 of the Personal Data Protection Act 2010 gives you a specific right: you can require a company to stop processing your personal data for direct marketing. You do this by sending the company a written notice (a cessation notice). Once it receives that notice, the company must stop using your data for marketing within a reasonable period, and it should not restart unless you give fresh consent.
Steps that work in practice:
- Send it in writing. Email the company's data protection contact or use the "unsubscribe" link, and keep a copy with the date.
- Name the channel. State clearly that you want to stop marketing by SMS, call, email and any other channel.
- Escalate if ignored. If the company keeps marketing to you, you can complain to the Personal Data Protection Commissioner (Jabatan Perlindungan Data Peribadi, JPDP). The Commissioner can direct the company to stop, and failing to comply with such a direction is an offence.
This right only reaches businesses that hold your data lawfully. It does not reach criminals, which is where the harder problem starts.
Why scammers already have your details
A cold caller who knows your full name, IC number and home address is usually working from leaked or sold data, not a lucky guess. Malaysia recorded the highest rate of personal data leaks among key Asian markets in 2024. In one check, 72.5 percent of Malaysians who ran their details through a screening tool found their data had been exposed, with phone numbers leaked in about 98 percent of cases and names in about 89 percent. One breach alone put an estimated 46.2 million Malaysian phone numbers at risk.
That leaked data feeds scams directly. Scam calls in Malaysia rose to 2.98 million in 2024, up from 1.63 million in 2023, and reported scam losses reached RM1.57 billion. When a caller can recite your real details, the pitch sounds credible, and that credibility is what the fraud relies on.
Cutting the flow
You cannot un-leak data that is already out, so the goal is to reduce new exposure and blunt the scams that follow:
- Give less at signup. Skip optional fields. A loyalty card rarely needs your IC number.
- Untick pre-ticked consent boxes and decline "share with partners" options.
- Use the Section 43 notice on companies that keep marketing to you.
- Never act on urgent unsolicited calls, even ones quoting your correct details. Hang up and call the institution back on its published number.
- Check before you pay or transfer. Use the police Semak Mule portal (semakmule.rmp.gov.my) to check a bank account, phone number or company name against known scam records.
- If money has already moved, call 997 (the National Scam Response Centre). It runs 24 hours, calls are treated as police reports, and acting within the first hours gives the best chance of freezing the mule account. Note that the NSRC only receives calls, so any "NSRC officer" phoning you is itself a scam.
For spotting fake messages, mule accounts and phishing links, see our full guide on scams and online safety.
PDPA compliance for businesses and SMEs
Any business that decides how and why personal data is collected counts as a data controller under the Personal Data Protection Act 2010 (PDPA), and the Personal Data Protection Amendment Act 2024 tightened the duties that come with that role. The Amendment Act came into force in three stages, on 1 January 2025, 1 April 2025, and 1 June 2025. The regulator is the Personal Data Protection Commissioner, who heads the Department of Personal Data Protection (JPDP). Here is what your business has to do.
Obtain valid consent
Consent must be specific to a stated purpose, and the individual can withdraw it at any time. Keep a record of when and how consent was given. Sensitive personal data, which now includes biometric data such as fingerprints and facial recognition data, needs explicit consent before you process it.
Issue a privacy notice
The Notice and Choice Principle requires you to tell people, in writing and in both Bahasa Malaysia and English, what data you collect, why you collect it, who you may share it with, and how they can access or correct it. Put this notice where customers see it at the point of collection: your checkout page, sign-up form, or booking screen.
Appoint a DPO where required
The Data Protection Officer requirement took effect on 1 June 2025. You must appoint at least one DPO if you process the personal data of more than 20,000 data subjects, process sensitive personal data (including financial data) of more than 10,000 data subjects, or carry out regular and systematic monitoring. The DPO must be proficient in Malay and English, and either resident in Malaysia or easily contactable. Notify the Commissioner of the appointment within 21 days.
Secure the data
The Security Principle requires practical steps to protect data from loss, misuse, and unauthorised access. Data processors (vendors who handle data on your behalf) now carry direct obligations under this principle, so vet your suppliers and put written terms in place.
Honour access and correction requests
Under the Access Principle, individuals can ask to see the data you hold and request corrections to anything inaccurate or outdated. Set up a channel to receive these requests and respond within the timelines the law allows.
Handle breaches
If a breach causes or is likely to cause significant harm, notify the Commissioner as soon as practicable and within 72 hours of becoming aware of it. Where the breach is likely to result in significant harm to the affected people, notify them too, within 7 days of notifying the Commissioner. Keep an internal record of every breach.
Non-compliance can draw a fine of up to RM1 million, imprisonment of up to three years, or both. Directors and managers can be held personally liable.
Compliance checklist for SMEs and e-commerce sellers
- Map what personal data you collect, where it is stored, and who can access it.
- Publish a bilingual privacy notice at every point of collection.
- Collect specific, purpose-based consent and log it; get explicit consent for sensitive or biometric data.
- Check whether you cross the DPO thresholds, and appoint and register a DPO if you do.
- Sign written data-processing terms with payment gateways, couriers, marketing platforms, and cloud vendors.
- Secure systems: encryption, access controls, staff training, and a retention schedule that deletes data you no longer need.
- Set up a process to handle access and correction requests.
- Write a breach response plan covering the 72-hour and 7-day notification clocks.
Complaints, enforcement and penalties
If an organisation has mishandled your personal data, you can complain to the Personal Data Protection Commissioner, who heads the Department of Personal Data Protection (Jabatan Perlindungan Data Peribadi, or JPDP). Enforcement runs through this office.
Step one: raise it with the organisation first
Before going to the regulator, put your concern to the organisation directly. Ask them to explain what happened, correct the data, or stop the processing you object to. Keep copies of your request and their reply. If the answer does not satisfy you, take the matter to JPDP.
How to complain to JPDP
You can lodge a complaint through JPDP's online complaint form, by email, or by phone.
- Online: the complaint form on the JPDP website (pdp.gov.my)
- Email: [email protected]
- Phone: JPDP Call Centre at 03-7456 3888
- Post: Level 8, Galeria PjH, Jalan P4W, Persiaran Perdana, Precinct 4, 62100 Putrajaya
State who processed your data, what went wrong, which of the seven Personal Data Protection Principles you believe was breached, and attach your evidence and earlier correspondence.
How enforcement works
Once a proper complaint is lodged, the Commissioner can investigate. The Commissioner's powers include inspecting the organisation's personal data system, accessing computerised data, and searching and seizing material, in some cases without a warrant.
If the investigation finds a contravention, the Commissioner may serve an enforcement notice under Section 108. The notice sets out the breach, the remedial steps required, and the deadline to comply. It can also direct the organisation to stop processing the personal data. An organisation that fails to comply with an enforcement notice commits an offence.
Penalties under the amended PDPA
The Personal Data Protection (Amendment) Act 2024 raised the penalties, with the main changes in force from 2025. Data processors now carry direct liability, and directors and managers can be held personally liable unless they show the offence happened without their knowledge or consent and that they exercised due diligence.
| Offence | Maximum penalty |
|---|---|
| Breaching a Personal Data Protection Principle | RM1 million fine, or 3 years' imprisonment, or both |
| Failing to notify a personal data breach | RM250,000 fine, or 2 years' imprisonment, or both |
| Failing to comply with an enforcement notice (s.108) | RM200,000 fine, or 2 years' imprisonment, or both |
The principle-breach ceiling rose from the previous RM300,000 and 2 years. The breach notification duty (notify the Commissioner within 72 hours) and the requirement to appoint a Data Protection Officer both took effect from 1 June 2025.
What you can expect as a complainant
JPDP will assess your complaint and may open an investigation. Realistic outcomes are regulatory: the organisation may be ordered to fix or stop the processing through an enforcement notice, and it may face prosecution and a fine. The process is directed at the organisation's conduct and does not award you compensation or damages, so a civil claim in court is a separate route if you want to recover a loss.
If you disagree with the Commissioner's decision, including a refusal to investigate or the terms of an enforcement notice, you can appeal to the Personal Data Protection Appeal Tribunal by filing a notice of appeal.
Practical digital privacy
The PDPA sets the rules for organisations that hold your data. What you do on your own phone and laptop decides how much of that data exists in the first place. Good daily habits shrink your exposure and make you a harder target for scams. Here is a practical routine any Malaysian can follow.
Passwords and 2FA
Length matters more than symbols. A passphrase of four or more unrelated words is harder to crack than a short string like T3$7#x. Use a different password for every account so one leaked site does not open the rest.
- Use a password manager to generate and store long, unique passwords. You only need to remember the one that unlocks it.
- Turn on two-factor authentication (2FA) everywhere it is offered: banking, e-wallets, email, and social media. 2FA blocks the large majority of automated account takeovers even when a password leaks.
- Prefer an authenticator app over SMS codes. SMS one-time passwords can be intercepted through SIM-swap and other attacks. Authenticator apps generate codes on your device and change them every 30 to 60 seconds. Use SMS only when a service offers nothing else.
- Never give your password or OTP to anyone over a call, WhatsApp, or a link. No bank, telco, or government agency will ask for it. This is the single most common way Malaysians lose money to scams.
App permissions and phone settings
Every app you install asks for access. Grant only what the app needs to do its job.
- Review permissions in Settings on both Android and iPhone. A torch app has no reason to read your contacts or location.
- Set location to "While using the app" or "Ask every time" rather than "Always".
- Turn off microphone, camera, and contacts access for apps that do not clearly need them.
- Delete apps you no longer use. Each one is another holder of your data.
Social media settings
- Set profiles to private and review who can see your posts, friends list, and phone number.
- Remove your date of birth, IC number, home address, and full phone number from public view. Scammers assemble these to impersonate you.
- Turn off location tagging on photos.
- Be cautious with quizzes and "find your name" games that harvest personal details.
Public Wi-Fi
Free Wi-Fi at malls, cafes, and airports is convenient and often unsecured.
- Avoid banking, shopping, or logging in to important accounts on public Wi-Fi.
- Use your mobile data or a trusted VPN for anything sensitive.
- Turn off automatic connection to open networks.
Reduce your data footprint
- Check whether your email has appeared in a known breach at haveibeenpwned.com, then change the password anywhere you reused it.
- Give a secondary email for sign-ups and loyalty programmes.
- Unsubscribe from services you have stopped using and ask them to delete your data. Under the PDPA you can withdraw consent and request access to or correction of your data held by an organisation.
- Verify suspicious accounts and numbers on the police Semak Mule portal (semakmule.rmp.gov.my) before you pay or share details.
Quick checklist
| Area | Do this now |
|---|---|
| Passwords | Unique passphrase per account, stored in a password manager |
| 2FA | Enabled on banking, email, and social media; authenticator app preferred |
| Permissions | Location set to "while using"; revoke access unused apps do not need |
| Social media | Profiles private; IC, address, and full phone number hidden |
| Public Wi-Fi | No banking on open networks; mobile data or VPN instead |
| Footprint | Breach-check your email; delete unused accounts |
If you suspect a scam or an unauthorised transfer, call the National Scam Response Centre at 997 and make a police report as soon as possible.
The privacy outlook
The 2024 amendments moved Malaysia's law much closer to the way data protection works elsewhere. The Personal Data Protection (Amendment) Act 2024 came into force in three tranches across 2025 (1 January, 1 April, and 1 June), and the direction of travel is set: stronger obligations on organisations, clearer rights for individuals, and a regulator with more enforcement powers.
Alignment with global standards
Several changes echo the EU's General Data Protection Regulation (GDPR). The Act now uses "data controller" and "data processor" in place of the old "data user" term, applies the Security Principle directly to processors, treats biometric data as sensitive personal data, and adds mandatory breach notification to the Commissioner, mandatory Data Protection Officer (DPO) appointment for qualifying organisations, and a data portability right under the new Section 43A. Maximum penalties rose to a RM1,000,000 fine and up to three years' imprisonment.
Malaysia has taken its own path on cross-border transfers. Rather than a central "adequacy" list, the Cross-Border Personal Data Transfer Guidelines (Guideline No. 03/2025) put the burden on the controller to assess the destination country through a transfer impact assessment. So the framework borrows GDPR concepts while keeping a decentralised model that suits Malaysian businesses.
What is still coming
The Personal Data Protection Department (JPDP) has signalled more work ahead:
- A more independent regulator. The Personal Data Protection Commissioner has flagged plans to reconstitute JPDP as a standalone commission with wider authority over data governance.
- New guidelines in the pipeline. Public consultations closed in 2025 on Data Protection Impact Assessments, Privacy by Design, and Automated Decision-Making and Profiling, with data portability guidance still under development.
- AI and data policy converging. Malaysia issued its National Guidelines on AI Governance and Ethics in September 2024, and as ASEAN Chair in 2025 it has positioned itself on regional digital governance.
Some gaps remain against the GDPR benchmark. Malaysian law still gives individuals a right to correct inaccurate data, without the broad "right to be forgotten" (erasure) that EU residents enjoy. The reforms also focus on the private sector, and the Act continues to carve out much of the federal and state government.
The bottom line
The reforms raise the floor for how personal data must be handled in Malaysia, and they hand individuals real tools: a breach must now be reported, and you can ask for your data to be moved. For businesses, the compliance bar has clearly gone up, and it will keep rising as JPDP finalises its guidelines. The safe assumption for the years ahead is a stricter regime, closer to international norms, backed by a regulator with sharper teeth. Reading your privacy notices, exercising your access rights, and reporting misuse to JPDP all matter more now than they did before 2025.
Sources & References
This guide is cross-referenced against primary official sources, regulatory references, and locally relevant materials.
- Department of Personal Data Protection (JPDP) The regulator's official page on JPDP, its establishment, and its role in enforcing the PDPA.
- Personal Data Protection Act 2010 (Act 709) The full text of Malaysia's principal data protection law on the regulator's site.
- Personal Data Protection (Amendment) Act 2024 JPDP's page on Act A1727, the first major update to the PDPA.
- Principles of Personal Data Protection (JPDP) Official explanation of the seven data protection principles.
- Data Subject Rights (JPDP) The regulator's list of rights of access, correction, consent withdrawal, and objection to direct marketing.
- Complaints to the public (JPDP) Official complaint channels: online form, email [email protected], and Call Centre 03-7456 3888.
- National Scam Response Centre (NSRC) Government page on the 997 hotline, which runs 24 hours and treats calls as official police reports.
- Semak Mule (Royal Malaysia Police, CCID) Police portal to check bank accounts, phone numbers, and companies linked to fraud, free and no registration.
- Have I Been Pwned Tool to check whether your email address has appeared in known data breaches.
Further reading: Mayer Brown: Key Amendments to Malaysia's PDPA and Cross-Border Guidelines · Sidley: Important Changes to Malaysia's Data Protection Laws · DataGuidance: Malaysia PDP (Amendment) Act · DLA Piper Privacy Matters: Breach Notification and DPO Guidelines · Sinar Daily: Malaysia Tops Personal Data Leaks in Asia