Privacy

Malaysia PDPA Guide: Your Privacy Rights Under the Personal Data Protection Act

Understand your rights under Malaysia's Personal Data Protection Act (PDPA). Learn what companies can and cannot do with your personal data, how to file complaints, and how to protect your privacy.

LOCK.PUB
2026-03-19


Every time you sign up for a loyalty card, register at a clinic, or apply for a gym membership in Malaysia, you hand over personal data. Your name, IC number, phone number, address, and sometimes even your income level end up in corporate databases. But do you know what rights you have over that data?

Malaysia's Personal Data Protection Act 2010 (PDPA) — which came into force in 2013 — is the country's primary legislation governing how organisations collect, use, store, and share your personal information. Despite being over a decade old, many Malaysians remain unaware of the protections it provides.

What the PDPA Covers

The PDPA applies to any person or organisation that processes personal data in the context of commercial transactions. This includes:

  • Banks and financial institutions
  • Telcos (Celcom, Maxis, Digi, U Mobile)
  • E-commerce platforms (Shopee, Lazada)
  • Healthcare providers (private hospitals, clinics)
  • Insurance companies
  • Retailers and loyalty programme operators
  • Online service providers

What Counts as Personal Data?

Under the PDPA, personal data means any information that directly or indirectly identifies you:

Category: Examples
Identity: Name, IC number, passport number
Contact: Phone number, email, address
Financial: Bank account, salary, credit history
Health: Medical records, prescriptions, blood type
Biometric: Fingerprint, facial recognition data
Digital: IP address, browsing history, location data

What the PDPA Does NOT Cover

Important gaps exist. The PDPA does not apply to:

  • The federal and state governments
  • Non-commercial activities (personal or household use)
  • Data processed outside Malaysia (a significant limitation)
  • Credit reporting agencies operating under the Credit Reporting Agencies Act 2010

This means that government agencies like JPN, LHDN, and PDRM operate under different rules, and data processed by foreign companies on overseas servers may not fall under Malaysian jurisdiction.

Your Seven Rights Under the PDPA

1. Right to Access (Access Principle, Section 12; exercised under Sections 30 and 31)

You have the right to request access to any personal data an organisation holds about you. The request must be made in writing. The organisation must respond within 21 days of receiving it and may charge a prescribed fee. If it refuses, it must tell you why.

How to exercise it: Write a formal letter or email to the organisation's privacy contact (the privacy notice should name one) requesting access to your personal data, and keep a dated copy so you can show when the 21-day period started.

2. Right to Correct (Section 34)

If your personal data is inaccurate, incomplete, misleading, or out of date, you can request correction in writing. The organisation must make the correction within 21 days, the same period that applies to an access request, and must tell you if it refuses.

3. Right to Withdraw Consent (Section 38)

You can withdraw consent for the processing of your data at any time by giving written notice. The withdrawal may affect the services you receive. Note, however, that the PDPA allows processing without consent where it is necessary to perform a contract you are party to (Section 6(2)), so withdrawing consent from your telco does not stop it from billing you for a service you continue to use; it does stop processing that rested on consent alone, such as profiling for offers.

4. Right to Prevent Processing for Direct Marketing (Section 43)

You can require any organisation, by written notice, to stop (or not begin) using your data for direct marketing purposes. This is why you can tell companies to stop sending you promotional SMS messages and emails.

Practical tip: Replying "STOP" to a marketing SMS uses the sender's own opt-out mechanism. To put the organisation on notice under the Act, also send a written request (email is fine) citing Section 43 of the PDPA, and keep a copy; that written notice is what you will rely on if the messages continue.

5. Right to Prevent Processing Likely to Cause Damage (Section 42)

If processing is causing, or is likely to cause, substantial and unwarranted damage or distress to you or to someone else, you can require the organisation by written notice to stop that processing.

6. Right to Be Informed (Notice and Choice Principle, Section 7)

Organisations must inform you of:

  • What data they are collecting
  • Why they are collecting it
  • Who they may share it with
  • Whether it is obligatory or voluntary
  • Your right to access and correct the data

This is the purpose of those privacy notices you see (and usually skip) when signing up for services.

7. Right to Compensation

The PDPA does not spell out a standalone compensation remedy. If an organisation breaches the Act and you suffer loss as a result, compensation is pursued through an ordinary civil claim in the courts, alongside any complaint to the Commissioner.

The Seven Data Protection Principles

The PDPA establishes seven principles that organisations must follow:

Principle: What It Means
General: Data may be processed only with the data subject's consent, for a lawful purpose directly related to the organisation's activity, and only to the extent necessary for that purpose
Notice and Choice: Must provide a clear privacy notice, as soon as practicable, stating the purpose, the third parties, and whether supplying the data is obligatory or voluntary
Disclosure: Cannot share data for a purpose other than the one notified, or with third parties not named in the notice, without consent
Security: Must take practical steps to protect data from loss, misuse, modification, and unauthorised or accidental access or disclosure
Retention: Cannot keep data longer than necessary for the purpose; must take reasonable steps to destroy or anonymise it afterwards
Data Integrity: Must take reasonable steps to ensure data is accurate, complete, not misleading, and up to date
Access: Must allow data subjects to access their data and correct it where it is inaccurate, incomplete, misleading, or out of date

How to File a PDPA Complaint

If you believe an organisation has violated your privacy rights:

  1. Complain to the organisation first. Most have a designated complaints channel or privacy contact. Put the complaint in writing and keep a dated copy.
  2. If unresolved, file a complaint with the Personal Data Protection Commissioner (PDPC).
  3. Provide evidence: Screenshots, copies of communications (including any written notice you served under Sections 38, 42 or 43), and details of how your data was misused.

The Commissioner can investigate and issue enforcement notices. Offences under the Act are prosecuted in court, where the most serious carry fines of up to RM500,000 or imprisonment of up to three years.

Common PDPA Violations in Daily Life

The Unsubscribable Marketing Message

You keep receiving promotional SMS or calls from a company after serving a written request to stop. Continuing to process your data for direct marketing after such a notice contravenes Section 43. Document the messages, keep your copy of the notice, and file a complaint.

The Oversharing Business

A property agent shares your phone number and IC details with multiple third parties without your consent. This violates the Disclosure Principle.

The Missing Privacy Notice

A clinic collects your IC number and medical details without providing a privacy notice explaining how the data will be used. This violates the Notice and Choice Principle.

The Data Breach Cover-Up

A company experiences a data breach affecting your personal information but fails to notify you. The PDPA as enacted in 2010 had no mandatory breach notification requirement (a long-criticised gap); the Personal Data Protection (Amendment) Act 2024 introduces one, and until it is fully in force the Security Principle remains the main basis for a complaint.

Protecting Your Own Data

While the PDPA provides a legal framework, personal vigilance is equally important:

  • Read privacy notices before consenting. Check what data is collected and who it is shared with.
  • Ask "is this necessary?" when organisations request your IC number or other sensitive data. Many requests exceed what is legally required.
  • Use minimal information when registering for services. If a field is optional, leave it blank.
  • Regularly review permissions you have granted to apps on your phone.

Sharing Personal Data Digitally

When you need to share IC numbers, bank account details, or other personal data with trusted parties — for insurance applications, property transactions, or job applications — avoid sending them in unprotected WhatsApp messages or emails.

LOCK.PUB allows you to share sensitive personal data through password-protected, encrypted links that expire after a set time. This is especially useful when sharing MyKad images or financial documents, as the information is not permanently stored in anyone's chat history.

Looking Ahead: PDPA Amendments

Malaysia's PDPA has been amended by the Personal Data Protection (Amendment) Act 2024, whose provisions are being brought into force in phases. The amendments include:

  • Mandatory data breach notification — requiring organisations to notify affected individuals within a set timeframe.
  • Data portability — allowing you to transfer your data between service providers.
  • Appointment of data protection officers — mandatory for large organisations.
  • Cross-border transfer restrictions — tighter controls on data leaving Malaysia.

These changes bring the PDPA closer to international standards such as the EU's GDPR.

Know Your Rights

The PDPA exists to protect you, but it only works if you know your rights and exercise them. The next time a company asks for your IC number, ask them why they need it and how they will protect it. Your personal data has value — treat it that way.


Take control of your privacy. Share personal data securely with password-protected links at LOCK.PUB.

Keywords

Malaysia PDPA
Personal Data Protection Act Malaysia
Malaysia privacy law
PDPA rights Malaysia
Data Protection Malaysia
personal data rights
PDPA complaint
Malaysia privacy guide
