The Malaysia Personal Data Protection Act (PDPA) went into effect on November 15, 2013. The PDPA was designed to give individuals greater control over their personal and sensitive data, and over how the individuals and organizations with whom they do business use it.

In this article, we'll go over the key similarities and differences between Malaysia's PDPA and the European Union's General Data Protection Regulation (GDPR) and how those differences may affect your business.


The 7 Principles of the Malaysian PDPA


All data users (data controllers) based in Malaysia or that use equipment in Malaysia to process data must comply with the following set of seven PDPA principles:

General Principle

The General Principle prohibits data users from processing personal data unless the data subject (customer/client/website visitor) has given consent. For sensitive personal data, that consent must be explicit.

Even with consent, a data user may process personal data only where the processing is:

  • For a lawful purpose directly related to an activity of the data user (for example, your website's activity)
  • Necessary for, or directly related to, that purpose, and
  • Adequate but not excessive, i.e., limited to the minimum needed to fulfill that purpose

Notice and Choice Principle

The Notice and Choice Principle demands that data users inform data subjects of a broad range of issues related to the data subject's personal information.

You must provide a clear written statement in both English and Malay concerning the following:

  • Your intent to collect personal information
  • What kind of data you collect (personal, sensitive, both, etc.)
  • Why you are collecting the data (i.e., what you intend to do with it)
  • With whom you share data
  • The right of the data subject to access and rectify personal data
  • Whether supplying the data is voluntary or obligatory and, if obligatory, the consequences of failing to supply it
  • How a data subject may limit the processing of their personal information
  • Your contact information

This can be done via a Privacy Policy. As you can see below, the information listed above is addressed in a standard Privacy Policy:

Amazon Privacy Notice with table of contents highlighted

Disclosure Principle

Under the Disclosure Principle, a data user may not disclose a data subject's personal data:

  • To any party other than the third parties (or classes of third parties) specified in your notice. In other words, you are forbidden from disclosing data to anyone outside the list of third parties you've specifically named in your notice.
  • For any purpose other than the purpose you specifically stated in your notice

However, you can disclose personal data under the following circumstances:

  • The data subject has given consent to the disclosure
  • The disclosure is necessary to prevent or detect a crime, or for the purpose of an investigation
  • The disclosure is required or authorized by law or by a court order
  • You acted in the reasonable belief that you had a legal right to disclose the information
  • You reasonably believed the data subject would have consented to the disclosure had they known its circumstances and reasons
  • The disclosure is justified as being in the public interest, in circumstances determined by the Minister

Security Principle

Data users are obligated to take specific steps to protect a data subject's personal information under the PDPA's Security Principle.

At a minimum, these steps must protect personal data from:

  • Loss
  • Misuse
  • Modification
  • Unauthorized or accidental access or disclosure
  • Alteration or destruction during processing

Additionally, your business must put in place a security policy that details the following:

  • Who may access personal data. This must include a registration system to monitor access.
  • What steps are taken to make sure personal data is always managed in a confidential manner
  • What technical measures currently exist, such as recovery systems and secure storage
  • What steps are in place to make sure information is transferred safely

Your security processes should be noted at least generally in your Privacy Policy:

Amazon Web Services Privacy Notice: How we secure information clause

Retention Principle

The Retention Principle establishes that companies may only keep personal data for the length of time necessary for a data user to carry out the primary purposes for which a company collected the data. Once personal data is no longer needed for processing purposes, it must be destroyed.

Disclose this in your Privacy Policy, like so:

Bolder Play Privacy Policy: Data retention clause

With that said, there aren't any statutory limits on the length of time you can keep personal data. As long as you are still using the data for the purposes you disclosed, no fixed time limit applies.

However, you must also remember that the personal data you hold is subject to inspection by the Personal Data Protection Commissioner. You must therefore maintain full and accurate records, including records of the personal data you have disposed of.

Data Integrity Principle

The Data Integrity Principle, the seventh PDPA principle, requires data users to take reasonable steps to ensure that the personal data they hold is accurate, complete, not misleading, and kept up to date, having regard to the purpose for which it was collected and further processed.

Access Principle

Data subjects are given the right to access and correct their personal information under the PDPA's Access Principle. Specifically, data subjects may request access to their data and, if they believe it is inaccurate, incomplete, misleading, or out of date, may request that it be corrected.

On the other hand, the PDPA outlines certain circumstances under which a data user can refuse access.

The 10 Fundamentals of Europe's GDPR


Europe's GDPR lays out regulations concerning how companies must process and protect the personal information of data subjects in the European Union.

The following are ten fundamentals that define the GDPR.

Lawfulness, Fairness, and Transparency

Under the GDPR, companies that process personal data must do so lawfully, fairly, and transparently. This means that:

  • All processing must rest on one of the lawful bases set out in the GDPR (such as consent, contract, legal obligation, or legitimate interests)
  • Companies are accountable for their processing and must be able to demonstrate that it complies with the GDPR
  • Companies must keep data subjects informed about the processing of their personal information

Data, Storage, and Purpose Limitation

Companies are expected to limit the processing of personal data. Under the GDPR, they must only collect data that is necessary and must not retain data once the purpose for which it was collected has been satisfied.

Rights of Data Subjects

The GDPR gives data subjects a number of rights. For example, they have the right to request information from companies about the precise information that companies have on them and what those companies do with that information. Additionally, data subjects may request corrections to that information.

Moreover, the data subject may formally object to having their data processed, ask for the transfer or deletion of their data, or lodge an official complaint.

Note user rights and how users can exercise them in a Privacy Policy clause like this one:

Clubhouse Privacy Policy: GDPR Rights clause excerpt

Consent

Where processing relies on consent, data controllers must obtain consent that is freely given, specific, informed, and unambiguous before processing personal data, and explicit consent for special categories of data such as health or biometric data. That consent must be documented, and the data subject can withdraw it at any time.

The best practice way to do this is with a checkbox that users must check to show consent:

Generic consent checkbox - Small

When an online service offered directly to a child relies on consent to process the personal data of someone under 16, the company must obtain the consent of that child's parent or guardian before processing the data. Member states may lower this age threshold, but not below 13.

Personal Data Breaches

All companies must document every personal data breach, including its facts, effects, and the remedial action taken, so that the regulator can verify compliance. If a breach is likely to result in a risk to individuals, the supervisory authority must be notified within 72 hours of the company becoming aware of it. If the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay.

Discover Card data breach notice

Privacy by Design

Organizations must include technical and organizational mechanisms to protect personal information when designing new processes and systems. In other words, companies must ensure privacy and protection from the very beginning. This is known as Privacy by Design.

Data Protection Impact Assessment

A Data Protection Impact Assessment must be carried out before starting any new project, product, or change to processing that is likely to result in a high risk to individuals (for example, large-scale processing of sensitive data or systematic monitoring), in order to assess the impact of the proposed processing and how to mitigate it.

The Transfer of Data

Data controllers are obligated to make sure that personal data remains protected when it is transferred, whether to another entity within the same corporate group or to a third party. Transfers outside the European Economic Area are permitted only to countries the European Commission has recognized as providing adequate protection, or where appropriate safeguards such as standard contractual clauses or binding corporate rules are in place.

Data Protection Officer

Companies are required to appoint a Data Protection Officer (DPO) if they are a public authority, if their core activities involve regular and systematic monitoring of individuals on a large scale, or if they process special categories of data on a large scale. The Data Protection Officer must help the company adhere to all of the GDPR's requirements.

Training and Awareness

Companies are required to promote awareness among their employees concerning the demands of the GDPR. To do so, they must engage in regular training to make sure their employees are aware of their responsibilities concerning personal data protection.

Major Differences Between the PDPA and the GDPR


As stated at the beginning of this article, many of the governing principles of Europe's GDPR sound similar to those of Malaysia's PDPA. However, data subjects within the European Union are provided greater rights.

Below are the major differences.

Personal Data

Malaysia's PDPA defines personal data only in regard to commercial transactions through which data subjects may be identified. In contrast, the GDPR's categories of personal data are not restricted to commercial transactions only.

The two laws are similar, though, in that both the PDPA and GDPR concentrate on a data subject's "identifiability" or "identification potential" to decide if the data provided constitutes "personal data."

The Right to Be Forgotten

The GDPR provides EU residents with the right to have all of their personal data erased under certain circumstances. For example, if data subjects withdraw consent or if the organization no longer has lawful grounds to process personal data.

Under Article 17 of the GDPR (the right to erasure), the controller must erase the data without undue delay, and Article 12 requires companies to respond to data subject requests within one month of receipt (extendable by a further two months for complex or numerous requests). A separate right to object to processing is set out in Article 21.

The PDPA, on the other hand, has no equivalent provision. The closest comparison is the Retention Principle: companies in Malaysia may keep personal data only for as long as is necessary to satisfy the purpose for which it was collected. However, no fixed time limit applies.

Right to Data Portability

Residents of the EU have the right to ask for their personal data in a machine-readable format. They can then transfer that information to another data controller without compromising its usability or security.

Malaysian data subjects do not enjoy the same rights as the PDPA does not address data portability. The PDPA provides data subjects the right to access their personal information and view it in documentary form. Businesses must also provide data subjects with copies of their data if viewing it in documentary form is not practical.

However, the PDPA doesn't provide for the explicit right of a data subject to transfer their information from one business to another.

Privacy by Design

As noted in the GDPR's ten fundamentals, businesses must take data privacy and protection into account when designing systems and processes. Additionally, companies must take organizational and technical steps to ensure that data protection principles are upheld at all times.

In contrast, the PDPA does not require data users to design their systems or processes with privacy or protection in mind.

Data Protection Officers

DPOs are required to have a full understanding of personal data protection laws under the GDPR. Organizations must give contact details for the DPO to the supervising authority, and they must have sufficient resources made available to them so that they can carry out their duties.

Additionally, Data Protection Officers must report to the highest management within the organizations they work with and must not perform any task that might cause a conflict of interest.

While the PDPA requires DPOs, their responsibilities and need for technical knowledge are not nearly as defined as their European counterparts. Unlike the GDPR, the PDPA does not require businesses to register their DPO with any supervising authority.

Moreover, Malaysia has no law demanding that the DPO must avoid conflicts of interest, report to the highest management, or that businesses must provide their DPOs with all necessary resources to perform their jobs at the highest level.


Key differences between Malaysia's PDPA and Europe's GDPR are found in areas such as:

  • Personal data
  • The right to be forgotten
  • The right to data portability
  • Privacy by design
  • Data protection officers

Both the Malaysian PDPA and Europe's GDPR are designed to protect their respective residents' privacy and information.

While there are many commonalities between these laws, companies doing business in either region need to understand the nuances of each when operating within them.
