The Personal Data Protection (Amendment) Act 2024 and Guidelines on the Appointment of Data Protection Officer and Data Breach Notification 

The Personal Data Protection Act 2010 (“PDPA”) is the primary legislation in Malaysia which regulates the processing of personal data in respect of commercial transactions. 

The Minister of Digital has announced that the amendments to the PDPA made by the Personal Data Protection (Amendment) Act 2024 (“PDPA Amendment”) will come into operation on a staggered basis. To provide clarity on these requirements, guidelines/regulations are expected to be issued before the relevant part of the PDPA Amendment comes into force. Notably, guidelines relating to the appointment of data protection officers (“DPO”) and data breach notification (“DBN”) (“Guidelines”) were issued on 25th February 2025.

The first stage[1] of the PDPA Amendment came into force on 1st January 2025. As those amendments are not material, this Article will focus on the more significant amendments coming into force in the next 2 stages as well as the Guidelines.

1. Amendments to the PDPA coming into operation on 1st April 2025[2]

1.1 Data controller
The term ‘data user’ will be changed to ‘data controller’.[3] Data controllers are the entities who process (which includes collect, access, amend, modify, store) personal data in commercial transactions.

1.2 Biometric Data

  1. The PDPA Amendment introduces the term ‘biometric data’, which is defined as “any personal data resulting from technical processing relating to the physical, physiological or behavioural characteristics of a person”.[4]
  2. The term ‘sensitive personal data’ is revised pursuant to the PDPA Amendment to include ‘biometric data’.[5]

1.3 Personal Data Breach 

  1. The PDPA Amendment introduces the term ‘personal data breach’, which means “any breach of personal data, loss of personal data, misuse of personal data or unauthorized access of personal data”.[6]
  2. While the definition of ‘personal data breach’ will come into operation on 1st April 2025, the provision on mandatory DBN which refers to the term ‘personal data breach’ will only come into operation on 1st June 2025.[7]

1.4 Data Portability Request

The definition of ‘requestor’ in the PDPA will be amended to include those who make data portability requests.[8] While the amended definition of ‘requestor’ will come into operation on 1st April 2025, the right of a data subject to make a data portability request will only come into operation on 1st June 2025.

1.5 Data subject excludes deceased individuals 

The PDPA Amendment makes it clear that a ‘data subject’ will not include a deceased individual. Accordingly, the personal data of deceased individuals will not be considered as personal data for the purpose of the PDPA. 

1.6 Increased Penalties[9]

The PDPA Amendment increases the penalties for breaching the personal data protection principles from a maximum fine of RM 300,000 to RM 1,000,000 and imprisonment terms from 2 years to 3 years. 

1.7 Compliance with the Security Principle by Data Processors[10]

  1. A data processor is defined under the PDPA as “persons other than an employee of the data controller, who process personal data solely on behalf of the data controller, and does not process the personal data for any of their own purposes”. Currently, the PDPA imposes an obligation on the data controller to ensure data processors’ compliance with the security principle under section 9 of the PDPA (“Security Principle”).
  2. Pursuant to the new section 5(1A)[11] and amendments to section 9 of the PDPA,[12] however, data processors will now be directly obligated to comply with the Security Principle and be subject to penalties for any breach.

1.8 Data controller forum

The PDPA Amendment will allow the Commissioner to designate a single data controller as a data controller forum.[13]

1.9 Removal of “White-List Regime”[14]

  1. Currently, under the PDPA, the transfer of personal data outside of Malaysia is generally prohibited unless it is to such place as is specified by the Minister of Digital, upon the recommendation of the Commissioner, by notification published in the Gazette (a “White-List Regime”). To date, no countries have been published in the Gazette. Notwithstanding the general prohibition on transfers of personal data outside of Malaysia, the PDPA sets out the exceptions to the prohibition (e.g. where the data subject has given his consent to the transfer).
  2. Pursuant to the PDPA Amendment, the White-List Regime will be removed. Instead, data controllers may transfer any personal data of a data subject to any place outside Malaysia if:
    • there is in that place in force any law which is substantially similar to the PDPA; or
    • that place ensures an adequate level of protection in relation to the processing of personal data which is at least equivalent to the level of protection afforded by the PDPA.[15]
  3. It is anticipated that regulations will be issued to prescribe certain requirements in relation to the foregoing, including the possible requirement of conducting Transfer Impact Assessments (TIA) prior to any transfer of personal data outside Malaysia. 
  4. Moving forward, data controllers may seek to rely on this new legal basis, in addition to the existing ones (e.g. data subject’s consent).

2. Amendments to the PDPA coming into operation on 1st June 2025[16]

2.1 Appointment of a DPO[17]

  1. The PDPA Amendment introduces a new section 12A in the PDPA which requires:
    • a data controller (and data processor) to appoint at least one DPO who will be accountable to the data controller (and the data processor) for the compliance with the PDPA; and
    • a data controller to notify the Commissioner on the appointment of DPO in the manner and form determined by the Commissioner. 
  2. The appointment of DPOs does not discharge the data controller or data processor from all duties and functions under the PDPA.

2.2 Data breach notification[18]

  1. The PDPA Amendment introduces a new section 12B in the PDPA which requires a data controller to:
    • notify the Commissioner as soon as practicable in the manner and form determined by the Commissioner if it reasonably believes a personal data breach has occurred; and
    • notify the data subject of the personal data breach without unnecessary delay in the manner and form determined by the Commissioner if the personal data breach causes or is likely to cause any significant harm to the data subject.
  2. A data controller who contravenes section 12B of the PDPA may be subject to a maximum fine of RM 250,000 and/or 2 years imprisonment.

2.3 Right to Data Portability for Data Subjects[19]

Pursuant to the PDPA Amendment, the data portability request is introduced as a new right for data subjects under a new section 43A of the PDPA, allowing them to request the data controller to transmit their personal data directly to another data controller of their choice.[20] This right, however, is subject to technical feasibility and compatibility of the data format.[21]

3. Guidelines on the Appointment of DPO 

3.1 Conditions for the Appointment of DPO

Data controllers and data processors are required to appoint one or more DPO(s) if their processing of personal data involves:

  1. personal data of more than 20,000 data subjects; 
  2. sensitive personal data including financial information of more than 10,000 data subjects; or
  3. activities that require regular and systematic monitoring of personal data.

Note: Examples of activities that require regular and systematic monitoring of personal data include, but are not limited to (a) any form of activity where data subjects are tracked and profiled online or offline for purposes of behavioural advertising; (b) activities such as operating a telecommunications network; (c) activities involving CCTV or connected devices such as smart cars, home automation system etc. 

3.2 Qualification Requirements of DPO

  1. Minimum Skills or Expertise: Data controllers and data processors must ensure that the appointed DPO can demonstrate a sound level of the following skills, qualities and expertise:
    • knowledge of the PDPA and requirements under the local data protection practices;
    • understanding of the data controller’s or data processor’s business operations and personal data processing obligations;
    • understanding of information technology and data security;
    • personal qualities such as integrity, understanding of corporate governance and high professional ethics; and
    • ability to promote data protection culture within the organisation.
  2. Additional Requirements: For better responsiveness and accessibility, the DPO is required to:
    • be resident in Malaysia (i.e. physically present in Malaysia for at least 180 days in one calendar year or easily contactable via any means); and
    • be proficient in English and Bahasa Melayu. 
  3. DPO Training: The Commissioner may decide on necessary or expedient mechanisms (e.g. determining courses and training programmes) for DPOs. 

3.3 Matters Relating to the Appointment of DPOs

  1. Conflict of Interest: Data controllers and data processors must ensure that the performance of tasks and functions does not result in a conflict of interest for the DPO. For example, if a data controller’s Head of Marketing is asked to lead a marketing campaign to promote the data controller’s products while also assuming the dual role of DPO within the company, the Head of Marketing should decline the DPO position. This is because the objectives of the two roles are inherently conflicting. Specifically, the primary goal of marketing is to maximize product sales, which may conflict with the DPO’s responsibility to safeguard customers’ personal data.
  2. Method of Appointment: A DPO may be appointed either from among existing employees or through outsourcing services. If outsourcing services are used, certain conditions must be met. 
  3. DPO Appointment for Multiple Entities: A DPO may be appointed to serve multiple data controllers or data processors, provided that the DPO is easily accessible by the different entities receiving the DPO’s service. 

3.4 Notification of DPO Appointment

Data controllers required to appoint a DPO must register the appointed DPO and submit his business contact information within 21 days of the appointment. If there is any change in the appointed DPO or his business contact information, the data controller must promptly update the changes via the Personal Data Protection System (SPDP) at https://daftar.pdp.gov.my no later than 14 days from the effective date of the change.

3.5 Responsibilities of DPO

The core responsibilities of a DPO in respect of data processing activities include the following:

  1. inform and provide advice to the data controller or data processor on the processing of personal data (e.g. educate the data controller or data processor regarding the requirements under the PDPA);
  2. support the data controller or data processor in complying with the PDPA and other related data protection laws (e.g. review the data controller’s or data processor’s data protection policies);
  3. support the carrying out of data protection impact assessments;
  4. monitor the personal data compliance of the data controller or data processor (e.g. conduct audits on the compliance of the data controller or data processor with their data protection policies);
  5. ensure proper data breach and security incident management by assisting the data controller or data processor to prepare, process and submit reports and other documents required by the Commissioner;
  6. act as a facilitator and point of contact between data subjects and the data controller or data processor (e.g. manage requests concerning the exercise of data subjects’ rights); and
  7. act as the liaison officer and the main point of reference between the data controller or data processor and the Commissioner (e.g. prepare and submit information required by the Commissioner).

3.6 Contact Details of DPO

A data controller and data processor shall create a dedicated official business e-mail account for the DPO. This account must be distinct from the DPO’s personal or other work-related email addresses, actively monitored, and maintained at all times. The data controller or data processor shall publish the business contact information of the DPO through:

  1. the official website and other official media (e.g. social media platforms);
  2. personal data protection notices; or
  3. security policies and guidelines.

3.7 Record Keeping

Records of the appointed DPO shall be accurately maintained and retained by the data controller or data processor.

4. Guidelines on DBN

4.1 Requirements for DBN to the Commissioner

  1. A data controller is only required to notify the Commissioner of a personal data breach if the personal data breach causes or is likely to cause “significant harm”, i.e. if there is a risk that the compromised personal data:
    • may result in physical harm, financial loss, a negative effect on credit records or damage to or loss of property;
    • may be misused for illegal purposes;
    • consists of sensitive personal data;
    • consists of personal data and other personal information which, when combined, could potentially enable identity fraud; or
    • is of “significant scale” (i.e. if the number of affected data subjects exceeds 1,000).

Note: Examples of “personal data breach scenarios (Commissioner)” include, but are not limited to, (a) an employee loses a laptop containing personal data of more than 1,000 customers; (b) an unauthorised third party gains access to the medical records of patients; (c) an email containing the account statement of a customer was sent to the wrong recipient.

  2. Timeframes for DBN: A DBN shall be made as soon as possible and no later than 72 hours from the occurrence of the personal data breach.
  3. Computation of the 72-hour Timeframe: The following are examples of the computation of the 72-hour timeframe for submission of a DBN:
    • Lost USB Key: If a USB key containing unencrypted personal data is reported as lost, the 72-hour timeframe starts as soon as the data controller is informed of the loss;
    • Network Compromise: If a data controller’s network is potentially compromised or infiltrated, the 72-hour timeframe begins once the data controller confirms, during system inspection, that the network has indeed been compromised;
    • Data Processor Breach: Where a data processor processes data on behalf of a data controller, the 72-hour timeframe begins either when the data processor notifies the data controller of the breach or when the data controller obtains clear evidence of the breach, whichever occurs earlier.
  4. Manner of DBN: A DBN shall be made by completing:
    • the notification form available at www.pdp.gov.my; or
    • the notification form in Annex B of the Guidelines on DBN and submitting it to dpnpdp@pdp.gov.my or submitting the hard copy to the Commissioner
    (referred to as the “Initial Notification”).

The DBN will only be considered formally submitted once the Confirmation Notice has been issued by the Commissioner.

  5. Required Information: In addition to the mandatory fields in the notification forms, data controllers shall also provide the following additional information:
    • the details of the personal data breach (e.g. date and time the personal data breach was detected, number of affected data subjects, nature of the breach etc.);
    • the potential consequences arising from the personal data breach;
    • the chronology of events leading to the loss of control over personal data;
    • measures taken or proposed to be taken by the data controller to address the personal data breach and the affected data subjects; and
    • the contact details of the DPO or any other relevant contact person for further information.
  6. Notification in Phases: If the data controller cannot provide all the information requested at the time of the Initial Notification to the Commissioner, the remaining information may be submitted in phases, as soon as practicable and no later than 30 days from the date of the Initial Notification.
  7. Delayed DBN: If the data controller fails to notify the Commissioner within the 72-hour timeframe, a written notice must be submitted explaining the reasons for the delay and providing supporting evidence.

4.2 Requirements for DBN to the Data Subjects

  1. A data controller is only required to notify the data subjects of a personal data breach if the personal data breach causes or is likely to cause “significant harm”. Note, however, that the “significant scale” criterion does not apply to this determination.

Note: Examples of “personal data breach scenarios (data subjects)” include, but are not limited to, (a) a financial institution experiencing a cyberattack leading to the theft of customers’ personal and financial information; (b) a cybercriminal bypassing a direct seller’s server security, gaining control of the data, and threatening to delete it unless a ransom is paid, especially if no backups exist.

  2. Timeframes for DBN: The DBN must be made without unnecessary delay, and not later than 7 days after the Initial Notification is made to the Commissioner.
  3. Manner of DBN: The DBN shall be provided directly and individually (e.g. email, SMS etc.) to the data subjects in a practical manner using intelligible language appropriate to the circumstances. If direct notification is not practicable or requires a disproportionate effort, the data controller may use alternative means of notification (e.g. public communication – notification on the official website, social media post etc.). Examples of disproportionate effort include situations where:
    • notifying a large number of data subjects across multiple states or countries would impose an excessive logistical, administrative, or financial burden; or
    • notifying data subjects with outdated or incorrect contact information would require extensive resources to obtain accurate details for each individual.
  4. Required Information: When notifying affected data subjects of a personal data breach, the data controller must include:
    • the details of the personal data breach;
    • the potential consequences arising from the personal data breach;
    • measures taken or proposed to be taken by the data controller to address the personal data breach and mitigate its effects;
    • measures that the affected data subjects may take to reduce or eliminate adverse impacts; and
    • contact details of the DPO or relevant point of contact for further information.

4.3 Governance Requirements on DBN

  1. Implementation of Plans: The data controller shall establish adequate data breach management and response plans.
  2. Periodic Training: The data controller should conduct periodic training, awareness programmes and simulation exercises to ensure employees understand their roles and responsibilities in responding to a personal data breach.

4.4 Personal Data Breach involving Data Processor

The data controller must contractually obligate the data processor to promptly notify it of any data breach and to provide all reasonable and necessary assistance to enable the data controller to meet its notification obligations under the PDPA.

4.5 Duty to Conduct Assessment of Data Breach

The data controller should act promptly as soon as it becomes aware of any personal data breach to assess, contain and reduce the potential impact of the data breach, and should consider immediate containment actions such as isolating and disconnecting the compromised database or system from the network and suspending or disabling compromised access rights.

4.6 Obligations to Maintain Record

The data controller shall keep records and maintain a register detailing personal data breaches (including those that did not meet the notification criteria) for at least 2 years from the date of notification to the Commissioner.

[1] The first stage consists of Sections 7, 11, 13 and 14 of the Personal Data Protection (Amendment) Act 2024.
[2] The second stage consists of Sections 2, 3, 4, 5, 8, 10 and 12 of the Personal Data Protection (Amendment) Act 2024.
[3] Section 2 of the Personal Data Protection (Amendment) Act 2024.
[4] Section 3(b) of the Personal Data Protection (Amendment) Act 2024.
[5] Section 3(c) of the Personal Data Protection (Amendment) Act 2024.
[6] Section 3(d) of the Personal Data Protection (Amendment) Act 2024.
[7] Section 6 of the Personal Data Protection (Amendment) Act 2024.
[8] Section 3(e) of the Personal Data Protection (Amendment) Act 2024.
[9] Section 4(b) of the Personal Data Protection (Amendment) Act 2024.
[10] Section 5 of the Personal Data Protection (Amendment) Act 2024.
[11] Section 4(a) of the Personal Data Protection (Amendment) Act 2024.
[12] Section 5 of the Personal Data Protection (Amendment) Act 2024.
[13] Section 8 of the Personal Data Protection (Amendment) Act 2024.
[14] Section 12 of the Personal Data Protection (Amendment) Act 2024.
[15] Section 12 of the Personal Data Protection (Amendment) Act 2024.
[16] The third stage consists of Sections 6 and 9 of the Personal Data Protection (Amendment) Act 2024.
[17] Section 6 of the Personal Data Protection (Amendment) Act 2024.
[18] Section 6 of the Personal Data Protection (Amendment) Act 2024.
[19] Section 9 of the Personal Data Protection (Amendment) Act 2024.
[20] Section 9(1) of the Personal Data Protection (Amendment) Act 2024.
[21] Section 9(2) of the Personal Data Protection (Amendment) Act 2024.