This article is the latter part of “The Amendment of Personal Data Protection Act 2010 in 2024 (Part 1).”
Data Breach Notifications
Under Section 12B of the PDPA, data controllers are now required to notify the Commissioner “as soon as practicable”, and in any event within 72 hours, if they have reason to believe that a personal data breach which causes or is likely to cause “significant harm” has occurred. If it is not possible for the data controller to provide all the information required under the notification within 72 hours, further information may be provided in phases and as soon as practicable. In any case, the further information should not be provided later than 30 days from the day on which the notification was lodged.
A “personal data breach” is defined as any breach of personal data, loss of personal data, misuse of personal data, or unauthorised access to personal data. The Guidelines on Data Breach Notification provide some examples of data breach, including:
a. an employee mistakenly sending an email containing personal data to the wrong recipient;
b. an external party unlawfully accessing the data controller’s network or user accounts and extracting personal data; and
c. the alteration of personal data without permission.
A breach is considered to result in “significant harm” where there is a risk that the compromised personal data:
a. may result in physical harm, financial loss, a negative effect on credit records or damage to or loss of property;
b. may be misused for illegal purposes;
c. consists of sensitive personal data;
d. could potentially enable identity fraud; or
e. affects more than 1,000 data subjects.
The Guidelines on Data Breach Notification clarify the manner in which the data breach notification should be made and what it should include. This includes information such as the date and time of occurrence of the personal data breach, the nature of the personal data breach and how the breach was detected, the number of data subjects affected, the actual cause of the personal data breach, the actions to be taken to contain and mitigate the harm, and others.
Failure to notify the Commissioner when required may result in a fine of up to RM 250,000 (approximately USD 59,000)*1 and/or imprisonment for up to 2 years.
*1 Figure converted from RM to USD based on the middle rate published by Bank Negara Malaysia on 15 August 2025, and rounded up to the nearest thousand.
In addition, where a breach causes or is likely to cause significant harm to the affected data subject, the data controller must also notify the affected data subject “without unnecessary delay”, and within 7 days of the notification to the Commissioner.
Under the PDPA, there is no direct obligation regarding a data breach notification for a data processor. Therefore, in practice, the data controller is recommended to contractually impose an obligation on its data processor, in the data processing agreement, to promptly notify the data controller of any data breach that occurs, and to provide all reasonable and necessary assistance to the data controller to enable the data controller to meet its data breach notification obligations under the PDPA.
Cross-Border Data Transfer
Under Section 129 of the PDPA, a data controller may transfer the personal data of a data subject to a location outside Malaysia, provided that:
a. the destination has laws in force that are “substantially similar” to the PDPA (“Condition A”);
b. the destination has an “adequate level of protection” for the processing of personal data which is at least equivalent to the level of protection afforded by the PDPA (“Condition B”); or
c. statutory exceptions apply e.g. consent has been obtained, transfer is necessary for performance of contract, and reasonable precautions and due diligence have been undertaken.
The Guidelines on Cross Border Personal Data Transfer clarify the requirements for compliance with the conditions above. To ascertain whether Condition A or B above is met, a transfer impact assessment (“TIA”), i.e. a risk assessment of the destination’s legal and regulatory framework, may be conducted.
As far as Condition A is concerned, the TIA should consider, among other things, the following factors:
a. whether the law provides data subjects with similar rights, e.g. the right of access and the right to correct personal data;
b. whether there are similar Personal Data Protection Principles in place, e.g. the Security Principle*2;
c. whether there are similar requirements and protection in relation to the processing of personal data including collection, disclosure, retention and cross border data transfer, DPO, data breach notification, data processor obligation; and
d. whether there is a regulatory authority comparable to Malaysia’s, with equivalent powers and functions.
*2 The Security Principle requires a data controller and a data processor to, when processing personal data, take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction.
Where data controllers seek to rely on Condition B, the TIA should take into account, among other things, the following factors:
a. whether the receiver has security measures and policies that are in line with the Security Principle and the Personal Data Protection Standard;
b. whether the receiver holds any security related certifications which have assessed the systems in place and deemed to be secure;
c. whether the receiver has legally enforceable obligations that the data controller or data subject can enforce, and whether the governing law is easily enforceable;
d. the receiver’s compliance history with personal data protection laws;
e. whether the receiver requires, or is legally obliged to require, data processors to protect personal data; and
f. whether there is a regulatory authority comparable to Malaysia’s, with equivalent powers and functions.
The findings of a TIA are valid for up to 3 years, after which a follow-up TIA must be conducted. If there are changes to the relevant personal data protection laws, a review should be undertaken sooner to assess whether the condition can still be met.
With respect to the undertaking of reasonable precautions and due diligence under the statutory exceptions, the Guidelines on Cross Border Personal Data Transfer state that the taking of all reasonable precautions and the exercise of due diligence may be demonstrated by the following mechanisms:
a. binding corporate rules (“BCR”);
b. contractual clauses; or
c. certification under an approved certification scheme.
Where it is unclear whether Condition A or B is met, and it is difficult to obtain consent from the data subject, one of the above mechanisms may be implemented. In particular, for intra-group data transfers, BCR are expected to be adopted.
Other Notable Changes
Several other key changes have been introduced under the amended PDPA. First, data subjects now have the right to data portability, enabling them to request the transfer of their personal data directly from one data controller to another, subject to technical feasibility and the compatibility of data formats. Secondly, deceased individuals have been excluded from the definition of “data subject” under the amended PDPA, as a result of which processing a deceased individual’s personal data is no longer subject to the PDPA. Finally, the amended PDPA extends the application of the Security Principle to data processors, marking a significant shift in accountability.
In light of the above changes, organisations should review and update their internal policies, reassess personal data transfer mechanisms, and ensure staff are properly trained on data protection obligations to ensure compliance with the amended PDPA.