Data privacy and security
7. Are there any data privacy and/or data security laws that would apply?

Yes. The Personal Data Protection Act 2010 ("PDPA") governs the processing of personal data (which is defined broadly to include collecting, recording, holding, storing or carrying out any operations on personal data) in commercial transactions in Malaysia. Note, however, that the PDPA only imposes direct obligations in respect of the processing of personal data by data users. There is no provision under the PDPA that imposes a direct obligation on data processors to comply with the PDPA.

Where the cloud service providers are merely data processors that carry out data processing activities on behalf of the financial institutions (i.e., the data users), the PDPA requires the data users (in addition to other compliance obligations under the PDPA) to ensure that their data processors do the following:

  • Provide sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out.
  • Take reasonable steps to ensure compliance with those measures.
  • Comply with the security standards prescribed under the Personal Data Protection Standard 2015 ("Standards"). This relates to the security-related Standards in respect of processing personal data electronically.

In addition to the above, the following five amendments to the PDPA were expected to be tabled in Parliament in October 2022:

  • The requirement for data users to appoint a data protection officer
  • Mandatory data breach notification
  • Data processors being obligated to comply with the security principle under the MY PDPA
  • Introduction of data portability
  • Introduction of blacklisted countries such that transfers of personal data to these countries will be prohibited

(collectively, "2022 Proposals").

However, the 2022 Proposals were put on hold following the dissolution of the Malaysian Parliament in October 2022. In 2023, the new minister of communications and digital announced that the Malaysian Personal Data Protection Department is looking to enhance the 2022 Proposals before tabling the same in Parliament (the timeline of which has not been announced).