Key Definitions
Personal data

Last review date: 31 December 2024

"Personal data" means any information relating to commercial transactions that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expressions of opinion about the data subject.

Note that effective 1 April 2025, the definition of "data subject" will no longer include deceased individuals. Given the definition of "personal data" refers to a "data subject," this effectively means that personal data of deceased individuals will be excluded from the requirements under the PDPA by 1 April 2025.

Sensitive/special personal data (including personal data subject to additional protections/restrictions/breach notification obligations)

Last review date: 31 December 2024

Sensitive data includes:

  • personal data revealing political opinions
  • personal data revealing religious or philosophical belief
  • genetic data
  • biometric data for the purpose of uniquely identifying a natural person or biometric templates
  • data concerning health/medical information
  • personal data regarding an individual's criminal convictions or record

Controller vs Processor

Last review date: 31 December 2024

Do the privacy laws distinguish between controllers/owners and processors/agents? Whereby:

  • The controller/owner is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • The processor/agent is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Answer: Yes.

Effective 1 April 2025, the term "data user" in the PDPA will be replaced with "data controller." The definition remains unchanged: a data user/controller is a person who, either alone, jointly, or in common with other persons, processes any personal data or has control over or authorizes the processing of any personal data, excluding a data processor.

A "data processor" is defined as any person, other than an employee of the data user/controller, who processes personal data solely on behalf of the data user/controller and does not process the personal data for any of their own purposes.

Note that the PDPA does not apply to the Government of Malaysia.