5 Key Elements Every PDPA Notice in Malaysia Must Have
- ipgenn
- Jan 16
A Quick Guide on How to Prepare a PDPA Notice in Malaysia
When entering the Malaysian market, most businesses focus on expansion, setting up companies, hiring local teams, and launching products. One area that is often overlooked is the Personal Data Protection Notice, commonly referred to as a PDPA Notice or Privacy Notice.
The reality is simple.
The moment you start collecting Personal Data, you are already required to prepare a Personal Data Protection Notice under Malaysian law.
Many businesses are aware of this requirement, but in practice, they simply copy a Privacy Notice from the internet, make minor tweaks, or worse, publish it without any changes.
What is often missed is that most Privacy Notices found online are drafted to comply with US or EU data protection laws, such as GDPR. These notices are not necessarily compliant with the Personal Data Protection Act 2010 of Malaysia (PDPA).
How Is Personal Data Protected in Malaysia?
In Malaysia, the processing of personal data in commercial transactions is governed by the Personal Data Protection Act 2010 (PDPA).
Once a business starts collecting and processing personal data, it must comply with the PDPA.
Personal Data includes any information that relates directly or indirectly to an identifiable individual, such as names, email addresses, phone numbers, or any data that can identify a person.
Under the PDPA, you must comply with seven Personal Data Protection Principles, including the Notice and Choice Principle, which directly requires the issuance of a Personal Data Protection Notice. [Please click here for 7 PDPA Principles in Malaysia Every Entrepreneur Must Know.]
Personal Data Protection Notice in Malaysia Is A Must
Pursuant to Section 7 of the Personal Data Protection Act 2010, which sets out the Notice and Choice Principle, a data user (the term the Personal Data Protection (Amendment) Act 2024 replaces with "data controller") must provide a written Personal Data Protection Notice to individuals whose personal data is being processed.
This notice is also commonly referred to as a Personal Data Notice or Privacy Notice.
This requirement applies regardless of whether the business is a startup, an SME, or a multinational corporation entering the Malaysian market.
The PDPA Notice must be provided in both English and Bahasa Malaysia, and it must be given at the point of first collection of personal data. Common examples include websites, sign-up forms, client onboarding documents, mobile applications, and other customer-facing touchpoints.
Failure to comply with the Personal Data Protection Principles, including the requirement to issue a PDPA Notice, is an offence under Section 5(2) of the PDPA and may upon conviction result in a fine of up to RM300,000, imprisonment of up to two years, or both. Note that the Personal Data Protection (Amendment) Act 2024 raises this maximum to a fine of up to RM1,000,000, imprisonment of up to three years, or both, once the relevant amendment is in force, so businesses should check the current penalty when assessing their exposure.

5 Key Elements Every PDPA Notice Must Have
A compliant Personal Data Protection Notice in Malaysia should, at a minimum, clearly address the following five elements.
Types of Personal Data Collected
Your PDPA Notice must inform data subjects (your customers, users, or any other individuals whose data you collect) about the types of personal data being collected.
This may include:
name and IC or passport number,
email address and phone number,
IP address, images, or recordings,
sensitive personal data such as health or religious information,
children’s personal data (below 18 years old), where applicable.
The description of personal data should be as specific as possible. Vague or overly broad statements undermine transparency and may create compliance risk under the PDPA.
Purpose of Collection and Processing of Personal Data
The PDPA Notice should clearly explain why personal data is collected and how it will be used. This includes whether the data is required for contractual or legal purposes, whether it will be used for marketing or promotional activities, how long it will be retained, and when it will be disposed of if it is no longer needed.
Under Malaysian law, personal data must not be used for purposes beyond what has been notified to the individual. Purpose limitation is a core compliance requirement under the Personal Data Protection Act.
Source of Personal Data
A compliant Personal Data Notice should also state how and where personal data is obtained. This may include data collected directly through:
websites or online forms,
application or onboarding forms,
mobile applications,
business cards,
cookies or online tracking tools,
third-party sources, where applicable.
Disclosing the source of personal data enhances transparency and aligns with the expectations set out under the PDPA.
Disclosure of Personal Data to Third Parties
If personal data is disclosed to third parties, such as vendors, service providers, professional advisers, or related companies, this must be clearly stated in the PDPA Notice. The notice should explain why such disclosure is necessary and how it relates to the provision of services or the operation of the business.
Importantly, under the Personal Data Protection Act 2010, a business remains responsible for personal data even where third parties are engaged to process it on the business’s behalf. This point is particularly relevant for multinational companies that rely on regional or global service providers.
Rights of Data Subjects
Your PDPA Notice must inform individuals of their rights under the PDPA. These include:
the right to access their personal data,
the right to correct inaccurate or incomplete data,
the right to withdraw consent for the processing of personal data,
the right to limit processing, such as opting out of marketing communications,
how to submit inquiries or complaints relating to personal data.
The notice should clearly explain how these rights can be exercised and provide accessible contact details for inquiries or complaints relating to personal data.
What This Means for Entrepreneurs and International Businesses
For businesses entering or operating in Malaysia, a Personal Data Protection Notice is the foundation of lawful personal data processing. It is not merely a formal document, but a key compliance mechanism under the Personal Data Protection Act.
A properly drafted PDPA Notice helps reduce regulatory risk, aligns Malaysian operations with international compliance expectations, builds trust with customers and business partners, and provides a level of protection if disputes or regulatory inquiries arise. Relying on a generic Privacy Notice drafted for other jurisdictions can expose a business to unnecessary compliance gaps under Malaysian law.
Need Help Drafting or Reviewing a PDPA Notice?
If your business is entering the Malaysian market or is unsure whether its existing Privacy Notice or PDPA Notice complies with the Personal Data Protection Act 2010, LAWENCO can assist.
Our team advises local and international businesses on:
drafting PDPA-compliant Personal Data Protection Notices tailored to Malaysian law,
reviewing existing Privacy Notices adapted from US, EU, or other jurisdictions,
identifying compliance gaps and regulatory risk under the PDPA, and
aligning Malaysian data protection practices with global compliance standards.
If you require a new PDPA Notice or an independent legal review of your existing notice, feel free to contact LAWENCO for a confidential discussion.
Written by,
Registered Trademark, Patent and Design Agent
LL.B (HONS), CLP
Advocate & Solicitor
Disclaimer:
This article is for general information purposes only and does not constitute legal advice. For advice tailored to your business or cross-border operations, please consult a qualified legal professional.