Types of Offences and Fines Imposed by Data Regulators in Malaysia

In March 2025, the Malaysian Personal Data Protection Commissioner (PDPC) issued a public list of data users and collectors penalised for non-compliance with the Personal Data Protection Act 2010 (PDPA) and the Personal Data Protection (Registration of Data Users) Regulations 2013.

This highlights a growing trend: businesses in Malaysia face increasing scrutiny and hefty fines for data protection breaches. Many organisations underestimate the risks until enforcement action is taken. Below, we summarise the most common offences and penalties – and why businesses must take proactive steps to ensure compliance.

1. Failure to Process Personal Data with a Valid Certificate of Registration (Section 16(4) PDPA)

Many companies process personal data without first obtaining or maintaining a PDPA Certificate of Registration. This is a serious offence.

  • Why it matters: Without registration, your business is operating outside the law. Customers, regulators, and business partners may lose trust in your ability to safeguard sensitive data.
  • Fines and penalties: Penalties currently imposed range from RM10,000 to RM20,000, but regulators are empowered to impose fines of up to RM500,000 and/or 3 years’ imprisonment.
  • Impact on business: Beyond financial penalties, reputational damage can result in loss of clients and even suspension of business operations.

📌 If you are unsure whether your organisation has a valid registration, now is the time to act.

2. Failure to Comply with PDPA Data Principles (Section 5(2))

The PDPA Data Protection Principles are the backbone of data privacy law in Malaysia. Non-compliance is increasingly common, often due to inadequate internal policies or lack of staff training.

  • Trends observed: Fines imposed range from RM12,500 to RM108,000, with potential penalties of up to RM300,000 and/or 2 years’ imprisonment.
  • Examples of violations: Collecting excessive personal data, using data for purposes not consented to, or failing to ensure adequate data security.
  • Business impact: Aside from monetary loss, companies risk customer complaints, data breach claims, and legal disputes.

⚠️ Every breach weakens public trust. In competitive industries, a single violation can push clients towards competitors who demonstrate stronger compliance.

3. Failure to Renew Certificate of Registration & Non-Compliance with 2013 Regulations

Another recurring offence is failure to renew the PDPA registration or non-compliance with the 2013 Regulations.

  • Why it is critical: Renewal ensures continuous compliance and demonstrates to regulators that your business takes data protection seriously.
  • Case study: Several Malaysian SMEs have faced prosecution simply because they overlooked the renewal deadline. This administrative oversight cost them tens of thousands of ringgit in fines.
  • Business impact: In addition to penalties, regulators may escalate enforcement, affecting licensing, tenders, and corporate reputation.

👉 Businesses should establish internal compliance checks and seek professional guidance to avoid these costly mistakes.

Conclusion: Don’t Risk Hefty PDPA Penalties

With regulators stepping up enforcement, data compliance in Malaysia is no longer optional. Whether you run an SME or a large corporation, failure to comply with the PDPA can result in severe financial loss, imprisonment, and reputational damage.

At Low & Partners, our legal team has extensive experience advising businesses on PDPA compliance, data protection audits, and regulatory defence.

📞 Contact us today to assess your compliance status and protect your business from unnecessary risks.
