Common FAQs- Is Our Personal Data Protected?

The Complete Guide to PDPA Personal Data Protection Act and How it Affects You

With more and more personal data being shared and circulated on the internet, have you ever wondered how your personal data is protected? Would the website or company requesting your personal data abide by Malaysia's privacy law, the PDPA? If they don't, how can you pursue your rights?

There is a saying, "When something goes out on the Internet, it's out there forever". In this article, we will explore some of the questions most commonly asked by the general public when sharing their personal data with others.

  1. I always hear the term PDPA. What is the PDPA?

    PDPA is the short form of the Personal Data Protection Act 2010. It is a Malaysian law that regulates how commercial entities process the personal data given to them by an individual.

  2. What is Personal Data?

    Personal Data means any data that directly or indirectly allows someone to identify you.

  3. What are the examples of Personal Data?

    Images of a person, addresses, telephone numbers, and information describing your features or characteristics.

  4. Does everyone need to comply with the PDPA?

    Not everyone needs to comply with the PDPA. The PDPA only applies to someone who is using personal information for commercial purposes. In addition, government bodies and those performing governmental duties do not need to comply with the PDPA.

  5. If someone took my photographs without my permission and posted them on their social media to gain popularity, does that mean he has breached the PDPA?

    This will depend on his intention in using your personal data, or the position he was in when he took the photographs. If the intention is connected to a commercial purpose, then he would have breached the PDPA.

  6. If the person or the company wants to process my personal data, must they obtain my permission first?

    Yes. They must obtain your permission before they can process your personal data. This means they must specifically ask for your permission; they cannot assume or presume that you would give it. The exception is the scenario where they put up a notice telling you that if you do not choose to either accept or reject, it will be deemed that you have given your permission for them to use your personal data.

  7. Can I withdraw my permission anytime after I have given the permission to post my photographs?

    Yes. You can withdraw your permission at any time. They should always have a procedure in place for you to withdraw your permission.

  8. I often get SMS and calls marketing products from people I don't know. They said they obtained my contact details from a shop that collected my personal data. Is this considered a violation of the PDPA?

    Yes. The shop that initially collected your personal data is not allowed to simply share your personal data (in this case your contact number) with another person, unless the initial seller or the other person obtains specific permission from you.

  9. If I suspect my personal data was leaked to others by a staff member of the company that collected it, what can I do immediately?

    You can notify the company that collected your personal data. They are responsible for ensuring that steps are taken to contain the leak (breach) and for investigating its cause.

  10. For how long will my Personal Data be retained?

    Personal Data should only be retained until it is no longer needed. In general, personal data shall not be kept for more than ten (10) years.

  11. If I find out that a person or a company has violated the PDPA or is not responding to my request, what can I do?

    You can file a complaint with the Department of Personal Data Protection through its web portal. You will need to fill in the form provided on the website and attach any documents supporting your complaint.

  12. After I file the complaint, would I get any compensation from the party who leaked my Personal Data?

    Unfortunately, the Department of Personal Data Protection does not have the power to order any compensation to be paid by the person or company that leaked, or caused the leak of, your personal data.

    However, you can file a civil action in court against the person who breached the PDPA. In the civil action, you can claim damages for any loss you suffered as a result of the actions that leaked, or caused the leak of, your personal data.

  13. What are the things I need to do before making a complaint or initiating a court case?

    Firstly, you need to gather all the relevant evidence regarding the data breach. Examples of such evidence are (i) the personal data in question, (ii) how you found out about the leak, (iii) records showing how the data was misused, and (iv) the impacts and consequences you experienced.

    You want to contain the damage as soon as possible, so it is advisable to speak to a lawyer. A lawyer will be able to identify the best action to take. Such actions include (i) sending a cease and desist letter, (ii) filing for an injunction, and (iii) issuing a letter of demand, among others.

  14. What are the punishments for someone who fails to comply with the PDPA?

    The sanctions depend on which offence was committed under the PDPA.

    Sections or Subject under the PDPA                       | Punishments
    -------------------------------------------------------- | ------------------------------------------------------------------------
    Personal Data Protection Principles (Sections 5-12)      | Fine not exceeding RM 300,000 and/or imprisonment not exceeding 2 years
    Sensitive Personal Data (Section 40)                     | Fine not exceeding RM 200,000 and/or imprisonment not exceeding 2 years
    Code of Practice (Sections 21-29)                        | Fine not exceeding RM 100,000 and/or imprisonment not exceeding 1 year
    Withdrawal of Consent (Section 38)                       | Fine not exceeding RM 100,000 and/or imprisonment not exceeding 1 year
    Unlawful Collection, Disclosure & Sale (Section 130)     | Fine not exceeding RM 500,000 and/or imprisonment not exceeding 3 years


Previously, the PDPA was enforced only by the Personal Data Commission, which prosecuted data infringers who violated the PDPA. With the case of Chan Ah Kien v Brite-Tech Berhad, the Malaysian court has started to recognise that the PDPA needs to cover a wider scope, one that allows an individual to initiate a civil action against a person or company that violates the privacy laws, based on the data protection principles in the PDPA.

As a result of these developments, we, as Data Subjects, must preserve the integrity of our personal data by acknowledging its importance and not allowing anyone to abuse it.

This article is written by
Andrew Yoon
Senior Associate, Low & Partners
Joyce Ong
Associate, Low & Partners