Data Processing Agreement (Malaysia)
DATA PROCESSING AGREEMENT
Personal Data Protection Act 2010 (PDPA 2010, Act 709) | Contracts Act 1950 (Act 136)
THIS DATA PROCESSING AGREEMENT is made on [Effective Date]
BETWEEN:
(1) [Data User Name] (SSM No.: [Data User Number]) of [Data User Address] ("Data User"); AND
(2) [Processor Name] (SSM No.: [Processor Number]) of [Processor Address] ("Data Processor").
1. PROCESSING DETAILS
1.1 Categories of Personal Data: [Personal Data Categories]
1.2 Categories of Data Subjects: [Data Subject Categories]
1.3 Purposes of Processing: [Processing Purposes]
1.4 The Data Processor shall process personal data only on the documented instructions of the Data User and for no other purpose, in compliance with the General Principle under Section 6 of the Personal Data Protection Act 2010 (PDPA 2010, Act 709).
2. DATA PROCESSOR OBLIGATIONS
2.1 Security: The Data Processor shall implement appropriate technical and organisational security measures to protect personal data from unauthorised access, loss, modification, or disclosure, as required by the Security Principle under Section 9 of the PDPA 2010.
2.2 Confidentiality: The Data Processor shall ensure that persons authorised to process the personal data are subject to binding confidentiality obligations.
2.3 Sub-processors: The Data Processor shall not engage any sub-processor to process personal data without the prior written consent of the Data User. All sub-processors must be bound by equivalent data protection obligations.
2.4 Data Breach Notification: The Data Processor shall notify the Data User of any actual or suspected personal data breach within [Breach Notification Period] of becoming aware of the breach.
2.5 Audit Rights: The Data User has the right to audit the Data Processor's data protection practices upon reasonable notice, either directly or through an independent auditor.
3. DATA RETENTION AND DELETION
3.1 The Data Processor shall retain personal data for no longer than [Retention Period], consistent with the Retention Principle under Section 10 of the PDPA 2010.
3.2 Upon termination of the underlying services agreement or upon written request by the Data User, the Data Processor shall return or securely delete all personal data within thirty (30) days, and provide written confirmation of deletion.
4. CROSS-BORDER TRANSFERS
4.1 The Data Processor shall not transfer personal data outside Malaysia without the prior written consent of the Data User and in compliance with the Transfer Principle under Section 129 of the PDPA 2010.
5. GOVERNING LAW
5.1 This Agreement is governed by the laws of Malaysia. Disputes shall be resolved through the courts of Malaysia.
Authorised Signatory (Data User)
________________
Signature
Authorised Signatory (Data Processor)
________________
Signature
What Is a Data Processing Agreement (Malaysia)?
A Data Processing Agreement in Malaysia sets out the terms on which a third party may process personal data on behalf of a data user, and the rights and obligations each party agrees to be bound by.
Under the PDPA 2010, a data user is defined in Section 4 as a person who processes personal data or has personal data processed on their behalf. Where a data user engages a third party (the data processor) to process personal data — for example, a cloud computing provider, payroll bureau, or customer support platform — the data user remains responsible for ensuring that the data processor handles the data in compliance with the PDPA 2010. Section 40 of the PDPA 2010 imposes criminal liability on data users and on data processors (where the processor acts outside the data user's instructions) for breaches of the Act, with fines up to RM 500,000 and/or imprisonment.
The seven data protection principles under Section 5 of the PDPA 2010 — General Principle, Notice and Choice Principle, Disclosure Principle, Security Principle, Retention Principle, Data Integrity Principle, and Access Principle — form the framework that a Data Processing Agreement must reflect. The Security Principle under Section 9 specifically requires data users to take practical steps to protect personal data from loss, misuse, modification, unauthorised disclosure, and destruction.
Malaysia's PDPA 2010 is undergoing amendments through the Personal Data Protection (Amendment) Act 2024, which introduces a mandatory data breach notification requirement (currently voluntary under the existing Act) and strengthens the powers of the Personal Data Protection Commissioner. The proposed amendments bring Malaysia's data protection framework closer to the European Union's General Data Protection Regulation (GDPR), which influences how multinational companies structure their Data Processing Agreements for Malaysian operations.
The legal framework governing a Data Processing Agreement in Malaysia draws on several key statutes and regulatory bodies. The Contracts Act 1950 (Act 136) governs contractual obligations. The Companies Act 2016 (Act 777) regulates corporate entities through the Companies Commission of Malaysia (SSM). The Employment Act 1955 (Act 265) and the Department of Labour govern employment matters. The Personal Data Protection Act 2010 (Act 709), administered by the Personal Data Protection Department, sets the foundational requirements for the protection of personal data. The Inland Revenue Board of Malaysia (LHDN) administers tax obligations. The Industrial Court adjudicates employment disputes under the Industrial Relations Act 1967 (Act 177). Parties executing a Data Processing Agreement in Malaysia should confirm that the document reflects current law, including any amendments enacted since the original drafting date.
When Do You Need a Data Processing Agreement (Malaysia)?
A Data Processing Agreement in Malaysia is required whenever a company shares personal data of Malaysian residents with a third-party service provider that processes that data on the company's behalf.
A Data Processing Agreement is needed when a company engages a cloud computing provider — such as Amazon Web Services (AWS), Microsoft Azure, or a local Malaysian cloud provider — to host systems that store or process customer or employee personal data. The cloud provider acts as a data processor, and the company, as data user, must contractually bind the provider to PDPA 2010 compliance standards.
A Data Processing Agreement is required when a company uses an outsourced payroll bureau, HR management platform, or benefits administration service that processes employee personal data — including NRIC numbers, salary details, and bank account information — on the company's behalf.
A Data Processing Agreement is needed when a financial institution regulated by Bank Negara Malaysia (BNM) or the Securities Commission Malaysia (SC) engages a fintech platform or data analytics vendor that processes customer financial data, as both BNM's Risk Management in Technology (RMiT) Policy Document and SC's Guidelines on Technology Risk Management require formal data processing contracts.
A Data Processing Agreement is required when a company engages a marketing agency, customer relationship management (CRM) platform provider, or customer support outsourcing firm that will access and process the company's customer personal data for marketing, analytics, or support delivery purposes.
A Data Processing Agreement is needed when a Malaysian subsidiary of a multinational corporation transfers personal data to a parent company or affiliate in another country for group-level data processing, as the Transfer Principle under Section 129 of the PDPA 2010 restricts cross-border transfers of personal data outside Malaysia.
Parties in Malaysia should prepare a Data Processing Agreement (Malaysia) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your Data Processing Agreement (Malaysia)
A valid Data Processing Agreement in Malaysia under the PDPA 2010 must contain the following essential elements.
Parties and Roles: Clear identification of the data user (the party that determines the purpose of processing) and the data processor (the party processing data on the data user's behalf), with their SSM registration numbers and registered addresses. The agreement must specify the categories of personal data to be processed and the categories of data subjects (employees, customers, etc.).
Purpose and Instructions: A statement that the data processor shall process personal data only on the documented instructions of the data user and for no other purpose. This reflects the General Principle under Section 6 of the PDPA 2010, which requires personal data to be processed only for lawful purposes.
Security Measures: Specific technical and organisational security measures the data processor must implement, as required by the Security Principle under Section 9 of the PDPA 2010. These should include encryption of personal data in transit and at rest, access controls, employee confidentiality obligations, regular security audits, and ISO 27001 certification or equivalent.
Data Breach Notification: An obligation on the data processor to notify the data user of any actual or suspected personal data breach within a defined period (typically 24 to 72 hours of discovery), with details sufficient for the data user to comply with any applicable notification obligations under the PDPA 2010 or proposed amendments.
Sub-processor Controls: Restrictions on the data processor engaging sub-processors without the data user's prior written consent, and an obligation on the processor to impose equivalent data protection obligations on any approved sub-processors.
Data Retention and Deletion: The Retention Principle under Section 10 of the PDPA 2010 requires that personal data not be kept longer than necessary. The agreement must specify maximum retention periods and the data processor's obligation to delete or return personal data upon termination of the underlying service agreement.
Audit Rights: The data user's right to audit the data processor's data protection practices, either directly or through an independent auditor, to verify ongoing PDPA 2010 compliance.
Cross-Border Transfer Restrictions: Where personal data may be transferred to a country outside Malaysia, compliance with the Transfer Principle under Section 129 of the PDPA 2010 must be addressed, including confirmation that the recipient country provides adequate protection or that appropriate safeguards are in place.
Forms-legal.com provides this template as a starting point for Malaysia-compliant documentation.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Data Processing Agreement (Malaysia) [Legal document template]. Forms Legal. https://forms-legal.com/malaysia/business/policies/data-processing-agreement-malaysia
"Data Processing Agreement (Malaysia)." Forms Legal, 2026, https://forms-legal.com/malaysia/business/policies/data-processing-agreement-malaysia.
@misc{formslegal-data-processing-agreement-malaysia,
author = {{Forms Legal}},
title = {Data Processing Agreement (Malaysia)},
year = {2026},
howpublished = {\url{https://forms-legal.com/malaysia/business/policies/data-processing-agreement-malaysia}},
note = {Free legal document template. Based on Personal Data Protection Act 2010 (Act 709)}
}
Frequently Asked Questions
The Personal Data Protection Act 2010 (PDPA 2010, Act 709) does not explicitly mandate a written Data Processing Agreement in the same way as the EU's GDPR requires a data processing contract under Article 28. However, the PDPA 2010's Security Principle under Section 9 requires data users to take practical steps to protect personal data from loss, misuse, modification, or unauthorised access — and engaging a data processor without a formal agreement makes it nearly impossible for the data user to demonstrate compliance. The Personal Data Protection Commissioner, established under Section 42 of the PDPA 2010, can investigate complaints and impose enforcement orders. The proposed Personal Data Protection (Amendment) Act 2024 is expected to introduce more explicit requirements for data processor agreements. Practically, a Data Processing Agreement is essential for companies handling Malaysian personal data that are subject to sectoral regulations — BNM's RMiT Policy Document and the SC's Technology Risk Management Guidelines both require formal contracts with technology service providers.
The Personal Data Protection Act 2010 (PDPA 2010, Act 709) establishes seven data protection principles under Section 5 that govern the processing of personal data in Malaysia. The General Principle (Section 6) requires personal data to be processed only with the consent of the data subject and for lawful purposes specified in a notice. The Notice and Choice Principle (Section 7) requires data users to notify data subjects of the purposes of collection and processing and their right to access and correct their data. The Disclosure Principle (Section 8) prohibits disclosure of personal data to third parties without consent except in specified circumstances. The Security Principle (Section 9) requires appropriate technical and organisational measures to protect personal data. The Retention Principle (Section 10) prohibits keeping personal data longer than necessary. The Data Integrity Principle (Section 11) requires data to be accurate, complete, and kept up to date. The Access Principle (Section 12) gives data subjects the right to access their personal data and correct inaccuracies.
The Personal Data Protection Act 2010 (PDPA 2010, Act 709) prescribes criminal penalties for data users and, in some cases, data processors who breach the Act. Under Section 130 of the PDPA 2010, a data user who fails to comply with data protection principles is liable to a fine not exceeding RM 300,000 or imprisonment for a term not exceeding two years, or both. For aggravated offences — such as processing sensitive personal data without consent — the maximum fine increases to RM 500,000 with imprisonment up to three years. Officers of companies may also be personally liable under Section 133 where the offence is committed with their consent or connivance. The Personal Data Protection Commissioner has the power to investigate complaints, conduct audits, and issue enforcement orders under Sections 42 and 92 of the PDPA 2010. The proposed PDPA amendments in 2024 are expected to increase penalties and introduce mandatory breach notification obligations with specific notification timeframes.
Cross-border transfers of personal data outside Malaysia are restricted under the Transfer Principle in Section 129 of the Personal Data Protection Act 2010 (PDPA 2010, Act 709). Personal data may only be transferred to a place outside Malaysia if: (a) the recipient country is on the Minister's approved list of countries with adequate data protection laws; or (b) the data user obtains the data subject's consent to the transfer; or (c) the transfer is necessary for contract performance or legal proceedings. The Minister of Digital Malaysia has the power to designate approved countries under Section 129(2). As of 2025, the approved country list has not been comprehensively published, creating practical uncertainty for companies transferring data to standard cloud hosting locations. Multinational companies frequently rely on data subject consent or contractual safeguards (such as model clauses or a Data Processing Agreement with adequate security commitments) to justify cross-border transfers. The 2024 PDPA amendments are expected to provide clearer cross-border transfer mechanisms.
The Retention Principle under Section 10 of the Personal Data Protection Act 2010 (PDPA 2010, Act 709) requires data users not to retain personal data longer than is necessary for the fulfilment of the purpose for which the data was collected. The PDPA 2010 does not prescribe specific retention periods for all categories of personal data; instead, the retention period must be determined based on the purpose of collection and any applicable sector-specific requirements. For example, banks and financial institutions regulated by Bank Negara Malaysia are subject to the Financial Services Act 2013 and Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA), which impose minimum retention periods of five to seven years for customer records and transaction data. Employment records may need to be retained for seven years for tax and Labour Department purposes under the Employment Act 1955 and the Income Tax Act 1967. The Data Processing Agreement should specify maximum retention periods for each category of personal data and the processor's obligation to securely delete data upon the expiry of the retention period.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
Related Documents
You may also find these documents useful:
Privacy Policy (Malaysia)
A Privacy Policy for Malaysia that discloses how a website or business collects, uses, stores, and discloses personal data in compliance with the Personal Data Protection Act 2010 (PDPA 2010, Act 709) and its seven data protection principles. Required for all Malaysian websites and apps that collect personal data.
SaaS Agreement (Malaysia)
A Software as a Service (SaaS) Agreement for Malaysia governing subscription access to cloud-hosted software. Covers subscription fees, uptime SLA, data ownership, PDPA 2010 compliance, acceptable use, and termination under the Contracts Act 1950 and Electronic Commerce Act 2006.
Acceptable Use Policy (Malaysia)
An Acceptable Use Policy (AUP) for Malaysian websites, SaaS platforms, and internet service providers, defining permitted and prohibited uses of the service under the Communications and Multimedia Act 1998, Computer Crimes Act 1997, and PDPA 2010.