
PDPA Data Access Request (Malaysia)


[Requester Name]

[Address]

Email: [Email] | Tel: [Phone]

Date: [Request Date]

[DPO Name]

[Data User Name]

[Data User Address]

DATA SUBJECT ACCESS REQUEST UNDER SECTIONS 30 AND 34 OF THE PERSONAL DATA PROTECTION ACT 2010

Personal Data Protection Act 2010 (Act 709) — Sections 30, 31, 34 | Personal Data Protection Regulations 2013

Dear Sir/Madam,

I, [Requester Name] (NRIC: [NRIC]), am a data subject whose personal data is processed by [Data User Name]. I hereby exercise my right of access under Section 30 of the Personal Data Protection Act 2010 (Act 709, PDPA 2010) and request access to my personal data held by your organisation.

PART A — PERSONAL DATA REQUESTED

[Data Requested]

PART B — CORRECTION REQUEST (Section 34 PDPA 2010)

[Correction Request]

PART C — PURPOSE OF REQUEST

[Purpose]

I attach a copy of my NRIC (MyKad) as proof of identity. Please provide the requested information in a readily accessible format (electronic or printed copy).

I note that under Section 31 of the PDPA 2010, you are required to respond to this access request within 21 days of receipt. If you intend to charge the prescribed fee under the Personal Data Protection Regulations 2013 (maximum RM 10 per request), please notify me by return.

If you decline to provide access to some or all of the requested personal data, please provide written reasons citing the specific grounds for refusal under the Second Schedule to the PDPA 2010.

Please note that if I do not receive a response within 21 days or if I am not satisfied with your response, I reserve my right to lodge a complaint with the Personal Data Protection Commissioner (PDPC) under Section 43 of the PDPA 2010.

Yours faithfully,

Data Subject (Requester)

________________

Signature

Maintained by Vladislav Sergienko, Founder

What Is a PDPA Data Access Request (Malaysia)?

A PDPA Data Access Request in Malaysia puts on record the entitlement or interest the party seeks to protect or relinquish.

Section 30 of the PDPA 2010 grants every data subject the right to request from a data user: a copy of their personal data being processed; a description of the personal data; the purposes for which the data is being processed; the identities of any third parties to whom the data has or may be disclosed; and information about the source of the personal data where available. This right of access is fundamental to data subjects' ability to verify that their personal data is being processed lawfully and accurately.

Section 34 of the PDPA 2010 grants data subjects the right to request correction of personal data that is inaccurate, incomplete, misleading, or not up-to-date. Upon receiving a correction request, the data user must correct the data within 21 days of the request, or notify the data subject of the reasons for not correcting the data within 21 days. If the data user declines to make the correction, the data subject may require the data user to attach a statement of the correction requested to the personal data.

Data users may charge a prescribed fee for responding to access requests under the Personal Data Protection Regulations 2013. Data users may also refuse access requests on grounds specified in the Second Schedule to the PDPA 2010, including where disclosure would be contrary to national security, contrary to public interest, or would reveal information about a third party who has not consented to disclosure. Data subjects who are denied access or correction rights may lodge a complaint with the Personal Data Protection Commissioner (PDPC) under Section 43 of the PDPA 2010.

The legal framework governing a PDPA Data Access Request in Malaysia draws on several key statutes and regulatory bodies. Under Malaysian law, the Contracts Act 1950 (Act 136) governs contractual obligations. The Companies Act 2016 (Act 777) regulates corporate entities through the Companies Commission of Malaysia (SSM). The Employment Act 1955 (Act 265) and the Department of Labour govern employment matters. The Personal Data Protection Act 2010 (Act 709) and the Personal Data Protection Department protect personal data. The Inland Revenue Board of Malaysia (LHDN) administers tax obligations. The Industrial Court adjudicates employment disputes under the Industrial Relations Act 1967 (Act 177). Parties executing a PDPA Data Access Request in Malaysia should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Personal Data Protection Act 2010 (Act 709) sets the foundational requirements.

When Do You Need a PDPA Data Access Request (Malaysia)?

A PDPA Data Access Request is needed in Malaysia whenever an individual wishes to exercise their statutory rights under Sections 30 and 34 of the PDPA 2010 to understand what personal data a data user holds about them and to confirm that data is accurate and up-to-date.

A PDPA Data Access Request is needed when an individual suspects that incorrect personal data held by a bank, insurance company, credit bureau, or other financial institution may be affecting their credit applications, insurance premiums, or financial products. By obtaining access to the data under Section 30 and requesting correction under Section 34 of the PDPA 2010, the individual can identify and rectify errors.

A PDPA Data Access Request is needed by a former employee who wishes to know what personal data their former employer continues to hold about them after the employment relationship has ended, including performance records, disciplinary files, and reference letter content. The Retention Principle under Section 10 of the PDPA 2010 requires data users to stop retaining personal data once the purpose for which it was collected has been fulfilled.

A PDPA Data Access Request is needed by a customer of a telecommunications company, e-commerce platform, loyalty programme, or other digital service who wishes to obtain a copy of all personal data held about them — including transaction history, communication preferences, device identifiers, and location data — particularly before deciding to close or delete their account.

A PDPA Data Access Request is needed as a preliminary step before escalating a complaint to the PDPC. The PDPC's complaint procedures require a data subject to first attempt to exercise their rights directly with the data user before the PDPC will accept a formal complaint. A formal, documented access request with the data user's written response (or non-response) provides the evidentiary basis for a PDPC complaint under Section 43 of the PDPA 2010.

A PDPA Data Access Request is needed by an individual who has become a victim of identity fraud and wishes to trace the source of compromised personal data by requesting access from multiple data users to identify which organisation's data processing may have led to the breach.

What to Include in Your PDPA Data Access Request (Malaysia)

A valid Malaysian PDPA Data Access Request under Sections 30 and 34 of the PDPA 2010 must contain the following essential elements.

Requester Identification: Full name, NRIC number, address, email address, and phone number of the data subject making the request. Proof of identity (copy of NRIC or passport) should be attached, as data users are entitled to verify the identity of the requestor before disclosing personal data to prevent unauthorised access by third parties.

Data User Identification: Full name and address of the data user (organisation) to whom the request is directed. For large organisations, the request should be addressed to the Data Protection Officer (DPO) or the designated privacy contact, as published in the organisation's privacy policy or PDPA notice.

Scope of Request: A clear statement of the specific personal data requested under Section 30 of the PDPA 2010 — whether the requestor seeks all personal data held, or specific categories (financial data, health records, employment records, marketing preferences, etc.). Specificity helps the data user respond accurately and reduces processing time.

Purpose of Request: A brief explanation of why the access is being requested — this is not a legal requirement under the PDPA 2010, but providing a reason often speeds up the data user's response and helps focus the scope of the disclosure.

Correction Request (if applicable): Under Section 34, if the requestor also wishes to correct specific inaccuracies, the request should identify the specific data believed to be inaccurate, incomplete, or outdated and state the correct information.

Deadline Reminder: A reminder to the data user of their obligation under Section 31 of the PDPA 2010 to respond to the access request within 21 days of receiving the request (or within such extended period as the PDPC may allow).

Complaint Intention: A statement that if the data user fails to respond within the statutory period or refuses access without lawful grounds, the requestor intends to lodge a complaint with the Personal Data Protection Commissioner (PDPC) under Section 43 of the PDPA 2010.



Based on Personal Data Protection Act 2010 (Act 709) — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.