
PDPA Consent Form (Malaysia)

PERSONAL DATA PROTECTION CONSENT FORM

Personal Data Protection Act 2010 (Act 709) | Personal Data Protection Regulations 2013 | Notice and Choice Principle (Section 7)

Data User: [Data User Name]

Address: [Data User Address]

Data Protection Officer / Privacy Contact: [DPO Contact]

PDPC Registration No.: [PDPC Registration]

PART A — DATA PROTECTION NOTICE (Section 7 PDPA 2010)

1. PERSONAL DATA COLLECTED

[Data User Name] ('we', 'us', or 'the Company') collects and processes the following personal data about you:

[Personal Data Types]

2. PURPOSES OF PROCESSING

Your personal data is collected and processed for the following purposes:

[Processing Purposes]

3. DISCLOSURE TO THIRD PARTIES

Your personal data may be disclosed to the following third parties in accordance with the Disclosure Principle under Section 8 of the PDPA 2010:

[Third Party Disclosure]

4. SENSITIVE PERSONAL DATA

[Sensitive Data]

5. OVERSEAS TRANSFER OF PERSONAL DATA

[Overseas Transfer]

6. YOUR RIGHTS UNDER THE PDPA 2010

You have the right to access your personal data (Section 30), to request correction of inaccurate or incomplete data (Section 34), and to withdraw consent at any time by written notice to our Data Protection Officer. Withdrawal of consent may affect our ability to provide services to you. To exercise your rights, contact: [DPO Contact].

PART B — CONSENT DECLARATION

I, [Data Subject Name] (NRIC: [NRIC]), confirm that:

7. I have read and understood the Data Protection Notice above.

8. I give my voluntary and informed consent to [Data User Name] to collect, process, store, use, and disclose my personal data for the purposes stated above.

9. I consent to the collection of sensitive personal data as described (if applicable).

10. I understand that I may withdraw this consent at any time by written notice to the Data Protection Officer, and that such withdrawal may affect the provision of services.

Date of Consent: [Consent Date]

Data Subject

________________

Signature

Data User Representative

________________

Signature

Maintained by Vladislav Sergienko, Founder

What Is a PDPA Consent Form (Malaysia)?

A PDPA Consent Form in Malaysia records the consent or release given and the scope of what the party agrees to.

The Notice and Choice Principle under Section 7 of the PDPA 2010 requires data users to notify data subjects of specified information before or at the time of collecting personal data, and to give data subjects the choice to consent or withhold consent to processing their data. The Personal Data Protection Regulations 2013 (PU(A) 335/2013) prescribe the minimum information that must be provided in the data protection notice and consent form.

The Personal Data Protection Commissioner (PDPC) — established under Section 76 of the PDPA 2010 and operating under the Ministry of Communications and Digital — enforces the PDPA 2010 and has issued guidelines on consent, data security, and data subject rights. The PDPC's Enforcement Guidelines 2020 and sector-specific codes of practice (including codes for the healthcare, insurance, banking, and communications sectors) supplement the PDPA 2010 requirements for data users in regulated industries.

The PDPA 2010 applies to personal data processed in Malaysia by data users registered under the mandatory registration scheme in Section 13, which covers data users in specified commercial sectors including banking and financial institutions under the Financial Services Act 2013, insurance companies, healthcare providers, telecommunications companies under the Communications and Multimedia Act 1998, and utilities. The PDPA 2010 also applies to any data user processing personal data in Malaysia for commercial transactions. Notably, the PDPA 2010 does not apply to the federal and state governments (Section 3(1)) and does not cover personal data processed for personal or domestic purposes.

The legal framework governing the PDPA Consent Form (Malaysia) draws on several key statutes and regulatory bodies. Under Malaysian law, the Contracts Act 1950 (Act 136) governs contractual obligations. The Companies Act 2016 (Act 777) regulates corporate entities through the Companies Commission of Malaysia (SSM). The Employment Act 1955 (Act 265) and the Department of Labour govern employment matters. The Personal Data Protection Act 2010 (Act 709) and the Personal Data Protection Department protect personal data. The Inland Revenue Board of Malaysia (LHDN) administers tax obligations. The Industrial Court adjudicates employment disputes under the Industrial Relations Act 1967 (Act 177). Parties executing a PDPA Consent Form (Malaysia) should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Personal Data Protection Act 2010 (Act 709) sets the foundational requirements.

When Do You Need a PDPA Consent Form (Malaysia)?

A PDPA Consent Form is needed in Malaysia whenever a data user collects, processes, stores, transfers, or discloses the personal data of individuals in connection with a commercial transaction, and relies on consent as the lawful basis for such processing.

A PDPA Consent Form is required when an employer collects personal data from job applicants and employees — including NRIC numbers, employment history, medical records, bank account details for salary payment, and EPF membership numbers. Under the PDPA 2010 and the Employment Act 1955, employee personal data requires explicit consent for purposes beyond the immediate employment relationship, such as sharing employee data with group companies or outsourced payroll providers.

A PDPA Consent Form is needed when a healthcare provider collects patient personal data — name, NRIC, medical history, diagnoses, medications, and insurance information — for the purpose of providing medical treatment and submitting insurance claims. The PDPC's Healthcare Sector Code of Practice under the PDPA 2010 imposes specific consent requirements for sensitive medical data under Section 40 of the Act, which designates health data as sensitive personal data requiring explicit consent.

A PDPA Consent Form is required when a financial institution under the Financial Services Act 2013 or the Islamic Financial Services Act 2013 collects customer data for KYC (Know Your Customer) purposes under Bank Negara Malaysia's Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 guidelines, and wishes to use that data for marketing products and services.

A PDPA Consent Form is needed when an e-commerce business, retailer, or service provider in Malaysia collects customers' personal data — name, address, email, phone, payment information — for the purposes of processing transactions, delivering goods, and sending promotional communications. The PDPC's guidelines require separate consent for marketing communications beyond the core transaction purpose.

A PDPA Consent Form is required when personal data is to be transferred outside Malaysia under Section 129 of the PDPA 2010, which restricts cross-border data transfers to countries listed in the Personal Data Protection (Countries and Territories Receiving Personal Data from Malaysia) Order 2014, unless the data subject's explicit consent is obtained for the transfer.

What to Include in Your PDPA Consent Form (Malaysia)

A legally compliant Malaysian PDPA Consent Form under the Personal Data Protection Act 2010 and Personal Data Protection Regulations 2013 must contain the following essential elements.

Data User Identification: Full name and registration details of the data user — the organisation collecting and processing personal data. For companies, include the SSM registration number under the Companies Act 2016 and the PDPC registration number if the company is in a sector requiring mandatory registration under Section 13 of the PDPA 2010.

Data Subject Identification: A section for the data subject (the individual giving consent) to provide their name, NRIC number, and signature. The form must be capable of identifying the specific individual who gave consent.

Purpose of Collection: A clear, specific, and exhaustive statement of the purpose(s) for which personal data is collected and will be processed — for example, processing a job application, providing a service, sending marketing communications, or sharing data with related companies. Vague purpose statements ('for business purposes') do not comply with the Notice and Choice Principle under Section 7 of the PDPA 2010.

Categories of Personal Data: A specific list of the types of personal data being collected — such as name, NRIC, date of birth, address, email, phone number, financial information, health data, or sensitive personal data under Section 40. Sensitive personal data (health information, racial/ethnic origin, religious beliefs, political opinions, criminal records, biometric data) requires explicit separate consent.

Recipients and Disclosure: Identification of the third parties to whom personal data may be disclosed — affiliates, subsidiaries, service providers, outsourced data processors, regulatory authorities, and overseas recipients. Under the Disclosure Principle in Section 8 of the PDPA 2010, data may only be disclosed to third parties specified in the consent form.

Data Subject Rights: A statement informing the data subject of their rights under Section 30 (right of access to personal data), Section 34 (right to correct personal data), and Section 43 (right to withdraw consent and its consequences). The contact details for exercising these rights must be provided.

Withdrawal of Consent: A clear statement that consent may be withdrawn at any time by written notification to the data user, and the consequences of withdrawal — such as the inability to continue providing the service or processing the application.

Additional compliance elements for a PDPA Consent Form (Malaysia) draw on the wider legal framework. Under Malaysian law, the Contracts Act 1950 (Act 136) governs contractual obligations. The Companies Act 2016 (Act 777) regulates corporate entities through the Companies Commission of Malaysia (SSM). The Employment Act 1955 (Act 265) and the Department of Labour govern employment matters. The Personal Data Protection Act 2010 (Act 709) and the Personal Data Protection Department protect personal data. The Inland Revenue Board of Malaysia (LHDN) administers tax obligations. The Industrial Court adjudicates employment disputes under the Industrial Relations Act 1967 (Act 177). Forms-legal.com provides this template as a starting point for Malaysia-compliant documentation.

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). PDPA Consent Form (Malaysia) (Malaysia) [Legal document template]. Forms Legal. https://forms-legal.com/malaysia/business/policies/pdpa-consent-form-malaysia

Based on Personal Data Protection Act 2010 (Act 709) — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.