PDPA Data Breach Notification (Malaysia)

[Data User Name]

[Data User Address]

Data Protection Officer: [DPO Contact]

Date: [Notification Date]

PERSONAL DATA BREACH NOTIFICATION

Personal Data Protection Act 2010 (Act 709) — Security Principle (Section 9) | PDPC Data Breach Management Guidelines 2023

Dear Sir/Madam,

We, [Data User Name], write to notify you of a personal data security incident in accordance with the Security Principle under Section 9 of the Personal Data Protection Act 2010 (Act 709) and the PDPC Data Breach Management Guidelines 2023.

PART A — BREACH DETAILS

Nature of Breach: [Breach Type]

Date Breach Discovered: [Discovery Date]

Estimated Date of Breach: [Breach Date]

Description:

[Breach Description]

PART B — SCOPE AND IMPACT

Personal Data Compromised: [Data Compromised]

Number of Affected Data Subjects: [Affected Count]

Likely Consequences: [Likely Consequences]

PART C — REMEDIAL ACTIONS

Containment Measures:

[Containment Measures]

Prevention Measures:

[Prevention Measures]

Regulatory and Law Enforcement Notifications:

[Regulatory Notifications]

We deeply regret this incident and apologise for any concern or inconvenience caused. We are committed to protecting your personal data in accordance with the PDPA 2010 and will continue to take all reasonable steps to prevent recurrence. If you have any questions or wish to exercise your rights under Section 30 (access) or Section 34 (correction) of the PDPA 2010, please contact our Data Protection Officer at [DPO Contact].

Yours sincerely,

Authorised Signatory / Data Protection Officer

________________

Signature

Maintained by Vladislav Sergienko, Founder

What Is a PDPA Data Breach Notification (Malaysia)?

A PDPA Data Breach Notification in Malaysia is the formal written notice by which a data user informs affected data subjects (and, where applicable, the Personal Data Protection Commissioner) that personal data in its custody has been compromised in a security incident, and sets out what was affected, the likely consequences, and the remedial steps taken.

The Security Principle under Section 9 of the PDPA 2010 imposes a duty on data users to take practical steps to protect personal data from loss, misuse, modification, unauthorised or accidental access or disclosure, alteration, and destruction. A data breach represents a failure to comply with the Security Principle, and data users who fail to implement adequate security measures may be liable for an offence under Section 9(3) of the PDPA 2010, carrying a fine of up to RM 100,000 or imprisonment up to one year.

The PDPA (Amendment) Bill 2024, which was tabled in Parliament, proposes to introduce mandatory breach notification within 72 hours of a data user becoming aware of a breach — aligning Malaysia's data protection framework with the European Union's GDPR Article 33. When enacted, this amendment will make breach notification a legal obligation rather than a best-practice recommendation. Data users in regulated sectors (banking under Bank Negara Malaysia's Risk Management in Technology (RMIT) Policy, telecommunications under the Communications and Multimedia Commission's guidelines, and healthcare under the Ministry of Health's health data guidelines) already face sector-specific breach notification obligations independent of the PDPA 2010.

The PDPC's Data Breach Management Guidelines 2023 recommend a four-step response process: Contain (isolate the breach), Assess (evaluate the scope and impact), Notify (inform affected parties), and Review (implement corrective measures). The Guidelines recommend notifying the PDPC within 72 hours of confirming a significant breach, and notifying affected data subjects without undue delay where there is a real risk of harm.

The legal framework governing a PDPA Data Breach Notification in Malaysia draws on several key statutes and regulatory bodies. Under Malaysian law, the Contracts Act 1950 (Act 136) governs contractual obligations. The Companies Act 2016 (Act 777) regulates corporate entities through the Companies Commission of Malaysia (SSM). The Employment Act 1955 (Act 265) and the Department of Labour govern employment matters. The Personal Data Protection Act 2010 (Act 709) and the Personal Data Protection Department protect personal data. The Inland Revenue Board of Malaysia (LHDN) administers tax obligations. The Industrial Court adjudicates employment disputes under the Industrial Relations Act 1967 (Act 177). Parties issuing a PDPA Data Breach Notification in Malaysia should confirm that the document reflects current law, including any amendments enacted since the original drafting date. The Personal Data Protection Act 2010 (Act 709) sets the foundational requirements.

When Do You Need a PDPA Data Breach Notification (Malaysia)?

A PDPA Data Breach Notification is needed in Malaysia whenever a data user experiences a security incident that compromises the personal data of individuals and poses a real risk of harm to those individuals.

A PDPA Data Breach Notification is needed when a Malaysian company suffers a cyberattack — such as a ransomware attack, SQL injection, or credential stuffing — resulting in unauthorised access to customer or employee personal data stored in the company's systems. The notification informs affected individuals of the breach, the nature of compromised data, and protective measures they should take.

A PDPA Data Breach Notification is required under Bank Negara Malaysia's Risk Management in Technology (RMIT) Policy 2019 when a financial institution regulated under the Financial Services Act 2013 experiences a technology-related incident that compromises customer data. Banks must notify Bank Negara Malaysia within one hour of detecting a major incident and notify customers promptly.

A PDPA Data Breach Notification is needed when an e-commerce platform experiences a data breach exposing customers' names, NRIC numbers, email addresses, phone numbers, and payment card information. The notification must comply with both the PDPA 2010 requirements and, where payment card data is involved, the Payment Card Industry Data Security Standard (PCI DSS) incident response requirements.

A PDPA Data Breach Notification is needed following a physical data breach — such as the loss of an unencrypted laptop, a physical break-in to an office containing paper records with personal data, or the accidental mailing of documents containing one customer's data to another customer.

A PDPA Data Breach Notification is required when a data processor (a third-party vendor processing personal data on behalf of a data user) experiences a breach. Under the PDPA 2010, data users remain responsible for personal data processed by their data processors and must confirm contractual data security obligations under Section 9 are fulfilled.

What to Include in Your PDPA Data Breach Notification (Malaysia)

A legally effective Malaysian PDPA Data Breach Notification under the PDPC's Data Breach Management Guidelines 2023 and the Security Principle of the PDPA 2010 must contain the following essential elements.

Data User Identification: Full name, SSM registration number, PDPC registration number (if applicable), address, and contact details of the data user reporting or responding to the breach. The notification should state the name and contact details of the Data Protection Officer (DPO) or equivalent responsible person.

Description of the Breach: A clear description of the nature of the breach — whether it was an unauthorised external access, insider threat, system error, physical loss, or other type of incident. The description should include the date the breach was discovered, the estimated date the breach occurred (if known), and the duration of the breach.

Categories and Volume of Affected Data: The types of personal data compromised (names, NRIC numbers, financial data, health data, passwords, biometric data, etc.) and the estimated number of affected data subjects. If sensitive personal data under Section 40 of the PDPA 2010 (health information, financial information, racial origin, etc.) was compromised, this must be specifically identified.

Affected Data Subjects: Identification of the categories of affected individuals (customers, employees, suppliers, or other third parties) and, where possible, direct notification to specifically identified affected individuals.

Likely Consequences: An honest assessment of the likely consequences of the breach for affected data subjects — risk of identity theft, financial fraud, reputational harm, discrimination, or physical harm.

Remedial Measures: A description of the technical and organisational measures the data user has taken or proposes to take to address the breach, contain the damage, and prevent recurrence — including system patches, password resets, notification to law enforcement (Royal Malaysia Police, PDRM), and enhanced security measures.

Contact for Data Subjects: A dedicated contact point (email, phone, or online portal) where affected data subjects can obtain further information, ask questions, or exercise their rights under Section 30 and Section 34 of the PDPA 2010.

Additional compliance considerations for a PDPA Data Breach Notification used in Malaysia are as follows. Under Malaysian law, the Contracts Act 1950 (Act 136) governs contractual obligations. The Companies Act 2016 (Act 777) regulates corporate entities through the Companies Commission of Malaysia (SSM). The Employment Act 1955 (Act 265) and the Department of Labour govern employment matters. The Personal Data Protection Act 2010 (Act 709) and the Personal Data Protection Department protect personal data. The Inland Revenue Board of Malaysia (LHDN) administers tax obligations. The Industrial Court adjudicates employment disputes under the Industrial Relations Act 1967 (Act 177). Forms-legal.com provides this template as a starting point for Malaysia-compliant documentation.

Sources & Citations

Statutory citations link to official government sources.

  1. GDPR Article 33 (EU – GDPR)

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). PDPA Data Breach Notification (Malaysia) [Legal document template]. Forms Legal. https://forms-legal.com/malaysia/business/policies/pdpa-data-breach-notification-malaysia

MLA

"PDPA Data Breach Notification (Malaysia)." Forms Legal, 2026, https://forms-legal.com/malaysia/business/policies/pdpa-data-breach-notification-malaysia.

BibTeX

@misc{formslegal-pdpa-data-breach-notification-malaysia,
  author       = {{Forms Legal}},
  title        = {PDPA Data Breach Notification (Malaysia)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/malaysia/business/policies/pdpa-data-breach-notification-malaysia}},
  note         = {Free legal document template. Based on Personal Data Protection Act 2010 (Act 709)}
}

Based on Personal Data Protection Act 2010 (Act 709) — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.