Privacy Policy (Malaysia)
PRIVACY POLICY
Personal Data Protection Act 2010 (PDPA 2010, Act 709) | Malaysia
Effective Date: [Effective Date]
This Privacy Policy explains how [Company Name] (SSM Registration No. [Registration Number]) ('we', 'us', 'our'), of [Company Address], collects, uses, stores, discloses, and protects your personal data in accordance with the Personal Data Protection Act 2010 (PDPA 2010, Act 709) and its seven data protection principles.
1. PERSONAL DATA WE COLLECT
[Company Name] collects the following categories of personal data through [Website URL] and our other business channels:
[Personal Data Collected]
Sensitive Personal Data: [Sensitive Data Handling]. Where we collect sensitive personal data (including health information, religious beliefs, or other categories under Section 40 of the PDPA 2010), we obtain your explicit consent before processing such data.
2. PURPOSES OF COLLECTION AND PROCESSING
Under the General Principle (Section 6) and the Notice and Choice Principle (Section 7) of the PDPA 2010, [Company Name] processes your personal data only for the following specified and lawful purposes:
[Collection Purposes]
You have the right to withdraw your consent to marketing communications at any time by contacting us at [Contact Email].
3. DISCLOSURE TO THIRD PARTIES
Under the Disclosure Principle (Section 8) of the PDPA 2010, [Company Name] may disclose your personal data to the following categories of third parties:
[Third Party Disclosures]
Transfer Outside Malaysia: [Cross Border Transfers]. Countries of transfer: [Transfer Countries]. Cross-border transfers are made only in compliance with the Transfer Principle under Section 129 of the PDPA 2010.
4. DATA RETENTION
Under the Retention Principle (Section 10) of the PDPA 2010, [Company Name] retains personal data only for as long as necessary for the stated purposes. Retention periods: [Retention Period]. After the retention period, personal data is securely deleted or anonymised.
5. SECURITY MEASURES
Under the Security Principle (Section 9) of the PDPA 2010, [Company Name] implements appropriate technical and organisational measures to protect personal data from unauthorised access, loss, misuse, and disclosure. Security measures in place: [Security Measures].
6. COOKIES
Cookies used: [Cookies Used]. Types of cookies: [Cookie Types]. You can control cookies through your browser settings. Disabling certain cookies may affect website functionality.
7. YOUR RIGHTS UNDER THE PDPA 2010
Under the Access Principle (Section 12) of the PDPA 2010, you have the right to request access to your personal data held by [Company Name]. Under Section 34, you have the right to request correction of inaccurate, incomplete, or out-of-date personal data.
To exercise your rights, contact us at:
Email: [Data Subject Rights Contact]
Phone: [Contact Phone]
Address: [Company Address]
We will respond to access and correction requests within 21 days of receipt.
8. AMENDMENTS TO THIS PRIVACY POLICY
[Company Name] may update this Privacy Policy from time to time to reflect changes in our data practices or Malaysian data protection law, including any amendments under the Personal Data Protection (Amendment) Act 2024. The updated Privacy Policy will be published on [Website URL] with the revised effective date.
For complaints about the handling of your personal data, you may contact the Personal Data Protection Commissioner at the Ministry of Digital Malaysia or file a complaint at www.pdp.gov.my.
What Is a Privacy Policy (Malaysia)?
A Privacy Policy in Malaysia sets out how a data user collects, uses, stores, discloses, and protects personal data, and how data subjects can exercise their rights over that data.
The Notice and Choice Principle under Section 7 of the PDPA 2010 requires data users to notify data subjects — at or before the time of collection — of the purposes for which their personal data is collected and processed, the categories of third parties to whom the data may be disclosed, and the data subject's right to access and correct their personal data. A Privacy Policy is the standard mechanism for satisfying this notice requirement for websites, mobile applications, and online services.
The PDPA 2010 applies to personal data processed in Malaysia in connection with commercial transactions. It does not apply to federal and state governments, personal data processed outside Malaysia, or personal data processed for purely personal or domestic purposes. The Act protects two categories of personal data: general personal data (name, address, identification number, contact details) and sensitive personal data (health information, political opinions, religious beliefs, and criminal records) under Section 40, which attracts stricter consent requirements.
Malaysia's PDPA 2010 framework is being strengthened through proposed amendments in the Personal Data Protection (Amendment) Act 2024, which aim to introduce mandatory data breach notification (within 72 hours), mandatory Data Protection Officer (DPO) appointments for certain data users, and data portability rights for data subjects — bringing Malaysia's data protection framework closer to the EU's GDPR and Singapore's PDPA 2012. Websites collecting data from EU residents must additionally comply with the GDPR, and a single Privacy Policy can address both if drafted thoroughly.
The legal framework governing a Privacy Policy in Malaysia draws on several key statutes and regulatory bodies. The Personal Data Protection Act 2010 (Act 709), administered by the Personal Data Protection Department, sets the foundational requirements. More generally, the Contracts Act 1950 (Act 136) governs contractual obligations; the Companies Act 2016 (Act 777) regulates corporate entities through the Companies Commission of Malaysia (SSM); the Employment Act 1955 (Act 265) and the Department of Labour govern employment matters; the Inland Revenue Board of Malaysia (LHDN) administers tax obligations; and the Industrial Court adjudicates employment disputes under the Industrial Relations Act 1967 (Act 177). Parties adopting a Privacy Policy should confirm that the document reflects current law, including any amendments enacted since the original drafting date.
When Do You Need a Privacy Policy (Malaysia)?
A Privacy Policy in Malaysia is required for any website, mobile application, or business that collects personal data from Malaysian residents in connection with commercial activities.
A Privacy Policy is needed for any Malaysian e-commerce website that collects customer names, addresses, phone numbers, email addresses, and payment information in connection with online sales. The Notice and Choice Principle under Section 7 of the PDPA 2010 requires disclosure before collection.
A Privacy Policy is required for any mobile application operating in Malaysia that collects device information, location data, user profiles, or usage analytics from Malaysian users, whether the app is published by a Malaysian or foreign company.
A Privacy Policy is needed for any business that uses online contact forms, newsletter subscriptions, event registrations, or customer account systems to collect personal data, as each collection point triggers PDPA 2010 notice obligations.
A Privacy Policy is required for websites that use cookies or tracking technologies — including Google Analytics, Facebook Pixel, or LinkedIn Insight Tags — that collect browsing behaviour data associated with individual users. Such data may constitute personal data under the PDPA 2010's definition in Section 4.
A Privacy Policy is needed for Malaysian companies that receive resumes and job applications online, as applicant personal data including NRIC numbers, educational background, and employment history is collected and processed in connection with a commercial activity (employment).
A Privacy Policy is required for SaaS platforms operating in Malaysia that process personal data on behalf of their business customers, both to satisfy the SaaS platform's own PDPA obligations as a data user and to provide transparency to end users of its customers' platforms.
Parties in Malaysia should prepare a Privacy Policy proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your Privacy Policy (Malaysia)
A PDPA 2010 compliant Privacy Policy for Malaysia must contain the following essential elements reflecting all seven data protection principles.
Data User Identity: The full registered name, SSM registration number, and contact details of the data user — the company responsible for collecting and processing personal data. This is required under the Notice and Choice Principle (Section 7) so data subjects know who controls their data.
Categories of Personal Data Collected: A clear description of the types of personal data collected, including name, NRIC number, email address, phone number, payment information, and any sensitive personal data. The distinction between general and sensitive personal data under the PDPA 2010 must be reflected, with appropriate consent mechanisms for sensitive data.
Purposes of Collection and Processing: Specific purposes for which personal data is collected — for example, order fulfilment, customer support, marketing, legal compliance, or analytics. The General Principle under Section 6 of the PDPA 2010 requires processing only for specified, lawful purposes with consent.
Disclosure to Third Parties: Identification of categories of third parties to whom personal data may be disclosed — such as payment processors, logistics partners, cloud service providers, and government authorities — as required by the Disclosure Principle under Section 8 of the PDPA 2010.
Data Retention Period: The period for which personal data will be retained, reflecting the Retention Principle under Section 10 of the PDPA 2010. Retention periods must not exceed what is necessary for the stated purpose.
Security Measures: A description of the technical and organisational measures implemented to protect personal data from unauthorised access, loss, and misuse, as required by the Security Principle under Section 9 of the PDPA 2010.
Data Subject Rights: The Access Principle under Section 12 of the PDPA 2010 gives data subjects the right to access their personal data held by the data user and to request correction of inaccurate data. The Privacy Policy must explain how data subjects can exercise these rights and the contact details for submitting requests.
Cross-Border Transfers: Disclosure of any transfer of personal data outside Malaysia, and the basis for such transfers under the Transfer Principle in Section 129 of the PDPA 2010.
Cookie Policy: If the website uses cookies, a disclosure of the types of cookies used, their purposes, and how users can manage or disable cookies, consistent with international best practice and PDPA 2010 transparency requirements.
Additional compliance elements for a Privacy Policy (Malaysia) follow from the general statutory context described above: the Contracts Act 1950, the Companies Act 2016, the Employment Act 1955, the PDPA 2010, and the Industrial Relations Act 1967, together with their respective regulators. Forms-legal.com provides this template as a starting point for Malaysia-compliant documentation.
Cite this page
Forms Legal. (2026). Privacy Policy (Malaysia) [Legal document template]. Forms Legal. https://forms-legal.com/malaysia/business/policies/privacy-policy-malaysia
Frequently Asked Questions
Is a Privacy Policy legally required in Malaysia?
A Privacy Policy is effectively legally required for any Malaysian website or mobile application that collects personal data from users in connection with commercial transactions, by virtue of the Notice and Choice Principle under Section 7 of the Personal Data Protection Act 2010 (PDPA 2010, Act 709). Section 7(1) requires a data user to inform the data subject, before or at the time of collecting personal data, of the purposes for which the data is collected, the categories of persons to whom it may be disclosed, and the data subject's right to access and correct the data. A publicly accessible Privacy Policy displayed prominently on the website (typically in the footer and at points of data collection) is the standard mechanism for satisfying this obligation. Failure to comply with the Notice and Choice Principle is a criminal offence under Section 130 of the PDPA 2010, with fines up to RM 300,000 and/or imprisonment up to two years. The Personal Data Protection Commissioner can investigate complaints and issue enforcement orders.
What counts as personal data under the PDPA 2010?
Under Section 4 of the Personal Data Protection Act 2010 (PDPA 2010, Act 709), personal data means any information in respect of commercial transactions that relates directly or indirectly to a data subject who is identified or identifiable from that information, and includes sensitive personal data. General personal data includes name, identification number (NRIC), address, email address, phone number, date of birth, photograph, and IP addresses associated with identifiable individuals. Sensitive personal data — which attracts higher protection and stricter consent requirements under Section 40 — includes physical or mental health information, political opinions, religious beliefs or other beliefs of a similar nature, the commission or alleged commission of criminal offences, and other personal data as prescribed by the Minister. Business contact information (name, title, company email) collected exclusively for business-to-business purposes may not constitute personal data under the PDPA 2010, as the Act focuses on commercial transactions involving individuals rather than purely B2B interactions.
How should a website obtain valid consent under the PDPA 2010?
Valid consent for personal data collection under the Personal Data Protection Act 2010 (PDPA 2010, Act 709) must be freely given, specific, and informed. The General Principle under Section 6 of the PDPA 2010 requires the data subject's consent before processing personal data for specified purposes. For websites, consent is typically obtained through a clear and prominent notice (the Privacy Policy) disclosing the purposes of collection, combined with an affirmative action by the user, such as ticking an unchecked consent checkbox or submitting a form that carries a clear consent statement. Pre-ticked consent boxes do not constitute valid consent under good privacy practice, although the PDPA 2010 does not expressly prohibit them (unlike the GDPR). Data subjects must also be given a genuine choice, including the ability to withdraw consent, which means mandatory, non-consensual data collection should be limited to what is strictly necessary for the service. For sensitive personal data, Section 40 of the PDPA 2010 requires explicit consent.
Does the PDPA 2010 apply to foreign companies?
The Personal Data Protection Act 2010 (PDPA 2010, Act 709) applies to personal data processed in Malaysia in connection with commercial transactions. Section 2 of the PDPA 2010 applies it to any person established in Malaysia who processes personal data. For foreign companies with no physical presence in Malaysia, the extraterritorial application of the PDPA 2010 is less settled than, for example, the GDPR's explicit extraterritorial reach under Article 3. However, foreign companies that collect personal data from Malaysian residents through websites, mobile applications, or other commercial channels targeting the Malaysian market may face PDPA 2010 scrutiny, particularly if they have Malaysian subsidiaries, employees, or agents. The proposed 2024 PDPA amendments are expected to clarify the extraterritorial scope. In practice, foreign companies that process significant volumes of Malaysian personal data typically adopt PDPA 2010 compliance as a matter of good governance and to meet their Malaysian customers' expectations and contractual obligations.
Is there a right to erasure under the PDPA 2010?
The Personal Data Protection Act 2010 (PDPA 2010, Act 709) does not currently provide an explicit right to erasure or 'right to be forgotten' comparable to Article 17 of the EU's GDPR. The Access Principle under Section 12 of the PDPA 2010 gives data subjects the right to access their personal data, and Section 34 gives them the right to request correction of inaccurate data. Requests for deletion are not expressly provided for in the current PDPA 2010 text, although data users are required under the Retention Principle (Section 10) to delete or anonymise personal data when it is no longer needed for the original purpose. The proposed Personal Data Protection (Amendment) Act 2024 is expected to introduce a data portability right and potentially a right to erasure. In practice, many Malaysian companies voluntarily process deletion requests as a matter of good customer service and to align with international standards, particularly those also subject to the GDPR or to Singapore's PDPA 2012, which does provide an explicit right to withdraw consent and de-register.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
Related Documents
You may also find these documents useful:
Data Processing Agreement (Malaysia)
A Data Processing Agreement (DPA) for Malaysia that governs the processing of personal data by a data processor on behalf of a data user, as required by the Personal Data Protection Act 2010 (PDPA 2010, Act 709). Covers the seven PDPA data protection principles, security obligations, data breach notification, and sub-processor controls.
Cookie Policy (Malaysia)
A Cookie Policy for Malaysian websites disclosing the use of cookies and tracking technologies in compliance with the Personal Data Protection Act 2010 (PDPA 2010) and international best practice. Covers cookie categories, consent mechanisms, and user opt-out rights.
Terms of Service (Malaysia)
A comprehensive Terms of Service agreement for Malaysian websites, SaaS platforms, and online services, compliant with the Consumer Protection Act 1999, Electronic Commerce Act 2006, and Digital Economy Act. Covers user obligations, intellectual property, liability limitations, and governing law.