PDPA Correction Request (Malaysia)
REQUEST FOR CORRECTION OF PERSONAL DATA
Pursuant to Section 34 of the Personal Data Protection Act 2010 (PDPA 2010)
Date: [Request Date]
TO:
[Data User Name]
[Data User Address]
Attention: [DPO Name]
FROM:
[Data Subject Name]
NRIC/Passport: [NRIC/Passport]
[Data Subject Address]
Email: [Data Subject Email]
Tel: [Data Subject Phone]
RE: FORMAL REQUEST FOR CORRECTION OF PERSONAL DATA UNDER SECTION 34, PERSONAL DATA PROTECTION ACT 2010
I, [Data Subject Name] (NRIC/Passport: [NRIC/Passport]), am a data subject whose personal data is held by [Data User Name] ("the Data User"). I write to formally request the correction of my personal data pursuant to my rights under Section 34(1) of the Personal Data Protection Act 2010 (PDPA 2010).
1. INACCURATE PERSONAL DATA
1.1 Account / Reference: [Account Reference]
1.2 The following personal data held by the Data User is inaccurate, incomplete, misleading, or not up to date:
Current incorrect data: [Incorrect Data]
1.3 The correct personal data that should replace the above is:
Correct data: [Correct Data]
2. SUPPORTING DOCUMENTATION
2.1 In support of this request, I attach the following documentation evidencing the correct personal data:
[Supporting Documents]
2.2 The Data User is requested to verify the attached documentation and confirm its sufficiency for the purposes of processing this correction request.
3. LEGAL BASIS AND OBLIGATIONS
3.1 Section 34(1) of the PDPA 2010 grants every data subject the right to request in writing that the data user correct personal data that is inaccurate, incomplete, misleading, or not up to date.
3.2 Under Section 34(2) of the PDPA 2010, the Data User is required to respond to this request within 21 days of receipt. If the Data User agrees to correct the data, the corrected data must be transmitted to every person to whom the data was disclosed during the preceding 12 months.
3.3 The Data Integrity Principle under Section 10 of the PDPA 2010 independently obliges the Data User to take reasonable steps to maintain personal data that is accurate, complete, not misleading, and up to date.
4. RELIEF SOUGHT
4.1 I request that the Data User:
(a) Correct my personal data as specified in paragraph 1.3 above within 21 days of receiving this request;
(b) Transmit the corrected data to every person or organisation to whom my personal data was disclosed during the preceding 12 months;
(c) Provide written confirmation that the correction has been made, the date of correction, and the identity of any third parties to whom the corrected data has been transmitted.
4.2 If the Data User declines to make the correction, the Data User is required under Section 34(3) of the PDPA 2010 to inform me in writing of the reasons for the refusal, and I will be entitled under Section 34(4) to require the Data User to attach to my personal data record a statement that a correction was requested and refused.
5. FURTHER ACTION
5.1 If the Data User fails to respond within 21 days, provides an unjustified refusal, or otherwise fails to comply with its obligations under Section 34 of the PDPA 2010, I reserve the right to:
(a) Lodge a complaint with the Personal Data Protection Commissioner under Section 104 of the PDPA 2010;
(b) Commence civil proceedings in the High Court of Malaya for breach of the PDPA 2010 and seek damages for any loss or damage suffered.
Yours faithfully,
[Data Subject Name]
Data Subject
Date: [Request Date]
Data Subject
________________
Signature
What Is a PDPA Correction Request (Malaysia)?
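A PDPA Correction Request in Malaysia is a written request in which a data subject asks a data user to correct personal data that is inaccurate, incomplete, misleading, or not up to date, under Section 34 of the Personal Data Protection Act 2010 (PDPA 2010).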
The right to request correction applies to all sectors covered by the PDPA 2010, including banking and finance, insurance, telecommunications, transportation, utilities, health, and professional services as listed in the Personal Data Protection (Class of Data Users) Order 2013. Government agencies are currently excluded from the PDPA 2010's application but may be subject to separate data governance frameworks under the Communications and Multimedia Act 1998.
Under Section 34(1) of the PDPA 2010, a data subject may at any time request in writing that the data user correct personal data that is inaccurate, incomplete, misleading, or not up to date. The data user must within 21 days of receiving the request either correct the data and transmit the corrected data to each person to whom the data was disclosed within the previous 12 months, or inform the data subject in writing of the reason for refusing to correct the data. A refusal to correct does not automatically discharge the data user's obligation — the data subject may under Section 34(4) attach a statement to the personal data record noting that a correction was requested and refused.
The PDPC enforces the PDPA 2010, and data subjects who are aggrieved by a data user's refusal to correct may lodge a complaint with the PDPC under Section 104 of the PDPA 2010. The Commissioner may investigate and, if satisfied that the data user has breached the Data Integrity Principle, issue a notice of enforcement or refer the matter for prosecution. Conviction for breach of the Data Integrity Principle under Section 10 may result in a fine of up to RM 300,000 or imprisonment of up to two years under Section 129 of the PDPA 2010.
A PDPA Correction Request differs from a PDPA Access Request under Section 30, which entitles a data subject to request a copy of their personal data, and from a withdrawal of consent under Section 38, which stops future processing. The Correction Request is the appropriate instrument where the data subject has identified specific errors in data already held — for example, a wrong address, incorrect employment history, or inaccurate credit record shared with a financial institution reporting to Sistem Maklumat Rujukan Kredit (CCRIS) operated by Bank Negara Malaysia.
When Do You Need a PDPA Correction Request (Malaysia)?
A PDPA Correction Request in Malaysia is needed whenever a data subject discovers that a data user holds inaccurate, incomplete, misleading, or outdated personal data that requires correction.
A PDPA Correction Request is required when a bank, insurance company, or financial institution licensed by Bank Negara Malaysia holds incorrect personal details — such as a wrong NRIC number, inaccurate date of birth, or erroneous employment information — that affect the data subject's credit profile, loan eligibility, or insurance premiums.
A PDPA Correction Request is needed when a telecommunications company licensed under the Communications and Multimedia Act 1998 holds outdated contact information — such as an old address or superseded mobile number — that results in incorrect billing or service interruptions.
A PDPA Correction Request is required when a healthcare provider or hospital covered by the PDPA 2010 has recorded inaccurate medical information, incorrect diagnoses, or wrong patient details that could affect future treatment decisions or insurance claims under policies regulated by Bank Negara Malaysia.
A PDPA Correction Request is needed when an employer or HR department holds incorrect employment records — such as wrong salary figures, inaccurate performance ratings, or erroneous disciplinary records — that the employee discovers upon accessing their personnel file.
A PDPA Correction Request is required when a credit reporting agency registered under the Credit Reporting Agencies Act 2010 (CRAA 2010) holds inaccurate credit data about an individual, affecting the individual's credit score and borrowing capacity.
A PDPA Correction Request is needed when an e-commerce platform, financial technology company, or digital service provider holds incorrect personal data — for example, a wrong delivery address or inaccurate date of birth — that causes service failures or identity verification problems.
Parties in Malaysia should prepare a PDPA Correction Request (Malaysia) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Under Malaysian law, the Contracts Act 1950 (Act 136) governs contractual obligations. The Companies Act 2016 (Act 777) regulates corporate entities through the Companies Commission of Malaysia (SSM). The Employment Act 1955 (Act 265) and the Department of Labour govern employment matters. The Personal Data Protection Act 2010 (Act 709) and the Personal Data Protection Department protect personal data. The Inland Revenue Board of Malaysia (LHDN) administers tax obligations. The Industrial Court adjudicates employment disputes under the Industrial Relations Act 1967 (Act 177). Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your PDPA Correction Request (Malaysia)
A valid PDPA Correction Request in Malaysia under Section 34 of the Personal Data Protection Act 2010 must contain the following essential elements.
Identification of Data Subject: The request must state the full name and NRIC number (or passport number for foreign nationals) of the data subject, along with current contact details. This allows the data user to locate the correct record and verify the identity of the requestor.
Identification of Data User: The request must clearly identify the data user — the organisation, company, or entity holding the personal data — including its registered name, registration number under the Companies Act 2016 or the Registration of Businesses Act 1956, and address. Data users in regulated sectors must hold a certificate of registration issued by the PDPC under Section 16 of the PDPA 2010.
Description of Inaccurate Data: The request must precisely identify the personal data that is inaccurate, incomplete, misleading, or not up to date. The data subject should state the current incorrect version held by the data user and the correct version that should replace it.
Evidence Supporting Correction: The request should attach supporting documentation evidencing the correct information — for example, a copy of the NRIC card, a utility bill showing the correct address, a birth certificate, or an official employment letter. Section 34 of the PDPA 2010 does not explicitly require evidence, but attaching it expedites the data user's processing and reduces grounds for refusal.
Reference to PDPA 2010 Rights: The request should explicitly invoke the data subject's rights under Section 34(1) of the PDPA 2010, putting the data user on formal notice that the 21-day response period under Section 34(2) has commenced.
Relief Sought: The request should state the specific correction sought — for example, updating the address, correcting a date of birth, removing erroneous entries — and request written confirmation once the correction has been made and transmitted to any third parties to whom the data was previously disclosed.
Escalation Notice: The request should state that failure to correct within 21 days or unjustified refusal will result in a complaint to the Personal Data Protection Commissioner under Section 104 of the PDPA 2010 and, if warranted, civil proceedings in the High Court of Malaya for breach of statutory duty.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). PDPA Correction Request (Malaysia) (Malaysia) [Legal document template]. Forms Legal. https://forms-legal.com/malaysia/government/declarations/pdpa-correction-request-malaysia
Frequently Asked Questions
The legal basis for a PDPA Correction Request in Malaysia is Section 34 of the Personal Data Protection Act 2010 (PDPA 2010). Section 34(1) grants every data subject the right to request in writing that a data user correct personal data that is inaccurate, incomplete, misleading, or not up to date. The data user must respond within 21 days under Section 34(2) — either by making the correction and notifying all recipients from the past 12 months, or by providing written reasons for refusal. The Data Integrity Principle under Section 10 of the PDPA 2010 independently obliges data users to maintain accurate and current data. A data user who fails to comply with a correction request without lawful excuse commits an offence under Section 129 of the PDPA 2010, which carries a fine of up to RM 300,000 or imprisonment of up to two years.
Under Section 34(2) of the Personal Data Protection Act 2010, a data user in Malaysia must respond to a PDPA Correction Request within 21 days of receiving it. If the data user agrees to the correction, the corrected data must also be transmitted to every person to whom the data was disclosed within the preceding 12 months. If the data user refuses to make the correction, the data user must inform the data subject in writing within the 21-day period, stating the reasons for refusal. Where the data user refuses, the data subject is entitled under Section 34(4) to require the data user to attach to the personal data a statement that a correction was requested and refused. Persistent non-compliance may be referred to the Personal Data Protection Commissioner for investigation and enforcement action.
If a data user refuses to correct personal data in Malaysia, the data subject has several avenues of redress. Under Section 34(4) of the PDPA 2010, the data subject may require the data user to attach a correction statement to the personal data record, noting that a correction was requested and refused — this statement must be included in all future disclosures of that data. The data subject may lodge a complaint with the Personal Data Protection Commissioner under Section 104 of the PDPA 2010; the Commissioner has power to investigate, issue enforcement notices, and refer cases for prosecution. The Commissioner may also direct the data user to comply with the correction request. In addition, the data subject may commence civil proceedings in the High Court of Malaya for breach of the Data Integrity Principle under Section 10 of the PDPA 2010, seeking damages for any loss suffered.
The Personal Data Protection Act 2010 currently does not apply to the Federal Government and State Governments of Malaysia. Section 3(1) of the PDPA 2010 explicitly excludes the Federal Government and State Governments from the definition of 'data user'. This means a data subject cannot use Section 34 of the PDPA 2010 to compel a government department — such as the National Registration Department (Jabatan Pendaftaran Negara, JPN), the Inland Revenue Board (LHDN), or the Malaysian Immigration Department (Jabatan Imigresen) — to correct personal data. However, data subjects may seek correction of government-held records through separate administrative mechanisms, such as applying to JPN for NRIC corrections under the National Registration Regulations 1990, or through the Administrative Law remedies available in the High Court of Malaya.
The Personal Data Protection Act 2010 applies to data users in commercial transactions in Malaysia who are registered under the Personal Data Protection (Class of Data Users) Order 2013. Covered sectors include banking and finance (institutions licensed by Bank Negara Malaysia under the Financial Services Act 2013 and Islamic Financial Services Act 2013), insurance, telecommunications (licensees under the Communications and Multimedia Act 1998), transportation, healthcare, hospitality, utilities, retail, and professional services. Data users in these sectors must register with the Personal Data Protection Commissioner and comply with all seven PDPA 2010 data protection principles, including the Data Integrity Principle under Section 10. Failure to register is itself an offence under Section 16(6), punishable by a fine of up to RM 500,000 or imprisonment of up to three years.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
Related Documents
You may also find these documents useful:
Privacy Policy (Malaysia)
A Privacy Policy for Malaysia that discloses how a website or business collects, uses, stores, and discloses personal data in compliance with the Personal Data Protection Act 2010 (PDPA 2010, Act 709) and its seven data protection principles. Required for all Malaysian websites and apps that collect personal data.
Data Processing Agreement (Malaysia)
A Data Processing Agreement (DPA) for Malaysia that governs the processing of personal data by a data processor on behalf of a data user, as required by the Personal Data Protection Act 2010 (PDPA 2010, Act 709). Covers the seven PDPA data protection principles, security obligations, data breach notification, and sub-processor controls.
Non-Disclosure Agreement (Malaysia)
A legally binding Non-Disclosure Agreement (NDA) for Malaysia that protects confidential business information under the Contracts Act 1950. Covers unilateral and mutual confidentiality obligations, trade secrets, proprietary data, and permitted disclosures. Enforceable by injunction in the Malaysian High Court.