Our previous article on the proposed amendments introduced by the Personal Data Protection (Amendment) Bill 2024 is accessible here.
Pursuant to a notification in the Gazette published on 24 December 2024, the Personal Data Protection (Amendment) Act 2024 (“PDPA Amendment Act”), which received royal assent on 9 October 2024, is set to come into effect in 3 phases. The first phase will commence on 1 January 2025, followed by the second phase scheduled on 1 April 2025, and the final phase on 1 June 2025. We set out below an overview of each phase.
First phase
Sections 7, 11, 13 and 14 of the PDPA Amendment Act to be effective on 1 January 2025
- Allows for service of notices or any other document which may be given under the Personal Data Protection Act 2010 (“PDPA”) upon any person by way of electronic means.
- The amendments are generally administrative in nature and do not impose new obligations.
Second phase
Sections 2 – 5, 8, 10 and 12 of the PDPA Amendment Act to be effective on 1 April 2025
(a) Change in terminology and revision to definitions
- Substitution of the term “data user” with “data controller”.
- Definition of “sensitive personal data” expanded to include “biometric data”.
- “Personal data breach” defined to mean any breach, loss, misuse or unauthorized access of personal data.
- Exclusion of personal data of deceased individuals from the scope of the PDPA.
(b) New obligation on data processors
- Data processors will be directly regulated under the security principle outlined in section 9 of the PDPA when processing personal data.
- Non-compliance will result in penalties imposed directly on data processors.
(c) Increased penalties
- Maximum penalties for non-compliance with the personal data protection principles increased to a fine of RM1,000,000 from RM300,000 and/or imprisonment for a term of 3 years from 2 years.
(d) Amendments to cross-border data transfers
- Removal of whitelisting regime.
- Permits the transfer of personal data to countries with substantially similar data protection laws or equivalent levels of protection.
Third phase
Sections 6 and 9 of the PDPA Amendment Act to be effective on 1 June 2025
(a) Mandatory appointment of data protection officer
- Both data controllers and data processors must appoint a data protection officer to oversee compliance with the PDPA.
(b) Mandatory data breach notification
- Data controllers are required to notify the Personal Data Commissioner (“Commissioner”) of personal data breaches.
- Where the breach is likely to cause significant harm to the data subject, data controllers must also notify the data subject.
(c) New rights to data portability for data subjects
Guidelines and Revised Personal Data Protection Standard to be Issued
According to an announcement by the Commissioner on 18 November 2024, four guidelines and a revised version of the Personal Data Protection Standard are expected to be issued in early 2025, with the remaining three guidelines to follow in the third quarter of 2025. The first four guidelines to be published address the Data Protection Officer, Data Breach Notification, Cross-border Data Transfer and Data Portability. It is anticipated that these guidelines will provide clearer details and practical steps to facilitate compliance with the amended regulations. While we await the finalized guidelines, businesses and organizations are encouraged to review their existing privacy policies and personal data processing practices, and to identify any updates required to align with the amendments introduced by the PDPA Amendment Act.
DFDL Compliance and Investigations Practice Group
DFDL’s compliance and investigations practice works side-by-side with other practice groups and leverages our expertise across a range of compliance risks including data protection, cyber security, anti-bribery and anti-corruption, anti-money laundering, legal design for UX/UI compliance, and human rights supply-chain due diligence. With our extensive experience in Asian emerging markets we can help in proactively assessing compliance risks, developing policies and procedures, as well as support with compliance failure mitigation and investigations.
The information provided here is for information purposes only and is not intended to constitute legal advice. Legal advice should be obtained from qualified legal counsel for all specific situations.