Personal Data Protection Act 2010 will be Enforced from 01.01.2013 — Or so it was said…

By Sonny Zulhuda

That is it. No more waiting or being complacent.

The Minister of Information, Communications and Culture  of Malaysia, Datuk Seri Rais Yatim was reported today (23 Oct 2012) as saying that the crucial Act will be enforced beginning of the year 2013 — that is less than two months from now. The report from The Sun Daily can be viewed here.

Credit: The Sun Daily (c) 2012
Credit: The Sun Daily (c) 2012

And when it is implemented, as prescribed by the Act itself, data users will have three months to prepare to comply with the rules and regulations on personal data that they collect, process or otherwise store. In total, companies as well as individual data users will only have five months to prepare themselves before the Data Protection Commissioner can knock their doors if he wishes to inspect their personal data system and the level of compliance.

Also, it would mean that the consumers, termed as data subjects, would be able to come and check the accuracy of their personal data collected and processed at their bankers, telecommunications providers, or any other services providers that they had contract with.

Who will be implicated?

ImageIf you or your company “process” personal data of individuals for “commercial transaction” other than that related to credit rating business; and then process such data in “automated” manner or otherwise non-automated but using a “structured filing system”, then you will be implicated because you are a “DATA USER.” Despite the fact that you are operating as incorporated entity, an individual proprietor or as partners.

However, if your processing activities are not located in Malaysia (such as those personal data you disclose at your Facebook), then those data are not subject to the PDP Act 2010.

Likewise, if you collect data only for your own personal, household or non-commercial activities, then you are out too (Click on the left image to zoom on the chart).

The fact that you as data owner do not process such personal data on your own, but instead get someone else do it for you (such as in an outsourced service), does not exclude you from being a data user under the Act. It will instead add to your obligations some other duty to ensure your outsourcing service provider provides equal protection. This service provider is termed under PDPA 2010 as DATA PROCESSOR.

From the perspective of the Data Processor company/party, they will not be obliged with the same duties as the Data User, but they will be responsible nonetheless to similar obligations through their service agreement with the Data User. And on top of that, the PDP Commissioner is empowered to conduct inspection directly on your data system.

Therefore, either you are a Data User or a Data Processor under definitions of the Act, this enforcement date can be your “make or break” moment.

You can have a copy of the PDP Act 2010 from the Ministry’s website here.



At the time this post note is provided (mid-July 2013), there has not been any official announcement or declaration by the Government on the enforcement of the Personal Data Protection Act 2010, which means, the Act is in status quo, not yet in force. 



The Act is now in force! It’s been officially gazetted on 15th November 2013.

-Sonny Zulhuda-


  1. Has the PDPA come into force in terms of implementation wef from 01.01.2013? There is ‘market industry’ talk that it has yet to be effected as the Ministry Of Information is still ‘putting-up’ the relevant issue and policies in place to ‘kick-start’. Pls advise

    1. Since it was so “announced” and published by media, there is no further official announcement we’ve heard from the Government. Therefore, in so long it is not officially announced/declared and gazetted, the PDP Act 2010 is still not in force. Perhaps the matter should be best referred to the Authority concerned. Thanks for dropping by! 🙂

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s