Malaysia: New legal requirements under the General Code of Practice of Personal Data Protection

In brief

The General Code of Practice of Personal Data Protection ("General CoP") introduces new legal requirements to be complied with by data users caught within its ambit. It also seeks to provide best practice recommendations with respect to the implementation of principles under the Personal Data Protection Act 2010 and its subsidiary legislation (PDPA).

Some of the new legal requirements include providing additional mandatory information in a personal data protection notice, complying with data subjects' written request not to process their personal data for direct marketing within reasonable time, maintaining a personal data system and establishing a PDPA compliance framework.

In more detail

The General CoP was issued by the Personal Data Protection Commissioner ("Commissioner") and became effective from 15 December 2022.

Non-compliance with the provisions of the General CoP is an offense under the PDPA, which may attract a fine not exceeding MYR 100,000 (~ USD 24,000) and/or imprisonment for a term not exceeding one year ("Penalties"). Where the offense is committed by a body corporate, its directors and other officers in the management could be personally liable. 

Who does it apply to?

The General CoP appears to apply to classes of data users who are not presently, subject to a specific code of practice under the PDPA. To recap, the Commissioner had in the past registered a number of sector-specific codes of practice under the PDPA, including for the following ("Selected Sectors"):

  • Private hospitals in the healthcare industry
  • The utilities sector (water)
  • The utilities sector (electricity)
  • Licensees under the Communications and Multimedia Act 1998
  • The banking and financial sector
  • The insurance and takaful Industry
  • The aviation sector

Data users1 who fall within the Selected Sectors above would need to comply with their respective codes of practice. The General CoP is therefore aimed at classes of data users under the PDPA who do not fall within any of the Selected Sectors above ("Affected Data Users"). These may include, among others, certain businesses involved in tourism, education, direct selling, real estate and professional services (e.g., legal, audit, accountancy, engineering, architecture).

What are the new legal requirements?

Some of the new legal requirements introduced by the General CoP are briefly discussed below.

  • Additional Mandatory Information For Personal Data Protection Notices

On top of those specified in the PDPA, the General CoP requires a personal data protection notice issued by Affected Data Users to, among others, also address the following:

  • If any sensitive personal data (i.e., relating to mental/physical health, political opinions, religious beliefs or commission of offense) will be processed
  • If personal data of children below the age of 18 years will be processed
  • If there is any regulatory requirement to collect certain personal data
  • What practical and security measures are taken to ensure personal data and its disclosure is safe and secured
  • The name of third parties to whom personal data is disclosed and for what purpose

These additional details have earlier been set out in the Guide to Prepare Personal Data Protection Notice published by the Commissioner’s office in January 2022, but the guide did not appear to have legal force. This uncertainty has now been put to rest with the General CoP.

  • Direct Marketing

“Direct marketing” is defined under the PDPA as the communication by whatever means of any advertising or marketing material which is directed to particular individuals. The PDPA expressly allows data subjects to notify a data user to cease or not begin to process their personal data, for purposes of direct marketing (“Cessation Notice”).

The General CoP now mandates that Affected Data Users must comply with the Cessation Notice within a reasonable time frame. Failing which, the Penalties will apply. Affected Data Users can therefore no longer attempt to ignore Cessation Notices.   

  • Personal Data System

“Personal data system” is defined under the PDPA to essentially mean a system used by a data user for the processing of personal data and it includes the records maintained for such processing.

The General CoP has in effect, confirmed the need for an Affected Data User to among others, establish a personal data system and which system, will need to include certain prescribed records (e.g., consent records, security policies). 

  • Compliance Framework

The General CoP also expressly requires Affected Data Users to develop and implement a compliance framework with appropriate compliance policies and procedures to ensure compliance with the General CoP and the PDPA.

Concluding remarks

The General CoP provides more clarity over the implementation of the general principles under the PDPA, especially for the Affected Data Users. It is also directionally, in line with the prevailing Malaysian Government's emphasis on ensuring that personal data is processed appropriately and safely by data users.

Given the potential criminal exposure for non-compliance, businesses who are subject to the General CoP should undertake a thorough internal review of its personal data protection policies and frameworks to determine if they are in compliance with the new legal requirements under the General CoP.


1 “Data users” essentially mean those who have control over or authorize the processing of any personal data (excluding data processors). "Data processors" refer to those who process the personal data solely on behalf of the data user and not for any of their own purposes.

* * * * *

This client alert was issued by Wong & Partners, a member firm of Baker McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "partner" means a person who is a partner or equivalent in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

Contact Information

Copyright © 2024 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.