On 21 May 2025, the Malaysian Personal Data Protection Commissioner adopted the circular on personal data breach notification (Circular No. 2/2025). Under the circular, data controllers must notify the Commissioner as soon as practicable upon suspecting a breach and submit detailed information within 72 hours of the incident. If the breach is likely to cause significant harm, affected individuals must also be informed within seven days of the Commissioner being notified, using clear and accessible communication. The circular outlines circumstances that constitute significant harm, including physical injury, financial loss, damage to credit records, the risk of illegal misuse or identity fraud, involvement of sensitive personal data, or breaches affecting more than 1’000 individuals. Notifications must include the circumstances of the breach, the types and volume of data affected, a timeline of events, the potential consequences, the measures taken in response, and contact details for further inquiries. Data controllers are required to keep detailed breach records for a minimum of two years and may be subject to investigation to verify compliance. Non-compliance may result in fines of up to RM 250’000, imprisonment for up to two years, or both.