On 8 September 2025, the Malaysian Data Protection Authority closes the consultation on the regulation amending the Personal Data Protection Regulations 2013 (335/2013). First, the draft regulation changes all references in the original Regulation from “data user” to “data controller”. Second, the draft regulation obliges data controllers to display business contact information for appointed Data Protection Officers or other individuals responsible for handling matters relating to personal data. This information must be included, in Malay and English, in the personal data protection notice given to the data subject. Third, the phrase “minimum requirements” is replaced with the phrase “specified requirements” to emphasise the binding nature of the requirements and to set expected results for data controllers. Fourth, the draft regulation clarifies the definition of “valid consent” and the requirement to obtain consent before data processing occurs, rather than during or after processing. Fifth, security policies must now explicitly include procedures for managing data breach incidents. Sixth, data controllers must have a written contract with any data processors they use. This contract must specify the purpose, data types, security measures, and the rights and obligations of each party. Seventh, data processors are now directly obligated to protect personal data against threats and can be penalised directly for violations (a fine of up to MYR 250'000, imprisonment of up to two years, or both). Eighth, the scope of information that can be requested by inspecting officers is clarified and expanded. These changes aim to harmonise the terms used in the Regulation with those used in a parallel amendment to Act 709.