Malaysia: Department of Personal Data Protection released Personal Data Protection Guideline on Automated Decision-Making and Profiling (ADMP)

On 30 April 2026, the Malaysian Department of Personal Data Protection (JPDP) released Version 1.0 of the Personal Data Protection Guideline on Automated Decision-Making and Profiling (ADMP), issued by the Personal Data Protection Commissioner under the Personal Data Protection Act 2010 (Act 709). The Guideline is directed at data controllers and data processors implementing ADMP in commercial transactions and supplements Act 709, which does not specifically regulate ADMP. The Guideline defines automated decision-making as decision-making by wholly or partly automated means without human involvement, and profiling as automated processing of personal data to evaluate or predict personal aspects of a data subject. The Guideline addresses ADMP processes that produce legal effects on a data subject or significantly affect the data subject's circumstances, behaviour, choices, or access to services. The Guideline directs Data Protection Officers to oversee ADMP systems and to ensure a Data Protection Impact Assessment is conducted for any planned processing involving ADMP, with reassessment after 2 years. The Guideline addresses compliance with the Notice and Choice Principle under section 7, the right to withdraw consent under section 38, and the conditions for processing sensitive personal data under section 40 of Act 709, and sets out best practices for the use of Artificial Intelligence in ADMP, providing that AI should not be the sole factor in decisions concerning data subjects.