Malaysia PDPA 

Data controllers and processors have to comply with the Personal Data Protection Principles outlined in the text of the law. These are as follows: 

• General Principle: Organizations must ensure that personal data is processed in a lawful and fair manner. The data collected should only be used for specific purposes that are explicitly stated and agreed upon by the individual (data subject).
• Notice and Choice Principle: When collecting personal data, organizations must inform the individual why the data is being collected and how it will be used. The individual should also be given the option to either provide their data or refuse, and be made aware of the consequences of their choice.
• Disclosure Principle: Organizations must not share personal data with third parties without the individual’s consent, unless required by law. Any data shared should be only what is necessary and for the purpose that was originally stated to the individual.
• Security Principle: Organizations are required to take appropriate measures to protect personal data from unauthorized access, misuse, or loss. This includes implementing security practices and protocols to safeguard the data.
• Retention Principle: Personal data should not be kept longer than necessary. Once the data is no longer needed for the purpose it was collected, it must be securely deleted or destroyed.
• Data Integrity Principle: Organizations must ensure that personal data is accurate, complete, and up-to-date. Reasonable steps should be taken to correct any inaccurate or outdated information.
• Access Principle: Individuals have the right to access their personal data held by an organization. They can request to review, update, or correct their data. Organizations must respond to such requests within a reasonable time frame.
• Accountability Principle: Organizations are responsible for complying with the PDPA and must be able to demonstrate their compliance. This includes appointing data protection officers and maintaining records of data processing activities.

In addition to these, covered businesses must also appoint one or more data protection officers accountable for compliance with the Act, and in the event of a data breach, must notify the Commissioner “as soon as practicable” and the affected data subjects if a breach occurs, “where the personal data breach causes or is likely to cause any significant harm to the data subject, [...] in the manner and form as determined by the Commissioner without unnecessary delay.”

The Malaysian data privacy law also stipulates that certain classes of data controllers, as specified by the government, need to register with the supervisory authority, with all others having to follow the Act's rules without having to register. In addition to these, the Minister may require specific classes of data controllers to register after consulting with relevant parties. 

Data controllers required to register must follow a series of obligations related to the registration process, such as applying, paying a fee, and submitting necessary documents. The Commissioner may request additional information; failure to provide it will result in the application being withdrawn. The Commissioner may approve or deny the registration. If approved, a certificate is issued with possible conditions. Operating without required registration is a serious offense. 

Data controllers must renew their registration at least 90 days before expiration. The renewal may include changes to conditions, and the Commissioner can refuse renewal for non-compliance. The Commissioner can revoke registration for non-compliance or other reasons, but the data controller must be given a chance to explain. Continuing to operate without registration after revocation is an offense. If registration is revoked, the data controller must return the certificate within seven days. Failing to do so is an offense.

The Commissioner will maintain a Register of Data Controllers, listing those who have been registered and their details.