29 August 2025

On 22 August 2025, the Personal Data Protection Commissioner (“PDPC”) launched a public consultation on proposed amendments to the Personal Data Protection Regulations 2013 (“PDP Regulations”). The proposed amendments seek to align the PDP Regulations with the obligations recently introduced for data controllers and data processors under the Personal Data Protection Act 2010 (“PDPA”).

This article highlights the key proposals set out in the public consultation, which concludes on 8 September 2025.

Key definitions

The PDPC proposes new definitions and refinements to existing terms in the PDP Regulations to ensure that Malaysia’s personal data protection framework remains consistent, clear, and effective.

These proposed amendments include:

  • revising the definition of “standard” to refer to binding measures determined by the PDPC that set out the minimum standards and expected outcomes for processing personal data, rather than merely imposing “minimum requirements” on data controllers or data processors;
  • distinguishing “business contact information” from “personal data” under the PDPA to provide clarity and facilitate compliance by data controllers. “Business contact information” will be defined as information about an individual provided in a business context such as name, position or title, business telephone number, business address, and business email address; and
  • introducing the term “personal data protection notice” to refer to the written notice that data controllers are required to provide to data subjects under the PDPA.

Personal data protection principles

The proposed amendments aim to provide greater clarity on how data controllers and data processors are expected to apply the personal data protection principles under the PDPA in practice.

The key proposed amendments include:

  • clarifying the methods data controllers should utilise in obtaining valid consent from data subjects, and when such consent is required;
  • requiring data controllers to take reasonable steps to verify consent from parents, guardians, or individuals with legal responsibility over the data subject;
  • requiring data controllers to display the business contact information of their appointed Data Protection Officer or representative in either the personal data protection notice mandated by the PDPA or through other accessible channels, enabling data subjects to lodge complaints or exercise their rights under the PDPA;
  • expanding the obligation to establish and implement a security policy setting out measures to safeguard personal data to data processors as well, and not only to data controllers;
  • requiring the incorporation of a data breach management plan in the data controller or data processor’s security policy; and
  • requiring data controllers to enter into a written agreement with their data processors, incorporating the following terms:
      • subject matter, duration, nature, and purpose of the data processing;
      • types of personal data processed;
      • security measures to be implemented; and
      • obligations of the data processor and rights of the data controller.

The PDPC will also revise the Personal Data Protection Standard 2015 to set out additional compliance measures under the PDPA including retention policies, disposal schedules, secure destruction methods, data rectification procedures, and periodic monitoring requirements.

Moving forward

The proposed amendments would confer broad investigative and monitoring powers on the PDPC and its inspection officers, enabling them to obtain information from data controllers and data processors to assess compliance with the PDPA and the PDP Regulations. Data controllers or data processors found in breach of the PDP Regulations may, upon conviction, be liable to a fine of up to RM250,000, imprisonment for a term of up to two years, or both.

Feedback on the proposals in the consultation paper may be submitted via this form until 8 September 2025.  

Further information

This article has been prepared with the assistance of Associates Siah An Gel and Mohamad Syafiq bin Mohamad Tazri.
