
The recent amendments to the Personal Data Protection Act 2010, implemented through the Personal Data Protection (Amendment) Act 2024 (the “Amendment Act”), brought about several additional legal obligations on the part of data controllers in Malaysia. One key obligation that has stirred up many discussions among the Malaysian public would no doubt be the obligation for data controllers to notify the Personal Data Protection Commissioner (“PDPC”), and possibly the data subjects, in the event of a personal data breach.
When the Amendment Act was first published, it raised many questions. Are all personal data breaches required to be notified regardless of their scale and impact? How does one carry out a personal data breach notification? When should a personal data breach notification be carried out? What information should be provided in a personal data breach notification? Fortunately, the PDPC issued a circular and guidelines on data breach notification on 25 February 2025 (the “Circular and Guidelines”) which shed some light on these questions.
Our article aims to provide a summary of a data controller’s obligations in handling a personal data breach, particularly concerning the procedures for undertaking a data breach notification as set out in the Circular and Guidelines.
1. What is a Personal Data Breach?
To determine when a data controller would be required to carry out a data breach notification, we first need to understand what constitutes a personal data breach. The term “personal data breach” is defined under the Personal Data Protection Act 2010 (the “PDPA”) as “any breach of personal data, loss of personal data, misuse of personal data or unauthorised access of personal data”. Most would associate a personal data breach with the action of an external party intending to cause harm, such as a malicious threat actor hacking into the IT system of a data controller to steal its information, including personal data stored by the data controller. The Circular and Guidelines made it clear, however, that given the broad definition of the term “personal data breach”, it also covers breaches caused internally by the personnel of the data controller, whether accidental or deliberate. As such, data controllers need to be mindful that a personal data breach also extends to scenarios where a rogue employee steals personal data maintained by the company, or where a careless employee accidentally sends an email containing the personal data of customers to a third party. Essentially, it can be said that as long as the personal data being processed by a data controller is accessible to, or has been accessed by, an unintended third party, there is a personal data breach.
2. When is a Personal Data Breach Required to be Notified?
Under the PDPA, a data controller has two (2) data breach notification obligations – one to the PDPC and the other to the data subjects. The triggers for each of these data breach notification obligations differ, and data controllers should undertake separate considerations on whether each of the notification obligations applies.
(i) Data breach notification to the PDPC
In the event of a personal data breach, a data controller should first assess whether there is a need to notify the PDPC of the incident. According to the Circular and Guidelines, the PDPC is only required to be notified of a personal data breach if it causes or is likely to cause “significant harm”. A personal data breach is considered to cause or be likely to cause “significant harm” if there is a risk that the compromised personal data:
- may result in physical harm, financial loss, a negative effect on credit records or damage to or loss of property;
- may be misused for illegal purposes;
- consists of sensitive personal data;
- consists of personal data and other personal information which, when combined, could potentially enable identity fraud; or
- is of significant scale in that it would affect more than one thousand (1,000) data subjects.
If any one of the five (5) scenarios above is met, a personal data breach is considered to be of significant harm, and the data controller should notify the PDPC accordingly.
(ii) Data breach notification to the data subjects
Once a data controller has established the need to notify the PDPC of a personal data breach, it should then consider whether there is also a need to notify the affected data subjects of the breach. Similarly, a data controller is only required to notify data subjects of a personal data breach if the breach results in or is likely to result in “significant harm” to the data subjects. A personal data breach is considered to result in or be likely to result in “significant harm” to the data subjects if there is a risk that the compromised personal data:
- may result in physical harm, financial loss, a negative effect on credit records or damage to or loss of property of impacted data subjects;
- may be misused for illegal purposes;
- consists of sensitive personal data; or
- consists of personal data and other personal information which, when combined, could potentially enable identity fraud towards the affected data subjects.
If any of the four (4) scenarios above is met, a data controller will have to notify the affected data subjects of the personal data breach, in addition to notifying the PDPC.
3. What is the Timeframe to Carry Out Data Breach Notification?
The Circular and Guidelines prescribe fixed timeframes for carrying out data breach notification:
(i) Data breach notification to the PDPC
In the case of a data breach notification to the PDPC, it should be made within seventy-two (72) hours of the data controller being informed of the breach or detecting an incident that involves a personal data breach.
(ii) Data breach notification to the affected data subjects
If data breach notification to data subjects is required, it has to be carried out within seven (7) days of the PDPC having been notified of the same personal data breach.
4. How to Carry Out a Data Breach Notification?
Likewise, the Circular and Guidelines also prescribe the manner in which the data breach notification should be carried out.
(i) Data breach notification to the PDPC
When notifying the PDPC of a personal data breach, a data controller is required to use the notification form published by the PDPC on its official website and submit the completed form to the PDPC either in hard copy or by email to dbnpdp@pdp.gov.my.
Completing the notification form is relatively straightforward, as it only requires the data controller to provide its basic information and some details about the personal data breach. What is tricky is that the data controller is also required to submit the following additional information:
- a) details of the personal data breach, including:
  - the date and time the personal data breach was detected by the data controller;
  - the type of personal data involved and the nature of the breach;
  - the method used to identify the breach and the suspected cause of the incident;
  - the number of affected data subjects;
  - the estimated number of affected data records; and
  - the personal data system affected, which resulted in the breach;
- b) the potential consequences arising from the personal data breach;
- c) the chronology of events leading to the loss of control over personal data;
- d) the measures taken or proposed to be taken by the data controller to address the personal data breach, including steps implemented or planned to mitigate the possible adverse effects of the breach;
- e) measures taken or proposed to be taken to address the affected data subjects; and
- f) the contact details of the data protection officer or any other relevant contact person from whom further information on the personal data breach may be obtained.
Given that it may take time for a data controller to collate the additional information required as highlighted above, it is possible for the data controller to first submit only the notification form to the PDPC to meet the 72-hour timeline, and to provide the additionally required information subsequently in phases, as long as they are provided within thirty (30) days from the date of submission of the notification form.
(ii) Data breach notification to the affected data subjects
In the case of notifying the affected data subjects of a personal data breach, it is a requirement under the Circular and Guidelines that the data controller provides direct and individual notifications to each of the affected data subjects. Essentially, every single one of the affected data subjects needs to receive an individual notification directed at them to inform them of the personal data breach. Examples of methods through which data controllers can notify data subjects are email, SMS, direct messaging, and postal communication.
If, however, it is impractical or requires a disproportionate effort for the data controller to provide direct notification to each of the affected data subjects, such as where it would result in an excessive financial burden on the data controller due to the sheer number of data subjects, or where it would be difficult for the data controller to ascertain the contact details of the data subjects, the data controller can instead make the data breach notification by public communication (a notice on the data controller’s website, or publication of a notice in printed media or on social media).
The notification to the affected data subjects is required to contain, at a minimum, the following information concerning the personal data breach:
- the details of the personal data breach that has occurred;
- details of the potential consequences resulting from the personal data breach;
- measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects;
- measures that the affected data subjects may take to eliminate or mitigate any potential adverse effects resulting from the data breach; and
- the contact details of the data protection officer or other contact point from whom more information regarding the personal data breach can be obtained.
Conclusion
Data breach notification is certainly not as straightforward as most would have preferred it to be. We can certainly appreciate, however, the need for such extensive information to be furnished during data breach notification, given that a personal data breach could have a disastrous adverse impact on data subjects. Data controllers should take their data breach notification obligations seriously. Otherwise, in addition to negative publicity and financial penalties, the management of the data controllers may also be individually exposed to the possibility of a jail term. Having a trusted legal adviser or a well-qualified data protection officer will certainly help data controllers comply with these statutory obligations.
At Halim Hong & Quek, our Technology Practice Group has extensive experience in data protection law and has advised clients across various industries on managing data breaches, including regulatory notifications, risk mitigation, and legal compliance. We are well-equipped to assist businesses in responding to data breaches efficiently while ensuring full compliance with the law. Should you require guidance on handling a personal data breach or strengthening your data protection framework, our team is ready to support you.
About the authors
Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity
ky.lo@hhq.com.my
Ong Johnson
Partner
Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance
johnson.ong@hhq.com.my