Iubenda logo
Start generating


Table of Contents

Malaysia’s Personal Data Protection Act 2010 & iubenda

No time to read? Scroll all the way down to the conclusion.


The privacy policies generated with iubenda are by design compliant with international laws and regulations. Our policies are intended to be a framework to help as many as possible create a compliant privacy notice for their websites or apps. That’s why our policies are based on European data protection rules, which are by far considered to be the strictest.

Additional wording and clauses have been added to cover certain international agreements of notoriety such as COPPA (Children’s Online Privacy Protection Rule)

That being said, does iubenda fit the Malaysia Personal Data Protection Act 2010?

This decision will have to be made independantly, based on the following information which outlines the rules covering the requirement to give notice, a requirement which iubenda has tools to help you comply with.

There are other elements to take into account such as consent, language, and whether actual compliance with the act is required, as well as the validity of the potential transfer of personal data.

Malaysia Personal Data Protection Act 2010 & iubenda

You can find the Data Protection Commission here for more information and contacts. The legislation itself can be read here.

The act itself is easy to read, but additional guiding material in English is not easily come accross.

Section 5. Personal Data Protection Principles

The act is based on 7 guiding principles as set out below:

(1) The processing of personal data by a data user shall be in compliance with the following Personal Data Protection Principles, namely—

  1. the General Principle;
  2. the Notice and Choice Principle;
  3. the Disclosure Principle;
  4. the Security Principle;
  5. the Retention Principle;
  6. the Data Integrity Principle; and
  7. the Access Principle.

We will not go over the main part of the general principle that codifies the need for either consent or the requirement that it be necessary to process personal data. In our case – since we are to examine the form of the privacy notice – the notice and disclosure principles are the most important.

Section 7. Notice and Choice Principle

The following is copied verbatim from the code:

(1) A data user shall by written notice inform a data subject—

  1. that personal data of the data subject is being processed by or on behalf of the data user, and shall provide a description of the personal data to that data subject;
  2. the purposes for which the personal data is being or is to be collected and further processed;
  3. of any information available to the data user as to the source of that personal data;
  4. of the data subject’s right to request access to and to request correction of the personal data and how to contact the data user with any inquiries or complaints in respect of the personal data;
  5. of the class of third parties to whom the data user discloses or may disclose the personal data;
  6. of the choices and means the data user offers the data subject for limiting the processing of personal data, including personal data relating to other persons who may be identified from that personal data;
  7. whether it is obligatory or voluntary for the data subject to supply the personal data; and
  8. where it is obligatory for the data subject to supply the personal data, the consequences for the data subject if he fails to supply the personal data.

(2) The notice under subsection (1) shall be given as soon as practicable by the data user

  1. when the data subject is first asked by the data user to provide his personal data;
  2. when the data user first collects the personal data of the data subject; or
  3. in any other case, before the data user—
    1. uses the personal data of the data subject for a purpose other than the purpose for which the personal data was collected; or
    2. discloses the personal data to a third party.

(3) A notice under subsection (1) shall be in the national and English languages, and the individual shall be provided with a clear and readily accessible means to exercise his choice, where necessary, in the national and English languages.

We’ve highlighted sections that will have an impact on the use of iubenda. To summarise:

  • The notice needs to be readily available (footer of the page as the international best practice)
  • The notice shall be in the national and English languages, meaning you need to translate into the languages you need on top of English
  • Letters f-h: these are quite dependent on your own handling of personal data and iubenda, for the most part, has no pre-written text for this. There is also the option to consider a custom text block to handle these cases if applicable to your site.

Section 8. Disclosure Principle

The disclosure principle basically says to stay true to what your privacy notice states and therefore doesn’t add any other form requirements.

Conclusion for iubenda as a privacy notice framework for Malaysia based websites & apps

The main rules for the content of your privacy notice are summarized in the above-quoted section 7 of the Personal Data Protection Act 2010.

  • We believe that iubenda has a great framework covering the first actual content rules.
  • However, you should take another look if you need to add some wording regarding potentially limiting the collection of personal data and the obligatory or voluntary nature of your data processing.
  • Depending on your language needs, in addition to English, you will need to translate into one of the national languages.

Click here to generate your privacy policy