Similar to the ‘Appointment of Data Protection Officer’ Circular, on 25 Feb 2025, the ‘Data Breach Notification’ Circular (Issue 2 of 2025) was launched. It was then published on 26 or 27 Feb, and comes into force on 1 Jun.[1] The Circular is in Malay, and it comes with a Guideline v1.0 that’s in Malay and English.
Because Malaysia’s Personal Data Protection Act (PDPA), Circular, and Guideline contain different obligations, and the Circular seems to modify/clarify the PDPA, and the Guideline further modifies/clarifies the Act and Circular, it’s important to read all three documents together.
Key / interesting points
A. Standing of the Guideline
The Guideline seems to modify (or clarify?) Malaysia’s PDPA and the Circular in some areas, so I think it’s important to understand whether it is mandatory or not.
The Guideline itself only says that it does not override any specific data protection laws or regulations in effect,[2] and I have not found any clarifications on the Personal Data Protection Commissioner’s website. However, because the Guideline also says that it sets out the procedure for data controllers to notify the Commissioner and affected data subjects of a personal data (PD) breach,[3] I think it is mandatory and binding.
(Edit 1: A reader who attended the launch of the Circular and Guideline said that the regulator said the Circular must be complied with while the Guideline is merely a guideline. That would also be troubling because, for example, it is the Guideline that says that not all data breaches need be notified to the Commissioner but only those that cause or are likely to cause significant harm.
Edit 2: A second reader who also attended the launch, said that they were told that the guidelines are non-binding but are to be read together with the Circular, which is binding. Compliance with the Guideline will be a defence in the case of a data breach complaint.)
B. Definition of “personal data breach”
The amended PDPA defines “personal data breach” to mean any breach, loss, or misuse of personal data (PD), or unauthorised access to PD.[4]
[In a previous Substack post on Malaysia’s draft amendments to its PDPA, I had suggested that it’s circular to say that a PD breach is a breach of PD. Unfortunately this circularity was retained.]
The Circular adds to the definition by saying that “personal data breach” is as defined under the PDPA “and is not limited to alteration, copying, modification or destruction”.[5]