Malaysia's Personal Data Protection Act 2010 (PDPA) was enforced in late 2013, and various issues have arisen since its implementation. Our goal is to provide you with a working knowledge of the PDPA and tips on what organisations should do to comply.

The Personal Data Protection (Registration of Data User) Regulations 2013 ("the Regulations") and the Personal Data Protection (Class of Data Users) Order 2013 ("the Order") were enforced together with the PDPA on 15 November 2013. The Regulations set out the requirements and procedures on registration of data users that fall under the 11 classes of data users as provided in the Order. Data users were given a three-month grace period until 14 February 2014 for data user registration, and generally, their registration, once approved, was valid for two years.

Depending on the date of the applications for data user registration, many of the certificates of registration issued by the Personal Data Protection Commissioner ("the Commissioner") to registered data users in 2014 would expire by the first quarter of this year.

Data users may make an application for the renewal of the certificate of registration no later than 90 days before the date of expiry of the certificate of registration. However, s 17(1) of the PDPA provides that no application for renewal shall be allowed where it has been made after the date of expiry of the certificate of registration. It is currently unclear whether any extension of time or late application to renew a data user registration would be granted or allowed by the Commissioner.

Starting on 11 January 2016, data users may renew their certificates of registration online via a designated website ( operated by the Commissioner ("SPDP Online"). In order to file the application to renew a certificate of registration via SPDP Online, a data user must first be a registered user of SPDP Online. A user manual, available on the site, provides guidance to data users in the registration and renewal process. Data users may also opt to renew the certificate of registration manually at the Personal Data Protection Department, Ministry of Communications and Multimedia.

A data user who fails to renew the certificate of registration and continues to process personal data after the expiry of the certificate of registration may be liable to a fine not exceeding RM250,000 or imprisonment for a term not exceeding two years, or both.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.