Malaysia’s PDPA Compliance: 13 Sectors Mandated for Data Controller Registration

In an era defined by rapid digital transformation, the Personal Data Protection Department (PDP) has intensified its focus on corporate accountability. Under Section 15 of the Personal Data Protection Act 2010 (Act 709), companies falling within 13 specific categories are legally required to register as Data Controllers (formerly “Data Users”) or face severe criminal penalties.

The 13 Mandated Sectors

The mandatory registration requirement applies to organizations processing personal data within these key industries:

  1. Communications: Telecommunications and courier service providers.
  2. Banking & Financial Institutions: Licensed banks and investment firms.
  3. Insurance: Licensed insurers under the Financial Services Act.
  4. Healthcare: Private hospitals, pharmacies, and medical or dental clinics.
  5. Tourism & Hospitality: Travel agencies and hotels.
  6. Transportation: Registered airline and transport service providers.
  7. Education: Private schools and higher education institutions.
  8. Direct Selling: Licensees under the Direct Sales and Anti-Pyramid Scheme Act.
  9. Real Estate: Licensed housing developers and property agencies.
  10. Utilities: Electricity and water supply providers.
  11. Services: Legal, audit, accounting, engineering, and architectural firms.
  12. Pawnbrokers: Licensees under the Pawnbrokers Act.
  13. Moneylenders: Licensed entities under the Moneylenders Act.

Critical Compliance Deadlines (2025–2026)

The PDPA (Amendment) Act 2024 introduced significant changes that came into effect in stages:

  • April 1, 2025: Data processors became directly accountable for security principles.
  • June 1, 2025: Mandatory appointment of a Data Protection Officer (DPO) and a 72-hour Data Breach Notification requirement.
  • 2026 Updates: The PDP continues to monitor the “Phase 1” voluntary penalty waivers for specific administrative filings, emphasizing that late registration for the 13 classes remains a high-risk liability.

Penalties for Non-Compliance

Failure to register as a Data Controller is a criminal offense. Upon conviction, a company can be liable for:

  • Fines of up to RM500,000.
  • Imprisonment for a term not exceeding three years.
  • Or both.

How to Register

Eligible organizations must submit their applications online through the Personal Data Protection System (SPDP) portal at daftar.pdp.gov.my. Certificates of registration are valid for one year and must be renewed annually to maintain legal compliance.
