Repro Blog

Personal Data Protection Act in the South East Asia Region
report Tue, Apr 21, 2020
Repro APAC Written by Repro APAC

Personal Data Protection Act in the South East Asia Region

Table of Contents

A good understanding of the Personal Data Protection Act (PDPA) is very important before venturing your business into the South East Asian Region.

*Please take note that this article is just meant to be used as guideline and should not be used as a legal reference . 

Data Protection in SEA

DLA Piper, a global law firm operating through various separate and distinct legal entities, created the DLA Piper protection handbook, which ranks the enforcement of the country's data protection regulation and enforcement under four categories: Limited, Moderate, Robust and Heavy. Under this categorization, Malaysia & Singapore fall under the "Robust" category, Thailand under "Moderate" while Indonesia being "Limited". 

On the other hand, the Commission nationale de l'informatique et des libertés (CNIL), an independent French administrative, regulatory body, whose mission is to ensure that data privacy law is applied to the collection begs to differ. Despite Malaysia and Singapore fall under the Robust category in the DLA Piper protection handbook, they are still considered inadequate in EU standards. 

The difference while DLA Piper looks at the adequacy of the data protection within the country, CNIL is comparing the level of Data Protection and enforcement to GDPR standard.  


PDPA Malaysia

The Personal Data Protection Act 2010 (PDPA) was passed by the Malaysian Parliament on June 2, 2010 and came into force on November 15, 2013. Malaysia has a unique definition of personal data when it comes to PDPA. Based on their definition, "Personal Data" refers to any information related to commercial transactions. 

Definition of Sensitive Data

Sensitive data is interpreted as any personal information related to an individual's physical mental health or any condition of the data subject; his religious beliefs or other beliefs in a similar nature; the commission or alleged commission by him or her of any offense or any other personal data as the Minister of Communications and Multimedia (Minister) may determine by published order.


PDPA registration is required for organization involved in these sectors: Communications, Banking and financial institution, Insurance, Health, Tourism and hospitalities, Transportation, Education, Direct Selling, Service, Real estate, Utilities, Pawnbrowker, and Moneylenders.

Data Protection Officers

The appointment of a Data Protection Officer is not required by law in Malaysia. 

Collection & Processing

Consent is required for data collection and processing with some exceptions. If the data subject is less than 18 years old, the data user must obtain consent from the parent, guardian or person who has parental responsibilities of the subject. Malaysia law also imposes an additional requirement, including but not limited to, notifying the data subjects regarding the purpose of personal data collection and requirement to maintain a list of any personal data disclosures to third parties. 

Data Transfer

According to the PDPA, a data user may not transfer personal data outside of the jurisdiction of Malaysia with a few exceptions: 1) The data subject has given his or her consent to the transfer, 2) The transfer is necessary for the performance of a contract between the data subject and the data user, 3) The data user has taken all reasonable steps to ensure it the data will not be processed in a manner that contravenes the PDPA, and 4) The transfer is required to protect the data subject's vital interest. 

Security & Breach Notification 

The data users have obligations to take "practical" steps to protect personal data and must implement a security policy. No breach notification is required under the PDPA for this moment. 

Electronic Marketing & Online Privacy

There is no specific provision in PDPA for both electronic marketing and online privacy. However, both of them still subject to the PDPA.


PDPA Singapore

Unlike Data Protection Act in Malaysia, Singapore Data Protection Act has an extraterritorial effect, meaning that the acts apply to organizations regardless if they have a physical presence in Singapore or it is a company registered in Singapore.

In addition to the Act, Singapore's Data Protection Commission provided both general and sector-specific guidelines for organizations. Although these guidelines are not legally binding and advisory in nature, the Commission will interpret the Act in accordance with the guidelines., Therefore, it's best practice to carefully observe those guidelines. 

Definition of Personal Data

Personal data is defined in the Act referring to an individual, whether true or not, alive or recently deceased that can be identified through the data or other data that the organization has access to. However, this Act does not apply to business information such as individual position, business telephone number, and address.

The Act does not provide any definition for sensitive personal data. However, the Commissioner issued non-binding guidance, especially to data that are especially sensitive such as data on physical and mental health, recommending encryption. In addition, the Commission has also issued a set of guidelines for the collection of the National Registration Identification Card number (NRIC).


There is no registration requirement for the PDPA however the Commission highly encourages organizations to register their Data Protection Officers (DPO) with the Commission. 

Data Protection Officers

In Singapore, it is mandatory for each organization to appoint one or more DPO to ensure the organization's compliance with the Act. This can be either a person or a team. 

The DPO can be non-citizenship of a non-resident of Singapore; however, the DPO must be easily contactable during Singapore's business hours, and the telephone numbers provided should be Singapore telephone numbers. 

Collection & Processing

According to the Act, organizations can only collect, use, or disclose data if consent has given. The consent should be collected without a condition for providing a product or service, beyond what is reasonable. 

In instances where consent is unavailable, deemed consent can be accepted as well or in cases where limited exclusion prescribed in the Act applies.

Data Transfer

Data transfer is allowed if consent has been given and should have a written agreement. The Act also contains offshore transfer restriction, requiring an organization to ensure comparable agreement written on the Act.

Security & Breach Notification

Singapore Act requires organizations to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks.

Although there is no mandatory requirement for organizations to inform users in case of a data breach, the aggrieved parties may either make a complaint to the Commission or may take out a private action in civil proceedings. 

Electronic Marketing & Online Privacy

The Act applies to any marketing activities such as electronic marketing, which involves the collection, use, and disclosure of personal data. Electronic marketing activities are also regulated under the Spam Control Act (Cap 311A) ("SCA"), meaning the sending of unsolicited commercial communications in bulk by Email, SMS, or MMS to a mobile phone number. 


PDPA Thailand

On 28 May 2019, the Personal Data Protection Act ("PDPA") became law in Thailand. Unlike other SEA countries, there is a one-year grace period for an organization to become compliant with the PDPA and for the formation of regulators and issuance of subordinate regulations. 

Thailand's PDPA also introduces two key roles in collecting, processing, and transfer of personal data. The Personal Data Controller ("Data Controller") which have an overall responsibility to determine and control the use of personal data; and the Personal Data Processor ("Data Processor") which is responsible for using, disclosing or processing the data on behalf of, or in accordance with, the instructions of a Data Controller.

Personal data is defined as "any data pertaining to a person that enables the identification of that person, whether directly or indirectly, but specifically excluding data of the deceased". Unlike Singapore, Thailand explicitly excluded the decreased from the definition of personal data. 

Sensitive data is defined as any data relating to a person's race, ethnicity, political opinion, religious or philosophical beliefs, sexuality, health, genetic, criminal record, physical or psychological condition.


There is no registration requirement for the PDPA nor the data controllers or data processing activities.

Data Protecting Officers

A data protection Office (DPO) is required to be appointed by the Data Controllers and the Data Processors. 

Collecting & Processing

Consent is required for data processing and should be given in the form of writing or through electronic means. However, consent is not required when: 1) A data subject is required to perform a contract with the said organization, 2) The Data Controller has legal obligation to perform such data processing and 3) It is necessary for the performance of tasks carried out by a public authority or private organization acting in the public interest. 


Transfer of personal data is not permitted unless the recipient country has a data protection standard equivalent to Thailand's PDPA. However, there are exceptions to these rules: 1) The data subject has given proper consent, 2) The data transfer is quired to perform a contract between the data subject and Data Controller and 3) In order to protect the vital interest of data subject.

Security & Breach Notification

Data Controllers are required to have appropriate security measures to protect the stored Personal Data, and this security measure should subject to periodical review. 

It is interesting to note that Thailand is the only country that has a breach notification requirement. In the event of a data breach, the Data Controllers must report the breach to the Regulator within 72 hours of becoming aware of it. 

Electronic Marketing & Online Privacy

As the PDPA does not specifically address electronic marketing and data privacy, the PDPA rules apply. In addition, consumers are also protected by Thailand's relevant consumer protection laws. 


PDPA Indonesia

When it comes to Personal Data Protection Act, Indonesia's situation is very different from other countries as it does not have a Personal Data Protection Act. However, other Laws do which involve the management of electronic information and transactions such as the: 1) Electronic Information and Transactions, 2) Government Regulation No. 71 of 2019 regarding Provisions of Electronic Systems and Transactions 3) Minister of Communications & Informatics Regulation No. 20 of 2016 regarding the Protection of Personal Data in an Electronic System.

In the Government Regulation No. 71, personal data is defined as any data of an individual who can be identified from the data or when it comes from other data. 


At the moment, there is no legal obligation for an organization to register to the Data Protection Authority unless there is a data transfer is required. 

Data Protection Officers

The appointment of a data protection officer is not required. 

Collecting & Processing

As the general rule to process personal data, EIT Law, Reg. 71, all personal data should obtain consent from the owner of the data. In addition, the collection of data should only be limited to relevant and suitable information in accordance with its purpose. 


There is no restriction on the transfer of data but the transfer of data is required to be notified to the Ministry of Communication and Information Technology and should be done before the transfer happens.

Security & Breach Notification

In the case of data security, a law on Data Protection, the electronic systems provider takes the utmost effort to protects the data while protecting the privacy of the users.


Although there isn't a regulation regarding the data breach, however, according to Article 28 (c) of the MOCI Regulation, a written notice is required if the Personal Data Owner fails to protect the secrecy of the Personal Data in the Electronic System. 

Electronic Marketing & Online Privacy

There is no law directly regulation the use of electronic emails nor online privacy. 


Don’t forget to share this post!

Repro APAC
Repro APAC

Learn how Repro can help your Business Grow.

Schedule a 30-minutes personalized consultation

Get a Demo