{"id":104292,"date":"2025-04-29T10:14:15","date_gmt":"2025-04-29T10:14:15","guid":{"rendered":"https:\/\/my.legal500.com\/guides\/?post_type=comparative_guide&#038;p=104292"},"modified":"2025-08-27T09:42:26","modified_gmt":"2025-08-27T09:42:26","slug":"malaysia-data-protection-cybersecurity","status":"publish","type":"comparative_guide","link":"https:\/\/my.legal500.com\/guides\/chapter\/malaysia-data-protection-cybersecurity\/","title":{"rendered":"Malaysia: Data Protection &amp; Cybersecurity"},"content":{"rendered":"","protected":false},"template":"","class_list":["post-104292","comparative_guide","type-comparative_guide","status-publish","hentry","guides-data-protection-cybersecurity","jurisdictions-malaysia"],"acf":[],"appp":{"post_list":{"below_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Shin Associates<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2019\/08\/Shin-Associates.jpg\"\/><\/span><\/div>"},"post_detail":{"above_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Shin Associates<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2019\/08\/Shin-Associates.jpg\"\/><\/span><\/div>","below_title":"<span class=\"guide-intro\">This country specific Q&amp;A provides an overview of Data Protection &amp; Cybersecurity laws and regulations applicable in Malaysia<\/span><div class=\"guide-content\"><div class=\"filter\">\r\n\r\n\t\t\t\t<input type=\"text\" placeholder=\"Search questions and answers...\" class=\"filter-container__search-field\">\r\n\t\t\t<\/div>\r\n\r\n\t\t\t\r\n\r\n\r\n\t\t\t<ol class=\"custom-counter\">\r\n\r\n\t\t\t\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please provide an overview of the legal and regulatory framework governing data protection, privacy and 
cybersecurity in your jurisdiction (e.g., a summary of the key laws; who is covered; what sectors, activities or data do they regulate; and who enforces the relevant laws).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><u>Data Protection<\/u><\/p>\n<p>Malaysia\u2019s data protection and privacy regime is anchored by the Personal Data Protection Act 2010 (\u201c<strong>PDPA<\/strong>\u201d), its subsidiary legislation, regulations, guidelines, and sectoral Codes of Practice (\u201c<strong>COPs<\/strong>\u201d). The PDPA:<\/p>\n<ul style=\"padding-left: 0\">\n<li>applies to persons processing personal data in commercial transactions, including foreign data controllers using equipment located in Malaysia to process personal data;<\/li>\n<li>is enforced by the Malaysian Personal Data Protection Commissioner (\u201c<strong>Commissioner<\/strong>\u201d);<\/li>\n<li>was recently amended vide the Personal Data Protection (Amendment) Act 2024, with provisions coming into effect in stages across 2025;<\/li>\n<li>imposes obligations regarding collection, use, disclosure, and security of personal data; and<\/li>\n<li>has introduced new obligations such as appointment of Data Protection Officers (\u201c<strong>DPOs<\/strong>\u201d), and mandatory data breach notifications (\u201c<strong>DBNs<\/strong>\u201d).<\/li>\n<\/ul>\n<p><u>Cybersecurity<\/u><\/p>\n<p>Cybersecurity is mainly governed by the Cyber Security Act 2024 (\u201c<strong>CSA<\/strong>\u201d), the Computer Crimes Act 1997 (\u201c<strong>CCA<\/strong>\u201d), the Communications and Multimedia Act 1998 (\u201c<strong>CMA<\/strong>\u201d), and their subsidiary regulations, guidelines, and sectoral COPs (for the CSA).<\/p>\n<p>The CSA:<\/p>\n<ul style=\"padding-left: 0\">\n<li>applies to National Critical Information Infrastructure (\u201c<strong>NCII<\/strong>\u201d) sectors (e.g., banking, transport, 
defence, ICT, utilities) and NCII entities (\u201c<strong>NCIIEs<\/strong>\u201d);<\/li>\n<li>applies extraterritorially if an offence affects NCII;<\/li>\n<li>is overseen by the National Cyber Security Committee (\u201c<strong>NCSC<\/strong>\u201d); while the National Cyber Security Agency (\u201c<strong>NACSA<\/strong>\u201d) regulates and enforces compliance, and empowers NCII Sector Leads (\u201c<strong>NSLs<\/strong>\u201d) to issue COPs and oversee sectoral-level compliance;<\/li>\n<li>grants the Chief Executive of NACSA (\u201c<strong>Chief Executive<\/strong>\u201d) significant powers, including establishing the National Cyber Coordination and Command Centre System (\u201c<strong>NC4<\/strong>\u201d), issuing directives, gathering information, appointing cybersecurity experts, approving COPs, and managing the licensing of cybersecurity service providers (\u201c<strong>CSPs<\/strong>\u201d); and<\/li>\n<li>mandates licensing for CSPs providing certain services (e.g., managed security operation centre monitoring, penetration testing), annual risk assessments, biennial audits, mandatory incident reporting, and penalties including fines and\/or imprisonment.<\/li>\n<\/ul>\n<p>The CCA:<\/p>\n<ul style=\"padding-left: 0\">\n<li>applies extraterritorially if the offence involves a computer, program or data located in or accessible from Malaysia;<\/li>\n<li>prohibits unauthorised access to computer programs or data (including to facilitate fraud or dishonesty); unauthorised modification of data or impairment of computer operations; and wrongful communication of access credentials, among others; and<\/li>\n<li>is enforced by the Royal Malaysian Police.<\/li>\n<\/ul>\n<p>The CMA:<\/p>\n<ul style=\"padding-left: 0\">\n<li>regulates the communications and multimedia industries;<\/li>\n<li>is enforced by the Malaysian Communications and Multimedia Commission (\u201c<strong>MCMC<\/strong>\u201d);<\/li>\n<li>empowers the MCMC to direct individuals and service providers to 
implement measures against \u201cnetwork security risks\u201d; and<\/li>\n<li>creates specific offences including unauthorised use of network devices; fraudulent or improper use of network facilities; unlawful interception and disclosure; damage to network infrastructure; and fraud involving access devices.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any expected changes in the data protection, privacy or cybersecurity landscape in 2025 - 2026 (e.g., new laws or regulations coming into effect, enforcement of such laws and regulations, expected regulations or amendments)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><u>Data Protection<\/u><\/p>\n<p>From 1 June 2025, certain PDPA amendments will take effect, introducing mandatory appointment of DPOs for certain processing activities, mandatory DBNs, and data portability rights. 
The Commissioner announced in January 2025 that guidelines on data protection impact assessments (\u201c<strong>DPIAs<\/strong>\u201d), data protection by design, automated decision-making\/profiling (\u201c<strong>ADMP<\/strong>\u201d) and an updated version of the Personal Data Protection Standard 2015 (\u201c<strong>PDPS<\/strong>\u201d) are anticipated for release in 2025.<\/p>\n<p><u>Cybersecurity<\/u><\/p>\n<p>Additional cybersecurity regulations and guidelines are anticipated under the CSA, such as COPs for NCIIEs, and enforcement guidelines to strengthen risk assessment, audit, licensing, and incident\u2011reporting obligations.<\/p>\n<p>The Data Sharing Act 2025 (\u201c<strong>DSA<\/strong>\u201d) (which was gazetted on 20 February 2025 but will only come into force on a date to be determined by the Malaysian Digital Minister (\u201c<strong>Digital Minister<\/strong>\u201d)), aims to regulate structured data exchange among government agencies while enforcing strict privacy and cybersecurity measures.<\/p>\n<p>The CMA was amended in February 2025. Certain amendments on preservation of communications data and restrictions on unsolicited commercial electronic messages will only come into force on a date to be determined by the Malaysian Communications Minister (\u201c<strong>Communications Minister<\/strong>\u201d).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any registration or licensing requirements for entities covered by these data protection and cybersecurity laws, and if so what are the requirements? Are there any exemptions? 
What are the implications of failing to register \/ obtain a licence?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><u>Data Protection<\/u><\/p>\n<p>The PDPA requires 13 classes of data controllers to register with the Commissioner. These classes include the communications, banking and finance, insurance, health, tourism and hospitality, transportation, education, direct selling, services, real estate, utilities, pawnbroking, and moneylending sectors.<\/p>\n<p>Applicants must pay prescribed fees, submit required documents, and obtain a registration certificate from the Commissioner. Processing personal data without registration constitutes an offence, punishable by fines up to RM500,000 and\/or imprisonment up to 3 years. Registration is revocable for PDPA noncompliance.<\/p>\n<p>Registration exemptions apply to data controllers who fall outside the prescribed classes. Please refer to Q8 for further information on general exemptions.<\/p>\n<p><u>Cybersecurity<\/u><\/p>\n<p>Under the CSA, CSPs must secure a licence from the Chief Executive, meeting eligibility criteria, and have no criminal record related to fraud, dishonesty, or moral misconduct. Unlicensed provision\/advertising of prescribed cybersecurity services is an offence, with fines up to RM500,000 and\/or 10\u00a0years\u2019 imprisonment on conviction.<\/p>\n<p>CSPs are exempted from licensing if they are government entities, an individual serving related companies, or provide cybersecurity services in respect of computer systems located outside Malaysia.<\/p>\n<p>Under the CMA, providers of network facilities, network or application services, or content applications services must hold an individual or class licence (subject to limited exemptions and ministerial dispensations). 
Unlicensed operations may incur fines up to RM1,000,000 and\/or 10\u00a0years\u2019 imprisonment and potential deregistration.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How do the data protection laws in your jurisdiction define \u201cpersonal data,\u201d \u201cpersonal information,\u201d \u201cpersonally identifiable information\u201d or any equivalent term in such legislation (collectively, \u201cpersonal data\u201d)? Do such laws include a specific definition for special category or sensitive personal data? What other key definitions are set forth in the data protection laws in your jurisdiction (e.g., \u201ccontroller\u201d, \u201cprocessor\u201d, \u201cdata subject\u201d, etc.)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Key definitions under the PDPA are as follows:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Biometric data: \u201c<em>any personal data resulting from technical processing relating to the physical, physiological or behavioural characteristics of a person<\/em>\u201d;<\/li>\n<li>Commercial transactions: \u201c<em>any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but does not include a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2010<\/em>\u201d;<\/li>\n<li>Data controller (\u201c<strong>Controller<\/strong>\u201d): \u201c<em>a person who either alone or jointly or in common with other persons processes any personal data or has control over or authorizes the processing of any personal data, but does not include a data processor<\/em>\u201d;<\/li>\n<li>Data processor 
(\u201c<strong>Processor<\/strong>\u201d): \u201c<em>any person, other than an employee of the data controller, who processes the personal data solely on behalf of the data controller, and does not process the personal data for any of his own purposes<\/em>\u201d;<\/li>\n<li>Data subject (\u201c<strong>Subject<\/strong>\u201d): \u201c<em>an individual who is the subject of the personal data and shall not include a deceased individual<\/em>\u201d;<\/li>\n<li>Personal data: \u201c<em>any information in respect of commercial transactions, which (a) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose; (b) is recorded with the intention that it should wholly or partly be processed by means of such equipment; or (c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data controller, including any sensitive personal data and expression of opinion about the data subject; but does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010<\/em>\u201d;<\/li>\n<li>Personal data breach: \u201c<em>any breach of personal data, loss of personal data, misuse of personal data or unauthorized access of personal data<\/em>\u201d;<\/li>\n<li>Processing: \u201c<em>collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data, including: (a) the organization, adaptation or alteration of personal data; (b) the retrieval, consultation or use of personal data; (c) the disclosure of personal data by transmission, transfer, dissemination or otherwise making available; or (d) the alignment, 
combination, correction, erasure or destruction of personal data<\/em>\u201d; and<\/li>\n<li>Sensitive personal data (\u201c<strong>SPD<\/strong>\u201d): \u201c<em>any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence, biometric data, or any other personal data as the Minister may determine by order published in the Gazette<\/em>\u201d.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What principles apply to the processing of personal data in your jurisdiction? For example: is it necessary to establish a \u201clegal basis\u201d for processing personal data?; are there specific transparency requirements?; must personal data only be kept for a certain period? 
Please provide details of such principles.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA outlines 7 Personal Data Protection Principles (\u201c<strong>PDP Principles<\/strong>\u201d) applicable to personal data processing:<\/p>\n<p><u>General Principle<\/u><\/p>\n<p>Controllers must process personal data only with the Subject\u2019s consent, for lawful purposes necessary for and directly related to the Controller\u2019s activities, and without collecting excessive information.<\/p>\n<p>However, consent is not required if processing is necessary for:<\/p>\n<ul style=\"padding-left: 0\">\n<li>performance of a contract to which the Subject is a party;<\/li>\n<li>taking steps at the request of the Subject with a view to enter into a contract;<\/li>\n<li>Controller\u2019s compliance with legal obligations (non-contractual);<\/li>\n<li>protection of the Subject\u2019s vital interests;<\/li>\n<li>administration of justice; or<\/li>\n<li>exercise of functions conferred by\/under law.<\/li>\n<\/ul>\n<p>Please refer to Q7 for SPD processing consent requirements.<\/p>\n<p><u>Notice and Choice Principle<\/u><\/p>\n<p>Controllers must issue a written personal data protection notice (\u201c<strong>PDP Notice<\/strong>\u201d) (in both Bahasa Malaysia and English languages) to Subjects.<\/p>\n<p>The PDP Notice must inform the Subject that their personal data is being processed by\/on behalf of the Controller, and provide a description of:<\/p>\n<ul style=\"padding-left: 0\">\n<li>the categories of personal data processed, including any SPD or data of minors (below 18 years);<\/li>\n<li>the purpose(s) for collecting and processing personal data;<\/li>\n<li>any regulatory data collection requirements and applicable retention periods;<\/li>\n<li>source of data collection;<\/li>\n<li>Subject&#8217;s right to request access and correct their personal data and the 
contact details for requests;<\/li>\n<li>the classes of third parties to whom the personal data may be disclosed;<\/li>\n<li>available options for Subjects to restrict the processing of their personal data (including any linked third\u2011party data); and<\/li>\n<li>whether providing the personal data is mandatory or voluntary, and the consequences if mandatory data is not supplied.<\/li>\n<\/ul>\n<p>The PDP Notice must be provided to Subjects at the point of first requesting or collecting personal data, and before any use or disclosure for purposes beyond its stated scope.<\/p>\n<p><u>Disclosure Principle<\/u><\/p>\n<p>Personal data may only be disclosed with the Subject\u2019s consent, solely for the purpose stated at collection (or a directly related purpose), and only to the third parties or classes thereof specified in the PDP Notice.<\/p>\n<p>However, personal data may be disclosed without consent:<\/p>\n<ul style=\"padding-left: 0\">\n<li>where disclosure is necessary for the purpose of preventing or detecting crime, or for investigatory purposes;<\/li>\n<li>where the disclosure was required or authorised by or under any law or by court order;<\/li>\n<li>where the Controller reasonably believed they were legally entitled to disclose the data or that the Subject would have consented if informed of the circumstances;<\/li>\n<li>where the Digital Minister justifies disclosure for public interest;<\/li>\n<li>for the administration of justice;<\/li>\n<li>to discharge regulatory functions;<\/li>\n<li>for anonymized statistical or research purposes; or<\/li>\n<li>for protection of the Subject\u2019s vital interests.<\/li>\n<\/ul>\n<p><u>Security Principle<\/u><\/p>\n<p>Controllers must implement reasonable, proportionate safeguards (taking into account data sensitivity, storage location and existing system security) to protect personal data from loss, misuse, unauthorized access, disclosure, alteration or destruction.<\/p>\n<p>Under the PDPS, Controllers and 
Processors must implement baseline security controls (such as access management, secure storage and transfer protocols). Controllers must ensure Processors guarantee and adhere to these measures, and Processors now carry direct legal duties and penalties under the amended PDPA.<\/p>\n<p><u>Retention Principle<\/u><\/p>\n<p>Controllers must retain personal data only as long as necessary to fulfil the original processing purpose and securely delete it thereafter. While the PDPA leaves exact retention periods to Controllers\u2019 determination (subject to overriding legal requirements), the PDPS recommends disposing of data with no legal value within\u00a014\u00a0days and inactive data within\u00a024\u00a0months.<\/p>\n<p><u>Data Integrity Principle<\/u><\/p>\n<p>Controllers must take reasonable steps (proportionate to the processing purpose) to ensure personal data remains accurate, complete, up\u2011to\u2011date and not misleading; provide mechanisms for Subjects to update or correct their data; and adhere to any data integrity standards issued by the Commissioner.<\/p>\n<p><u>Access Principle<\/u><\/p>\n<p>Subjects have the right to:<\/p>\n<ul style=\"padding-left: 0\">\n<li>request access to their personal data held by a Controller (via a Data Access Request (\u201c<strong>DAR<\/strong>\u201d)); and<\/li>\n<li>correct their personal data where it is inaccurate, incomplete, misleading, or not up-to-date (via a Data Correction Request (\u201c<strong>DCR<\/strong>\u201d)),<\/li>\n<\/ul>\n<p>except where compliance with a DAR\/DCR is refused (please refer to Q27).<\/p>\n<p>Breaches of the PDP Principles may result in fines up to RM1,000,000 and\/or imprisonment up to 3 years.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any circumstances for which consent is required or typically obtained in connection with the processing of 
personal data? What are the rules relating to the form, content and administration of such consent? For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, consent is a fundamental requirement for personal data processing (please refer to the General Principle in Q5).<\/p>\n<p>The PDPA does not specify the exact form and type of consent, but consent must be capable of being recorded and maintained per the Personal Data Protection Regulations 2013 (\u201c<strong>PDPR<\/strong>\u201d).<\/p>\n<p>Consent may be given in a variety of forms: written (e.g. by signature or tick on a form), electronic opt\u2011in (e.g. clicking an unchecked box), deemed (e.g. where notification and continued use of a service indicates agreement), verbal (provided it is recorded, for instance via call logging), or by conduct (where consent is signified by Subject\u2019s actions).<\/p>\n<p>Consent can be express or implied. Implied consent can be construed in certain situations, such as non-objection to processing after being informed and continuing to use a service. However, for SPD, explicit consent that can be recorded and maintained is required.<\/p>\n<p>Consent may be incorporated into broader documents, such as terms of service or application forms. The PDPA does not explicitly address bundling consents for multiple processing operations in a single request. 
However, the Notice and Choice Principle mandates that each processing purpose be presented separately and transparently, so that consent is specific and informed rather than a blanket approval.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What special requirements, if any, are required for processing particular categories of personal data (e.g., health data, children\u2019s data, special category or sensitive personal data, etc.)? Are there any prohibitions on specific categories of personal data that may be collected, disclosed, or otherwise processed?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Controllers are restricted from processing SPD unless the Subject has given explicit consent. While the PDPA does not define &#8220;explicit consent&#8221;, the consent must be capable of being recorded and maintained (please refer to Q6).<\/p>\n<p>SPD may be processed without explicit consent:<\/p>\n<ul style=\"padding-left: 0\">\n<li>where necessary for the purpose of any legal proceedings, obtaining legal advice, or establishing\/exercising\/defending legal rights;<\/li>\n<li>for protection of the Subject\u2019s or another person\u2019s vital interests, where consent cannot be given or reasonably obtained;<\/li>\n<li>for exercising or performing a Controller\u2019s right or obligation under law in connection with employment; or<\/li>\n<li>by a healthcare professional or someone with equivalent confidentiality duties (in the healthcare context).<\/li>\n<\/ul>\n<p>PDP Notices must disclose processing of minors\u2019 personal data, and consent must be obtained from a parent or guardian.<\/p>\n<p>Health information is classified as SPD under the PDPA, and all SPD requirements apply equally to health data. 
Given its sensitivity, SPD demands enhanced security safeguards particularly in healthcare environments where large volumes of SPD are handled.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction include any derogations, exemptions, exclusions or limitations other than those already described? If so, please describe the relevant provisions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, the PDPA:<\/p>\n<ul style=\"padding-left: 0\">\n<li>does not apply to the Federal and State Governments;<\/li>\n<li>does not apply if the data is processed extraterritorially and not intended for further processing within Malaysia;<\/li>\n<li>does not apply to credit reporting agencies (for processing of credit information); and<\/li>\n<li>excludes deceased individuals from the definition of \u2018data subjects\u2019.<\/li>\n<\/ul>\n<p>The PDPA provides exemptions from certain PDP Principles under specific circumstances. 
These include exemptions from the General Principle, Notice and Choice Principle, Disclosure Principle, and Access Principle, and related provisions, where personal data is:<\/p>\n<ul style=\"padding-left: 0\">\n<li>used for personal, family, or recreational purposes;<\/li>\n<li>processed solely for journalistic, literary, or artistic purposes;<\/li>\n<li>processed solely for anonymized research and statistics;<\/li>\n<li>processed for preventing or detecting crimes, prosecuting offenders, or assessing taxes;<\/li>\n<li>used in legal matters, including for obtaining legal advice;<\/li>\n<li>processed for discharging regulatory functions; or<\/li>\n<li>processed for the exercise of functions conferred under law.<\/li>\n<\/ul>\n<p>Where SPD is processed, Controllers are exempted from the Access Principle and other related provisions (e.g. DARs\/DCRs) if compliance is likely to prejudice the Subject.<\/p>\n<p>Subjects&#8217; rights under the PDPA, such as the right to access and the right to prevent processing, are also subject to limitations (please refer to Q27).<\/p>\n<p>A Subject\u2019s right to prevent processing applies to processing likely to cause damage or distress to the Subject or another person. 
However:<\/p>\n<ul style=\"padding-left: 0\">\n<li>this does not apply where the Subject has consented to the processing; and<\/li>\n<li>processing may continue if necessary for:\n<ul style=\"padding-left: 5\">\n<li>the performance of a contract to which the Subject is a party;<\/li>\n<li>taking steps at the Subject\u2019s request before entering into a contract;<\/li>\n<li>compliance with Controllers\u2019 legal obligations, other than a contractual obligation; and\/or<\/li>\n<li>protection of the Subject\u2019s or another person\u2019s vital interests.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>The Digital Minister may, by order published in the Gazette, exempt any Controllers or class thereof from PDPA provisions; and\/or impose terms and conditions on such exemptions and revoke them.<\/p>\n<p>COPs under the PDPA may contain provisions modifying the obligations or rights of Controllers or Subjects within that sector (for example, the COP for private hospitals in the healthcare industry states that such rights may be modified, enhanced, or substituted by the COP) and may be registered by the Commissioner, provided the COP offers an adequate level of protection consistent with the PDPA.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Does your jurisdiction require or recommend risk or impact assessments in connection with personal data processing activities and, if so, under what circumstances? 
How are these assessments typically carried out?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>While the PDPA does not presently mandate risk assessments or DPIAs, a public consultation issued by the Commissioner in March 2025 (\u201c<strong>PCP<\/strong>\u201d) indicates that proposals for mandatory DPIAs for large-scale or SPD processing are being deliberated and emphasize identifying, assessing, and managing data-related risks.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any specific codes of practice applicable in your jurisdiction regarding the processing of personal data (e.g., codes of practice for processing children\u2019s data or health data)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>While there are no standalone COPs specifically addressing processing of different data types, tailored COPs on data processing for banking and finance; private healthcare; communications; water and electricity utilities; insurance and takaful; and aviation sectors, along with a General COP applicable to all other sectors that do not have specific COPs, have been published. The COPs each include sector\u2011specific PDPA compliance guidance, and provisions on handling different data types (e.g. SPD) within the respective sectors.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are organisations required to maintain any records of their data processing activities or establish internal processes or written documentation? 
If so, please describe how businesses typically meet such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Controllers must keep comprehensive processing records (consents; notices; DARs\/DCRs; third\u2011party disclosure lists; retention schedules; data updates; and transfers (including removable\u2011media\/cloud transfers with management approval)). COPs may impose additional record\u2011keeping rules, and the Commissioner may inspect these records.<\/p>\n<p>Organisations typically meet these requirements by, among others:<\/p>\n<ul style=\"padding-left: 0\">\n<li>establishing internal policies (e.g., employee data handling, data processing inventories, DBN procedures, data retention and disposal policies, disposal schedules for inactive data, disaster recovery\/business continuity plans);<\/li>\n<li>having written agreements with Processors;<\/li>\n<li>documenting data flows;<\/li>\n<li>retaining documentation for potential regulatory review;<\/li>\n<li>appointing DPOs when required;<\/li>\n<li>mapping all personal data activities and risks;<\/li>\n<li>incorporating employee training in their data protection frameworks;<\/li>\n<li>enforcing and documenting technical and organisational security measures and clear workflows for DARs\/DCRs; and<\/li>\n<li>regularly reviewing and updating policies in line with legislative changes.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require or recommend data retention and\/or data disposal policies and procedures? 
If so, please describe such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Please refer to the Retention Principle in Q5 and documentation in Q11 above. The PDPS requires Controllers to determine retention periods based on legislation, keeping data no longer than necessary unless legally required, maintaining records of disposal, disposing of collection forms within a specific timeframe, and preparing a disposal schedule for inactive data.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Under what circumstances is it required or recommended to consult with the applicable data protection regulator(s)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>While not explicitly termed &#8220;consultation&#8221; in all cases, interaction or communication with the Commissioner is required in the following contexts:<\/p>\n<ul style=\"padding-left: 0\">\n<li>notification on personal data breaches;<\/li>\n<li>notification on DPO appointment and DBNs;<\/li>\n<li>application for registration;<\/li>\n<li>cooperation for inspections and investigations; and<\/li>\n<li>complaints by Subjects.<\/li>\n<\/ul>\n<p>Consultation with the Commissioner is recommended if:<\/p>\n<ul style=\"padding-left: 0\">\n<li>there is uncertainty or ambiguity as to which COP applies to a particular Controller\/class thereof; and\/or<\/li>\n<li>there is uncertainty in interpreting or applying PDPA provisions or related regulations.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection 
laws in your jurisdiction require the appointment of a data protection officer, chief information security officer, or other person responsible for data protection? If so, what are their legal responsibilities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, effective 1 June 2025, an organisation must appoint a DPO if it satisfies at least one of the following threshold requirements (per the Guidelines on Personal Data Protection (Appointment of Data Protection Officer) and Circular No. 1\/2025 (Appointment of Data Protection Officer issued in early 2025 (collectively, \u201c<strong>DPO Guidelines<\/strong>\u201d)):<\/p>\n<ul style=\"padding-left: 0\">\n<li>it processes personal data exceeding 20,000 Subjects;<\/li>\n<li>it processes SPD, including financial information, exceeding 10,000 Subjects; or<\/li>\n<li>its processing involves activities requiring regular and systematic monitoring of personal data.<\/li>\n<\/ul>\n<p>Organisations must register their DPO with the Commissioner within 21 days from the appointment date and provide the DPO&#8217;s business contact information.<\/p>\n<p>The DPO Guidelines outline DPO responsibilities, including:<\/p>\n<ul style=\"padding-left: 0\">\n<li>acting as the organisation\u2019s main contact point with the Commissioner;<\/li>\n<li>serving as the liaison point between the organisation and its Subjects;<\/li>\n<li>advising and supporting the organisation in its data processing activities;<\/li>\n<li>providing advice and support on implementation of DPIAs based on Commissioner-determined requirements; and<\/li>\n<li>monitoring the organisation\u2019s compliance with the PDPA (e.g., ensuring proper data breach and security incident management) and its data protection policies, including assigning responsibilities under such policies, raising awareness, conducting employee training, and carrying out personal data 
protection audits.<\/li>\n<\/ul>\n<p>Other important points to note regarding the DPO role:<\/p>\n<ul style=\"padding-left: 0\">\n<li>appointments can be internal or external;<\/li>\n<li>minimum DPO expertise and qualifications include an understanding of corporate governance, IT, and data security, and expertise should be appropriate for the organisation&#8217;s data processing activities;<\/li>\n<li>DPOs must be ordinarily resident in Malaysia (i.e. physically present in Malaysia for at least 180 days within a calendar year) or if not resident, easily contactable by any means. The DPO must, however, be proficient in both Bahasa Malaysia and English languages;<\/li>\n<li>the organisation must involve the DPO in all its matters relating to personal data protection; and<\/li>\n<li>DPO appointment and responsibilities are in addition to the organisation\u2019s PDPA compliance obligations.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require or recommend employee training related to data protection? If so, please describe such training requirement(s) or recommendation(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Although the PDPA itself does not explicitly require employee training, multiple industry COPs (e.g., banking, healthcare, communications, utilities, aviation) emphasize the need for training and awareness. 
These COPs typically mandate initial and refresher sessions covering PDP Principles, policies, and security measures.<\/p>\n<p>The DPO Guidelines require DPOs to provide employee training on PDP Principles, the organisation\u2019s policies, and personal data handling responsibilities.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require controllers to provide notice to data subjects of their processing activities? If so, please describe such notice requirement(s) (e.g., posting an online privacy notice).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Please refer to the Notice &amp; Choice Principle in Q5 above. PDP Notices can be presented physically or digitally.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction draw any distinction between the responsibility of controllers and the processors of personal data? If so, what are the implications?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, while Controllers retain primary PDPA accountability (including ensuring Processor agreements guarantee adequate technical and organisational security), recent amendments also impose direct duties on Processors (e.g. Security Principle compliance, mandatory DBN requirements and DPO appointment obligations).<\/p>\n<p>The implications are such that Processors now bear direct PDPA obligations and penalties, requiring them to review and strengthen security measures and compliance frameworks. 
This expansion of responsibility enhances overall data protection by holding every processing party directly accountable, and will likely incur additional costs for appointing and training DPOs.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction, including through the use of tracking technologies such as cookies. How are these or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA does not specifically address or define ADMP, or monitoring or tracking technologies such as cookies. However, the Digital Minister announced in January 2025 that ADMP guidelines will be developed over the course of 2025. The PCP indicates that such guidelines may potentially include a right for Subjects to refuse to be subjected to decisions based entirely on ADMP. Potential exclusions include contractual or legal necessity for ADMP, or if undertaken with explicit consent. Although there is no dedicated legislation on tracking technologies, they remain subject to the PDP Principles and related obligations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any restrictions on targeted advertising and\/or behavioral advertising. 
How are these terms or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>While targeted or behavioural advertising are not specifically defined, the concept of targeted\/behavioural advertising relies on profiling individuals based on their data, which is similar to direct marketing (please refer to Q21) and may potentially be specifically regulated in future (please refer to Q18).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any data protection laws in your jurisdiction restricting the sale of personal data. How is the term \u201csale\u201d or such related terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>While the PDPA does not define \u201csale\u201d, it directly criminalises the sale and offering for sale of personal data collected unlawfully (i.e., knowingly or recklessly collecting\/disclosing\/procuring disclosure of data without the consent of the Controller holding that data). Violators face fines up to RM500,000 and\/or imprisonment up to 3 years.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any data protection laws in your jurisdiction restricting telephone calls, text messaging, email communication, or direct marketing. 
How are these terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the PDPA, direct marketing (defined as \u201c<em>the communication by whatever means of any advertising or marketing material which is directed to particular individuals<\/em>\u201d) is restricted. Subjects have the right to opt out by providing written notice, compelling Controllers to cease or avoid initiating processing for direct marketing purposes for a reasonable period.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any data protection laws in your jurisdiction addressing biometrics, such as facial recognition. How are such terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Please refer to Q4 for the definition of biometric data. The PDPA classifies biometric data as SPD, and SPD-related requirements (please refer to Q7 above) apply.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any data protection laws in your jurisdiction addressing artificial intelligence or machine learning (\u201cAI\u201d).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA does not specifically address AI. However, the proposed ADMP guidelines may apply to certain AI elements if AI is involved in ADMP as automated decision-making tools and have significant effects on individuals. 
Based on the PCP, the ADMP guidelines may include rights for Subjects such as the right to refuse ADMP, to information on ADMP, and to human review of automated decisions.<\/p>\n<p>However, the National Guidelines on AI Governance &amp; Ethics contain overarching AI considerations in the country and emphasize responsible data protection throughout the AI lifecycle. It also mandates that AI systems incorporate privacy-by-design and security-by-design principles; informed consent is obtained when processing personal data for AI training and deployment; and implementation of robust technical safeguards (such as encryption and access controls) to prevent misuse, bias, or unauthorized access to sensitive information.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Is the transfer of personal data outside your jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism or notification to or authorization from a regulator?)<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the PDPA, cross-border transfers are allowed where the recipient jurisdiction offers adequate protection equivalent to the PDPA. Otherwise, transfers must rely on explicit written consent, contractual necessity or vital\u2011interest grounds and have appropriate safeguards. 
No prior notice or approval is required if these exceptions apply, and the Commissioner\u2019s forthcoming guidelines are expected to endorse mechanisms such as binding corporate rules and standard contractual clauses.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What personal data security obligations are imposed by the data protection laws  in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In addition to the Security Principle obligations highlighted in Q5, Controllers must ensure that any engaged Processors adhere to sufficient technical and organisational security measures under clearly defined contractual terms. Following the PDPA amendments, Processors also have direct security obligations (please refer to Q17).<\/p>\n<p>Controllers in regulated industries (such as banking) must also comply with additional regulator\u2011issued security guidelines along with sectoral COPs, with the strictest standard prevailing in any conflict.<\/p>\n<p>Documented security governance, physical and logical access controls and secure data\u2011transfer protocols are also mandated by the PDPS.<\/p>\n<p>Additional security obligations vis-\u00e0-vis DBNs (please refer to Q26) and DPO appointments (please refer to Q14) also apply to Controllers and Processors.<\/p>\n<p>Non\u2011compliance exposes Controllers and Processors to increased fines, imprisonment and enforcement actions by the Commissioner.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction impose obligations in the context of  security breaches which impact personal data? 
If so, how do such laws define a security breach (or similar term) and under what circumstances must such a breach be reported to regulators, impacted individuals, law enforcement, or other persons or entities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, please refer to Q4 for the definition of \u201cpersonal data breach\u201d. In addition to Security Principle obligations, the PDPA requires Controllers to contractually obligate Processors to notify the Controller of data breaches and assist the Controller in handling breaches; submit a DBN to the Commissioner within 72 hours of breach detection; and inform affected Subjects within 7 days. DBNs must detail the breach&#8217;s nature, timing, affected data, suspected cause, number of impacted individuals and records, and remedial measures to enable Subjects to mitigate potential harm.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction establish specific rights for individuals, such as the right to access and the right to deletion? If so, please provide a general description of such rights, how they are exercised, and any exceptions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA establishes individual rights for data access and correction (please refer to the Access Principle in Q5). Although there is no explicit &#8220;right to deletion&#8221;, Subjects are entitled to withdraw consent, obligating Controllers to cease processing immediately.<\/p>\n<p>Controllers must generally comply with a DAR\/DCR within 21 days of receipt. 
If the Controller cannot comply within this period, they must inform the requestor in writing of the inability and the reasons therefor, before the period expires. Controllers have a maximum of 14 additional days after the initial period in order to fully comply with the DAR\/DCR.<\/p>\n<p>Controllers may refuse a DAR or DCR if:<\/p>\n<ul style=\"padding-left: 0\">\n<li>the requester\u2019s identity cannot be adequately verified;<\/li>\n<li>compliance would disclose another individual\u2019s data without consent or reasonable justification;<\/li>\n<li>access provision cost\/burden is disproportionate to the privacy risk;<\/li>\n<li>compliance would violate a court order;<\/li>\n<li>it would reveal the Controller\u2019s confidential commercial information;<\/li>\n<li>data access is regulated\/restricted by another law;<\/li>\n<li>the data was processed for crime prevention, detection, prosecution or tax assessment;<\/li>\n<li>the data pertains to physical or mental health information; and\/or<\/li>\n<li>the data is retained solely for backup or archival purposes.<\/li>\n<\/ul>\n<p>If a Controller refuses a DAR\/DCR, they must provide written notice and reasons for refusal to the Subject within 21\u00a0days of the request.<\/p>\n<p>Controllers may charge the maximum fee prescribed by the PDPR for access requests, with fees varying by data type (personal or sensitive) and whether a copy is requested.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction provide for a private right of action and, if so, under what circumstances?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>No. The PDPA does not create a private right of action for Subjects. 
The Malaysian Court of Appeal in the case of <em>Ranjan Paramalingam &amp; Anor v Persatuan Penduduk Taman Bangsar Kuala Lumpur [2023] 1 MLJ 459<\/em> determined that PDPA violations do not give rise to a civil cause of action.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are individuals entitled to monetary damages or compensation if they are affected by breaches of data protection law? Does the law require actual and material damage to have been sustained, or is non-material injury to feelings, emotional distress or similar sufficient for such purposes?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Please refer to Q28.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are data protection laws in your jurisdiction typically enforced?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Commissioner oversees PDPA enforcement, and is empowered to issue enforcement notices, conduct investigations and inspections, and authorize officers to exercise enforcement powers. Offenders may be arrested without a warrant and may be liable to fines and\/or imprisonment. 
Please refer to Q31 for the scope of such penalties.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>PDPA violations can result in fines from RM10,000 up to RM1,000,000 and\/or imprisonment up to 3 years, depending on the specific offence. Specific breaches, such as failing to submit a DBN, may incur fines up to RM250,000 and\/or imprisonment up to 2 years, while unauthorized data collection or selling can attract fines up to RM500,000 and\/or up to 3 years&#8217; imprisonment. Additional penalties exist for obstruction and non-compliance with data transfer regulations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any guidelines or rules published regarding the calculation of such fines or thresholds for the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>No. The PDPA specifies maximum fines and imprisonment terms but does not include detailed guidelines or rules for calculating fines or sanction thresholds. Authorities assess penalties based on the nature and severity of the violation.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to  appeal in your jurisdiction? 
If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Affected parties may seek judicial review in the High Court on grounds of illegality, unreasonableness, or procedural impropriety. Under the PDPA, aggrieved parties may file a notice of appeal within 30 days to the Appeal Tribunal. Appeals can address decisions such as registration refusals, enforcement notices, or investigation actions. The appeal notice must outline the decision&#8217;s substance and include appellant\u2019s contact information. The Appeal Tribunal\u2019s decision is final, binding, and enforceable with leave from the Sessions Court if required.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any identifiable trends or regulatory priorities in enforcement activity in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Commissioner has adopted a proactive enforcement stance, conducting more audits, inspections and investigations (especially on security breaches) in view of the PDPA amendments, and is prioritizing elevated compliance standards and modernized oversight to treat data as a national asset and bolster accountability and protection.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the implementation of specific cybersecurity risk management measures and\/or require that organisations take specific actions relating to cybersecurity? 
If so, please provide details.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Under the CSA, NCIIEs must conduct annual risk assessments, and biennial audits at a minimum (or more frequently if directed); submit each report to the Chief Executive within 30\u00a0days; and comply with any follow\u2011up directives or mandated cybersecurity exercises. Sector-specific COPs to be issued are expected to contain further controls.<\/p>\n<p>CSPs must also retain detailed service records (client, service type, date\/time) for at least 6 years and produce them on demand.<\/p>\n<p>Although the CCA does not prescribe specific controls, it criminalizes unauthorized access and modification of computer systems, effectively requiring organisations to implement reasonable security measures to prevent such misuse.<\/p>\n<p>The CMA enshrines information security and network reliability as core objectives and empowers the MCMC to issue binding written notices under its network security provisions, where failure to comply carries fines up to RM1,000,000 and\/or imprisonment up to 10\u00a0years. It also authorises registration of certifying agencies; requires licence\u2011holders to prevent their services from facilitating offences and to comply with regulatory notices; and grants the Communications Minister authority to mandate record\u2011keeping and communications\u2011data retention to support cybersecurity investigations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose specific requirements regarding supply chain management? 
If so, please provide details of these requirements.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>While no Malaysian cybersecurity law explicitly mandates supply\u2011chain management, CSA\u2011required risk assessments and audits must evaluate supplier vulnerabilities, and forthcoming sector\u2011specific COPs may potentially introduce dedicated supply\u2011chain controls.<\/p>\n<p>Although the CMA does not explicitly mandate supply\u2011chain controls, its broad security objectives and notice powers can target vendors whose products pose network risks; require licensees to oversee partners; extend record\u2011retention obligations to supplier communications; and empower MCMC\u2011registered certifying agencies to audit compliance with any adopted supply\u2011chain standards.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose information sharing requirements on organisations?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. The CSA requires information on cybersecurity incidents to be provided to the Chief Executive (please refer to Q41).<\/p>\n<p>The DSA requires government agencies to share data via a structured framework; comply with prescribed security and legal protocols (e.g. 
confidentiality, national security); restrict use to authorized purposes; and report each data\u2011sharing request (including request details, outcomes and reasons for any refusal) to the Director\u00a0General of the National Digital Department (\u201c<strong>DG<\/strong>\u201d).<\/p>\n<p>Under the CMA, the MCMC can issue written notices compelling information disclosure to mitigate network risks (including data-sharing); authorised officers may demand preservation and disclosure of communications data for investigations; the Communications Minister can prescribe record\u2011keeping and retention rules; and the MCMC may conduct audits with full access to information.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the appointment of a chief information security officer, regulatory point of contact, or other person responsible for cybersecurity? 
If so, what are their legal responsibilities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>While not explicitly mandating a \u201cchief information security officer,\u201d the CSA requires NCIIEs to designate personnel responsible for cybersecurity, who need to:<\/p>\n<ul style=\"padding-left: 0\">\n<li>implement and oversee COPs;<\/li>\n<li>conduct and report annual cyber\u2011security risk assessments and biennial audits to the Chief Executive;<\/li>\n<li>appoint contact point to fulfil obligations for providing information to, and notifying, their NSL of new or materially changed NCII;<\/li>\n<li>assign accountability for interpreting and complying with Chief Executive\u2019s directives; and<\/li>\n<li>ensure participation in any cybersecurity exercises as directed.<\/li>\n<\/ul>\n<p>By contrast, the DSA requires government agencies to report particulars of inter\u2011agency data sharing to the DG, while the CCA addresses criminal offences related to computer misuse without prescribing specific cybersecurity roles within organisations.<\/p>\n<p>The CMA does not expressly require dedicated cybersecurity roles, but licensees\u2019 obligations, the MCMC\u2019s directive powers, and the general emphasis on information security and network reliability imply that appointing responsible individuals may be mandated via subsidiary legislation, guidelines or specific instructions.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there specific cybersecurity laws \/ regulations for different industries (e.g., finance, healthcare, government)? 
If so, please provide an overview.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, there are sector-specific guidelines and regulations for different industries. For example, the Central Bank of Malaysia, under its Risk Management in Technology (RMiT) Policy Document, mandates that all licensed financial institutions establish and maintain a formal technology\u2011risk management framework, covering governance, risk assessment, security controls, and incident response; the Securities Commission Malaysia\u2019s Guidelines on Technology Risk Management for capital markets firms require enhanced oversight of technology\u2011related risks, periodic audits, and frameworks for outsourcing and third\u2011party arrangements; and the MCMC\u2019s Information and Network Security Guidelines set best practices for the communications sector aimed at enhancing information and network security and resiliency.<\/p>\n<p>Further, under the CSA, each NSL is responsible for preparing a COP to be endorsed by the Chief Executive. Such COPs have yet to be published at the time of writing but are required to set out the measures, standards, and processes needed to secure sectoral NCIIs.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What impact do international cybersecurity standards have on local laws and regulations?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>International standards such as ISO\/IEC 27001 play a major role in shaping Malaysia\u2019s cybersecurity framework and aligning it with international best practices. 
In response to rising cyber threats and the growing digital landscape, the government mandated in 2010 that all NCIIEs implement an Information Security Management System (ISMS) based on this standard. This move supports multiple national goals such as addressing increasing cyber threats and strengthening Malaysia\u2019s position in international digital economy relations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose obligations in the context of cybersecurity incidents? If so, how do such laws define a cybersecurity incident and under what circumstances must a cybersecurity incident be reported to regulators, impacted individuals, law enforcement, or other persons or entities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the CSA, a \u201ccybersecurity incident\u201d is &#8220;<em>an act or activity carried out on or through a computer or computer system, without lawful authority, that jeopardizes or adversely affects the cybersecurity of that computer or computer system or another computer or computer system<\/em>&#8221;.<\/p>\n<p>NCIIEs must notify the Chief Executive and the relevant NSLs of any cybersecurity incidents within 6 hours of discovery and submit details of the authorised person, NCIIE, sector, NSL, and information about the incident (type, description, severity, date\/time of occurrence and discovery) via the NC4. Within 14 days, further updates on the incident must be provided, including potential impact, action taken, and tactics, techniques, and procedures used. 
Failure to comply with subsequent directives may result in corrective measures, fines up to RM200,000, and\/or imprisonment for up to 3 years.<\/p>\n<p>Under the CMA, the MCMC may issue written notices to impose measures against \u201cnetwork security risks\u201d (broadly including cybersecurity incidents), with non\u2011compliance attracting significant penalties, and its directive powers (together with licensees\u2019 general duties) allow incident\u2011management and notification requirements to be introduced via subsidiary legislation, guidelines or specific instructions.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are cybersecurity laws in your jurisdiction typically enforced?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Enforcement is carried out via a multi-layered framework:<\/p>\n<ul style=\"padding-left: 0\">\n<li>under the CSA, the Chief Executive may exercise various enforcement powers (please refer to Q43);<\/li>\n<li>authorised officers possess full investigative powers\u2014search, seizure, data access and production of records\u2014under both the CSA and the Criminal Procedure Code;<\/li>\n<li>non\u2011compliance with codes, reporting or licensing obligations (including operating without a CSP licence) attracts fines and\/or imprisonment, and the Chief Executive may issue, renew, suspend or revoke such licences; and<\/li>\n<li>prosecutions for any CSA, CCA or DSA offences require the Public Prosecutor\u2019s written consent.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What powers of oversight \/ inspection \/ audit do regulators have in your jurisdiction 
under cybersecurity laws.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the CSA, the Chief Executive may issue binding directives to NSLs and NCIIEs; compel the production of information and documentation; appoint experts; endorse sectoral COPs; approve and mandate risk assessments and audits (including frequency and scope); conduct cyber\u2011security exercises; investigate incidents through authorised officers endowed with police\u2011grade search, seizure and data\u2011access powers; license and regulate CSPs, and require immediate notification of security incidents.<\/p>\n<p>Under the DSA, the DG is empowered to demand relevant information from government agencies and to require them to report both authorised and unauthorised data\u2011sharing activities.<\/p>\n<p>The CMA is mainly enforced by the MCMC through investigations, information gathering, issuing directions and mandatory standards, and facilitating the prosecution of offences. The MCMC is empowered to ensure compliance and address network security risks, with substantial penalties for non-compliance. 
New amendments on network security enhance the MCMC&#8217;s ability to enforce measures against network security risks.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violations of cybersecurity laws in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The range of sanctions for cybersecurity law violations (varying with the specific offence and its severity) is as follows:<\/p>\n<ul style=\"padding-left: 0\">\n<li>CSA: fines from RM100,000 to RM500,000 and\/or up to 10 years\u2019 imprisonment. COP non-compliance attracts similar sanctions.<\/li>\n<li>CCA: fines from RM25,000 to RM150,000 and\/or imprisonment from 3 to 10 years.<\/li>\n<li>DSA: fines up to RM1,000,000 and\/or imprisonment up to 5 years.<\/li>\n<li>CMA: fines up to RM1,000,000 and\/or imprisonment up to 10 years.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any guidelines or rules published regarding the calculation of such fines or thresholds for the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>No. The CSA, CCA, DSA, and CMA specify maximum fines and imprisonment terms but do not include detailed rules or guidelines for calculating fines or sanction thresholds. 
Enforcement authorities assess penalties based on the nature and severity of violations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to appeal in your jurisdiction? If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Affected parties may seek judicial review in the High Court on grounds of illegality, unreasonableness, or procedural impropriety. For decisions under the CSA, such as licensing refusals, appeals must be lodged in writing to the Communications Minister within 30 days. Decisions under the CMA may first be challenged by requesting a written statement of reasons and then appealed to the Appeal Tribunal (whose merits\u2011based review is final) for most MCMC decisions or directions (with certain exclusions). For other enforcement actions, including forfeiture orders, the case may progress through the court hierarchy for review.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any identifiable trends or regulatory priorities in enforcement activity in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Cybersecurity enforcement has intensified following the CSA\u2019s enactment and CMA amendments. Key priorities under the CSA include mandatory incident reporting, regular risk assessments, and audits for NCIIEs, while under the CMA the focus on deterring offensive online content has increased. 
The CSA expands regulatory coverage to 11 NCII sectors and imposes strict penalties for non-compliance, including fines and imprisonment.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\r\n\r\n\t\t\t<\/ol>\r\n\r\n<\/div>"}},"_links":{"self":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide\/104292","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide"}],"about":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/types\/comparative_guide"}],"wp:attachment":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/media?parent=104292"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}