Personal Data Protection Act (PDPA): Types, Obligations, & Templates for Employers
# Human Resources# Recruitment & Hiring# Employer# HR Expert

by Ivana
May 14, 2025 at 08:19 PM


When you collect resumes, write interview notes, or update payroll records, you are dealing with someone’s personal information.

This may seem like normal HR work, but under the law, it is a serious responsibility.

In Malaysia, the Personal Data Protection Act (PDPA) sets clear rules on how to manage personal data.

Whether you are part of a small business or a large HR team, you must follow these rules.

Keep reading to learn what the Malaysian PDPA means for HR work, with simple examples from real situations.

What is the Personal Data Protection Act (PDPA)?

The Personal Data Protection Act 2010 (PDPA) is the Malaysian law that regulates how personal data is processed in commercial transactions. It was enacted in 2010, came into force in November 2013, and was substantially amended by the Personal Data Protection (Amendment) Act 2024.

Its main goal is to protect the privacy of individuals by setting rules for how businesses collect, use, disclose, store, and dispose of their data.

An employer cannot collect, store, or use employee or candidate data without a lawful purpose directly related to the employment relationship, a notice explaining that purpose, and the person's consent.

This applies during hiring, onboarding, payroll, performance reviews, and even after someone leaves the company.

Who Does PDPA Apply To?

The PDPA applies to any party involved in handling personal data in a commercial setting, including:

  • Employers and HR departments that collect employee records.

  • Recruiters, job portals, and talent acquisition teams that handle candidate CVs, interview records, and background checks.

  • Payroll and HR vendors that manage employee databases on behalf of companies.

In PDPA terms, the company that decides why and how the data is processed is the data user (renamed "data controller" by the 2024 amendments), and a vendor that processes it on the company's behalf is a data processor. So even if you outsource your HR services, your company remains responsible for how the data is handled. Since the 2024 amendments, processors also carry their own direct security obligations under the Act, but that does not shift the controller's responsibility.

Types of Personal Data Covered Under PDPA

PDPA protects any data that can identify an individual, either directly or indirectly. For HR purposes, this includes:

  • Employee names, IC numbers, addresses, and contact details.

  • Bank account numbers, salary slips, tax files, and EPF information.

  • Medical records, emergency contacts, and insurance documents. Information about health (and, since the 2024 amendments, biometric data) is "sensitive personal data" under the Act and may only be processed with the individual's explicit consent.

  • CVs, interview notes, and performance evaluations of job candidates.

Even notes taken during an interview or copies of academic certificates fall under personal data.

Principles of PDPA Employers Must Follow

To stay compliant, there are seven key principles under the PDPA that HR and employers must apply to their daily work.

1. General Principle

You must get consent before collecting or using any personal data, the purpose must be lawful and directly related to your business activity, and the data collected must be adequate and not excessive for that purpose. For example, you cannot use a candidate's phone number to promote job openings without asking them first, and you should not collect a candidate's full medical history when all the role requires is confirmation of fitness to work.

2. Notice and Choice Principle

You need to inform employees and candidates about why their data is being collected, how it will be used, who it will be disclosed to, whether providing it is obligatory or voluntary, and how they can access or correct it.

This is usually done through a privacy notice, which the Act requires to be provided in both the national language and English.

3. Disclosure Principle

You can only share someone’s personal data with another company if:

  • It’s part of the original reason you collected the data, or

  • The person has clearly agreed to it.

Example:

It’s okay to share employee information with a payroll service provider because it’s related to salary processing.

But it’s not okay to share the same information with a marketing company unless the employee agreed.

4. Security Principle

You must take practical steps to protect employee and candidate data from loss, misuse, modification, and unauthorised or accidental access, disclosure, alteration, or destruction.

A password on a shared spreadsheet is not enough on its own. In practice this means encrypting stored files and backups, giving each HR user an individual account with access limited to the records their role needs, keeping an access log so you can tell who opened or exported a record, and confirming that any vendor holding the data applies equivalent controls.

5. Retention Principle

You should only keep personal data for as long as it is needed for the purpose it was collected. Once an employee leaves and their data is no longer relevant, it should be securely deleted or anonymised. Statutory retention periods override this: payroll and tax records, for example, must be kept for the period the tax and employment laws require (seven years for records relevant to income tax), so define a retention schedule per record type rather than deleting everything on the exit date.

6. Data Integrity Principle

Make sure the information you store is accurate and up to date. So, if an employee updates their address, the HR system should reflect the change.

7. Access Principle

Employees have the right to view and request corrections to their personal data. The Act requires you to respond to a data access request within 21 days of receiving it, so HR needs a process for locating every copy of a person's records, including those held by vendors.

PDPA Obligations for Employers

To stay compliant with the law, HR teams need to take some important steps:

  • Draft a clear internal privacy policy that explains how employee and candidate data is handled.

  • Obtain recorded consent from employees and job applicants before collecting their personal information, and explicit consent for sensitive personal data such as medical records.

  • Use secure and organised systems to store personal records, whether digital or physical, with access restricted to the people who need it.

  • If you work with a third-party vendor (such as for payroll or background screening), put a written contract in place that binds the vendor to PDPA-level security, and check that it actually follows it.

  • Check whether your business falls within a class that must register with the Personal Data Protection Commissioner under the Personal Data Protection (Class of Data Users) Order 2013 (private employment agencies are one such class), and whether the 2024 amendments require you to appoint a data protection officer.

Consequences of Non-Compliance with PDPA

Ignoring PDPA comes with serious risks. If your company is found to mishandle personal data, it could face:

  • Legal penalties. Breaching any of the seven principles is an offence; the 2024 amendments raised the maximum penalty to a fine of up to RM1,000,000, imprisonment for up to three years, or both (previously RM300,000 and two years).

  • Loss of trust from employees, who may feel their privacy is not valued.

  • Reputation damage if word gets out about poor data protection practices.

For companies, especially in recruitment and HR, your credibility depends on how well you handle sensitive information.

How to Ensure PDPA Compliance in HR and Recruitment

Start by building a privacy-aware culture in your organisation. A few things you can do:

  • Train your HR and recruitment team on PDPA basics and best practices.

  • Include data protection policies in your employee handbook or onboarding material.

  • Use secure HR software to manage staff records with restricted access.

  • Review contracts with third-party vendors to ensure they follow PDPA-compliant processes.

Don't overlook the small actions either, like locking filing cabinets, using encrypted email for documents containing IC numbers or bank details, and limiting who can access digital employee folders.

These actions can also go a long way in protecting data.

Checklist for PDPA Compliance in HR

Here’s a quick list you can use to stay on track:

  • Only collect data that is necessary for employment purposes.

  • Always inform employees and candidates about the purpose of collecting their data.

  • Get their written consent before collecting or processing personal information.

  • Limit who can access sensitive employee or candidate data.

  • Review your data regularly and securely dispose of anything outdated or no longer relevant.

Templates & Resources

Employee Consent Form

[Header Company Name]

Employee Personal Data Protection Consent Form

Purpose: In line with the Personal Data Protection Act 2010 (PDPA), this form seeks your consent for the collection, use, and processing of your personal data for employment and related purposes.

Personal Data Collected May Include (but not limited to):

  • Full name

  • NRIC number

  • Contact details

  • Bank account details

  • Emergency contact information

  • Employment history and qualifications

  • Medical records and health status (sensitive personal data, processed only with your explicit consent)

  • Performance appraisals

  • Disciplinary records

How Your Data Will Be Used: Your data will be used for administrative, operational, and legal employment purposes, such as payroll, benefits administration, performance tracking, and compliance with labour laws.

Your Rights: You have the right to access and request correction of your personal data held by the company. All data will be handled securely and retained only for as long as needed.

Consent Statement:

I, the undersigned, hereby give my consent to [Company Name] to process my personal data for legitimate employment purposes in accordance with the PDPA, and I give my explicit consent to the processing of my sensitive personal data (such as medical records) for those purposes.

Employee Name: _________________________
NRIC No.: _________________________
Signature: _________________________
Date: _________________________

Job Applicant Privacy Notice

[Header Company Name]

Personal Data Protection Notice for Job Applicants

Dear Applicant,

Thank you for your interest in working with [Company Name]. As part of the recruitment process, we will collect and process your personal data. This notice is provided in accordance with the Personal Data Protection Act 2010 (PDPA).

What Personal Data We Collect
During the recruitment process, we may collect the following data:

  • Full name, contact information, and NRIC number

  • CV, resume, and cover letter

  • Academic qualifications and work history

  • References and referee contact details

  • Interview notes and assessments

  • Any other information you provide voluntarily

Purpose of Data Collection
Your personal data is collected strictly for recruitment purposes, such as evaluating your application, conducting background checks, contacting referees, and determining your suitability for employment.

Who We May Share Your Data With
Your data may be shared with internal HR staff, hiring managers, and third-party service providers involved in background screening. We will only share what is necessary and treat your data confidentially.

Data Retention
Your application data will be stored for [e.g., 6 months] after the recruitment process ends. After that, your data will be deleted or anonymised unless you have given consent for us to retain it for future opportunities.

Your Rights
You may request to access or correct your data, or withdraw your consent to its processing, at any time by contacting us at [insert contact email/phone number].

By submitting your application, you agree to the processing of your personal data as described above.

Sincerely,

[Company HR Department]
[Email / Contact Number]
[Date]

Internal PDPA Policy Template 

[Header Company Name]

 Internal Personal Data Protection Policy

Effective Date: [Insert Date]

1. Introduction

This policy outlines how [Company Name] handles personal data in accordance with the Personal Data Protection Act 2010 (PDPA). It applies to all employees, interns, and contractors who have access to employee or candidate personal data.

2. What is Personal Data?

Personal data includes any information that identifies a person directly or indirectly, such as:

  • Full name, IC number, contact details

  • Employment records

  • Bank account and salary information

  • Medical records

  • CVs, interview notes, and reference checks

3. Purpose of Data Collection

We collect and process personal data to manage employment and recruitment matters, such as:

  • Hiring and onboarding

  • Payroll and statutory submissions

  • Performance evaluations and HR administration

  • Health and safety compliance

4. Principles We Follow

Our team must follow these PDPA principles:

  • Consent must be obtained before collecting personal data.

  • Notice must be given about why and how the data is collected.

  • Data can only be used for the purpose it was collected.

  • Data must be stored securely to prevent leaks or misuse.

  • We retain data only as long as necessary.

  • All personal data must be kept accurate and up to date.

  • Employees have the right to access and correct their data.

5. Internal Responsibilities

  • HR is responsible for obtaining consent forms and maintaining secure records.

  • Managers must treat employee data as confidential.

  • IT must maintain the security controls for systems storing personal data, including access control, encryption, and access logging.

6. Sharing of Data

Personal data may be shared only with:

  • Payroll vendors and statutory bodies (e.g., EPF, SOCSO)

  • Government agencies, when legally required

  • Third-party services with PDPA-compliant agreements

7. Breach Handling

If a data breach occurs or is suspected, report it immediately to the HR Manager and record what data was involved, how many people are affected, and when it was discovered. A review will be conducted, and affected parties will be notified when required. Note that under the 2024 amendments, notifying the Personal Data Protection Commissioner of a breach is mandatory, and affected individuals must also be notified where the breach is likely to cause them significant harm, within the timelines the Commissioner prescribes.

8. Employee Rights

Employees can:

  • Request access to their personal data

  • Request corrections if the data is inaccurate

  • Submit concerns about how their data is handled

Approved by:
[Name, Designation]
[Date]

Contact for PDPA matters:
HR Department – [email/phone]

FAQ

Can I use a candidate’s data after they are rejected?

Only if you told them beforehand and they agreed. Otherwise, it must be deleted once the hiring process is over.

Do I need to get consent from employees every year?

No, but if there are changes in how their data is used, you should inform them again and update the records.

How long can I keep an ex-employee’s records?

Keep only what is necessary. Records you must retain for statutory purposes, such as payroll and tax records, are kept for the period the relevant law sets (seven years for income tax records). Everything else, such as performance reviews or interview notes, should be deleted or anonymised after a reasonable time, which you should define in a written retention schedule.
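The Retention Principle, the applicant privacy notice, and the two FAQ answers above all describe the same mechanism: each record type has its own retention clock, statutory records outlive the employment, applicants who consented to being kept on file are exempt, and whatever is past its date is deleted or anonymised. The following Python script is an added illustration of that schedule, not code from the original page or from AJobThing. The six-month applicant period is the page's own example value; the seven-year statutory period and the one-year grace period for other ex-employee records are assumptions for this example and should be replaced with the periods from your own retention schedule. The records are constructed sample data.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Retention periods. Only the applicant figure comes from the page's notice
# template ("[e.g., 6 months]"); the other two are assumptions for this example.
APPLICANT_RETENTION_DAYS = 183      # ~6 months after the recruitment process ends
STATUTORY_RETENTION_YEARS = 7       # assumed for payroll/tax records; confirm against your obligations
EX_EMPLOYEE_OTHER_DAYS = 365        # assumed "reasonable time" for non-statutory records

STATUTORY_CATEGORIES = {"payroll", "tax", "epf"}


@dataclass(frozen=True)
class Record:
    record_id: str
    subject_type: str            # "applicant" or "employee"
    category: str                # "application", "payroll", "performance", "medical", ...
    name: str
    nric: str
    end_date: Optional[date]     # recruitment closed / employment ended; None = still active
    consent_to_retain: bool = False


def _add_years(d: date, years: int) -> date:
    """Add whole years, mapping 29 Feb to 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def decide(rec: Record, today: date) -> Tuple[str, str]:
    """Return (action, reason) where action is 'keep', 'anonymise' or 'delete'."""
    if rec.end_date is None:
        return "keep", "active relationship"
    if rec.subject_type == "applicant":
        if rec.consent_to_retain:
            return "keep", "candidate consented to retention for future roles"
        if today > rec.end_date + timedelta(days=APPLICANT_RETENTION_DAYS):
            return "anonymise", "applicant retention period expired"
        return "keep", "within applicant retention period"
    if rec.category in STATUTORY_CATEGORIES:
        if today > _add_years(rec.end_date, STATUTORY_RETENTION_YEARS):
            return "delete", "statutory retention period expired"
        return "keep", "held for statutory purposes"
    if today > rec.end_date + timedelta(days=EX_EMPLOYEE_OTHER_DAYS):
        return "delete", "no longer needed after employment ended"
    return "keep", "recent leaver, within grace period"


def anonymise(rec: Record) -> Record:
    """Strip the identifying fields. Hashing an NRIC would NOT anonymise it: the
    NRIC space is small enough to enumerate, so a hash is only pseudonymisation."""
    return replace(rec, name="[anonymised]", nric="[anonymised]")


def sweep(records: List[Record], today: date) -> Dict[str, List[Tuple[str, str]]]:
    """Group record ids by action, keeping the reason so the decision can be audited."""
    plan: Dict[str, List[Tuple[str, str]]] = {"keep": [], "anonymise": [], "delete": []}
    for rec in records:
        action, reason = decide(rec, today)
        plan[action].append((rec.record_id, reason))
    return plan


# Constructed sample data; NRIC values are placeholders, not real identifiers.
TODAY = date(2025, 5, 14)
SAMPLE_RECORDS = [
    Record("A001", "applicant", "application", "Candidate One", "000000-00-0001", date(2024, 10, 1)),
    Record("A002", "applicant", "application", "Candidate Two", "000000-00-0002", date(2025, 3, 1)),
    Record("A003", "applicant", "application", "Candidate Three", "000000-00-0003", date(2024, 10, 1), True),
    Record("E001", "employee", "payroll", "Leaver One", "000000-00-0004", date(2017, 1, 31)),
    Record("E002", "employee", "payroll", "Leaver Two", "000000-00-0005", date(2020, 6, 30)),
    Record("E003", "employee", "performance", "Leaver Three", "000000-00-0006", date(2023, 12, 31)),
    Record("E004", "employee", "performance", "Leaver Four", "000000-00-0007", date(2025, 1, 15)),
    Record("E005", "employee", "medical", "Current Staff", "000000-00-0008", None),
]


def run_sample() -> Dict[str, List[str]]:
    """Run the sweep over the sample data and return just the record ids per action."""
    plan = sweep(SAMPLE_RECORDS, TODAY)
    return {action: [rid for rid, _ in items] for action, items in plan.items()}


if __name__ == "__main__":
    for action, items in sweep(SAMPLE_RECORDS, TODAY).items():
        for rid, reason in items:
            print(f"{action:10s} {rid}  ({reason})")
```

Two design points matter more than the exact periods. First, the sweep only produces a plan with a reason per record; the deletion itself should run from that plan and the plan should be logged, because "we deleted it on schedule" is something you may need to demonstrate. Second, anonymisation has to be irreversible: blanking the name and IC number is anonymisation, while replacing them with a hash is not, since a 12-digit NRIC can be brute-forced from the hash.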

Do small businesses need to comply with PDPA?

Yes. As long as you collect or process personal data for commercial reasons, the PDPA applies to your business, no matter the size.


© Copyright Agensi Pekerjaan Ajobthing Sdn Bhd SSM (1036935K) EA License Number JTKSM 232C