
Withdrawal of Consent under Personal Data Protection Act (PDPA) 2010: Protecting Data Subject Rights

In this digital age, the protection of personal data has become an increasingly vital concern. Many countries have enacted comprehensive laws to safeguard individuals' personal information, and Malaysia is no exception with its Personal Data Protection Act 2010 (“PDPA 2010”). In the context of PDPA 2010, a data subject is the person to whom a set of personal data pertains. Data subjects have rights and protections under the law, including the right to access their personal data, the right to have their data corrected and the right to have their data deleted under certain circumstances. One crucial aspect of the PDPA 2010 is the provision for data subjects to withdraw their consent regarding the processing of their personal data.[1]

A notable case, Genting Malaysia Bhd v Pesuruhjaya Perlindungan Data Peribadi & Ors (2021)[2], illustrates the importance of adherence to the PDPA 2010. In this judicial review, the applicant runs an integrated resort business in Genting Highlands, Pahang (also known as Resorts World Genting), with its main business activities covering leisure and hospitality services such as gambling, lodging, food and drink, theme parks, retail, and entertainment attractions. The Inland Revenue Board of Malaysia, as 3rd Respondent (“the Revenue”), sought access to personal data under section 81 of the Income Tax Act 1967 (“ITA 1967”), stating that such information would assist it to enlarge its tax base and increase tax collection. The applicant further requested the court to overturn the decision made by the 1st and 2nd Respondents regarding the disclosure of customer data to the Revenue without the customers’ consent, leading the court to rule in favour of the data subjects’ rights. The ITA 1967 does not grant the Revenue authority to disregard data protection principles. This case emphasizes the need for any party seeking personal data to adhere to the principles of the PDPA 2010 and demonstrate a valid reason for data access.

The Right to Withdraw Consent

Under Section 38 of the PDPA 2010, a data subject has the right to withdraw their consent to the processing of personal data related to them by submitting a written notice. This provision empowers individuals to take control of their personal information, ensuring that they are not subjected to unwanted or unauthorized data processing.

Obligations of Data Users

Upon receiving the withdrawal notice, data users are legally obligated[3] to cease the processing of the personal data in question. This means that the data user must promptly halt any data processing activities concerning the data subject's personal information.

Protection of Data Subject Rights

Importantly, the failure of a data subject to exercise the right to withdraw consent does not affect any other rights conferred upon them by the PDPA 2010[4]. This safeguards the data subject's broader rights to their personal information.

Exceptions under Section 42(2) of the PDPA 2010

There is an exception to the withdrawal of consent[5], which allows data users to continue processing data without consent in situations where processing is either consented to or necessary. In such cases, data users must notify the data subject within 21 days of receiving the withdrawal notice, indicating their compliance or intention to comply and providing reasons for any failure to comply or the extent of compliance.

Recourse for Data Subjects

If data users fail to comply with the data subject's withdrawal of consent, the data subject can submit an application to the Commissioner for Personal Data Protection. If the Commissioner is satisfied that non-compliance has occurred, they can require the data user to comply.

For data users who fail to comply with the withdrawal of consent, the non-compliance constitutes an offence. Upon conviction, data users can face substantial penalties, including a fine of up to Ringgit Malaysia One Hundred Thousand (RM100,000.00) or imprisonment for a term not exceeding one year, or both.[6]

Appeal Mechanism

Data subjects may appeal the decisions made by the Commissioner to the Appeal Tribunal within 30 days from the date of the Commissioner's decision[7]. This ensures a fair process for all parties involved.


In conclusion, the PDPA 2010 grants individuals the right to withdraw their consent for the processing of their personal data, with clear guidelines for data users and potential legal consequences for non-compliance. This law helps protect individuals' privacy and data rights, fostering a more responsible and secure digital environment in Malaysia.

[1] Section 38 of Personal Data Protection Act 2010

[2] [2021] MLJU 2847

[3] Section 38(2) of Personal Data Protection Act 2010

[4] Section 38(3) of Personal Data Protection Act 2010

[5] Section 42(2) of Personal Data Protection Act 2010

[6] Section 38(4) of Personal Data Protection Act 2010

[7] Section 93 of Personal Data Protection Act 2010

Authored by Khairul Nur Afiqah Binti Khairul Ariffin

Kindly note that this legal article does not, and is not intended to, constitute formal legal advice by the Firm; instead, all information, content and materials available on this site are for general informational purposes only. If readers require further clarification or legal advice, please email

