About the PDPA 2010
The Personal Data Protection Act 2010 (Act 709) came into force on 15 November 2013. It regulates the processing of personal data of individuals in commercial transactions in Malaysia. The Act establishes seven core data protection principles that data users must follow.
Official reference: www.pdp.gov.my
📋 Important distinction: Under the PDPA, Bulk SMS Singapore · Powered by iSMS Malaysia · MobiWeb Sdn Bhd acts as a data processor — we transmit messages on your instruction. You, the iSMS user, are the data user — the party who determines why and how personal data (mobile numbers, names, etc.) is collected and used. This means PDPA compliance obligations rest primarily with you, not with MobiWeb.
The 7 PDPA Principles — What They Mean for You
As a data user sending bulk SMS, you must comply with all 7 principles of the PDPA:
1. General Principle — Consent & Purpose
You must only process personal data (including mobile numbers) with the consent of the data subject, and only for the purpose for which consent was given. Do not use a mobile number collected for one purpose (e.g. a purchase) to send unrelated marketing without separate consent.
2. Notice & Choice Principle
When collecting personal data, you must inform individuals of your identity, the purpose of collection, their right to access and correct their data, and whether their data will be disclosed to third parties. This notice must be given before or at the time of collection.
3. Disclosure Principle
Personal data must not be disclosed to any third party without the consent of the data subject, unless required by law. Do not share, sell, or pass your contact database to other parties without consent.
4. Security Principle
You must take practical steps to protect personal data from loss, misuse, unauthorised access, disclosure, or alteration. Secure your iSMS account credentials and do not share login access with unauthorised parties.
5. Retention Principle
Personal data must not be kept longer than necessary for the purpose it was collected. Regularly review and purge your contact database of inactive, opted-out, or outdated records.
6. Data Integrity Principle
You must take reasonable steps to ensure that personal data is accurate, complete, and up to date. Do not send SMS to numbers you know to be incorrect or belonging to someone other than the intended recipient.
7. Access Principle
Data subjects have the right to request access to their personal data that you hold, and to request corrections. You must have a process in place to handle such requests.
Who Must Register with the PDPA Commissioner?
Organisations in the following industries that process personal data in commercial transactions are required to register with the Personal Data Protection Commissioner under the Personal Data Protection (Class of Data Users) Order 2013:
- Communications
- Banking & Financial Institutions
- Insurance
- Health & Medical
- Tourism & Hospitality
- Transportation (Malaysian airlines)
- Education
- Direct Selling
- Professional Services (Legal, Audit, Accountancy, Engineering, Architecture)
- Real Estate
- Utilities
"A person who belongs to the class of data users as specified in the order made under subsection 14(1) and who processes personal data without a certificate of registration commits an offence and shall, on conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding three years or to both."
— Laws of Malaysia Act 709, Personal Data Protection Act 2010
Practical Steps to Comply with PDPA When Using iSMS
✅ What you should do to comply:
- Collect numbers lawfully. Only use mobile numbers that were given to you directly by the individual, with their knowledge and consent for marketing or communication purposes.
- State your purpose clearly. When collecting a number, tell the person what you will use it for — e.g. "We will send you promotional SMS about our products." Do not use numbers collected for one purpose to send unrelated messages.
- Provide an opt-out in every marketing SMS. Include a clear opt-out instruction in your messages, such as "Reply STOP to unsubscribe" or a contact to reach. Process opt-out requests promptly and remove those numbers from your list.
- Keep your contact database clean. Regularly remove opted-out, inactive, or incorrect numbers. Do not retain data longer than necessary.
- Do not purchase or rent third-party databases without verifying that the individuals on the list have given proper consent for their data to be shared and used for your marketing purposes.
- Secure your iSMS account. Do not share your login credentials. Use a strong password and log out when not in use.
- Handle data access requests. If a customer asks what data you hold about them or requests a correction or deletion, respond within a reasonable timeframe.
- Register with the PDPA Commissioner if your organisation falls under one of the regulated classes of data users above.
Your Obligations as an iSMS User — Liability
All bulk SMS sending activities are logged and traceable to your iSMS account. As the data user, you are solely responsible for:
- The lawfulness of your contact database and the consent status of each recipient
- The content of all messages sent through your account
- Compliance with the PDPA 2010 and all other applicable Malaysian laws
- Handling opt-out, data access, and correction requests from recipients
⚠️ MobiWeb's Position: Bulk SMS Singapore · Powered by iSMS Malaysia · MobiWeb Sdn Bhd processes personal data solely on your instruction as a data processor. MobiWeb will not accept any liability for PDPA violations arising from your use of the iSMS platform — including unlawful data collection, lack of consent, or failure to honour opt-outs. You agree to fully indemnify MobiWeb against any fines, penalties, regulatory action, or third-party claims arising from your non-compliance.
How MobiWeb Handles Your Data
Bulk SMS Singapore · Powered by iSMS Malaysia · MobiWeb Sdn Bhd is committed to responsible handling of data entrusted to us by our users. The following describes our practices — though we do not make guarantees beyond what is reasonably practicable:
- Contact data uploaded to iSMS is used solely for the purpose of delivering your messages and maintaining activity records
- MobiWeb does not sell, rent, or share your contact database with any third party for commercial purposes
- Activity logs are maintained for operational, audit, and legal compliance purposes
- Access to user data is restricted to authorised MobiWeb personnel on a need-to-know basis
- MobiWeb will comply with any lawful disclosure request from relevant authorities
For full details on how MobiWeb handles your personal data, refer to our Privacy Policy.
📋 Registration: If your organisation falls under one of the regulated classes listed above, you are required to register with the Personal Data Protection Commissioner. Forms and guidance are available at www.pdp.gov.my. This is your organisation's obligation — not MobiWeb's.