PDPA Compliance
How Loyalti protects personal data under Malaysia's Personal Data Protection Act 2010 — and what it means for you.
Last updated: 28 March 2026
What Is the PDPA?
The Personal Data Protection Act 2010 (PDPA) is Malaysia's primary legislation governing the processing of personal data in commercial transactions. Enacted in 2010 and brought into full force in 2013, the PDPA establishes seven core data protection principles that all data users — businesses that collect and process personal data — must comply with.
The PDPA is enforced by the Jabatan Perlindungan Data Peribadi (Department of Personal Data Protection, JPDP), operating under the Ministry of Digital Malaysia. The Department has the authority to conduct investigations, issue enforcement notices, and prosecute non-compliant organisations.
Loyalti Sdn Bhd is registered as a data user under the PDPA, and we take our obligations under this legislation seriously. This page explains how we implement the PDPA's seven principles across our Platform.
The Seven Principles
PDPA Data Protection Principles
The PDPA establishes seven legally binding principles that govern how personal data must be handled. Here is how Loyalti implements each one.
Principle 1
General Principle
Personal data may only be processed with the consent of the data subject, except in specific circumstances permitted by law. We obtain explicit consent at every data collection point on the Platform.
Principle 2
Notice & Choice
Data subjects must be informed of the purpose for which their data is collected, the types of third parties to whom it may be disclosed, and their right to request access and correction. Loyalti's privacy notice is available in both Bahasa Malaysia and English.
Principle 3
Disclosure Principle
Personal data must not be disclosed to third parties for purposes other than those for which it was originally collected, unless the data subject consents or disclosure is required by law. We never sell personal data.
Principle 4
Security Principle
Data users must take practical steps to protect personal data against loss, misuse, modification, unauthorised or accidental access, and disclosure. We employ AES-256 encryption at rest and TLS 1.3 in transit.
Principle 5
Retention Principle
Personal data must not be kept longer than is necessary for the purpose it was collected. We purge deleted accounts within 90 days and retain financial records only as required by Malaysian tax law.
Principle 6
Data Integrity Principle
Data users must take reasonable steps to ensure that personal data is accurate, complete, not misleading, and kept up to date. We provide self-service tools for users to update their data at any time.
Principle 7
Access Principle
Data subjects have the right to access their personal data and to request corrections. Loyalti provides a data access request portal and responds to all requests within 21 days, per PDPA requirements.
Our Commitments
How Loyalti Complies
Compliance is built into how we design, build, and operate the Platform — not added as an afterthought.
Explicit consent collected at Customer registration for each Vendor programme
Privacy notice available in both Bahasa Malaysia and English
Data access request portal for all registered users
Right to deletion: full account deletion with 90-day data purge
AES-256 encryption for all data at rest
TLS 1.3 encryption for all data in transit
Data stored in Southeast Asia region (Singapore/Malaysia)
72-hour breach notification commitment to affected individuals and authorities
Annual independent security audits and penetration testing
Staff training on data protection and PDPA obligations
Data processing agreements in place with all third-party processors
Vendor data isolation — each Vendor accesses only their own Customers' data
Data Subject Rights
Your Rights Under the PDPA
As a data subject under the PDPA, you have the following rights in relation to your personal data held by Loyalti.
Right of Access
Request a copy of all personal data we hold about you, including how it is used and with whom it has been shared.
Right of Correction
Request that any inaccurate, incomplete, or outdated personal data be corrected or updated.
Right to Withdraw Consent
Withdraw your consent to marketing messages or other non-essential processing at any time without affecting prior lawful processing.
Right to Request Deletion
Request deletion of your account and associated personal data, subject to mandatory retention periods under Malaysian law.
To exercise any of your rights, email our Data Protection Officer at privacy@loyalti.my. Please include your name, registered email address, and a description of your request. We will acknowledge receipt within 3 business days and respond fully within 14 business days, as required under the PDPA.
Data Protection Officer
Loyalti Sdn Bhd
Email: privacy@loyalti.my
Response time: Within 14 business days of receiving your request (per PDPA requirements)
Acknowledgement: Within 3 business days of receipt
If you are dissatisfied with our response, you may also lodge a complaint with the Jabatan Perlindungan Data Peribadi (JPDP) at www.pdp.gov.my.
Questions about PDPA?
Our team is happy to answer any questions about how we handle personal data, your rights, or our compliance programme.