Trishelea Sandosam, partner, and Han Yang Quek, senior associate, at Wong & Partners, explain how Malaysia’s PDPA amendments reshape the boundaries of employee surveillance
The recent backlash against a Malaysian manager who asked an employee to share their live location while on vacation has reignited debate over workplace surveillance.
The request sparked outrage online, with many questioning whether employers should ever have the right to track staff outside working hours.
The case highlights how easily personal data collection can cross into sensitive territory. Even well-meaning requests may appear intrusive, undermining trust and raising the risk of legal breaches.
In Malaysia, such monitoring falls squarely within the scope of the Personal Data Protection Act 2010 (PDPA), which sets strict standards on how organisations handle personal data in employment relationships.
At the same time, major PDPA amendments came into force in June 2025. These changes impose new obligations on employers, including the appointment of a mandatory Data Protection Officer (DPO) and data breach notification rules.
With global attention on employee rights and digital privacy, HR and legal leaders must urgently review their policies to ensure compliance.
To unpack what these developments mean for employers, HRD Asia spoke with Trishelea Sandosam, Partner, and Han Yang Quek, Senior Associate, at Wong & Partners, a member firm of Baker McKenzie International.
When surveillance crosses the line
Sandosam and Quek caution that requiring staff to share location data outside working hours is difficult to justify.
“It would be difficult to argue that an employer’s request of that data is necessary, or that it is proportionate; especially when taken in light of the fact that the employee is not actively performing their work duties which necessitate their tracking, nor is there an established need for the organisation to verify the use of their leave entitlement through their location,” they explain.
Such practices, they add, may “fall foul of Malaysia’s privacy laws, and could expose a requesting employer to challenges or liabilities.”
The PDPA’s wide scope
The PDPA defines personal data broadly, covering any information that identifies or can identify a person.
In this instance, employee location data clearly falls under its protection. “It could therefore, in this context, include data relating to an employee’s location,” they note.
One of the PDPA’s core requirements is consent. “Personal data can only be processed with the employee’s consent, unless certain exceptions apply,” Sandosam and Quek explain.
“That personal data can also only be processed if it is necessary for and proportionate to a lawful purpose.”
This means employers must show both necessity and proportionality before collecting such data.
Risks of non-compliance
Failure to comply with PDPA principles carries steep consequences.
“If an employer fails to process personal data in compliance with the principles of the PDPA, they could be exposed to penalties under the PDPA, including a fine of not more than RM 1 million and/or imprisonment of up to three years,” they warn.
But the damage is not just legal. “An employer which excessively or unnecessarily processes such information may potentially undermine the mutual trust and confidence between the employer and the employee, which could, in turn, open the gates to potential challenge from the employee, including a constructive dismissal claim.”
When surveillance becomes constructive dismissal
Excessive monitoring does more than erode trust. It can be grounds for constructive dismissal.
Sandosam and Quek stress that if employees feel forced into an untenable situation because of invasive data collection, they may resign and bring claims against their employer.
This shifts surveillance from a compliance question into a potential employment dispute, with reputational and financial consequences.
Beyond consent: other PDPA principles
Employers must also comply with other PDPA principles. These include:
- Notice and Choice Principle: “Employees must be informed of the purpose, scope, and consequences of data collection at the time the data is obtained.”
- Security and Retention Principles: “Employers must ensure that surveillance data is protected against unauthorised access, and that they do not retain the personal data for longer than is necessary.”
Together, these obligations demand transparent policies, proper safeguards, and limited retention periods.
The 2025 amendments: new compliance priorities
With the June 2025 amendments, employers face new obligations. “With the introduction of key amendments that impose new obligations on data controllers (such as employers) and provide for new rights of data subjects (such as employees), organisations are encouraged to keep the following developments at the forefront of their privacy governance,” Sandosam and Quek explain.
Appointment of Data Protection Officers
“Firstly, a DPO must be appointed by every data controller’s organisation to oversee the organisation’s compliance with the PDPA” in circumstances where they handle large amounts of data or engage in systematic monitoring.
This is required if the data controller:
- Processes the personal data of over 20,000 data subjects;
- Processes sensitive personal data (including financial information) of more than 10,000 data subjects; or
- Is involved in activities that require regular and systematic monitoring of personal data, which includes, for example, any form of activity where data subjects are tracked and profiled (whether online or offline) for behavioural advertising purposes.
For HR, this means policies on recruitment, employee monitoring, or GPS tracking should be reviewed with the DPO.
“Surveillance or processing of employee information that lacks an obvious demonstrable commercial necessity should be considered carefully in tandem with the DPO, and based on the principles of the PDPA.”
Breach notification rules
Malaysia now requires organisations to report serious data breaches.
“Any such breaches must be notified to the Commissioner within 72 hours of the breach,” they explain.
HR teams must therefore implement incident response protocols and ensure systems are secured against misuse.
Expanding sensitive data categories
The amendments also broaden the definition of sensitive data to cover biometric identifiers.
“HR systems that collect biometric data (such as facial or fingerprint data, among others, potentially for employee monitoring and attendance tracking) must now ensure that such personal data is processed based on the principles of the PDPA,” they note.
This includes explicit consent, secure storage, and limited retention periods.
Cross-border data transfers: A multinational challenge
Many Malaysian employers use global HR platforms hosted overseas.
Sandosam and Quek note that when employee data is transferred abroad, employers must ensure compliance with PDPA safeguards.
If not, they risk liability both at home and internationally. This makes it essential for multinational companies to align local practices with global systems.
Practical steps for HR and legal teams
The lawyers recommend practical measures to align HR practices with the new rules:
- Data mapping to identify all personal data collected from employees.
- Revised contracts and privacy notices to reflect PDPA principles.
- Data breach response plans with clear timelines and escalation procedures.
- Surveillance system audits to ensure only necessary data is collected.
- Training for managers on data protection responsibilities.
Embedding PDPA into contracts and policies
Beyond policies, Sandosam and Quek stress the importance of reflecting data obligations in employment contracts and staff handbooks.
Clear references to data collection and processing help avoid disputes later.
This ensures HR has contractual as well as policy support when handling sensitive information.
AI monitoring tools: a new frontier
Some companies are experimenting with AI tools that track mood, engagement, or burnout risk.
Sandosam and Quek acknowledge the potential but warn of possible consequences.
“With the evolution of the workspace, companies in Malaysia are no strangers to assistive AI tools and have become increasingly adaptive with its use, to monitor employee productivity and workplace concerns,” they say.
But proportionality and consent remain key.
“AI systems that track behavioural signals must therefore be deployed with a specific operational or wellbeing-related objective. Employees must be given a clear explanation of what data is being collected, how it will be used, and they must consent to the processing of such data.”
They add: “Tracking general engagement through anonymised surveys may be proportionate, but scraping individual private messages or monitoring keystrokes could likely be excessive.”
Ethics and Malaysia’s AI guidelines
Malaysia’s National Guidelines on AI Governance and Ethics (2024) complement the PDPA by promoting principles like fairness, transparency, and accountability.
“These guidelines promote seven core principles, including fairness, transparency, accountability, and human benefit, and recommend that AI systems be designed to avoid bias, respect privacy, and include human oversight,” they explain.
While not legally binding, the guidelines reflect policy direction and may influence enforcement.
Privacy is part of trust and reputation
For Malaysian employers, the lesson is clear. Surveillance, whether through GPS, biometric systems, or AI, must be grounded in necessity, proportionality, and consent.
Heavy-handed monitoring not only risks PDPA penalties but can also give rise to constructive dismissal claims and reputational harm.
As Sandosam and Quek emphasise, responsible data governance is now inseparable from HR practice.
Privacy is not just a compliance requirement but a test of an organisation’s culture.
In today’s competitive labour market, embedding privacy into workplace culture is also about retaining talent and protecting the employer brand, since these are the standards by which employees, regulators, and the public will judge an organisation.