
PDPA and M&A: Managing Personal Data in Due Diligence

M&A due diligence involves substantial flows of personal data — employee records, customer databases, supplier contacts. Malaysia's Personal Data Protection Act 2010 creates obligations that parties and advisors need to proactively manage rather than ignore.

Farah Aishah binti Zulkifli·2026-01-20·8 min read

Due diligence in a business acquisition necessarily involves personal data. Employee salaries, customer contact details, supplier relationships, medical records of staff — all of these flow from the target business to the buyer's advisors for review. Most transaction parties treat this as an administrative process. The Personal Data Protection Act 2010 (PDPA) says otherwise.

Malaysia's PDPA has been in force since 2013 and applies to commercial transactions involving the processing of personal data. M&A transactions are commercial, and they involve personal data processing. The combination means PDPA compliance is not optional in deal execution — it is a legal obligation, and enforcement is increasing.

What Personal Data Is Involved in M&A

A typical Malaysian SME acquisition will involve the following categories of personal data:

Employee data: Names, identity card numbers, salary details, EPF contribution records, employment history, performance reviews, disciplinary records, medical certificates, emergency contact information.

Customer data: Customer names and contact details, purchase history, communication records, CRM data, accounts receivable ledgers with personal information.

Supplier contact data: Names and contact details of suppliers who trade as individuals, and of individual contacts at supplier companies whose information identifies them personally.

Management and director information: Directors' biographical information, shareholding records, passport copies, income tax return references.

Not all of these categories carry the same sensitivity. Employee salary information is highly sensitive; a customer's company name and phone number may be less so. The PDPA's seven data protection principles apply to all personal data, but the practical compliance burden is heavier for sensitive categories.

PDPA's Relevance to Due Diligence Data Sharing

The PDPA applies to "data users" — entities that process personal data in connection with commercial transactions. In an M&A context, both the target company (as the original data user) and the buyer (as a new processor of the shared data) have obligations.

The target company's obligations when sharing personal data with a buyer and its advisors in due diligence are as follows.

The PDPA requires that data subjects be informed of the purposes for which their data is processed. Employee data collected for employment purposes is not collected for "potential future disclosure to an acquiring company." This creates a technical PDPA issue: sharing employee personal data with a buyer in due diligence may not fall within the original consent or notification given to employees.

In practice, responsible advisors manage this by:

  1. Anonymising where possible. Many due diligence questions about employees can be answered with anonymised data — "47 full-time employees, average salary RM 3,200/month, with 12 employees on more than 5 years' service." Only when the buyer requires specific personal information (for key person assessments or employment liability reviews) should identified data be shared.

  2. Purpose limitation in data room access. The data room should include a clear statement that access is provided solely for the purpose of evaluating the proposed transaction, and that recipients are prohibited from using any personal data for any other purpose. This should be reinforced in the NDA.

  3. Access controls. Limit who within the buyer's team has access to sensitive personal data. The financial team needs salary totals and EPF compliance records; only the legal team and HR advisors need individual employee records.

Important:

Sharing an unredacted employee list — containing names, IC numbers, salaries, and performance records — with a buyer who has not yet signed an NDA is a PDPA breach. Even after NDA signing, sharing personal data beyond what is reasonably necessary for due diligence purposes is a PDPA compliance risk. The penalty for non-compliance under PDPA can include fines up to RM 500,000 per offence and imprisonment. More practically, a PDPA breach by the target company during a sale process creates a liability that a buyer will discover and price into their offer.

How to Structure a PDPA-Compliant Data Room

Categorise and control access by data sensitivity. A well-structured data room has tiered access: general financial and operational information accessible to all NDA signatories; sensitive personal data accessible only to designated reviewers (legal counsel, HR advisor) with a specific purpose statement.

Redact personal identifiers where the specific identity is not required. Employee salary schedules for due diligence purposes typically do not require individual names — a role-level anonymised schedule satisfies most due diligence requirements. If specific individuals are material (key management, unusually high earners, employees with significant notice periods or claims history), provide identified data for those individuals only.
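As an added illustration (not code from the article), the redaction approach described above, worked through in Python: an aggregate summary and a role-level salary schedule that carry no identifiers for the general data room tier, and identified records released only for individuals flagged as material. The employee records, names, IC numbers and the 2026-01-20 reference date are constructed placeholders.

```python
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample HR extract for a hypothetical target; names and IC numbers are placeholders.
EMPLOYEES = [
    {"name": "Employee A", "ic": "800101-10-0001", "role": "Engineer", "salary": 4200, "start": date(2016, 3, 1)},
    {"name": "Employee B", "ic": "900202-11-0002", "role": "Engineer", "salary": 3800, "start": date(2021, 6, 15)},
    {"name": "Employee C", "ic": "850303-12-0003", "role": "Sales", "salary": 2900, "start": date(2019, 1, 10)},
    {"name": "Employee D", "ic": "950404-13-0004", "role": "Sales", "salary": 2600, "start": date(2023, 9, 1)},
    {"name": "Employee E", "ic": "750505-14-0005", "role": "Manager", "salary": 6500, "start": date(2012, 5, 20)},
]
AS_OF = date(2026, 1, 20)  # constructed reference date for tenure calculations


def tenure_years(start: date, as_of: date) -> float:
    return (as_of - start).days / 365.25


def aggregate_summary(employees, as_of: date, long_service_years: int = 5) -> dict:
    """Headline figures that can go to every NDA signatory: no names, no IC numbers."""
    return {
        "headcount": len(employees),
        "average_salary": round(mean(e["salary"] for e in employees)),
        "long_service": sum(1 for e in employees if tenure_years(e["start"], as_of) > long_service_years),
    }


def role_level_schedule(employees) -> dict:
    """Salary schedule by role; individual identifiers are dropped before anything leaves HR."""
    by_role = defaultdict(list)
    for e in employees:
        by_role[e["role"]].append(e["salary"])
    return {
        role: {"count": len(s), "min": min(s), "max": max(s), "total": sum(s)}
        for role, s in sorted(by_role.items())
    }


def identified_extract(employees, key_person_ics) -> list:
    """Identified records for the restricted tier only, and only for individuals the buyer has
    flagged as material (key management, high earners, notice-period or claims exposure)."""
    wanted = set(key_person_ics)
    return [dict(e) for e in employees if e["ic"] in wanted]
```

Which individuals count as material is a deal judgement; the function only enforces that nobody outside that list leaves the HR extract in identified form.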

Include a data processing notice in the data room. A brief document stating: the data room contains personal data; access is provided solely for purposes of evaluating the transaction; all personal data must be treated in confidence; it must not be used for any other purpose; and it must be returned or deleted upon request or transaction termination. Recipients should acknowledge this notice as a condition of data room access.

Maintain a data sharing log. Record which personal data was shared, with whom, on what date, and for what stated purpose. This creates an audit trail that demonstrates compliance if questions arise later.

Buyer Assessment of Target PDPA Compliance

From a buyer's perspective, due diligence should include an assessment of the target's PDPA compliance. Relevant questions:

  • Does the target have a written privacy policy and has it been communicated to customers and employees?
  • Is the target registered with the Personal Data Protection Commissioner where required? (Certain industries require mandatory registration.)
  • Has the target experienced any personal data breaches? Have they been reported as required under PDPA?
  • Does the target have a data retention and destruction policy?
  • Are third-party data processors (payroll providers, cloud services, CRM vendors) governed by appropriate data processing agreements?

A target with poor PDPA compliance is a regulatory liability that transfers to the buyer on completion. This is increasingly being treated as a warranty matter in SPAs — with specific warranties that the target is in material compliance with PDPA — and a specific indemnity for pre-completion PDPA breaches.

Post-Completion Data Transfer

When the transaction completes, the buyer takes ownership of the target's data assets, including all personal data held by the target. For some buyers — particularly those acquiring technology, fintech, or data-intensive businesses — the customer data is itself a primary asset.

For this transfer to be PDPA-compliant, the data subjects (customers, employees) need not be individually notified of the change of ownership in most cases — the data continues to be processed by the same entity (the target company) under the same policies. However, if the post-completion business plan involves materially changing how customer data is used — sharing it with group companies, using it for new marketing purposes, transferring it to new platforms — additional consent or notification steps may be required.

Sellers negotiating warranties in the SPA should be careful about making absolute warranties of PDPA compliance. A qualified warranty — "to the best of the seller's knowledge and belief, the target is in material compliance with applicable data protection legislation" — is more defensible than an unqualified absolute warranty.
