
Is Your Recruitment Software Putting You in Breach of Malaysia's PDPA?

Most organisations in Malaysia have no idea they are breaking the law — every single time a candidate uploads a CV.

Whether you are a multinational running BambooHR for regional hiring, an SME using Breezy HR to manage a handful of roles, or a growing company that recently signed up for Workable — the same exposure applies. Most organisations assume that because a software vendor ticks a GDPR box, they are covered everywhere else too.

They are not.

The Law Most HR Teams Have Not Read

Malaysia's PDPA has been in force since 2013. Section 129 prohibits the transfer of personal data outside Malaysia unless the destination country provides a comparable standard of data protection. The United States — where most recruitment SaaS platforms store their data — has no adequacy determination with Malaysia. No bilateral agreement, no formal framework.

What this means in practice:

  • Every CV uploaded to a US-hosted platform is a cross-border data transfer under Malaysian law
  • Your organisation, as the data user, is legally responsible — not the software vendor
  • "I did not know where the data was stored" is not a defence

To be clear: Section 129(3)(a) allows cross-border transfer if candidates are explicitly informed — before they apply — that their data will be stored overseas and they consent to that specific disclosure. The problem is that almost no organisation in Malaysia — whether an SME, a large enterprise, or a specialist recruiter — has that disclosure correctly in place. A generic "I agree to the privacy policy" checkbox does not meet the standard. The legal pathway exists. The practical compliance almost never does.

What Is PII and Why Does It Matter?

PII stands for Personally Identifiable Information — any data that can identify a specific individual, either on its own or combined with other information. A standard Malaysian candidate CV is essentially a PII document: it contains the candidate's full name, personal email, mobile number, home address, IC or passport number, date of birth, photograph, employment history, and education details.

Under the PDPA, all of it is protected personal data. The moment it is uploaded to a platform hosted outside Malaysia — without the correct consent in place — a breach of Section 129 occurs.

Where Is Your Candidate Data Actually Going?

We reviewed the published privacy and security policies of widely-used platforms. Here is what they say in their own words.

Workable — data "may be stored by Workable's hosting service provider on servers in the USA." No Southeast Asia option.

BambooHR — hosted in "the United States, Canada, or Ireland." No Asia Pacific option for Malaysian customers.

Greenhouse — entire infrastructure on AWS, all candidate files stored on US servers.

Breezy HR — explicit in its vendor policy: "If you are based in the US or anywhere else in the world, we host your data on AWS' US servers." EU and UK get Frankfurt. Everyone else gets the US.

Zoho Recruit — assigns data centres by IP at signup. No dedicated Southeast Asia region confirmed for this product. Likely routed to US or India. Unclear at best; probably non-compliant.

And it goes beyond storage. When these platforms use AI to screen CVs, they send CV text — including candidate names, IC numbers, and contact details — to external AI APIs hosted in the United States for inference. That is another layer of cross-border PII processing most organisations have no idea is happening.

7 Questions to Ask Your Vendor Right Now

1. Where exactly are your servers located? Push for a specific AWS region code. ap-southeast-1 is Singapore. us-east-1 is Virginia. "The cloud" is not an answer.

2. When a candidate uploads a CV, which country does that file land in first? Upload, storage, and processing can happen in different locations. You need all three.

3. Does your AI screening send CV content to a third-party API? Where is it hosted? Ask whether PII is stripped before transmission and whether the AI provider uses your data for model training.

4. Does your DPA specifically address Malaysia's PDPA Section 129? Most vendor DPAs are written for GDPR. Ask explicitly. The honest answer from most will be no.

5. Can we choose Malaysia or Singapore as our data region? AWS Malaysia Region, Azure Malaysia, and Google Cloud Malaysia are now live. Ask if your vendor supports any of them.

6. If there is a data breach, who notifies affected candidates — you or us? Under the PDPA, your organisation carries the notification obligation. Get your vendor's incident response commitment in writing.

7. What sub-processors access our candidate data, and where are they based? Email, analytics, support tools, and AI features each add sub-processors. Each one is a potential additional cross-border transfer.

What Are Your Options?

Option A — Zero risk tolerance or BNM-regulated

Standard global SaaS cannot meet your requirement. You need platforms hosted on Malaysian sovereign cloud infrastructure — AWS Malaysia, Azure Malaysia, or Google Cloud Malaysia — or purpose-built tools already on Malaysian soil. None of the mainstream global platforms currently offer this.

Option B — Low to medium risk (most Malaysian SMEs and enterprises)

At minimum: add a correct Section 129(3)(a) disclosure to your career page that names the country and vendor before candidates apply; sign a DPA that addresses Malaysian law; and move toward a Malaysia or Singapore-hosted platform where possible.

Option C — Accept the risk

A legitimate decision if made consciously and documented. Have a response ready for when a GLC client, enterprise procurement team, or regulator asks the question — because they increasingly are.

The Enforcement Reality

The 2024 PDPA amendments significantly increased penalties for data breaches. If an overseas server hosting your candidates' CVs is compromised, your organisation faces the fines and reputational fallout in Malaysia — not the vendor. Enterprise procurement teams are beginning to ask "where does our candidate data go?" as a standard due diligence question.

The organisations that address this now will have a clear answer. The ones that wait will be scrambling.

OPAL: Built for Malaysian Data Residency

OPAL, Oxydata's AI-powered recruitment screening platform, was built with this problem in mind. All candidate data is stored on servers in Malaysia. Before AI scoring runs, PII is stripped from CV content — name, IC number, email, phone number — so only anonymised professional content is transmitted externally for inference. The original PII never leaves Malaysian infrastructure.
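As an added illustration of the stripping step described above (this is not OPAL's or Oxydata's code), here is a redaction pass over a constructed Malaysian CV header that replaces the four fields named in the paragraph with typed placeholders and refuses transmission if anything still matches; the regex patterns and the sample text are assumptions. Address and date of birth, also listed as PII earlier on this page, would need their own patterns.

```python
import re
from dataclasses import dataclass, field

# Constructed sample CV text (not real data) in the shape of a Malaysian CV header.
SAMPLE_CV = (
    "Ahmad Bin Abdullah\n"
    "IC: 900101-14-5678  Mobile: +60 12-345 6789  Email: ahmad.abdullah@example.com\n"
    "Address: 12 Jalan Contoh, 47300 Petaling Jaya, Selangor\n"
    "Senior Data Engineer, 2018-2024: built batch pipelines on Spark and Airflow.\n"
)

# Hypothetical patterns. MyKad numbers are YYMMDD-PB-###G, written with or
# without hyphens; Malaysian mobiles start 01x and are often written with +60.
PATTERNS = [
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("IC", re.compile(r"(?<!\d)\d{6}-?\d{2}-?\d{4}(?!\d)")),
    ("PHONE", re.compile(r"(?<!\d)(?:\+?60|0)\s?1\d[-\s]?\d{3,4}[-\s]?\d{4}(?!\d)")),
]


@dataclass
class Redaction:
    text: str
    counts: dict = field(default_factory=dict)


def redact_cv(text: str, candidate_name: str) -> Redaction:
    """Replace PII with typed placeholders so only professional content is left
    for external inference. Returns the redacted text and per-category hit counts."""
    counts = {}
    for label, pattern in PATTERNS:
        text, n = pattern.subn(f"[{label}]", text)
        counts[label] = n
    # Name: the full string first, then each token of 3+ chars as a whole word,
    # so a first name reused later in the CV is caught too.
    name_hits = 0
    text, n = re.subn(re.escape(candidate_name), "[NAME]", text, flags=re.IGNORECASE)
    name_hits += n
    for token in candidate_name.split():
        if len(token) >= 3:
            text, n = re.subn(rf"\b{re.escape(token)}\b", "[NAME]", text, flags=re.IGNORECASE)
            name_hits += n
    counts["NAME"] = name_hits
    return Redaction(text, counts)


def contains_pii(text: str) -> bool:
    """Gate check before any external API call: block the send if a pattern still matches."""
    return any(p.search(text) for _, p in PATTERNS)


if __name__ == "__main__":
    r = redact_cv(SAMPLE_CV, "Ahmad Bin Abdullah")
    print(r.text)
    print(r.counts, "safe to send:", not contains_pii(r.text))
```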

Whether you are an SME hiring ten people a year or an enterprise processing hundreds of applications a month, the compliance story is the same: your candidate data stays in Malaysia.

Request a demo of OPAL

Oxydata Software Sdn Bhd is a Malaysia Digital-certified Microsoft Technology Partner based in Petaling Jaya.

This article is for informational purposes only and does not constitute legal advice. Consult a qualified Malaysian data protection practitioner for guidance specific to your organisation.