Part 2: Automated Decision-Making and Profiling Guideline (“ADMP Guideline”)
Introduction
This article is the second in our three-part series on the guidelines issued by the Malaysia Department of Personal Data Protection (“DPDP”) on 30 April 2026 pursuant to subsection 48(g) of the Personal Data Protection Act 2010 (“PDPA”).
In Part 1, we examined the Data Protection Impact Assessment Guideline (“DPIA Guideline”), which introduced a risk-based framework for identifying, assessing and mitigating personal data protection risks.
In this article, we summarise the key requirements and practical implications of the ADMP Guideline.
What is ADMP Guideline?
The ADMP Guideline provides guidance on the implementation of automated decision-making and profiling in the context of personal data processing. While the PDPA does not currently contain specific provisions on Automated Decision-Making and Profiling (“ADMP”), all processing activities involving ADMP must comply with the PDPA, in particular the Personal Data Protection Principles (“PDP Principles”).
The ADMP Guideline explains that ADMP comprises two related concepts:
- Automated Decision-Making (“ADM”) refers to the process of making decisions without human involvement using wholly or partly automated means. The ADMP Guideline clarifies that a process may still constitute ADM where human involvement is minimal, such as where a person merely inputs data and an automated system subsequently makes the decision.
- Profiling refers to any form of automated processing of personal data used to evaluate, analyse, predict or infer aspects relating to a data subject. This may involve predictive elements, where personal data is used to generate insights relating to a data subject’s characteristics, and/or inference elements, where generalised inferences are drawn about a data subject.
ADMP always triggers a DPIA
The ADMP Guideline expressly identifies ADMP as one of the qualitative factors that triggers the requirement to carry out a DPIA, regardless of the nature or extent of its intended use. Accordingly, before carrying out any planned processing involving ADM or Profiling, the DPO should ensure that a DPIA is carried out in accordance with the DPIA Guideline.
ADMP Threshold
The Guideline may not apply to all ADMP activities. The ADMP threshold is met where the outcome of an ADMP process may:
- result in legal effects concerning the data subject, such as where an automated system terminates a contract or entitlement, or refuses a social benefit provided under the law; or
- significantly affect the data subject’s circumstances, behaviour or choices, have a prolonged or permanent impact, or result in discrimination against the data subject. This may include, for example, outcomes that impair an individual’s access to essential services, employment opportunities, credit eligibility or reputation.
ADMP Involving Sensitive Personal Data
The ADMP Guideline notes that the processing of sensitive personal data, including biometric data, remains subject to Section 40 of the PDPA. In particular, processing may only be undertaken where:
- the data subject has provided explicit consent; or
- the processing falls within one of the circumstances prescribed under Section 40(1)(b), including:
  - compliance with employment law obligations;
  - protection of the data subject’s vital interests;
  - medical purposes carried out by a healthcare professional; or
  - legal proceedings or the obtaining of legal advice.
The ADMP Guideline further recommends that organisations implement appropriate safeguards when processing sensitive personal data, including:
- technical safeguards such as encryption; and
- organisational safeguards such as stricter access controls.
Compliance with PDP Principles and Data Subject Rights
The ADMP Guideline emphasises that the PDP Principles and data subject rights under the PDPA apply equally to ADM and Profiling activities.
Notice and Choice Principle
Where personal data processing involves ADM or Profiling, the data controller shall inform the data subject through a written notice. The ADMP Guideline further provides that, to the extent reasonably practicable, the written notice may explain:
- the types of decisions made through ADM or profiling;
- the reasons for those decisions; and
- the possible consequences arising from those decisions.
The level of information provided need not extend to confidential information, trade secrets, intellectual property, proprietary rights or other similar information. The written notice should also be readily accessible to data subjects and updated as soon as practicable in line with the evolution of ADMP activities.
Withdrawal of Consent
The ADMP Guideline reiterates that data subjects retain the right to withdraw consent to the processing of their personal data, including where such processing involves ADM or Profiling. Upon receiving written notice of such withdrawal, the data controller shall cease the processing of the data subject’s personal data.
Organisations implementing ADMP systems should ensure that accessible, straightforward and user-friendly mechanisms and processes are established to enable data subjects to exercise this right. The right to withdraw consent, together with the available mechanisms and processes for doing so, should also be made known to data subjects.
Use of Artificial Intelligence (AI) in ADMP
The ADMP Guideline clarifies that not all processing of personal data involving ADM or Profiling utilises AI, including Generative AI. The AI-related recommendations under the ADMP Guideline apply only where AI is used for the processing of personal data involving ADMP. In simpler terms, if an organisation uses AI to process personal data for automated decision-making or profiling, these AI-related recommendations apply; if the automated decision-making or profiling does not use AI, they do not.
Where AI is used in connection with ADMP, organisations should consider adopting the following best practices:
- identify the commercial objectives of using AI and assess the associated risks before deployment;
- use AI in a manner that respects the data subject’s dignity, ensures accurate outputs, acknowledges the limitations of AI, considers potential adverse impacts, and restricts the use of AI to its intended purpose;
- inform data subjects of the use of AI in ADMP activities through an appropriate privacy notice, using explanations that are not excessively lengthy or overly technical;
- implement appropriate measures to mitigate the risks of over-dependence on AI systems or services;
- provide appropriate training to relevant personnel to ensure adequate understanding of the operation, limitations and compliance requirements relating to AI;
- ensure that AI is not relied upon as the sole factor when making policies and/or decisions concerning a data subject; and
- designate appropriately trained personnel to review, evaluate and interpret the use of AI in ADMP.
Key Takeaways (ADMP Guideline)
Organisations should consider:
- identifying whether any business processes, systems or technologies involve automated decision-making, profiling or AI-enabled functionalities;
- ensuring that a DPIA is carried out before implementing any planned processing involving ADM or Profiling;
- reviewing personal data protection notices, consent mechanisms and internal processes to ensure compliance with the requirements relating to ADMP activities and data subject rights;
- assessing whether the processing of sensitive personal data, including biometric data, is supported by an appropriate legal basis and adequate safeguards;
- implementing appropriate technical and organisational safeguards, including access controls and staff training; and
- ensuring that AI is not relied upon as the sole factor when making decisions concerning data subjects.
As organisations increasingly adopt AI-driven tools and automated processes, the ADMP Guideline emphasises the need to balance innovation with accountability, transparency and the protection of data subject rights.
This alert is for general information purposes only and does not constitute legal advice. For further information, kindly contact us at general@wenlaw.co.