Accessibility & Settings


Search For:

Generic selectors
Exact matches only
Search in title
Search in content
Post Type Selectors

Data Protection Policy

1.         General Principles

1.1. MYNIC values trust and committed in protecting all personal data belonging to the data subject. As issues of privacy continues to be a subject of great scrutiny in today's increasingly connected world and to ensure the confidence of the data subject in supplying personal data to MYNIC while using our products and/or services, this Policy will outline the best practices concerning how personal data will be administered by MYNIC in line with the Malaysian laws and regulations.

1.2. For avoidance of doubt, in the event of conflict of laws, the PDPA shall prevail and be applicable. As and when required, the Policy shall be updated accordingly to reflect any changes in either internal or external circumstances to avoid conflicts or inconsistencies.

1.3. The Policy shall be reviewed in its entirety annually or when required to ensure its contents' continued relevance and appropriateness.

1.4. The Policy is confidential and contains proprietary information and is the intellectual property of MYNIC. An unauthorized third party shall not disclose any information contained hereinunder any circumstances without the express written permission of MYNIC

2.         The Personal Data Protection Principle

2.1. The PDPA asserts seven (7) Personal Data Protection Principles to be complied with when processing personal data, namely:

2.1.1. General Principle – This principle prohibits the data user/data controller from processing a data subject’s personal data without his or her consent unless such processing is necessary. Processing of sensitive personal data, such as data on physical or mental health conditions, political opinions, religious beliefs or other similar beliefs, requires explicit consent of the data subject;

2.1.2. Notice and Choice Principle - The data user/data controller is compelled to inform the data subject by written notice as to the type, purpose, extent, accuracy and consequences of the personal data being processed;

2.1.3. Disclosure Principle - This principle prohibits the disclosure of personal data without the consent of the data subject except for some limited circumstances, such as instances where the disclosure is authorized by an Order of a Court or request by law enforcement authorities;

2.1.4. Security Principle - The PDPA imposes obligations on the data user/data controller to take reasonable steps to protect the personal data being processed from any loss, misuse, unauthorized or accidental access or disclosure, alteration, or destruction;

2.1.5. Retention Principle - The data users/data controllers are to ensure that the personal data is not to be retained longer than is necessary for the fulfilment of the purpose for which it is collected and processed;

2.1.6. Data Integrity Principle - The data user/data controller has an obligation to take reasonable steps to ensure that the data kept is accurate, complete, not misleading and up-to-date, having regard to the purpose of which the data was collected and processed; and

2.1.7. Access Principle - The PDPA gives the data subject the right to access his/her own personal data and to correct the personal data, which is inaccurate, incomplete, misleading or outdated, save and except under certain circumstances stipulated in section 32 PDPA.

2.2. Types of Personal Data – MYNIC and/or Registrar may collect, use, store and transfer different kinds of personal data about the Registrant, details of which have been grouped as follows:

2.2.1. Identity Data includes first name, maiden name, last name, username or similar identifier, identification supporting documents (including national registration or passport number), marital status, title, job title, company name, date of birth, and gender.

2.2.2. Contact Data includes billing address, delivery address, email address, and telephone numbers.

2.2.3. Financial Data includes bank account and payment card details (if any).

2.2.4. Transaction Data includes details about payments to and from the Registrant and other details of products and services purchased by the Registrant from MYNIC.

2.2.5. Technical Data includes internet protocol (“IP”) address, cookies, java script, web beacons, clear gifs, HTTP headers, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system, and platform.

2.2.6. Profile Data includes usernames and passwords, purchases or orders made, Registrant’s interests, preferences, feedback, survey responses, and any unsolicited personal data not otherwise covered by this Policy that the Registrant choose to submit in an inquiry or webchat, on a blog forum or in-person to a MYNIC representative at an event.

2.2.7. Usage Data includes information about how the Registrant uses the website (for example time of day, duration of visit, pages visited, actions taken on pages, or other automatically collected meta-data), and/or our products and services.

2.2.8. Marketing and Communications Data includes the Registrant’s communication preferences in receiving marketing materials from MYNIC and third parties.

2.2.9. Sensitive Personal Data includes any personal data consisting of information as to the physical or mental health or condition of a Registrant, political opinions, religious beliefs, or other beliefs of a similar nature.

2.3. Collection of Personal Data – MYNIC and/or Registrar may collect personal data directly from Registrants authorised representatives, or publicly available sources in the following manners:

2.3.1. When the Registrant communicates with MYNIC (for example when a contact form is submitted on our website, or when the Registrant contact MYNIC for any inquiries by phone, LiveChat, or ticketing system);

2.3.2. When the Registrant subscribes to a specific product and/or service from MYNIC;

2.3.3. When the Registrant registers an account with MYNIC via online or offline;

2.3.4. When the Registrant participate in any of surveys, competitions, contests, or loyalty programs run or organized by MYNIC;

2.3.5. When the Registrar commence a business relationship with MYNIC (for example, as a service provider/business partner);

2.3.6. When the Registrant lodge a complaint or provide feedback to MYNIC;

2.3.7. When the Registrant visit or browse MYNIC’s websites;

2.3.8. When one interacts with MYNIC via social media or interactive applications including but not limited to Facebook, Twitter, and Instagram; or

2.3.9. Any other method of communication on any channel between MYNIC and/or Registrar.

2.4. Use & Processing of Personal Data – MYNIC and/or Registrar will process the Registrant’s personal data only for fair, lawful, and legitimate reasons, including but not limited to the following purposes:

2.4.1. Administering .MY domain name registration and maintenance of Registrant’s accounts;

2.4.2. Operation of .MY domain name registry;

2.4.3. To improve our Platforms' performance, content, and services;

2.4.4. To perform information analysis, compliance audits, data metrics, develop new services, and protect the Platforms and integrity of any of our services or programs;

2.4.5. To respond to any questions, comments, inquiries, feedback, including those concerning our services or programs provided by registry operators as well as Registrars;

2.4.6. To administer participation or registration in any of our services, marketing activities, programs, meetings, and platforms, including sending electronic communications related to such participation or registration;

2.4.7. To provide updates, news and other information regarding our programs, events, advertisements and service delivery;

2.4.8. To process any financial transactions;

2.4.9. To perform relevant contractual obligations with other third parties;

2.4.10. To comply with applicable laws, rules, regulations, court orders, and law enforcement requests; and

2.4.11. To market new services, provide information on services and promotions.

2.5. Disclosure of Personal Data – By submitting the registration of .MY domain name, the Registrant consents MYNIC to disclose their personal data to the following stakeholders to serve its purpose:

2.5.1. Business partners – MYNIC may provide personal data to a MYNIC business partner, such as Registrar of domain names, to facilitate or perform services on our behalf. The business partners have a contractual binding agreement with MYNIC to ensure continued privacy and security of the Registrant’s personal data information at all material times.

2.5.2. Service providers – MYNIC partner’s with, and are supported by, service providers around the world. Personal data will be made available to these parties when necessary to fulfill the service request such as dispute resolution services, software system and platform support, direct marketing services; cloud hosting services, advertising services, data analytics as well as other services from time to time.

2.5.3. Legal authorities – MYNIC may provide personal data to such third parties, government authorities and agencies (upon request) for the following purposes: to comply with applicable laws, regulations, legal processes, or enforceable governmental requests; if permitted or required by law or in response to law enforcement or other legal request; to protect MYNIC’s or a third party's legal rights; to comply with any Court Order or legal proceeding; to comply with MYNIC’s accountability and transparency principles and disclosure policies; to detect, prevent or otherwise address fraud or other criminal activity or errors, security, or technical issues; or to protect against imminent harm to MYNIC’s rights, property, or the safety of our users or the public as required or permitted by law.

2.5.4. WHOIS Display - The public WHOIS service is a standard feature of domain name systems with the purpose of allowing users to obtain information about the existence and status of the .MY domain name. MYNIC shall disclose and make the following information available in the WHOIS searchable database in line with the laws and regulations:

Domain Name;

Registrar Name & URL

Registered date, expiry date and last update;

Technical details (DNSSEC status, Name Server, IP address glue record) MYNIC do not guarantee the accuracy or availability of the WHOIS records and will not be liable for any damages or loss of any kind arising out of or in connection with the records, omissions, or errors in the WHOIS; MYNIC reserves its rights to change the WHOIS records, or withdraw the service, at any time.

2.6. Processing of Personal Data Information

2.6.1. It is obligatory for the Registrant to provide their personal data information to enable MYNIC and/or Registrar to collect and process the application, to provide customer and technical support, to perform a contractual agreement, and to communicate about the Registrants account on the .MY domain names.

2.6.2. In the event consent is withdrawn by the Registrant to collect or process their personal data, MYNIC and/or Registrar will not be able to access the application and to administer the products/services that have been signed up by the Registrant.

2.7. Security and Retention of Personal Data

2.7.1. MYNIC implements security measures to protect Registrant’s personal data against unauthorized access, misuse, disclosure, copying, use, alteration, accidental loss or theft, destruction, or damage. Such security measures include technical protection of MYNIC's system, training of MYNIC personnel’s, and the implementation of Management policies under ISO standards.

2.7.2. MYNIC's compliance to PDPA and its subsidiary legislation as well ISO 27001 and ISO 27701 forms the foundation for our activities to secure systems and services and protect our customers’ personal data.

2.7.3. MYNIC and/or Registrar will only retain the Registrants personal data electronically and non-electronically as long as needed for the purposes for which it is gathered and processed.

2.7.4. The Registrant’s personal data will be collected and retained for a period of seven (7) years upon the non-renewal of the .MY domain name in line with the statutory requirements under the Companies Act 2016 and Income Tax 1967, after which the personal data will be destroyed or permanently deleted in accordance with the retention principle under the General Code of Practice of Personal Data Protection.

2.8.    Registrant’s Obligation and Rights on Personal Data

2.8.1. The Registrant is responsible for providing accurate, complete, and not misleading information to MYNIC and/or Registrar and ensure their personal data is kept up to date by having regard to the purpose for which the data is collected and processed.

2.8.2. The Registrant may request MYNIC and/or Registrar in writing to access their personal data that is being processed and a copy thereof. The request shall be complied with no later than twenty-one (21) days from the date of receipt of the data access request. In the event of unable to comply, MYNIC and/or Registrar shall inform the Registrant in writing the reason for unable to comply.

2.8.3. The Registrant may also make a data correction request to MYNIC and/or Registrar in writing to correct their personal data if it is inaccurate, incomplete, misleading, or not up to date. This request shall be processed by MYNIC and/or Registrar within twenty-one (21) days upon receipt of the request. However, MYNIC and/or Registrar may refuse to comply with the Registrant request in the event insufficient information is provided or not up to the satisfaction of MYNIC and/or Registrar.

2.8.4. The Registrant may request MYNIC and/or Registrar in writing to cease or not to process their personal data (opt-out) for purposes of direct marketing by sending an email to

2.9.    Protection of Minors

2.9.1. Children (users under the age of 18 years) are not eligible to use MYNIC's services. Children are not encouraged to submit any personal data to MYNIC. Should the Registrant believe their child, or anyone has provided us with the personal data information, kindly notify MYNIC via email at

2.9.2. MYNIC and/or Registrar shall take reasonable steps to delete the information as soon as possible, except where MYNIC is required to keep the personal data information based on applicable laws and regulations or by legal authorities.

2.10.  International Transfers

The Registrant’s personal data may be transferred and processed in countries where MYNIC’s Registrar or third-party service providers are located provided always:

2.10.1. The Registrant’s consent has been obtained;

2.10.2. The transfer is necessary for the performance of a contract between the Registrant and MYNIC and/or Registrar;

2.10.3. MYNIC and/or Registrar has taken all reasonable steps and exercised all due diligence to ensure the personal data will not be processed in a manner that would contravene PDPA;

2.10.4. The transfer is necessary for the purpose of legal proceedings or to obtain legal advice; and

2.10.5. The transfer is necessary to protect the individual’s vital interest and for public interest.

2.11   Breach of Personal Data Protection Principles

Upon conviction, any breach of the seven (7) Personal Data Protection Principles is punishable by a fine not exceeding Ringgit Malaysia Three Hundred Thousand (RM300,000) and imprisonment up to a term not exceeding two (2) years.

2.12.     Notification of Breach of Personal Data Information

MYNIC and/or Registrar shall act as soon as it is aware of a data breach. This includes notifying the relevant law enforcement agencies including but not limited to the Personal Data Protection Commissioner.


Modification may be necessary, among other reasons, to maintain compliance with laws and regulations or accommodate organizational changes within MYNIC. As such, MYNIC review this Policy in its entirety annually or when required to ensure continued relevance and appropriateness of its contents.