1. General Provisions
This Privacy Policy governs the collection, processing, storage and protection of personal data of users of the LexNoctis Legal website, available at lexnoctis.europe.com (the "Website"), and clients of LexNoctis Legal (the "Firm").
The Firm operates in accordance with the Personal Data Protection Act 2010 (PDPA) of Malaysia, the Personal Data Protection Regulations 2013, the Personal Data Protection Standard 2015, and all other applicable data protection and privacy legislation in force in Malaysia.
By using the Website or engaging the Firm's services, you confirm that you have read this Policy and consent to the processing of your personal data as described herein. This notice is issued pursuant to Section 7 of the PDPA 2010.
2. Data User (Controller)
The data user responsible for processing your personal data is:
- Name: LexNoctis Legal
- Registered address: Level 28, Integra Tower, The Intermark, 182 Jalan Tun Razak, 50400 Kuala Lumpur, Malaysia
- Email: lexnoctis@europe.com
- Phone: +60 3-2181 4790
- Regulator: The Firm is registered with the Malaysian Bar; data protection matters are overseen by the Department of Personal Data Protection (JPDP), Ministry of Digital, Malaysia
- PDPA Registration: Registered under the PDPA 2010, Registration No. PDP-MY-2012-0847
3. What Data We Collect
Depending on the nature of your interaction with the Firm, we may collect the following categories of personal data:
Data you provide directly:
- Full name
- Email address
- Phone number
- Company name and registration details (for corporate clients)
- MyKad / passport number and nationality (where required for legal services)
- Content of messages, enquiries and situation descriptions submitted via the contact form
- Documents and materials provided in connection with legal services
- Payment information (upon entering into a service agreement)
Data collected automatically when you visit the Website:
- IP address and approximate geographic location
- Browser type and version, operating system
- Date, time and duration of your visit
- Pages viewed and navigation path
- Referring URL (source of your visit)
- Cookie data (see our Cookie Policy for full details)
- On-site interaction data (clicks, scroll depth, form engagement)
Sensitive personal data:
- Under the PDPA 2010, sensitive personal data includes health information, political opinions, religious beliefs, criminal records and biometric data
- We do not intentionally collect sensitive personal data unless it is strictly required for the delivery of specific legal services and only with your explicit written consent
- Where the nature of your legal matter involves sensitive personal data, it will be processed solely for the purpose of providing legal advice and representation, and handled with the highest level of confidentiality
4. Purposes of Processing
We process your personal data for the following purposes, in accordance with the PDPA 2010:
- Provision of legal services: processing enquiries, delivering legal advice and representation, preparing legal documents, invoicing and client file management
- Communication: responding to your enquiries, scheduling consultations, providing updates on your matter
- Marketing (with consent): sending legal newsletters, regulatory updates and event invitations where you have opted in
- Website operation and security: ensuring the Website functions correctly, preventing fraud and unauthorised access, analysing traffic to improve user experience
- Legal and regulatory compliance: fulfilling obligations under the Legal Profession Act 1976, the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA), the Income Tax Act 1967, and other applicable Malaysian legislation
- Legal professional privilege: data processed in connection with legal representation is protected by solicitor–client privilege and advocate–client confidentiality under Malaysian law
5. Disclosure of Personal Data
We do not sell your personal data. Disclosure is permitted only in the following circumstances:
- Sub-processors and service providers: third-party technical providers (hosting, email, CRM) operating under written data processing agreements and bound by confidentiality obligations consistent with the PDPA 2010
- Co-counsel and partner firms: where specialist counsel or partner law firms are engaged — only with your prior consent and under a confidentiality agreement
- Public authorities: courts, the Malaysian Bar, Bank Negara Malaysia, the Inland Revenue Board (LHDN), the Malaysian Anti-Corruption Commission (MACC) and other regulators — exclusively where required by law, court order or statutory obligation
- International transfers: where personal data is transferred outside Malaysia, the Firm ensures adequate protection through contractual safeguards consistent with Section 129 of the PDPA 2010 and the whitelist of countries approved by the Minister
- Professional indemnity insurers: in the event of a professional liability claim, limited data may be disclosed to our insurers on a strictly confidential basis
6. Retention Periods
- Contact form data (where no engagement follows): retained for 6 months from the date of last contact, then permanently deleted
- Client files and legal documentation: retained for 7 years from the conclusion of the matter, in accordance with Malaysian Bar guidelines and the Limitation Act 1953
- Accounting records and invoices: retained for 7 years in accordance with the Income Tax Act 1967 and Companies Act 2016
- Analytics cookie data: no longer than 13 months, after which data is aggregated or deleted
- Security logs: 90 days, unless longer retention is required for an ongoing incident investigation
- Marketing consents: until consent is withdrawn, plus 3 years to evidence the existence of the consent
- AML / KYC records: 6 years from the end of the business relationship, as required by the AMLA 2001
7. Your Rights as a Data Subject
Under the Personal Data Protection Act 2010, you have the following rights in relation to your personal data:
- Right of access (Section 30 PDPA): request a copy of the personal data we hold about you and information on how it is being processed
- Right to correction (Section 34 PDPA): require correction of personal data that is inaccurate, incomplete, misleading or not up to date
- Right to withdraw consent (Section 38 PDPA): withdraw consent to the processing of your personal data at any time, subject to legal and contractual restrictions
- Right to prevent processing for direct marketing (Section 43 PDPA): opt out of direct marketing communications at any time
- Right to prevent processing likely to cause damage or distress: object to processing that is causing or is likely to cause unwarranted damage or distress
- Right to lodge a complaint: with the Department of Personal Data Protection (JPDP) at pdp.gov.my or by calling 03-8911 5000
To exercise any of the above rights, send a written request to lexnoctis@europe.com marked "PDPA Data Request". We will acknowledge your request within 7 business days and respond fully within 21 days as required by the PDPA 2010.
8. Data Security
We apply the following technical and organisational measures to protect your personal data, consistent with the Personal Data Protection Standard 2015:
- TLS 1.3 encryption for all data transmitted via the Website
- AES-256 encryption for stored confidential client data
- Multi-factor authentication (MFA) for all staff with access to client data
- Regular security audits and vulnerability assessments
- Access controls based on the principle of least privilege
- Mandatory data protection training for all staff upon onboarding and annually thereafter
- Incident response procedure: notification to affected data subjects and the JPDP where required by law
- Physical office security: access control, CCTV, secure document destruction
- Data loss prevention (DLP) controls on all devices used to process client data
9. Cookies
The Website uses cookies and similar tracking technologies. Full details of the types of cookies used, their purposes and how to manage them are set out in our separate Cookie Policy.
- Strictly necessary cookies ensure the basic functionality of the Website and are always active
- Analytics cookies are only placed with your consent via the cookie banner
- You can change your cookie preferences at any time by clearing site data in your browser or contacting us
10. Children's Data
- The Website and the Firm's legal services are intended solely for individuals aged 18 and over
- We do not knowingly collect personal data from individuals under 18 without verifiable parental or guardian consent
- If you believe a minor has submitted their data to us without appropriate consent, please notify us immediately at lexnoctis@europe.com
- We will delete such data within 72 hours of receiving notification
11. Third-Party Links
- The Website does not currently contain links to third-party websites outside the Firm's control
- Should such links be added in future, this Policy will not apply to those external sites
- We accept no responsibility for the personal data protection practices of third-party websites
12. Changes to This Privacy Policy
- We may update this Policy from time to time to reflect changes in law or the Firm's practices
- The current version is always available on the Website at lexnoctis.europe.com/privacy.html
- For material changes affecting your rights, we will notify existing clients by email and display a prominent notice on the Website
- The date of the most recent update is shown at the top of this page
- Continued use of the Website after publication of changes constitutes acceptance of the updated Policy
13. Contact Information
For all personal data protection enquiries, please contact us at:
- Email: lexnoctis@europe.com
- Phone: +60 3-2181 4790
- Postal address: LexNoctis Legal, Level 28, Integra Tower, 182 Jalan Tun Razak, 50400 Kuala Lumpur, Malaysia
- Office hours: Monday–Friday, 09:00–18:00 (MYT, UTC+8)
If you are not satisfied with our response or believe your rights under the PDPA 2010 have been infringed, you may lodge a complaint with the Department of Personal Data Protection (JPDP): pdp.gov.my · +60 3-8911 5000.