This notice provides the key concepts of the full Tenaga Nasional Berhad Personal Data Protection Policy (“Policy”), which is available on our webpage at www.tnb.com.my.
We may collect your personal data such as personal information directly from you, your authorized representatives, third parties or from public resources.
We use your personal data to enable us to provide our services and matters related to it, send information on our services, for the purpose of audit and to comply with the regulatory obligations or industry codes.
We disclose your personal data to third parties located within or outside Malaysia who work on our behalf or help to provide our services.
We may not be able to provide you with our services if the personal data given is incomplete.
You may access and correct your personal data held by us.
Your personal data will be retained to fulfil the purpose for which it is collected or to comply with legislation and internal requirements, during which we will keep it safe.
By submitting your personal data to us, you consent to its use as set out in this Policy.
Contact us at [email protected] or 1-300-88-5454.
For more information, please download our full PDPA Policy here:
TNB’s cybersecurity framework adopts a strict no-ransom policy and implements defense measures through 2025. The initiative includes enhanced business continuity planning and international security standards compliance. Key measures include coordinating with the Energy Commission on cybersecurity guidelines, conducting system-wide risk assessments, and reviewing remote access protocols. Among others, the Risk Management Department oversees updates to cybersecurity risk elements including data privacy and ransomware mitigation strategies, while the Legal Service Department ensures regulatory compliance and assesses TNB's performance against local and global benchmarks including Malaysia's Cyber Security Act 2024. TNB plans to achieve ISO/IEC 27001 certification across its ICT operations and will undergo thorough IT and OT security audits. TNB will also develop detailed contingency plans and crisis communication protocols.
In addition to our 24-hour cyber threat monitoring, the following measures prioritising cybersecurity are undertaken:
A cybersecurity awareness programme is implemented across the Group through multiple learning modalities, including e-learning modules, newsletters, and hybrid engagement sessions. Employees across all organisational levels are equipped with knowledge of cybersecurity risks and mitigation strategies. This educational framework extends beyond internal stakeholders to encompass contractors and vendors, ensuring a uniform approach to cybersecurity awareness across our entire operational ecosystem.
TNB is committed to safeguarding data subjects’ personal data in accordance with the Personal Data Protection Act 2010 (PDPA), Personal Data Protection Code of Practice for The Utilities Sector (Electricity) Version 2.0 and other relevant internal policies, guidelines and circulars for the processing and handling of data subjects’ personal data. Additionally, TNB places a high priority on personal data protection, ensuring that our customers' personal data is managed with the utmost care and in full compliance with the relevant laws and regulations, including having a comprehensive Personal Data Protection (PDP) Policy. The PDP Policy is also applicable to TNB’s subsidiaries.
We facilitate customer data management through Data Access and Correction Request Forms whereby our customers can easily make requests to access or rectify their personal data in the event of any inaccuracies. A structured data retention framework is implemented, aligned with corporate policies and contractual agreements, whereby data is maintained only for the duration necessary to protect stakeholder interests whilst ensuring compliance with legislative requirements.
In addressing the demands of global digital integration, we implement security protocols, including identity verification mechanisms to safeguard customer privacy within TNB's ecosystem. We maintain stringent controls over international data transfers to external entities including our service providers and business partners. These external entities are bound by contractual obligations that mandate equivalent data protection standards and restrict data utilisation exclusively to agreed-upon services.
TNB, via its Cyber Security Operating Model (CSOM), has taken proactive and reactive measures in safeguarding our data from breaches or leakages via robust data governance such as the Enterprise Data Governance (EDG) initiative, emulating best practices through international certifications (ISO27001 and PCI DSS), technology controls and 24x7 strict monitoring by our Security Operation Center (SOC). However, in the event of a data breach or leakage, our incident response plan will ensure that TNB can swiftly contain the incident and protect the affected entities involved.
TNB practices a strict onboarding and offboarding policy for employees and contractors, guided by international cybersecurity standards, i.e. National Institute of Standards and Technology (NIST). We adopt best practices and leverage advanced technology to ensure a secure onboarding and offboarding experience for our employees and contractors.
TNB maintains continuous PDPA compliance through systematic implementation of regular training programmes and awareness sessions across TNB and its subsidiaries. Annual observational audits of personal data protection practices are conducted at designated premises to ensure adherence to the PDPA. Additionally, TNB implements a PDPA e-learning initiative with the identified business units in TNB based on operational needs.
TNB actively engages with the Personal Data Protection Commissioner's Office (PDP Commissioner’s Office) to establish good working relationships, seek guidance and actively participate in discussions. TNB also proactively provides comprehensive feedback on the PDPA amendments and Public Consultation Papers issued by the PDP Commissioner’s Office. This collaborative relationship facilitates informed guidance and strategic direction for personal data protection initiatives.
For any enquiries or concerns regarding the administration of customer personal data related to electricity supply, we encourage our customers to reach out to our dedicated Customer Care team. Additionally, for matters related to TNB's PDP Policy, our designated Data Protection Officer team is readily available to assist with any concerns.