
New Guidelines on Cross-Border Personal Data Transfer

On 29 April 2025, the Personal Data Protection Commissioner of Malaysia (“PDPC”) issued the Guidelines on Cross-Border Personal Data Transfer (“Guidelines”) to regulate the transfer of personal data out of Malaysia.
This article outlines the key requirements set out in the Guidelines that data controllers must implement to ensure compliance with the Personal Data Protection Act 2010 (“PDPA”).
Transferring personal data outside Malaysia
The Guidelines stipulate that personal data can be transferred outside Malaysia under the following conditions:
- The receiving country has laws which are substantially similar to the PDPA (“Condition 1A”), or ensures an adequate level of protection of personal data processing which is at least equivalent to the level of protection under the PDPA (“Condition 1B”); or
- Any of the exceptions listed under section 129(3) of the PDPA applies (“Condition 2”).
We elaborate on the aspects of these conditions below.
Condition 1A: Receiving country has substantially similar laws to the PDPA
In order to determine whether a cross-border data transfer is caught by Condition 1A, data controllers may conduct a risk assessment of the receiving country’s legal and regulatory framework known as a transfer impact assessment (“TIA”). The Guidelines provide that a TIA should be carried out as follows:
- Identify the countries to which the personal data is to be transferred;
- Assess the personal data protection laws in the receiving country by taking into consideration factors such as whether the law provides similar rights to data subjects, and whether there are similar data protection principles and requirements in place;
- Determine whether a law substantially similar to the PDPA is in force in the receiving country; and
- Ensure that the decision to transfer the personal data complies with the PDPA.
The findings of the TIA are only valid for a period of three years, and a follow-up TIA must be conducted after the period lapses.
Condition 1B: Adequate level of protection
In determining whether the receiving country has an adequate level of protection that is at least equivalent to the protection afforded under the PDPA, data controllers are required to conduct a TIA and take into consideration factors such as whether the receiver has any security related certifications in place, and whether there is a regulatory authority similar to the PDPC in the receiving country.
The findings of the TIA in determining the level of protection in the receiving country are valid for a period of three years, and a follow-up TIA must be conducted after the period lapses.
Condition 2: Exceptions under the PDPA
A data controller may transfer personal data outside Malaysia if the purpose of the transfer falls under one of the exceptions outlined in the PDPA, for example, where the transfer is necessary for the performance of a contract or where the transfer is necessary for the purposes of legal proceedings.
One of the key clarifications provided in the Guidelines relates to the exception under section 129(3)(f) of the PDPA, which provides that personal data can be transferred outside Malaysia if the data controller has exercised all due diligence to ensure that the personal data will not be processed in contravention of the PDPA.
The Guidelines clarify that such due diligence measures would include situations where the data controller has incorporated the following reasonable precautions in any agreement with the receiving party:
- Binding corporate rules, that is, personal data protection policies regulating personal data processing within a group of companies, are in place;
- Contractual clauses are in place that ensure an adequate level of protection of personal data, such as the Association of Southeast Asian Nations Model Contractual Clauses for Cross Border Data Flows or the European Union General Data Protection Regulation Standard Contractual Clauses; or
- Certification has been obtained by the receiving country under an approved certification scheme, verifying that the data controller has adequate policies in place regarding the processing of personal data.
Moving forward
Data controllers should assess all transfers of personal data outside Malaysia to ensure that they are in line with the Guidelines. The method of transferring personal data should be secure so as to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction. Record-keeping is also a crucial component in ensuring that any transfers of personal data outside of Malaysia are in line with the requirements under the PDPA; this includes keeping records of all recipients of the personal data transferred.
Further information
This article has been prepared with the assistance of Associates Siah An Gel and Mohamad Syafiq bin Mohamad Tazri.