Malaysian Guidelines on Cross-Border Data Transfers


On 29 April 2025, the Personal Data Protection Commissioner of Malaysia issued the Guidelines on Cross Border Personal Data Transfer (“Guidelines”), providing comprehensive guidance on the transfer of personal data out of Malaysia. These Guidelines are intended to clarify the requirements under the amended Section 129 of the Personal Data Protection Act 2010 (“PDPA”) and to assist data controllers in ensuring compliance when engaging in cross border personal data transfers. The Guidelines should be read in conjunction with the PDPA and any other relevant legislative instruments.

Scope and Legal Provisions

Section 129 of the PDPA regulates the transfer of personal data out of Malaysia. The Guidelines, issued pursuant to subsection 48(g) of the PDPA, set out the conditions and mechanisms by which such transfers may be lawfully conducted. The Guidelines apply to all data controllers in Malaysia who intend to transfer personal data to recipients outside Malaysia.

Key amendments made to section 129 of the PDPA include:

  • Removal of the Whitelist Regime: Section 129 previously provided for a whitelist whereby a data user (now known as a “data controller”) could transfer personal data out of Malaysia if the destination was a place specified by the Minister. Now, the PDPA allows cross-border data transfers if one of the prescribed conditions is met.
  • Removal of the public interest condition: Under the new Section 129, there is no longer a condition permitting cross-border data transfers where the transfer is necessary in the public interest in circumstances determined by the Minister.

Key Conditions for Cross-Border Personal Data Transfer

A data controller may transfer personal data outside Malaysia if one of the following conditions is met:

  • Substantially Similar Law: The destination country has in force a law that is substantially similar to the PDPA. Data controllers may conduct a Transfer Impact Assessment (“TIA”) to satisfy this condition.
  • Adequate Level of Protection: The destination country provides an adequate level of protection equivalent to the PDPA. Data controllers may conduct a TIA to satisfy this condition.
  • Data Subject Consent: The data subject has given explicit consent to the transfer, after being provided with a personal data protection notice detailing the class of third parties and the purpose of the transfer. Consent must be recorded and maintained.
  • Contractual Necessity: The transfer is necessary for the performance of a contract between the data subject and the data controller, or for the conclusion or performance of a contract between the data controller and a third party at the request or in the interests of the data subject. The transfer must be for the fulfilment of a specified purpose and there must be no feasible alternative means to fulfil this specified purpose.
  • Legal Proceedings: The transfer is required for legal proceedings, obtaining legal advice, or establishing, exercising, or defending legal rights.
  • Reasonable Grounds: The data controller has reasonable grounds to believe the transfer is necessary to avoid or mitigate adverse action against the data subject, it is not practicable to obtain consent for the transfer, and the data subject would have given consent if practicable.
  • Reasonable Precautions and Due Diligence: The data controller has taken all reasonable precautions and exercised due diligence to ensure the personal data will not be processed in a manner contrary to the PDPA. Mechanisms that can demonstrate that reasonable precautions and due diligence have been undertaken may include Binding Corporate Rules (“BCRs”), Contractual Clauses (which include the ASEAN Model Contractual Clauses for Cross Border Data Flows and/or the EU GDPR Standard Contractual Clauses for the Transfer of Personal Data to Third Countries), or recognised certifications under an approved certification scheme (such as Europrivacy, the APEC Cross Border Privacy Rules System Certification or the APEC Privacy Recognition for Processors Certification).
  • Vital Interests: The transfer is necessary to protect the vital interests of the data subject, such as in medical emergencies.

Responsibilities of Data Controllers

Data controllers remain responsible for the security of personal data during cross-border transfers. They must:

  • Take practical steps to protect personal data from loss, misuse, unauthorised access, disclosure, alteration, or destruction.
  • Ensure that contracts with third parties or data processors include clauses on the security and processing of personal data.
  • Maintain records of all cross-border transfers, including details of the receiver, country, type of data, purpose of transfer, and evidence of compliance with Section 129 of the PDPA.

Dealing with third parties/data processors

When data controllers enter into contracts with third parties/data processors, these contracts should contain clauses governing the security and processing of personal data. Data controllers should ensure that the data processor(s) they deal with comply with Section 9 of the PDPA, subsidiary legislation, and any other applicable data protection standards and guidelines.

Record Keeping

Data controllers must keep and maintain records of:

  • The receiver’s details (name, registration number, contact details of the receiver’s Data Protection Officer or such other person).
  • The country that the personal data is being transferred to.
  • The type of personal data transferred.
  • The purposes of the transfer.
  • Such other information as the data controller deems necessary.
  • Evidence of compliance with the relevant condition under Section 129 (e.g., TIA reports, consent records, contracts, BCRs, certificates).

Records must be retained in accordance with the Retention Principle under the PDPA and any applicable subsidiary legislation.


The information provided above does not, and is not intended to, constitute legal advice pertaining to the Malaysian data protection regime under the PDPA and its subsidiary legislation; the information, content, and materials set out above are based on our reading of the amendments and are for general informational purposes only.