Introduction
Section 129 of the Personal Data Protection Act 2010 [Act 709] (“PDPA”) (as amended by the Personal Data Protection (Amendment) Act 2024) provides the grounds on which a data controller may transfer personal data to a place outside Malaysia.
Pursuant to Section 48(g) of the PDPA, the Personal Data Protection Commissioner (“Commissioner”) issued, on 29 April 2025, the Cross Border Personal Data Transfer (CBPDT) Guideline (“CBPDT Guideline”):
- to clarify the requirements to be complied with for each of the grounds specified under Section 129 of the PDPA; and
- to assist the data controller in determining the applicable grounds that can be relied upon by the data controller for the cross border personal data transfer.
This article is written to highlight the grounds for the cross border personal data transfer (under Section 129 of the PDPA) as explained by the CBPDT Guideline.
Grounds for the Cross Border Personal Data Transfer As Explained By the CBPDT Guideline
A data controller may only transfer personal data to a place outside Malaysia if one of the following grounds listed under Section 129 of the PDPA is fulfilled. The explanation given for each ground under the CBPDT Guideline is set out below.

1. The country of the receiver[1] has a substantially similar law with the PDPA[2]

   Data controller may transfer any personal data to a place outside Malaysia if the receiving country has a substantially similar law with the PDPA[3]. In determining the above, data controller may conduct a Transfer Impact Assessment (“TIA”)[4] in accordance with the following steps[5]:
   - data controller must identify the receiving country;
   - thereafter, data controller must assess the personal data protection laws available in the receiving country. In doing so, data controller is required, at a minimum, to take into consideration the factors mentioned in Paragraph 5.4 of the CBPDT Guideline;
   - based on the aforesaid assessment, data controller must determine whether such laws are substantially similar to the PDPA; and
   - if the answer to the above is affirmative, data controller must ensure that the decision to transfer the personal data complies with the PDPA.

   A TIA finding is only valid for a period of three (3) years, and a follow-up TIA in accordance with the above-mentioned steps needs to be conducted upon the expiry of such 3-year period[6]. If there is any change in the personal data protection laws of the receiving country during the TIA validity period, data controller must review such changes to determine whether such laws are still substantially similar to the PDPA[7].

2. The country of the receiver has an adequate level of protection[8]

   Data controller may transfer any personal data to a place outside Malaysia if the level of personal data protection accorded by the receiving country is equivalent to the PDPA. In determining the above, data controller may conduct a TIA in accordance with the following steps[9]:
   - data controller must identify the receiving country;
   - thereafter, data controller must assess the mechanism to protect the personal data in the receiving country. In doing so, data controller is required to take into consideration the factors mentioned in Paragraph 6.3 of the CBPDT Guideline;
   - based on the aforesaid assessment, data controller must determine:
     - whether there is an adequate level of personal data protection measures in place in the receiving country; and
     - whether further measures are required to ensure there is adequate personal data protection in the receiving country; and
   - if it is determined that an adequate level of personal data protection measures is in place in the receiving country, data controller must ensure that the decision to transfer the personal data complies with the PDPA.

   Similar to Paragraph 1 above, a TIA finding is only valid for a period of three (3) years, and a follow-up TIA in accordance with the above-mentioned steps needs to be conducted upon the expiry of such 3-year period[10]. If there is any significant change in the systems or policies in the receiving country that relate to the security and protection of personal data during the TIA validity period, data controller must review such changes to determine whether the personal data is still provided with adequate protection as per the PDPA[11].

3. The data subject has given his consent for the transfer of his personal data[12]

   Data controller may transfer any personal data to a place outside Malaysia if the data subject has given his consent for such transfer. However, prior to the transfer, data controller is required to provide the data subject with a notice specifying[13]:
   - the third party to whom the personal data will be transferred; and
   - the purpose of such transfer.

   Upon giving the aforesaid notice, the consent for such transfer must be obtained by the data controller from the data subject, and such consent must be recorded and maintained according to the Personal Data Protection Regulations[14].

4. The transfer is necessary for the performance of a contract between data controller and data subject[15]

   Data controller may transfer any personal data to a place outside Malaysia if there is a contract between data controller and data subject and:
   - (a) such transfer is necessary for the performance of data controller’s obligation under such contract; and
   - (b) such obligation is the core purpose of the contract[16].

   The term “necessary” used under (a) above does not imply that the cross border personal data transfer is “absolutely essential”, but such transfer must fulfill all the following conditions[17] (“Transfer Conditions”):
   - such transfer is not just a practice or carried out on a regular basis;
   - such transfer is made to achieve a specific purpose only and not for a general purpose; and
   - such specific purpose cannot be reasonably achieved by data controller through any other alternative means which can be feasibly carried out.

   The phrase “core purpose of the contract” used under (b) above means that such transfer must be directly related to and for the purposes of performing the obligations of the data controller as mentioned under the contract[18].

5. The transfer is necessary for the conclusion or performance of a contract between data controller and third party[19]

   Data controller may transfer any personal data to a place outside Malaysia if there is a contract between data controller and a third party and:
   - (a) such transfer is necessary (i.e. fulfills all the Transfer Conditions) for the conclusion or performance of such contract; and
   - (b) such contract was executed:
     - at data subject’s request made in writing or via other means[20]; or
     - in data subject’s interest[21].

6. The transfer is for the purpose of legal interest[22]

   Data controller may transfer any personal data to a place outside Malaysia if such transfer is for the purpose of:
   - legal proceedings, which include the following:
     - claims brought before a court or tribunal;
     - administrative or regulatory procedure; or
     - out-of-court procedure such as mediation or arbitration;
   - obtaining legal advice; or
   - establishing, exercising and defending legal rights.

   However, except in the circumstances provided in Paragraphs 10.3.1 to 10.3.3 of the CBPDT Guideline, data controller may not rely on this ground if there is only a possibility that such proceedings may be brought in the future.

7. The transfer by the data controller is based on reasonable grounds[23]

   Data controller may transfer any personal data to a place outside Malaysia if it has reasonable grounds to believe that:
   - such transfer is to avoid or reduce adverse action against the data subject;
   - obtaining written consent from the data subject is impractical; and
   - the data subject would have consented to such transfer if it was practical to obtain such consent[24].

   Data controller may rely on this ground only if it is not possible to obtain the data subject’s consent, for example, if the data subject is unconscious[25].

8. The transfer is upon meeting reasonable precautions and the exercise of due diligence[26]

   Data controller may transfer any personal data to a place outside Malaysia if all reasonable precautions and due diligence have been undertaken by the data controller to ensure that the personal data will not (in that place) be processed in any way that would contravene the PDPA. Data controller may rely on this ground if it can show the fulfilment of any of the following three mechanisms:
   - Binding Corporate Rules – data controller has personal data protection policies (which comply with the requirements specified in Paragraph 12.4 of the CBPDT Guideline) that bind its corporate group;
   - Contractual Clauses – there is a set of clauses (which comply with Paragraph 12.7 of the CBPDT Guideline) inserted in a contract entered into between data controller and the receiver to ensure an adequate level of protection in relation to the processing of personal data; or
   - Certification under an approved certification scheme – the receiver of the personal data possesses a certificate verifying that its level of personal data protection is adequate and in compliance with the personal data protection laws.

9. The transfer is necessary to protect the vital interests of the data subject[27]

   Data controller may transfer any personal data to a place outside Malaysia if such transfer is necessary (i.e. fulfills all the Transfer Conditions) to protect the vital interests of the data subject[28]. Data controller may rely on this ground if the risks to the data subject’s vital interests outweigh any personal data protection concerns[29].
Conclusion
The CBPDT Guideline issued by the Commissioner serves as a valuable reference that clarifies the compliance requirements for each ground for cross border personal data transfer under Section 129 of the PDPA and guides data controllers in determining the applicable ground for the cross border personal data transfer they intend to make. All data controllers are advised to carefully read and understand the CBPDT Guideline to ensure their full compliance with the provisions relating to cross border personal data transfer under Section 129 of the PDPA.
For further information, please contact:
Khairul Fazli Abdul Kadir, Partner, Azmi & Associates
khairul.fazli@azmilaw.com
Notes
1. Paragraph 3.2 of the CBPDT Guideline defines the term “receiver” as “data controller and/or data processor who receives personal data of subject data outside of Malaysia”.
2. Section 129(2)(a) of the PDPA.
3. According to Paragraph 5.2 of the CBPDT Guideline, “A law is substantially similar to the PDPA if the content of the law such as protection, rights and requirements related to processing including collection, disclosure, retention and cross border personal data transfer are similar to those provided under the PDPA”.
4. Paragraph 3.2 of the CBPDT Guideline defines the term “Transfer Impact Assessment” as “a risk assessment conducted to evaluate the legal and regulatory framework where personal data is being transferred to ensure that receiving country/ jurisdiction provides a law substantially similar to Act 709 or adequate level of protection in relation to the processing of personal data”.
5. Paragraph 5.3 of the CBPDT Guideline.
6. Paragraph 5.6 of the CBPDT Guideline.
7. Paragraph 5.7 of the CBPDT Guideline.
8. Section 129(2)(b) of the PDPA.
9. Paragraph 6.2 of the CBPDT Guideline.
10. Paragraph 6.5 of the CBPDT Guideline.
11. Paragraph 6.6 of the CBPDT Guideline.
12. Section 129(3)(a) of the PDPA.
13. Paragraph 7.2 of the CBPDT Guideline.
14. Paragraph 7.3 of the CBPDT Guideline.
15. Section 129(3)(b) of the PDPA.
16. Paragraph 8.1 of the CBPDT Guideline.
17. Paragraph 8.3 of the CBPDT Guideline.
18. Paragraph 8.5 of the CBPDT Guideline.
19. Section 129(3)(c) of the PDPA.
20. Paragraph 9.2 of the CBPDT Guideline.
21. As explained under Paragraph 9.3 of the CBPDT Guideline.
22. Section 129(3)(d) of the PDPA.
23. Section 129(3)(e) of the PDPA.
24. Paragraph 11.1 of the CBPDT Guideline.
25. Paragraph 11.2 of the CBPDT Guideline.
26. Section 129(3)(f) of the PDPA.
27. Section 129(3)(g) of the PDPA.
28. Paragraph 13.1 of the CBPDT Guideline.
29. Paragraph 13.2 of the CBPDT Guideline.