Cross Border Personal Data Transfer Guidelines Launched
29 April 2025
On 29 April 2025, the Department of Personal Data Protection launched the Cross Border Personal Data Transfer Guidelines (“CBPDT Guidelines”), to clarify the requirements for compliance with each condition specified under Section 129 of the Personal Data Protection Act 2010 (“PDPA”) and to assist data controllers in deciding which condition may be referred to for any cross border personal data transfer.
Under the Personal Data Protection (Amendment) Act 2024 ("Amendment Act"), personal data may only be transferred outside of Malaysia if:
- The destination jurisdiction has a law that is substantially similar to the PDPA;
- The destination jurisdiction ensures an adequate level of protection comparable to the PDPA; or
- Any of the exceptions apply e.g. where consent has been obtained, the transfer is necessary for the performance of a contract, and reasonable precautions and due diligence have been undertaken.
The cross-border transfer provisions under the Amendment Act came into effect on 1 April 2025.
Key highlights of the CBPDT Guidelines:
- Clarifies what qualifies as a "substantially similar law" and "adequate level of protection".
- Outlines the required assessments, including Transfer Impact Assessments (TIA) and relevant considerations.
- Provides practical examples of the other applicable exceptions, including:
- What qualifies as "necessary" for contractual performance;
- What amounts to sufficient precautions and due diligence (e.g., Binding Corporate Rules, Contractual Clauses, and Certifications).
Organisations should review their current data transfer mechanisms and documentation to ensure compliance moving forward.
This article/alert contains general information only. It does not constitute legal advice nor an expression of legal opinion and should not be relied upon as such. For further information, kindly contact skrine@skrine.com.