As stated in our previous Alert, the Department of Personal Data Protection officially launched the Cross Border Personal Data Transfer Guidelines (“CBPDT Guidelines”) on 29 April 2025.
As background, the Personal Data Protection (Amendment) Act 2024 (“Amendment Act”) introduced amendments to Section 129 of the Personal Data Protection Act 2010 (“PDPA”), notably the removal of the whitelist regime and placing the responsibility of determining whether the receiving jurisdiction has adequate laws or protection to safeguard personal data on the data controller (instead of the Minister). The amended Section 129 of the PDPA came into force on 1 April 2025.
Following the amendments, the Personal Data Protection Commissioner (“Commissioner”) issued the CBPDT Guidelines to clarify the requirements for compliance with each condition specified under Section 129 of the PDPA, and to assist data controllers in identifying and applying the appropriate condition for any cross-border transfer of personal data.
Conditions for the Cross Border Personal Data Transfer
In relation to transfers (i) necessary for the performance of a contract between a data subject and data controller, (ii) necessary for the performance of a contract between the data controller and a third party; or (iii) necessary to protect the vital interests of the data subject, the CBPDT Guidelines provide that:
- a transfer is ‘necessary’ if (i) it is not just practice or is carried out on a regular basis; (ii) it is made to achieve a specific purpose only and not for general purpose; and (iii) the specified purpose cannot be achieved through any alternative means which can be feasibly carried out; and
- when making the “necessity” assessment, the data controller must take into account (i) the reasons why the transfer is required, (ii) the purposes of the transfer; and (iii) whether there are feasible alternatives.
Other Key Obligations under the CBPDT Guidelines
The CBPDT Guidelines also prescribe specific responsibilities and obligations of the data controllers for the transfers of personal data:
- Security: Responsible for the security of personal data when transferring out of Malaysia, in line with the Security Principle under the PDPA, subsidiary legislation, standard and any other applicable guidelines relating to protection of personal data.
- Dealing with third party/data processor: Ensure that contracts entered into with third party/data processors contain clauses governing the processing of personal data, including the security of personal data.
- Record keeping requirements: Maintain records of any cross border transfers, which must contain the following:
  - Details of the receiver (name, company registration number (if applicable), contact details of the Data Processing Officer);
  - The country that the personal data is being transferred to;
  - The type of personal data transferred;
  - Purposes of the transfer;
  - The conditions relied on to effect the transfer and the relevant documentation (e.g. record and findings of TIA, privacy notice, record of data subject’s consent); and
  - Such other information as the data controller deems necessary.
Organisations intending to rely on the new conditions under Section 129 of the PDPA are advised to peruse the CBPDT Guidelines to determine the feasibility of relying on the conditions and prescribed process. Organisations should also begin reviewing existing cross-border data transfer documentation to ensure compliance with the record-keeping requirements outlined in the CBPDT Guidelines. It is imperative that organisations evaluate their current data transfer mechanisms and documentation to ensure compliance moving forward.
For further information, please contact Jillian Chia (Head/Partner), Natalie Lim (Partner) and Charmayne Ong (Partner) of the Personal Data Protection Practice of Skrine.