Launch of Personal Data Protection Guideline for Cross Border Data Transfers

Introduction

Following from our previous Legal Update setting out our analysis on the latest amendments to the Personal Data Protection Act 2010 (“PDPA”) pursuant to the Personal Data Protection (Amendment) Act 2024 (“Amendment Act”), which can be accessed here, and our Legal Update on the launch of the Personal Data Protection Guidelines for Data Protection Officer Appointment (“Data Protection Officer Guideline”) and Mandatory Data Breach Notification (“Data Breach Notification Guideline”), which can be accessed here, the Personal Data Protection Commissioner (“Commissioner”) has just launched the Personal Data Protection Guideline on Cross Border Data Transfers (“CBDT Guideline”).

By way of background, the Digital Minister (“Minister”) announced in early 2024 that the Commissioner would be developing and issuing a suite of personal data protection guidelines over the course of 2024 and 2025 to supplement the latest amendments to the PDPA. These guidelines are intended to be released in two tranches as follows:

First Tranche of Guidelines 

  1. Data Protection Officer Guideline;
  2. Data Breach Notification Guideline;
  3. Data Portability Guideline; and
  4. Cross-Border Data Transfer Guideline.

Second Tranche of Guidelines 

  1. Data Protection Impact Assessment Guideline;
  2. Privacy by Design Guideline; and
  3. Profiling and Automated Decision-Making Guideline.

The Data Protection Officer Guideline and Data Breach Notification Guideline were issued on 25 February 2025. Following from this, the CBDT Guideline is the third guideline to be issued by the Commissioner pursuant to the Amendment Act.

Following the issuance of the CBDT Guideline on 29 April 2025, the remaining guideline under the first tranche of guidelines, namely the Data Portability Guideline, is expected to be issued by Q2 this year.

Overview of the Key Requirements under the CBDT Guideline

This Legal Update seeks to provide a brief overview of the key provisions under the CBDT Guideline.

By way of background, section 129 of the PDPA sets out the conditions for the transfer of personal data outside Malaysia. The CBDT Guideline now provides data controllers with additional guidance on compliance with each condition set out under sections 129(2) and (3) of the PDPA, pursuant to the amendments introduced by the Amendment Act.

Key requirements for each condition provided under the CBDT Guideline are as follows:

  1. A law substantially similar to the PDPA (section 129(2)): A data controller may rely on this condition if the data controller has conducted a transfer impact assessment (“TIA”) to review the relevant personal data protection law of the receiving country, subject to the following conditions:
      • it must consider the factors listed under the CBDT Guideline, such as whether the law provides data subjects with similar rights;
      • the results of the TIA are valid for a period no longer than three years; and
      • any changes or amendments to the relevant personal data protection law must be reviewed to determine whether, as a result of the change or amendment, the law is still substantially similar to the PDPA.
  2. A place with an adequate level of protection (section 129(2)(b)): A data controller may rely on this condition if the data controller has conducted a TIA to review the relevant personal data protection law of the receiving country, subject to the following conditions:
      • it must consider the factors listed under the CBDT Guideline, such as whether the recipient has security measures and policies in place that are in line with the Security Principle and Personal Data Protection Standards issued by the Commissioner;
      • the results of the TIA are valid for a period no longer than three years; and
      • any significant changes or amendments to the systems or policies relating to the safety and security of personal data during the validity period of the TIA must be reviewed to determine whether, as a result of the change or amendment, personal data is still provided with adequate safeguards equivalent to those provided under the PDPA.
  3. Consent (section 129(3)(a)): A data controller may rely on this condition if it:
      • provides the data subject with its personal data protection notice containing details regarding the class of third party that the receiving data controller or data processor belongs to and the purposes of the transfer; and
      • obtains consent that is capable of being recorded or maintained in accordance with the requirements of the Personal Data Protection Regulations 2013.
  4. Transfer necessary for the performance of a contract between data subject and data controller (section 129(3)(b)): A data controller may rely on this condition if:
      • the transfer is necessary[1] for the data controller to carry out its obligations in the contract; and
      • the obligations are for the core purpose of the contract.
  5. Transfer necessary for the conclusion or performance of a contract between the data controller and a third party (section 129(3)(c)): A data controller may rely on this condition if:
      • the transfer is necessary for the conclusion or performance of the contract;
      • the contract is entered into at the request of the data subject or is in the interests of the data subject;
      • where the contract is entered into at the request of the data subject, the request is provided in written form or has been recorded and maintained in such a way that it can be shown as proof that the data subject has made such a request; and
      • where the contract is entered into in the interests of the data subject, the interest must be clear and substantial, direct and targeted towards the data subject.
  6. Transfer for the purposes of legal proceedings (section 129(3)(d)): A data controller may rely on this condition if the transfer is for the purposes of any legal proceedings, obtaining legal advice or establishing, exercising or defending legal rights.
  7. Reasonable grounds of the data controller (section 129(3)(e)): A data controller may rely on this condition if it has reasonable grounds for believing that:
      • the transfer is for the avoidance or mitigation of adverse action against the data subject;
      • it is not practicable to obtain the consent in writing of the data subject to that transfer; and
      • if it were practicable to obtain such consent, the data subject would have given his consent.
  8. Requirement to take all reasonable precautions and exercise all due diligence for cross-border transfers of personal data (section 129(3)(f)): A data controller who utilises the following mechanisms may rely on this condition:
      • Binding Corporate Rules. These are personal data protection policies typically implemented by multinational groups or other groups of undertakings or enterprises to regulate the transfer of personal data within the group;
      • Standard Contractual Clauses. These are a set of clauses inserted into a contract that legally binds both parties to ensure that there are adequate and appropriate safeguards in place to ensure the security of personal data; and
      • Certification. This refers to personal data protection certifications certifying that the data controller has in place adequate policies and processes that comply with a particular data protection law or is able to provide an adequate level of protection to safeguard personal data.
  9. Transfer necessary to protect the vital interests of the data subject (section 129(3)(g)): A data controller may rely on this condition if:
      • the transfer is necessary;
      • the purpose of the transfer is to protect the vital interests of the data subject; and
      • the risk to the data subject outweighs any personal data protection concerns.
  10. Other matters to note: In addition to the above conditions, the CBDT Guideline states that data controllers must keep and maintain a record of any transfer of personal data outside Malaysia. The record must contain the following information:
      • details of the receiving data controller or processor;
      • the country that the personal data is being transferred to;
      • the type of personal data transferred;
      • the purposes for or related to the transfer;
      • the conditions relied on for the transfer, along with proof that each condition has been satisfied; and
      • such other information as is deemed necessary.

Key Compliance Requirements: All data controllers who transfer personal data outside Malaysia are strongly encouraged to review the CBDT Guideline and their own processes to determine whether they meet the requirements of the conditions relied on for the transfer of personal data outside Malaysia.

Additionally, in the event that a data controller is interested in relying on the new conditions introduced under section 129(2) of the PDPA or the new mechanisms under section 129(3)(f) of the PDPA, we strongly encourage such data controllers to review the CBDT Guideline and determine whether it would be feasible for the data controller to conduct the required TIA, observe the prescribed processes, and comply with the obligations required under the new mechanisms.

Given the new record-keeping requirements, data controllers should also review their current processes and policies to ensure that they are able to keep and maintain the records required under the CBDT Guideline.

Concluding Remarks

The CBDT Guideline provides further guidance and clarity on the requirements to comply with each condition for the transfer of personal data outside Malaysia. All data controllers who transfer personal data outside of Malaysia are advised to review the CBDT Guideline (in particular the relevant condition currently relied on by the data controller) to ensure their full compliance with section 129 of the PDPA.

That said, with the anticipated issuance of further personal data protection guidelines, revised Personal Data Protection Standard (to replace the Personal Data Protection Standard 2015), and potential amendments to existing personal data protection regulations, we advise that all data controllers stay up to date and be prepared for these regulatory developments as and when they are issued.

We trust the above provides a useful update on the key requirements in the CBDT Guideline. Should you require any assistance or clarification in relation to the above, or any matter relating to personal data protection, please feel free to contact us at your convenience.

Contribution Note

This Legal Update is contributed by the listed Contact Partners, with the assistance of Matthew Chang (Associate, Christopher & Lee Ong).

__________________________________

[1] Under the CBDT Guideline, a transfer is necessary if: (i) it is not just practice or is carried out on a regular basis; (ii) it is made to achieve a specific purpose and not a general purpose; and (iii) the specified purpose cannot be achieved through any alternative means which can be feasibly carried out.
Disclaimer

Rajah & Tann Asia is a network of member firms with local legal practices in Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Our Asian network also includes our regional office in China as well as regional desks focused on Brunei, Japan and South Asia. Member firms are independently constituted and regulated in accordance with relevant local requirements.

The contents of this publication are owned by Rajah & Tann Asia together with each of its member firms and are subject to all relevant protection (including but not limited to copyright protection) under the laws of each of the countries where the member firm operates and, through international treaties, other countries. No part of this publication may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means whether or not transiently for any purpose save as permitted herein) without the prior written permission of Rajah & Tann Asia or its respective member firms.

Please note also that whilst the information in this publication is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action as such information may not suit your specific business and operational requirements. You should seek legal advice for your specific situation. In addition, the information in this publication does not create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on the information in this publication.