Cross Border Personal Data Transfer Under the Personal Data Protection Act 2010 As Explained By the Cross Border Personal Data Transfer Guideline

Introduction

Section 129 of the Personal Data Protection Act 2010 [Act 709] (“PDPA”) (as amended by the Personal Data Protection (Amendment) Act 2024) provides the grounds in which the data controller may transfer any personal data to a place outside Malaysia.

Pursuant to Section 48(g) of the PDPA, the Personal Data Protection Commissioner (“Commissioner”) had, on 29 April 2025, issued the Cross Border Personal Data Transfer (CBPDT) Guideline (“CBPDT Guideline”):

(a) to clarify the requirements to be complied with for each of the grounds specified under Section 129 of the PDPA; and

(b) to assist the data controller in determining the applicable grounds that can be relied upon by the data controller for the cross border personal data transfer.

This article is written to highlight the grounds for the cross border personal data transfer (under Section 129 of the PDPA) as explained by the CBPDT Guideline.

Grounds for the Cross Border Personal Data Transfer As Explained By the CBPDT Guideline

The personal data may only be transferred by data controller to a place outside Malaysia if any of the following grounds listed under Section 129 of the PDPA has been fulfilled:

Conclusion

The CBPDT Guideline issued by the Commissioner serves as a valuable reference to clarify the compliance requirements in respect of the grounds for the cross border personal data transfer under Section 129 of the PDPA as well as to guide the data controllers in determining the applicable grounds for cross border personal data transfer intended by them. All data controllers are advised to carefully read and understand the CBPDT Guideline to ensure their full compliance with the provisions relating to cross border personal data transfer under Section 129 of the PDPA.

1. Paragraph 3.2 of the CBPDT Guideline defines the term “receiver” as “data controller and/or data processor who receives personal data of subject data outside of Malaysia”.
2. Section 129(2)(a) of the PDPA.
3. According to Paragraph 5.2 of the CBPDT Guideline, “A law is substantially similar to the PDPA if the content of the law such as protection, rights and requirements related to processing including collection, disclosure, retention and cross border personal data transfer are similar to those provided under the PDPA”.
4. Paragraph 3.2 of the CBPDT Guideline defines the term “Transfer Impact Assessment” as “a risk assessment conducted to evaluate the legal and regulatory framework where personal data is being transferred to ensure that receiving country/ jurisdiction provides a law substantially similar to Act 709 or adequate level of protection in relation to the processing of personal data”.
5. Paragraph 5.3 of the CBPDT Guideline.
6. Paragraph 5.6 of the CBPDT Guideline.
7. Paragraph 5.7 of the CBPDT Guideline.
8. Section 129(2)(b) of the PDPA.
9. Paragraph 6.2 of the CBPDT Guideline.
10. Paragraph 6.5 of the CBPDT Guideline.
11. Paragraph 6.6 of the CBPDT Guideline.
12. Section 129(3)(a) of the PDPA.
13. Paragraph 7.2 of the CBPDT Guideline.
14. Paragraph 7.3 of the CBPDT Guideline.
15. Section 129(3)(b) of the PDPA.
16. Paragraph 8.1 of the CBPDT Guideline.
17. Paragraph 8.3 of the CBPDT Guideline.
18. Paragraph 8.5 of the CBPDT Guideline.
19. Section 129(3)(c) of the PDPA.
20. Paragraph 9.2 of the CBPDT Guideline.
21. as explained under Paragraph 9.3 of the CBPDT Guideline.
22. Section 129(3)(d) of the PDPA.
23. Section 129(3)(e) of the PDPA.
24. Paragraph 11.1 of the CBPDT Guideline.
25. Paragraph 11.2 of the CBPDT Guideline.
26. Section 129(3)(f) of the PDPA.
27. Section 129(3)(g) of the PDPA.
28. Paragraph 13.1 of the CBPDT Guideline.
29. Paragraph 13.2 of the CBPDT Guideline.

Written by:

Khairul Fazli Abdul Kadir (Partner) khairul.fazli@azmilaw.com

Khaliesah Yusri Kamaruzaman (Associate) khaliesah@azmilaw.com

Corporate Communications, Azmi & Associates – 5 June 2025