To ensure personal data protection during cross border transfers, the Commissioner has issued the Personal Data Protection Guidelines No. 3/2025: Cross Border Personal Data Transfer, which provides a roadmap for complying with Section 129 of the Personal Data Protection Act 2010 (PDPA).
This article explores core requirements of the guideline, the legal framework of Section 129, and practical steps business owners acting as data controllers must take to ensure compliance.
Section 129 of PDPA
Section 129 of the PDPA is the primary provision regulating the transfer of personal data from Malaysia to any place outside the country. It is meant to ensure that personal data leaving Malaysian jurisdiction remains protected by standards at least equivalent to those provided locally.
The guidelines clarify that a data controller cannot simply transfer data at will; they must satisfy specific legal conditions under either Subsection 129(2) or Subsection 129(3) of the Act.
Subsection 129(2)
Under Subsection 129(2), a data controller may transfer personal data if the destination meets one of two criteria:
- The receiving country has a law in place that is substantially similar to the PDPA.
- Even if its law is not substantially similar, the destination ensures an adequate level of protection at least equivalent to Malaysia’s.
This means the foreign country must offer similar protections regarding collection, disclosure, retention, and data subject rights (such as access and correction).
Subsection 129(3)
If the destination does not have substantially similar laws or an adequate level of protection, a transfer may still proceed under Subsection 129(3) if specific conditions are met. These conditions include:
- The data subject has given informed consent, after the data controller provides notice of the transfer purpose and the categories of third-party recipients.
- It is strictly necessary for performing a contract with the data subject, or a contract with a third party entered into at the data subject’s request or in their direct interest. The necessity must relate to a specific core purpose, not general business practice.
- The transfer is necessary for legal proceedings, for obtaining legal advice, or for the defence of legal rights, or it is necessary to protect the vital interests of a data subject (e.g., where life or health is at risk and this outweighs privacy concerns).
The Transfer Impact Assessment (TIA)
To determine if a destination meets these standards, data controllers are encouraged to conduct a Transfer Impact Assessment (TIA). A TIA is a risk assessment designed to evaluate the legal and regulatory framework of the receiving jurisdiction.
The TIA process typically begins by identifying the countries involved in the data transfer and assessing the legal framework and data protection mechanisms applicable in those jurisdictions. This includes evaluating whether the recipient country has data protection laws comparable to the Malaysian PDPA, or other effective safeguards governing the protection of personal data.
Data controllers should then assess the practical risks associated with the transfer by drawing on credible and up-to-date sources of information, which may include:
- relevant foreign data protection laws and regulations;
- case law and regulatory guidance from the recipient jurisdiction;
- reports or assessments published by intergovernmental or regulatory bodies;
- reliable news or reports of data breaches or enforcement actions; and
- the recipient’s internal compliance measures, past compliance history, and other credible and recent information.
When conducting a TIA, there are also a few important factors to consider, including the following:
- the existence of an authority similar to Malaysia’s Department of Personal Data Protection
- the presence of data breach notification requirements
- if there is a requirement for a Data Protection Officer
- the receiver’s history of compliance and past data breaches
Findings from a TIA are valid for a maximum of three years, after which a follow-up assessment is required.
Precautions
When a data controller relies on Paragraph 129(3)(f), they must demonstrate that they have taken all reasonable precautions and exercised all due diligence. The guidelines suggest three primary mechanisms.
Binding Corporate Rules (BCR)
BCRs are internal policies used by multinational corporate groups (e.g., franchises or joint ventures) to regulate intra-group data transfers. A BCR must be legally binding on all parties and include details on data retention, breach reporting, and data subject rights.
Contractual Clauses (CC)
Data controllers can insert specific clauses into contracts that legally bind the receiver to protect the data. These clauses should guarantee compliance with the PDPA and outline necessary security measures. The guideline points to international models such as the ASEAN Model Contractual Clauses or the EU GDPR Standard Contractual Clauses as useful templates.
Recognised certifications
A transfer may be justified if the receiver holds a valid Recognised Certificate, such as APEC CBPR (Cross Border Privacy Rules) or Europrivacy. Data controllers must verify the validity of these certificates, often through online registries, and enter a contract that warrants the certificate’s validity.
Record keeping & responsibility
Finally, the guidelines emphasise transparency and accountability. Data controllers must maintain detailed records of all cross-border transfers, including:
- name and registration number of the receiver
- destination country, the type of data transferred, and the purpose of the transfer
- proof of compliance, such as TIA findings, records of the data subject’s consent, copies of BCRs, certificates, or signed contracts
Conclusion
Businesses in Malaysia that fail to comply with Section 129 of the PDPA can expose themselves to significant penalties. If your business engages in cross-border data transfers, works with overseas vendors or service providers, or is unsure whether its current arrangements comply with the PDPA, it is important to address these risks proactively.
Should you require assistance with conducting a Transfer Impact Assessment (TIA) or strengthening your data protection compliance framework, please feel free to get in touch with us.