Malaysia Launches Cross-Border Personal Data Transfer Guidelines, Shifting Adequacy Burden to Data Controllers

On April 29, 2025, Malaysia's Personal Data Protection Commissioner officially launched the Cross Border Personal Data Transfer Guidelines (CBPDT Guidelines). This milestone publication follows the Personal Data Protection (Amendment) Act 2024, which amended Section 129 of the Personal Data Protection Act 2010 (PDPA) and came into force on April 1, 2025.

The new framework fundamentally restructures how multinational corporations manage outbound transfers of personal data from Malaysia.

Removal of the Whitelist Regime

The most significant structural shift is the removal of the whitelist regime. Previously, the Minister was responsible for maintaining a whitelist of jurisdictions deemed to have adequate data protection laws. Under the amended Section 129, this responsibility is transferred directly to the data controller. Data controllers must now independently evaluate and determine whether the receiving jurisdiction has adequate laws or protections to safeguard personal data.

Strict Tests for "Necessary" Transfers

For transfers relying on contractual necessity (e.g., performance of a contract between the data subject and data controller, or a contract between the data controller and a third party), the CBPDT Guidelines establish a strict three-prong "necessity" test:

  1. The transfer must not be just common practice or carried out on a routine, regular basis.
  2. The transfer must be made to achieve a specific, narrow purpose only, and not for a general purpose.
  3. The specified purpose cannot be achieved through any feasible alternative means that could be carried out locally.

When conducting this assessment, data controllers must document the precise business reasons for the transfer, the underlying purposes, and the feasibility of local alternatives.

Core Operational Obligations

The CBPDT Guidelines prescribe several key compliance responsibilities for data controllers executing cross-border transfers:

  • Security Safeguards: The data controller remains legally responsible for the security of personal data during transit and offshore processing, in line with the PDPA’s Security Principle.
  • Contractual Controls: Data controllers must ensure that all contracts with third-party recipients or data processors contain robust clauses governing data processing and security.
  • Mandatory Record-Keeping: Data controllers must maintain comprehensive, audit-ready records of all cross-border transfers. These records must contain:
    • Full details of the receiver (name, company registration number, and the contact details of their Data Protection Officer).
    • The destination country.
    • The specific categories of personal data transferred.
    • The business purposes of the transfer.
    • The legal conditions relied upon to effect the transfer, accompanied by supporting documentation (such as Transfer Impact Assessment (TIA) findings, privacy notices, and records of explicit consent).

Verbatim Quotes

"As background, the Personal Data Protection (Amendment) Act 2024 (“Amendment Act”) introduced amendments to Section 129 of the Personal Data Protection Act 2010 (“PDPA”), notably the removal of the whitelist regime and placing the responsibility of determining whether the receiving jurisdiction has adequate laws or protection to safeguard personal data on the data controller (instead of the Minister). The amended Section 129 of the PDPA came into force on 1 April 2025."

"Maintain records of any cross border transfers, which must contain the following: Details of the receiver ... The country that the personal data is being transferred to; The type of personal data transferred; Purposes of the transfer; The conditions relied on to effect the transfer and the relevant documentation (e.g. record and findings of TIA, privacy notice, record of data subject’s consent)..."
