
Section 129 of the Personal Data Protection Act 2010 (“PDPA 2010”) is one of the sections in the legislation that often becomes the subject of discussion among personal data practitioners and data controllers in Malaysia looking to transfer personal data out of Malaysia for further processing. Why? The conditions for transferring personal data to places outside Malaysia set out under Section 129 are worded rather broadly, leaving plenty of room for creative interpretation and thus causing confusion. The amendment to Section 129 through the Personal Data Protection (Amendment) Act 2024 made the section clearer to some extent, given that the previously adopted “White-List Regime” is now being replaced by the “Substantially Similar Law” and “Adequate Level of Protection” conditions. We discussed these two conditions extensively in our previous article. Fret not if you have missed it: it is published on our firm’s website if you would like to find out more.
Despite the amendment to Section 129 of the PDPA 2010, the section still lacks clarity in general, and this is where the Guidelines on Cross Border Personal Data Transfer (“Guidelines”) comes in. The Guidelines was published by the Personal Data Protection Commissioner on 29 April 2025 to clarify the conditions for cross border personal data transfer provided under Section 129 of the PDPA 2010. Our previous article explained how the conditions for “Substantially Similar Law” and “Adequate Level of Protection” can be applied by data controllers to transfer personal data out of Malaysia. This article addresses the rest of the conditions or exceptions under Section 129 of the PDPA 2010 for effecting a cross border personal data transfer. Section 129 of the PDPA 2010 provides seven exceptions where a data controller can transfer personal data out of Malaysia without complying with the “Substantially Similar Law” and “Adequate Level of Protection” conditions, and we will examine each of these exceptions in turn.
1. Where Data Subject has Consented to the Transfer
A data controller can transfer personal data out of Malaysia if the data subject has given his consent to the transfer. According to the Guidelines, the consent obtained from data subjects must not be a blanket consent. The consent should be provided in response to the data controller’s personal data protection notice which sets out:
(i) the class of third parties to whom the data is to be transferred; and
(ii) the purpose of the transfer.
Any such consent given by the data subjects should be recorded and maintained by the data controller in case of an investigation or dispute in the future.
2. Where the Transfer is Necessary for the Performance of a Contract Between the Data Controller and the Data Subject
Another exception where a data controller can transfer personal data out of Malaysia is where the transfer is necessary for the performance of a contract between the data controller and the data subject. According to the Guidelines, where this exception is to be relied upon, the following conditions are to be met:
(i) The cross border data transfer is necessary in the sense that:
- (a) It is required for the fulfilment of a specified purpose rather than for the general purposes or practices of the data controller;
- (b) It is made to achieve a specific purpose only and not for general purpose; and
- (c) The specified purpose cannot be reasonably achieved through any alternative means which can be feasibly carried out without having to conduct the cross border data transfer; and
(ii) The cross border transfer of personal data must be directly related to and for the purposes of performing the obligations of the data controller specified under the contract with the data subject.
To be able to rely on this exception, a data controller should carefully assess its reason and purpose for wanting to transfer the personal data out of Malaysia, and whether there are any feasible alternatives available.
3. Where the Transfer is Necessary for the Conclusion or Performance of a Contract Between the Data Controller and a Third Party
A data controller can also transfer personal data out of the country if it is necessary for the conclusion or performance of a contract between the data controller and a third party which is:
(i) entered into at the request of the data subject; or
(ii) in the interest of the data subject.
Similar to the earlier exception, a data controller looking to rely on this exception will have to fulfil the “necessity” condition expounded in paragraph 3(i) above. Additionally, the Guidelines also imposes the following conditions on a data controller who wishes to rely on this exception:
- (a) in the event the contract is entered into at the request of the data subject, the request should be recorded (in writing or otherwise) as proof; or
- (b) in the event the contract is entered into in the interest of the data subject, such interest must be clearly identifiable, directly affect the data subject, and targeted towards the data subject.
4. Where the Transfer is for the Purpose of Legal Proceedings
Section 129 of the PDPA 2010 also allows the transfer of personal data out of Malaysia in situations where the transfer is for the purpose of legal proceedings, obtaining legal advice or establishing, exercising or defending legal rights. However, a data controller should be mindful that it can only rely on this exception to perform a cross border data transfer if there is a real imminent risk of a legal proceeding being brought by or against the data controller. A mere possibility of a legal proceeding being brought by or against the data controller in the future will not make this exception available to the data controller.
Further, the Guidelines also clarified that the term “legal proceeding” used in this exception extends beyond a court proceeding and also includes a tribunal claim, an administrative or regulatory procedure, or an out-of-court procedure.
5. Where the Transfer is Based on Reasonable Grounds
A data controller may transfer personal data out of Malaysia where it has reasonable grounds for believing that:
(i) The transfer is for the avoidance or mitigation of adverse action against the data subject;
(ii) It is not practicable to obtain the consent in writing of the data subject to that transfer; and
(iii) If it was practicable to obtain such consent, the data subject would have given his consent.
It is worth noting that in order to be able to rely on this exception, the circumstances which warrant the cross border data transfer will have to fulfil all three conditions set out above. Typically, this exception is only relied upon when a data subject is unconscious, uncontactable despite reasonable and proportionate steps having been taken to contact him, or where there is insufficient to provide the data subject with all the information required for him to give his consent.
6. Where the Data Controller has Exercised Precautions and Due Diligence to Ensure that the Processing of Personal Data Out of Malaysia Will Not Contravene the PDPA 2010
This sixth exception is arguably the broadest exception for cross border data transfer provided under the PDPA 2010. A data controller is allowed to transfer personal data out of Malaysia if it has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not in that place be processed in any manner which, if that place is Malaysia, would be a contravention of the PDPA 2010.
The Guidelines has since clarified that “all reasonable precautions and exercised due diligence” may be understood by reference to the following three (3) mechanisms:
(i) Binding Corporate Rules (BCR) – BCR can be understood as a corporate governance framework that binds all the companies within the same group. In the context of the PDPA 2010, the BCR will have to be one that specifically addresses intra-group cross border transfer of personal data and the processing of the transferred personal data by the group (among other things). A data controller can transfer personal data to a receiver outside of Malaysia if there exists a BCR that binds both of them.
(ii) Contractual Clauses – A data controller that wants to rely on this exception to carry out a cross border data transfer can also rely on contractual provisions to ensure that the receiver of personal data (a) complies with the requirements of the PDPA 2010; and (b) has in place adequate security measures in relation to the processing of personal data. Under this exception, the data controller is advised to conduct periodic reviews of the data processing activities of the receiver to ensure compliance with the relevant contractual provisions.
(iii) Certification – Where the receiver possesses a valid and industrially recognised certificate concerning compliance with personal data protection laws, a data controller will be able to rely on this exception to conduct a cross border data transfer to the receiver. The data controller will however be expected to verify the validity of the certificate, to contractually impose an obligation on the receiver to ensure an adequate level of protection over the transferred personal data, and to obtain a warranty from the receiver that the certificate is valid. Similarly, the data controller is advised to periodically review the data processing activities of the receiver to ensure compliance with the relevant contractual provisions.
7. Where the Transfer is Necessary in Order to Protect the Vital Interest of Data Subject
Lastly, the PDPA 2010 also allows cross border data transfer where it is necessary to do so to protect the vital interest of a data subject. Similarly, a data controller looking to rely on this exception will have to fulfil the “necessity” condition expounded in paragraph 3(i) above.
With the introduction of the Guidelines, the conditions required before a data controller can transfer personal data out of Malaysia are now clearer than ever before. Data controllers who are actively transferring personal data out of Malaysia should conduct a review of their processing activities to ensure continued compliance with the PDPA 2010. Depending on the profile of the data receiver, the jurisdiction in which the data receiver resides, and the nature of the data processing activities, there may be a need for the data controller to conduct a transfer impact assessment or to update its data protection policies or data protection clauses in new and existing data processing agreements.
If your organization needs help with further insights and legal guidance on Personal Data Protection Act 2010, please feel free to reach out to Halim Hong & Quek’s Technology Practice Group. Lawyers from the Technology Practice Group have a wealth of experience assisting clients with their legal needs, particularly pertaining to compliance with the Personal Data Protection Act 2010 and will certainly be able to attend to your needs.
About the authors
Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity
ky.lo@hhq.com.my

Ong Johnson
Partner
Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance
johnson.ong@hhq.com.my