Malaysia: Personal Data Protection Department published guidelines on cross-border personal data transfer

On 29 April 2025, the Personal Data Protection Department (PDPD) published guidelines on cross-border personal data transfer, in line with Section 129 of the Personal Data Protection Act 2010 (Act 709). The guideline details mechanisms for transferring data outside Malaysia, such as ensuring data is sent to countries with substantially similar laws or adequate protection levels, obtaining consent from data subjects, and using binding corporate rules, recognised certifications, or standard contractual clauses. Furthermore, it discusses requirements for Transfer Impact Assessments (TIAs) to evaluate legal and regulatory risks, record-keeping duties to demonstrate compliance, and the use of certified mechanisms to verify adherence to personal data protection standards.