25 July 2025

From Legislative Reform to Practical Guidance: Key Amendments to Malaysia’s PDPA and the Launch of Cross-Border Transfer Guidelines


Malaysia’s data protection landscape has recently undergone a profound transformation, with the phased implementation of the Personal Data Protection (Amendment) Act 2024 (“PDPA Amendment”) and the official launch of the Guidelines for Cross Border Personal Data Transfer (“CBPDT Guidelines”). These developments mark a decisive step in aligning Malaysia’s data protection framework with international standards, providing much-needed clarity and operational guidance for organisations handling personal data within and beyond Malaysia’s borders.

This article provides an overview of the recent amendments to the Malaysian PDPA, before turning to the newly launched CBPDT Guidelines, which together set the stage for a more robust, transparent, and accountable data protection regime.

Key Features of the PDPA Amendment

The PDPA Amendment, which came into force in stages from January to June 2025, represents the most significant overhaul of Malaysia’s data protection law since its inception. The amendments were introduced following a multi-year review, modernising the PDPA and bringing it closer in line with global data protection regimes.

  • Terminology and Definitions: The PDPA Amendment replaces the term “data user” with “data controller” throughout the Act, aligning with internationally-used terminology. The definition of “personal data” is narrowed to exclude data relating to deceased individuals, while “sensitive personal data” is expanded to include biometric data. The Act also introduces a definition for “personal data breach,” encompassing loss, misuse, or unauthorised access to personal data.
  • Direct Obligations for Data Processors: For the first time, data processors (entities processing personal data on behalf of data controllers) are directly subject to the Security Principle (PDPA Section 9). This means they must take practical steps to protect personal data from loss, misuse, or unauthorised access, and may face criminal penalties for non-compliance.
  • Increased Penalties: The maximum fine for breaches of the PDPA’s Data Protection Principles (PDPA Sections 6-12) has been raised from RM300,000 (~USD70,000) to RM1,000,000 (~USD236,000), and the maximum term of imprisonment from two to three years, reflecting the seriousness with which data protection is now regarded.
  • Mandatory Appointment of Data Protection Officers (DPOs): From June 2025, both data controllers and data processors are required to appoint at least one DPO (PDPA Section 12), who will be accountable for ensuring compliance with the PDPA. The Commissioner must be notified of the appointment, with the DPO’s responsibilities and qualifications further detailed in relevant guidelines.
  • Mandatory Data Breach Notification: From June 2025, data controllers must notify the Personal Data Protection Commissioner as soon as practicable if they have reason to believe a personal data breach has occurred. If the breach is likely to cause significant harm to data subjects, affected individuals must also be notified without unnecessary delay (PDPA Section 12B).
  • Data Portability Rights: From June 2025, data subjects have the right to request that their personal data be transmitted directly from one data controller to another, subject to technical feasibility and data format compatibility (PDPA Section 43A).
  • Revised Cross-Border Transfer Regime: The Amendment removes the previous “whitelist” approach to cross-border transfers (requiring recommendation by the Commissioner and approval by the Minister), replacing it with a risk-based framework that allows transfers to jurisdictions with substantially similar laws or adequate protection, or under specified exceptions.

The Launch of the CBPDT Guidelines

While the PDPA Amendment sets out the legal framework, the CBPDT Guidelines (one of seven guidelines announced by the Digital Minister to supplement the revised PDPA) provide the operational detail and practical steps required for compliance in relation to cross-border personal data transfers under Section 129 of the PDPA.

Recently issued on 29 April 2025, the CBPDT Guidelines enumerate several legal bases (or “conditions”) under which a data controller may lawfully transfer personal data outside Malaysia. A data controller need only satisfy one of these conditions for a given transfer. The principal bases are as follows:

1. Similar Law or Adequate Protection: A transfer is permitted if the destination jurisdiction: (a) has a law in force that is “substantially similar” to the PDPA; or (b) ensures an “adequate level of protection” for personal data, at least equivalent to that provided by the PDPA (PDPA Section 129(2)).

To determine whether these criteria are met, data controllers should conduct a Transfer Impact Assessment (“TIA”), considering factors such as:

  • The presence of data subject rights (e.g., access, correction);
  • The existence of data protection principles (e.g., security, retention);
  • Requirements for data protection officers and breach notification;
  • Obligations on data processors; and
  • The existence and powers of a regulatory authority.

Further, in assessing an “adequate level of protection” for personal data, data controllers should consider additional factors such as the recipient’s legal or contractual obligations and its security measures, certifications, and compliance history.

The findings of a TIA are valid for up to three years, after which a follow-up assessment is required. A review must also be conducted if there are significant changes to the laws or protection measures in the destination jurisdiction.

2. Consent of the Data Subject: A transfer may proceed if the data subject has given explicit consent (PDPA Section 129(3)(a)). The CBPDT Guidelines require that: (a) the data subject is provided with a written notice detailing the class of third parties to whom the data will be transferred and the purpose of the transfer; and (b) consent is obtained, recorded, and maintained in accordance with the PDPA. If the data subject cannot give consent, a transfer may still be permitted if it is for the avoidance or mitigation of adverse action against the data subject, provided reasonable efforts to obtain consent have been made (PDPA Section 129(3)(e)).

3. Necessary for Contract or Vital Interests: A transfer is permitted if “necessary”:

  • For the performance of a contract with the data subject (PDPA Section 129(3)(c); with the CBPDT Guidelines clarifying that this requires the transfer to be “for the core purpose of the contract”, in the sense that “[t]he transfer of personal data must be directly related to and for the purposes of performing the obligations of the data controller as specified under the contract”);
  • For the conclusion or performance of a contract with a third party, at the data subject’s request or in their interest (PDPA Section 129(3)(c); with the CBPDT Guidelines clarifying that the data subject’s request should be made in writing or recorded in writing, and that the data subject’s interest should be clear and substantial, direct, and targeted towards the data subject); or
  • To protect the vital interests of the data subject (PDPA Section 129(3)(g)).

The CBPDT Guidelines further clarify that “necessary” does not mean “absolutely essential”, but the transfer must be for a specific purpose and not merely a matter of routine practice. Data controllers must also consider whether the purpose could reasonably be achieved by other means.

4. Legal Purposes: A transfer is permitted for the purposes of legal proceedings, obtaining legal advice, or establishing, exercising, or defending legal rights (PDPA Section 129(d)). This includes court and tribunal proceedings, regulatory investigations, and out-of-court procedures such as mediation or arbitration. However, the legal basis does not apply if there is only a possibility of future proceedings.

5. Reasonable Precautions and Due Diligence: A transfer may be justified if the data controller has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not be processed in a manner that would contravene the PDPA if the processing occurred in Malaysia (PDPA Section 129(f)).

The CBPDT Guidelines identify three mechanisms to evidence this:

  • Binding Corporate Rules: Legally binding data protection policies within a multinational group, covering intra-group transfers and subject to regular review.
  • Contractual Clauses: Minimum contractual clauses ensuring adequate protection, including security measures and compliance guarantees. The ASEAN Model Clauses and EU GDPR Standard Contractual Clauses are cited as examples.
  • Certification: Recognised certifications (e.g., Europrivacy, APEC CBPR/PRP) verifying compliance with data protection standards.

Regardless of the legal basis relied upon, the CBPDT Guidelines also reiterate several universal responsibilities on data controllers:

  • Notification: Data subjects should be informed in writing about the transfer, including the recipient and purpose.
  • Contractual Safeguards: Contracts with third parties or data processors should include clauses governing the processing and security of personal data.
  • Security: The method of transfer must be secure and in line with the PDPA’s security requirements.
  • Record-Keeping: Data controllers must maintain records of each transfer, including details of the recipient, country, type of data, purpose, and evidence of compliance with section 129 of the PDPA (e.g., TIA reports, consent records, contracts, BCRs, or certifications).

Conclusion

The PDPA Amendment, together with the launch of the CBPDT Guidelines, ushers in a new era of data protection in Malaysia. Establishing a comprehensive, risk-based framework for cross-border personal data transfers, they introduce clearer legal bases, enhanced operational requirements, and practical guidance, significantly raising the bar for data protection in Malaysia.

With cross-border data flows being an essential feature of the modern digital economy, organisations would do well to strengthen their data transfer practices, policies, and contracts to ensure compliance, safeguard data subjects’ rights, and support trust and confidence in the digital economy. Periodic review of compliance measures is highly recommended, and alignment with international standards is now central to facilitating global business and data flows.
