Yes, consent from data subjects is required for the data users to move their personal data to cloud servers located outside of Malaysia. Further, the data subjects' consent is also required if the data users intend to disclose their personal data to vendors, including cloud service providers.

Where sensitive personal data is involved, the data subjects' explicit consent must be obtained. Explicit consent for sensitive personal data is not defined under the Personal Data Protection Act 2010 ("PDPA"), and neither is the mode of obtaining such consent. However, it is typically construed to mean an affirmative action taken by the data subject to indicate consent (e.g., requiring the data subject to check a box on an online form consenting to their personal data being processed in accordance with the general terms and conditions or privacy policy would be explicit consent).

Where nonsensitive personal data is involved, such consent may be in the form of implied consent or consent in the general terms and conditions used with customers, but the consent must be as follows:

(i) In a form that can be recorded and properly maintained by the data user

(ii) Presented in a distinguishable way in its appearance from another matter, if the form in which such consent is to be given also concerns another matter

Note that data subjects are also afforded the right under the PDPA to withdraw their consent to the processing of their personal data by providing a written notice in writing to the data user. Failure to comply with such request is an offense under the PDPA. Upon conviction, the data user may be liable to a fine not exceeding MYR 100,000 (approximately USD 22,500) and/or imprisonment for a term not exceeding one year.