International Data Transfer
Are there restrictions on the transfer of personal data to third countries?

Last review date: 31 December 2024

Yes.

Any place outside Malaysia.

Transfers of personal data to third countries are only permissible if there is a legal basis for the processing/transfer and one of the following applies:

         derogations, such as consent, contract performance, necessity to establish, exercise or defend legal claims

         other solutions

Please see separate question for information on data localization provisions that are not restricted to personal data.

  • The data user/controller has reasonable grounds to believe that in all circumstances of the case:
    • the transfer is for the avoidance or mitigation of adverse action against the data subject
    • it is not practicable to obtain consent of the data subject in writing to that transfer, and
    • if it was practicable to obtain such consent, the data subject would have given the consent.
  • The data user/controller has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not be processed in a manner that would contravene the PDPA if the personal data were processed in Malaysia.
  • The transfer is necessary in order to protect the vital interests (i.e., matters relating to life, death or security) of the data subject.

Effective 1 April 2025, the following additional legal bases will also be available:

  • There is a law in force in that place that is substantially similar to the PDPA.
  • That place ensures an adequate level of protection in relation to the processing of personal data which is at least equivalent to the level of protection afforded by the PDPA.

PDPD is proposing the adoption of a transfer impact assessment (TIA) (setting out prescribed steps to take and non-exhaustive factors to consider), in order to rely on either of the above new legal bases. There are also other proposals that seek to clarify the practical compliance with the existing legal bases, including the applicability of binding corporate rules, standard contractual clauses, and certification. The cross-border data transfer guidelines (setting out practices for cross-border data transfers) are expected to be released in early 2025 and will provide more guidance in this regard.