Last review date: 31 December 2024
Yes.
Any place outside Malaysia.
Transfers of personal data to third countries are only permissible if there is a legal basis for the processing/transfer and one of the following applies:
☒ derogations, such as consent, contract performance, necessity to establish, exercise or defend legal claims
☒ other solutions
Please see separate question for information on data localization provisions that are not restricted to personal data.
Effective 1 April 2025, the following additional legal bases will also be available:
PDPD is proposing the adoption of a transfer impact assessment (TIA) (setting out prescribed steps to take and non-exhaustive factors to consider), in order to rely on either of the above new legal bases. There are also other proposals that seek to clarify the practical compliance with the existing legal bases, including the applicability of binding corporate rules, standard contractual clauses, and certification. The cross-border data transfer guidelines (setting out practices for cross-border data transfers) are expected to be released in early 2025 and will provide more guidance in this regard.