Cross-Border Data Transfers under the PDPA: What Companies Should Know in 2025

September 18, 2025
Vishnu Vijandran

Executive summary

Malaysia has recast the legal architecture for exports of personal data. With effect from 1 April 2025, the whitelist mechanism in Section 129 PDPA has been repealed. Controllers may transfer personal data abroad where either (i) the destination has a law substantially similar to the PDPA or (ii) the destination assures an adequate level of protection. If neither applies, a transfer may proceed under one of the Section 129(3) exceptions.

The Cross Border Personal Data Transfer Guidelines require Transfer Impact Assessments (TIAs) and recognise Binding Corporate Rules (BCRs), contractual clauses (including ASEAN MCCs and EU SCCs) and recognised certifications as safeguards. Separately, DPO appointment and mandatory data-breach notification took effect in June 2025 and should be integrated into your cross-border governance.

Statutory framework – Section 129 PDPA after the 2025 reforms

  • Whitelist removed – The 2025 PDPA Amendments deleted Section 129(1) and revised Section 129(2) of the Personal Data Protection Act 2010. Controllers themselves may transfer data if the receiving place has substantially similar law or provides adequate protection equivalent to the PDPA. The Ministerial list requirement is gone. This change has been effective since April 2025.
  • Exceptions updated – Section 129(3) continues to provide fallback conditions (consent, contract necessity with the data subject, etc.). The former public-interest limb has been expressly deleted.

Primary transfer routes under Section 129(2)

A. Law substantially similar to the PDPA

You may export personal data where the foreign legal system is substantially similar. The CBPDT Guidelines expect a Transfer Impact Assessment addressing, at minimum, data-subject rights, core principles, notice/consent, DPO and breach-notification requirements, processor controls, enforcement, and regulator effectiveness. Findings remain valid for no longer than three years and must be revisited if the legal position changes.

B. Adequate level of protection

Alternatively, demonstrate that the receiving place ensures adequate protection equivalent to the PDPA. The Transfer Impact Assessment should evaluate security posture, certifications, enforceability of obligations, histories of compliance/breach, and the regulator’s powers. Refresh the Transfer Impact Assessment within three years or earlier on material change.

Exceptions under Section 129(3)

If neither route in Section 129(2) is available, you may rely on a specific exception, provided necessity is satisfied and the decision is documented:

  • Consent – after a compliant notice that identifies classes of recipients and purposes; keep a verifiable consent record.
  • Contract necessity – where the transfer is necessary to perform a contract with the data subject, or to conclude/perform a contract with a third party at the data subject’s request or in their interest; the Guidelines spell out a strict, purpose-linked necessity test and require you to consider feasible local alternatives.
  • Legal proceedings/rights – for proceedings, legal advice, or the establishment, exercise or defence of legal rights.
  • Reasonable grounds where consent is impracticable – e.g., unconscious or uncontactable data subjects, with proportionate attempts to obtain consent.
  • Reasonable precautions & due diligence – see “Proving reasonable precautions & due diligence” below (BCR, contractual clauses, certification).
  • Vital interests – where necessary to protect life or health.

Proving reasonable precautions & due diligence (s.129(3)(f))

The Guidelines recognise three families of safeguards. In practice, high-maturity organisations layer these measures and couple them with a Transfer Impact Assessment.

(i) Binding Corporate Rules (BCRs) – legally binding intra-group policies with explicit scope, PDPA-equivalent principles, breach reporting, audit, liability apportionment, onward-transfer controls and DPO responsibilities; periodic review is expected.

(ii) Contractual Clauses (CCs) – contract terms guaranteeing PDPA-equivalent security and compliance, coupled with stop-transfer rights if the receiver breaches. The Guidelines expressly cite ASEAN MCCs and the EU SCCs as acceptable models; you should assess and, where needed, augment them to close PDPA-specific gaps identified by your Transfer Impact Assessment.

(iii) Recognised certification – independent attestations such as Europrivacy or APEC CBPR/PRP, paired with contractual warranties and validity verification (e.g., registry checks).

The Transfer Impact Assessment – substance, record-keeping and renewal

Content – map data flows and recipients; evaluate the receiving place’s legal framework, regulator effectiveness and enforceability of rights; scrutinise the receiver’s security measures, certifications, breach history and onward-transfer controls.

Validity and review – record your decision and rationale; valid for up to three years; conduct an earlier review upon material changes to law, systems or policies.

Logs – maintain a transfer register capturing receiver identity and DPO contact, destination country, data categories, purposes and evidence of compliance (TIA findings, consent records, contracts, BCRs or certificates).

Governance dependencies – DPO and breach notification

Malaysia’s 2025 update is not confined to cross-border rules. The DPO appointment and data-breach notification regimes were brought into force on 1 June 2025, with detailed Guidelines and Circulars issued by the Commissioner. Your cross-border programme should therefore embed DPO oversight, incident reporting and cooperation commitments into transfer contracts.

Malaysia ↔ EU and other regimes – dual-track compliance

For EU→Malaysia imports, remember that Malaysia does not benefit from an EU adequacy decision. EU exporters must deploy a GDPR transfer tool (e.g., EU SCCs/IDTA) and a GDPR-compliant Transfer Impact Assessment, in addition to your PDPA analysis for Malaysia→abroad flows. Align your templates to avoid contradictions across regimes.

How we can help

If your organisation is navigating the PDPA’s 2025 cross-border regime, our team can close the compliance loop end-to-end: we design transfer strategy and TIAs, tailor ASEAN MCCs and EU SCCs with PDPA riders and stop-transfer rights, implement BCRs and processor-governance frameworks, and produce bilingual (English and Bahasa Malaysia) notices, policies and transfer registers. We also provide DPO advisory or DPO-as-a-Service, build breach readiness aligned to notification thresholds, and deliver dual-track GDPR–PDPA alignment for EU→Malaysia imports and Malaysia→overseas exports, supported by targeted training and regulator-facing engagement so your programme stands up to scrutiny.

This article is written by Vishnu Vijandran (Partner). It only contains general information. It does not constitute legal advice nor an expression of legal opinion and should not be relied upon as such.

For more information, contact Vishnu at vishnu@aqranvijandran.com.