You may be trying to access this site from a secured browser on the server. Please enable scripts and reload this page.
Home
Deutsch
|
English
Rödl & Partner opens new office in Waterloo, Canada |
Worldwide
It looks like your browser does not have JavaScript enabled. Please turn on JavaScript and try again.
✕
Germany
Ansbach
Bayreuth
Berlin
Bielefeld
Chemnitz
Cologne
Dortmund
Dresden
Eschborn
Fuerth
Hamburg
Hanover
Herford
Hof
Jena
Mettlach
Munich
Nuremberg
Plauen
Regensburg
Selb
Stuttgart
Ulm
Worldwide
Algeria
Angola
Argentina
Australia
Austria
Azerbaijan
Bahrain
Belarus
Belgium
Bosnia and Herzegovina
Botswana
Brazil
Bulgaria
Cambodia
Canada
Chile
China
Colombia
Costa Rica
Croatia
Cyprus
Czech Republic
Denmark
Ecuador
Egypt
Estonia
Ethiopia
Finland
France
Georgia
Germany
Ghana
Greece
Hong Kong (S.A.R.)
Hungary
India
Indonesia
Ireland
Italy
Japan
Kazakhstan
Kenya
Kuwait
Latvia
Libya
Liechtenstein
Lithuania
Luxembourg
Malaysia
Malta
Mauritius
Mexico
Moldova
Mongolia
Morocco
Mozambique
Myanmar
Namibia
Netherlands
New Zealand
Nigeria
North Macedonia
Norway
Oman
Pakistan
Paraguay
Peru
Philippines
Poland
Portugal
Qatar
Romania
Saudi Arabia
Serbia
Singapore
Slovakia
Slovenia
South Africa
South Korea
Spain
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Tunisia
Turkey
Uganda
Ukraine
United Arab Emirates
United Kingdom
Uruguay
USA
Uzbekistan
Vietnam
Zambia
Own offices of Rödl & Partner
German Professional Services Alliance -
GPSA
�������������������������������������������������������������
(Colours appear during mouseover)
We use cookies to personalise the website and offer you the greatest added value. They are, among other purposes, used to analyse visitor usage in order to improve the website for you. By using this website, you agree to their use. Further information can be found in our
data privacy statement
.
Insights
Services
Expertise from a single source
Our service lines
Legal advisory
Tax consulting
Audit services
Management and IT consulting
Business Process Outsourcing
Interdisciplinary services
MERGERS & ACQUISITIONS
Succession advisory
Mergers & Acquisitions
Stay informed
Completed deals
Who we advise
Media
Newsletters
Virtual reality tours
Virtual reality tours
Publications
Good to know
Newsletters
Brochures
Investment guides
Books
Download centre
Releases
Completed deals
Media contacts
Facts and figures
About us
Entrepreneurial spirit and values
Factbook
Facts and figures
Sustainability
Entrepreneurial spirit and values
Factbook
Managing Partners
Founder Dr. Bernd Rödl
Locations worldwide
Social responsibility
Project Fundus
Rödl Employee Fund for Children’s Aid
Partner cities: Kharkiv-Nuremberg
Family and career
Awards
Compliance & Incident Reporting System
Digital Agenda
Careers
Insights
Part 3: Personal Data Protection (Amendment) Act 2024 - Cross Border Personal Data Transfer Guidelines
ASEAN
ASEAN Forum
Digital Agenda
E-Invoicing
Indonesia Strategy Forum
Insights
Currently selected
Recent
Alle Kolumnen
Altersvorsorge
Antitrust Law
AOA
Artikelserie im OMV Fokus
ASEAN
Assurance & IT in der Gesundheits- und Sozialwirtschaft
Aufsichtsrecht
Außenwirtschaft und Zoll
BilRUG und weitere Reformen
International Expert Roundtable
Part 3: Personal Data Protection (Amendment) Act 2024 - Cross Border Personal Data Transfer Guidelines
Page Content
This is part of our ongoing series on the Personal Data Protection (Amendment) Act 2024. Our earlier articles can be accessed
here
(Part 1) and
here
(Part 2).
As mentioned in our article on the key amendments of Personal Data Protection (Amendment) Act 2024 (“PDPA 2024”), the whitelist regime for cross border data transfer provided in Section 129 of the Personal Data Protection Act 2010 (“PDPA”) has been removed, and companies must now meet specific conditions to legally transfer personal data outside of Malaysia.
On 29 April 2025, the Personal Data Protection Commissioner (“Commissioner”) published a Cross Border Personal Data Transfer Guideline (“Guideline”) to provide clarity on these requirements. These changes directly affect companies that operate internationally or transfer data overseas.
Cross Border Personal Data Transfer Guideline
The Guidelines outline the requirements data controllers must meet to rely on the conditions under Section 129 of the PDPA. The requirement is summarized below:
Equivalent data protection laws:
Data controller to conduct a Transfer Impact Assessment (TIA) to confirm the destination country has laws substantially similar to the PDPA and to reassess every 3 years.
Adequate level of protection:
Data controller to conduct a TIA to evaluate whether the level of protection offered is equivalent to the PDPA and to reassess every 3 years.
Consent from data subject: Inform the data subject of the transfer through a notice and document their consent according to PDPA regulations.
Contractual necessity between data controller and data subject:
Demonstrate that the transfer is essential to fulfill a specific contract with the data subject and cannot be achieved by other means.
Contractual necessity between data controller and third party:
Demonstrate that the transfer is essential to fulfill a specific contract with the data subject and cannot be achieved by other means and it is tied to a contract requested by or in the interest of the data subject.
Legal Purposes:
Transfers may be made in relation to legal proceedings, legal advice, or exercising legal rights.
Reasonable grounds:
If obtaining consent is impracticable and the data subject would likely consent, data controller has reasonable grounds to believe that the transfer may proceed to avoid or reduce harm to the data subject.
Taken all reasonable precautions and exercised all due diligence:
Implement Binding Corporate Rules, Standard Contractual Clauses, or obtain certifications.
Vital interests of data subject:
necessary to protect vital interests of data subject, provided the risk outweighs data protection concerns.
The Guidelines also outline the responsibilities of data controller in handling cross order personal data transfer which includes security of such transfer, the compliance of third party or data processor with the PDPA and record keeping of the transfer.
Actions to be taken
To ensure compliance with the amendment of Section 129 of the PDPA that came into force on 1 April 2025, it is crucial for companies to review their current cross border transfer processes, conduct and document required TIA, update data processing contracts with third parties and ensure record-keeping of all data transfers and consents.
While the PDPA shares similarities with the General Data Protection Regulation (“GDPR”) and may support the application of personal data protection policies and procedures across regions, the PDPA may, on a case-by-case basis, impose different or additional requirements as compared to the GDPR. Therefore, it is advisable for companies to carefully review and assess their compliance approach to ensure alignment with PDPA requirements and avoid potential non-compliance.
From The Newsletter
Newsflash Malaysia
Contact
Geetha Salva
+603 2276 5580
Send inquiry
How We Can Help
R
ö
dl & Partner in Malaysia
Turn on more accessible mode
Turn off more accessible mode
Skip Ribbon Commands
Skip to main content
Turn off Animations
Turn on Animations
Deutschland
Weltweit
Search
Menu
