Cross Border Personal Data Transfer Guidelines: Everything You Need to Know

Recently, the Personal Data Protection (Amendment) Act 2024[1] introduced amendments to the Personal Data Protection Act 2010[2] (“PDPA”), including updated definitions, mandatory data breach notification and higher penalties for non-compliance, and removed the whitelisting mechanism for cross-border data transfers. For a detailed overview, you may refer to our firm’s earlier publication, ‘Personal Data Protection Act (PDPA) Compliance: Latest Amendments in 2024’, in which we prepared a comprehensive comparison highlighting the main differences between the PDPA and the amendments.

Previously, the whitelisting mechanism under Section 129 of the PDPA allowed personal data to be transferred from Malaysia to other countries only if those countries had been officially approved, or “whitelisted”, by the Minister of Digital. The Minister, acting on the recommendation of the Personal Data Protection Commissioner, would evaluate a foreign jurisdiction’s data protection laws. If those laws were substantially similar to, or offered a level of protection equivalent to, the PDPA, the jurisdiction could be listed in the Federal Gazette. Once whitelisted, data transfers to that country were permitted without any further justification. In short, whitelisting was a safeguard to ensure that personal data is sent only to countries with adequate data protection standards.

Although the PDPA generally allows personal data to be transferred only to whitelisted countries under Section 129, it provides exceptions under Section 129(3). A data user may transfer personal data to a non-whitelisted country if at least one of the specific conditions in that subsection is fulfilled. However, since no country has ever been approved under the whitelisting system[3], the Personal Data Protection (Amendment) Act 2024 removes it for cross-border data transfers. Nevertheless, the idea of whitelisting is not completely gone from the PDPA, as it may still be retained for other regulatory purposes.

Pursuant to the Personal Data Protection (Amendment) Act 2024, the Minister of Digital announced that the PDPA will be accompanied by Cross Border Personal Data Transfer Guidelines (“CBPDT Guidelines”). These guidelines aim to clarify the requirements under Section 129 of the PDPA, and to assist data controllers in identifying and applying the appropriate condition for any cross-border transfer of personal data.

The conditions for the transfer of personal data outside Malaysia are set out in the Cross-Border Personal Data Transfer Guidelines[4]. Each condition is listed below, followed by the steps to be taken by data controllers in relying on it.
First Condition:

The receiving jurisdiction has data protection laws that are equivalent to the PDPA. (refer to Para 129(2)(a) of the PDPA)

1. A data controller may carry out a Transfer Impact Assessment (TIA) to review whether the relevant personal data protection laws in the receiving jurisdiction are equivalent to the PDPA, in order to meet the requirements under the PDPA. The TIA should be conducted according to the following steps:

a. identify the countries to which the personal data will be transferred;

b. assess the personal data protection laws in each receiving country based on the factors listed in paragraph (2) below;

c. determine whether there are any existing laws that are substantially similar to the PDPA; and

d. ensure that the decision to transfer personal data complies with the PDPA.

2. The data controller shall at minimum consider the following factors:

a. the laws provide similar rights to data subjects, such as the right to access and the right to correct personal data;

b. similar Personal Data Protection Principles, such as the Security Principle;

c. comparable requirements and safeguards regarding the processing of personal data, including its collection, disclosure, retention and cross-border transfer;

d. similar or equivalent requirements concerning the appointment of a Data Protection Officer;

e. similar requirements relating to data breach notification;

f. similar requirements imposed on data processors to protect personal data; and

g. a regulatory authority in that country that is similar to the Department of Personal Data Protection and has similar powers to enable it to effectively enforce the relevant personal data protection law.

3. The TIA may be carried out by referring to the following sources of information:

a. the laws, regulations, guidelines and circulars that relate to personal data protection;

b. case law or decisions taken by independent judicial or administrative authorities regarding personal data protection matters;

c. reports from intergovernmental organisations, independent oversight bodies, business and trade associations and professional bodies;

d. news reports of data breaches;

e. reports provided by the receiver relating to the personal data protection practices and history of the said data controller/data processor;

f. research articles relating to the personal data protection laws and practices of the receiving country/jurisdiction; and

g. such other credible and current sources of information relating to personal data protection.

Second Condition:

The receiving jurisdiction provides a level of personal data protection that is at least equivalent to the level of protection afforded under the PDPA. (refer to Para 129(2)(b) of the PDPA)

1. A TIA can be conducted to determine whether the level of protection of personal data offered by the receiving country/jurisdiction is equivalent to the PDPA. The TIA shall be carried out in accordance with the following steps:

a. identify the countries to which personal data is to be transferred;

b. assess the mechanisms for protecting personal data in the receiving country/jurisdiction based on the factors listed in paragraph (2) below;

c. based on the findings of the TIA, determine:

i. whether there are protection measures in place to ensure that the personal data is afforded an adequate level of protection equivalent to the PDPA; and

ii. whether there are further measures that must be taken by the receiver to ensure that the personal data is adequately protected; and

d. ensure that the decision to transfer personal data complies with the PDPA.

2. The data controller shall consider the following factors:

a. the receiver has security measures and policies that are in line with the Security Principle and the Personal Data Protection Standards[5], such as:

i. Safety Standards: Data Users must provide practical security measures when processing personal data to protect that personal data from loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.

ii. Storage Standards: Data Users must take reasonable steps to ensure that all personal data is destroyed or permanently deleted once it is no longer being processed.

iii. Data Integrity Standards: Data Users shall take reasonable steps to ensure that personal data is accurate, complete, not misleading and up to date.

b. the receiver holds any security-related certifications under which its systems have been assessed and deemed secure;

c. the receiver is bound by legally enforceable obligations (whether through contract, agreement or by law), and whether such obligations can be enforced by the data controller or by the data subject whose personal data is to be transferred to that receiver;

d. the relevant personal data protection law governing the receiver can be easily enforced;

e. the receiver’s past history of compliance with the relevant personal data protection law and whether it has experienced any data breach incidents;

f. the receiver (data controller) imposes, or is legally required to impose, requirements on data processors to protect personal data; and

g. a regulatory authority similar to the Department of Personal Data Protection performs the functions and exercises the powers under the law regarding personal data protection.

Third Condition:

The data subject has given consent to the transfer. (refer to Para 129(3)(a) of the PDPA)

1. The data controller must first provide the data subject with a personal data protection notice containing the following details regarding the cross-border personal data transfer:

a. the class of third parties to whom the data is transferred; and

b. the purpose of the transfer.

Fourth Condition:

The transfer is necessary for the performance of a contract between the data subject and the data controller. (refer to Para 129(3)(b) of the PDPA)

1. The word ‘necessary’ in Para 129(3)(b), (c) and (g) does not mean that the cross-border personal data transfer has to be absolutely essential, but the transfer must satisfy the following:

a. the cross-border personal data transfer is not merely a routine practice carried out on a regular basis; the reason for the transfer must be the fulfilment of a specified purpose rather than the general purposes or practices of the company;

b. the cross-border personal data transfer is made to achieve a specific purpose only and not for a general purpose; and

c. the data controller cannot reasonably achieve the specified purpose through any alternative means that can feasibly be carried out.

2. When assessing whether the cross-border personal data transfer satisfies the above factors, the data controller shall take into account the following:

a. the reason why the transfer is required;

b. the purposes of the transfer; and

c. whether there are any feasible alternatives available.

3. The transfer of personal data must be directly related to, and for the purposes of, performing the obligations of the data controller as specified under the contract.

Fifth Condition:

The transfer is necessary for the conclusion or performance of a contract between the data controller and a third party that:

a. is made at the request of the data subject; or

b. is for the benefit of the data subject.

(refer to paragraph 129(3)(c) of the PDPA)

1. The request by the data subject must be:

a. provided in written form; or

b. where the request was made by means other than in writing, maintained and kept in a proper form that can be produced as proof that the data subject made the request.

2. Where the contract is for the benefit of the data subject, the data controller may rely on this condition only if the interest of the data subject is shown to be:

a. clear and substantial;

b. direct; and

c. targeted towards the data subject.

Sixth Condition:

The transfer is for the purpose of legal proceedings, for obtaining legal advice, or for establishing, exercising or defending legal rights. (refer to paragraph 129(3)(d) of the PDPA)

1. Legal proceedings include the following:

a. a claim that would be brought and defended in a court (under civil or criminal law);

b. a claim that would be brought and defended in a tribunal (e.g. a consumer claims tribunal);

c. an administrative or regulatory procedure (e.g. defending an investigation (or potential investigation) under competition or financial services law, or seeking approval for a merger); or

d. an out-of-court procedure (e.g. a without prejudice meeting, mediation or arbitration).

2. The data controller shall not rely on this condition if there is only a possibility that legal or other formal proceedings may be brought in the future. Nevertheless, the data controller may rely on this condition if it:

a. is engaged in pre-action correspondence;

b. is taking advice about the legal risk of bringing or defending a claim; or

c. has received a request for information from an overseas regulatory authority with a view to that authority potentially taking formal action.

Seventh Condition:

The data controller has reasonable grounds for a cross-border transfer without written consent. (refer to Para 129(3)(e) of the PDPA)

1. The data controller has reasonable grounds to believe that, in all the circumstances:

a. the transfer is made to avoid or reduce harm to the data subject;

b. it is not practicable to obtain the data subject’s written consent; and

c. if it were practicable to obtain such consent, the data subject would be likely to give it.

2. This condition applies only where it is not possible for the data subject to give consent, for example where:

a. the data subject is unconscious;

b. the data subject is not contactable and, given the circumstances, reasonable and proportionate steps have been taken to try to contact them; or

c. the data subject is unable to provide consent because there is insufficient time to provide all the information needed for consent.

Eighth Condition:

The data controller has taken all reasonable precautions and exercised due diligence to ensure that the personal data will not be processed in a manner that would be a breach of the PDPA if it were processed in Malaysia. (refer to paragraph 129(3)(f) of the PDPA)

1. Where the data controller has taken all reasonable precautions and exercised due diligence to ensure that the personal data will not be processed in a manner that would contravene the PDPA if the processing occurred in Malaysia, such precautions and diligence may be demonstrated through the following mechanisms:

a. Binding Corporate Rules (“BCR”): personal data protection policies implemented by a multinational corporate group, a group of undertakings or a group of enterprises engaged in a joint economic activity, such as a franchise, joint venture or professional partnership.

b. Contractual Clauses (“CC”): a set of clauses inserted into a contract which legally binds both the data controller and the receiver to ensure an adequate level of protection in relation to the processing of personal data.

c. Certification under an approved certification scheme (“Certification”): the data controller or data processor may obtain certification regarding personal data protection as a means of verifying that it has in place adequate policies and processes to comply with data protection standards or laws, or to provide an adequate level of protection for personal data.

Ninth Condition:

The transfer is necessary to protect the vital interests of the data subject. (refer to paragraph 129(3)(g) of the PDPA)

1. The data controller may rely on paragraph 129(3)(g) of the PDPA for a cross-border personal data transfer if:

a. the necessity of the transfer satisfies the factors laid out under the Fourth Condition above in paragraphs (1) and (2); and

b. the purpose of the cross-border personal data transfer is to protect the vital interests of the data subject.

2. The risk to the data subject’s vital interests must outweigh any personal data protection concerns.

Time Limit:

1. The findings of the TIA shall be valid for no longer than three (3) years. Beyond that period, the data controller shall conduct a follow-up TIA following the steps outlined above.

2. In the event of a change or amendment to the relevant personal data protection laws during the validity period of the TIA, the data controller shall review the change or amendment to determine whether the relevant personal data protection law remains substantially similar to the PDPA.

To conclude, the introduction of the Cross Border Personal Data Transfer Guidelines marks a significant step forward in strengthening Malaysia’s data protection framework, aligning local practices with international standards and reinforcing Malaysia’s position in the digital ecosystem.

Should you have any questions, feel free to contact our Head of Advisory & Compliance, Fakhrul Fadzilah (fakhrul@nzchambers.com) or our Pupil-in-Chambers, Najihan Kamarolzaman for further guidance.

Authors:

  1. Fakhrul Fadzilah
  2. Najihan Kamarolzaman

References:

[1] [Act A1727]

[2] [Act 709]

[3] Financier. (2021). The Road Ahead For Malaysia’s Personal Data Protection Act 2010. Retrieved from <https://www.financierworldwide.com/the-road-ahead-for-malaysias-personal-data-protection-act-2010>

[4] Pesuruhjaya Perlindungan Data Peribadi Malaysia. (2025, April 29). Garis Panduan Perlindungan Data Peribadi. Retrieved from <https://www.pdp.gov.my/ppdpv1/wp-content/uploads/2025/05/BUKU-GARIS-PANDUAN-PEMINDAHAN-DATA-PERIBADI-RENTAS-SEMPADAN-CBPDT.pdf>

[5] Personal Data Protection Standard 2015. Retrieved from <https://www.pdp.gov.my/ppdpv1/en/personal-data-protection-standard-2015/>