Are there any restrictions on transferring personal data and how can these be overcome?
Cross-border data transfers affect all organizations that engage online IT services, cloud-based services, remote access services and global HR databases. Understanding the applications of lawful data transfer mechanisms is essential to validate recipients located in other nations.
Data transfers typically include the following examples:
- personal data communicated over the telephone, by email, fax, letter, through a web tool or in person to another country;
- IT systems or data feeds which lead to personal data being stored on databases hosted outside Malaysia;
- people/entities outside Malaysia being able to access or "see" personal data held in the country; and,
- the use of personal data by third parties through external solutions, e.g., outsourcing, offshoring and cloud computing.
Under Malaysia’s Personal Data Protection Act 2010, international data transfers are allowed in certain cases, including when:
- the employee has consented to the international transfer;
- the data transfer is necessary to perform a contract between the employer and the employee;
- the data transfer is necessary to conclude or perform a contract between the employer and a third party which is entered into at the employee’s request or, is in the interest of the employee;
- the data transfer is for the purpose of a legal proceeding, obtaining legal advice or, establishing/defending/exercising legal rights;
- the employer has taken all reasonable steps and due diligence to ensure that the international transfer of employees’ personal data will continue to meet the requirements outlined in the Act;
- the employer has reasonable grounds to believe the transfer is to mitigate/avoid adverse action against an employee (only in cases where it’s not practical to obtain written consent and the employee would have given consent if it were practical);
- the transfer is necessary to protect the employee’s vital interest or is in the public interest (as determined by Malaysia’s Minister); or,
- the data is being transferred to a location specifically allowed by Malaysia’s Minister (This is somewhat theoretical, as no country has yet received approval).
HR Best Practices: Ensure internationally transferred personal data meets the general requirements in Malaysia’s Personal Data Protection Act. Only transfer employee’s personal information internationally with the consent or for a reason permitted under the Act.