This article is intended for companies or businesses required to appoint a Data Protection Officer (“DPO”) in accordance with the guidelines issued by the Personal Data Protection Commissioner (“Commissioner”).
The Commissioner has issued new guidelines under the Personal Data Protection (Amendment) Act 2024 (“Act”) requiring certain organisations to appoint a DPO by 1 June 2025.
This requirement applies to organisations that:-
(i) process the personal data of more than 20,000 data subjects;
(ii) process sensitive personal data of more than 10,000 data subjects; or
(iii) engage in regular and systematic monitoring of personal data.
Once a DPO is appointed, the organisation must notify the Commissioner of the DPO appointment via the https://daftar.pdp.gov.my/v1/dpo-register within 21 days.
To prepare for registration, companies will need to gather both organisational and DPO details.
Organisation Information
- Type of organisation (e.g., Sdn Bhd, public limited company, foreign entity);
- SSM or registration number, sector classification (if within one of 13 prescribed data controller classes), PDP registration number if already registered; and
- Official address, contact numbers, email, fax (if any).
DPO
- DPO full name, IC or passport number;
- Dedicated official DPO business email account (must be separate from personal and general work emails, and actively monitored);
- Work email, telephone number;
- Date of appointment, status (signed appointment letter to be uploaded (if any));
- Highest educational qualifications;
- Area of specialisation; and
- Training or certifications attended (with supporting documents if available)
Roles and Responsibilities of the DPO:
The DPO serves as the primary liaison between the organisation, data subjects, and the Commissioner. Their responsibilities include advising on the compliance, monitoring adherence to data protection laws, conducting data protection impact assessments, overseeing data breach management, and fostering a data protection culture within the organisation.
Who can be a DPO?
The role may be filled by an internal employee or an outsourced service provider, but the appointee must have knowledge of the PDPA, an understanding of business operations, IT or data security literacy, integrity, and the ability to promote compliance practices. The DPO must be a Malaysian or resident in Malaysia (physically present for more than 180 days per year) and be proficient in both Bahasa Melayu and English.
Key takeaways for businesses:
Assess now whether your organisation meets the appointment criteria. Identify and train a qualified DPO, prepare all necessary registration documents as well as publish your DPO’s business contact details in privacy notices and on your website. Notify the Commissioner of the DPO appointment via the https://daftar.pdp.gov.my/v1/dpo-register within 21 days of appointment.
Acting early will help ensure compliance with the Act and avoid potential enforcement actions.
***
This article was written by Jocelyn Lier (Associate) with assistance from Wendy Chan (Intern) from Donovan & Ho’s corporate practice.
Our corporate practice group advises on corporate acquisitions, restructuring exercises, joint venture arrangements, shareholder agreements, employee share options and franchise businesses, Malaysia start-up founders and can assist with venture capital funds in Seed, Series A & B funding rounds. Feel free to contact us if you have any queries.
