Malaysia – Personal Data Protection Guidelines: Appointment Of Data Protection Officer & Data Breach Notification.
As anticipated in our December 2024 Legal Update, the phased implementation of the provisions of the Personal Data Protection (Amendment) Act 2024 (“PDP Amendment Act”) is already underway. Among others, the newly introduced requirements for the appointment of data protection officer (“DPO”) and data breach notification (“DBN”) are set to come into force on 1 June 2025. This Legal Update summarises the recent regulatory developments relating to the appointment of DPO and DBN.
The Personal Data Protection Guideline on Appointment of Data Protection Officer (“DPO Guidelines”) and Personal Data Protection Guideline on Data Breach Notification (“DBN Guidelines”) have been issued pursuant to the Personal Data Protection Commissioner’s (“Commissioner”) functions under Section 48(g) of the Personal Data Protection Act 2010 (“PDPA”). They are to be read in conjunction with the Commissioner’s Circular No. 1/2025 (Appointment of Data Protection Officer) and Circular No. 2/2025 (Data Breach Notification), respectively, which will come into force on 1 June 2025.
Appointment of Data Protection Officer
We discussed the requirement for DPO to be appointed in our July 2024 and December 2024 Legal Updates. Pursuant to the newly introduced Section 12A of the PDPA, data controllers and data processors are required to appoint one or more DPOs, who shall be accountable to the data controller or data processor (as the case may be). Notwithstanding the foregoing, such appointment shall not discharge the data controller or data processor from all duties and functions under the PDPA.