Description

Personal Data Protection Commissioner released guidelines for appointment of data protection officers

On 25 February 2025, the Personal Data Protection Commissioner of Malaysia released Guidelines for the Appointment of Data Protection Officers (DPOs). The guidelines outline the requirements, roles, and responsibilities that data controllers and processors must adhere to in order to comply with the Personal Data Protection Act 2010. The guidelines emphasise the legal requirement for data controllers and processors to appoint DPOs if their processing activities involve the personal data of more than 20'000 subjects, the sensitive personal data of more than 10'000 subjects, or activities requiring regular and systematic monitoring of personal data. They provide examples of activities that necessitate such monitoring, such as online behavioural tracking or health monitoring via wearable devices. Further, they outline the expertise and qualifications needed for DPOs, including an understanding of the organisation's data processing operations and proficiency in information technology and data security. They also highlight the importance of personal integrity and professional ethics for DPOs. Responsibilities of DPOs include advising data controllers and processors on compliance, monitoring data protection activities, managing data breaches, and acting as a point of contact for data subjects and the Commissioner. Lastly, organisations are required to notify the Commissioner of DPO appointments within 21 days and to maintain up-to-date contact information for DPOs.

Scope

Policy Area
Data governance
Policy Instrument
Data protection regulation
Regulated Economic Activity
cross-cutting
Implementation Level
national
Government Branch
executive
Government Body
data protection authority

Complete timeline of this policy change

2025-02-25
adopted

On 25 February 2025, the Personal Data Protection Commissioner of Malaysia released Guidelines for …