DPOs and Notification Requirements
Is the concept of data protection officer (DPO) recognized in the jurisdiction?

Last review date: 31 December 2024

Yes.

Are there circumstances in which it is mandatory to appoint a DPO or similar position?

Last review date: 31 December 2024

Effective 1 June 2025, data controllers and data processors may need to appoint at least one DPO, who will be accountable to their respective organizations for compliance with the PDPA.

In particular, the PDPD is proposing that only those carrying out data processing activities on a "large scale" will need to appoint a DPO. The DPO regulations/guidelines (setting out the requirements for DPO appointments) are expected to be released by early 2025 and will provide more guidance on the forthcoming legal obligation to appoint a DPO.

Where a DPO is appointed, does the DPO have to meet specific requirements?

Last review date: 31 December 2024

The PDPD is proposing the following key requirements in relation to DPO appointments:

  • DPO appointment: A DPO can be appointed from an external provider or internally from among the employees.
  • Qualification criteria: A DPO should meet a minimum set of prescribed qualities and complete or obtain such training or certification as the Commissioner may later require.
  • Residency requirement: A DPO should ordinarily be a resident of Malaysia, but a single DPO may serve multiple entities within the same group of companies.
  • Responsibilities of the DPO: Carry out data protection impact assessments, ensure internal training sessions are provided, act as a liaison point with data subjects and the Commissioner, etc.
  • Reporting lines: A DPO should report directly to the senior management team or equivalent.

Note that the above is based on current proposals. The DPO regulations/guidelines (setting out the requirements for DPO appointments) are expected to be released by early 2025 and will provide more guidance on the forthcoming legal obligation to appoint a DPO.

If yes, what are these requirements?

N/A

Are there obligations to notify, submit filings to, register with or obtain approval from local data protection authorities to collect and/or process personal data generally?

Last review date: 31 December 2024

Yes.

Certain classes of data users/controllers, as provided under the Personal Data Protection (Class of Data Users) Order 2013, are required to register with the PDPD. These include, among others, licensed banks, insurers, private healthcare institutions, licensed tour operators, direct sales businesses, private higher education institutions, and certain utilities and transportation service providers.