Action Required: New Guidelines on Data Protection Officer Appointment, Data Breach Notification, and Cross-Border Personal Data Transfers

29th May 2025

Introduction

In line with recent amendments to the Personal Data Protection Act 2010, Act 709 (“PDPA”), the Personal Data Protection Commissioner (“Commissioner”) issued two important sets of guidelines on 25 February 2025, namely (a) the Guideline on Appointment of Data Protection Officer (“DPO Guideline”), and (b) the Guideline on Data Breach Notification (“DBN Guideline”). These guidelines set out the requirements and procedures for the appointment of a Data Protection Officer (“DPO”) and for managing data breach notifications (“DBN”). With these obligations set to come into force on 1 June 2025, organisations and businesses must ensure they are fully prepared to meet the new compliance standards.

Additionally, the Commissioner issued the Guideline on Cross Border Personal Data Transfer (“CBPDT Guideline”) on 29 April 2025. The CBPDT Guideline provides further guidance on cross-border personal data transfers (“CBPDT”).

Part A: DPO Appointment

The PDPA defines data controllers and data processors to include any organisation that processes personal data in respect of commercial transactions. The newly introduced Section 12A of the PDPA makes it mandatory for data controllers and data processors to appoint a DPO. Section 12A must, however, be read together with the DPO Guideline. A brief overview of Section 12A is set out below.

Mandatory Appointment

Data controllers/data processors must appoint one or more DPO(s) if the processing of personal data involves any of the following:

(a)   personal data of more than 20,000 data subjects;
(b)   sensitive personal data including financial information of more than 10,000 data subjects; or
(c)   activities that require ‘regular and systematic monitoring’ of personal data.

Appointment Requirement

Data controllers/data processors must appoint a DPO by 1 June 2025.

Responsibility

The DPO is responsible for ensuring the organisation’s compliance with the PDPA.

Appointment Flexibility

Organisations can outsource the DPO role as a temporary solution.

Expertise and Qualifications

The DPO Guideline obliges data controllers/data processors to appoint a DPO who can adequately carry out the DPO’s tasks. The required competency of the DPO scales with, among other things, the volume and complexity of the personal data being processed.

In that regard, the appointed DPO must demonstrate a sound level of skill, including knowledge of the PDPA and the requirements under it, data protection practices, and IT and data security.

Obligations of data controllers/data processors

It cannot be stressed enough that the appointment of a DPO does not absolve data controllers/data processors from compliance with the PDPA. Liability for any breach of the PDPA still falls on them, notwithstanding the appointment of a DPO.

Data controllers/data processors are obliged to, among others, ensure that the DPO is registered with the Commissioner within 21 days from appointment.

Next course of action

Simply put, the first thing that data controllers/data processors must consider is whether the criteria for the appointment of a DPO are met. If so, the DPO to be appointed must satisfy the minimum expertise specified in the DPO Guideline. Once the DPO is appointed, privacy notices, websites and other media must be updated to include the DPO’s contact information.

In view of the stringent DPO Guideline, organisations and businesses need to be cautious when appointing a DPO to avoid violating these requirements.

Alternatively, the DPO Guideline allows the DPO role to be outsourced, providing an effective temporary solution for organisations and businesses that are unable to appoint an in-house DPO just yet.

Part B: DBN

Commencing on 1 June 2025, Section 12B of the PDPA requires data controllers to report any personal data breach to the Commissioner as soon as practicable, in the form prescribed by the Commissioner.

Threshold for evaluating the necessity of DBN

Data controllers are required to notify the Commissioner where the breach causes or is likely to cause ‘significant harm’ to the affected data subjects, such as financial loss, identity fraud, physical injury, or misuse of the data for illegal purposes.

Notification to the Commissioner

The data controller must notify the Commissioner of a personal data breach within 72 hours of becoming aware of the breach, and the notification must include details of the breach, its impact, and the steps taken to address it.

Notification to the affected Data Subjects

Where the breach results in or is likely to result in ‘significant harm’ to the affected data subjects, the data controller must also notify those data subjects.

This notification must be made within 7 days after notifying the Commissioner of the breach, and must provide the affected data subjects with details of the breach and of the ‘significant harm’ that has resulted or is likely to result.

Strengthening Compliance

With the DBN Guideline introducing stringent data breach requirements, businesses handling personal data must proactively ensure compliance and mitigate legal risk. As a data controller, aligning internal data breach management policies with the regulatory requirements is essential.

To ensure regulatory compliance, organisations and businesses need to:

(a)   carry out an urgent review and update of their data breach management policies;
(b)   establish clear procedures in the event of a personal data breach;
(c)   implement documentation processes to record personal data breach incidents, communications, digital logs and relevant background details;
(d)   review data handling and security policies, including existing agreements, and consider standardised third-party data processing contracts; and
(e)   identify overlapping notification obligations under the PDPA, and other applicable laws.

Non-compliance constitutes an offence under the PDPA and may subject the data controller to regulatory enforcement, including fines or imprisonment.

Part C: CBPDT

Apart from the other exceptions under Section 129, such as where the data subject’s consent has been obtained, Section 129(2) of the PDPA permits data controllers to transfer personal data to any place outside Malaysia if:

(a)   there is in that place in force any law which is substantially similar to the PDPA; or

(b)   that place ensures an adequate level of protection in relation to the processing of personal data which is at least equivalent to the level of protection afforded by the PDPA.

The CBPDT Guideline clarifies the application of Section 129(2) of the PDPA and sets out the conditions under which personal data may be transferred outside Malaysia, as well as the obligations imposed on data controllers engaging in such transfers.

Transfer of Personal Data Outside Malaysia

All cross-border transfers must be carried out in a manner that ensures an adequate level of personal data protection, including conducting a Transfer Impact Assessment (“TIA”) where appropriate.

Strengthening Compliance

Data controllers should review their cross-border data transfer practices to ensure they meet the requirements of the PDPA and the CBPDT Guideline, update internal policies, procedures and contractual arrangements where necessary, and keep proper records to demonstrate compliance.

Non-compliance constitutes an offence under the PDPA and may subject the data controller to regulatory enforcement, including fines or imprisonment.

This article is intended for general information. It should not be regarded as legal professional advice.

If you have any questions about how this development may impact your organisation or business, please feel free to reach out to Tan Gian Chung (Head) at [email protected] /  Lai Jian Xian, Nina (Partner) at [email protected] / Nyau Kok Cheong, Jeff (Partner) at [email protected] of our firm’s Technology, Multimedia and Telecommunications (TMT) Law Department.

This alert is prepared with the assistance of Natasha L Jayasinghe (Associate) and Brandon Back E Hyun (Associate).