Guidelines on Appointment of Data Protection Officers in Malaysia
In February 2025, the Personal Data Protection Commissioner (the “Commissioner”) of Malaysia issued Guidelines on Appointment of Data Protection Officers (“DPO Guidelines”). The DPO Guidelines, which will take effect from 1 June 2025, were designed having considered the feedback from the public consultation conducted in 2024. The DPO Guidelines should be read alongside other relevant legislative instruments in upholding Malaysia’s privacy regime, as established in the Personal Data Protection Act 2010 (“PDPA”).
DPO Guidelines
The requirement to appoint a data protection officer (“DPO”) under the PDPA comes into force on 1 June 2025. Data controllers and data processors will be obliged to appoint one or more DPOs who will be accountable for the organisations’ compliance with the PDPA. The DPO Guidelines provide key guidance regarding the scope and application of this requirement.
A. Scope of Application – Large Scale
The requirement to appoint a DPO will only apply to organisations processing data on a large scale, specifically where the processing of personal data involves:
- personal data exceeding 20,000 data subjects;
- sensitive personal data including financial information data exceeding 10,000 data subjects; or
- activities that require regular and systematic monitoring of personal data.
B. Key Obligations of Organisations
If an organisation falls within any of the criteria, it must appoint and register its appointed DPO with their business contact information on the Personal Data Protection System (“SPDP”) portal (https://daftar.pdp.gov.my) within 21 days of appointment. Where there is a change in the DPO or in the DPO’s business contact information, an update must be made on the SPDP portal no later than 14 days from the new appointment. This is to enable efficient communication with the DPO at all reasonable times. However, if data controllers or data processors believe that the above conditions are not met, they may record their reasons for not appointing a DPO.
Data controllers and data processors must set up a dedicated official business email account for the DPO, separate from the DPO’s personal and work email accounts, and the dedicated DPO account must be constantly monitored. The business contact information of the DPO must be published on:
- the data controller or data processor’s official website and other official media (including social media platforms, the intranet and telephone directories);
- personal data protection notices; and/or
- security policies and guidelines.
DPOs should be involved in all matters regarding personal data protection, and appointing organisations must engage DPOs from the earliest stage of the data processing lifecycle until the data is destroyed or deleted. DPOs should also be allocated sufficient resources to enable them to perform their responsibilities effectively; whether the resources allocated are adequate will depend on factors such as the complexity, sensitivity and volume of the data being processed. The independence of DPOs should be safeguarded, and DPOs should have direct reporting access to the senior management of their appointing organisation.
Where the appointment of an individual as a DPO ceases, the data controller or data processor must appoint a replacement within a reasonable time frame. An interim DPO should also be appointed to monitor the DPO’s official business email. Data controllers and data processors must not dismiss DPOs for performing their duties in good faith, unless there was a breach of applicable laws or the DPO was negligent or engaged in misconduct.
C. Key Obligations of DPOs
DPOs owe responsibilities to all stakeholders involved in the data controllers’ or data processors’ operations, specifically their appointing organisation, data subjects and the Commissioner.
Obligations to Appointing Organisations
DPOs must assess the risks of the processing operations of their data controllers or data processors, in consideration of the nature, scope, context and purposes of the data processing. DPOs should perform, at the minimum, the following core responsibilities:
- Informing and advising data controllers and data processors on their processing of personal data.
- Monitoring and assisting data controllers or data processors in their compliance with the PDPA and related data protection laws.
- Supporting the performance of Data Protection Impact Assessments.
- Assisting with the preparation, processing and submission of reports and any other documents required by the Commissioner in relation to personal data breaches.
Obligations to Data Subjects
DPOs should facilitate communications between data subjects and the organisations processing their data, and act as the point of contact between them.
Obligations to the Commissioner
DPOs should act as the point of contact between the Commissioner and data controllers or data processors, acting as the liaison officer who facilitates communication.
D. Qualifications of DPOs
A DPO, who must be proficient in Bahasa Melayu and English, is required to be:
- resident in Malaysia (i.e. be physically present in Malaysia for at least 180 days in one calendar year); or
- easily contactable by any means.
The appropriate level of qualifications, experience, skills and expertise required of the DPO will depend on:
- the operation of personal data processing being carried out;
- the complexity and scale of data processed;
- the sensitivity of the personal data processed; and
- the level of protection required for the data being processed.
However, a DPO may be required to possess a higher level of skill and expertise depending on:
- the scale of sensitive personal data being processed; or
- whether the data controller or data processor is involved in complex processing of personal data such as systematic personal data sharing between multiple organisations and cross-border personal data transfers.
While there are no prescribed minimum qualifications for DPOs, data controllers or data processors may require their DPOs to hold certain qualifications. Similarly, the Commissioner may determine that DPOs must possess certain qualifications. Nonetheless, data controllers and data processors must ensure that any DPO they appoint demonstrates sufficient:
- knowledge of the PDPA, as well as the requirements under the data protection practices in Malaysia (including any other applicable data protection laws, where relevant);
- understanding of the data controller’s or data processor’s business operations and the personal data processing operations carried out;
- understanding of information technology and data security;
- personal qualities such as integrity, understanding of corporate governance and high professional ethics; and
- ability to promote a culture that prioritises data protection.
An individual may be appointed as the DPO of multiple data controllers or data processors if the individual remains easily accessible by each of their appointing organisations.
E. Conclusion
Organisations must carefully assess their current data governance frameworks to ensure alignment with the updated requirements, particularly regarding DPO appointment, responsibilities, and reporting structures. It is imperative that organisations processing personal data ascertain whether they will be required to appoint a DPO and, if so, make the necessary preparations to appoint a suitable DPO. Nonetheless, the appointment of a DPO does not exempt data controllers and data processors from their obligation to comply with the PDPA. The responsibility for any non-compliance with the PDPA will ultimately fall on the data controller or data processor. Organisations processing personal data should continually review their policies and practices to ensure compliance with all regulatory requirements and must not abdicate their responsibility to comply with the relevant data protection obligations.
The information provided above does not, and is not intended to, constitute legal advice pertaining to the Malaysian data protection regime under the PDPA and its subsidiary legislation; the information, content and materials set out above are based on our reading of the amendments and are for general informational purposes only.