Following the newly introduced requirement for data controllers and data processors to appoint a data protection officer (“
DPO”), the Department of Personal Data Protection has launched the DPO registration portal (
https://daftar.pdp.gov.my/v1/dpo-register), enabling organisations to formally notify the Personal Data Protection Commissioner (“
Commissioner”) of their DPO appointments.
To recap, data controllers and data processors are required to appoint one or more DPO(s) if their processing of personal data involves one of the following:
- personal data exceeding 20,000 data subjects;
- sensitive personal data including financial information exceeding 10,000 data subjects; or
- activities that require “regular and systematic monitoring” of personal data.
Only data controllers are required to notify the Commissioner of the appointment of their DPO(s) and provide the DPO’s business contact information
1. The notification must be submitted within 21 days from the appointment date, via the DPO registration portal.
The following information is required for the registration of a DPO on the portal:
- DPO’s name
- DPO’s dedicated email address
- Official/work email address of the individual appointed as the DPO (separate from the dedicated email account stated above)
- IC number or passport number
- Telephone number
- Date of appointment and the appointment status (a copy of the appointment document from the organisation must be uploaded)
- Highest education qualifications
- Area of specialisation
- Training and certification attended relating to the DPO requirements (accompanied by the relevant documents, if any).
Note that the data controller organisation information must also be provided before the DPO details above may be submitted. The required information relating to the data controller organisation include:
- Whether the organisation falls within any of the 13 classes of data controllers prescribed in the Personal Data Protection (Class of Data Users) Order 2013, required to register with the Commissioner? If yes, to provide the following information:
- The relevant sector of the organisation (example: tourism and hospitality sector e.g. a person who carries on or operates a registered tourist accommodation premises under the Tourism Industry Act 1992)
- Registration certification number issued by Department of Personal Data Protection (example: Registration No.: SB01052025-1234)
- Type of organisation (example: foreign company, private limited company, public limited company, company limited by guarantee, etc)
- Name of the organisation (registered with the Companies Commission of Malaysia (SSM) or regulatory body)
- Organisation’s registration number (example: Registration No.: 201901000005)
- Organisation’s address
- Telephone number
- Facsimile number (if any)
- Organisation’s official email
Organisations that meet the criteria for mandatory DPO appointment should take prompt action to ensure compliance with the new requirement.
For further information, please contact Jillian Chia (Head/Partner), Natalie Lim (Partner) and Charmayne Ong (Partner) of the Personal Data Protection Practice of Skrine.
| As the DPO online notification form allows for the uploading of supporting documents, such as evidence of training attended by the appointed DPO, Skrine offers a 1-day DPO Intensive Training specifically designed to equip internally appointed DPOs with practical knowledge of the core principles and obligations under the PDPA. The next training session will be held on 3 July 2025. For more information or to register, please contact Jillian Chia at jc@skrine.com. |
1 Business contact information’ means an individual’s name, position or title, business telephone number, business address, the dedicated and official business e-mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes.