On Feb. 26, MLY DP issued a circular on mandatory DPO appointment.
MLY DP issued circular prescribing rules on data protection officer (DPO) appointment.
Follows MLY DP Aug. 2024 proposed amendments re privacy protection, see #223744.
Also follows MLY GVT Oct. 2024 amendedPersonal data protection act 2010, #218997.
Document dated Feb. 26, 2025, was added on Apr. 4, 2025 due to editorial backfill.
Background
Section 12A of 2010 act requires data controllers, data processors to appoint 1/more DPOs, to strengthen transparent and secure personal data management practices.
Plus, increase accountability and public trust in the way personal data is handled.
Key Provisions
This circular covers all aspects of the mandatory appointment of a DPO, including the duties and responsibilities that must be fulfilled by the DPO to ensure that data controllers and data processors comply with the Personal data protection act 2010.
One or more DPOs must be appointed in cases where processing involves: personal data exceeding 20,000 data subjects; sensitive data including financial information exceeding 10,000 data subjects; or activities requiring periodic, systematic monitoring.
The circular also prescribes: conditions for appointment,; duties/responsibilities of the DPO, training and professionalism requirements, and communication re appointments.
Effectiveness
The circular is effective on Jun. 1, 2025.
Regulators
MLY DP
Entity Types
Corp
Reference
PR, Cir 1 of 2025, 2/26/2025; Gd, DPO v 1.0, 2/25/2025;
Functions
Compliance; HR; Legal; Privacy; Record Retention; Reporting; Risk; Technology; Training
