Regulation on Appointment of Data Protection Officer (DPO) Comes into Force

The Notification of the Personal Data Protection Committee (PDPC) Re: Appointment of Data Protection Officers dated 31st August 2023 comes into force on and from 13th December 2023.  Some businesses that are data controllers or data processors (DC/DP) must appoint a DPO.  Below are some frequently asked questions about the DPO with our answers.

Who Must Appoint a DPO?

The DC/DP must appoint a DPO:

(1)  if their business operations require regular monitoring of personal data or data systems because they collect, use or disclose a large number of personal data; or

(2)  if their core activities are related to collecting, using and disclosing sensitive personal data (SPD) of data subjects.

The standards and business practices, and the levels of risk to and impact on data subjects, will be taken into account when determining whether or not the core business activities of the DC/DP require regular monitoring of personal data or data systems and the processing of personal data on a large scale.

What Is the Regular Monitoring of Personal Data or Systems?

The regular monitoring of personal data means tracking, monitoring, analyzing, or profiling the behaviors, attitudes, or characteristics of data subjects, systematically collecting, using, or disclosing the personal data on a regular basis.  Examples include using membership or public transportation cards for tracking, ongoing collection of customer data for risk evaluations, targeted advertising (behavioral advertising), collection of personal data by internet service providers or telecom companies, and collection of personal data at multiple sites for security purposes.

What Is a Large Number of Personal Data?

A large number of personal data is determined by (a) the quantities, types and characters of the processed personal data, (b) the duration of the data processing, and (c) the purposes of use of the collected personal data.  For example, processing the personal data of 100,000 data subjects or more, behavioral advertising through search engines or social media with a large user base, and the processing of personal data by life insurance companies, financial institutions, or telecom companies are considered processing of a large number of personal data.

What Is SPD?

SPD is personal data on racial or ethnic origins, political opinions, cult, religious or philosophical beliefs, sexual behaviors, criminal records, health data, disability, trade union information, genetic data, biometric data, and any other data which may affect the data subject in the same manner as the aforementioned data, as prescribed by the PDPC.

What Are the Duties of the DPO?

The duties of the DPO are providing advice on PDPA compliance to the DC/DP, investigating the performance of the DC/DP, coordinating with the PDPC Office if any compliance issue has occurred, and maintaining the confidentiality of personal data which the DPO acquires from the performance of his/her duties.

Can the DPO Perform Other Duties?

The DPO can also perform other roles and duties for the DC/DP if those other roles and duties do not conflict with his/her duties as the DPO.  The DC/DP must issue a letter to the PDPC to confirm that there is no conflict between the duties of the DPO and his/her other duties.





The information provided in this document is general in nature and may not apply to any specific situation. Specific advice should be sought before taking any action based on the information provided. Under no circumstances shall LawPlus Ltd. and LawPlus Myanmar Ltd. or any of their directors, partners and lawyers be liable for any direct or indirect, incidental or consequential loss or damage that results from the use of or the reliance upon the information contained in this document. Copyright © 2016 to 2020 LawPlus Ltd.